
OFFICIAL MICROSOFT LEARNING PRODUCT

10174B
Configuring and Administering Microsoft SharePoint 2010

Volume 1


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2012 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 10174B Part Number: X18-05902 Released: 01/2012

MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS
MICROSOFT OFFICIAL COURSE Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. These license terms also apply to any updates, supplements, internet based services and support services for the Licensed Content, unless other terms accompany those items. If so, those terms apply.

BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below.

1. DEFINITIONS.

a. "Authorized Learning Center" means a Microsoft Learning Competency Member, Microsoft IT Academy Program Member, or such other entity as Microsoft may designate from time to time.

b. "Authorized Training Session" means the Microsoft-authorized instructor-led training class using only MOC Courses that are conducted by a MCT at or through an Authorized Learning Center.

c. "Classroom Device" means one (1) dedicated, secure computer that you own or control that meets or exceeds the hardware level specified for the particular MOC Course located at your training facilities or primary business location.

d. "End User" means an individual who is (i) duly enrolled for an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. "Licensed Content" means the MOC Course and any other content accompanying this agreement. Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media.

f. "Microsoft Certified Trainer" or "MCT" means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft Certification in the technology that is the subject of the training session.

g. "Microsoft IT Academy Member" means a current, active member of the Microsoft IT Academy Program.

h. "Microsoft Learning Competency Member" means a Microsoft Partner Network Program Member in good standing that currently holds the Learning Competency status.

i. "Microsoft Official Course" or "MOC Course" means the Official Microsoft Learning Product instructor-led courseware that educates IT professionals or developers on Microsoft technologies.

j. "Microsoft Partner Network Member" or "MPN Member" means a silver or gold-level Microsoft Partner Network program member in good standing.

k. "Personal Device" means one (1) device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular MOC Course.

l. "Private Training Session" means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.

m. "Trainer Content" means the trainer version of the MOC Course and additional content designated solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not include virtual hard disks or virtual machines.

2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content.

2.1 Below are four separate sets of installation and use rights. Only one set of rights apply to you.

a. If you are an Authorized Learning Center:

i. If the Licensed Content is in digital format for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on a dedicated, secure server located on your premises where the Authorized Training Session is held for access and use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching the Authorized Training Session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom Device for access and use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching the Authorized Training Session.

ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual will agree that their use of the Licensed Content will be subject to these license terms prior to their accessing the Licensed Content. Each individual will be required to denote their acceptance of the EULA in a manner that is enforceable under local law prior to their accessing the Licensed Content,
3. for all Authorized Training Sessions, you will only use qualified MCTs who hold the applicable competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and servers at the end of the Authorized Training Session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance with the applicable classroom set-up guide.

b. If you are a MPN Member.

i. If the Licensed Content is in digital format for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on (A) one (1) Classroom Device, or (B) one (1) dedicated, secure server located at your premises where the training session is held for use by one (1) of your employees attending a training session provided by you, or by one (1) MCT that is teaching the training session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom Device for use by one (1) End User attending a Private Training Session, or one (1) MCT that is teaching the Private Training Session.

ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual will agree that their use of the Licensed Content will be subject to these license terms prior to their accessing the Licensed Content. Each individual will be required to denote their acceptance of the EULA in a manner that is enforceable under local law prior to their accessing the Licensed Content,
3. for all training sessions, you will only use qualified MCTs who hold the applicable competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and servers at the end of each training session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance with the applicable classroom set-up guide.

c. If you are an End User: You may use the Licensed Content solely for your personal training use. If the Licensed Content is in digital format, for each license you acquire you may (i) install one (1) copy of the Licensed Content in the form provided to you on one (1) Personal Device and install another copy on another Personal Device as a backup copy, which may be used only to reinstall the Licensed Content; or (ii) print one (1) copy of the Licensed Content. You may not install or use a copy of the Licensed Content on a device you do not own or control.

d. If you are a MCT.

i. For each license you acquire, you may use the Licensed Content solely to prepare and deliver an Authorized Training Session or Private Training Session. For each license you acquire, you may install and use one (1) copy of the Licensed Content in the form provided to you on one (1) Personal Device and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Licensed Content. You may not install or use a copy of the Licensed Content on a device you do not own or control.

ii. Use of Instructional Components in Trainer Content. You may customize, in accordance with the most recent version of the MCT Agreement, those portions of the Trainer Content that are logically associated with instruction of a training session. If you elect to exercise the foregoing rights, you agree: (a) that any of these customizations will only be used for providing a training session, (b) any customizations will comply with the terms and conditions for Modified Training Sessions and Supplemental Materials in the most recent version of the MCT agreement and with this agreement. For clarity, any use of "customize" refers only to changing the order of slides and content, and/or not using all the slides or content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you may not separate the components and install them on different devices.

2.3 Reproduction/Redistribution Licensed Content. Except as expressly provided in the applicable installation and use rights above, you may not reproduce or distribute the Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft.

2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These license terms will apply to your use of those third party programs or services, unless other terms accompany those programs and services.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to that respective component and supplements the terms described in this Agreement.

3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release ("beta") version, in addition to the other provisions in this agreement, then these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final version. We also may not release a final version. Microsoft is under no obligation to provide you with any further content, including the final release version of the Licensed Content.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software, technologies, or products to third parties because we include your feedback in them. These rights survive this agreement.

c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content, whichever is earliest ("beta term"). Upon expiration or termination of the beta term, you will irretrievably delete and destroy all copies of same in the possession or under your control.

4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content, which may change or be canceled at any time.

a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an Internet-based wireless network. In some cases, you will not receive a separate notice when they connect. Using the Licensed Content operates as your consent to the transmission of standard device information (including but not limited to technical information about your device, system and application software, and peripherals) for internet-based services.

b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could harm it or impair anyone else's use of it. You may not use the service to try to gain unauthorized access to any service, data, account or network by any means.

5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allows you to use it in certain ways.
Except as expressly permitted in this agreement, you may not:
- install more copies of the Licensed Content on devices than the number of licenses you acquired;
- allow more individuals to access the Licensed Content than the number of licenses you acquired;
- publicly display, or make the Licensed Content available for others to access or use;
- install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend, make available or distribute the Licensed Content to any third party, except as expressly permitted by this Agreement;
- reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation;
- access or use any Licensed Content for which you are not providing a training session to End Users using the Licensed Content;
- access or use any Licensed Content that you have not been authorized by Microsoft to access and use; or
- transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.

6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that appear on the Licensed Content or any components thereof, as delivered to you.

7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, End Users and end use. For additional information, see www.microsoft.com/exporting.

8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.

9. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you agree to immediately stop all use of and to irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control.

11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are the entire agreement for the Licensed Content.

13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT CORPORATION AND ITS RESPECTIVE SUPPLIERS.

This limitation applies to
- anything related to the Licensed Content, services made available through the Licensed Content, or content (including code) on third party Internet sites or third-party programs; and
- claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered "as is". Any use of this licensed content is at your sole risk. Microsoft gives no other express warranty. You may have additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from Microsoft and its suppliers compensation for direct damages only, up to US $5.00. You cannot claim any compensation for other damages, including special, indirect or incidental damages and lost profits. This limitation applies to:
- anything related to the licensed content, to services, or to content (including code) on third-party Internet sites or in third-party programs; and
- claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of any kind, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change the rights granted to you by the laws of your country if those laws do not permit it to do so.

Revised December 2011


Acknowledgements
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Alistair Matthews
A consultant with extensive and cutting-edge experience in Microsoft technologies, Alistair has spent the last 10 years developing with, consulting on, and communicating about both the developer and IT professional sides of SharePoint, Visual Studio, Active Directory, Exchange, and Windows. He is currently most interested in SharePoint Web Content Management and likes to impress clients with elegant publishing workflows and custom UI elements. He's also more excited about Office 365 than he cares to admit. Alistair has a particular passion for writing about technology and has contributed to many Microsoft Learning courses, MSDN and TechNet articles, and white papers. He is the principal consultant at Web Dojo Ltd and lives the telecommuting dream in Cornwall, UK.

Dan Holmes - Subject Matter Expert

A graduate of Yale University and Thunderbird, Dan has spent 15 years as a consultant and trainer, delivering solutions to tens of thousands of IT professionals from the most prestigious organizations and corporations around the world. Dan's company, Intelliem, is a boutique consulting and training firm with a Fortune-caliber clientele. He has deep expertise and experience in Microsoft Windows, Active Directory, and SharePoint. From his base in beautiful Maui, Dan travels around the globe supporting customers and delivering Microsoft technologies training. Dan is also a contributing editor for Windows IT Pro and SharePoint Pro Connections magazines, a Microsoft MVP (Windows Server Directory Services, 2007, and SharePoint Server, 2008-2010), and the community lead of SharePointProConnections.com. Dan's most recent two books with Microsoft, the Windows Administration Resource Kit and the training kit for the 70-640 MCTS exam, are at the top of the bestseller list of Windows books. He recently returned from Vancouver where he built SharePoint solutions to support the broadcast of the 2010 winter Olympics as the Microsoft Technologies Consultant for NBC Olympics, a role he played last year in Beijing and previously in Torino.

Chris Givens - Subject Matter Expert

Chris Givens is the CEO of Architecting Connected Systems (ACS), a courseware development company focused on advanced development topics. ACS's credits include the top selling worldwide development course in SharePoint 2007. Chris's past experiences include Microsoft, Avanade, several technology startups in the Seattle area and a 5-year career at IBM. Chris grew up in Oklahoma and is a computer science graduate of the University of Tulsa in Tulsa, Oklahoma.

Enrique Lima - Subject Matter Expert

Enrique Lima, a proud member of the MCT Community, has over 18 years of experience in training, application development, database development and management, IT solutions architecture, and project management. In his role as a solutions architect at Apparatus, Enrique focuses on providing quality, informative, and engaging solutions and service to clients. As a speaker and presenter, he brings in the lessons learned from the field to provide guidance in how to best leverage the tools clients will be using and exploring as they move forward with their Microsoft SharePoint technologies and supporting tools. Enrique has been involved in architecting and developing solutions that leverage the integration of SharePoint technologies, BizTalk, Commerce Server, and Content Management Server with other Microsoft and non-Microsoft platforms.

John Ferringer - Subject Matter Expert


John Ferringer is a solutions architect with Apparatus, Inc. He has more than six years of experience administering and supporting SharePoint technologies and more than twelve years working in the technology consulting industry. John is certified as an MCTS on several platforms, including Windows Server 2008, SharePoint 2007, System Center Operations Manager 2007, and Project Server 2007. He has co-authored the SharePoint 2007 Disaster Recovery Guide and is hard at work on the forthcoming SharePoint 2010 Disaster Recovery Guide (http://tinyurl.com/spdr2010book). You can find him at his blog at MyCentralAdmin.com (http://www.MyCentralAdmin.com) and on Twitter at @Ferringer (http://twitter.com/ferringer).

Ryan Powell - Subject Matter Expert

Ryan Powell is an infrastructure specialist with Apparatus, Inc. He has been administering SharePoint technologies since the very first release in 2001 and has more than eight years' experience in technology consulting. Ryan is certified as a MCITP/MCTS in both SharePoint 2010 and SharePoint 2007. You can find him on Twitter at @ryanpowell20 (http://twitter.com/ryanpowell20).

Jason Medero - Technical Reviewer


Jason Medero, MCP, MCT, MCTS, MVP (WSS) is a systems architect with a concentration in SharePoint Products and Technologies and its related Microsoft technologies. Jason has been working with SharePoint Products and Technologies exclusively since 2003 and has presented at major conferences across the United States. His concentration within SharePoint is mainly on the infrastructure and architecture side. He also has in-depth experience performing large scale upgrade/migration efforts. He is currently co-authoring his third SharePoint book in which he will be writing about upgrading from SharePoint 2007 to SharePoint 2010. He is an active member of the SharePoint Users Group in New Jersey/New York City where he sits on the speaker selection committee. He speaks frequently at SharePoint events across the country. He also contributes his SharePoint knowledge as a mentor for several popular forums, such as TechNet and Yahoo groups.

Todd Klindt - Technical Reviewer

Todd has been a professional computer nerd for over 15 years, specializing in SharePoint for the last six years. His love affair with SharePoint began one slow day at the office when he discovered SharePoint Team Services 1.0 on the Office XP CD and decided to install it. The rest is history. In 2006 he was honored to be awarded the MVP award from Microsoft for Windows SharePoint Services. He has had the pleasure of working with SharePoint farms both large and small. He has written several books and magazine articles on SharePoint. Todd has presented sessions on SharePoint at many major conferences both in the United States as well as Europe and Asia and does the user group circuit, SharePoint Saturday events, and the occasional children's birthday party as well. He chronicles his SharePoint adventures on his blog, http://www.toddklindt.com/blog. His latest book, Professional SharePoint 2010 Administration, published by Wrox, is now available at fine booksellers everywhere. He is currently working his dream job as a consultant at SharePoint911 where he spends his days fixing broken SharePoint environments and bringing new SharePoint environments into the world. If you're bored you can follow him on Twitter @toddklindt.


Glen Smith, Technical Reviewer


Glen (Software) Smith MCM, MCT is the owner of his own consulting and training company SoftwareSmith. His specialties are SharePoint 2010 and Commerce Server and he has a long list of Microsoft Certifications from MCITP Administrator (for Windows 2008, SQL and SharePoint 2010) to MCPD Developer (for SharePoint 2010 and .NET), but it is his Microsoft Certified Master certification and the resultant community that means the most to him. You can find him on his blog at http://softwaresmith.blogspot.com/ and his book at http://www.software-smith.com/book/book.htm. He is passionate about teaching, and tries to get a good balance between consulting and teaching as he shuttles between Europe and North America.

Mike Smith, Technical Reviewer


Mike Smith is a Senior Instructor at MAX Technical Training in Cincinnati, Ohio. He has worn many IT hats over the last thirty years as a business owner, developer, tech writer, trainer, DBA and consultant. He is a SharePoint MVP and a Microsoft Certified Trainer (MCT) and has 13 other MC certifications. He specializes in SharePoint administration, SharePoint development, SQL Server and .NET development and is a member of the Cincinnati SharePoint User Group leadership team. Mike frequently presents at SharePoint events and blogs at TechTrainingNotes.blogspot.com. Mike is the author of "SharePoint 2007 and 2010 Customization for Site Owners" and is working on books on SharePoint Security and SharePoint Online.


Contents
Module 1: Introducing SharePoint 2010
Lesson 1: Evaluating the Features of Microsoft SharePoint 2010
Lesson 2: Preparing for SharePoint 2010
Lesson 3: Installing SharePoint 2010
Lesson 4: Advanced Installation of SharePoint 2010
Lab: Installing SharePoint 2010

Module 2: Creating a SharePoint 2010 Intranet


Lesson 1: Performing Initial Farm Configuration
Lesson 2: Configuring the SharePoint Logical Structure
Lesson 3: Exploring the SharePoint Web Application and Physical Architecture
Lab: Creating a SharePoint 2010 Intranet

Module 3: Administering and Automating SharePoint


Lesson 1: Configuring Central Administration
Lesson 2: Administering SharePoint from the Command Line
Lesson 3: Automating SharePoint Operations with Windows PowerShell
Lab: Automating SharePoint with Windows PowerShell

Module 4: Configuring Content Management


Lesson 1: Optimizing Content Storage and Access
Lab A: Configuring List Throttling and Remote BLOB Storage
Lesson 2: Managing Site Content Types and Site Columns
Lesson 3: Configuring the Managed Metadata Service
Lab B: Configuring Managed Metadata

Module 5: Configuring Authentication


Lesson 1: Understanding Classic SharePoint Authentication Providers
Lesson 2: Understanding Federated Authentication
Lab A: Configuring Custom Authentication
Lab B: Configuring Secure Store

Module 6: Securing Content


Lesson 1: Administering SharePoint Groups
Lesson 2: Implementing SharePoint Roles and Role Assignments
Lesson 3: Securing and Auditing SharePoint Content
Lab: Configuring Security for SharePoint Content


Module 7: Managing SharePoint Customizations


Lesson 1: Customizing Microsoft SharePoint
Lesson 2: Deploying and Managing Features and Solutions
Lesson 3: Configuring Sandboxed Solutions
Lab A: Administering Features and Solutions
Lab B: Administering Sandboxed Solutions

Module 8: Configuring and Securing SharePoint Services and Service Applications


Lesson 1: Securing the Enterprise SharePoint Service
Lesson 2: Securing and Isolating Web Applications
Lesson 3: Services and Service Applications
Lab A: Administering SharePoint Services
Lab B: Configuring Application Security
Lab C: Configuring Service Applications

Module 9: User Profiles and Social Networking


Lesson 1: Configuring User Profiles
Lesson 2: Implementing SharePoint 2010 Social Networking Features
Lab A: Configuring User Profiles
Lab B: Administering My Sites

Module 10: Administering and Configuring SharePoint Search


Lesson 1: Configuring Search
Lab A: Configuring Search
Lesson 2: Refining Search
Lab B: Tuning SharePoint Search

Module 11: Implementing Productivity Service Applications


Lesson 1: Implementing Business Connectivity Services
Lesson 2: Configuring Excel Services
Lesson 3: Understanding PerformancePoint Services
Lesson 4: Implementing InfoPath Forms Services
Lesson 5: Implementing Visio Services Features
Lesson 6: Implementing Access Services
Lesson 7: Implementing Office Web Apps
Lab: Implementing Office Web Apps


Module 12: Installing and Upgrading to SharePoint 2010


Lesson 1: Installing SharePoint Servers and Farms
Lesson 2: Upgrading to SharePoint 2010
Lesson 3: Evaluating Installations and Upgrades
Lesson 4: Configuring SharePoint Operational Settings
Lesson 5: Updating SharePoint
Lab A: Preparing SharePoint 2007 for Upgrade to SharePoint 2010
Lab B: Upgrading SharePoint 2007 to SharePoint 2010

Module 13: Implementing Business Continuity


Lesson 1: Protecting and Recovering Content
Lesson 2: Working with Backup and Restore for Disaster Recovery
Lesson 3: Implementing High Availability Solutions
Lab A: Implementing a Backup Strategy
Lab B: Implementing a Restore Strategy

Module 14: Monitoring and Optimizing SharePoint Performance


Lesson 1: Monitoring Logs
Lesson 2: Configuring SharePoint Health Analyzer
Lesson 3: Configuring Usage Reports and Web Analytics
Lesson 4: Monitoring and Optimizing SharePoint Performance
Lab A: Configuring SharePoint Monitoring
Lab B: Analyzing SharePoint Health
Lab C: Reporting SharePoint Usage

Module 15: SharePoint Online and Office 365


Lesson 1: Introducing Office 365 and SharePoint Online
Lesson 2: Setting Up Office 365
Lesson 3: Administering SharePoint Online

About This Course


This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description
This five-day instructor-led course teaches students how to install, configure, and administer Microsoft SharePoint and also how to manage and monitor sites and users by using Microsoft SharePoint 2010. It covers Microsoft SharePoint 2010 Service Pack 1 and SharePoint Online.

Audience
This course is intended for IT professionals who are experienced Windows Server 2003 or 2008 administrators and are interested in learning how to administer SharePoint 2010 SP1 or SharePoint Online. The course is also intended for part-time Business Application Administrators (BAAs) who are engaged in administering Line of Business (LOB) applications in conjunction with internal business customers.

Student Prerequisites
In addition to their professional experience, students who attend this training should have experience:
Administering Active Directory by creating and managing user and group accounts, delegation of administration, and configuring Group Policy in an Enterprise environment.
Administering network infrastructure: DNS and TCP/IP connectivity.
General conceptual awareness of Microsoft .NET Framework as it relates to SharePoint 2010.
Administering Microsoft SQL Server 2005 or 2008 through creating logons, assigning roles and using Microsoft SQL Server Management Studio.
One year's experience using Windows PowerShell cmdlets.
Understanding and implementing best practices for general security and authentication.
Windows client management experience with either Windows Vista or Windows 7.

Course Objectives
After completing this course, students will be able to:
Prepare for and install Microsoft SharePoint 2010.
Configure the fundamental service and logical components of a SharePoint implementation.
Administer SharePoint using the user interface, the command line, and Windows PowerShell.
Manage content in Lists and Libraries.
Administer identities and authentication.
Secure content in SharePoint sites.
Manage customizations to a SharePoint implementation.
Configure SharePoint services and applications.
Configure SharePoint social networking features.
Manage SharePoint Search.
Configure farms, servers, service applications, and web applications.
Install, upgrade, configure, and operate a SharePoint farm.
Configure high availability and recoverability.
Monitor and optimize SharePoint performance.
Understand the differences between on premise and online deployments of SharePoint as well as how to subscribe to and administer SharePoint Online.


Course Outline
This section provides an outline of the course:

Module 1: Introducing Microsoft SharePoint 2010: This module explores the role of Microsoft SharePoint 2010 in delivering business collaboration solutions in the enterprise and on the Internet. You are introduced to the various SharePoint product offerings, including SharePoint Online, and you examine what it takes to get SharePoint up and running, from preparing your infrastructure, to configuring related technologies and products, to deploying SharePoint servers and farms using both out of box installation wizards and scripts.

Module 2: Creating a SharePoint 2010 Intranet: In this module, you will create a SharePoint-based intranet and, as you do so, you will examine key concepts and skills related to the logical architecture of SharePoint, including web applications, site collections, sites, and content databases.

Module 3: Administering and Automating SharePoint: This module covers how to apply the full range of options for administering and automating SharePoint: Central Administration, STSADM, and PowerShell. The module also introduces students to the logs.

Module 4: Configuring Content Management: This module explains how to manage content (lists, libraries, items and documents). It examines how to configure SharePoint and SQL Server to ensure optimal content storage and access, how to create content types and site columns to describe your content as well, and how to set up the managed metadata service application to tag and classify content.

Module 5: Configuring Authentication: This module describes the process of administering authentication to SharePoint web applications. It examines classic SharePoint authentication providers followed by details of Federated Authentication.

Module 6: Securing Content: This module introduces you to managing security of SharePoint content within a web application. It examines how to assign permissions and administer groups and how to implement SharePoint roles and role assignments, and provides details on securing and auditing of SharePoint content.

Module 7: Managing SharePoint Customizations: This module describes how to customize the SharePoint environment to meet your organizational needs. It explores how to deploy and manage SharePoint features and solutions, and how to configure sandboxed solutions.

Module 8: Configuring and Securing SharePoint Services and Applications: This module shows you how to manage the SharePoint service as a whole, as well as individual services and service applications. It provides instruction on how to secure your enterprise-level SharePoint service, how to secure web applications, and how to configure SharePoint services and service applications.

Module 9: User Profiles and Social Networking: This module describes how to manage and configure user profiles and My Sites, and how to implement SharePoint 2010 social networking features.

Module 10: Administering and Configuring SharePoint Search: This module discusses how to administer and configure SharePoint Search, and how to refine searches.

Module 11: Implementing Productivity Service Applications: This module examines how to configure specific service applications. It covers Business Connectivity Services (BCS), Excel services, PerformancePoint services, InfoPath services, Visio services, and Access services. This module also provides details on installing Office web applications.

Module 12: Installing and Upgrading to SharePoint 2010: This module examines how to install and upgrade to SharePoint 2010 in a variety of scenarios, and how to keep SharePoint 2010 current. It examines the installation of SharePoint servers and farms, the upgrade of SharePoint 2007 to SharePoint 2010, and the planning of those installations and upgrades. This module also focuses on how to apply updates to your SharePoint environment.

Module 13: Implementing Business Continuity: This module shows you how to configure business continuity for SharePoint. It examines how to protect and recover content, how to perform backup and restore operations, and how to implement high availability solutions with SharePoint server.

Module 14: Monitoring and Optimizing SharePoint Performance: This module examines how to monitor SharePoint performance, health, and usage, and how to identify and remediate performance and health problems. It covers the monitoring of logs to establish a baseline for performance, how to configure SharePoint Health Analyzer, how to configure usage reports, web analytics, and details on overall performance and optimization of SharePoint servers.

Module 15: SharePoint Online and Office 365: This module introduces Microsoft's cloud services and Microsoft SharePoint Online. It examines the components of Office 365, compares the functionality of SharePoint Online to that of a SharePoint on-premise farm, and describes how to create and configure an Office 365 subscription to host a website, team collaboration sites, and connections to desktop software. This module examines how to enable users (in and outside your organization), and how to access SharePoint Online and perform other administrative tasks.

Exam/Course Mapping
This course, 10174B: Configuring and Administering Microsoft SharePoint 2010, has a direct mapping of its content to the objective domain for the Microsoft exam 70-667: TS: Microsoft SharePoint 2010, Configuring. The below table is provided as a study aid that will assist you in preparation for taking this exam and to show you how the exam objectives and the course content fit together. The course is not designed exclusively to support the exam but rather provides broader knowledge and skills to allow a real-world implementation of the particular technology. The course will also contain content that is not directly covered in the examination and will utilize the unique experience and skills of your qualified Microsoft Certified Trainer.

Note: The exam objectives are available online at the following URL: http://go.microsoft.com/fwlink/?LinkId=241352

70-667 TS: Microsoft SharePoint 2010, Content Configuring Exam Objective Domain Module Installing and Configuring a SharePoint Environment Deploy new installations and upgrades. Module 1 Module 12

Labs Lesson Lessons 2/3/4 Lessons 1/2/3 Exercise Lab: Ex 1/2/3/6 Lab A: Ex 1/2/3/4 Lab B: Ex 1/2/3 Lab A: Ex 1

Module 14

Lesson 1


Configure SharePoint farms.

Module 1 Module 2 Module 11 Module 12 Module 13 Module 15 Module 1 Module 4 Module 8 Module 9 Module 11 Module 10

Lesson 2/3 Lesson 1/2/3 Lesson 4 Lesson 3/4/5 Lessons 1/2/3 Lesson 1/2 Lesson 1 Lesson 3 Lesson 1/2/3 Lesson 1 Lesson 1 > 6 Lesson 1 > 6

Lab: Ex 4/5 Lab: Ex 1/2/3 NA NA Lab A: Ex 1/2/3 Lab B: Ex 1/2/3 NA Lab: Ex 1/5 Lab B: Ex 1 Lab C: Ex 1 Lab A: Ex 1/2/3 Lab: Ex 1/2 Lab A: Ex 1 > 7 Lab B: Ex 1/2/3 NA Na Lab: Ex 1/2/3/4 NA Lab A: Ex 1 Lab B: Ex 1/2 Lab: Ex 5 Lab: Ex 2 & 3 Lab A: Ex 1 Lab B: Ex 1 Lab: Ex 1/2/3/4 NA Lab A: Ex 1/2 Lab B: Ex 1/2/3

Configure service applications.

Configure indexing and search. Managing a SharePoint Environment Manage operational settings.

Module 1 Module 2 Module 6 Module 7 Module 14 Module 1 Module 2 Module 5 Module 6 Module 15 Module 5

Lesson 1 Lesson 2 Lesson 1/2/3 Lesson 3 Lesson 1/2/3/4 Lesson 2 Lesson 1/2 Lesson 1 Lesson 1/2/3 Lesson 3 Lesson 1/2

Manage accounts and user roles.

Manage authentication providers. Deploying and Managing Applications Manage Web Applications.

Module 2 Module 3 Module 6 Module 8 Module 2 Module 6 Module 12 Module 15 Module 2 Module 7

Lesson 1/2/3 Lesson 3 Lesson 3 Lesson 2 Lesson 1/2/3 Lesson 1/2/3 Lesson 4 Lesson 2 Lesson 3 Lesson 2/3

Lab: Ex 1/2/3 NA Lab: Ex 4 Lab B: Ex 1/2 Lab: Ex 2/3 Lab: Ex 1/2 NA NA NA Lab A: Ex 2

Manage site collections.

Deploy and manage SharePoint solutions.


Module 15 Maintaining a SharePoint Environment Back up and restore a SharePoint environment. Module 12 Module 13 Module 15 Module 14

Lesson 2 Lesson 5 Lesson 1/2/3 Lesson 1 Lesson 1/2/3/4 Lesson 1 Lesson 1

Lab B: Ex 1/2/3 NA Lab A: Ex 3 Lab B: Ex 2 Lab A: Ex 1/2/3 Lab B: Ex 1/2/3 NA Lab A: Ex 1 Lab B: Ex 1/2 Lab C: Ex 1/2 NA Lab A: Ex 1/2/3/4

Monitor and analyze a SharePoint environment.

Optimize the performance of a SharePoint environment.

Module 1 Module 4

Important Note: Attending this course alone will not successfully prepare you to pass any associated certification exams.

Taking this course does not guarantee that you will automatically pass any certification exam. In addition to attendance at this course, you should also have the following:
Minimum of 1-2 years real world, hands-on experience configuring and implementing a Microsoft SharePoint 2010 environment.
Additional study outside of the content in this handbook.

There are additional study and preparation resources, such as practice tests, available for you to prepare for this exam. The details of these are available at the following URL: http://go.microsoft.com/fwlink/?LinkId=239934 You should familiarize yourself with the audience profile and exam prerequisites to ensure you are sufficiently prepared before taking the certification exam. The complete audience profile for this exam is available at the following URL: http://go.microsoft.com/fwlink/?LinkId=239935 The exam/course mapping table outlined above is accurate at the time of printing, however it is subject to change at any time and Microsoft bears no responsibility for any discrepancies between the version published here and the version available online and will provide no notification of such changes.


Course Materials
The following materials are included with your kit:

Course Handbook: A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.
Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's needed.

Course Companion Content on the site http://www.microsoft.com/learning/companionmoc/: Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook.
Modules: Include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN, Microsoft Press and other locations.
SharePoint Online Demonstration Files: The files below are also available to you as part of the companion content. These files are recordings of demonstrations that your instructor will carry out in Module 15. They contain basic features and functionality of Office 365 and SharePoint Online.
SetupO365TrialSubscription_Demo.wmv
SPOWebsiteConfiguration_Demo.wmv
SetupO365TrialSubscription_TranscriptandDemoSteps.docx
SPOWebsiteConfiguration_TranscriptandDemoSteps.docx

Student Course files on the http://www.microsoft.com/learning/companionmoc/ site: Includes the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

Course evaluation: At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.


Virtual Machine Environment


This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration


In this course, you will use Microsoft Hyper-V to perform the labs. The following table shows the role of each virtual machine used in this course.

Virtual machine              Role
10174A-CONTOSO-DC-A          Domain controller in the Contoso domain
10174A-CONTOSO-DC-B          Domain controller in the Contoso domain
10174A-CONTOSO-DC-C          Domain controller in the Contoso domain
10174A-CONTOSO-DC-D          Domain controller in the Contoso domain
10174A-CONTOSO-DC-E          Domain controller in the Contoso domain
10174A-CONTOSO-DC-F          Domain controller in the Contoso domain
10174A-CONTOSO-DC-FINAL      Domain controller in the Contoso domain
10174A-SP2007-WFE1-F         SharePoint 2007 Server
10174A-SP2007-WFE1-G         SharePoint 2007 Server
10174A-SP2010-WFE1-A         SharePoint 2007 Server
10174A-SP2010-WFE1-B         SharePoint 2007 Server
10174A-SP2010-WFE1-C         SharePoint 2007 Server
10174A-SP2010-WFE1-D         SharePoint 2007 Server
10174A-SP2010-WFE1-E         SharePoint 2007 Server
10174A-SP2010-WFE1-FINAL     SharePoint 2007 Server

Note: This course is number 10174B while the virtual machine names all contain the number 10174A. This is entirely as expected and by design.

Software Configuration
The following software is installed on the virtual machines:
Windows Server 2008 R2
Microsoft SharePoint 2010
Microsoft Office SharePoint Server 2007
Microsoft Office 2010
Microsoft SQL Server 2008 R2


Course Files
There are files associated with the labs in this course. The lab files are located on the student computers.

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware are taught. The course requires that you have a computer that meets or exceeds Hardware Level 6, which prescribes the following:
Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) 64-bit processor.
Dual 120-GB hard disks, 7,200 RAM Serial Advanced Technology Attachment (SATA) or better (configured as a stripe array).
4 GB of RAM expandable to 8 GB or higher (recommended).
DVD drive.
Network adapter.
Super VGA (SVGA) 17-inch monitor.
Microsoft mouse or compatible pointing device.
Sound card with amplified speakers.

In addition, the instructor computer must be connected to a projection display device that supports SVGA 1024 x 768, 16-bit colors.


Module 1
Introducing Microsoft SharePoint 2010
Contents:
Lesson 1: Evaluating the Features of Microsoft SharePoint 2010
Lesson 2: Preparing for SharePoint 2010
Lesson 3: Installing SharePoint 2010
Lesson 4: Advanced Installation of SharePoint 2010
Lab: Installing SharePoint 2010


Module Overview

Microsoft SharePoint 2010 (the collection of products and technologies that includes SharePoint Server 2010 and SharePoint Foundation 2010) offers a broad range of functionality that addresses a vast number of business collaboration scenarios. The SharePoint platform sits on, and depends on, a number of other Microsoft products and technologies. In this module, you explore the role of SharePoint 2010 in delivering business collaboration solutions in the enterprise and on the Internet. You will be introduced to the various SharePoint product offerings and flavours, including SharePoint Online. You then learn what it takes to get SharePoint up and running, from preparing your infrastructure, to configuring related technologies and products, to deploying SharePoint servers and farms using both out of box installation wizards and scripts.

Objectives
After completing this module, you will be able to:
Describe the features of Microsoft SharePoint Server 2010 and other SharePoint products and technologies.
Prepare hardware and software for a SharePoint Server 2010 installation.
Perform an installation of a single-server SharePoint 2010 farm.
Perform a scripted installation of SharePoint 2010 on a single server.


Lesson 1

Evaluating the Features of Microsoft SharePoint 2010

Microsoft SharePoint 2010 is the business collaboration platform for the enterprise and the Internet. SharePoint 2010 is a complex and potentially powerful product that delivers a lot of functionality to address varying day to day business needs. In this lesson, you learn just how much technology is available in the product, and you dissect the technical capabilities and features that are driving enterprises around the world to adopt SharePoint 2010.

After completing this lesson, you will be able to:
Describe the value proposition of SharePoint 2010.
Describe the SharePoint 2010 platform.
Describe the key SharePoint products and technologies.
Describe the key SharePoint capabilities, such as sites, communities, content, search, insights, and composites.
Identify the new features introduced in Service Pack 1.
Describe how SharePoint Online makes SharePoint features available as a service in the cloud and how it fits into Office 365.


The Value Proposition of SharePoint 2010

The value proposition for SharePoint is: "SharePoint is the business collaboration platform for the enterprise and the Internet." Microsoft invested heavily in the development of SharePoint Server 2010 to deliver features that enable an enterprise to do the following:
Deliver the best productivity experience. The end-user experience of SharePoint Server 2010 builds on familiar user interfaces and tools.
Cut costs with a unified infrastructure. SharePoint 2010 performs roles that have been, in many enterprises, provided by other disparate systems. Now those roles can be consolidated on to SharePoint 2010.
Rapidly respond to business needs. SharePoint 2010 provides a diverse feature set addressing many business collaboration scenarios, with out of box functionality, a rich collection of community-generated solutions, and extensibility to support custom solutions.


The SharePoint Platform

SharePoint is a platform that itself extends and depends on many components of the broader Microsoft technologies suite. This visualization of the platform shows the dependencies, both required and available, between components of the technology stack. Each component of the platform contributes specific features and functionality.
Windows Server 2008 or Windows Server 2008 R2 provides the core operating system functionality, including the security subsystem.
The Microsoft .NET Framework provides the framework for SharePoint, which is a .NET application running within Internet Information Services (IIS).
SharePoint Foundation 2010 delivers fundamental SharePoint functionality including service management, security, integration with Microsoft Office client applications, and core collaborative features such as lists and libraries.
SharePoint Server 2010 builds on SharePoint Foundation, adding social networking, enterprise search, business intelligence, and other features.

Note: The features provided by SharePoint Foundation 2010 and SharePoint Server 2010 are detailed later in this module.

SharePoint uses identity services that can include the Active Directory Directory Services or other claims-based authentication providers. Some of these identity services, such as forms-based authentication, rely on the .NET Framework.
SharePoint content is stored in Microsoft SQL Server.
SharePoint is a highly extensible platform. Independent software vendors (ISVs), the community, customers, and Microsoft itself deliver solutions that depend on SharePoint Foundation or SharePoint Server.


SharePoint Products and Technologies

There is a wide array of products and technologies that make up SharePoint, including the following:
SharePoint Foundation 2010, which is licensed with Windows Server at no additional cost and provides many common features for building websites, portals, intranets, and content management solutions.
SharePoint Server 2010 for Intranet Scenarios, which is licensed with Standard or Enterprise features. The features provided by SharePoint Foundation 2010 and SharePoint Server 2010 are detailed later in this module.
SharePoint Server 2010 for Internet Sites, which is licensed for access by large numbers of users and by non-authenticated users.
Office Web Apps, which enable users to view and edit Office documents in the browser.
FAST Search for SharePoint 2010, which provides industry-leading, highly-scalable enterprise search facilities to SharePoint farms.
FAST Search for SharePoint 2010 for Internet Sites, which is licensed for access by large numbers of users and by non-authenticated users.
Search Server 2010 and Search Server Express 2010, which provide the search functionality of SharePoint Server.
SharePoint Online, which implements SharePoint as a cloud-based service. SharePoint Online is a key part of Office 365 and is covered in more detail in Module 15, SharePoint Online and Office 365.

Additionally, a vast selection of community-generated solutions and applications by ISVs extends the capabilities and feature set of SharePoint 2010. It is important that you understand your business requirements so that you can choose the best mix of products and technologies.


Sites

The sites capability includes functionality that delivers and personalizes content to users, provides manageability and scalability to administrators, enables developers to customize and extend SharePoint, and allows an enterprise to implement SharePoint along with other solutions or to consolidate the functionality provided by disparate collaboration solutions into SharePoint.

Content Delivery
The sites capability offers the following components, features, and functionality to deliver content to users:
Core content structures: Web applications, site collections, sites, lists, libraries
Services to render content: Multiple browsers; Mobile browsers; Accessibility standards (WCAG 2.0)
Rich Web experience: Ribbon user interface (UI): Familiar Office UI; Web Edit: Rich content editing
Interfaces for rich and offline client experiences: Office client applications; SharePoint Workspace; Office Web Applications

SharePoint Foundation 2010 delivers the core functionality of SharePoint and provides most of the features in the sites capability. Content structures such as Web applications, site collections, and sites, are discussed in Module 2, Creating a SharePoint 2010 Intranet.

Following are some important points related to content delivery:

1-8

Configuring and Administering Microsoft SharePoint 2010

SharePoint 2010 features significantly expand browser support, which are detailed in Lesson 2 of this module. Additionally, you can access content can using mobile browsers. SharePoint is compliant with WCAG 2.0 accessibility standards out of the box. A number of components, services, features, and interfaces of SharePoint are designed to deliver a unified, efficient, and familiar experience to end users. SharePoint 2010 offers a variety of modalities through which users can interact with content, including Office client integration, SharePoint Workspace and other applications that provide offline access to SharePoint, and Office Web Apps, which enable browser-based viewing, editing, and coauthoring of documents.

Question: What important business objectives do the content delivery capabilities in the sites capability (its components, features, and the many ways it gives you to interact with content) support?

Content Personalization
The sites capability offers components, features, and functionality to support personalizing the delivery of content. Features that personalize the user's experience with content include:

- My Sites
- User tagging
- Content targeting
- Multilingual support

It is important to consider the following points related to content personalization:

- One user may not need, want, or be allowed to see the same content that another user sees. The SharePoint sites capability delivers functionality to individualize (to personalize) the user experience.
- My Site is a user's individual Web page, exposing that user's profile, shared information and documents, expertise, organizational relationships, and social activities to other users. Additionally, a user's My Site can provide a personalized navigation and view of enterprise resources.
- User tagging is an important new functionality of SharePoint 2010. Documents, lists, libraries, sites, and users can be tagged. These tags can then be used to associate a user with content that is of interest to that person.
- Content targeting is the ability of an administrator to push content to one or more users based on those users' shared characteristics, including their group membership.
- SharePoint provides multilingual support. SharePoint can support content, services, and tags in a wide range of languages. A site can be rendered in a particular language to a user in that user's language and can be switched to another language on the fly.

Manageability and Scalability


The sites capability offers the following components, features, and functionality to ensure scalable, manageable deployment in an enterprise:

- Central management
  - Governance, security, and compliance at multiple levels of every feature
- Operations management
  - Deploy, secure, configure, backup, monitor, audit, and update
  - Central Administration (UI) and Windows PowerShell support
  - Tools and guidance
- Enterprise scalability, manageability, and availability
  - Capacity
  - Topology
  - Performance
  - High availability

SharePoint is centrally managed using the Central Administration site and Windows PowerShell. It supports governance, security, and compliance at multiple levels, for almost every feature. SharePoint Server 2010 provides greater scalability, manageability, and availability.

Customization and Extensibility


The sites capability offers the following components, features, and functionality to enable an organization to customize and extend SharePoint:

- Theming and branding
- Out of the box solutions, templates, and Web Parts
- Custom solutions: From no-code to Microsoft Visual Studio
- Workflow, SharePoint Designer, InfoPath Services, Microsoft Visio Services, Microsoft Excel Services, Microsoft Access Services
- Microsoft .NET, Microsoft Silverlight
- Business Connectivity Services: Interact with line-of-business data
- SharePoint and client object models
- Web services, application programming interfaces (APIs; SharePoint and client object models), REST
- ISV and community solutions
- Codeplex: http://go.microsoft.com/fwlink/?LinkId=111138
- Manageability: Constrain, debug, manage application life cycle

Following are some important points related to customization and extensibility:

- Themes and branding features support customizing the look and feel of SharePoint sites.
- You can deliver rich functional solutions using out of the box solutions, templates, and Web Parts.
- SharePoint is a platform on which you can easily create and deploy solutions, from simple, no-code solutions to more complex solutions developed with Visual Studio.
- SharePoint provides ways to interact with line-of-business applications and data sources. One of the most important data connection and interoperability features is Business Connectivity Services.
- There is a vast ecosystem of community and ISVs who support and extend SharePoint.
- With SharePoint, an enterprise can govern and manage code customizations and extensions.

Interoperability and Platform Consolidation


The sites capability offers the following components, features, and functionality to support a variety of relationships with other systems in an enterprise:

- Interoperability
- Platform consolidation
  - Replace point solutions
  - Integrated capabilities: One platform for intranet, extranet, and Internet

SharePoint provides a unified infrastructure that delivers a broad range of functionality that might take several tools from other vendors to deliver, at which point you have to know how to integrate them. This infrastructure gives you a way to deploy, secure, manage, maintain, back up, and monitor operations.

Question: What are the business outcomes supported by interoperability?

Question: What are the business outcomes supported by platform consolidation?

Additional Reading
Microsoft SharePoint 2010 Sites (SP2010_Sites_Datasheet.pdf) at http://go.microsoft.com/fwlink/?LinkID=197249&clcid=0x409

Communities

The communities capability encompasses much of what people think of as business collaboration.

Enterprise Collaboration
The communities capability offers the following components, features, and functionality to enable collaboration between users:

- Lists
  - Fundamental construct in which content is stored
  - Out of box lists: Calendar, contacts, tasks, announcements, surveys
- Libraries
  - Fundamental construct in which documents are stored
  - Version control, check in, check out, document workflows
- Alerts and Really Simple Syndication (RSS)
- Business process automation: Workflows
  - Out of box workflows
  - Document routing
  - SharePoint Designer 2010

SharePoint Foundation delivers much of the out of box enterprise collaboration functionality that makes up the communities capability.

Identity and Profile


The communities capability offers the following components, features, and functionality to define a user and the user profile:

- My Sites
- User profiles
  - Active Directory and other sources
  - Attributes: Biography, job title, location, contact information, previous projects, interests, skills
  - Photos, presence, and contact card
- Organizational relationships
  - Manager, teams, colleagues (Add a Colleague)
- Expertise: Assigned or professed (Ask Me About)
- Social data mining
  - SharePoint teams
  - Office Communicator contacts
  - E-mail communication patterns and content
  - Colleague and keyword suggestion

Following are some important points related to identity and profiles:

- My Sites are the social networking hub for interacting with individuals in an organization, designed to help build relationships between users and to connect people in an organization.
- User profiles are a collection of attributes that can be synchronized with Active Directory and other sources. Users can also define their own attributes.
- A user's My Site exposes the user's profile, and SharePoint enables the organization and the individual to manage the visibility of profile attributes to various audiences.
- User photos, presence, and contact information are displayed throughout the SharePoint UI.
- Relationships are defined by authoritative sources, such as Active Directory, by user membership in teams, and by users who can add their own colleagues.
- Expertise can be defined centrally and by the user through the Ask Me About section of their profile.
- SharePoint can discover and suggest areas of expertise by mining the user's memberships, contacts, e-mail communication patterns, and e-mail content.
- Through such mining activities, SharePoint can suggest keywords and colleagues to help users refine their profile.

User-Generated Content and User Feedback


The communities capability offers the following components, features, and functionality so that users can generate unstructured content and provide feedback regarding content of any type:

- User-generated content
  - Blogs, wikis (with rich media), discussions, podcasting, videos
  - Status update
  - My Network feed
  - Activity
  - Recent Activities feed
- User feedback
  - Share & Track tab on the ribbon
  - Tags
  - Social/content tagging and expertise tagging
  - Tag cloud control
  - Tag profiles: Communities of interest around a tag
  - Ratings
  - Note board: Comments and questions
  - Social bookmarking

Following are some important points related to user-generated content and user feedback:

- User-generated content typically refers to less-structured forms of content, including blogs, wikis, and discussion forums. It also refers to microblogging activities such as when users update their status or even simply author a document.
- User feedback encompasses activities and channels through which users give input on content. User feedback information can help users discover and make use of content based on what others think of the content.
- The note board is similar to the wall in Facebook. A user's My Site has a note board, but any site, library, list, or document can also have a note board.
- Social bookmarking is a way to share favorite sites with a community of users and to discover new sites and resources from colleagues with similar interests. It replaces the My Links feature in SharePoint 2007.

Business Communities
By combining the power of collaborative capabilities with social computing technologies, SharePoint enables an organization to achieve the goals of both the customer (user base) and manager (IT) of the technology.

Manageability and Extensibility


The communities capability offers the following components, features, and functionality to enable an organization to manage and extend SharePoint:

- Security, privacy, and compliance
- Centralized configuration and management of business policies
- Monitoring, auditing, and reporting
- Balance governance with empowerment
- Extensibility

Enterprise social networking with SharePoint is manageable, secure, and compliant.

Content

A fundamental output of users and business collaboration activities is content. The content capability delivers functionality that supports the management of content throughout its life cycle. SharePoint interoperates with or replaces other content management systems.

Support for Content and Interaction with Content


The content capability offers the following components, features, and functionality to support a tremendous range of content and a diverse set of modalities with which to interact with content:

- Support for a tremendous range of content
  - Documents
  - Records
  - Web content
  - Rich media: Audio, video
- Interaction with content
  - Viewing
  - Editing
  - Coauthoring
  - Output (Word Automation)

Following are some important points related to support for content and interaction with content:

- Users can store just about any type of content in SharePoint, including content that has been traditionally stored in distinct systems.
- SharePoint provides numerous modalities in which users can interact with content, including viewing (in the browser or in client applications), output, editing, and even concurrent coauthoring, with the Office Web Apps.

Question: What business outcomes does SharePoint's support for a variety of content types and modalities of interaction with the content facilitate?

Document and Records Management


The content capability offers the following components, features, and functionality to enable an enterprise to manage documents and records:

- Content Organizer: Document routing
- Unique document IDs and permalinks
- Document sets
- In-place records management
- Cross-farm content policy and rules
  - Access, information rights
  - Retention, legal holds, disposition
- Location-based policy
- Automatic application of metadata

Following are some important points related to document and records management:

- Document and records management features are integrated into every site.
- You can specify document routing rules that allow documents to be dropped into a library and then automatically moved to the appropriate library based on metadata and business logic.
- You can create document sets, which are collections of documents that can be treated as a unit, with a collective version history and metadata that applies to the collection.
- You can specify metadata, retention schedules, record declarations, and legal holds and apply them consistently.
- SharePoint provides for multistage disposition of documents.
- Policies can be location-based. SharePoint can automatically apply metadata based on a document's location and other business logic.

Question: What are the business outcomes supported by SharePoint's support for a variety of content types and modalities of interaction with the content?

Definition of Content and Metadata


The content capability offers the following components, features, and functionality to define content and metadata, and thereby to create and manage content:

- Structured and unstructured content
  - Blogs, wikis, discussion forums
  - Defined content types with metadata, workflows, templates, and rights management
- Managed Metadata Service
  - Tags: Taxonomy & folksonomy
  - Multilingual metadata
  - Enterprise content types
- Use of metadata
  - Tagging content: Manual and automatic
  - Visibility of tags: Item, site, client
  - Metadata-driven navigation
  - Search refiners

Following are some important points related to definition of content and metadata:

- SharePoint supports content that is unstructured and free-form, such as blogs, wikis, and discussion forums, as well as highly structured content and everything in between.
- The Managed Metadata Service (MMS), new in SharePoint 2010, provides a central repository and management capability for what are generally called tags. Tags are arranged in a hierarchical structure that can be delegated to appropriate business owners. Tags can be centrally driven (taxonomy) or user submitted (folksonomy) or both, and tags are enabled for multiple languages.
- The MMS also deploys content types across sites, site collections, Web applications, and farms so that an enterprise can maintain better control over the definition of and metadata associated with content, as well as information management policies for that content.
- You can use metadata (tags) in numerous ways, and SharePoint 2010 provides a variety of methods with which to tag content and view tags. You can even have tags applied to content automatically, based on the item's location or other rules. Additionally, you can use metadata to create dynamic navigation and to provide search refiners.

Manageability and Extensibility


The content capability offers the following components, features, and functionality to enable an organization to manage and extend SharePoint:

- Manageability
  - Deploy across sites, site collections, Web applications, and farms
  - Secure, configure, and audit use of metadata
- Remote binary large object (BLOB) storage
- Integrate with other systems and legacy repositories
- Open, highly documented, extensible platform
- Support for interoperability standards
  - XML, SOAP, RSS, REST, WebDAV, and WSRP

Some important points related to manageability and extensibility of the content capability are as follows:

- The MMS and other services related to the content capability are manageable and governable across your entire enterprise.
- SharePoint can store content in remote systems, including the file system, using remote BLOB storage.
- SharePoint is a platform that you can extend in numerous ways, and it supports many interoperability standards.

Question: What are the business outcomes supported by extensibility and interoperability in the content capability?

Additional Reading
Microsoft SharePoint Server Content (SP2010_Content_Datasheet.pdf) at http://go.microsoft.com/fwlink/?LinkID=197250&clcid=0x409

Search

Users can browse SharePoint's content structures (sites, lists, and libraries) for content, but searching is often a more effective means of locating content. The search capability is self-explanatory and is detailed in Module 11.

People and Expertise Search


The search capability offers the following components, features, and functionality to search for people and expertise:

- Unlock knowledge not found in documents
  - Communications
  - Behaviors
  - Relationships
- Organization chart browser
- Search
  - Nickname and phonetic matching
  - Recently authored content
- People- and expertise-specific refinement
  - Responsibilities, memberships, past projects, interests

Following are some important points related to people and expertise search:

- You can connect with people and expertise by using search skills, tools, and experiences that you typically apply to searching for content.
- With people and expertise search, you can unlock the knowledge that is not stored in traditional content and the value that is found in people-to-people connections and social behavior.
- SharePoint 2010 features an organization browser that exposes a visual, navigable view of organizational relationships.
- In addition to looking for people and expertise, you can use people and expertise metadata to improve the relevance and refine the results of traditional content searches.

Content Sources, Indexing, and Query


The search capability offers the following components, features, and functionality to make content available for effective and efficient searching:

- Content sources and indexing
  - Support for 400+ structured and unstructured content types
  - Advanced content processing with strong linguistics
  - Eighty-five languages
  - Ability to build and manage connections to external content repositories
  - Common connector framework
- Query
  - Search scopes
  - Enhanced query syntax
  - Thesaurus and noise words
  - Phonetic and nickname people search
  - Query suggestions (Did you mean?)

Following are some important points related to content sources, indexing, and query:

- SharePoint is able to connect to and index a staggering range of content sources and content, and with the common connector framework, a developer can build connections to other content sources that can then be managed and queried like out of box content sources.
- The query experience is rich and is supported with features that significantly improve your ability to find the information you are looking for.

Results and Relevance


The search capability offers the following components, features, and functionality to produce accurate and helpful results:

- Results are security trimmed.
- Results are federated.
- Results have improved relevance based on usage and history.
- Results are presented in context to the user and the user's profile.
- Results have social relevance.
  - Click-through behavior of results from related queries
  - Social distance
- Related searches.

Following are some important points related to results and relevance:

- Users see only results for content to which they have access.
- SharePoint search results are federated, meaning that you see a unified list of results from all query services.
- Search results are relevant, presented using algorithms that include click-through behavior, usage, history, the user's own profile, and social distance.
- SharePoint even lists related searches along with search results, thereby pointing you toward search queries that may help you find the information you need.

User Search Experience


The search capability offers the following components, features, and functionality to provide users with a rich search experience:

- Results
  - Hit highlighting
  - Results summaries
- Visual search
  - Thumbnails
  - Previews
  - View in browser
- Refinement panel and sorting driven by metadata
  - Includes social distance, other people, and expertise metadata
  - Exact result counts with refiners (FAST)
- Search from the desktop, browser, or Windows mobile device

Following are some important points related to user search experience:

- Search results are rich, with hit highlighting, summaries, and visual search features including thumbnails, previews, and view-in-browser.
- Metadata-driven refinement including social metadata provides navigation, sorting, filtering, and narrowing down your results. Adding FAST provides exact result counts.
- Users can search SharePoint from the desktop using Windows 7 federated search, from one of several browsers on several platforms, or from a Windows mobile device.

Manageability and Extensibility


The search capability offers the following components, features, and functionality to enable an organization to manage and extend SharePoint:

- Infrastructure
  - Scalability: Improved topology, algorithms, and performance
  - FAST integration
- Manageability
  - Tune index and query behavior: Relevance, best bets
  - Monitor user search behavior
- Extensibility
  - Leverage the query object model and Web Parts
  - Create search-driven applications to enrich platform
  - Integrate with and aggregate other systems and information

Following are some important points related to manageability and extensibility of the search capability:

- SharePoint search is highly scalable.
- FAST enhances the out of box SharePoint search experience with numerous performance-enhancing and value-added features.
- SharePoint provides a unified administrative and management experience.
- SharePoint is extensible to support federation, aggregation, integration, and custom search applications.

Additional Reading
SharePoint Search Datasheet (SP2010_Search_Datasheet.pdf) at http://go.microsoft.com/fwlink/?LinkID=197251&clcid=0x409

Insights

The insights capability encompasses functionality that you can use to connect to data sources and present the data in meaningful ways that support decision making. It is the capability that most closely aligns with what the industry refers to as business intelligence.

Information Sources
The insights capability offers the following components, features, and functionality to connect with information from a broad range of data sources:

- SharePoint
- Business Connectivity Services: External data and systems
- PerformancePoint Services: Interactive scorecards and dashboards
- Visio Services: Browser-based rendering of Visio diagrams, including filtering, interaction with objects, and connections to data
- Excel Services
  - Secure, manage, and share Excel workbooks
  - Rendered in the browser
  - Embed workbooks in apps, desktop, blogs, and wikis
  - Programmability: JavaScript object model and REST API
- PowerPivot, SQL Analysis Services

Following are some important points related to information sources:

- With self-service access to information, users can discover and manage their aspect of the business with access to the right information.
- Business Connectivity Services connects you with external data and systems.
- PerformancePoint Services provide interactive scorecards and dashboards.
- Visio Services provides browser-based rendering of Visio diagrams and includes filtering, interaction with objects, and connections to data sources.
- With Excel Services, you can secure, manage, and use Excel workbooks as interactive reports rendered in the browser. You can embed workbooks in applications, blogs, and wikis and on the desktop. New programmability features include JavaScript object model and REST API.
- PowerPivot and SQL Analysis Services provide powerful reporting and analysis of very large data sets.

Presentation and Visualization of Information


The insights capability offers the following components, features, and functionality to aggregate information and present it in meaningful and productive ways:

- Presentation of information
  - Dashboards
  - Scorecards
  - Chart Web Part
    - Generate charts from Excel workbooks, Business Connectivity Services, or SharePoint lists
  - Status Indicator Lists
    - Key Performance Indicator (KPI) details highlighting ownership, date stamps, and thresholds
- Analytics and visualizations
  - Drill-down for deeper analysis and to understand issues and causality
  - Root cause analysis
  - Decomposition tree
  - Simplified navigation and interaction with information

Following are some important points related to presentation and visualization of information:

- Dashboards and scorecards are collections of information created from reusable components and data from SharePoint, PerformancePoint Services, Business Connectivity Services, Excel Services, Visio Services, PowerPivot, SQL Server Analysis Services, chart Web Parts, status indicators, and other Web Parts.
- Chart Web Part generates charts from Excel workbooks, Business Connectivity Services, or SharePoint lists.
- Status Indicator Lists show Key Performance Indicator (KPI) details highlighting ownership, date stamps, and thresholds.
- Rich analytics and visualizations provide root cause analysis and the decomposition tree. You can drill down on scorecards to understand issues and causality and to perform deeper analysis.

Additional Reading
Microsoft SharePoint Server 2010 Insights (SP2010_Insights_Datasheet.pdf) at http://go.microsoft.com/fwlink/?LinkID=197252&clcid=0x409

Composites

The composites capability offers the following components, features, and functionality to empower users to create no-code solutions that target specific needs and to enable an enterprise to manage ad hoc solutions:

- Access Services: Publish Access databases as Web apps
- Business Connectivity Services
  - Read-write access to back-end data
  - Disconnected experience: Microsoft Office Outlook, Microsoft Office Word, SharePoint Workspace
- Customizations: Browser, SharePoint Designer
- Workflows: Out of box, SharePoint Designer, Visio
- Forms: Customized Web forms or forms-based applications
- Visio: Publish diagrams, interact with objects and data
- Manageability
  - Governance over all no-code solutions features
  - Control over infrastructure, data, and applications

Following are some important points related to the composites capability:

- SharePoint gives you a plethora of ways to create a custom application without writing a single line of code.
- The enterprise gains control over such custom applications and can apply governance and security measures that are not possible when applications are ad hoc and not centrally managed.

Additional Reading
Microsoft SharePoint Composites (SP2010_Composites_Datasheet.pdf) at http://go.microsoft.com/fwlink/?LinkID=197253&clcid=0x409

Features of SharePoint 2010 Service Pack 1

Service Pack 1 (SP1) for SharePoint 2010 products and technologies adds a range of extra features and functionality, as follows:

- Site Recycle Bin: Without SP1, when an administrator deletes a site or site collection, it cannot be recovered, except by restoring it from a backup. Recovering accidentally deleted sites and site collections in this way is very time consuming. After you apply SP1, deleted sites and site collections are automatically placed in a Recycle Bin and can be recovered in the same way as accidentally deleted items and documents. For more information about the Site Recycle Bin, see Module 13, Implementing Business Continuity.
- Shallow Copy: In SharePoint 2010, you can configure files, such as documents, images, and videos, to be stored outside the content database. This configuration, which is called Remote BLOB Storage (RBS), improves performance in some circumstances. After you install SP1, if you have set up RBS and want to move a content database, you can do so without moving the BLOB files. This database movement technique is called Shallow Copy and can vastly reduce the volume of data that needs to be moved. For more information about Shallow Copy and RBS, see Module 4, Configuring Content Management.
- Office Web Applications Browser Support: Microsoft Office Web Applications, which enable you to create and edit Office documents in the web browser, now support Internet Explorer 9 and Google Chrome.
- Office Web Application Improvements: Extra functionality has been added to Office Web Applications in SP1. For example, in Excel, you can insert a chart; in Word, you can print in Edit Mode.
- StorMan.aspx: This page displays a list of a user's files and compares them to the user's quota. By providing access to this page, you can enable users to assess their data usage and avoid quota restrictions. This page was available in SharePoint Server 2007, but not in SharePoint Server 2010 without SP1.
- Search: The SharePoint Search crawler process has a new file type handler that enables it to index PowerPoint .ppsx files.
- SQL Server 2012 support: After you have installed SP1, you can create content and service application databases on the SQL Server 2012 database servers. SQL Server 2012 is the latest SQL Server version from Microsoft.

Additional Reading
Service Pack 1 for SharePoint Foundation 2010 and SharePoint Server 2010 at: http://go.microsoft.com/fwlink/?LinkId=234972
Service Pack 1 Tutorial at: http://go.microsoft.com/fwlink/?LinkId=234973

Introducing SharePoint Online

You can choose to subscribe to SharePoint as a cloud-based service from Microsoft instead of purchasing and implementing SharePoint on your premises. This cloud-based service, known as SharePoint Online, supports many of the features available in an on-premise SharePoint farm, and is part of Microsoft's Office 365 cloud-service package.

SharePoint Online Features


If you subscribe to SharePoint Online, you receive almost all of the features found in an on-premise farm, such as:

- Team Sites: SharePoint Online includes a predefined site called Team Site. You can use this as the basis of all your organization's content creation and management activities. For example, you can create subsites for projects, products, or teams; use a wide range of site templates; create and apply metadata to content; and create custom workflows to manage processes.
- My Sites and User Profiles: Just like in SharePoint Server, in SharePoint Online each user has a profile of properties and can create content in their own personal Web site called My Site. This site can become the basis of social networking within your organization.
- Web Sites: A simple Web-facing Internet site is included with each SharePoint Online subscription. Many subscribers use this as their principal customer-facing Web site. It includes rich Web content along with management capabilities, and a range of pre-built site templates and themes.
- Office Web Applications: By using Office Web Applications, users can create and edit Microsoft Office documents in the browser, even when they do not have Office installed. This is helpful when users access SharePoint from a kiosk computer, a non-Windows computer, a tablet, or another mobile device.

This is not a complete list of features, but illustrates the functionality that is available in SharePoint Online. A small number of SharePoint Server features, such as farm solutions, are not available in SharePoint Online because they have the potential to compromise stability in a shared environment. However, power users and developers can customize functionality with user solutions. For more details about SharePoint Online, see Module 15: SharePoint Online and Office 365.


Office 365
SharePoint Online is part of Microsoft's Office 365 subscription service. This includes the following components, in addition to SharePoint:

- Exchange Online: Exchange provides email storage, delivery, and processing. Users can collect and respond to emails by using Outlook 2010, a browser, or a Windows Phone. Other devices may also be able to connect, and text messaging services are included.
- Lync Online: Microsoft Lync is an integrated messaging platform that includes presence information, instant messaging, file exchange, and audio, video, and desktop conferencing.
- Office Professional Plus: An enterprise subscription to Office 365 includes licenses for the Office 2010 desktop suite of software.

When you subscribe to Office 365, choose from a Small Business subscription or an Enterprise subscription. A Small Business subscription has some limitations. For example, you can only create one website. An Enterprise subscription has fewer limitations and includes the Office Professional Plus desktop software.

Why Choose SharePoint Online and Office 365?


The software-as-a-service model provides a number of substantial benefits to subscribers. In the case of SharePoint Online, Microsoft is responsible for running and maintaining SharePoint, not your own IT staff. In addition, a subscription includes a Service Level Agreement (SLA) that guarantees up to 99.9% up time. In other words, high availability is built into the service and is not your responsibility as a customer. Furthermore, Microsoft backs up all data on your sites and can restore it on request, although you may choose to implement your own extra disaster recovery regime.

Most importantly, the service scales smoothly and seamlessly as your business grows. All you have to do is add user accounts and content; Microsoft adds server resources to your subscription as required. This means you need not monitor for system bottlenecks, or purchase and implement extra hardware. Capacity planning is also very straightforward. All these responsibilities are taken out of your hands.

In addition, because Microsoft hosts and runs the SharePoint farm, it is not necessary to employ and train a large staff of SharePoint professionals. This is particularly attractive to small and medium-sized businesses.

Some organizations prefer to take a hybrid approach. For example, they might use SharePoint Server on-premise to support their office-based users, and SharePoint Online to support sales staff who are constantly travelling and need access from client sites and wireless access points. Content synchronization can be used to exchange documents and items between these farms. You can also integrate SharePoint Online with other cloud-based services, such as applications built on Windows Azure or SQL Azure.

Additional Reading
- Office 365 Homepage: http://go.microsoft.com/fwlink/?LinkId=225285
- What is Office 365?: http://go.microsoft.com/fwlink/?LinkId=234974
- SharePoint Online Homepage: http://go.microsoft.com/fwlink/?LinkId=234975


Lesson 2

Preparing for SharePoint 2010

As you learned in the previous lesson, SharePoint 2010 is a platform that itself relies on a wide range of other Microsoft technology platforms. Before you can install SharePoint 2010, you must prepare your hardware and software environment to support the dependencies and interactions with SharePoint products and technologies.

After completing this lesson, you will be able to:

- Identify the roles and topologies in SharePoint farms.
- Describe the infrastructure requirements for installing SharePoint 2010.
- Describe the prerequisites for installing SharePoint 2010.
- Install the software prerequisites for SharePoint.
- Describe the interaction between SharePoint services, Active Directory, and SQL Server.
- Create the various user accounts required to install SharePoint.
- Assign permissions and rights required to install SharePoint.
- Describe the client browser and application requirements for installing SharePoint 2010.


Roles and Topologies in SharePoint Farms

A SharePoint farm consists of one or more servers playing one or more roles. The Web front-end (WFE) role renders content to users, and therefore hosts the Web applications (Web sites) with which users interact. The content of those Web sites is stored in a SQL Server database, which is therefore another role, the database role. A number of services and applications provide functionality, such as search, and administrative and management capabilities, such as Central Administration. Each of these is a distinct role, and a server hosting one of these back-end services or administrative sites is referred to as playing an application server role. The roles can be consolidated on a single server or spread across multiple servers in a variety of topologies. These topologies are summarized on the slide and are detailed in Module 12, Installing and Upgrading to SharePoint 2010.


Infrastructure Requirements

SharePoint Server 2010 is a powerful platform that can scale to meet the most demanding enterprise scenarios. As such, the hardware requirements for SharePoint begin with a minimum hardware base with at least four processor cores running 2.5 GHz and 8 GB of RAM.

SharePoint 2010 is a 64-bit platform, and therefore you must use 64-bit versions of the operating system on each SharePoint server and for SQL Server. Windows Server 2008 with Service Pack 2 (64-bit) or Windows Server 2008 R2 (which is only 64-bit) is required.

SQL Server is the required database platform. SharePoint Server 2010 requires one of the following:

- SQL Server 2005 Service Pack 3 (SP3) with Cumulative Update 3 (64-bit)
- SQL Server 2008 SP1 with Cumulative Update 2 or Cumulative Update 5 or later (64-bit)
- SQL Server 2008 R2 (which is only 64-bit)
- SQL Server 2012 (requires SharePoint Server 2010 SP1)

It is highly recommended that you use the latest versions of the operating system and SQL Server to take advantage of the maximum number of features. For example, you need SQL Server 2008 R2 to take advantage of failover, Power Pivot, and Access Services reporting features. If you are investing in infrastructure for Microsoft Office SharePoint Server 2007, invest in 64-bit hardware to reduce the number of steps required to migrate to SharePoint Server 2010. Migration from 32-bit to 64-bit platforms is detailed in Module 12.

Additional Reading
Hardware and software requirements (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkId=234752


Infrastructure Options

Microsoft allows you to install SharePoint on a client operating system to support development. The following are supported, with at least 4 GB of RAM:

- The Windows Vista operating system with Service Pack 2 or later (64-bit).
- The Windows 7 operating system (64-bit).

Such a model should not be used for production purposes.

You can also access SharePoint through a hosted service such as one of several offerings from Microsoft and its partners, including the following:

- Microsoft Online, which offers Office 365, a per-user subscription to SharePoint Online, Microsoft Exchange Online, and Microsoft Lync Online. Microsoft Online also offers dedicated SharePoint hosting to large customers. You will learn more about SharePoint Online in Module 15.
- Microsoft's consumer and small business services, Windows Live and Office Live, provide some SharePoint functionality. For example, at the time of publication Windows Live SkyDrive allows users to edit Excel and PowerPoint documents in the browser, which is functionality provided by Office Web Apps.

You can mix and match internally hosted farms with externally hosted services to meet varied business requirements.

Additional Reading
- Setting Up the Development Environment for SharePoint Server, at http://go.microsoft.com/fwlink/?LinkID=164557
- Microsoft Online, at http://go.microsoft.com/fwlink/?LinkId=191565


Overview of SharePoint Licensing

SharePoint licensing is complex because of the number of products that are involved. It is important that you consult with your licensing representative to ensure compliance for your SharePoint implementation. The most typical implementation involves purchasing licenses for Windows Server 2008 or Windows Server 2008 R2 for each SharePoint server and a quantity of per-user client access licenses (CALs) for each SharePoint user. SQL Server is typically installed with a per-processor license, which does not require CALs for users. If you are using SharePoint Foundation 2010, no additional license is required. If you are using SharePoint Server 2010, however, you need a server product license for each SharePoint server and CALs for each user. SharePoint Standard CAL provides access to the basic level of SharePoint Server 2010 functionality including My Sites and search. With the Enterprise CAL, which is an add-on to the Standard CAL, you can deploy features such as Excel Services and Office Web Applications.

Enterprise Client Access License


The Enterprise CAL is for organizations looking to enable advanced scenarios for end users to locate, create, and act on data and documents in disparate sources from within a familiar and unified infrastructure. Use the Enterprise CAL capabilities of SharePoint to interoperate fully with external line-of-business applications, Web services, and Microsoft Office client applications; make better decisions with rich data visualization, dashboards, and advanced analytics; and build robust forms and workflow-based solutions.

Standard Client Access License


The Standard CAL is for organizations looking to deploy a business collaboration platform across all types of content. Use the core capabilities of SharePoint to manage content and business processes, find and share information and expertise, and simplify how people work together across organizational boundaries.

Additional Reading
SharePoint editions at http://go.microsoft.com/fwlink/?LinkID=196255


Role, Software, and Configuration Prerequisites

There is a long list of software and configuration prerequisites:

- The following server roles: Web Server (IIS), Application Server
- Hotfix for Microsoft Windows (KB976394 for Windows Server 2008 / KB976462 for Windows Server 2008 R2)
- Windows Identity Foundation (KB974405)
- Microsoft Sync Framework Runtime v1.0 (x64)
- Microsoft Chart Controls for Microsoft .NET Framework 3.5
- Microsoft Filter Pack 2.0
- Microsoft SQL Server 2008 Analysis Services ADOMD.NET
- Microsoft Server Speech Platform Runtime (x64)
- Windows PowerShell 2.0 (for Windows Server 2008)
- Optional: Microsoft Server Speech Recognition Language
- Optional: Microsoft SQL Server 2008 R2 Reporting Services Add-in for SharePoint Technologies (SSRS)

Additional Reading
Details and links to all prerequisites can be found at "Hardware and software requirements (SharePoint Server 2010)" at http://go.microsoft.com/fwlink/?LinkId=234752


Installing Prerequisites

You must install SQL Server prior to installing other SharePoint prerequisites.

Microsoft SharePoint 2010 Products Preparation Tool


Microsoft SharePoint 2010 Products Preparation Tool, also known as the prerequisite installer, can download and install all of the prerequisites for you, automatically. To run the Preparation Tool, log on as the setup user account, for example, SP_Admin. The setup user account is further described in a later topic. Then, launch the tool from the Install software prerequisites link on the SharePoint Server 2010 Start page (Default.hta), shown in the following graphic, or directly by using PrerequisiteInstaller.exe.


The Preparation Tool scans for each prerequisite. If a prerequisite is not found, the tool downloads, installs, and configures the prerequisite. If there is an error, for example, if downloading the prerequisite fails, the tool stops and produces an error message that indicates which prerequisite failed. You can find details of the failure in the error log, which is located in the %TEMP% folder. The tool displays a link to the log. After you have remediated the problem, rerun the tool. Repeat the process until all prerequisites have been installed and configured successfully.

Optional Prerequisites
Two prerequisites are optional: Microsoft Server Speech Recognition Language and Microsoft SQL Server 2008 R2 Reporting Services Add-in for SharePoint Technologies (SSRS). If the Preparation Tool cannot find or install these prerequisites, it generates an error, but you can continue to the next step in installing SharePoint Server 2010.

Question: Does your organization allow servers to access the Internet directly? If not, why not?


Additional Prerequisites

You must install and configure several prerequisites manually. Use the information on this slide as a checklist of prerequisites to evaluate in the context of your enterprise and your SharePoint implementation. After class, read about these items and determine whether they are necessary in your environment.

The ADO.NET Data Service Update is used by services like REST Web services.

If you use Claims-based authentication, you need to apply KB979917 (http://go.microsoft.com/fwlink/?LinkID=196882&clcid=0x409) for ASP.NET.

The third prerequisite is to disable loopback checking. Windows Server 2008 (and Windows Server 2008 R2) blocks access to a Web site if the request for the Web site originates on the server itself. This prevents you from using a browser on a SharePoint server to browse to a site on the same server farm. Of course, it is not recommended that you log on to a SharePoint server and use a browser in the production environment, but this scenario may be more common in a development, testing, or training environment. However, the loopback checking also prevents SharePoint services, most notably the search crawler that indexes SharePoint content, from accessing sites on the same server farm. The crawl process will generate Access Denied events, and no content will be indexed.

The problem is solved by removing or controlling the loopback checking. Microsoft Knowledge Base article 896861 has the details. The article discusses two options. Method 1 involves specifying all sites hosted on the server so that the server allows requests to those sites to originate on the same server. Method 2 entails disabling loopback checking altogether, for all sites. Method 2 reduces the security of the server much more than Method 1. Therefore, Method 2 is recommended only for development and test environments.
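The two KB 896861 options described above, as an added PowerShell example that is not part of the course material. It reports which method a server currently uses, flags Method 2 on a production server, and applies Method 1 for a list of host names. The registry value names are the ones the KB article documents; the host names are constructed placeholders.

```powershell
# Added example, not course code. Run from an elevated PowerShell prompt.
# Registry values are those documented in Microsoft KB 896861.
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LoopbackCheckState {
    # Method 2 marker: DisableLoopbackCheck (DWORD) = 1 turns the check off for all sites.
    $lsa = Get-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    # Method 1 marker: BackConnectionHostNames (multi-string) lists the exempted host names.
    $msv = Get-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue

    $names = @()
    if ($msv) { $names = @($msv.BackConnectionHostNames | Where-Object { $_ }) }

    New-Object PSObject -Property @{
        LoopbackCheckDisabled = [bool]($lsa -and ($lsa.DisableLoopbackCheck -eq 1))
        AllowedHostNames      = $names
    }
}

function Add-BackConnectionHostName {
    # Method 1: exempt only the named sites. Existing entries are preserved.
    param([Parameter(Mandatory = $true)][string[]]$HostName)

    $current = @((Get-LoopbackCheckState).AllowedHostNames)
    $merged  = @(($current + $HostName) | Where-Object { $_ } | Sort-Object -Unique)
    New-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    $merged
}

function Test-LoopbackCheckPolicy {
    # Returns $false when Method 2 is in effect on a server declared as production,
    # following the recommendation that Method 2 is for development and test only.
    param([ValidateSet('Production', 'Test', 'Development')][string]$Environment = 'Production')

    $state = Get-LoopbackCheckState
    if ($state.LoopbackCheckDisabled -and ($Environment -eq 'Production')) {
        Write-Warning 'DisableLoopbackCheck = 1 (Method 2) is set on a production server. Use Method 1 instead.'
        return $false
    }
    return $true
}

# Constructed sample host names: replace with the host headers of your Web applications.
$sites = 'intranet.contoso.com', 'mysites.contoso.com'

# Report the current state and evaluate it against the policy.
Get-LoopbackCheckState | Format-List
Test-LoopbackCheckPolicy -Environment Production | Out-Null

# Uncomment to apply Method 1 for the sample host names.
# Add-BackConnectionHostName -HostName $sites
```

Follow the restart instructions in KB 896861 after changing either value.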

Additional Reading
- An update is available that provides additional features and improvements for ADO.NET Data Services in the .NET Framework 3.5 SP1 on a computer that is running Windows 7 or Windows Server 2008 R2, at http://go.microsoft.com/fwlink/?LinkID=200826&clcid=0x409
- Two issues occur when you deploy an ASP.NET 2.0-based application on a server that is running IIS 7.0 or IIS 7.5 in Integrated mode, at http://go.microsoft.com/fwlink/?LinkID=196882&clcid=0x409
- You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version, at http://go.microsoft.com/fwlink/?LinkID=196884&clcid=0x409


SharePoint, SQL Server, and Active Directory

SharePoint has close relationships with and dependencies on SQL Server and Active Directory. Active Directory provides identity and authentication services. In other words, it stores user accounts (user names and passwords), other identity and group information, and validates account logons. These services support users logging on to SharePoint sites. They also support the accounts used by SharePoint and SQL services themselves. SQL Server stores almost all of the configuration and content of a SharePoint farm. SQL Server services, like all Windows services, run using an identity. SharePoint services also run with Active Directory credentials. The credentials are used by SharePoint to access data in SQL Server. These accounts must have SQL logins so that SQL can authorize the access. These SQL logins are created automatically by SharePoint during setup and the creation of Web applications.


Service Accounts

Before installing SharePoint, you must ensure that there are appropriate accounts, logins, and permissions to support the interdependencies between SharePoint, SQL Server, Active Directory, and the SharePoint server itself.

SQL Server Service Account: SVC_SQL


SQL Server services use identities, or accounts. Like most Windows services, you can use a special identity such as System, Network Service, or Local Service, but it is a highly recommended best practice to use a domain user account. If the SQL Server is on a different computer than SharePoint, you must use a domain account.

Setup User Account (Human Being): SP_Admin


The setup user account, SP_Admin, is used by a human being to install and configure SharePoint. During setup and configuration, SharePoint creates SQL databases and logins, and modifies the server itself (for example, creating local groups). SharePoint setup and configuration uses the credentials of SP_Admin to perform such tasks, so SP_Admin must be a securityadmin and dbcreator on the SQL server, and must be a member of the local Administrators group. The only SQL login that you must manually create is the login for the setup user, SP_Admin, who actually performs the initial setup of the farm.

Server Farm Account: SP_Farm


During installation and configuration, the setup user, SP_Admin, assigns an account to the SharePoint farm (SP_Farm), which is the service account representing the SharePoint farm. The SP_Farm account is used by SharePoint to configure and manage the server farm. It is the identity used by the Central Administration site's application pool, and the identity used by the Timer service. It is critical that the SP_Farm account be added to the local Administrators group on each server on which SharePoint will be installed. The SharePoint Products Configuration Wizard automatically assigns the account the permissions it needs.

Web and Service Application Pool Account(s): SP_Service


Each Web application runs in an application pool. The application pool identity is a domain user account that is functionally equivalent to a service account, with permissions to access the content database for the Web application on the SQL Server. Service applications, such as Search or the Office Web Applications, are also Web applications. Therefore, they also run in an application pool with a domain user identity. Web and service application pool accounts are granted the permissions they need automatically during the provisioning of the application.

Search Crawler (Indexer) Account: SP_Crawl


The search crawler account is used to index content. It is automatically granted permissions to read all SharePoint content. It should be a unique account that cannot access content at any higher level. You must manually grant it permission to read any other content source that you configure it to index, for example, shared folders on servers.

User Profile Synchronization Account: SP_Sync


SharePoint user profile synchronization uses an account to synchronize profile attributes between Active Directory and SharePoint. This account is detailed in Module 9, User Profiles and Social Networking.
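A pre-installation check of the account requirements in this topic, as an added PowerShell example that is not part of the course material. The domain name CONTOSO, the SQL instance SQL01, and the rule that the pool, crawl, and sync accounts should hold no local administrator or SQL fixed server role membership before setup are assumptions.

```powershell
# Added example, not course code. Run elevated on the SharePoint server, before
# SharePoint setup, as a login that is allowed to view all SQL Server logins.
$Domain      = 'CONTOSO'   # placeholder domain name
$SqlInstance = 'SQL01'     # placeholder: SERVER or SERVER\instance

# Expected pre-installation state. The SP_Admin and SP_Farm rows follow the lesson;
# the remaining rows are an assumed least-privilege baseline.
$Expected = @{
    'SP_Admin'   = @{ LocalAdmin = $true;  SqlRoles = @('dbcreator', 'securityadmin') }
    'SP_Farm'    = @{ LocalAdmin = $true;  SqlRoles = @() }
    'SP_Service' = @{ LocalAdmin = $false; SqlRoles = @() }
    'SP_Crawl'   = @{ LocalAdmin = $false; SqlRoles = @() }
    'SP_Sync'    = @{ LocalAdmin = $false; SqlRoles = @() }
}

function Get-LocalAdministratorNames {
    # Direct members of the local Administrators group (nested groups are not expanded).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-SqlServerRoles {
    # Fixed server roles held by a login, read with a parameterized query.
    param([string]$Instance, [string]$Login)

    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=master;Integrated Security=SSPI")
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @'
SELECT r.name
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @login
'@
    [void]$cmd.Parameters.AddWithValue('@login', $Login)
    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $reader.GetString(0) }
    }
    finally {
        $conn.Dispose()
    }
}

function Test-SharePointAccountBaseline {
    $admins = @(Get-LocalAdministratorNames)
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $want    = $Expected[$name]
        $roles   = @(Get-SqlServerRoles -Instance $SqlInstance -Login "$Domain\$name")
        $isAdmin = $admins -contains $name
        # Roles the lesson requires but the login lacks, and roles it holds beyond the baseline.
        $missing = @($want.SqlRoles | Where-Object { $roles -notcontains $_ })
        $extra   = @($roles | Where-Object { $want.SqlRoles -notcontains $_ })

        $ok = ($isAdmin -eq $want.LocalAdmin) -and ($missing.Count -eq 0) -and ($extra.Count -eq 0)
        $status = 'Review'
        if ($ok) { $status = 'OK' }

        New-Object PSObject -Property @{
            Account      = "$Domain\$name"
            LocalAdmin   = $isAdmin
            MissingRoles = ($missing -join ', ')
            ExtraRoles   = ($extra -join ', ')
            Status       = $status
        } | Select-Object Account, LocalAdmin, MissingRoles, ExtraRoles, Status
    }
}

Test-SharePointAccountBaseline | Format-Table -AutoSize
```

After the farm is configured, SharePoint grants its accounts the SQL logins and permissions they need, so rerunning this check then reports those grants under ExtraRoles.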


Client Browser and Application Requirements

SharePoint 2010 generates most of its content using Web-standard XHTML that renders well across most browsers. Microsoft categorizes browsers into two categories, Level 1 and Level 2, to help customers align browser choice with the desired level of functionality.

Level 1 browsers support ActiveX and all SharePoint functionality on user and administrative pages.

- Operating systems: Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008. Browsers: Internet Explorer 7 (32-bit), Internet Explorer 8 (32-bit), Mozilla Firefox 3.5*
- Operating systems: Windows 7, Windows Server 2008 R2. Browsers: Internet Explorer 8 (32-bit), Mozilla Firefox 3.5*

* Note: Features provided by ActiveX controls, such as list Datasheet view and the control that displays user presence information, do not work in Mozilla Firefox 3.5, which does not support ActiveX.

Level 2 browsers support basic read, write, and administrative activities.

- Operating system: Apple Mac OS X Snow Leopard. Browsers: Apple Safari 4.x, Mozilla Firefox 3.5
- Operating systems: Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008. Browsers: Internet Explorer 7 (64-bit), Internet Explorer 8 (64-bit)
- Operating systems: Windows 7, Windows Server 2008 R2. Browser: Internet Explorer 8 (64-bit)
- Operating system: UNIX/Linux 8.1. Browser: Mozilla Firefox 3.5

Other standards-based browsers work with SharePoint with the same limitations as Level 2 browsers; however, Microsoft has not done extensive testing on browsers other than those listed and does not support use of other browsers. If you want to use a browser other than one listed in the preceding tables, you should perform testing to ensure that the browser delivers an acceptable user experience.

For published sites, page designers can apply Web Content Management features to control markup and styling so that published sites are compatible with additional browsers, including Microsoft Internet Explorer 6. However, it is the page designer's responsibility to create pages that target the browsers that are designated for support. Page designers and content authors must use a standards-based browser, such as Internet Explorer 8 or Firefox 3.5, to author content.

SharePoint-compatible applications can provide a rich, client-side interaction with SharePoint. Microsoft Office 2003 and later are compatible with SharePoint.

Additional Reading
Plan Browser Support, at http://go.microsoft.com/fwlink/?LinkID=196887&clcid=0x409


Lesson 3

Installing SharePoint 2010

You can use several methods to install and upgrade a SharePoint 2010 farm. In this lesson, you learn how to install SharePoint by using the wizard-driven setup and configuration tools, which make it easy to create a simple farm. In the next lesson, you learn about methods to automate installation, and in Module 12, you learn about ways to upgrade an existing farm to SharePoint 2010.

After completing this lesson, you will be able to:

- Describe the process for installing and configuring SharePoint 2010.
- Identify the configuration parameters required to install SharePoint.
- Install SharePoint to create a single-server farm.
- Configure SharePoint on a single-server farm.
- Apply service packs and cumulative updates to a single-server farm.


Process for Installing and Configuring SharePoint 2010

Installing SharePoint is a multiphase process. The four high-level steps for installing and configuring SharePoint are the following:

1. Install the prerequisites.
2. Install the SharePoint binaries.
3. Configure the SharePoint server and farm.
4. Configure services and applications on the farm.

You can perform each step with user interface tools or commands or scripts. In the following topics and lesson, you learn how to perform each of these steps.

Applying Service Packs and Cumulative Updates to a New Farm


If you are installing a new farm, ensure that your server software is up-to-date before users start to create content. Therefore, the application of service packs and updates is an important part of the installation. You can use two strategies to apply updates:

- Apply service packs and cumulative updates after you complete the installation of SharePoint. This approach can be taken at any time. However, because it requires an interruption in service, you should complete it before any users are given access to your new SharePoint farm. After update installation, you must run the configuration wizards. Therefore, for a new farm installation, apply updates after SharePoint binary installation and before configuring SharePoint.
- Slipstream the installation of updates by integrating them with the SharePoint installation media. If you choose this approach, the updates are installed simultaneously with the SharePoint binaries. Therefore the sequence of the installation steps listed above remains the same.

For more information about Slipstreaming updates, see Module 12: Installing and Upgrading to SharePoint 2010.


Configuration Parameters Checklist

Before you install SharePoint Server 2010, you must collect information that is required during the installation. Use the following items as a pre-installation checklist:

- You must know the user names and passwords for the accounts discussed in the previous lesson.
- You must know the SQL Server server name and instance name.
- You will be prompted for a configuration database name, for example, SharePoint_Config. Determine a naming strategy for SharePoint databases.
- You will be prompted for a port on which to host Central Administration. You must determine this.
- You will be prompted for a farm passphrase. You must determine this. You use the farm passphrase when making certain changes to the farm, for example, when adding a new server to the farm. With the farm passphrase, an administrator can perform farm-level changes without needing to know the password for the SharePoint farm account (SP_Farm). The farm passphrase should be long, complex, unique and should not be the same as the password used by any of the SharePoint administrative or service accounts. Be sure to document the password and store it in a physically secure location.
- You must know the product key or trial key. You must enter the product key during setup, but you can change it later in Central Administration.


Walkthrough: Install SharePoint to Create a Single-Server Farm

The following steps walk you through the manual installation of SharePoint Server 2010 binaries. During this step, program files are installed, components are registered, security settings are applied, and services are configured but not enabled. Installation with the user interface is wizard-driven. As long as you know the configuration information presented earlier in this lesson, installation is very straightforward.

1. Log on as the setup user account (SP_Admin).
2. Run the SharePoint Server 2010 Start Page (default.hta).


SharePoint Server 2010 installation now features a splash screen.

3. Click Install SharePoint Server.

Installation requires administrative credentials, so a User Account Control dialog box appears.

4. Click Yes.
5. Enter your product key or a trial key. You can change it later.


6. Click I accept the terms of the agreement.
7. Click Server Farm.

Important: It is recommended that you use the Server Farm installation.

The Standalone installation fully installs and configures SharePoint Server 2010 with all defaults, including the installation of SQL Server 2008 Express as the database server on the same server. The result is a standalone, single-server farm with all roles on one server. Standalone installation is not supported on a server that is a domain controller because SQL Server Express cannot be installed on a domain controller. It is not possible to add servers to a farm that was installed with the Standalone installation. Therefore, it is recommended that you use Standalone only for the most simple testing or development environments.

In all other scenarios, you should use the Server Farm installation option. You must have already installed SQL Server on the same server or on another server. However, with a Server Farm installation, you have the option of moving roles to other servers in the farm later.

If you select a Server Farm installation, you can specify the location of the SharePoint binaries and the SharePoint Root (formerly known as the 12 Hive, now the 14 Hive) in the File Location tab.


8. Select Complete.

The Stand-alone option presented on this page of the installation wizard creates a single-server farm with all components and roles. It is not possible to add another server to a farm that was installed with the Stand-alone option. This option is identical to the Standalone installation option discussed in an earlier step.

Installation proceeds.

At the end of the installation phase, the Setup application offers you the chance to proceed to the Configuration phase.


9. Clear the Run the SharePoint Products Configuration Wizard now check box.
10. Click Close.

The result is a SharePoint server that is ready to add to a farm. Until you add the server to a farm, no SharePoint functionality is available on the server.

1-50

Configuring and Administering Microsoft SharePoint 2010

Walkthrough: Configure SharePoint on a Single-Server Farm

After installing the SharePoint binaries, you can configure the server and, in the process, create a SharePoint farm or add the server to an existing farm. Configuration with the user interface is wizard-driven. As long as you know the configuration information presented earlier in this lesson, installation is very straightforward.

1. Log on as the setup user account (SP_Admin).
2. Run the SharePoint Products Configuration Wizard, which you can find in the Microsoft SharePoint 2010 Products program group on the Start menu.


3. Click Next.

You are warned that IIS and SharePoint services will be restarted.

4. Click Yes.


5. Select Create a new server farm.
6. Enter the configuration for the SQL Server: the name of the Database server (SERVER\instance if you are connecting to a specific instance of SQL Server) and the Database name.
7. Enter the farm account (SP_Farm) user name and password.


8. Enter the farm passphrase.
9. Enter the port number on which Central Administration will be hosted.
10. Choose an authentication provider. NTLM allows Central Administration to use Active Directory as the authentication provider. This is typically the best option for Central Administration.


11. Review the configuration, and then click Next. Configuration takes several minutes.

12. Click Finish. The SharePoint 2010 Central Administration site opens.


Applying Service Packs and Upgrades to Single-Server Farms

After you have installed SharePoint, you must verify that you are using the latest version of the software. Microsoft publishes updates that include security fixes, so you may be vulnerable to malicious attacks if you do not install all updates. Furthermore, service packs such as SP1 include new features that may help your users and other stakeholders. It is particularly important to install the following update types:

- Service Packs (SPs): These are regression-tested baselines and include both issue fixes and new functionality.
- Cumulative Updates (CUs): Cumulative Update packages apply fixes and optimizations, but do not include new features and are not regression tested. For SharePoint, CUs are published every 2 months. Each CU includes all the previous CUs; so, for example, it is not necessary to install the August 2010 CU and the October 2010 CU. Only the latest package is required.

Note: You should not install the June 2010 CU or later CUs until you have installed SP1.

For more information about the latest updates for SharePoint 2010 products and technologies, and for the latest updates, refer to the following site: http://go.microsoft.com/fwlink/?LinkId=234976

Which Service Pack and Cumulative Update?


Microsoft published SP1 for both SharePoint Foundation 2010 and SharePoint Server 2010. If your server runs SharePoint Foundation, then only one SP is required, but if you run SharePoint Server 2010, you must apply the SharePoint Foundation SP1 first, followed by the SharePoint Server 2010 SP1. There are also separate SPs for Project Server 2010 and FAST Search Server 2010. Starting from August 2010, the same rule is not true of CUs. Since that date, CU packages have been published every two months for the following products:

- SharePoint Foundation 2010
- SharePoint Foundation 2010 and SharePoint Server 2010
- SharePoint Foundation 2010, SharePoint Server 2010 and Project Server 2010

Therefore, you need only download and install a single package for the combination of products that you have installed.

The Importance of Testing and Recoverability


Because SPs and CUs are tested by Microsoft before they are published, installation problems should be rare. However, your environment is unique and may include customizations made by developers in your organization and third-party software. Therefore, it is important never to assume that the update installation will always proceed without problems, and you should prepare to recover from them. One way to ensure smooth deployment is to create and maintain a test farm, which is a lab-based SharePoint farm that matches the production farm as closely as possible, including any third-party software and custom code. All updates should be installed without errors on the test farm before you install them in the production environment. A test farm can also be used for other purposes, such as testing custom code and capacity. Furthermore, you should fully back up your production farm before deploying an update. If a problem arises when installing the update, you can quickly return to a working farm, prior to the update, and cause the minimum disruption to users. For more information about backing up and restoring a SharePoint farm, see Module 13: Implementing Business Continuity.

Recommended Installation Steps


As a best practice, use the following steps to apply an update:

1. Deploy the updates in a test farm and examine the results carefully.
2. Back up the production farm and perform a test restore to ensure recoverability.
3. Obtain the latest SP and CU.
4. Install the SPs. Ensure that you apply all the relevant SPs for your combination of products.
5. Reboot the server and run the SharePoint Configuration Wizard (PSConfig.exe).
6. Verify that the SP installed successfully.
7. Install the latest CU.
8. Reboot the server and run the SharePoint Configuration Wizard (PSConfig.exe).
9. Back up the production farm and perform a test restore.

This procedure is designed for production farms that are already in use and have live content. When you apply SPs and CUs to newly-installed SharePoint servers that have no content, you may decide to take fewer precautions because you can always reinstall from the beginning. Consider how long such a reinstallation might take when you decide whether to, for example, back up the farm at step 2.
For information about how to verify the updates, go to: http://go.microsoft.com/fwlink/?LinkId=234977


Lesson 4

Advanced Installation of SharePoint 2010

Manual installation and configuration, as presented in the previous lesson, is time consuming and prone to inconsistent implementation. In this lesson, you learn how to script the installation and configuration of SharePoint. You also learn how to install a language pack.

After completing this lesson, you will be able to:

- Perform a scripted installation of SharePoint prerequisites.
- Perform a scripted installation of SharePoint Server 2010.
- Execute a scripted configuration of SharePoint and a SharePoint farm.
- Install SharePoint language packs.


Overview of Scripted Installation

By scripting installation, an organization can reduce the time required to deploy a SharePoint server. Scripting also ensures that configuration is applied consistently, and therefore reduces the chance for errors and failure. Scripting is also required to automate the provisioning of SharePoint. There are three different mechanisms for scripting SharePoint installation and configuration, one mechanism for each of the phases of installation.


Scripted Installation of Prerequisites

Many organizations do not allow servers to have direct access to the Internet. The Preparation Tool can be directed to install prerequisites from a specific location, rather than downloading prerequisites from the Downloads Center at Microsoft.com. First, you must download all prerequisites. You can find links to prerequisites by using one of the following two options:

- Links to prerequisites are listed at http://go.microsoft.com/fwlink/?LinkId=234752
- Run the Preparation Tool and examine the log for error messages that are generated when the tool attempts to download each prerequisite. The URL to the attempted download is listed.

PrerequisiteInstaller.exe supports parameters that specify the location of each prerequisite. The syntax of each parameter is /PrerequisiteName:PathToInstallationFile. The PrerequisiteName parameters are listed on the slide. The path can be a local or Universal Naming Convention (UNC) path to which the setup user (SP_Admin) account used to run the prerequisite installer has Read permission.

The /unattended parameter causes the Preparation Tool to run in silent, unattended mode. No prompts or messages are displayed. Use this mode only when you are confident that prerequisite installation will be successful. You can type PrerequisiteInstaller.exe /? to display the help documentation for the switches.

Now that you know the parameters of PrerequisiteInstaller.exe, you can script prerequisite installation by using one of two methods:

- Open the command prompt and type a command line with PrerequisiteInstaller.exe and all of the switches on a single command line.
- Open Notepad and enter all switches on a single line. Save the file as PrerequisiteInstaller.Arguments.txt in the same folder as PrerequisiteInstaller.exe. Then, run PrerequisiteInstaller.exe. It automatically looks for the arguments file, called PrerequisiteInstaller.Arguments.txt, in the working directory.


You create a PrerequisiteInstaller.Arguments.txt file in the lab for this module.
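
The switch syntax and arguments file described above can be checked before the Preparation Tool is run, which matters most when /unattended will suppress every prompt and message. The following PowerShell is an added example, not part of the course materials: the function names, the hash manifest and the demo files are assumptions constructed for illustration.

```powershell
# Added example (not from the course): pre-flight check of PrerequisiteInstaller.Arguments.txt.
# Function names, the hash manifest and the demo files are constructed for illustration.

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing is used so the check also works on Windows PowerShell 2.0.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { return [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
    finally { $stream.Dispose(); $sha.Clear() }
}

function Test-PrerequisiteArguments {
    param(
        [Parameter(Mandatory = $true)][string]$InstallerFolder,
        [hashtable]$KnownHashes = @{}   # file name -> SHA-256 recorded when the file was downloaded
    )
    $folder  = (Resolve-Path -LiteralPath $InstallerFolder).ProviderPath
    $argFile = Join-Path $folder 'PrerequisiteInstaller.Arguments.txt'
    if (-not (Test-Path -LiteralPath $argFile -PathType Leaf)) { throw "Arguments file not found: $argFile" }

    $lines = @(Get-Content -LiteralPath $argFile | Where-Object { $_.Trim() })
    if ($lines.Count -gt 1) {
        Write-Warning "Switches span $($lines.Count) lines; the procedure puts them all on one line."
    }

    # A switch is /Name or /Name:Path; the path may be quoted.
    $pattern = '(?<!\S)/(?<name>[A-Za-z0-9]+)(?::(?<path>"[^"]+"|\S+))?'
    foreach ($m in [regex]::Matches(($lines -join ' '), $pattern)) {
        $row = @{ Option = '/' + $m.Groups['name'].Value; Path = $null; Exists = $null; HashOk = $null; Note = '' }
        $raw = $m.Groups['path'].Value.Trim('"')
        if (-not $raw) {
            # Switch without a path, for example /unattended.
            if ($row.Option -ieq '/unattended') { $row.Note = 'Silent mode: no prompts or messages are displayed' }
        }
        else {
            # Relative paths are resolved against the installer folder (the working directory).
            if ([System.IO.Path]::IsPathRooted($raw)) { $full = $raw } else { $full = Join-Path $folder $raw }
            $row.Path   = $full
            $row.Exists = Test-Path -LiteralPath $full -PathType Leaf
            $leaf = Split-Path $full -Leaf
            if (-not $row.Exists) { $row.Note = 'File not found' }
            elseif ($KnownHashes.ContainsKey($leaf)) {
                $row.HashOk = ((Get-Sha256Hex $full) -eq $KnownHashes[$leaf])
                if (-not $row.HashOk) { $row.Note = 'SHA-256 differs from the recorded value' }
            }
            else { $row.Note = 'No recorded hash to compare against' }
            if ($raw.StartsWith('\\')) { $row.Note = ($row.Note + ' (UNC source)').Trim() }
        }
        New-Object PSObject -Property $row | Select-Object Option, Path, Exists, HashOk, Note
    }
}

# --- Demo on constructed placeholder files (not real prerequisites) ---
$demo  = Join-Path $env:TEMP ('prereq-demo-' + [guid]::NewGuid())
$files = Join-Path $demo 'PrerequisiteInstallerFiles'
New-Item -ItemType Directory -Path $files -Force | Out-Null
Set-Content -Path (Join-Path $files 'sqlncli.msi') -Value 'constructed placeholder A'
Set-Content -Path (Join-Path $files 'MSChart.exe') -Value 'constructed placeholder B'

# Record hashes as if at download time, then alter one file to simulate a changed copy.
$known = @{
    'sqlncli.msi' = Get-Sha256Hex (Join-Path $files 'sqlncli.msi')
    'MSChart.exe' = Get-Sha256Hex (Join-Path $files 'MSChart.exe')
}
Add-Content -Path (Join-Path $files 'MSChart.exe') -Value 'modified after download'

# Synchronization.msi is deliberately absent so the missing-file case is reported.
Set-Content -Path (Join-Path $demo 'PrerequisiteInstaller.Arguments.txt') -Value (
    '/SQLNCli:PrerequisiteInstallerFiles\sqlncli.msi ' +
    '/ChartControl:PrerequisiteInstallerFiles\MSChart.exe ' +
    '/Sync:PrerequisiteInstallerFiles\Synchronization.msi /unattended')

Test-PrerequisiteArguments -InstallerFolder $demo -KnownHashes $known | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

On the demo data the report shows one file whose hash matches, one whose hash differs, one missing file, and the /unattended switch flagged as silent mode.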


Scripted Installation of SharePoint Server

You can script the installation of SharePoint binaries by specifying installation parameters in an Extensible Markup Language (XML) file named Config.xml by default. Microsoft provides sample Config.xml files in the SharePoint distribution. You can simply modify these files to match your environment. In most cases, you need only to remove the comment tags (<!-- and -->) and enter a valid product ID. The following Config.xml file installs a SharePoint server using the Server Farm installation option and the Complete server type.
<Configuration>
    <Package Id="sts">
        <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
    </Package>
    <Package Id="spswfe">
        <Setting Id="SETUPCALLED" Value="1"/>
    </Package>
    <Logging Type="verbose" Path="%temp%" Template="SharePoint Server Setup(*).log"/>
    <PIDKEY Value="36BY2-DVVJY-6426X-PXWVQ-BM342" />
    <Display Level="none" CompletionNotice="no" />
    <Setting Id="SERVERROLE" Value="APPLICATION"/>
    <Setting Id="USINGUIINSTALLMODE" Value="0"/>
    <Setting Id="SETUP_REBOOT" Value="Never" />
    <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
</Configuration>

The following sample Config.xml files are available in the Files folder in the SharePoint distribution:

| Configuration File | Description |
| --- | --- |
| Setup\Config.xml | Stand-alone server installation using Microsoft SQL Server 2005 Express Edition |
| SetupFarm\Config.xml | Server farm installation |
| SetupFarmSilent\Config.xml | Server farm installation in silent mode |
| SetupFarmUpgrade\Config.xml | In-place upgrade of an existing farm |
| SetupSilent\Config.xml | Stand-alone server installation using SQL Server 2005 Express Edition in silent mode |
| SetupSingleUpgrade\Config.xml | In-place upgrade of an existing single-server installation |


Scripted Configuration of SharePoint and the Farm

You can automate the Microsoft SharePoint 2010 Products Configuration Wizard using a Windows PowerShell script. Windows PowerShell is discussed in Module 3, Administering and Automating SharePoint, so it is beyond the scope of this topic to explain Windows PowerShell. The cmdlets (pronounced command-lets) listed on this slide are for reference purposes. However, in the lab for this module, you have the option of using a preexisting Windows PowerShell script to automate the configuration of the farm.
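
The configuration that the wizard performs can be expressed with the SharePoint 2010 cmdlets. The script below is an added example, not the lab's ConfigureSharePoint.ps1 or any Microsoft-supplied script; the server name, farm account, port and NTLM provider are the lab values used later in this module, and the two database names are assumptions.

```powershell
# Added example (not the lab's ConfigureSharePoint.ps1): scripted farm creation and Central Administration setup.
# Run elevated as the setup user (SP_Admin) on a server where the SharePoint binaries are already installed.
param(
    [string]$DatabaseServer       = 'SP2010-WFE1',              # lab value from this module
    [string]$FarmAccount          = 'CONTOSO\SP_Farm',          # lab value from this module
    [int]$CentralAdminPort        = 9999,                       # lab value from this module
    [string]$ConfigDatabase       = 'SharePoint_Config',        # assumed database name
    [string]$AdminContentDatabase = 'SharePoint_AdminContent'   # assumed database name
)
$ErrorActionPreference = 'Stop'

# Load the SharePoint cmdlets if this is a plain PowerShell session.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Prompt for both secrets so neither is stored in the script or typed on a command line.
$farmCredential = Get-Credential -Credential $FarmAccount
$passphrase     = Read-Host -Prompt 'Farm passphrase' -AsSecureString

# Create the configuration database and the Central Administration content database.
New-SPConfigurationDatabase -DatabaseName $ConfigDatabase -DatabaseServer $DatabaseServer `
    -AdministrationContentDatabaseName $AdminContentDatabase `
    -Passphrase $passphrase -FarmCredentials $farmCredential

Install-SPHelpCollection -All            # install the help collections
Initialize-SPResourceSecurity            # apply ACLs to SharePoint files, folders and registry keys
Install-SPService                        # install and provision the farm services
Install-SPFeature -AllExistingFeatures   # register the features present on disk
New-SPCentralAdministration -Port $CentralAdminPort -WindowsAuthProvider 'NTLM'
Install-SPApplicationContent             # copy shared application content

# Confirm the farm exists and show where Central Administration is listening.
Get-SPFarm | Select-Object Name, BuildVersion
Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication } |
    Select-Object Url
```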

Additional Reading
- Quick start: Deploy single server in an isolated Hyper-V environment (SharePoint Server 2010), at http://go.microsoft.com/fwlink/?LinkID=196892&clcid=0x409
- Install SharePoint Server 2010 by using Windows PowerShell, at http://go.microsoft.com/fwlink/?LinkID=196893&clcid=0x409


Language Packs

If you are working in an environment that needs to support multiple languages, you must also install language packs for SharePoint Server 2010.

Installation Process
The process by which you install language packs is described in the following sections.

1. Install Windows operating system language files
Before installing SharePoint language packs, you must ensure that the language files for the Windows operating system have been installed. Windows includes language files for many languages in its default configuration. However, if the languages you are supporting include any of the following, you must install the Windows language files manually:
- East Asian languages, including Chinese, Japanese, and Korean
- Complex script and right-to-left-oriented languages, including Arabic, Armenian, Georgian, Hebrew, the Indic languages, Thai, and Vietnamese

You can install Windows language files by using the Regional And Language Settings application in Control Panel.

2. Install SharePoint
You must install SharePoint before installing a SharePoint language pack. The language of the SharePoint installation becomes the default language for the farm and the language of administrative interfaces such as Central Administration. As you learned in the previous lesson, to install SharePoint you must first install the SharePoint binaries.

3. Run the SharePoint Products Configuration Wizard
Next, run the SharePoint Products Configuration Wizard to configure the farm with the default language.

4. Download the language pack
You can download language packs from the Microsoft Downloads Center. At the time of writing, there are 40 language packs available. You must download a language pack for each language you want to support with SharePoint. There is no single package of all languages. It is possible that the downloads for different languages may have the same file name. Watch out for this situation, and if it occurs, rename the downloads or save them to separate folders so that you do not overwrite a previously downloaded language pack.

5. Install on all Web servers so that content can be rendered
Install the language pack on all SharePoint servers that host user-facing Web applications so that content can be rendered in the required languages. Be prepared for the fact that the installation routine for a language pack is in the language of the pack, so the setup wizard's text and buttons will not be in the default language of the farm.

6. Run the SharePoint 2010 Products Configuration Wizard
Run the SharePoint 2010 Products Configuration Wizard on all servers on which language packs have been installed. This completes the installation and configuration of the language pack.

Uninstalling SharePoint when language packs have been installed
Uninstall all language packs before uninstalling SharePoint.

What Changes Are Made by Language Packs


When you install a language pack, language-specific site definitions are added to the language templates folder of the server, %COMMONPROGRAMFILES%\Microsoft Shared\Web server extensions\14\template\LocaleID. Afterward, when you create a web site, you can select the language of the new site. The default language is the language of the SharePoint installation. The new site uses the language for site toolbars, navigation bars, list names, and column headings. Left-to-right orientation is also rendered according to the language. You cannot change the language of a site after the site has been created. Additionally, with the Managed Metadata Service, you can assign terms to term stores in the languages that you have installed. The Managed Metadata Service is detailed in Module 4, Configuring Content Management.

What Does Not Change


Some UI elements such as error messages, notifications, and dialog boxes do not change, specifically those that are generated by supporting technologies, for example, the .NET Framework, Windows Workflow Foundation, or SQL Server. The File Not Found error page does not change. However, you can use Windows PowerShell to modify the SPWebApplication.FileNotFoundPage property to direct users to a single page for File Not Found errors, and you can create the custom page to present the error in any language.

Upgrade Alert
The following issue applies in only rare and specific situations, but it is important to raise the issue to the attention of administrators it affects. If you are upgrading from SharePoint 2007 and you are using Group Approval (eApproval) features with Chinese (Simplified), Chinese (Traditional), Japanese, or Korean languages, you must do the following before running the SharePoint Products Configuration Wizard:

1. Install the language pack.
2. Run psconfig.exe -cmd upgrade -inplace v2v.
3. Then, run the SharePoint Products Configuration Wizard.

Additional Reading
Deploy language packs (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=199614&clcid=0x409


Lab: Installing SharePoint 2010

Scenario
You have been asked to deploy a SharePoint farm to support Contoso's strategic initiatives related to enterprise collaboration. This single-server farm will act as a prototype, and executives, developers, and end users will use it to evaluate the new features of SharePoint Server 2010.

Start the virtual machines.


1. Start 10174A-CONTOSO-DC-A.
2. After CONTOSO-DC-A has completed startup, start 10174A-SP2010-WFE1-A.

Exercise 1: Creating Active Directory Accounts for SharePoint


Although you are creating a prototype environment, you must adhere to security best practices, including least privilege. In this exercise, you create accounts for SharePoint administration, services, and access to SQL Server. The main tasks for this exercise are as follows:

1. Create Active Directory accounts.
2. Create a SQL login for the SharePoint administrator.
3. Delegate administration of the SharePoint server.

Task 1: Create Active Directory accounts.


1. Log on to SP2010-WFE1 as CONTOSO\Administrator with the password Pa$$w0rd.
2. Open Active Directory Users and Computers.
3. Expand the contoso.com domain and then in the SharePoint OU, create the following user accounts. For each account, set the password to Pa$$w0rd, clear the User must change password at next logon check box, and select the Password never expires check box.

| Full Name | User Logon Name | Description | E-mail |
| --- | --- | --- | --- |
| SharePoint Administrator | SP_Admin | SharePoint Administrator and Setup User | SP_Admin@contoso.com |
| SharePoint Farm Service | SP_Farm | SharePoint Farm Service | SP_Farm@contoso.com |
| SharePoint Service Applications | SP_ServiceApps | SharePoint Service Applications | SP_ServiceApps@contoso.com |

4. Close Active Directory Users and Computers.

Task 2: Create a SQL Server login for the SharePoint administrator.


1. Open SQL Server Management Studio and connect to SP2010-WFE1 as CONTOSO\SQL_Admin with the password of Pa$$w0rd.
2. Create a login for CONTOSO\SP_Admin.
3. Assign the login the dbcreator and securityadmin server roles.
4. Close the Microsoft SQL Server Management Studio.

Task 3: Delegate administration of the SharePoint server.


1. Add CONTOSO\SP_Admin to the local Administrators group of SP2010-WFE1.
2. Log off of SP2010-WFE1.

Results: After this exercise, you should have accounts for SharePoint administration, services, and database access, each of which has been delegated the least privilege permissions required to install and configure SharePoint.

Exercise 2: Installing SharePoint Server Prerequisites


Scenario
You must install certain software components and perform specific configuration prior to installing SharePoint 2010. You use the Prerequisites Installer to ensure that the required elements are in place. The main tasks for this exercise are as follows:

1. Attempt to install SharePoint Server prerequisites.
2. Identify prerequisite installation errors.
3. Copy SharePoint prerequisite installation files.
4. Script the installation of SharePoint Server prerequisites.

Task 1: Attempt to install SharePoint Server prerequisites.


1. Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password Pa$$w0rd.
2. Run D:\Software\SharePointServer2010\default.hta.
3. Click Install software prerequisites.
4. Step through the Microsoft SharePoint 2010 Products Preparation Tool. The prerequisite installer prepares the server. The Microsoft SharePoint 2010 Products Preparation Tool displays the message, There was an error during installation. A summary of prerequisite installation status is also displayed.

Task 2: Identify prerequisite installation errors.


1. Click Review the log file.
2. Find the first instance of the text 976462. Observe the lines in the log file that indicate that the prerequisite installer checked for the existence of Hotfix for Microsoft Windows (KB976462).
3. Find the next instance of the text 976462. Observe the lines in the log file that indicate that the prerequisite installer attempted to download Hotfix for Microsoft Windows (KB976462) from microsoft.com. Observe the URL that was used. You can use this URL to download the prerequisite manually. Click Cancel and then close the log file.
4. Close the Microsoft SharePoint 2010 Products Preparation Tool and the SharePoint Server 2010 Start page.

Task 3: Copy SharePoint prerequisite installation files.


Copy and paste all of the files from D:\Software\SharePoint Prerequisites to D:\Software\SharePointServer2010\PrerequisiteInstallerFiles.

Task 4: Script the installation of SharePoint Server prerequisites.


1. Open Notepad. Type the following, on one line, with spaces between each switch:
/SQLNCli:PrerequisiteInstallerFiles\sqlncli.msi /ChartControl:PrerequisiteInstallerFiles\MSChart.exe /KB976462:PrerequisiteInstallerFiles\Windows6.1-KB976462-v2-x64.msu /IDFXR2:PrerequisiteInstallerFiles\Windows6.1-KB974405-x64.msu /Sync:PrerequisiteInstallerFiles\Synchronization.msi /FilterPack:PrerequisiteInstallerFiles\FilterPack.msi /ADOMD:PrerequisiteInstallerFiles\SQLSERVER2008_ASADOMD10.msi /ReportingServices:PrerequisiteInstallerFiles\rsSharePoint.msi /Speech:PrerequisiteInstallerFiles\SpeechPlatformRuntime.msi /SpeechLPK:PrerequisiteInstallerFiles\MSSpeech_SR_en-US_TELE.msi

Alternately, you can copy the contents of the file D:\Labfiles\Lab01\PrerequisiteInstaller.Arguments.txt and paste it into your Notepad document.

2. Save the file as D:\Software\SharePointServer2010\PrerequisiteInstaller.Arguments.txt.
3. Close Notepad.
4. Start the Command Prompt using the Run as administrator option.
5. Type the following commands, each followed by ENTER:

D:
CD Software\SharePointServer2010
PrerequisiteInstaller.exe

The Microsoft SharePoint 2010 Products Preparation Tool appears. In a production environment, you would also add the /unattended switch to the PrerequisiteInstaller.Arguments.txt file to specify a silent, unattended installation of SharePoint prerequisites. An unattended installation skips the Welcome page and the license agreement. For this lab, however, you did not use the /unattended switch so that you may observe the progress of the prerequisite installer and ensure that there are no errors in your script.

6. Step through the Microsoft SharePoint 2010 Products Preparation Tool. When installation has completed successfully, click Finish to close the tool.

Results: After this exercise, you should have installed and configured all SharePoint Server 2010 prerequisites.


Exercise 3: Installing SharePoint Server


Scenario
You are ready to install SharePoint Server 2010. In this exercise, you install the SharePoint binaries. In the next exercise, you finish the initial configuration of the SharePoint installation. You may choose to perform installation manually or to script the installation of SharePoint Server. The main tasks for this exercise are as follows:

1A. Install SharePoint Server.
or
1B. Script the installation of SharePoint Server.

Task 1A: Install SharePoint Server.


1. In the SharePointServer2010 folder, double-click default.hta.
2. On the SharePoint Server installation splash screen, click Install SharePoint Server. Complete the installation wizard using the following configuration information:
- For the Product Key, type 36BY2-DVVJY-6426X-PXWVQ-BM342.
- On the Permissions page, select the I accept the terms of this agreement check box, and then click Continue.
- On the Choose the installation you want page, click Server Farm.
- On the Server Type page, select the Complete option, and then click Install Now.
Installation proceeds for approximately 7-10 minutes.
3. When installation completes, clear the Run the SharePoint Products Configuration Wizard now check box, and then click Close.
4. On the SharePoint installation splash screen, click Exit, and then close the Windows Explorer window that displays the contents of the SharePointServer2010 folder.

Task 1B: Script the installation of SharePoint Server.


1. Edit D:\Software\SharePointServer2010\Files\SetupFarmSilent\config.xml.
2. Replace line 11 with the following line:

<PIDKEY Value="36BY2-DVVJY-6426X-PXWVQ-BM342" />

Remove the comment tags, <!-- and -->.

3. Replace the Display element with the following:

<Display AcceptEULA="yes" Level="basic" CompletionNotice="yes" />

Alternately, copy D:\Labfiles\Lab01\config.xml to the D:\Software\SharePointServer2010\Files\SetupFarmSilent folder, overwriting the existing file.

4. Save the file and close Notepad.
5. Start Command Prompt using the Run as administrator option.
6. Type the following command on one line, and then press ENTER:

"D:\Software\SharePointServer2010\setup.exe" /config "D:\Software\SharePointServer2010\Files\SetupFarmSilent\config.xml"

Installation takes approximately 7-10 minutes.

7. You can monitor the progress of the SharePoint installation using any of these methods:
- Click Start, type %temp%, and then press ENTER. Open the log named SharePoint Server Setup*.log.
- Open Task Manager, and then monitor processes including Msiexec.exe, Setup.exe, Mscorsvw.exe, and Psconfigui.exe.
8. Clear the Run the SharePoint Products Configuration Wizard now check box and then close the Run Configuration Wizard page.

Results: After this exercise, you should have installed SharePoint Server 2010.


Exercise 4: Configuring the SharePoint Installation


Scenario
You are ready to complete the configuration of the SharePoint installation. In this exercise, you use the SharePoint Products Configuration Wizard to configure the server and the farm. You may choose to perform configuration manually or to script the configuration of SharePoint Server and of the new farm. The main tasks for this exercise are as follows:

1A. Run the SharePoint Products Configuration Wizard.
or
1B. Perform a scripted configuration of SharePoint Server.

Task 1A: Run the SharePoint Products Configuration Wizard.


1. Open the SharePoint 2010 Products Configuration Wizard.
2. Complete the wizard using the following configuration information:
- Connect to a server farm: Create a new server farm
- Database server: SP2010-WFE1
- Database access username: CONTOSO\SP_Farm
- Database access password: Pa$$w0rd
- Farm passphrase: 10174_SharePoint_2010
- Central Administration port number: 9999
The Configuring SharePoint Products page indicates the progress of configuration, which takes approximately five minutes.
3. When configuration has completed successfully, click Finish. Windows Internet Explorer appears and opens the Help Make SharePoint Better page. This is the Customer Experience Improvement survey page of the SharePoint 2010 Central Administration Web site.
4. Select Yes, I am willing to participate (Recommended), and then click OK.
5. Close Internet Explorer. You configure SharePoint in a later lab.

Task 1B: Perform a scripted configuration of SharePoint Server.


1. Start Windows PowerShell 2.0 using the Run as administrator option.
2. Type the following command, and then press ENTER:

D:\Labfiles\Lab01\ConfigureSharePoint.ps1

The Windows PowerShell Credential Request dialog box appears.

3. In the Password box, type Pa$$w0rd, and then press ENTER. A prompt appears to enter the farm passphrase.
4. Type 10174_SharePoint_2010, and then press ENTER. Configuration proceeds for 7-10 minutes.
5. When the prompt Press Enter to exit appears, press ENTER.

Results: After this exercise, you should have configured SharePoint Server 2010 as a single-server farm with the Central Administration application on port 9999.


Exercise 5: Configuring the Farm with the Farm Configuration Wizard


In this exercise, you use the Farm Setup Wizard to configure the SharePoint farm and service applications with default settings. The main tasks for this exercise are as follows:

1. Run the Farm Configuration Wizard.

Task 1: Run the Farm Configuration Wizard.


1. Open SharePoint 2010 Central Administration and start the Farm Configuration Wizard. For the service account, create a new managed account using the SP_ServiceApps account with the user name CONTOSO\SP_ServiceApps, and the password Pa$$w0rd.
2. Observe the list of service applications that will be created by the Farm Configuration Wizard. Clear the check box next to User Profile Service Application and then proceed with the wizard by clicking Next. Farm service applications are created and started. This takes several minutes. Optionally, you can open SQL Server Management Studio to follow the progress of the service application database creation. When the configuration is complete, the Create Site Collection page opens.
3. Click Skip. You create an intranet in the following exercises.
4. On the Initial Farm Configuration Wizard page, click Finish.

Results: After this exercise, you should have a SharePoint farm and service applications configured with default settings.


Exercise 6 (Optional): Install a Language Pack


In this exercise, you install the French language pack. The main tasks for this exercise are as follows:

1. Install the French language pack.
2. Complete the configuration of the language pack.
3. Validate the installation of the language pack.

Task 1: Install the French language pack.


1. Run D:\Software\SharePointLanguagePackFR\ServerLanguagePack.exe.
2. Select the J'accepte les termes de ce contrat check box.
3. Click Continuer. The language pack installs.
4. On the Exécuter l'Assistant Configuration page, clear the Exécuter l'Assistant Configuration des produits SharePoint check box.
5. Click Fermer.

Task 2: Complete the configuration of the language pack.


Run the SharePoint 2010 Products Configuration Wizard. After configuration is complete, SharePoint 2010 Central Administration opens.

Task 3: Validate the installation of the language pack.


1. In SharePoint 2010 Central Administration, in the Quick Launch, click System Settings.
2. In the Servers section, click Manage servers in this farm.
3. Confirm that SP2010-WFE1 has the Language Pack for SharePoint, Project Server, and Office Web Apps 2010 - French/Français installed.

To prepare for the next module.


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Module Review and Takeaways

Review Questions
1. What are the most salient benefits of SharePoint 2010 to your enterprise and to you as an IT professional?
2. How can you automate the installation of SharePoint prerequisites?
3. In which scenarios would you consider a standalone installation of SharePoint 2010?
4. What prerequisites are required to install SharePoint Server 2010?
5. What new configuration setting has been added to the setup of a SharePoint Farm?
6. You have just installed a new single-server SharePoint Server 2010 farm in your organization. What service packs and updates should you apply?

Common Issues and Troubleshooting Tips


Identify the causes of the following common issues related to SharePoint installation and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

| Issue | Troubleshooting Tip |
| --- | --- |
| The server cannot download a prerequisite from the Microsoft Web site. | Download the prerequisite and install it manually, or direct the prerequisite installer to an available copy of the prerequisite by using a switch with the PrerequisiteInstaller.exe command or in the PrerequisiteInstaller.Arguments.txt file. |
| The prerequisite installer reports an error. | Examine the log in the %TEMP% folder. |
| While running the SharePoint Products Configuration Wizard, you are unable to connect to the SQL database. | Ensure that you are logged on as the setup user account and that the account has been given a login on the SQL server with the dbcreator and securityadmin server roles. |

Real-World Scenarios
1. The training department wants to conduct a course in which site collection administrators will learn skills required to manage their site collections. Each site collection administrator in the course requires a test SharePoint farm. You do not want the test farms to connect to the production SQL Server environment. What type of installation will you prepare for each site collection administrator?
2. IT security policy dictates that servers shall have no direct connectivity to the Internet. However, you need to be able to install SharePoint prerequisites. What can you do to achieve your goals while maintaining compliance with security policy?
3. A remote office requires team sites to support its collaboration. The remote office is connected to the datacenter with a slow connection that will not provide adequate performance against a team site hosted on the farm at the datacenter. How would you propose addressing the remote office requirements while minimizing additional software costs?

Best Practices
Supplement or modify the following best practices for your own work situations:
- Follow least-privilege best practices in your planning and implementation of the user accounts required for SharePoint.
- Download all SharePoint prerequisites and configure the PrerequisiteInstaller.Arguments.txt file to automate the installation of prerequisites.
- Create a Config.xml file to script the installation of SharePoint.
- Document the farm passphrase and store it in a secure location.

Tools
Tool: SharePoint Server 2010 Start page
Use for: Starting prerequisite installation and SharePoint installation
Where to Find It: Default.hta

Tool: Prerequisite installer
Use for: Installing and configuring SharePoint prerequisites
Where to Find It: PrerequisiteInstaller.exe

Tool: SharePoint Installation Wizard
Use for: Installing SharePoint binaries
Where to Find It: Setup.exe

Tool: SharePoint Products Configuration Wizard
Use for: Configuring SharePoint services and features
Where to Find It: On the Start menu or Psconfig.exe


Module 2
Creating a SharePoint 2010 Intranet
Contents:
Lesson 1: Performing Initial Farm Configuration
Lesson 2: Configuring the SharePoint Logical Structure
Lesson 3: Exploring the SharePoint Web Application and Physical Architecture
Lab: Creating a SharePoint 2010 Intranet


Start the Virtual Machines

Before starting this module, start and log on to the virtual machines.
1. Start 10174A-CONTOSO-DC-B.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-B.
3. Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password, Pa$$w0rd.


Module Overview

After installing your Microsoft SharePoint farm, you are ready to begin establishing content, such as an organizational intranet site. In this module, you will create a SharePoint-based intranet and, as you do so, you will learn key concepts and skills related to the logical architecture of SharePoint including web applications, site collections, sites, and content databases.

Objectives
After completing this module, you will be able to:
- Use the SharePoint Farm Configuration Wizard and configure managed accounts.
- Create web applications, site collections, and sites to logically structure content.
- Describe how web applications and content databases underpin the SharePoint logical architecture.


Lesson 1

Performing Initial Farm Configuration

After you have installed Microsoft SharePoint 2010 on your first server in the farm, and after you have run the SharePoint Products Configuration Wizard, you still must configure services, accounts, and settings on the farm itself. In this lesson, you'll use the Configure Your Farm Wizard to automate the process of initial farm configuration, and you'll begin the exploration of SharePoint's components, technologies, and features by examining the high-level tasks that the wizard performs. After completing this lesson, you will be able to understand the high-level structure, components, and functioning of the farm.


Walkthrough: Farm Configuration Wizard

Run the Farm Configuration Wizard


1. Open SharePoint 2010 Central Administration. At the User Account Control dialog box, click Yes.
2. In the Central Administration Quick Launch, click Configuration Wizards.
3. In the Farm Configuration section, click Launch the Farm Configuration Wizard. If the Help Make SharePoint Better page opens, click Yes, I am willing to participate (Recommended), and then click OK.
4. On the Configure your SharePoint farm page, click Start the Wizard.
5. In the Service Account section, take note of the existing managed account.
6. Observe the list of service applications that are selected or can be selected.
7. Click Next. Farm service applications are created and started. This takes several minutes. Optionally, you can open SQL Server Management Studio to follow the progress of the service application database creation. When the configuration is complete, the Create Site Collection page opens.
8. On the Create Site Collection page, click Skip.
9. On the Initial Farm Configuration Wizard page, click Finish.


Farm Configuration Wizard

The Farm Configuration Wizard applies the default settings for services, proxies, proxy groups, and accounts. The wizard makes it easy to get a farm up-and-running using out of the box defaults. It is particularly well suited to configuring a SharePoint farm for testing, training, or development when there are no requirements for farm or service customization. In most production environments, however, business requirements lead to farm topology designs and configuration that is not the same as SharePoint's out-of-box defaults. Therefore, it is generally recommended to configure the farm manually in a production environment. You will learn, through the modules in this course, how to configure services, service applications, proxies, application proxy groups, managed accounts, and other farm components.


Service Applications: An Overview

Service applications are a very important concept to understand in SharePoint 2010. Although they perform a role similar to Shared Service Providers (SSPs) in SharePoint 2007, there are significant differences between service applications and SSPs.

Service Application
A service application provides specific functionality, such as search, that may be required by a web application. In the end, web applications connect to and consume the service provided by a service application. Examples of service applications are:
- The Search Service Application, which supports crawling, indexing, and querying.
- The Business Connectivity Service, which enables SharePoint to connect to external data sources.
- The Managed Metadata Service, which provides taxonomy and managed content types.
- The User Profile Service, which synchronizes user profile attributes from Active Directory and other sources.

Application Connection (Proxy)


A service application's application connection, also called a proxy, creates the connection point for the web application.

Application Connection Group (Proxy Group)


Typically, a web application requires more than one service application, and several web applications require the same service applications. To make it easier for you to manage the connection between web applications and service applications, application connection groups, also called proxy groups, create a logical grouping of service application connections (proxies). A web application connects to an application connection group and, thereby, connects to all of the connections that are members of that connection group.


The Farm Configuration Wizard sets up all service applications and creates a single application connection group, default, that is available and can be used by any web app in the farm.

Architecture
Service applications are part of SharePoint Foundation 2010. This means that the architecture is part of the platform, in contrast to SharePoint 2007 in which SSPs were introduced by Microsoft Office SharePoint Server 2007 and not by Windows SharePoint Services v3. In SharePoint 2010, most new services are built on the Windows Communications Framework (WCF), which means they have optimization built into their protocol, using binary streams instead of XML to transfer data.

Setup and Administration


Service apps are administered in Central Administration like all web applications. In MOSS 2007, the SSP had a separate administrative application. Service apps can be remotely managed and monitored. Service apps can be administered by using Windows PowerShell.

Flexible Topology
A service application provides a single set of functionality. A web application can, through application connection groups, connect to one or more service applications based on the needs of the web app. This is in contrast to the SSP in SharePoint 2007, which contained a bundle of services and a web application that was connected to the SSP and incurred the overhead of all services in the SSP. A service app can also be published so that it can be consumed by applications on another farm.


Whiteboard Diagram

Label the following components in the preceding diagram:
- SharePoint server
- Service instance, for example, the instance of the Search service
- Service application, for example, the instance of the Search Service application
- Application connection (proxy)
- Application connection group (proxy group)
- Web application
- Association of the web application to the application connection group

Additional Reading
Module 8, Configuring and Securing SharePoint Services and Service Applications, details managed accounts.


Managed Accounts: An Overview

Service accounts are user accounts used by a service to log on to Windows. When you configure a service, you associate an identity (a user name and password) with the service. When the service starts, it authenticates using that account just as a user authenticates when logging onto a system. The service account must have sufficient permissions for the service to perform its tasks.

Traditionally, service accounts have been difficult for enterprises to manage, because when you change the password of the service account in Active Directory, you must then reconfigure the service with the new password, otherwise it will be denied logon. Because of this challenge, enterprises have typically sacrificed security best practices and have configured service accounts with passwords that never expire.

SharePoint 2010 introduces the concept of managed accounts. Managed accounts are service accounts with which SharePoint services run. Unlike traditional service accounts, however, SharePoint is able to perform password resets on the accounts in Active Directory, and it can update the service with a new password. All of this can be done automatically, without administrative intervention.

A managed account starts like any service account: a domain user account is created in Active Directory. You then register the account as a managed account using SharePoint 2010 Central Administration. At that time, you enter both the username and password of the account. When you configure a service application, application pool, or any other component that requires an identity, you can specify which managed account should be used. In this way, SharePoint is able to maintain a database of associations between managed accounts and services. Additionally, and in contrast to SharePoint 2007, when you assign an identity to a service application, SharePoint 2010 configures any permissions or rights required for the identity.
When it comes time to change the password of a managed account, you do so with SharePoint Central Administration, rather than with Active Directory Users and Computers. SharePoint is able to change the password of the account in the domain, and it can reconfigure the services associated with that identity to allow the use of a new password.


You can also configure SharePoint to change passwords automatically based on the domain password expiration and complexity policies. In this way, the managed account passwords are known only to the farm, and cannot be used by an administrator, accidentally or intentionally, to cause damage to the farm. The managed account credentials are encrypted. The encryption process begins with the farm passphrase that is specified during SharePoint configuration. The farm passphrase is stored in a secure key of the Registry. The farm passphrase encrypts a private key that is stored in the SharePoint Config database. Private keys are used to encrypt account credentials.
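The following read-only report is an added example, not part of the course material: it lists each managed account, whether automatic password change is enabled, and which application pools run as that account. The function name and the 14-day warning threshold are assumptions chosen for illustration.

```powershell
# Added example (not course code). Run in the SharePoint 2010 Management Shell
# as a farm administrator. Nothing here changes any account or password.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ManagedAccountPasswordReport {
    param([int]$WarnDays = 14)   # hypothetical threshold for "expires soon"

    # Collect every application pool and the account it runs as.
    $pools  = @(Get-SPWebApplication -IncludeCentralAdministration |
                ForEach-Object { $_.ApplicationPool } |
                Select-Object @{ n = "Pool"; e = { $_.Name } },
                              @{ n = "Account"; e = { $_.Username } })
    $pools += @(Get-SPServiceApplicationPool |
                Select-Object @{ n = "Pool"; e = { $_.Name } },
                              @{ n = "Account"; e = { $_.ProcessAccountName } })

    $now = Get-Date
    foreach ($account in Get-SPManagedAccount) {
        $usedBy = @($pools | Where-Object { $_.Account -eq $account.Username } |
                    ForEach-Object { $_.Pool } | Select-Object -Unique)
        $daysLeft = [int][math]::Floor(($account.PasswordExpiration - $now).TotalDays)

        # Build the list of findings for this account.
        $findings = @()
        if (-not $account.AutomaticChange) {
            $findings += "automatic password change is off"
            if ($daysLeft -lt $WarnDays) {
                $findings += "password expires in $daysLeft day(s)"
            }
        }
        if ($usedBy.Count -eq 0) {
            $findings += "no application pool runs as this account"
        }

        New-Object PSObject -Property @{
            Username           = $account.Username
            AutomaticChange    = $account.AutomaticChange
            PasswordExpiration = $account.PasswordExpiration
            UsedBy             = ($usedBy -join "; ")
            Findings           = ($findings -join "; ")
        } | Select-Object Username, AutomaticChange, PasswordExpiration, UsedBy, Findings
    }
}

Get-ManagedAccountPasswordReport | Format-List
```

An account with no application pool listed may still run a Windows service such as the farm's timer service, so treat that finding as a prompt to check rather than as proof that the account is unused.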

Additional Reading
Module 8, Configuring and Securing SharePoint Services and Service Applications, details managed accounts.


Lesson 2

Configuring the SharePoint Logical Structure

Now that the SharePoint farm is installed and configured, you can turn your attention to the creation of web applications, site collections, sites, and content databases. These are the primary components of the SharePoint logical structure. In this lesson, you will learn how to create the architecture for a simple SharePoint intranet and, along the way, come to understand the characteristics of and issues related to each of these logical components.

After this lesson, you will be able to:
- Identify components of a logical architecture
- Manage web applications
- Manage site collections
- Delegate site collection administration
- Configure quotas
- Manage sites
- Configure managed paths
- Manage content databases


SharePoint Logical Structure

The diagram shown on the slide above represents the logical structure of SharePoint.
- A web application is the highest level component of the logical structure within a farm. A farm can have one or more web applications.
- Within a web application are one or more site collections. Site collections have a URL that is a managed path.
- A site collection contains one or more sites. When you create a site collection, you also create the top-level site in that site collection. Below that top-level site can be one or more additional sites, often referred to as subsites or subwebs.
- Within a site are pages, lists, and libraries. Lists and libraries can contain folders.
- Within lists and libraries (possibly organized into folders) are items and documents, respectively.
- A site collection and all of its content is hosted in a content database. There can be one or more content databases associated with a web application.

An important element of the diagram shown above is that when you create a site collection, you also create a top-level site. They are two separate components, but they always go hand-in-hand. You can't have a site collection without a top-level site, and you can't have a top-level site without also having a site collection.


Request a Page from a SharePoint Site

The top-level logical component within a farm is the web application. A web application in SharePoint corresponds to a site in Internet Information Services (IIS). To understand the configuration parameters you must provide when you create a web application, it is helpful to understand how a client (a web browser, for example) connects to a site. This slide illustrates the process with which a browser retrieves a page from a SharePoint site.

With a browser opened, a user enters a URI (Universal Resource Identifier), also called a URL (Uniform Resource Locator). This is the request that the user makes. The URI includes a protocol, such as http: and an address, typically specified as a domain name system (DNS) name, such as intranet.contoso.com. Often, the URI also includes a path or page that specifies a resource within the target site, such as /default.aspx.

The request must be sent to the server hosting the website. Therefore, the DNS name of the server must be resolved to its IP address. The client sends a query to its DNS server requesting a lookup of the web server's DNS name, intranet.contoso.com. The DNS server resolves the query and returns the IP address of the server, for example, 10.0.0.11.

The client can now send the request to the web server using the server's IP address. The request is sent to a specific port on the server based on the protocol or a port specified in the URI. For web requests, port 80 is used unless otherwise specified.

IIS on the server receives the request and must hand the request to the correct site. The server knows which site should get the request based on the site's bindings. A site can be bound to a specific IP address or port. Typically, however, a web server hosts multiple sites and it is not efficient or sometimes even possible to assign a unique IP address or port to each site. Therefore, it is typical to see a web server hosting multiple sites all bound to the same IP address and port.

How then can the server know which site should handle the inbound request? While the inbound request targets a specific IP address and port, the request itself contains the DNS name of the website in a field called the host header. Sites on the server can be bound to the host headers that correspond to the DNS name of the site. Therefore, while requests for different sites may be coming into the same IP address and port, IIS is able to forward requests to the correct sites based on the host header.

If a site happens to be a SharePoint site, SharePoint takes the request, examines the URI, and retrieves the content from the appropriate content database on the SQL Server. At each point in the process, security controls can be applied to ensure that users can get only to the content they need.
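The binding lookup described above can be modeled offline. This is an added example, not course code: the site names and binding table are constructed sample data, and the precedence rule is a simplification of what the web server does. It also shows why a site bound with a blank host header receives every request on that port that names no other site.

```powershell
# Added example (not course code). Constructed sample bindings; site names are
# hypothetical. IP "*" means the binding applies to all addresses on the server.
$sampleBindings = @(
    @{ Site = "Default Web Site"; IP = "*"; Port = 80; HostHeader = "" },
    @{ Site = "Intranet";         IP = "*"; Port = 80; HostHeader = "intranet.contoso.com" },
    @{ Site = "Partner Portal";   IP = "*"; Port = 80; HostHeader = "partners.contoso.com" }
)

function Resolve-SiteBinding {
    param(
        [string]$IPAddress,
        [int]$Port,
        [string]$HostHeader,
        [object[]]$Bindings
    )
    # The host field may carry a port ("intranet.contoso.com:80"); keep the name only.
    $hostName = ($HostHeader -split ":")[0]

    # A binding is a candidate when port, address and host header all fit the request.
    $candidates = @($Bindings | Where-Object {
        ($_.Port -eq $Port) -and
        ($_.IP -eq "*" -or $_.IP -eq $IPAddress) -and
        ($_.HostHeader -eq "" -or $_.HostHeader -eq $hostName)
    })
    if ($candidates.Count -eq 0) { return $null }

    # Simplified precedence (assumption): a binding that names the host beats a
    # blank host header, and a binding on one address beats one on all addresses.
    $best = $candidates | Sort-Object -Descending -Property {
        $score = 0
        if ($_.HostHeader -ne "") { $score += 2 }
        if ($_.IP -ne "*")        { $score += 1 }
        $score
    } | Select-Object -First 1
    return $best.Site
}

function Show-Routing {
    param([string]$Label, [object[]]$Bindings)
    # The last request names the server by IP address, so no host header binding fits it.
    foreach ($requestHost in @("intranet.contoso.com", "partners.contoso.com:80", "10.0.0.11")) {
        $site = Resolve-SiteBinding -IPAddress "10.0.0.11" -Port 80 -HostHeader $requestHost -Bindings $Bindings
        if (-not $site) { $site = "(no site)" }
        "{0}: {1} -> {2}" -f $Label, $requestHost, $site
    }
}

# First with the blank-host-header site present, then with it removed.
Show-Routing -Label "with catch-all" -Bindings $sampleBindings
Show-Routing -Label "host headers only" -Bindings @($sampleBindings | Where-Object { $_.HostHeader -ne "" })
```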


Create a Web Application

A web application is a logical unit that contains one or more site collections. A web application is associated with an IIS website, but can have up to five IIS websites with which it is associated. Each web application's IIS website runs in the context of an application pool.

You use web applications to isolate content, processes, features, and users. You can separate content that is accessible by anonymous users from content that is accessed by authenticated users, or content that is accessible by partners from content that is accessible by employees, by hosting the content in separate web applications. Each web application has a unique domain name, which helps to prevent cross-site scripting attacks. You can assign a unique application pool to a web application, which isolates its processes.

When you create a new web application, you also create a new content database that defines the authentication method used by the application pool to connect to the database. When you create a new web application, you specify the authentication method used to connect to the IIS website.

SharePoint Server 2010 provides a set of service applications that are available for each web application. You can select which service applications you want to use for each web application that you create by associating the web application with a proxy group or by specifying a custom set of service applications for the web application. For more information, see Module 8, Configuring and Securing SharePoint Services and Service Applications. Service applications are associated with web applications.

Policy can be specified uniquely for each web application. For more information, see Module 6, Securing Content.


Create a Web Application


The following procedures create a web application that uses Windows-classic authentication, and NTLM as the authentication provider. In other words, the web application will use your Active Directory domain for authentication.

Create a Web Application by Using Central Administration
1. In the Central Administration Quick Launch, click Application Management.
2. In the Web Applications section, click Manage web applications.
3. On the Web Applications tab of the ribbon, click New. The Create New Web Application page appears.
4. In the Authentication section, select the authentication method, for example, Classic Mode Authentication. For more information, see Module 5, Configuring Authentication.
5. In the IIS Web Site section, in the Port box, type 80.
   Note: The default port number for HTTP access is 80, and the default port number for HTTPS access is 443. If you want users to access the web application without typing in a port number, they should use the appropriate default port number.
6. In the Host Header box, type the unique DNS name for the web application, for example, intranet.contoso.com. This field is used so that a server can host more than one web application on the same port. If the server is hosting only one web application on the specified port, this field can be left blank.
7. In the Name box, type a descriptive name for the web application, for example, Intranet - intranet.contoso.com. SharePoint populates the Name box automatically, based on the port and host header. You should always use a meaningful, descriptive name for the web site. Use the naming standards of your organization to determine the name.
8. In the Application Pool section, ensure that Create new application pool is selected. Microsoft supports up to ten application pools per web server, however the limit is dependent largely upon the amount of RAM allocated to front-end servers and the workload that the farm is serving: the user base and its usage characteristics.
9. In the Application Pool Name box, type SharePoint Web Applications. You should use a meaningful, descriptive name for each application pool that you create. Use the naming standards of your organization to determine the name.
10. Under Select a security account for this application pool, in the Configurable list, select the managed account that will be used as the identity for the application pool, for example, CONTOSO\SP_ServiceApps.
11. In the Database Name and Authentication section, in the Database Name box, type a name for the database, for example, WSS_Content_Intranet. You should always use a meaningful name for your content databases. Use the naming standards of your organization to determine the name.
12. Click OK. The web application and content database will be created. When this process is complete, the Application Created page appears.
13. Click OK. The new web application is displayed on the Web Applications Management page.

Tip: Be sure that you have created a host record (A or AAAA) in DNS for the web application.

Create a Web Application by Using Windows PowerShell
The following example shows the use of the New-SPWebApplication cmdlet to create a new web application:
New-SPWebApplication -Name <Name> -ApplicationPool <ApplicationPool> -ApplicationPoolAccount <ApplicationPoolAccount> -Port <Port> -URL <URL>

Where:
- <Name> is the name of the new web application.
- <ApplicationPool> is the name of the application pool.
- <ApplicationPoolAccount> is the user account that this application pool will run as.
- <Port> is the port on which the web application will be created in IIS.
- <URL> is the public URL for the web application.
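The script below is an added example, not course code: it performs the Central Administration procedure with the sample values from the steps above, after checking the prerequisites those steps rely on (a registered managed account, a DNS host record, no existing web application at the URL). It assumes the application pool does not exist yet, as in step 8, and the check against the farm account is an added least-privilege assumption.

```powershell
# Added example (not course code). Run in the SharePoint 2010 Management Shell
# as a farm administrator. Values are the samples used in the procedure above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$hostHeader  = "intranet.contoso.com"
$port        = 80
$url         = "http://$hostHeader"
$poolName    = "SharePoint Web Applications"
$poolAccount = "CONTOSO\SP_ServiceApps"
$database    = "WSS_Content_Intranet"

# Preflight 1: the pool identity must already be registered as a managed account.
$managed = Get-SPManagedAccount | Where-Object { $_.Username -eq $poolAccount }
if (-not $managed) {
    throw "$poolAccount is not a managed account. Register it in Central Administration first."
}

# Preflight 2 (assumption, least privilege): do not run content under the farm account.
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
if ($farmAccount -eq $poolAccount) {
    throw "$poolAccount is the farm account. Use a separate account for web applications."
}

# Preflight 3: the host header needs a host record (A or AAAA) in DNS.
try   { [System.Net.Dns]::GetHostAddresses($hostHeader) | Out-Null }
catch { throw "No DNS record found for $hostHeader. Create the host record first." }

# Preflight 4: do not create the same web application twice.
$existing = Get-SPWebApplication | Where-Object { $_.Url.TrimEnd("/") -eq $url }
if ($existing) { throw "A web application already exists at $url." }

# Create the web application. With no authentication provider specified,
# SharePoint 2010 creates it in classic mode; NTLM is set explicitly.
$webApp = New-SPWebApplication -Name "Intranet - $hostHeader" `
    -Port $port -HostHeader $hostHeader -URL $url `
    -ApplicationPool $poolName -ApplicationPoolAccount $managed `
    -DatabaseName $database -AuthenticationMethod NTLM

# Confirm what was created: pool, identity, authentication mode, content database.
New-Object PSObject -Property @{
    Url              = $webApp.Url
    ApplicationPool  = $webApp.ApplicationPool.Name
    PoolIdentity     = $webApp.ApplicationPool.Username
    ClaimsAuth       = $webApp.UseClaimsAuthentication
    ContentDatabases = (($webApp.ContentDatabases | ForEach-Object { $_.Name }) -join "; ")
} | Select-Object Url, ApplicationPool, PoolIdentity, ClaimsAuth, ContentDatabases | Format-List
```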

Additional Reading
Create a Web Application (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192703&clcid=0x409


Load Balancing

When you create a web application, you specify the load balanced URL, for example, intranet.contoso.com:80. Load-balancing is a technology that allows the distribution of requests across more than one web front end. Windows Server 2008 can provide load-balancing, but it is common for organizations with more than one web front end to utilize hardware-based load balancers. A load balancer is assigned the IP address associated with the DNS name of the website. Each web front end has a unique IP address that is known to the load balancer. The load balancer receives the client's request, and then forwards the request to one of the web front ends based on the logic applied by the load balancer.

Load Balancing and Session State


HTTP is fundamentally a stateless protocol, that is, each request is treated separately and independently from the previous request. However, some actions, such as the completion of an InfoPath form, require two or more requests to share data. Such data is called the session state. Load balancing can cause trouble for session state data because two consecutive requests can be sent to different web front-end (WFE) servers. The second WFE server may not have access to the session state data created on the first WFE server. You can prevent this problem by enabling the SharePoint State Service. This service application stores session state data in a SQL Server database that is accessible to all WFE servers. In a basic installation, the State Service is automatically configured. In an advanced installation, when you run the farm configuration wizard, you can enable and configure the state service.


Create a Site Collection

A site collection is a group of SharePoint websites that share common ownership and administrators, as well as common settings, such as quotas, locks, site use confirmation and deletion, and self-service site creation. When you create a site collection, you also create a top-level site in the site collection. The top-level site can be configured to use a template, also called a site definition.

Create a Site Collection by Using Central Administration
1. In the Central Administration Quick Launch, click Application Management.
2. In the Site Collections section, click Create site collections.
3. In the Web Application section, ensure that you are focused on the web application in which you want to create a site collection. If necessary, click the web application picker, and then click Change Web Application. Click the correct web application.
4. In the Title box, type a title for the site collection.
5. In the Template Selection section, select the site definition you want to apply to the top-level site of the new site collection.
6. In the Primary Site Collection Administrator section, in the User name box, type the user name of the site collection administrator.
7. Click OK. The site collection is created, and the Top-Level Site Successfully Created page appears.
8. Click OK.

When you create a site collection, you also create a top-level site within that site collection. The top-level site is typically created using a site definition, for example, Team Site or Publishing Site, but it is also possible to create a blank top-level site that can then be customized later.


Create a Site Collection by Using Windows PowerShell
The following example shows the use of the New-SPSite cmdlet to create a new site collection.
# List the available site templates
Get-SPWebTemplate
# Select the Team Site template and create the site collection
$template = Get-SPWebTemplate "STS#0"
New-SPSite -Url "<URL for the new site collection>" -OwnerAlias "<domain\user>" -Template $template

Where:
- <URL> is the URL of the site collection you want to create.
- The -OwnerAlias parameter's <domain\user> value defines the primary site collection administrator.
- The -SecondaryOwnerAlias parameter defines the secondary site collection administrator.
- The -Template parameter's value specifies the site definition for the top-level site (in this example, STS#0, the Team Site template).

Delete a Site Collection


If you have installed SP1, when you delete a site collection, you can recover it by using the Restore-SPSite cmdlet. If you have not installed SP1, when you delete a site collection, you permanently destroy all content and user information in the site collection, which includes the top-level site and all subsites.

Delete a Site Collection by Using Central Administration
1. In the Central Administration website, in the Quick Launch, click Application Management.
2. On the Application Management page, in the Site Collections section, click Delete a site collection. The Delete Site Collection page opens.
3. On the Delete Site Collection page, expand the Site Collection list, and then click Change Site Collection. Use the Select Site Collection page to select a site collection:
   1. In the Web Application drop-down list, click the down arrow, and then click Change Web Application. The Select Web Application dialog box appears.
   2. Click the name of the web application that contains the site collection that you want to delete. Relative URLs of sites in the site collections of the web application that you have selected appear on the Select Site Collection dialog box.
   3. Click the relative URL of the site collection that you want to delete, and then click OK.
4. Read the Warning section and verify that the site collection information is correct.
5. On the Delete Site Collection page, click Delete. The site collection that you select is deleted.

Delete a Site Collection by Using Windows PowerShell
The following example shows the use of the Remove-SPSite cmdlet to delete a site collection:
Remove-SPSite -Identity "<URL>" -GradualDelete

Where:
- <URL> is the URL of the site collection you want to delete.
- The -GradualDelete parameter specifies that you use gradual deletion, which reduces the load on the system during the deletion process.

When you use Remove-SPSite to delete a site collection, you cannot restore it by using the Restore-SPSite cmdlet.

Additional Reading
Create a site collection (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkId=221520

Delete a site collection (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192706&clcid=0x409


Site Collection Settings

After creating the site collection, you should configure site collection settings. In Central Administration, this is done on the Application Management page. In SharePoint 2010 Central Administration Quick Launch, click Application Management.

Ownership, Administration, and Access


Site collection owners (the primary and secondary site collection administrators of a site collection) receive quota and auto-deletion notices. In addition, they have all the rights associated with site collection administrators.

Assign Site Collection Owners by Using Central Administration
1. In SharePoint 2010 Central Administration Quick Launch, click Application Management.
2. On the Site Collection Administrators page, in the Site Collection section, confirm that the site collection for which you want to assign ownership is selected. If not, expand the Site Collection drop-down list, and then click Change Site Collection. Use the Select Site Collection page to select the site collection:
   1. Confirm that the Web Application list displays the web application that contains the site collection for which you want to assign ownership. If not, expand the Web Application list, and then click Change Web Application. On the Select Web Application page, click the web application.
   2. In the URL list, click the site collection.
   3. Click OK.
3. In the Primary site collection administrator box, type the name of the primary owner, using the format, DOMAIN\username.
4. In the Secondary site collection administrator box, type the name of the secondary owner, using the format, DOMAIN\username.
5. Click OK.


Assign Site Collection Owners by Using Windows PowerShell
The following example shows the use of the Set-SPSite cmdlet to assign the site collection owners:
Set-SPSite -Identity "<SiteCollection>" -OwnerAlias "<DOMAIN\User>" -SecondaryOwnerAlias "<DOMAIN\User>"

Where:
- <SiteCollection> is the URL of the site collection to which you want to add a site collection administrator.
- <DOMAIN\User> is the name of the user whom you want to add as a site collection owner.
- The -OwnerAlias parameter defines the primary site collection administrator.
- The -SecondaryOwnerAlias parameter defines the secondary site collection administrator.

Assign Site Collection Administrators Site collection administrators are owners of the site collection. They are given full control of the site collection and always have the ability to change permissions on objects within the site collection. They also have permission to perform a wide range of administrative tasks within the site collection. 1. 2. 3. 4. In the top-level site of a site collection, click Site Actions, and then click Site Settings. Click Site Collection Administrators. In the Site Collection Administrators box, type the names of the site collection administrators, separated by semicolons. Click OK.

Whereas you can assign two site collection owners in Central Administration, you can assign more than two site collection administrators within the site collection.

Two Sets of Site Collection Administrators
Site collection owners assigned in Central Administration receive e-mail notifications related to site usage and quotas. Otherwise, the permissions and capabilities of the two types of site collection administrators are identical. A farm administrator can assign the primary and secondary site collection administrators in Central Administration. A site collection administrator can add or remove site collection administrators in the site collection settings.

Assign Permissions to the Top-Level Site
Each SharePoint site has at least three default groups: Owners, Members, and Visitors. These three groups have full control, contribute, and read permission respectively.
1. Click Site Actions, and then click Site Permissions.
2. Click the name of a group to which you want to add members, for example, Contoso Intranet Visitors.
3. Click New. The Grant Permissions page opens.
4. In the Users/Groups box, type the name of users or groups that you want to add to the selected SharePoint group, and then click OK.

To give all authenticated users the ability to browse a site, add the Authenticated Users group to the site's Visitors group. Before you use this option, be careful to verify which users are included in the Authenticated Users group. For example, if you work with partners and contractors, their accounts are included because they enter credentials to access your site.
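A way to check the caution above across a whole web application, as an added example that is not part of the original courseware: the function lists each site collection's owners and administrators and names every SharePoint group that contains the Authenticated Users principal. The function name and the list of login names in $BroadPrincipals are assumptions made for illustration; adjust the list to the authentication providers in your farm.

```powershell
# Added example (not from the courseware). Run in the SharePoint 2010
# Management Shell with farm administrator rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Login names that stand for "every authenticated user": the classic-mode
# Windows name and its Windows claims encoding.
# Assumption: extend this list to match your farm's authentication providers.
$BroadPrincipals = @('NT AUTHORITY\authenticated users', 'c:0!.s|windows')

function Get-SiteCollectionAccessReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$WebApplicationUrl
    )

    foreach ($site in (Get-SPSite -WebApplication $WebApplicationUrl -Limit All)) {
        try {
            $root = $site.RootWeb

            # Owners assigned in Central Administration (they receive quota notices).
            $primary = ''
            if ($site.Owner) { $primary = $site.Owner.LoginName }
            $secondary = ''
            if ($site.SecondaryContact) { $secondary = $site.SecondaryContact.LoginName }

            # Everyone with site collection administrator rights, which can be
            # more than the two owners.
            $admins = @($root.SiteAdministrators | ForEach-Object { $_.LoginName })

            # SharePoint groups in this site collection that contain a broad principal.
            $exposedGroups = @()
            foreach ($group in $root.SiteGroups) {
                foreach ($user in $group.Users) {
                    # -contains compares strings case-insensitively.
                    if ($BroadPrincipals -contains $user.LoginName) {
                        $exposedGroups += $group.Name
                        break
                    }
                }
            }

            New-Object PSObject -Property @{
                Url                  = $site.Url
                PrimaryOwner         = $primary
                SecondaryOwner       = $secondary
                SiteCollectionAdmins = ($admins -join '; ')
                AuthenticatedUsersIn = ($exposedGroups -join '; ')
            } | Select-Object Url, PrimaryOwner, SecondaryOwner, SiteCollectionAdmins, AuthenticatedUsersIn
        }
        finally {
            # SPSite objects hold unmanaged resources; release each one.
            $site.Dispose()
        }
    }
}

# Usage (host name is the example used on this page):
# Get-SiteCollectionAccessReport -WebApplicationUrl 'http://intranet.contoso.com' |
#     Where-Object { $_.AuthenticatedUsersIn } | Format-List
```

The report covers group membership only; permissions granted directly to the principal on a site, list, or item are not included.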


Additional Reading
Add or remove site collection administrators (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192707&clcid=0x409

Quotas
One of the important site collection settings is the quota template associated with the site collection. A quota template specifies the maximum storage permitted for each site in a site collection. Quotas also define the resource utilization limits for Sandboxed Solutions. Sandboxed Solutions are discussed in Module 7, "Managing SharePoint Customizations."

Quotas define the following:
- Storage limit (in MB).
- The storage warning level at which site collection owners (primary and secondary site collection administrators) are notified that the site is approaching its storage limit. This value must be lower than the storage limit.
- Resource usage limit for Sandboxed Solutions (per day).
- Resource usage warning level at which site collection owners (primary and secondary site collection administrators) are notified that the site is approaching its resource usage limit. This value must be lower than the resource usage limit.

Create or Modify a Quota Template
Quota templates are defined at the farm level. When you create a quota template, you simplify the management of storage limits on new site collections.
1. In the Central Administration Quick Launch, click Application Management.
2. On the Application Management page, in the Site Collections section, click Specify quota templates. The Quota Templates page opens. You can create, modify, or delete a quota template from the Quota Templates page.
3. On the Quota Templates page, in the Template Name section, in the Template to modify list, select the template that you want to change. Alternately, to create a new quota template, click Create a new quota template and then, in the New template name box, type a name for a new quota template.
4. In the Storage Limit Values section, specify the values that you want to apply to the template.
   - If you want to modify the amount of data that can be stored in the database, select the Limit site storage to a maximum of check box, and type the new storage limit, in megabytes, in the text box.
   - If you want an e-mail message to be sent to the site collection administrator when a storage threshold is reached, select the Send warning E-mail when Site Collection storage reaches check box, and then type the threshold, in megabytes, in the box.
5. In the Sandboxed Solutions With Code Limits section, set the values for a template for Sandboxed Solutions.
   - If you want to limit the resource usage of Sandboxed Solutions in the site collection, select the Limit maximum usage per day to check box, and then type the daily resource usage limit, in points, in the text box.
   - If you want an e-mail message to be sent to the site collection administrator when a resource usage threshold is reached, select the Send warning e-mail when usage per day reaches check box, and then type the daily resource usage warning limit, in points, in the box.
   A point is a relative measurement of resource usage, for example, CPU cycles, memory, or page faults. Points enable comparisons between measurements of resource usage that could not be compared otherwise. See Module 7, "Managing SharePoint Customizations," for more detail about Sandboxed Solutions.
6. Click OK.

Apply a Quota Template to a Site Collection
A site collection can be associated with one of the farm's quota templates. When a new site is created in the site collection, the properties of the quota template are applied to the site.
1. In the Central Administration Quick Launch, click Application Management.
2. On the Application Management page, in the Site Collections section, click Configure quotas and locks. The Site Collection Quotas and Locks page opens.
3. If you want to change the selected site collection, in the Site Collection section, expand the Site Collection list, and then click Change Site Collection. Use the Select Site Collection page to select a site collection.
4. On the Site Collection Quotas and Locks page, in the Site Quota Information section, expand the Current quota template list, and then select the new quota template to apply.
5. Click OK.

Updating Quotas
If you update a quota template, or update the site collection quota, the change does not apply to existing sites. To update quotas on existing sites, you can use Windows PowerShell's Set-SPSite cmdlet with the -MaxSize parameter.

Site Collection Locks


You can apply locks to prevent users from accessing or modifying content in a site collection. The following table describes the locking options that are available in Microsoft SharePoint Server 2010.

| Option | Description |
| --- | --- |
| Not locked | Unlocks the site collection and makes it available to users. |
| Adding content prevented | Prevents users from adding new content to the site collection. Updates and deletions are still allowed. |
| Read-only (blocks additions, updates, and deletions) | Prevents users from adding, updating, or deleting content. |
| No access | Prevents access to content completely. Users who attempt to access the site receive an access-denied message. |

To Lock or Unlock a Site Collection by Using Central Administration
1. In Central Administration, click Application Management.
2. On the Application Management page, in the Site Collections section, click Configure quotas and locks. The Site Collection Quotas and Locks page opens.
3. If you want to change the selected site collection, in the Site Collection section, on the Site Collection menu, click Change Site Collection. Use the Select Site Collection page to select a site collection.
4. On the Site Collection Quotas and Locks page, in the Site Lock Information section, select one of the following options:
   - Not locked. To unlock the site collection and make it available to users.
   - Adding content prevented. To prevent users from adding new content to the site collection. Updates and deletions are still allowed.
   - Read-only (blocks additions, updates, and deletions). To prevent users from adding, updating, or deleting content.
   - No access. To prevent access to content completely. Users who attempt to access the site receive an access-denied message.
5. If you select Adding content prevented, Read-only (blocks additions, updates, and deletions), or No access, type a reason for the lock in the Additional lock information box.
6. Click OK.

Lock or Unlock a Site Collection by Using Windows PowerShell
The following example shows the use of the Set-SPSite cmdlet with the -LockState parameter to lock or unlock a site.
Set-SPSite -Identity "<SiteCollection>" -LockState "<State>"

Where:
- <SiteCollection> is the URL of the site collection that you want to lock or unlock.
- <State> is one of the following values:
  - Unlock. To unlock the site collection and make it available to users.
  - NoAdditions. To prevent users from adding new content to the site collection. Updates and deletions are still allowed.
  - ReadOnly. To prevent users from adding, updating, or deleting content.
  - NoAccess. To prevent access to content completely. Users who attempt to access the site receive an access-denied message.

Additional Reading
Manage site collection storage limits (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192708&clcid=0x409


Subsites, Site Collections, and Content Databases

Subsites
A site collection can contain one or more sites. Below the top-level site, you can create additional sites, also called subsites or subwebs. The preceding diagram shows subsites for HR and Engineering. The URL for HR would be http://intranet.contoso.com/HR. The site hierarchy can be even deeper, but be aware of the 260-character URL length limit.

Multiple Site Collections


A number of governance controls, including content ownership and quota configuration, are configured at the site collection level. Governance objectives often drive organizations to create multiple site collections that configure unique properties for each site collection.

Multiple Content Databases


The content from all sites in a site collection is stored in the content database. A site collection cannot span more than one content database. The content database is the core component of storage management, including backup and restore. Because of this relationship between content databases and storage management, governance and service level agreements often drive an organization to create multiple site collections so that site collections can be distributed across content databases. The only way to store sites in separate content databases is to put sites in separate site collections.


Managed Paths

To create a new site collection within a web application, there must be a managed path at which to create the site collection. A managed path is a portion of the URI namespace where the site collections exist. A managed path is not directly mapped to content within the web application. Instead, it is used by SharePoint as a namespace (path) node where site collections can be created.

An explicit managed path is useful for creating only a single site collection, at the exact URL specified. For example, the default (root) managed path for our intranet site is http://intranet.contoso.com/ and a single site collection can be created at that exact URL.

A wildcard managed path, for example, http://intranet.contoso.com/sites/, indicates that child URLs of the path are site collections. A wildcard managed path such as sites/ allows for an unlimited number of site collections to be created directly under the provided path. It is important to note that a site collection (and therefore, a website) cannot be created at this explicit URL. The default managed path, created when you create any new web application, is sites/. However, you can define managed paths with other descriptive names such as depts (for departments), teams, clients, or projects.

Managed paths allow a SharePoint server to receive a request in the form of a URI and to determine which part of the URI corresponds to a site collection, by looking at the list of managed paths for a given Web Application. SharePoint can then go to the correct content database of the site collection to retrieve the content based on the remaining portion of the URI. This means that SharePoint has to look at every managed path for each request, so Microsoft supports only up to 20 managed paths per web application.

Add Managed Paths for a Web Application by Using Central Administration
1. On the SharePoint 2010 Central Administration website, in the Quick Launch, click Application Management.
2. On the Application Management page, click Manage web applications.
3. Click the web application for which you want to manage paths. The ribbon becomes active.
4. On the ribbon, click Managed Paths.
5. On the Define Managed Paths page, in the Add a New Path section, type the path you want to include.
6. Click Check URL to confirm the path name.
7. Use the Type drop-down menu to identify the path as either Wildcard inclusion or Explicit inclusion.
   - The Wildcard inclusion type includes all URLs that are immediately subordinate to the specified URL.
   - The Explicit inclusion type includes only the URL that is indicated by the specified path.
8. Click Add Path.
9. When you have finished adding paths, click OK.

Remove Managed Paths for a Web Application by Using Central Administration
1. On the SharePoint 2010 Central Administration website, in the Quick Launch, click Application Management.
2. On the Application Management page, click Manage Web Applications.
3. Click the web application for which you want to manage paths. The ribbon becomes active.
4. On the ribbon, click Managed Paths.
5. On the Define Managed Paths page, in the Included Paths section, click the check box next to the path that you want to remove.
6. Click Delete selected paths.
   Warning: Deletion is immediate. You will have no additional opportunity to confirm.
7. When you have finished removing paths, click OK.

Add a Managed Path by Using Windows PowerShell
The following example shows the use of the New-SPManagedPath cmdlet to add a managed path to a web application:
New-SPManagedPath [-RelativeURL] "</RelativeURL>" -WebApplication <WebApplication>

Where:
- </RelativeURL> is the relative URL for the new managed path. The type must be a valid partial URL, such as site or sites/teams/.
- <WebApplication> is the URL of the web application to which the managed path will be added.

Remove a Managed Path by Using Windows PowerShell
The following example shows the use of the Remove-SPManagedPath cmdlet to remove a managed path from a web application:
Remove-SPManagedPath [-Identity] <ManagedPathName> -WebApplication <WebApplication>

Where:
- <ManagedPathName> is the name of the managed path to delete.
- <WebApplication> is the URL of the web application that hosts the managed path to delete.

Additional Reading
SharePoint 101: Managed Paths, at http://go.microsoft.com/fwlink/?LinkID=192710&clcid=0x409
Define managed paths (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192709&clcid=0x409


Content Databases

Site Collections and Content Databases


A site collection is hosted in one content database. A site collection cannot span across content databases. Out-of-box recovery tools require the restoration of a content database. The time required to restore a content database should be within the service level defined by your SharePoint governance plan. A large content database may take so long to restore that you might fail to achieve your service level objective.

Scalability
From a logical storage management perspective, it would make sense for each site to be a separate site collection in a separate content database. However, for performance reasons, such an approach is often not feasible. In fact, several scalability guidelines apply to SharePoint Server 2010. Become aware of scalability boundaries:
- 300 content databases per web application are supported. Additionally, the RAM and performance of your SQL Server limits the total number of content databases that should be hosted on that server.
- 200 GB per content database is supported. Content database sizes up to 1 terabyte are supported only for large, single-site repositories and archives with non-collaborative I/O and usage patterns, such as Records Centers. Larger database sizes are supported for these scenarios because their I/O patterns and typical data structure formats have been designed for, and tested at, larger scales.
- 100 GB per site collection is supported. If a content database contains only one site collection, then the site collection can be up to 200 GB.
- 250,000 websites per site collection are supported.
- Up to 2,000 subsites of a given website are supported.


When designing a strategy for content databases, consider your service level objectives. Include the recovery time objective (how quickly your deleted or corrupted content is brought back online) and your recovery point objective (how far back in time your historical backups are maintained). You must also consider performance, such as the scalability guidelines mentioned above.

Additional Reading
SharePoint Server 2010 Capacity Management: Software Boundaries and Limits at http://go.microsoft.com/fwlink/?LinkID=192711&clcid=0x409

Create a Content Database


When you create a web application, you specify the name of the initial content database. You can later create additional content databases for the web application.

Add a Content Database by Using Central Administration
1. In the Central Administration Quick Launch, click Application Management.
2. In the Databases section, click Manage content databases.
3. On the Manage Content Databases page, in the Web Application section, ensure that you are focused on the web application in which you want to create a site collection. If necessary, click the web application picker, and then click Change Web Application. Click the correct web application.
4. Click Add a content database.
5. In the Database Name box, type a name for the database, for example, WSS_Content_Intranet_IT. Use the naming standards of your organization to determine the name.
6. Click OK.

Add a Content Database by Using Windows PowerShell
The following example shows the use of the New-SPContentDatabase cmdlet to create a new content database:
New-SPContentDatabase -Name <ContentDbName> -WebApplication <WebApplicationName>

Where:
- <ContentDbName> is the name of the content database that you want to create.
- <WebApplicationName> is the name of the web application to which the new database is attached.

Additional Reading
Add a content database (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192712&clcid=0x409

Add a Site Collection to a Content Database


After you create a content database, you can create site collections in that content database. When you use Central Administration to create a site collection, Central Administration automatically determines which content database will contain the site collection. You cannot specify a content database in Central Administration. Instead, each content database is evaluated to determine which content database has the most available sites, based on the content database's maximum sites property and the current number of sites in the content database. The content database with the most available sites is used to host a new site collection.


It's important to mention that the size of the content database is not taken into consideration. In the event that more than one content database has the same number of available sites, the content database with the lowest GUID is selected as a tie-breaker.

As you can see, the lack of fine-grained control in Central Administration can be problematic when you are trying to manage the association of site collections to content databases. The -ContentDatabase parameter of the New-SPSite cmdlet can be used to create a site collection in a specific content database.

You can move site collections between content databases by using Windows PowerShell. The following example shows the use of the Move-SPSite cmdlet to move a site collection between content databases:
Move-SPSite <http://ServerName/Sites/SiteName> -DestinationDatabase <DestinationContentDb>

Where:
- <http://ServerName/Sites/SiteName> is the name of the site collection.
- <DestinationContentDb> is the name of the destination content database.
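The selection rule described above (most available sites, lowest GUID as tie-breaker, database size ignored), as an added example that is not part of the original courseware. The function name, the sample database names other than WSS_Content_Intranet_IT, the GUIDs, the site counts, and the CONTOSO\owner account are constructed for illustration, and the GUID comparison uses .NET ordering, which is an assumption about how the tie is broken.

```powershell
# Added example (not from the courseware): predict which content database
# Central Administration would use for the next site collection.
function Select-NextContentDatabase {
    param(
        [Parameter(Mandatory = $true)]
        [object[]]$Database   # objects exposing Name, Id, MaximumSiteCount, CurrentSiteCount
    )

    $Database |
        Select-Object Name, Id, MaximumSiteCount, CurrentSiteCount,
            @{ Name = 'AvailableSites'; Expression = { $_.MaximumSiteCount - $_.CurrentSiteCount } } |
        # Assumption: a database with no free slots cannot be chosen.
        Where-Object { $_.AvailableSites -gt 0 } |
        # Most available sites first; lowest GUID breaks a tie. Size is never consulted.
        Sort-Object -Property @{ Expression = { $_.AvailableSites }; Descending = $true },
                              @{ Expression = { $_.Id }; Ascending = $true } |
        Select-Object -First 1
}

# Constructed sample data standing in for Get-SPContentDatabase output.
$sample = @(
    New-Object PSObject -Property @{
        Name = 'WSS_Content_Intranet'
        Id = [guid]'2b000000-0000-0000-0000-000000000001'
        MaximumSiteCount = 15000; CurrentSiteCount = 120
    }
    New-Object PSObject -Property @{
        Name = 'WSS_Content_Intranet_IT'
        Id = [guid]'3c000000-0000-0000-0000-000000000002'
        MaximumSiteCount = 50; CurrentSiteCount = 3
    }
    New-Object PSObject -Property @{
        Name = 'WSS_Content_Intranet_Archive'
        Id = [guid]'1a000000-0000-0000-0000-000000000003'
        MaximumSiteCount = 15000; CurrentSiteCount = 120
    }
)

# Two databases tie at 14880 available sites; the one with the lower GUID
# (WSS_Content_Intranet_Archive) is selected, however large it already is.
Select-NextContentDatabase -Database $sample | Format-List Name, AvailableSites, Id

# On a farm, feed the real databases to the same function, then place the
# site collection explicitly instead of relying on the automatic choice:
# Select-NextContentDatabase -Database (Get-SPContentDatabase -WebApplication 'http://intranet.contoso.com')
# New-SPSite -Url 'http://intranet.contoso.com/depts/IT' -OwnerAlias 'CONTOSO\owner' `
#     -ContentDatabase 'WSS_Content_Intranet_IT'
```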


Example Logical Architecture

The preceding slide presents a simple view of the logical infrastructure of a typical intranet or collaboration web application. At the root of the web application is a site collection with a top-level site that serves as the home page, and may contain general content that applies across divisions.

Under a managed path, each division, department, or team gets a unique site collection. The URL to a divisional site is web application \ [managed path \] site, for example, http://intranet.contoso.com/depts/HR. The division's site collection scopes the ownership, user and group definitions, quotas, and other configuration for the site. Site collections also impose functional boundaries. Features can be activated or deactivated at the site collection level. You will typically need far more site collections than you would anticipate, because governance designs typically require more than one set of configuration at the site collection level.

Optionally, you can put each division's site collection in a dedicated content database to manage storage, backup and restore. Keep in mind, however, that there are performance-related scalability guidelines that might prevent you from putting every division in a separate site collection in particularly large or complex implementations.


Lesson 3

Exploring the SharePoint Web Application and Physical Architecture

In the previous lesson, you examined the process where a browser requests and receives content from a SharePoint site. In this lesson, you will explore in detail the components of SharePoint, IIS, and Microsoft SQL Server that are responsible for handling the request on the web front end.

After this lesson, you will be able to:
- Understand the SharePoint engine: the components of the web application and service itself.

Among the components you will explore are:
- SharePoint and IIS 7.0
- SharePoint Web Applications Components
- Web.config
- SharePoint Root
- SharePoint Databases
- Customized vs. Uncustomized Pages


SharePoint and Internet Information Services (IIS) 7.0 and 7.5

As you learned in Module 1, "Introducing SharePoint 2010," SharePoint 2010 sits on top of IIS 7.0 and relies on Internet Information Services to process requests. IIS 7.0 has several features that will make managing your SharePoint 2010 environment easier and increase performance:
- HttpModules and HttpHandlers participate in all requests to the server without having to be associated with the ASP.NET ISAPI filter, which improves the performance of request processing. HttpModules and HttpHandlers are two types of component that process web requests.
- ASP.NET configuration was managed directly in XML files in previous versions of IIS. The new IIS Manager allows you to visualize configuration values and make changes in the user interface.
- Traditionally, it has been difficult to troubleshoot and debug 500 errors. Now, with failed request tracing, you can trace the events that lead to such errors.
- You can make changes to IIS configuration settings using a .NET API, which makes it possible to configure IIS using Windows PowerShell.
- IIS configuration used to be stored in the metabase. Now, configuration is stored in the applicationHost.config file.
- IIS supports more granular delegation of administration, which makes it possible to assign roles to administrators without giving them the keys to the entire web server.


SharePoint Web Application Components

Key Points
When you create a new SharePoint web application, several things happen.
- A new site is created in IIS. The site is bound to the port and host header specified by SharePoint.
- An application pool is associated with the site. As you learned in the previous lesson, an existing application pool can be used by more than one site, which allows the sites to share a single process and to share the overhead associated with the application pool, which brings certain efficiencies. Alternately, you can create a new application pool for the site, which will isolate the site in a separate process and will incur its own app pool overhead. Microsoft supports up to ten application pools per SharePoint server. This number may be reduced depending primarily on the RAM of the server.
- A root directory for the web application is created as a subfolder of c:\inetpub\wwwroot\wss\virtualdirectories. Inside the root directory is a .NET configuration file, web.config. The web.config file defines the application as a SharePoint application.
- Virtual directories within the site point to other folders, each with its own .NET configuration (web.config).
- HttpModules add the SharePoint object model properties to the memory space.


Web.config

The web.config file is the key component that makes an IIS website a SharePoint web application. The web.config file is a typical XML-based .NET config file with several configuration sections added to it. Several common configuration sections are:
- SafeControls. Defines what controls can be used on a SharePoint page.
- SafeMode. Determines whether pages are allowed to execute inline .NET code.
- MergedActions. Allows changes to web.config without actually modifying the file; it merges the actions specified in selected and other files.
- BlobCache. Enables caching various file types in a location on the web front end, rather than pulling files from the database for each request. For more information, see Module 4, "Configuring Content Management."
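A review of the SafeMode and SafeControls sections described above, as an added example that is not part of the original courseware: the function reports SafeMode settings that expose diagnostics, PageParserPath entries that allow inline server-side code, and SafeControl entries from assemblies outside the Microsoft.* and System.* names. The function names, the Contoso.WebParts assembly, and the embedded configuration are constructed for illustration.

```powershell
# Added example (not from the courseware). The XML below is a constructed
# sample of the <SharePoint> section, not taken from a real farm.
$sampleConfig = [xml]@'
<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="true" DirectFileDependencies="10"
              TotalFileDependencies="50" AllowPageLevelTrace="false">
      <PageParserPaths>
        <PageParserPath VirtualPath="/depts/HR/*" CompilationMode="Always"
                        AllowServerSideScript="true" IncludeSubFolders="true" />
      </PageParserPaths>
    </SafeMode>
    <SafeControls>
      <SafeControl Assembly="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                   Namespace="Microsoft.SharePoint.WebControls" TypeName="*" Safe="True" />
      <SafeControl Assembly="Contoso.WebParts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0000000000000000"
                   Namespace="Contoso.WebParts" TypeName="*" Safe="True" />
    </SafeControls>
  </SharePoint>
</configuration>
'@

function New-Finding {
    param([string]$Section, [string]$Item, [string]$Detail)
    New-Object PSObject -Property @{ Section = $Section; Item = $Item; Detail = $Detail } |
        Select-Object Section, Item, Detail
}

function Test-SharePointWebConfig {
    param(
        [Parameter(Mandatory = $true)]
        [xml]$Config
    )

    $safeMode = $Config.SelectSingleNode('/configuration/SharePoint/SafeMode')
    if ($safeMode -eq $null) {
        New-Finding 'SafeMode' '(missing)' 'No SafeMode element; this is not a SharePoint web.config'
        return
    }

    # Diagnostic switches that reveal internals to page visitors when enabled.
    foreach ($name in 'CallStack', 'AllowPageLevelTrace') {
        if ($safeMode.GetAttribute($name) -eq 'true') {
            New-Finding 'SafeMode' $name 'Enabled; intended for troubleshooting only'
        }
    }

    # Paths where customized pages may run inline .NET code.
    foreach ($path in $safeMode.SelectNodes('PageParserPaths/PageParserPath')) {
        if ($path.GetAttribute('AllowServerSideScript') -eq 'true') {
            New-Finding 'SafeMode' $path.GetAttribute('VirtualPath') 'Inline server-side code allowed'
        }
    }

    # Controls marked safe that do not ship in Microsoft.* or System.* assemblies.
    foreach ($control in $Config.SelectNodes('/configuration/SharePoint/SafeControls/SafeControl')) {
        $assembly = $control.GetAttribute('Assembly')
        if ($control.GetAttribute('Safe') -eq 'True' -and
            $assembly -notlike 'Microsoft.*' -and $assembly -notlike 'System.*') {
            New-Finding 'SafeControls' ($assembly -split ',')[0] `
                ('Custom control namespace ' + $control.GetAttribute('Namespace') + ' is marked safe')
        }
    }
}

# Three findings for the constructed sample: CallStack, /depts/HR/*, Contoso.WebParts.
Test-SharePointWebConfig -Config $sampleConfig | Format-Table -AutoSize

# Against a real web application (the folder name is a placeholder):
# Test-SharePointWebConfig -Config ([xml](Get-Content 'C:\inetpub\wwwroot\wss\virtualdirectories\<folder>\web.config'))
```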


SharePoint Root

If you open the folder that acts as the root directory of a SharePoint web application (the Physical Path of the IIS website), you will discover that there are no .aspx files in the folder. Where, exactly, do SharePoint files and pages reside? Content that is specific to the individual web application is stored in the web application content database(s) in SQL Server. However, a significant amount of content is shared across sites and web applications in a SharePoint farm. These files are stored in the folder:
C:\Program Files\Common Files\Microsoft Shared\web server extensions\14

This folder is called the SharePoint root. You'll also hear it referred to as the 14 hive, because in SharePoint 2007, the folder was named 12 and was called the 12 hive. However, the proper name for the folder in SharePoint 2010 is the SharePoint root. The folder has many subfolders that drive the core functionality of the SharePoint farm and web applications.

Top-level folders
The top-level folders in the SharePoint root include:
- ADMISAPI. Web services that manage content deployment.
- BIN. Executables that manage search, timer jobs, upgrade, configuration, and administration.
- CONFIG. Configuration files that control code security, web application security, and extensions to stsadm.exe and Windows PowerShell.
- HCCab. .cab-based help files.
- Help. .chm-based Help files.
- ISAPI. SharePoint .NET object model .dlls, administration application pages, SharePoint web services, and the SharePoint RPC .dll.
- LOGS. Usage analysis processing logs and SharePoint log files.
- Policy. .dll and .config files.
- Resources. .resx files used to create SharePoint objects using an installed language pack.
- TEMPLATE. Site definitions, workflow settings, feature additions, and user controls.
- UserCode. Files that support sandboxed solutions.
- WebClients. Configuration files used for the client object model.
- WebServices. Files that support service applications.

TEMPLATE folder
The TEMPLATE folder in the SharePoint root contains files that support content and functionality across SharePoint sites in a farm. The TEMPLATE folder includes the following subfolders:
- 1033. English-language SharePoint configuration files. Other folders with names that correspond to a specific language will exist for other installed languages.
- ADMIN. The site applications for Central Administration.
- CONTROLTEMPLATES. User controls that are used across sites.
- DocumentTemplates. Document templates that are used across sites.
- FEATURES. Features that have been added to extend the SharePoint functionality.
- GLOBAL. A site definition that is inherited by all other site definitions.
- IMAGES. Common graphic elements.
- LAYOUTS. Pages that implement functionality that is available to all SharePoint sites.
- SITETEMPLATES. Site definitions.
- SQL. Scripts that create configuration, search, and content databases, and that upgrade older versions of databases.
- THEMES. Styles that can be applied to change the look and feel of a SharePoint site.
- XML. XML configuration files.

Synchronization of the SharePoint Root


When the farm has more than one server, it is critical that the SharePoint root is the same on each server in the farm. Numerous activities make changes to the SharePoint root, including:
- Adding user controls
- Adding site definitions
- Adding global images
- Adding application pages
- Adding themes

It is best to deploy files and functionality to a SharePoint farm using SharePoint solutions. Solutions are packages, similar to Windows Installer (.MSI) files, which deploy files and functionality. When you use a solution, the farm does the job of ensuring that the solution is deployed to all servers.


SharePoint Databases

A SharePoint implementation consists of numerous databases stored in SQL Server:
- Each farm has a configuration, or config database. The configuration database contains data about SharePoint databases, Internet Information Services (IIS) websites, web applications, trusted solutions, Web Part packages, site templates, and web application and farm settings specific to SharePoint 2010 products, such as default quota settings and blocked file types.
- Each service application can have one or more databases.
- Each web application stores its content in one or more content databases, in addition to using shared content in the SharePoint root. Content databases include content from list and document libraries, document versions, workflow instances, Web Part properties, audit logs, and sandboxed solutions, in addition to user names and rights.

As you learned earlier in this module, all the data for a specific site collection resides in one content database on only one server. A content database can be associated with more than one site collection.

Content Database Tables


Content database tables include:
- AllDocs. Stores data for all documents in the SharePoint Store.
- AllDocStreams. Stores the document stream and related data for unghosted pages and documents with content streams stored in the content database.
- AllDocVersions. Stores streams for previous versions of files.
- AllUserData. Stores data for all list and document libraries. The table provides a fixed number of generic columns in various data types, affording storage for application-defined variable schemas. A list item may be represented by more than one row in this table, if its list's schema requires more entries of a particular data type than are available in a single row. Application-defined metadata for documents in document libraries also resides in AllUserData, and it is accessed via joins with the Docs View.
- RecycleBin. Contains deleted items from all sites in the site collection.
- WebParts. Provides available web parts.
- Webs. Provides configuration of each site (web) in the site collection.

Additional Reading
Database types and descriptions (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192713&clcid=0x409
Storage and SQL Server capacity planning and configuration (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192714&clcid=0x409


Customized vs. Uncustomized Pages

Key Points
When you create a site, a special collection of files called the site definition generates the initial, default content for the site. A subset of this content is the pages that make up the site, for example, default.aspx, the home page. The default.aspx page does not reside in the content database itself. Instead, it resides in the SharePoint root on the file system of the web front-end servers. All sites in a SharePoint farm, by default, use the same default.aspx page.

Of course, the home page of each site is typically different. This is supported because the default.aspx page defines content areas and Web Part zones, but the actual content and the properties of each Web Part are specific to each site, and are stored in the site's content database.

When a page such as default.aspx is pulled from the SharePoint root, it is said to be uncustomized. In previous versions of SharePoint, this was called ghosted. Using a tool such as SharePoint Designer, you can customize the page itself. When you do so, the customized page is saved to the content database. At this point, the uncustomized version in the SharePoint root is no longer used for that site. Thus, your customized page is said to be customized. In previous versions of SharePoint, this was called unghosted. It is possible to reset a site or page to the site definition, which removes the customized page.

It is not recommended to modify files directly in the SharePoint root. Among other problems that could arise: SharePoint updates and service packs may overwrite your changes.


Lab: Creating a SharePoint 2010 Intranet

Scenario
You have been asked to build an intranet to support communication and collaboration requirements at Contoso, Ltd. You have recently completed the installation of SharePoint 2010. You must now configure the farm using the Farm Configuration Wizard, and create the logical topology to support the initial business requirements. You are tasked with establishing a SharePoint 2010 intranet site so that business users can review the new features of the publishing site definition. Additionally, you have been asked to configure sites to meet the collaboration requirements of several divisions within the organization. You will begin by creating a site for the Information Technology (IT) department.

Start the virtual machines.


1. Start 10174A-CONTOSO-DC-B.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-B.


Exercise 1: Creating a Web Application


Scenario
In this exercise, you will create a new SharePoint web application for the intranet. The main task for this exercise is as follows: Create a new web application.

Task 1: Create a new web application.


1. Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password, Pa$$w0rd.
2. In SharePoint 2010 Central Administration, navigate to the Web Applications Management page.
3. Create a new web application with the following configuration:
   - Authentication: Classic Mode Authentication
   - Port: 80
   - Host header: intranet.contoso.com
   - Application pool name: SharePoint Web Applications
   - Application pool identity: CONTOSO\SP_ServiceApps
   - Database name: WSS_Content_Intranet

Results: After this exercise, you should have created a new web application, intranet.contoso.com.


Exercise 2: Creating a Site Collection


Scenario
In this exercise, you will create a site collection for the Intranet, and you will solve problems accessing the new web application. The main tasks for this exercise are as follows:
1. Create a new site collection.
2. Attempt to open the new site.
3. Add a DNS host record for the new web application.
4. Open the new site.
5. Create a publishing site page.
6. Configure permissions.

Task 1: Create a new site collection.


In SharePoint 2010 Central Administration, create a new site collection with the following configuration:
- Web application: http://intranet.contoso.com
- Title: Contoso Intranet
- Website address: http://intranet.contoso.com/
- Site definition: Publishing Portal
- Primary site collection administrator: CONTOSO\SP_Admin

Task 2: Attempt to open the new site.


In Microsoft Internet Explorer, in the address bar, type http://intranet.contoso.com, and then press ENTER.
An "Internet Explorer cannot display the webpage" error page is displayed.
Question: What is the cause of this error?

Task 3: Add a DNS host record for the new web application.
- Start DNS Manager using the Run as different user option. Enter the user name, CONTOSO\Administrator, and the password, Pa$$w0rd.
- Connect to the DNS server running on CONTOSO-DC.
- Create a new host record in the contoso.com zone with the name, intranet, and the IP address, 10.0.0.21.
- Close DNS Manager.

Task 4: Open the new site.


1. In Internet Explorer, in the address bar, type http://intranet.contoso.com, and then press Enter.
   An "Internet Explorer cannot display the webpage" error message is displayed. If this error does not appear on your system, continue to the next task.
Question: What is the cause of this error?
1. Open Command Prompt, and then run the command, ipconfig /flushdns. Then, close the command prompt.
2. In Internet Explorer, in the address bar, type http://intranet.contoso.com, and then press Enter.

The website begins to load. Because this is the first time that the site has been requested from the server, it must be compiled. This takes several seconds. The intranet web application opens.

Task 5: Create a publishing site page.


Create a new page on the site with the name, Important Phone Numbers, and with the following page content: In case of emergency, call 911

Task 6: Configure permissions.


Add the CONTOSO\Domain Users group to the Contoso Intranet Visitors group.

Results: After completing this exercise, you should have successfully created a Contoso intranet website.


Exercise 3: Creating a Site Collection in a New Content Database


Scenario
In this exercise, you will create a website for the Information Technology (IT) department on the Contoso intranet. To support backup and restore operations according to Contoso's SharePoint governance plan, you will create the IT intranet website in its own content database. This will allow you to back up or restore the website independently of the corporate intranet website you created in the previous exercise. The main tasks for this exercise are as follows:
1. Create a content database.
2. Create a site collection in a specific content database.
3. Examine the information technology website.

Task 1: Create a content database.


In SharePoint 2010 Central Administration, create a new content database with the following configuration in the web application, http://intranet.contoso.com: Database name: WSS_Content_Intranet_IT

Task 2: Create a site collection in a specific content database.


In SharePoint 2010 Central Administration, create a new site collection with the following configuration:
- Web application: http://intranet.contoso.com
- Title: Information Technology
- Website address: http://intranet.contoso.com/sites/IT
- Site definition: Team Site
- Primary site collection administrator: CONTOSO\SP_Admin

Task 3: Examine the information technology website.


Navigate to http://intranet.contoso.com/sites/IT. Spend some time reviewing and experimenting with the new site. You can make changes to the site, but those changes will not persist after this lab.

Results: After this exercise, you should have created the intranet website for the Contoso Information Technology department.

To prepare for the next module.


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. Why would you create more than one content database in a web application?
2. If you were to create another site collection in the intranet web application, in which content database would it be created?


Module 3
Administering and Automating SharePoint
Contents:
Lesson 1: Configuring Central Administration
Lesson 2: Administering SharePoint from the Command Line
Lesson 3: Automating SharePoint Operations with Windows PowerShell
Lab: Automating SharePoint with Windows PowerShell


Module Overview

In previous modules, you used Central Administration to perform common administrative tasks related to the installation and configuration of Microsoft SharePoint. In this module, you learn more about what it means to be an administrator of a SharePoint farm and what it takes to administer SharePoint using both Central Administration and command-line options. Among the most powerful tools at your disposal as a SharePoint administrator is Windows PowerShell. SharePoint 2010 offers rich support for Windows PowerShell as the primary command-line interface for administering and automating SharePoint, and in this module you learn the fundamentals of Windows PowerShell for SharePoint.

Objectives
After completing this module, you will be able to:
- Configure the Central Administration site and describe administrative roles.
- Administer SharePoint by using PowerShell and STSADM.EXE.
- Automate SharePoint administration operations by writing PowerShell scripts.


Lesson 1

Configuring Central Administration

In this lesson, you take a high-level look at the available options for administering SharePoint: Central Administration, Stsadm, and Windows PowerShell. You learn to configure Central Administration and to identify the various administrative roles in a SharePoint environment. Later lessons explore Stsadm and Windows PowerShell in detail.

After completing this lesson, you will be able to:
- Describe the options for administering SharePoint farms.
- Configure and manage the Central Administration Web application.
- Describe the administrative roles that you can use to manage SharePoint farms.


Administrative Options

In addition to SharePoint 2010 Central Administration, you have at least two other options with which to administer a SharePoint farm: Stsadm and Windows PowerShell. Stsadm is a command (Stsadm.exe) located in the folder C:\Program Files\Common Files\Microsoft Shared\web server extensions\14\BIN. Windows PowerShell is the administrative framework for SharePoint 2010 and other Microsoft technology platforms. SharePoint 2010 Management Shell is the preferred interface for performing task-based commands and for running scripts. The SharePoint 2010 Management Shell supports both Stsadm and Windows PowerShell. In this module, you learn about all three of these administrative options.


Central Administration

Remember that Central Administration is a Web application. Every action you perform in Central Administration is executed using the application pool identity for the Central Administration Web application and the timer service, for example, SP_Farm. Actions performed in Central Administration are not executed in the context of your administrative account's identity. If something is not working, be sure that the SP_Farm identity has the permissions it requires. For example, some tasks performed in Central Administration require that the account have the following attributes:
- Local Administrators group membership on each SharePoint server
- Microsoft SQL Server permissions

These permissions are assigned automatically if you follow the procedures outlined earlier in this course. However, if something happens that removes or denies a required permission, administrative tasks may fail.

Change the Port for Central Administration


When you run the SharePoint Products Configuration Wizard (Psconfigui.exe), you specify the port to which the Central Administration Web site is bound. You can change the port using one of these two methods:

Windows PowerShell. You can use the -Port parameter of the Set-SPCentralAdministration cmdlet to modify the port to which Central Administration is bound.
Set-SPCentralAdministration -Port <PortNumber>

Where: <PortNumber> is an available port, greater than 1023 and less than 32767.

Stsadm. You can use the setadminport operation to modify the port to which Central Administration is bound.
stsadm -o setadminport -port <PortNumber>

Where: <PortNumber> is an available port.

Additional Reading
Change the Central Administration Web site port number (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192720&clcid=0x409
Setadminport: Stsadm operation (Office SharePoint Server) at http://go.microsoft.com/fwlink/?LinkID=192721&clcid=0x409


Administrative Roles

Farm Administrators
The Farm Administrators group represents the accounts that can use the Central Administration application to perform administrative tasks.

Manage the Farm Administrators Group
In SharePoint 2010 Central Administration Quick Launch, click Security, and then, in the Users section, click Manage The Farm Administrators Group.

Members of the Farm Administrators group have permissions to and responsibility for all servers in the server farm. Members can perform all administrative tasks in Central Administration for the server or server farm. Members of this group can also use Windows PowerShell to create and manage configuration database objects and can perform command-line operations, for example, Stsadm.exe. They can assign administrators to manage service applications, which are instances of shared services.

The Farm Administrators group does not have permissions to access individual sites or their content, by default. However, members can take ownership of a site collection by assigning themselves as a site collection owner in Central Administration. For example, if a site collection administrator leaves the organization and a new administrator must be added, a member of the Farm Administrators group can take ownership of the site collection to make the change.

Local Administrators
Members of the Administrators group on the local server are members of the Farm Administrators group by default. Therefore, members of the Administrators group on the local server can perform all farm administrator actions and more, including installing new products or applications, deploying Web Parts and new features to the global assembly cache, creating new Web applications and new Internet Information Services (IIS) Web sites, and starting services. Like Farm Administrators, members of this group on the local server have no access to site content, by default, but can take ownership of a site collection.


Service Application Administrators


Many service applications also have administrators, and the administration of these service applications can therefore be delegated. Farm administrators always have rights to manage all service applications. Those rights cannot be removed. Service application administrators are delegated by members of the Farm Administrators group. The administrators of a service application can configure settings for a specific service application in a farm. However, these administrators cannot create service applications, access any other service applications in the farm, or perform any farm-level operations, including topology changes. For example, the service application administrator for a Search service application in a farm can configure settings for that Search service application only.

Delegate Administration of a Service Application
1. In Central Administration Quick Launch, click Application Management, and then, in the Service Applications section, click Manage Service Applications.
2. Click the row of a service application. Do not click the name of a service application. Most service application names are links to the service application's management application.
3. In the ribbon, click Administrators.

Service Application Feature Administrators


A feature administrator is associated with a specific feature or features of a service application. These administrators can manage a subset of service application settings but not the entire service application. For example, a feature administrator might manage the Audiences feature of the User Profile service application.

Site-Level Administrators
The following two roles are administrative roles, but they do not have any capability to perform tasks in Central Administration:
- Site collection administrators
- The Owners group of a site

The scope of their permissions is the site collection or site. Site collection administrators have the Full Control permission level on all Web sites in a site collection. They have access to content in all sites in that site collection, even if they do not have explicit permissions on that site. For more information, see Module 2, "Creating a SharePoint 2010 Intranet." By default, members of a site's Owners group have the Full Control permission level on that site. They can perform administration tasks for the site and for any list or library in that site. They receive e-mail notifications for events, such as the pending automatic deletion of inactive sites and requests for site access.

Additional Reading
Choose administrators and owners for the administration hierarchy (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192722&clcid=0x409


Lesson 2

Administering SharePoint from the Command Line

In this lesson, you move away from the user interface of the Central Administration Web application and turn to command-line options for administering SharePoint. You explore Stsadm (Stsadm.exe), which is included with SharePoint 2010 to support mixed environments, and Windows PowerShell, which is the recommended tool for administering and automating SharePoint 2010.

After completing this lesson, you will be able to:
- Administer SharePoint from the command prompt with Stsadm.
- Identify the role of Windows PowerShell for administering SharePoint.


SharePoint and Command-Line Administration

SharePoint has introduced new command-line administration interfaces with each successive version of the product. SharePoint 2010 aligns with other Microsoft technologies around the use of Windows PowerShell as the primary command-line interface for administration. SharePoint 2010 provides more than 600 Windows PowerShell cmdlets to support administration of a SharePoint farm. PowerShell provides a superset of capabilities found in Central Administration. Windows PowerShell 2.0 is required to install SharePoint and is installed by the Microsoft SharePoint Products Preparation Tool (PrerequisiteInstaller). As you learn in the next topic, Stsadm has been deprecated but is still supported in SharePoint 2010.


Stsadm

Stsadm is deprecated but is included to support compatibility with previous product versions. There are, however, a small number of rarely used Stsadm operations for which no Windows PowerShell equivalent exists. Some Stsadm operations are no longer supported because of feature or architectural changes in SharePoint 2010. For example, commands used to create, enumerate, and manage Shared Service Providers (SSPs) are not supported because SSPs have been replaced by service applications.

To use Stsadm, you must start Command Prompt on a SharePoint server with the Run As Administrator option, and then navigate to the folder that contains Stsadm.exe:
C:\Program Files\Common Files\Microsoft Shared\web server extensions\14\BIN

You can avoid having to navigate to this deeply nested folder by adding the path to the folder to the %PATH% environment variable. For example, type the following command:
set path=%path%;C:\Program Files\Common Files\Microsoft Shared\web server extensions\14\BIN

Alternately, use the SharePoint 2010 Management Shell, which includes the path to the \BIN folder in its path variable.

Stsadm exposes functionality through operations. Each operation is invoked with this syntax:
stsadm -o <OperationName> [-parameter <Value> ...]

Where:
<OperationName> is the name of an Stsadm operation.
<Value> is the value for a parameter used by the operation.

To discover the operations that are supported, type the following command:
stsadm -?

To read documentation about a specific operation and the parameters it supports, type the following command:
stsadm -help <OperationName>


Introducing Windows PowerShell

Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration. Built on the Microsoft .NET Framework, Windows PowerShell helps IT professionals control and automate the administration of several Microsoft technologies, including the Windows operating system, SharePoint 2010, the Active Directory directory service, and Microsoft Exchange Server. With Windows PowerShell commands, called cmdlets, you can perform management tasks from the command line. With Windows PowerShell providers, you can access data stores, such as the registry and certificate store, as easily as you access the file system. In addition, Windows PowerShell has a rich expression parser and a fully developed scripting language.

Windows PowerShell includes the following features:
- Cmdlets for performing common system administration tasks.
- A task-based scripting language.
- Support for existing scripts and command-line tools. For example, you can perform most Cmd.exe commands with Windows PowerShell.
- Consistent design. Because cmdlets and system data stores use common syntax and naming conventions, data can be shared easily and the output from one cmdlet can be used as the input to another cmdlet without reformatting or manipulation.
- Providers that expose system resources such as the registry, certificate store, and directory service for simplified navigation by using the same techniques that users employ to navigate the file system.
- Powerful object manipulation capabilities. You can manipulate objects directly or send them to other tools or databases.
- Extensible interface. Independent software vendors and enterprise developers can build custom tools and utilities to administer their software.

There is significant overlap between Stsadm and Windows PowerShell in support for operations that are common to both SharePoint 2007 and SharePoint 2010. However, Windows PowerShell provides unique capabilities related to the management of all new features, including support for the following tasks:
- Installation and configuration of SharePoint 2010
- Management of service applications
- Granular control of backup and restore

Additional Reading
About Windows PowerShell at http://go.microsoft.com/fwlink/?LinkID=192723&clcid=0x409


Demonstration: Windows PowerShell Basics

Open the SharePoint 2010 Management Shell


To open the SharePoint 2010 Management Shell: Click Start, click All Programs, click Microsoft SharePoint 2010 Products, and then click SharePoint 2010 Management Shell.

Cmdlets
Windows PowerShell commands are called cmdlets, pronounced command-lets.

List Available Cmdlets
The Get-Command cmdlet lists cmdlets. Type Get-Command.

Cmdlets are not case sensitive. The following cmdlets are equivalent:
Get-Command
get-command
GET-COMMAND

Cmdlets always follow the Verb-Noun format, also called the Action-Object format. The Noun is always singular. For example, the cmdlet to list all processes running on a machine is Get-Process. To list all processes running on a machine, type Get-Process.

There are a limited number of verbs, which can be listed with the Get-Verb cmdlet. Nouns follow naming standards managed by the Windows PowerShell team. For example, all SharePoint nouns begin with SP.

List All SharePoint cmdlets
To list all SharePoint cmdlets, type Get-Command -noun SP* | more.

Additional Reading
Understanding Important Windows PowerShell Concepts at http://go.microsoft.com/fwlink/?LinkID=192724&clcid=0x409
Learning Windows PowerShell Names at http://go.microsoft.com/fwlink/?LinkID=192725&clcid=0x409

Tab Completion
Windows PowerShell supports tab completion, so you can type a few letters and then press TAB to complete your typing. This applies not only to paths, which is possible in Command Prompt as well, but also to cmdlets and their parameters. To experience tab completion, perform the following steps in SharePoint 2010 Management Shell, which creates a new content database for a Web application:
1. Type New-SPCont, and then press TAB. Windows PowerShell completes the name of the cmdlet, New-SPContentDatabase.
   The first parameter of the New-SPContentDatabase cmdlet is the name of the database you want to create.
2. Press SPACEBAR, type TestContentDB, and then press SPACEBAR.
   The next parameter is the name of the database server on which to create the content database.
3. Type -Da, and then press TAB. Windows PowerShell completes the name of the parameter, -DatabaseServer.
4. Press SPACEBAR, type SP2010-WFE1, and then press SPACEBAR.
   The other required parameter is the name of the Web application with which the content database is associated.
5. Type -W, and then press TAB. Windows PowerShell completes the name of the parameter, -WebApplication.
6. Press SPACEBAR, and then type http://intranet.contoso.com.
7. Press CTRL+C to cancel the command without executing it.

Additional Reading
Using Tab Expansion at http://go.microsoft.com/fwlink/?LinkID=192729&clcid=0x409

Get-Help
Windows PowerShell cmdlets are well documented with a standard documentation format.

Get Help About a Cmdlet
To get help about a cmdlet, use the Get-Help cmdlet. Type Get-Help <cmdlet>, where cmdlet is the name of the cmdlet about which you want help.

The Get-Help cmdlet has the following syntax:


Get-Help cmdlet [-examples | -detailed | -full ]

Where the optional parameters produce various types and levels of detail:
-examples. Shows examples of the cmdlet.
-detailed. Shows detailed information about the cmdlet and each of its parameters. Also shows examples.
-full. Shows all documentation of the cmdlet.

Without a parameter, the Get-Help cmdlet shows a synopsis, a more detailed description, and the syntax of the cmdlet. For example, to get help, including examples, about the New-SPContentDatabase cmdlet, type the following:
Get-Help New-SPContentDatabase -detailed

Additional Reading
Getting Information About Commands at http://go.microsoft.com/fwlink/?LinkID=192730&clcid=0x409
Getting Detailed Help Information at http://go.microsoft.com/fwlink/?LinkID=192731&clcid=0x409

Objects
Unlike Command Prompt, in which commands return text that then must be parsed and processed as text, Windows PowerShell returns objects: representations of the component itself. For example, the Get-Process cmdlet returns objects representing processes on a computer. Type the following to retrieve all processes on a computer:
Get-Process

To limit the processes, use a parameter of the Get-Process cmdlet. For example, the -Name parameter limits processes returned based on their name. The following command retrieves all processes named iexplore on a computer:
Get-Process -Name iexplore

The -Name parameter is the default parameter for the Get-Process cmdlet, so it can be omitted:
Get-Process iexplore

In these examples, Windows PowerShell outputs several properties of each process it returns. You are not doing anything with the objects other than showing properties. However, objects returned by a cmdlet can be stored in variables for later use or piped to a subsequent cmdlet as input for the cmdlet.

Pipeline
Windows PowerShell features a pipeline, a channel through which the output of a cmdlet can be passed to the following cmdlet. The pipeline is represented by the pipe character (|). For example, type the following to stop all processes named iexplore on a computer:
Get-Process iexplore | Stop-Process

The Get-Process cmdlet gets running processes on a machine. The Stop-Process cmdlet stops processes. In this example, the Get-Process cmdlet gets processes named iexplore, and then passes the processes through the pipeline to the Stop-Process cmdlet.


As you learn later in this lesson, one of the most important differences between Windows PowerShell and Command Prompt is that cmdlets return objects, not text. In Command Prompt, commands return text, and the text can be piped to another command. In Windows PowerShell, cmdlets return objects, which can be manipulated in much more powerful ways further down the pipeline. For example, the Get-Process cmdlet returns objects representing processes named iexplore. The next command in the pipeline stops those processes, but it could just as easily be a cmdlet that changes the priority of the processes or that returns specific information about the processes, such as their memory and processor utilization.

Additional Reading
Understanding the Windows PowerShell Pipeline at http://go.microsoft.com/fwlink/?LinkID=192732&clcid=0x409

Aliases
Windows PowerShell allows a cmdlet to have aliases, which are alternate names for the cmdlet. For example, gps and ps are aliases for Get-Process. Also, kill is an alias for Stop-Process.

List Available Aliases
The Get-Alias cmdlet lists aliases. Type Get-Alias.

List Aliases for a Specific Cmdlet
To list aliases for a specific cmdlet, type Get-Alias -definition <cmdlet>, where cmdlet is the cmdlet for which you want to list aliases.

For example, type the following to list aliases for Stop-Process:


Get-Alias -definition Stop-Process

If you see a cmdlet that is not following the Verb-Noun syntax, it is certain that the cmdlet is using an alias. Sometimes it can be difficult to interpret what a command is doing when an alias is used.

List the Cmdlet Associated with an Alias
To list the cmdlet for a specific alias, type Get-Alias <Alias>, where Alias is the alias you want to define.

For example, type the following to list the cmdlet for the alias kill:
Get-Alias kill

Additional Reading
Using Familiar Command Names at http://go.microsoft.com/fwlink/?LinkID=192733&clcid=0x409

Variables
As you begin to find and create Windows PowerShell scripts, there's one more concept you must understand: variables. Variables are memory locations that store a value or object and are represented in Windows PowerShell by a name that starts with a dollar sign ($). To assign a variable (that is, to create and define a variable), simply use the following syntax:
$variable = value

For example, the following script stops all processes named iexplore:

$process = "iexplore"
Get-Process $process | Stop-Process

The result is the same as the one-liner shown earlier. However, by separating the name of the process from the line that performs the action of finding and stopping the process, you can more easily modify the script. Or you could use the Read-Host cmdlet to prompt a user for the name of a process, instead of hard-wiring the name of the process into the script. To assign a string value to a variable, enclose the value in single or double quotation marks, as shown earlier. Variables can also store one or more objects. Examine the following script:
$process = Get-Process "iexplore"
$process | Select ID, name, description
$process | Stop-Process

In this example, the variable $process is set to the collection of processes named iexplore. The variable is then used in two following commands. The first reports the ID, name, and description of each process in $process. The second stops each process.

$_
The special variable $_ represents the current object in the pipeline. You see examples of this later in the module. For now, simply imagine that you are looping through a collection of objects (for example, each site collection in a Web application) and you want to do something to each object (for example, list the site collection administrators). As you loop through the collection, you can use the $_ variable to represent the current site collection. Again, you learn more about $_ and put it to use later in the module.

Additional Reading
Using Variables to Store Objects at http://go.microsoft.com/fwlink/?LinkID=192734&clcid=0x409
Windows PowerShell on Microsoft TechNet at http://go.microsoft.com/fwlink/?LinkID=192735&clcid=0x409
Windows PowerShell Scripting Center at http://go.microsoft.com/fwlink/?LinkID=192736&clcid=0x409

Lesson 3

Automating SharePoint Operations with Windows PowerShell

Now that you have learned some of the fundamental concepts of Windows PowerShell, you can turn your attention to how you can use Windows PowerShell to administer and automate SharePoint 2010. After completing this lesson, you will be able to:
Describe the SharePoint 2010 management shell.
Delegate permissions to use Windows PowerShell.
Examine the SharePoint logical structure.
Create a SharePoint intranet by using Windows PowerShell.
Describe objects, members, properties, and methods in Windows PowerShell.
Describe how to select, sort, and format output in Windows PowerShell.
Describe how to filter objects.
Describe iteration and iteration in scripts.
Automate SharePoint operations with Windows PowerShell.

SharePoint 2010 Management Shell

SharePoint 2010 Management Shell vs. Windows PowerShell


There are two ways to manage SharePoint with Windows PowerShell: the Windows PowerShell console and SharePoint 2010 Management Shell. SharePoint 2010 Management Shell loads a Windows PowerShell profile located in the SharePoint root: SharePointRoot\CONFIG\POWERSHELL\Registration\SharePoint.ps1. A Windows PowerShell profile is a script that configures the initial user environment for Windows PowerShell. In the case of SharePoint 2010 Management Shell, the profile does three important things:

Loads the SharePoint snap-ins. The SharePoint 2010 Management Shell profile loads the SharePoint snap-ins. If you run Windows PowerShell, you cannot actually perform any SharePoint tasks because the snap-ins are not loaded. To load snap-ins, you must run the following command:
Add-PSSnapin Microsoft.SharePoint.PowerShell

Another way to add SharePoint functionality to Windows PowerShell is to use a process called reflection, through which you load the SharePoint .dll files directly. This was required in SharePoint 2007 but is not recommended in SharePoint 2010 now that the SharePoint snap-in is available.

Sets the PSThread option to ReuseThread. This is a setting that improves the utilization of memory in Windows PowerShell and reduces the likelihood of memory leaks. In Windows PowerShell, each line (each command) is started in its own thread, or process. When ThreadOptions is set to ReuseThread, each command is run in the same thread. If you use Windows PowerShell, you must run the following command:
$Host.Runspace.ThreadOptions = "ReuseThread"

Adds the Stsadm location (the SharePoint Root/BIN folder) to the path. SharePoint 2010 Management Shell adds the path to the Stsadm.exe command to its path. This allows you to use Stsadm to perform tasks, in addition to Windows PowerShell.

Additional Reading
PS Thread Options at http://go.microsoft.com/fwlink/?LinkId=183145

Delegate Permissions to Use Windows PowerShell

Requirements to Use Windows PowerShell to Administer SharePoint


To use Windows PowerShell to administer SharePoint 2010, an administrator must be assigned the SharePoint_Shell_Access role on any databases against which Windows PowerShell will be used. For example, to perform tasks that read or manipulate data in the configuration database, an administrator must have the SharePoint_Shell_Access role for the configuration database. Likewise, to work with a specific site collection, the administrator must have the SharePoint_Shell_Access role for the appropriate content database. Additionally, the administrator's account must be a member of the WSS_ADMIN_WPG local group on all servers in the farm. To assign these two roles, and thereby to delegate permission to use Windows PowerShell, you can and should use the Add-SPShellAdmin cmdlet. The process is straightforward.

Delegate Permissions with Add-SPShellAdmin


1. Open SharePoint 2010 Management Console.
2. Use the Add-SPShellAdmin cmdlet to grant a user the ability to use Windows PowerShell against that content database. Use the following example:
Add-SPShellAdmin -username <DOMAIN\user> -database (Get-SPContentDatabase <Content Database Name>)

So, with just one command, you've given the user the SharePoint_Shell_Access role on the database and added the user to the WSS_ADMIN_WPG local group on each server in the farm. If the user is currently logged on, the user will of course have to log off and log back on for the new local group membership to take effect. To perform this delegation, your account must have the Security_Admin server role for the SQL Server instance and the db_owner role for the database, and you must be in the Administrators group of each server in the farm. In other words, you must be a high-level administrator to delegate to another user the ability to use Windows PowerShell. Practically speaking, you'll likely be administrator of the SQL Server and of each server in the farm, though technically speaking you don't need quite that much power.
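
Because a single Add-SPShellAdmin call grants both a database role and a local group membership, it is worth reviewing periodically who holds that access. The following is an added example, not part of the course material: it uses the Get-SPShellAdmin cmdlet to list shell administrators on the configuration database and on each content database returned by Get-SPContentDatabase, and flags accounts that are missing from an allow-list. The $approved list, the function name Get-ShellAdminReport, and the output file name are assumptions, as is the UserName property read from the Get-SPShellAdmin output.

```powershell
# Added example, not from the course material.
# Run in SharePoint 2010 Management Shell (or load the snap-in as shown)
# with an account that can read every database being checked.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Assumption: the accounts approved for shell access in this farm.
$approved = @("CONTOSO\SP_Admin")

function Get-ShellAdminReport {
    param([string[]]$ApprovedAccounts = @())

    $rows = @()

    # With no -database argument, Get-SPShellAdmin reads the farm
    # configuration database.
    foreach ($admin in @(Get-SPShellAdmin)) {
        $rows += New-Object PSObject -Property @{
            Database = "(configuration database)"
            UserName = $admin.UserName
            Approved = ($ApprovedAccounts -contains $admin.UserName)
        }
    }

    # One lookup per content database. The @() wrapper keeps the loop from
    # running once on an empty result in Windows PowerShell 2.0.
    foreach ($db in @(Get-SPContentDatabase)) {
        foreach ($admin in @(Get-SPShellAdmin -database $db)) {
            $rows += New-Object PSObject -Property @{
                Database = $db.Name
                UserName = $admin.UserName
                Approved = ($ApprovedAccounts -contains $admin.UserName)
            }
        }
    }

    $rows
}

$report = Get-ShellAdminReport -ApprovedAccounts $approved

# Full picture, unapproved accounts first.
$report | Sort-Object Approved, Database, UserName |
    Format-Table Database, UserName, Approved -AutoSize

# Keep a record of the accounts that need follow-up.
$report | Where-Object { -not $_.Approved } |
    Select-Object Database, UserName |
    Export-Csv -Path "$env:TEMP\UnapprovedShellAdmins.csv" -NoTypeInformation

# The local group half of the delegation, for the server you are logged on to.
net localgroup WSS_ADMIN_WPG
```

An unexpected entry can be withdrawn with Remove-SPShellAdmin, which accepts -WhatIf so that the change can be previewed first.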

Site Collection Ownership


You must also be a site collection owner, as defined in Central Administration, to use Windows PowerShell against a site collection in the content database. To assign a site collection owner by using Windows PowerShell, follow this example:
Set-SPSiteAdministration <SiteCollectionURL> -OwnerAlias <DOMAIN\user> -SecondaryOwnerAlias <DOMAIN\user>

Where:
<SiteCollectionURL> is the URL of the site collection.
The -OwnerAlias parameter's <DOMAIN\User> is the primary site collection administrator.
The -SecondaryOwnerAlias parameter's <DOMAIN\User> is the secondary site collection administrator.

Run SharePoint 2010 Management Shell with the Run As Administrator Option
Finally, many cmdlets require that you are an administrator of the computer on which the cmdlet is being executed. These cmdlets fail unless you use the Run As Administrator option when opening SharePoint 2010 Management Shell.

Additional Reading
SharePoint 2010 Products administration by using Windows PowerShell at http://go.microsoft.com/fwlink/?LinkID=192737&clcid=0x409

Examine the SharePoint Logical Structure Using Windows PowerShell

Examine the SharePoint Logical Structure with Get


You can use the Get verb to retrieve objects from the SharePoint object model.

Retrieve a Reference to the Farm
To retrieve a reference to the farm, type Get-SPFarm.

Retrieve a Collection of Web Applications in the Farm
To retrieve a collection representing the Web applications, type Get-SPWebApplication.

The Get-SPWebApplication cmdlet leaves out Central Administration by default as a measure of protection against scripts that are designed to perform actions against every Web application in a farm. To include the Central Administration Web application, include the parameter -IncludeCentralAdministration.

Retrieve a Collection of All Site Collections in the Farm
To retrieve a collection of site collections in the farm, type Get-SPSite.

To prevent runaway memory and processing, the Get-SPSite cmdlet limits the number of site collections it returns to 20, by default. Add the -limit parameter to increase this limit, or add -limit all to return all site collections. The Get-SPSite cmdlet always excludes the Central Administration site collection.

Retrieve a Collection of Web Sites
The Get-SPWeb cmdlet retrieves a collection of Web sites in a scope specified by the cmdlet's parameters. The -Site parameter specifies a site collection as the scope, and the -Filter parameter specifies a filter as the scope.

For example, the following command retrieves the Web sites in the intranet site collection:
Get-SPWeb -Site http://intranet.contoso.com

The Get-SPWeb cmdlet limits the number of objects it returns to 200 by default. Like the Get-SPSite cmdlet, use the -limit parameter to increase this limit, or use -limit all to return all Web sites in a site collection.

User Interface Terminology vs. Object Model Terminology


As you've no doubt noticed in this discussion, terminology used to describe the logical hierarchy of SharePoint is different in Windows PowerShell from terminology in the user interface. That's because the SharePoint object model, which drives terminology used by developers and by the .NET Framework, has a legacy that dates back to the beginning of SharePoint time. The terminology is particularly tricky around the word "site." Notice the different ways in which the word "site" is used both in describing the components of SharePoint as shown in the user interface and in the object model.

User Interface and Documentation        Object Model
Farm                                    SPFarm
Web application                         SPWebApplication
Site collection                         SPSite
Site, Web site, Web, subweb, subsite    SPWeb

It gets even more tricky when users say something like, "I can't access my site." Is that a site collection (SPSite), Web site (SPWeb), or are they really saying that they're typing http://intranet.contoso.com and getting an error, in which case it may even be the Web application (SPWebApplication) that needs to be examined? It's recommended that when you discuss SharePoint, and particularly when you are gathering information for troubleshooting, you avoid the word "site" by itself. Clarify: Web application, site collection, or subweb.

Using the Pipeline


As you learned earlier, the Get-SPWeb cmdlet uses a -Site parameter to specify the site collection in which Web sites should be returned:
Get-SPWeb -Site "http://intranet.contoso.com"

The Get-SPSite cmdlet, also presented earlier, retrieves all site collections. If you use an Identity parameter, it retrieves only matching site collections. For example, the following command retrieves only one site collection:
Get-SPSite "http://intranet.contoso.com"

You can use the site collection returned by Get-SPSite instead of the -Site parameter of Get-SPWeb:
Get-SPSite "http://intranet.contoso.com" | Get-SPWeb -limit all

You can also save SPSite objects and SPWeb objects to variables:

$site = Get-SPSite "http://intranet.contoso.com"

However, when you do this with SPWeb and SPSite objects, you should ensure that you dispose of them properly at the end of your script so that the memory they use is cleaned up. Disposal is done with the Stop-SPAssignment cmdlet:
$site | Stop-SPAssignment

Question: How can you get a list of all site collections in the farm, including Central Administration, when the Get-SPSite cmdlet always excludes Central Administration?

Question: How can you get a list of all Web sites in the farm, including Central Administration, when the Get-SPSite cmdlet always excludes Central Administration?

Additional Reading
Understanding the Windows PowerShell Pipeline at http://go.microsoft.com/fwlink/?LinkID=192732&clcid=0x409

Create a SharePoint Intranet Using Windows PowerShell

You can use Windows PowerShell to create logical components of SharePoint, just as you did by using Central Administration in Module 2.

Delete a Web Application


To delete a Web application, use the Remove-SPWebApplication cmdlet. For example, the following command deletes the intranet Web application, including the IIS Web site and the content databases:
Remove-SPWebApplication http://intranet.contoso.com -DeleteIISSite -RemoveContentDatabase -Confirm:$false

Note the use of the -Confirm:$false parameter. The -Confirm parameter is common to all Windows PowerShell commands that have potentially detrimental effects. By default (-Confirm:$true), the cmdlet will prompt for confirmation. Specifying -Confirm:$false suppresses such prompts. You can also use the -WhatIf parameter to simulate a command and report its effects. The -WhatIf parameter is particularly helpful when you are performing a command on a variable or collection of objects so that you know exactly what is being done to which objects.

Create a Web Application


The following example shows the use of the New-SPWebApplication cmdlet to create a new Web application:
New-SPWebApplication -Name <Name> -Port <Port> -HostHeader <HostHeader> -URL <URL> -ApplicationPool <ApplicationPool> -ApplicationPoolAccount <ApplicationPoolAccount> -DatabaseName <DatabaseName>

Where:
<Name> is the name of the new Web application.
<Port> is the port on which the Web application will be created in IIS.
<HostHeader> is the host header, in the format server.domain.com. Note that the Get-Help documentation for the cmdlet states that the format for <HostHeader> is http://server.domain.com. The documentation is incorrect.
<URL> is the public (load-balanced) URL for the Web application.
<ApplicationPool> is the name of the application pool.
<ApplicationPoolAccount> is the managed account that the application pool will use. This is required if you are specifying an <ApplicationPool> that does not already exist. Use the Get-SPManagedAccount cmdlet as shown in the following example.
<DatabaseName> is the name for the first content database for the Web application.

For example, the following command creates the intranet Web application with configuration similar to the intranet that was created by using Central Administration in Module 2.
New-SPWebApplication -Name "Contoso Intranet" -Port 80 -HostHeader "intranet.contoso.com" -URL "http://intranet.contoso.com:80" -ApplicationPool "SharePoint Web Applications" -ApplicationPoolAccount (Get-SPManagedAccount "CONTOSO\SP_Service") -DatabaseName "WSS_Content_Intranet"

Create a Site Collection


The following example shows the use of the New-SPSite cmdlet to create a new site collection.
New-SPSite -Url "<URL for the new site collection>" -ContentDatabase <Content Database Name> -OwnerAlias "<domain\user>" -Template <Template>

Where:
<URL> is the URL of the site collection you want to create.
<Content Database Name> is the name of the content database within which the site collection should be created. This parameter is optional.
The -OwnerAlias parameter's <domain\user> value defines the primary site collection administrator. The -SecondaryOwnerAlias parameter is used to define the secondary site collection administrator.
<Template> specifies the site definition for the top-level site, for example, BLANKINTERNET#1, the Publishing Site, or STS#0, the Team Site.

For example, the following command creates a site collection at the root of the intranet Web application and creates a top-level site with the Publishing site definition.

Create a Content Database


The following example shows the use of the New-SPContentDatabase cmdlet to create a new content database:
New-SPContentDatabase -Name <ContentDbName> -WebApplication <WebApplicationName>

Where:
<ContentDbName> is the name of the content database to create.
<WebApplicationName> is the name of the Web application to which the new database is attached.

For example, the following command creates a content database for the Sales department's intranet site collection:
New-SPContentDatabase -Name WSS_Content_Intranet_Sales -WebApplication http://intranet.contoso.com

Create a Site Collection in a Specific Content Database


Use the -ContentDatabase parameter of the New-SPSite cmdlet to create a new site collection in a specific content database. For example, the following command creates a site collection for the Sales department's intranet site in the content database created in the previous example:
New-SPSite -Url "http://intranet.contoso.com/sites/Sales" -ContentDatabase WSS_Content_Intranet_Sales -Name "Sales" -OwnerAlias "CONTOSO\SP_Admin" -Template "STS#0"

The command also creates a top-level site in the site collection based on the Team Site site definition.

List Available Site Definitions


Type the following command for a list of available site definitions:
Get-SPWebTemplate

Create a Web Site


The following example shows the use of the New-SPWeb cmdlet to create a new Web site:
New-SPWeb <Identity> -Name <Name> -Template "STS#0"

Where:
<Identity> is the URL of the new Web site.
<Name> is the name of the Web site.
<Template> specifies the site definition for the Web site, for example, BLANKINTERNET#1, the Publishing Site, BLOG#0, the Blog Site, or STS#0, the Team Site.

For example, the following command creates a subweb for blogs beneath the Sales Web site:
New-SPWeb "http://intranet.contoso.com/sites/Sales/Blogs" -Name "Sales Blogs" -Template "BLOG#0"

Objects, Members, Properties, and Methods

As you learned in the previous lesson, Windows PowerShell returns objects, which are representations of the component itself. You can store objects returned by a cmdlet in variables for later use or pipe them to a subsequent cmdlet as input for the cmdlet. Objects have members: properties and methods. Methods are actions: things you can do with or to the object. Properties are attributes. A special kind of property is a collection, which can contain zero, one, or more items.

Discover Members (Methods and Properties)


The Get-Member cmdlet exposes the members of an object. Get-Member takes an object as input. The following commands list the methods and properties, respectively, of an object:
object | Get-Member -MemberType Methods
object | Get-Member -MemberType Properties

For example, the following command lists the properties of the Sales site collection:
Get-SPSite "http://intranet.contoso.com/sites/sales" | Get-Member -MemberType Properties

Additional Reading
Viewing Object Structure (Get-Member) at http://go.microsoft.com/fwlink/?LinkID=192738&clcid=0x409

Select, Sort, and Format Output

Write-Output
If you type the following command:
Get-SPWeb "http://intranet.contoso.com/sites/sales"

the URL of the Web site is returned. As you know, Windows PowerShell works with objects, but when a command completes (at the end of the pipeline), an implicit Write-Output cmdlet displays the default properties of the object(s) at the end of the pipeline. In the example shown, the default property is a URL, and the default display format is a table.

Select-Object (Alias: Select)


You can change what is displayed at the end of the pipeline. For example, you can use the Select-Object cmdlet, the alias of which is Select, to display specific properties.

Display All Properties of Pipeline Objects
Add Select * to the end of the pipeline. For example, the following command displays all properties of the sales Web site:
Get-SPWeb "http://intranet.contoso.com/sites/sales" | Select *

Display Specific Properties
You can limit the properties that are displayed by adding property names to the Select cmdlet. For example, the following command displays the URL and template of the sales Web site:
Get-SPWeb "http://intranet.contoso.com/sites/sales" | Select-Object URL,WebTemplate

Additional Reading
Selecting Parts of Objects (Select-Object) at http://go.microsoft.com/fwlink/?LinkID=192739&clcid=0x409.aspx

Sort-Object (Alias: Sort)


If you type the following command:
Get-SPWebApplication "http://intranet.contoso.com" | Get-SPSite -limit all | Get-SPWeb -limit all | Select-Object URL,WebTemplate

the URL and template of all Web sites in the intranet Web application are displayed. If you want to sort the results by template, you can use the Sort-Object cmdlet, the alias of which is Sort. For example, the following command displays the URL and template of all the Web sites in the intranet Web application, sorted by template name:
Get-SPWebApplication "http://intranet.contoso.com" | Get-SPSite -limit all | Get-SPWeb -limit all | Select-Object URL,WebTemplate | Sort WebTemplate

You can add the -Descending parameter to the Sort cmdlet to sort in descending order. The default is ascending order, and there is no -Ascending parameter.

Additional Reading
Sorting Objects at http://go.microsoft.com/fwlink/?LinkID=192740&clcid=0x409

Format-Table and Format-List (Aliases: ft and fl)


The format of the output of cmdlets depends somewhat on how many properties of how many objects are returned. Some of the examples shown earlier return properties as lists, and others return properties as tables. You can specify a particular display format using the Format-List (alias fl) and Format-Table (alias ft) cmdlets. For example, the following command displays the URL and template of all the Web sites in the intranet Web application, sorted by template name and formatted as a list:
Get-SPWebApplication "http://intranet.contoso.com" | Get-SPSite -limit all | Get-SPWeb -limit all | Select-Object URL,WebTemplate | Sort WebTemplate | Format-List

Note: Using Format-List (or fl) at the end of the pipeline adds an implicit Select *. All properties are returned. If you want to limit properties returned, add the properties to the Select cmdlet.

Additional Reading
Using Format Commands to Change Output View at http://go.microsoft.com/fwlink/?LinkID=192741&clcid=0x409

Other Output Formats


Windows PowerShell can save, export, and convert objects to a wide variety of formats. Some of the most useful include the following:
Comma-separated value (CSV) files
Extensible Markup Language (XML) files
The GridView

Export-CSV
To save output to a CSV file, add | Export-CSV <filename> to the end of the pipeline.

ConvertTo-XML
Add | ConvertTo-XML to the end of the pipeline to convert output to an XML object. An XML object is not immediately viewable because it is an object, not the text output of an XML file. Therefore, you must save the pipeline, and thereby save the XML file. Follow this example:
( command | ConvertTo-XML ).Save("filename")

For example, the following command creates an XML file consisting of the URL and template of all the Web sites in the intranet Web application, sorted by template name:
(Get-SPWebApplication "http://intranet.contoso.com" | Get-SPSite -limit all | Get-SPWeb -limit all | Select-Object URL,WebTemplate | Sort WebTemplate | ConvertTo-XML).Save("C:\Users\SP_Admin\Desktop\SharePointWebSiteTemplates.xml")

Out-GridView
Windows PowerShell 2.0 includes an Integrated Scripting Environment (ISE), which provides a data grid view application. You must make sure that the ISE feature is installed. The following example outputs to the data grid view application:
Get-SPWebApplication "http://intranet.contoso.com" | Get-SPSite -limit all | Get-SPWeb -limit all | Select-Object URL,WebTemplate | Sort WebTemplate | Out-GridView -Title "Web Site Templates Report"

Additional Reading
Redirecting Data with Out-* Cmdlets at http://go.microsoft.com/fwlink/?LinkID=192742&clcid=0x409

Filtering Objects

Where-Object (Aliases: Where, ?)


Sometimes, you need to work with a subset of objects. In the previous topic, for example, the Get-SPWeb cmdlet returned all Web sites. What if you wanted to return only Web sites that were based on the Blog site definition? The Where-Object cmdlet filters objects in the pipeline. Subsequent cmdlets in the pipeline operate on only the objects that made it through the filter. For example, the following retrieves the Web sites that are based on the Blog site definition, by using the WebTemplate property of the Web object:
Get-SPWebApplication "http://intranet.contoso.com" | Get-SPSite -Limit ALL | Get-SPWeb -Limit ALL | Where-Object { $_.WebTemplate -eq "BLOG"}

Notice the use of the $_ variable, which you learned in Lesson 2 represents the current object in the pipeline. The Where-Object cmdlet operates on each object in the pipeline, checking each against the filter defined by the expression, which itself is surrounded by braces. As each object in the pipeline is examined, it is represented by the $_ variable, and the object's WebTemplate property must be equal to BLOG for the object to successfully continue down the pipeline.

A limited number of cmdlets support a -Filter parameter, which uses server-side filtering. In the example shown previously, all objects are retrieved by the Get-SPWeb cmdlet, and then the Windows PowerShell client must filter the objects. You can reduce the burden on the server by using server-side filtering whenever possible. The SPWeb object can be filtered server-side for the Title and Template properties. The SPSite and SPSiteAdministration objects can be filtered server-side for Owner, SecondaryContact, and LockState. Because, in this example, you have the option of using server-side filtering, it is recommended you do so.

For example, the following retrieves the Web sites that are based on the Blog site definition by using server-side filtering of the SPWeb object:
Get-SPSite -Limit All | Get-SPWeb -Limit All -Filter {$_.Template -eq "BLOG#0"}

Operators
In the filter expressions shown earlier, you might have noticed the -eq comparison operator, which means "equals." The following operators are commonly used in expressions:

Comparison Operators
-lt. Less than
-le. Less than or equal to
-gt. Greater than
-ge. Greater than or equal to
-eq. Equal to
-ne. Not equal to
-like. Like; uses wildcards for pattern matching

Logical Operators
-and
-or

Additional Reading
Removing Objects from the Pipeline (Where-Object) at http://go.microsoft.com/fwlink/?LinkID=192743&clcid=0x409

Typical Pipeline

As objects are passed through the pipeline of a Windows PowerShell command or script, there is a common approach and order to working with those objects:
Get. Use the Get verb to retrieve objects.
Filter. Use the Where cmdlet to filter objects so that the only objects remaining in the pipeline are those with which you want to work.
Manipulate. Do something to the objects by using cmdlets appropriate to the type of objects in the pipeline.
Select. Use the Select cmdlet to select the properties of objects that you want to output.
Sort. Use the Sort cmdlet to sort the results, before output.
Output. Use the Format, Export, or Out cmdlets to produce output in the desired format. If you want to convert the pipeline object(s) to a specific format, you can use the Convert cmdlet to do so, and then use the Save method of the pipeline to save an object to a file. An example is shown earlier in which pipeline output is converted to an XML object, and then saved to an XML file.

Examine the following example:


Get-SPWebApplication "http://intranet.contoso.com" | Get-SPSite -Limit ALL | Get-SPWeb -Limit ALL | Where-Object { $_.WebTemplate -eq "BLOG"} | Select URL,Title,WebTemplate, LastItemModifiedDate, Created | Sort LastItemModifiedDate | Export-CSV desktop\StaleBlogs.csv

This command does the following:
Gets Web sites in the intranet Web application
Filters the pipeline so that only Web sites with the Blog site definition remain
Selects properties of the Web sites
Sorts the results by the date at which the last item in the Web site was modified
Exports the results to a CSV file

Variables

As you work toward reading and writing more complex scripts, you undoubtedly begin working with variables. As you learned already, all variable names are prefixed with the dollar sign ($). To assign a variable, use this syntax:
$variable = value

To return the current value of a variable, simply type the variable name and press ENTER. For example, the following command assigns the value CONTOSO\SP_Admin to the variable $username:
$username = "CONTOSO\SP_Admin"

The following command prompts you to enter the password for the account:
$password = Read-Host "Enter the password: " -AsSecureString

Windows PowerShell cmdlets that require a password do not accept plain text. Passwords must be contained in a secure string, the contents of which cannot be displayed.

Windows PowerShell also has built-in variables, including the following:
$true. Boolean true
$false. Boolean false
$error. Contains the error object of the last error

Additional Reading
Using Variables to Store Objects at http://go.microsoft.com/fwlink/?LinkID=192734&clcid=0x409

Iteration (Looping)

ForEach-Object (%, ForEach)


One of the strengths of Windows PowerShell is the ease with which you can perform an operation on multiple objects. One of the most important cmdlets for working on multiple objects is the ForEach-Object cmdlet, commonly used by its alias, ForEach, or its superabbreviated alias, %. The ForEach-Object cmdlet iterates through each object in the pipeline, performing one or more actions that are contained in a script block. The script block is enclosed in braces. For example, the following command enables the Ratings feature for all sites in the intranet Web application:
Get-SPWebApplication "http://intranet.contoso.com" | Get-SPSite | ForEach-Object { Enable-SPFeature "Ratings" -url $_.url }

Sometimes, iteration is done implicitly by a cmdlet on the receiving side of the pipeline. Earlier, you learned that the Where-Object cmdlet applies a filter to all objects in the pipeline. You also saw that each object in a collection of site collection objects retrieved by Get-SPSite was processed by Get-SPWeb, resulting in a list of all Web sites in all site collections. ForEach is helpful where a cmdlet does not do its own iteration. In the previous example, the Enable-SPFeature cmdlet does not do its own iteration.

Additional Reading
Repeating a Task for Multiple Objects (ForEach-Object) at http://go.microsoft.com/fwlink/?LinkID=192744&clcid=0x409

Iteration in Scripts

Examine the following script, which creates intranet sites for HR and Marketing in their own site collections and content databases:
$i = ("HR", "Marketing")
ForEach($url in $i)
{
    New-SPContentDatabase -Name WSS_Content_Intranet_$url -WebApplication http://intranet.contoso.com
    New-SPSite -Url http://intranet.contoso.com/sites/$url -ContentDatabase WSS_Content_Intranet_$url -OwnerAlias CONTOSO\SP_Admin -Template "STS#0"
}

This topic examines this script line by line.


$i = ("HR", "Marketing")

This line creates an array, a collection of multiple items. In this case, the items are string values. The array items are separated by commas. The parentheses around the items are optional, but make the line easier to read.
ForEach($url in $i)

This line starts the iteration. For each item in the array variable $i the script block that follows, enclosed in braces, is executed. The current object in the array during each iteration is assigned to the variable $url. During each iteration, $url contains the current item.
{

The left brace begins the script block.


New-SPContentDatabase -Name WSS_Content_Intranet_$url -WebApplication http://intranet.contoso.com

The $url variable is used to create a unique content database name for each department; it is the last component of the content database name.
New-SPSite -Url http://intranet.contoso.com/sites/$url -ContentDatabase WSS_Content_Intranet_$url -OwnerAlias CONTOSO\SP_Admin -Template "STS#0"

The $url variable is used to create a unique URL for the site collection and to assign the site collection to the content database created by the previous command.
}

The right brace ends the script block. There is a blank line at the end of the script. If you are entering the script directly in the Windows PowerShell console, you must enter a blank line to begin the execution of the script.


Local, Global, and Remote Commands

There are two categories of SharePoint cmdlets: local and global.

Local cmdlets affect something on a single SharePoint server. For example, to start a service on a server, use the Start-SPServiceInstance cmdlet. To connect a new SharePoint server to a farm, use the Connect-SPConfigurationDatabase cmdlet. To perform a command on multiple servers in a farm (for example, to start a service on multiple servers), you need to iterate through the servers in the farm.

Global cmdlets affect the farm as a whole, generally by making changes to the SQL Server database. For example, when you set the property of a Web application using Set-SPWebApplication, the property affects all servers hosting that Web application. You do not need to touch each server. Similarly, when you create a new site collection with New-SPSite, the site collection is available to all SharePoint servers.

Additional Reading
Running Remote Commands at http://go.microsoft.com/fwlink/?LinkID=192745&clcid=0x409


Windows PowerShell Scripts

Windows PowerShell scripts are text files saved with a .ps1 file name extension.

Reading and Creating Scripts


As you discover Windows PowerShell scripts that others have written, you'll find that many are not written in ways that make them easy to read or interpret. Some people make a sport out of creating one-liners, which can actually be a complex script in which each command line is separated by a semicolon (;). The semicolon is used to combine separate commands into a single line. Combining lines makes a script difficult to read. It is a best practice to keep commands on separate lines.

Some people overuse aliases, making it difficult for others to make sense of the script. This is particularly true for single- and double-character aliases such as % (ForEach-Object) and ? (Where-Object).

Executing Scripts
By default, Windows PowerShell scripts are not allowed to run. This is done to prevent malicious scripts from damaging your environment. The Windows PowerShell ExecutionPolicy determines which scripts are allowed to run. The default ExecutionPolicy is Restricted.

To Allow All Windows PowerShell Scripts to Execute
You can remove all restrictions by setting ExecutionPolicy to Unrestricted. Type Set-ExecutionPolicy Unrestricted, and then press ENTER.

There are, of course, significant security risks in doing so. However, in a test environment, you may decide that such risks are acceptable. You can also configure Windows PowerShell to allow the execution of scripts with specific characteristics, including scripts signed with a trusted digital signature. In a production environment, you should sign scripts. Code signing is beyond the scope of this course, but you can learn more in the resources listed in the Additional Reading section.
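The stricter alternative to Unrestricted mentioned above, as an added example that is not part of the course text: it reviews the execution policy, requires signed scripts, signs a script, and shows that a later modification invalidates the signature. The script path C:\Scripts\New-IntranetSites.ps1 is hypothetical, and the example assumes a code-signing certificate that this computer trusts is already installed in the current user's Personal store.

```powershell
# Added example, not from the course text.
# Assumptions: C:\Scripts\New-IntranetSites.ps1 is a hypothetical script, and a
# trusted code-signing certificate already exists in Cert:\CurrentUser\My.

# 1. Review the effective policy and the policy configured at each scope.
Get-ExecutionPolicy
Get-ExecutionPolicy -List

# 2. Weak setting from the text: every script runs, signed or not.
#    Set-ExecutionPolicy Unrestricted
#    Stricter setting: only scripts signed by a trusted publisher run.
#    (RemoteSigned is the middle ground: only scripts downloaded from the
#    Internet must be signed.) Changing the LocalMachine scope requires an
#    elevated Windows PowerShell session.
Set-ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 3. Select an unexpired code-signing certificate.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No unexpired code-signing certificate found in Cert:\CurrentUser\My."
}

# 4. Sign the script. The signature is appended to the file as a comment block.
$scriptPath = 'C:\Scripts\New-IntranetSites.ps1'
$signResult = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert
if ($signResult.Status -ne 'Valid') {
    throw "Signing failed: $($signResult.StatusMessage)"
}

# 5. Verify before deployment. Status is Valid only if the file is unchanged
#    since signing and the certificate chains to a trusted root.
Get-AuthenticodeSignature -FilePath $scriptPath |
    Format-List Path, Status, StatusMessage, SignerCertificate

# 6. Show what the signature protects against: change one line in a copy of the
#    signed script and check it again. The status becomes HashMismatch, and
#    under AllSigned Windows PowerShell refuses to run the modified copy.
$tamperedCopy = Join-Path $env:TEMP 'New-IntranetSites-modified.ps1'
Copy-Item -Path $scriptPath -Destination $tamperedCopy -Force
Add-Content -Path $tamperedCopy -Value '# line added after signing'
(Get-AuthenticodeSignature -FilePath $tamperedCopy).Status
Remove-Item -Path $tamperedCopy
```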

Scheduling Windows PowerShell Scripts


You can use Task Scheduler to schedule a Windows PowerShell script. This topic is revisited in Module 13, Implementing Business Continuity, to schedule SharePoint backup operations. Of course, the scripts run only if the execution policy allows.

Additional Reading
Running Windows PowerShell Scripts at http://go.microsoft.com/fwlink/?LinkID=192746&clcid=0x409
Stop Malicious Code in Windows PowerShell with Execution Policies at http://go.microsoft.com/fwlink/?LinkID=192747&clcid=0x409
Using Windows PowerShell to Sign Scripts with Digital Certificates at http://go.microsoft.com/fwlink/?LinkID=192748&clcid=0x409


Lab: Automating SharePoint with Windows PowerShell

You are responsible for ensuring that the SharePoint farm can be built consistently in both lab and production environments, and that the farm can be rebuilt in the event of a catastrophic failure. Additionally, you are required to produce weekly reports showing the webs and storage utilization of each site collection in the production farm. To meet these goals, you must build Windows PowerShell scripts that can automate SharePoint management tasks.

Start the virtual machines.


1. Start 10174A-CONTOSO-DC-C.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-C.


Exercise 1: Adding SharePoint Functionality to Windows PowerShell


Scenario
To automate SharePoint management, you must use Windows PowerShell. But Windows PowerShell does not load SharePoint .dll files or snap-ins by default. In this exercise, you learn several ways to add SharePoint management functionality to Windows PowerShell.

The main tasks for this exercise are as follows:
1. Load SharePoint .dll files using .NET reflection.
2. Add the SharePoint snap-in using the Add-PSSnapin cmdlet.
3. Open the SharePoint 2010 Management Shell.

Task 1: Load SharePoint .dll files using .NET reflection.


Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password Pa$$w0rd.
In the Windows Quick Launch, click Windows PowerShell.
To identify the assemblies that are currently loaded, type the following command and then press ENTER:
[AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object { Split-Path $_.Location -Leaf } | Sort

Microsoft.SharePoint.dll is not in the list. To use the SharePoint object model, you must load the SharePoint .dll files.
Type the following command and then press ENTER:
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

The output displays GAC, version, and location information for the assembly.
Repeat the third bullet point in this task to display the loaded assemblies. Tip: You can press the UP key to scroll through previously executed commands.
The listing includes the Microsoft.SharePoint.dll.

Task 2: Add the SharePoint snap-in using the Add-PSSnapin cmdlet.


Type the following command and then press ENTER:
Get-PSSnapin

The output lists the snap-ins that have been added to the current session. The SharePoint snap-in is not listed.
Type the following command and then press ENTER:
Get-PSSnapin -Registered

The output lists the snap-ins that are registered on the system, except for those that are installed with Windows PowerShell.
Type the following command and then press ENTER:
Add-PSSnapin Microsoft.SharePoint.PowerShell

Type the following command and then press ENTER:
Get-PSSnapin

The output lists the snap-ins that have been added to the current session. The SharePoint snap-in is now added.


To identify the assemblies that are currently loaded, type the following command and then press ENTER:
[AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object { Split-Path $_.Location -Leaf } | Sort

The listing includes numerous SharePoint assemblies. Rather than loading each assembly one by one, use the Add-PSSnapin cmdlet to load them all at once.
Close Windows PowerShell.

Task 3: Open SharePoint 2010 Management Shell.


Click Start, click All Programs, click Microsoft SharePoint 2010 Products, and then click SharePoint 2010 Management Shell.
Type the following command and press ENTER:
Get-PSSnapin

The output lists the snap-ins that have been added to the current session. The SharePoint snap-in is already added to the session.
To identify the assemblies that are currently loaded, type the following command and press ENTER:
[AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object { Split-Path $_.Location -Leaf } | Sort

The listing demonstrates that SharePoint 2010 Management Shell preloads the SharePoint .dll files.

Results: After this exercise, you will have learned how to run Windows PowerShell with the ability to administer SharePoint.


Exercise 2: Delegating the Ability to Use Windows PowerShell to Manage SharePoint


You have been asked to report the storage utilization of SharePoint site collections. In this exercise, you discover that, without a delegation, you cannot use Windows PowerShell to manage SharePoint. You perform the appropriate delegation, and then, in the next exercise, you continue with the task of producing reports of SharePoint storage utilization.

The main tasks for this exercise are as follows:
1. Attempt to use Windows PowerShell to enumerate webs.
2. Configure least privilege rights to manage SharePoint with Windows PowerShell.

Task 1: Attempt to use Windows PowerShell to enumerate webs.


In SharePoint 2010 Management Shell, type the following command and then press ENTER:
$spsite = Get-SPSite "http://intranet.contoso.com"

To enumerate all of the webs in the site collection, type the following command and press ENTER:
$spsite | Get-SPWeb

An error appears indicating that login failed. The SP_Admin user account does not have the permissions required to access the information about the intranet site collection with Windows PowerShell.

Task 2: Configure least privilege rights to manage SharePoint with Windows PowerShell.

Start SharePoint 2010 Management Shell using the Run as different user option. Enter the user name, CONTOSO\Administrator, and the password, Pa$$w0rd.
Type the following commands each followed by ENTER:
$spcdb = Get-SPContentDatabase WSS_Content_Intranet
Add-SPShellAdmin -UserName CONTOSO\SP_Admin -Database $spcdb

Close Administrator SharePoint 2010 Management Shell.

Results: After this exercise, you will have delegated SP_Admin the ability to manage SharePoint with Windows PowerShell.
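A way to review the delegation made in Task 2, as an added example that is not part of the lab: it lists which accounts hold Windows PowerShell access on the farm and on each content database, and shows how to withdraw the lab's delegation. It uses the Get-SPShellAdmin and Remove-SPShellAdmin cmdlets and must be run by an account that already has shell access to the databases being checked.

```powershell
# Added example, not part of the lab.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Accounts delegated on the farm configuration database (no -Database given).
$farmAdmins = Get-SPShellAdmin | ForEach-Object {
    New-Object PSObject -Property @{
        Scope    = 'Farm configuration database'
        UserName = $_.UserName
    }
}

# Accounts delegated on each content database. Add-SPShellAdmin grants access
# per database, so a least-privilege review has to check every one of them.
$contentAdmins = foreach ($db in Get-SPContentDatabase) {
    foreach ($admin in Get-SPShellAdmin -Database $db) {
        New-Object PSObject -Property @{
            Scope    = $db.Name
            UserName = $admin.UserName
        }
    }
}

# One table: who can manage what with Windows PowerShell.
@($farmAdmins) + @($contentAdmins) |
    Sort-Object Scope, UserName |
    Format-Table Scope, UserName -AutoSize

# Databases where the lab account CONTOSO\SP_Admin holds shell access.
# After Task 2 this should list WSS_Content_Intranet and nothing broader.
$contentAdmins |
    Where-Object { $_.UserName -eq 'CONTOSO\SP_Admin' } |
    Select-Object -ExpandProperty Scope

# Withdraw the delegation when it is no longer needed. -Confirm prompts
# before the change is made.
$spcdb = Get-SPContentDatabase WSS_Content_Intranet
Remove-SPShellAdmin -UserName CONTOSO\SP_Admin -Database $spcdb -Confirm
```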


Exercise 3: Reporting Web and Site Collection Properties


You have been asked to produce a weekly report of the webs and storage utilization of SharePoint site collections. In this exercise, you use Windows PowerShell to list all the webs in a site collection and to produce reports of site collection properties.

The main tasks for this exercise are as follows:
1. Use Windows PowerShell to report web properties.
2. Attempt to use the grid-view to report site collection properties.
3. Install the Windows PowerShell Integrated Scripting Environment.
4. Use the grid-view to report site collection properties.

Task 1: Use Windows PowerShell to report Web properties.


Switch to SharePoint 2010 Management Shell.
List all of the sites in the site collection, http://intranet.contoso.com. Include the LastItemModifiedDate, URL, and Created properties, and sort the results by Created.
Tip: You need to use the Get-SPSite, Get-SPWeb, and Select cmdlets.

Task 2: Attempt to use the Grid-View to report site collection properties.


To enumerate all of the site collections in the farm, except Central Administration, type the following command and then press ENTER:
Get-SPSite

Type the following command and then press ENTER:


Get-SPSite | Select URL, @{Name="Storage"; Expression={"{0:N2} MB" -f ($_.Usage.Storage/1000000)}}, @{Name="Quota"; Expression={"{0:N2} MB" -f ($_.Quota.StorageMaximumLevel/1000000)} }

The listing displays various properties of each site collection. Type the following command and then press ENTER:
Get-SPSite | Select URL, @{Name="Storage"; Expression={"{0:N2} MB" -f ($_.Usage.Storage/1000000)}}, @{Name="Quota"; Expression={"{0:N2} MB" -f ($_.Quota.StorageMaximumLevel/1000000)} } | Out-GridView -Title "Sites with Usage"

An error indicates that the Windows PowerShell Integrated Scripting Environment feature is not installed.

Task 3: Install the Windows PowerShell Integrated Scripting Environment.


Type the following two commands each followed by ENTER:
Import-Module ServerManager
Add-WindowsFeature PowerShell-ISE

An error indicates that you must run the command with elevated permissions.
Start Windows PowerShell using the Run as administrator option.
Type the following two commands each followed by ENTER:
Import-Module ServerManager
Add-WindowsFeature PowerShell-ISE

Close Administrator: Windows PowerShell.


Task 4: Use the Grid-View to report site collection properties.


In SharePoint 2010 Management Shell, press the UP arrow several times until you see the command you typed in Task 2, and then press ENTER to rerun the command.
Get-SPSite | Select URL, @{Name="Storage"; Expression={"{0:N2} MB" -f ($_.Usage.Storage/1000000)}}, @{Name="Quota"; Expression={"{0:N2} MB" -f ($_.Quota.StorageMaximumLevel/1000000)} } | Out-GridView -Title "Sites with Usage"

An error indicates that the Windows PowerShell Integrated Scripting Environment feature is not installed. This occurs because you must close and reopen SharePoint 2010 Management Shell to load the component.
Close SharePoint 2010 Management Shell.
Open SharePoint 2010 Management Shell.
Type the following command and then press ENTER, which is the same as the command you executed in the beginning of this task:
Get-SPSite | Select URL, @{Name="Storage"; Expression={"{0:N2} MB" -f ($_.Usage.Storage/1000000)}}, @{Name="Quota"; Expression={"{0:N2} MB" -f ($_.Quota.StorageMaximumLevel/1000000)} } | Out-GridView -Title "Sites with Usage"

A Grid-View window appears displaying the output of the command.
Close the Sites With Usage window.

Results: After this exercise, you will have used Windows PowerShell to produce reports of your SharePoint environment.


Exercise 4: Creating Site Collections Using Windows PowerShell


You have been asked to create sites on the intranet for Sales, Marketing, and HR. To create the site collections and webs consistently in both the lab and production environments, you must create Windows PowerShell scripts to create the new sites.

The main tasks for this exercise are as follows:
1. Create a single site collection using Windows PowerShell.
2. Create multiple site collections using Windows PowerShell.

Task 1: Create a single site collection using Windows PowerShell.


In SharePoint 2010 Management Shell, type the following commands:
New-SPContentDatabase -Name WSS_Content_Intranet_Sales -WebApplication http://intranet.contoso.com
$spsite = New-SPSite -Url "http://intranet.contoso.com/sites/Sales" -ContentDatabase WSS_Content_Intranet_Sales -OwnerAlias CONTOSO\SP_Admin -Template "STS#0"

A site collection and top-level web for the Sales department is created using the Team Site site definition.
Open the Sales site with Windows Internet Explorer.

Task 2: Create multiple site collections using Windows PowerShell.


In SharePoint 2010 Management Shell, create a script with a loop that creates two new sites called HR and Marketing.
Tip: Refer to the commands from the previous task and the following example of a loop.
$i = ("A", "B")
foreach($s in $i)
{
    Write-Host $s
}

To enumerate all of the site collections in the farm, except Central Administration, type the following command and then press ENTER:
Get-SPSite

The output lists the new site collections.

Results: After this exercise, you will have used Windows PowerShell cmdlets and scripts to create new content databases, site collections, and sites.


Exercise 5: Creating and Updating Items


You want to modify the default announcement that is created on a new team site when you provision a new site with your Windows PowerShell scripts.

The main task for this exercise is as follows:
1. Modify a list item using Windows PowerShell.

Task 1: Modify a list item using Windows PowerShell.


Open your newly created Sales site.
Open the Announcements list, and then observe the title of the only item in the list.
In SharePoint 2010 Management Shell, type the following commands:
$gc = Start-SPAssignment
$spsite = $gc | Get-SPSite "http://intranet.contoso.com/sites/Sales"
$splist = $spsite.rootweb.lists["Announcements"]
$splistitem = $splist.items[0]
$splistitem["Title"] = "Our SharePoint 2010 Sales site is now live!"
$splistitem.update()
$gc | Stop-SPAssignment

The list item will be updated. Notice that you did not use a cmdlet to update a list item. Some tasks require direct access to the object model and, when you use it, you need to be careful to dispose of the objects you create.
Switch to Internet Explorer, refresh the Announcements list, and then observe that the title of the list item has been updated.
Close all Internet Explorer and Windows PowerShell windows.

Results: After this exercise, you will have updated a list item using a Windows PowerShell script.

To prepare for the next module.


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
On the host computer, start Microsoft Hyper-V Manager.
Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. What are the advantages of using Windows PowerShell to manage SharePoint?
2. In what scenarios would it be preferable to use Stsadm instead of Windows PowerShell cmdlets to manage SharePoint?
3. By default, who can use Windows PowerShell to manage SharePoint?


Module 4
Configuring Content Management
Contents:
Lesson 1: Optimizing Content Storage and Access
Lab A: Configuring List Throttling and Remote BLOB Storage
Lesson 2: Managing Site Content Types and Site Columns
Lesson 3: Configuring the Managed Metadata Service
Lab B: Configuring Managed Metadata


Module Overview

As you learned in Module 1, "Introducing SharePoint 2010," one of the six capabilities of Microsoft SharePoint 2010 is content. After you have built your SharePoint farm and the logical components of SharePoint (Web applications, site collections, sites, lists, and libraries), your users will begin to populate SharePoint with content. Although many content management features of SharePoint 2010 are considered end-user features, and are therefore out of scope for this course, several features warrant coverage because they require configuration by farm, service application, and site collection administrators: list throttling, remote binary large object (BLOB) storage (RBS), site content types and columns, and managed metadata service applications.

Objectives
After completing this module, you will be able to:
Configure SharePoint and SQL Server to ensure optimal content access deployment.
Create content types and site columns to describe your content.
Set up the managed metadata service application to tag and classify content.


Lesson 1

Optimizing Content Storage and Access

In this lesson, you explore the administrative tasks related to lists and libraries, the two most important containers for content in sites. You then learn about two important new features of SharePoint Server 2010 with which you can better manage and govern both the performance and storage of SharePoint content: list throttling and RBS.

After completing this lesson, you will be able to:
Describe the content structure in a site collection.
Configure and optimize the performance of large lists.
Configure and manage storage of document libraries.


Lists and Libraries

In Module 2, "Creating a SharePoint 2010 Intranet," you examined a diagram of the logical hierarchy of SharePoint. A piece of that diagram, shown in the slide, illustrates the hierarchical structure of content-related objects in a SharePoint farm:
In a site collection, content is collected into lists and document libraries, also called, simply, libraries.
Lists are collections of items, which can optionally be grouped in folders.
Libraries are a specialized form of list designed to hold files, called documents, which can also be grouped in folders.

Create a List or Library


The steps to create a list or library are straightforward and well documented. But it is important that you create a document library or list that is easy to find, with a user-friendly URL, and navigation hooks so that users can quickly browse to locate the list or library.

1. Determine an easy, user-friendly URL. Users read and sometimes type the URL to a list or library, so it should be easy to read, remember, and type. Use the following best practices when determining the URL for a list or library:
   Use a consistent style of capitalization, such as MixedCase. Although Internet Information Services (IIS) Web site addresses are not case sensitive, thoughtful use of capitalization can create a consistent environment and can facilitate readability. Some organizations use a standard of all-lowercase URLs; however, mixed-case URLs, such as HumanResources, are more popular because they provide readability for multiword URLs.
   Keep URLs short. A shorter URL is easier to remember and type. Additionally, remember that URLs are limited in length, to 260 characters, so short URLs reduce the risk of overrunning that limit for content nested in this list or library.
   Avoid spaces. Spaces in URLs are escaped by browsers and become %20, for example, http://intranet.contoso.com/Shared%20Documents. The escaped space is difficult to read and interpret and can be problematic in certain access scenarios. Avoid spaces in your URLs.

2. When creating the list or library, configure the Name field to be the URL. When you create a list or library in the user interface, you are prompted to enter a value for the Name. Unfortunately, the value you enter in the Name box is used to create the Title and the URL of the list or library. If you use bad practices (for example, if you include a space in the Name), the space becomes part of the URL. The URL is somewhat challenging to change after it has been created; you must use Windows PowerShell or SharePoint Designer to change it. The name can easily be changed. Therefore, follow these steps when creating a list or library:
   1. Configure the Name so that the result is a URL that follows the rules discussed previously.
   2. Do not add the list or library to the Quick Launch when creating the list or library.

3. After creating the list or library, change the Title. Immediately after creating the list or library, navigate to the List Settings or Library Settings page and click Title, Description And Navigation. Enter a value for the Name. In this interface, the name is used only for the list or library Title property, not for the URL. Therefore, you can use any name, including a long name with spaces, and thereby configure navigation controls such as the Quick Launch and navigation breadcrumb to display a more descriptive, viewer-friendly name.

4. Configure list and library settings. When you create a list or library, you should consider the following:
   Enforce check-out. For document libraries, it is highly recommended to enforce check-out if users have the ability to modify documents in the library. Click the Versioning link on the Library Settings page.
   Consider versioning and approval. Consider implementing versioning and approval based on the business requirements for the list or library. Click the Versioning link on the Library Settings page.
   Add columns. To modify the metadata of a list or library, add list columns. First, check to see whether an existing site column meets your needs and, if so, add the site column to the list. Otherwise, create a new column.

Manage Navigation to Lists and Libraries


Users can type the URL to a list or library to navigate to it, but as the administrator of a SharePoint environment, you should ensure that there are easier options for users to navigate to commonly used lists, libraries, and sites.

Deploy Favorites Using Group Policy Preferences


Users can navigate to a site, list, or library by using Windows Internet Explorer. Of course, a user can add the location as a Favorite manually. But you can also deploy, or push, Favorites into users' Internet Explorer Favorites. Use Group Policy Preferences to deploy Favorites. Group Policy Preferences is a component of Group Policy, and therefore of Active Directory Domain Services (AD DS). The details of how to configure preferences are beyond the scope of this course, but you can find information in the resources listed under Additional Reading. The following graphic shows a Group Policy shortcut properties setting that is configured to create a link to the SpecialProjects document library on the consulting site:


The configuration elements of the properties are the following:
Action: The Update action creates a Favorite if one does not exist and updates the Favorite if it has changed.
Name: The Name is the user-friendly name of the Favorite, as it will appear in the user's Favorites folder. Using the foldername\Favorites Name format creates a folder in the Favorites folder. In the preceding figure, a folder named SharePoint Sites is created or updated with a Favorite called Consulting Special Projects.
Target Type: This is URL.
Location: Explorer Favorites.
Target URL: The URL for the SharePoint content.

Additional Reading
Deploying Shortcuts and Favorites to SharePoint Sites at http://go.microsoft.com/fwlink/?LinkID=197205&clcid=0x409

Deploy Network Locations for Quick Access to SharePoint Sites Using Windows Explorer

Users don't always access SharePoint libraries by using Internet Explorer. They also navigate to libraries when opening and saving documents from Microsoft Office client applications and other SharePoint-aware applications. You should make it easier for users to navigate to commonly used libraries when they are using Windows Explorer interfaces, including Open and Save dialogs. The Windows Vista operating system and later clients provide such functionality using network locations. A network location is a node in the Windows Explorer interface that behaves like a mapped drive but that has a name rather than a drive letter. To create a network location, complete the following steps:
1. Open the Computer folder.
2. Right-click in a blank area of the window, and then click Add a Network Location.
3. Complete the wizard by providing a path to the library and a user-friendly name for the network location.


After you create a network location, you can navigate to the library from the Computer folder. The network location appears in the Network Locations folder. In the Open and Save dialogs, click Computer in the Favorite Links bar.

It is easy to deploy network locations to users as long as you know that a network location is a collection of objects in a folder in the following path: %appdata%\Microsoft\Windows\Network Shortcuts, for example, c:\users\username\AppData\Roaming\Microsoft\Windows\Network Shortcuts. You can copy network locations that you have created to a shared folder on the network, and then copy the network locations to the Network Shortcuts folders of other users' profiles. You can use Robocopy.exe in a logon script, for example, to update users' Network Shortcuts folders.

The Windows XP operating system provides identical functionality using network places. Network places are created in the Network Places folder, instead of the Computer folder. They are stored in %userprofile%\NetHood. You can copy network places created on one Windows XP system into the NetHood folder of other Windows XP user profiles. Unfortunately, you cannot copy Windows XP network places to a client running Windows Vista or later operating system, and you cannot copy network places to a Windows XP client.


What Is New in Lists and Libraries?

SharePoint 2010 lists expose important functionality that was not available in previous versions of SharePoint:

Large lists. SharePoint 2010 lists are supported for up to 50 million items. This is possible because of performance enhancements and new features such as multicolumn lists.

Multicolumn indexes. You can create an index that contains more than one column.

List relationships. SharePoint 2010 lists support relationships. Related lists can enforce referential integrity, both cascade delete and prevent delete. For example, if you have a list of customers that is related to a list of orders, you can configure SharePoint so that you cannot delete a customer for whom orders exist (prevent delete) or so that when you delete a customer, related orders are deleted (cascade delete). Related lists also support projected fields. These are fields from the parent list that can be shown on the child list. For example, an order item that is related to a customer item can display the customer's name, address, email address, and telephone number.

Data validation. You can perform simple data validation in an out-of-box SharePoint list. A list column can have data validation, which ensures that a column's value meets specified rules. A list can also have unique columns, which ensures that no two items have the same value in the columns. For example, you can set the email address column of a contacts list to be unique so that no two contacts are created with identical email addresses.

Document sets. A Document set is a collection of documents with its own metadata and versions. With Document sets, you can manage an entire collection of documents, worksheets, presentations, or other types of document content as an entire end-to-end work product. Metadata is applied to each document in a Document set, and additional metadata is applied to the Document set as a whole. For documents inside of a Document set, administrators can select columns that they want marked as read-only. The property can be edited only on the Document set. Any changes to the column that are marked as read-only are applied to all of the documents inside. A Document set includes a Welcome page that acts as a customizable home page for the Document set, displaying the properties of the Document set. Document sets support templates and versioning. You can create templates in Microsoft Visual Studio 2010. Versioning makes it possible to capture the state of the Document set at different points in its life cycle, view its history, and restore previous versions of the Document set.

Content organizer. The content organizer uses an advanced routing engine and administrator-defined routing rules to route documents from a drop library to a specific location, based on document metadata, and can apply metadata automatically to a document based on its location.

Digital asset management. SharePoint lists now provide capabilities for managing audio, video, and image content types.

Document IDs. The Document ID service is a new feature at the site-collection level that adds a unique identifier (ID) to all documents throughout the site collection. This feature enables retrieval of documents by document ID regardless of their current or future location.

Location-based metadata defaults. Library administrators can specify different default column values for each folder in a document library.

Metadata navigation and filtering. Metadata navigation creates a folder hierarchy based on metadata. Each folder is effectively a filter. This provides a dynamic and effective way for users to discover documents. Filtering produces a multiselect list of filters based on metadata values that allow users to filter a view further.

Additional Reading
What's New: List Enhancements at http://go.microsoft.com/fwlink/?LinkID=197206&clcid=0x409


Large Lists

SharePoint 2010 can handle tens of millions of items in a list or library. However, operations involving large numbers of items can reduce performance, limit access to data, and cause timeouts. Examples of such operations include the following:

• Query with no item limit
• Query with a filter or sort on a column that is not indexed
• Deleting large lists or sites with large lists
• Adding a column to a large list

SharePoint 2010 introduces large list throttling, which protects a SharePoint farm and users accessing the farm from the effects of large operations by other users.

Configuring List Throttling


To configure list throttling, complete the following steps:

1. In Central Administration, in the Application Management section, click Manage web applications. The Web Applications Management page opens.
2. Click the Web application for which you want to configure list throttling.
3. On the ribbon, click the General Settings drop-down arrow, and then click Resource Throttling. The Resource Throttling page opens.

It is important to understand the following points about list throttling:

• List throttling is enabled and configured per Web application in Central Administration.
• If list throttling is enabled at the Web application level, you can enable or disable throttling per list through the object model. Lists and libraries have an EnableThrottling property.
• List throttling is configured separately for what is done in the user interface versus what is done using the object model.
• List throttling is applied differently depending on whether the user is a typical user or a super user.

List Throttling Settings


The following graphic shows the list throttling settings on the Resource Throttling page.

The most commonly configured settings are as follows:

• List View Threshold. This value configures the maximum number of items that can be queried by standard users. The default is 5,000 items. It is strongly recommended that you do not change this default. If poor-performing queries are used on lists with more than 5,000 items, overall throughput may significantly decrease when raising this limit.
• Object Model Override. You can apply a second level of throttling to super users. The override allows a super user to retrieve a larger number of items. To configure super user override, you must configure both of the following:
    • List View Threshold For Auditors And Administrators. This value configures the maximum number of items that can be queried by super users. The default is 20,000 items.
    • Object Model Override. This option specifies that the list view threshold for auditors and administrators is in effect.
  Super user override does not allow large list views; access must be through the object model. Developers can set the QueryThrottleMode property of SPQuery and SPSiteDataQuery objects to retrieve up to the number of items specified in the list view threshold for auditors and administrators.
• Daily Time Window For Large Queries. You can specify a period of time during which large queries can be executed. You should ensure that the time window is configured to minimize the risk of affecting users based on your usage patterns.

There are exemptions to list throttling in the following two scenarios:


• If the user is a member of the Administrators group of the Web front end (WFE) with Read permissions, all items are returned.
• If the EnableThrottling property of the SPList object is set to false, all items are returned. You can do this using the object model, including by using Windows PowerShell. Doing so allows you to set list throttling settings for a Web application, and then exempt specific large lists and libraries from throttling.

Several other list throttling settings are available on the Resource Throttling page.

• Warning level for administrators. This value configures the warning level shown on the List Settings page. The default value is 3,000. You can configure the warning level by using Windows PowerShell, as in the following example:

    $sitecol = Get-SPSite http://intranet.contoso.com/sites/IT
    $sitecol.WebApplication.MaxItemsPerThrottledOperationWarningLevel = 2500
    # Persist the changed setting to the farm configuration
    $sitecol.WebApplication.Update()
    $sitecol.Dispose()

• List View Lookup Threshold. This value, 6 by default, specifies the number of Lookup, Person/Group, or Workflow Status fields that a database query can involve at one time.
• List Unique Permissions. If a list contains too many unique permissions, the system can experience performance degradation. The default value for this setting is 50,000. As the number of unique permissions in a list increases, performance degrades. Reconsider any design in which all or most content in a large list must be uniquely secured. The throughput difference for operations on a list between 0 and 1,000 unique permissions is around 20 percent. There is a configurable default of 50,000 unique permissions per list; however, Microsoft recommends that you consider lowering this limit to 5,000, and for large lists consider using a design that uses as few unique permissions as possible. This aids not only performance but also manageability.

If you are upgrading to SharePoint 2010, and you have a list in SharePoint 2007 that has a default view with a number of items greater than 5,000, after upgrade the large list will not be available until a new default view is created that returns a number of items lower than the threshold. Another upgrade consideration is related to code that returns large numbers of items. Developers should update their code to account for list throttling. The EnableThrottling property on the list and the RequestThrottleOverride on the query must be specified. Developers can find more information about list throttling on MSDN.
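
The following Windows PowerShell audit is an added example, not part of the course material. It reports the throttling settings described above for one Web application and lists every list that is exempt from throttling (EnableThrottling set to false) or that already holds more items than the List View Threshold. The Web application URL is the course's intranet address, used here as an assumption; the property names are those of the SharePoint 2010 object model (SPWebApplication and SPList).

```powershell
# Added example (not course code): audit list throttling for one Web application.
# Run in SharePoint 2010 Management Shell with rights to read every site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://intranet.contoso.com"   # assumption: the course's intranet Web application
$wa = Get-SPWebApplication $webAppUrl

# 1. Web-application-level values from the Resource Throttling page.
$settings = New-Object PSObject -Property @{
    ListViewThreshold             = $wa.MaxItemsPerThrottledOperation
    ThresholdForAuditorsAndAdmins = $wa.MaxItemsPerThrottledOperationOverride
    WarningLevel                  = $wa.MaxItemsPerThrottledOperationWarningLevel
    ObjectModelOverrideAllowed    = $wa.AllowOMCodeOverrideThrottleSettings
    ListViewLookupThreshold       = $wa.MaxQueryLookupFields
    UniquePermissionsPerList      = $wa.MaxUniquePermScopesPerList
    DailyTimeWindowEnabled        = $wa.UnthrottledPrivilegedOperationWindowEnabled
}
$settings | Format-List

# 2. Per-list findings: exemptions and lists that are already over the threshold.
$threshold = $wa.MaxItemsPerThrottledOperation
$findings = @()

foreach ($site in @(Get-SPSite -WebApplication $wa -Limit All)) {
    try {
        foreach ($web in $site.AllWebs) {
            try {
                foreach ($list in $web.Lists) {
                    $exempt        = -not $list.EnableThrottling
                    $overThreshold = $list.ItemCount -gt $threshold
                    if ($exempt -or $overThreshold) {
                        $findings += New-Object PSObject -Property @{
                            Web            = $web.Url
                            List           = $list.Title
                            ItemCount      = $list.ItemCount
                            ThrottlingOn   = $list.EnableThrottling
                            OverThreshold  = $overThreshold
                            Hidden         = $list.Hidden
                        }
                    }
                }
            }
            finally { $web.Dispose() }    # SPWeb objects from AllWebs must be disposed
        }
    }
    finally { $site.Dispose() }
}

# Exempt lists first, then largest first.
$findings |
    Sort-Object ThrottlingOn, @{ Expression = "ItemCount"; Descending = $true } |
    Format-Table Web, List, ItemCount, ThrottlingOn, OverThreshold, Hidden -AutoSize

"{0} list(s) exempt from throttling, {1} list(s) above the threshold of {2} items." -f `
    @($findings | Where-Object { -not $_.ThrottlingOn }).Count,
    @($findings | Where-Object { $_.OverThreshold }).Count,
    $threshold
```

Every exempt list in the output is one that any query can read in full regardless of the Web application settings, so each should correspond to a documented decision.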

Additional Reading
Designing Large Lists and Maximizing List Performance at http://go.microsoft.com/fwlink/?LinkID=197207&clcid=0x409


Remote BLOB Storage

Binary large objects (BLOBs) are used to store large binary data such as documents and media. By default, BLOBs are stored in the Microsoft SQL Server content database. With Remote BLOB Storage, you can move storage of BLOBs to a different data store.

BLOBs
BLOBs are fields that contain binary data. Following are examples of BLOBs:

• Unstructured data with no schema, such as encrypted data
• Large amounts of binary data with simple schema, such as a document or digital asset

SQL Server stores BLOB data in databases by default. But as BLOB data expands, it consumes server storage. Additionally, BLOBs use server resources, for example, cache, that are optimized for database access patterns, not for storing large files. Therefore, performance can be degraded.

Remote BLOB Storage


Remote BLOB Storage (RBS) moves the storage of BLOBs to commodity storage solutions that can be less expensive and that are configured to handle simple storage. The benefits of RBS include the following:

• Database server resources, for example, cache, are freed for database operations.
• Integration with third-party technologies and data stores.

RBS is a library application programming interface (API) that is integrated into SQL Server 2008. RBS works on a provider model. An RBS provider connects SQL Server and the RBS APIs of the BLOB store. RBS ships with the RBS FILESTREAM provider. Therefore, you can immediately start to use the RBS FILESTREAM provider to move BLOBs from the database to a folder on a local NTFS volume.

RBS and SharePoint 2010


SharePoint 2010 supports the RBS FILESTREAM provider with the following constraints:

• Local hard disks only. SharePoint does not support RBS remote storage, such as network attached storage (NAS).
• Content databases only. Other databases cannot use RBS.
• No encryption. BLOBs are not encrypted by the RBS FILESTREAM provider, although you can use the Encrypting File System (EFS).
• SQL Server versions. SharePoint 2010 supports RBS on SQL Server 2008 with Service Pack 1 (SP1) and Cumulative Update 2 or SQL Server 2008 R2.
• RBS version. You must use the version of RBS that is included with the SQL Server Remote BLOB Store installation package from the Feature Pack for Microsoft SQL Server R2.

SharePoint also supports third-party RBS providers. You can add features such as storage on remote hard disks and encryption by implementing a third-party RBS provider. For full details of a provider's functionality, contact the provider's manufacturer before purchasing and installing their provider.

Additional Reading
Overview of RBS (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197208&clcid=0x409

Guidance: Should I Use RBS?


When you determine whether RBS is appropriate for a particular content database, you should balance considerations of storage, performance, and manageability. You should evaluate the following three questions:

• What kind of content is being accessed? RBS is likely to be beneficial for large content databases, for example, when BLOBs average greater than 256 kilobytes (KB), such as with digital media. Smaller BLOBs, such as those greater than 80 KB, may benefit from RBS if monitoring suggests that the database server is a bottleneck.
• How is content being accessed? RBS is well suited for BLOBs that are less frequently or infrequently accessed, such as document archives. Frequent access to many small files in a library can lead to increased latency if RBS is in place.
• What are the characteristics of the RBS provider? You should familiarize yourself with both the performance and management features of an RBS provider. For example, the FILESTREAM provider is a simple provider that effectively moves BLOB storage out of the database to a local folder on the computer running SQL Server; however, it is not a high-performance provider. Therefore, it is well suited for infrequently accessed content, such as archives, but would not be well suited for use in a high-activity environment.

Additional Reading
FILESTREAM Storage in SQL Server 2008 at http://go.microsoft.com/fwlink/?LinkID=197209&clcid=0x409


Configure RBS for SharePoint 2010

Configuring RBS for SharePoint 2010 is a multistep process. In this topic, each step is detailed. To perform these procedures, you must log in with an account with the following characteristics:

• Account must be a member of the Administrators group on the Web servers and application servers.
• Account must be a member of the Farm Administrators group for the SharePoint Server 2010 farm.
• Account must log in with the Dbcreator and Securityadmin fixed server roles on the computer running SQL Server.

Enable FILESTREAM
First, you must enable FILESTREAM by using SQL Server Configuration Manager.

Enable FILESTREAM
1. Start SQL Server Configuration Manager.
2. Click SQL Server Services.
3. Right-click SQL Server (MSSQLServer), and then click Properties.
4. Click the FILESTREAM tab.
5. Select the Enable FILESTREAM for Transact-SQL access check box.
6. Select the Enable FILESTREAM for file I/O streaming access check box.
7. Select the Allow remote clients to have streaming access to FILESTREAM data check box.
8. Click OK.

Configure FILESTREAM Access Level to Full


Next, configure the access level for FILESTREAM to full by using SQL Server Management Studio.


Configure FILESTREAM Access Level


1. Start SQL Server Management Studio.
2. In Object Explorer, right-click the SQL Server, and then click Properties.
3. In the Select a page section, click Advanced.
4. Click Filestream Access Level, click the drop-down arrow, click Full access enabled, and then click OK. A message appears indicating that you must restart SQL Server.
5. In Object Explorer, right-click the computer running SQL Server, and then click Restart. A confirmation dialog appears.
6. Click Yes.

Alternatively, you can execute the following query to set the FILESTREAM access level:

    EXEC sp_configure filestream_access_level, 2
    RECONFIGURE

Additional Reading
How to: Enable FILESTREAM at http://go.microsoft.com/fwlink/?LinkID=166110&clcid=0x409

Provision a BLOB Store


The next step is to provision the BLOB store that, in this case, is a folder on a local storage volume, for example, C:\Blobstore.

IMPORTANT: Do not create the folder by using Windows Explorer. Use the following procedure, and SQL Server will create the folder automatically.

1. Start SQL Server Management Studio.
2. Select the content database for which you want to provision a BLOB store, and then click the New Query button on the toolbar. The Query Editor opens a new query in the details pane.
3. To set the database master key, type the following query into the Query Editor:

    use [ContentDBName]
    if not exists (select * from sys.symmetric_keys where name = N'##MS_DatabaseMasterKey##')
        create master key encryption by password = N'EncryptionKeyPassword'

   Where:
   • ContentDBName is the name of the content database for which Remote BLOB Store will be provisioned.
   • EncryptionKeyPassword is a password used to generate an encryption key. It should be a unique, complex passphrase.

4. Click the Execute button in the toolbar.
5. Click the New Query button on the toolbar. The Query Editor opens a new query in the details pane.
6. To enable a new filegroup for your RBS provider, type the following query into the Query Editor:

    use [ContentDBName]
    if not exists (select groupname from sysfilegroups where groupname=N'RBSFilestreamProvider')
        alter database [ContentDBName] add filegroup RBSFilestreamProvider contains filestream

   Where:
   • ContentDBName is the name of the content database for which Remote BLOB Store will be provisioned.

7. Click the Execute button in the toolbar.
8. Click the New Query button on the toolbar. The Query Editor opens a new query in the details pane.
9. To add a file system mapping for your RBS provider, type the following query into the Query Editor:

    use [ContentDBName]
    alter database [ContentDBName] add file (name = RBSFilestreamFile, filename = 'BlobStorePath') to filegroup RBSFilestreamProvider

   Where:
   • ContentDBName is the name of the content database for which Remote BLOB Store will be provisioned.
   • BlobStorePath is the path to the BLOB store folder you want to create, for example, D:\Blobstore. For best performance, simplified troubleshooting, and as a general best practice, you should create the BLOB store on a volume that does not contain the operating system, paging files, database data, log files, or the Tempdb file.

10. Click the Execute button on the toolbar.

Repeat the procedure for each content database for which RBS should be provisioned.

Install RBS on All SharePoint Servers


Next, you must install RBS on all SharePoint servers in the farm. Start on a server that is a front-end server. Then, install RBS on all other servers, including dedicated application servers.

Install RBS on a Front-End Server

1. Download RBS.msi from http://go.microsoft.com/fwlink/?LinkID=177388
   You must install the version of RBS that is included in the SQL Server Remote BLOB Store installation package from the Feature Pack for SQL Server 2008 R2. The version of RBS must be 10.50.xxx. No earlier version of RBS is supported for SharePoint Server 2010.
2. Use the following command to install RBS. Do not simply double-click the package.
msiexec /qn /lvx* <InstallLogFile> /i RBS.msi TRUSTSERVERCERTIFICATE=true FILEGROUP=PRIMARY DBNAME="<ContentDbName>" DBINSTANCE="<DBInstanceName>" FILESTREAMFILEGROUP=RBSFilestreamProvider FILESTREAMSTORENAME=FilestreamProvider_1

Where:
• InstallLogFile is the name and optional path of a log file that will be generated by the installation, for example, rbs_install_log.txt.
• ContentDBName is the name of the content database for which Remote BLOB Store has been provisioned.
• DBInstanceName is the server and instance name of SQL Server.

Installation takes a few minutes. You can monitor installation by using Task Manager. You can also monitor the log file for the text Installation completed successfully. For example, use the following command:
type rbs_install_log.txt | find "successfully" /i

Install RBS on Other Servers in the Farm

After installing the first SharePoint front-end server, continue with all other servers in the farm. Use the following command to install RBS on the additional servers:
msiexec /qn /lvx* <InstallLogFile> /i RBS.msi DBNAME="<ContentDbName>" DBINSTANCE="<DBInstanceName>" ADDLOCAL="Client,Docs,Maintainer,ServerScript,FilestreamClient,FilestreamServer"

Where:
• ContentDBName is the name of the content database for which Remote BLOB Store has been provisioned.
• DBInstanceName is the server and instance name of SQL Server.

Confirm RBS Installation


You can confirm the installation of RBS by examining the content database for tables that begin with mssqlrbs. You can use the following query to determine whether the tables exist:
    USE [ContentDBName]
    SELECT * from dbo.sysobjects WHERE name like 'mssqlrbs%'

Enable RBS Using Windows PowerShell


You must enable RBS on one Web server in the SharePoint farm. It does not matter which Web server you choose for this activity, as long as RBS was installed on it by using the previous procedure. In SharePoint 2010 Management Shell, type the following commands:
    $cdb = Get-SPContentDatabase "<ContentDBName>"
    $rbss = $cdb.RemoteBlobStorageSettings
    $rbss.Installed()
    $rbss.Enable()
    $rbss.SetActiveProviderName($rbss.GetProviderNames()[0])
    $rbss

Where: ContentDBName is the name of the content database for which Remote BLOB Store has been provisioned.

Configure BLOB Size Threshold Using Windows PowerShell


You can configure the BLOB size threshold above which BLOBs are stored in the RBS provider. If a BLOB is below the threshold, it is stored in the SQL Server database. In SharePoint 2010 Management Shell, type the following commands:


    $cdb = Get-SPContentDatabase "<ContentDBName>"
    $rbss = $cdb.RemoteBlobStorageSettings
    $rbss.MinimumBlobStorageSize = 1048576
    $cdb.update()

Where: ContentDBName is the name of the content database for which Remote BLOB Store has been provisioned.

Additional Reading
Install and configure RBS (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197210&clcid=0x409
Set a content database to use Remote Blob Storage (RBS) (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197211&clcid=0x409
Migrate content into or out of Remote BLOB Storage (RBS) (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197212&clcid=0x409


How Remote BLOB Storage Works

BLOB objects stored with the FILESTREAM provider are stored on the file system with globally unique identifier (GUID)-based names that provide a unique link from the RBS tables.

BLOB content is not encrypted. Transparent Data Encryption (TDE), which can encrypt the content of BLOBs in SQL Server, is not applied to the FILESTREAM provider. However, you can use NTFS Encrypting File System (EFS): configure the Blobstore folder to be encrypted after the folder has been created by SQL Server. NTFS EFS is transparent to components accessing the NTFS file system.

If you are using RBS, it is important that you consider how you will back up and restore the BLOB store. If you use the SharePoint built-in tools for backup, RBS BLOB stores are included in the backup. You can even restore such a backup to a computer running SQL Server without RBS; the BLOBs will be restored into the database itself. The SQL Server backup command does not necessarily back up BLOBs in RBS for all providers. However, the procedure for properly backing up both a database and the BLOB store is straightforward. First, back up the database. Then, back up the file store. To perform a restore, first restore the file store, and then restore the database.
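
Because FILESTREAM BLOBs are written to disk unencrypted, it is worth recording where each BLOB store lives and who can read it. The following Windows PowerShell script is an added example, not part of the course material: for each content database it reports the RBS state and, when run on the computer running SQL Server (as in the single-server lab), whether each FILESTREAM folder carries the NTFS Encrypted attribute and which accounts hold rights on it. The function name Get-FilestreamContainerPath is hypothetical.

```powershell
# Added example (not course code): report RBS state and BLOB store exposure per content database.
# Run in SharePoint 2010 Management Shell. Folder checks only work where the store is a local path.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: returns the FILESTREAM container folders of one database.
function Get-FilestreamContainerPath {
    param([string]$ConnectionString)
    $paths = @()
    $conn = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # In sys.database_files, type 2 identifies a FILESTREAM container.
        $cmd.CommandText = "SELECT physical_name FROM sys.database_files WHERE type = 2"
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $paths += $reader.GetString(0) }
        $reader.Close()
    }
    finally { $conn.Dispose() }
    return $paths
}

$report = @()
foreach ($cdb in @(Get-SPContentDatabase)) {
    $rbss = $cdb.RemoteBlobStorageSettings
    $row = @{
        Database               = $cdb.Name
        RbsInstalled           = $rbss.Installed()
        RbsEnabled             = $false
        ActiveProvider         = ""
        MinimumBlobStorageSize = ""
        BlobStore              = ""
        EfsEncrypted           = "n/a"
        FolderAccess           = ""
    }
    if ($row.RbsInstalled) {
        $row.RbsEnabled             = $rbss.Enabled
        $row.ActiveProvider         = $rbss.ActiveProviderName
        $row.MinimumBlobStorageSize = $rbss.MinimumBlobStorageSize
    }

    $stores = @(Get-FilestreamContainerPath $cdb.DatabaseConnectionString)
    if ($stores.Count -eq 0) {
        $report += New-Object PSObject -Property $row
        continue
    }

    foreach ($path in $stores) {
        $r = $row.Clone()
        $r.BlobStore = $path
        if (Test-Path -LiteralPath $path) {
            try {
                $item = Get-Item -LiteralPath $path -Force -ErrorAction Stop
                # EFS sets the Encrypted attribute on the folder and on files created in it.
                $r.EfsEncrypted = ($item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
                $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
                $r.FolderAccess = ($acl.Access |
                    ForEach-Object { "{0} ({1}, {2})" -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType }) -join "; "
            }
            catch {
                $r.EfsEncrypted = "unknown"
                $r.FolderAccess = "could not read: " + $_.Exception.Message
            }
        }
        else {
            $r.EfsEncrypted = "not checked (folder is not on this computer)"
        }
        $report += New-Object PSObject -Property $r
    }
}

$report | Format-List Database, RbsInstalled, RbsEnabled, ActiveProvider,
    MinimumBlobStorageSize, BlobStore, EfsEncrypted, FolderAccess
```

A store that shows EfsEncrypted as False holds every document above the BLOB size threshold in clear text on that volume, so the FolderAccess column and the backup location for the file store deserve the same review as the database itself.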


Using Shallow Copy with RBS to Move Sites

When you use RBS with SharePoint Server 2010 SP1 or later, you can use shallow copy when you move a SharePoint site collection from one content database to another.

Shallow Copy and Deep Copy


A SharePoint content database includes structured list items such as tasks, calendar entries, and announcements, and unstructured BLOBs such as Microsoft Office documents, images, and videos. You can choose to store BLOBs within the SQL content database or set up RBS to store them outside the database on the file system. When you want to move a site collection from one content database to another and the BLOBs are stored within the database, you must move the entire database. However, if you are using RBS, BLOBs are outside the database, which leaves you with two options:

• Deep Copy: In a deep copy, BLOBs are uploaded into the database before the site collection is moved.
• Shallow Copy: In a shallow copy, BLOBs remain in place on the file system. Only the structured content database is moved.

The Advantages of Shallow Copy


BLOB files are often large and numerous. In many SharePoint farms, BLOBs make up 80% or more of the total content size. Shallow copy enables you to move a site collection, without uploading, transferring, and saving all the content. Therefore, its principal advantage is speed, and because a site collection move operation requires an interruption in service to users, high performance can be critical. When you use shallow copy, the load placed on database and SharePoint servers is also vastly reduced, which can avoid contention for server resources and poor service to users in other site collections. Whenever possible, a shallow copy is highly recommended.


Requirements to Use Shallow Copy


Before you use shallow copy, you must configure RBS in both the source and destination databases, and apply the following updates:

• SharePoint Server 2010 SP1 or later
• Microsoft SQL Server 2008 R2 SP1 Feature Pack

Using the Move-SPSite Cmdlet


A shallow copy is performed by running the Move-SPSite cmdlet in PowerShell and specifying the -RbsProviderMapping parameter with the names of the RBS providers in the source and destination databases. The Move-SPSite cmdlet appears as follows.
Move-SPSite -Identity <SiteUrl> -DestinationDatabase <DatabaseName> -RbsProviderMapping @{"<SourceProvider>"="<TargetProvider>"}

Where:
• <SiteUrl> is the URL of the site collection to be moved.
• <DatabaseName> is the name of the content database to move the site collection to.
• <SourceProvider> is the name of the RBS provider in the source database.
• <TargetProvider> is the name of the RBS provider in the destination database.


Lab A: Configuring List Throttling and Remote BLOB Storage

Scenario
You have just installed a new SharePoint 2010 server farm at Contoso, Ltd. Your previous SharePoint 2007 environment included some very large lists that performed poorly for end users and large document libraries that increased the size of content databases and therefore the time required to perform backup and restore operations. Your revised governance policy for SharePoint 2010 requires that large lists have controls to manage performance and that the size of content databases be more carefully managed. To support these requirements, you have been tasked with implementing list throttling and Remote BLOB Storage.

Log on to the virtual machine for this lab.


1. Start 10174A-CONTOSO-DC-D.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.


Exercise 1: Configuring List Throttling


In this exercise, you experience latency problems when performing operations on very large lists. You apply list throttling to ensure that such operations do not cause excessive stress on the SharePoint farm. The main tasks for this exercise are as follows:

1. Create a computer inventory list.
2. Configure least privilege rights to manage SharePoint using Windows PowerShell.
3. Create a large list using Windows PowerShell.
4. Observe the list view threshold.
5. Add items to exceed the list threshold.
6. Experience list throttling.
7. Configure list throttling.

Task 1: Create a computer inventory list.


• Log on to SP2010-WFE1 as CONTOSO\SP_Admin using the password Pa$$w0rd.
• Open Internet Explorer, and then browse to http://intranet.contoso.com/sites/IT.
• Create a custom list named ComputerInventory.
• After creating the list, change its name and description to Computer Inventory (with a space).
• Create two single-line text columns named Computer Name and Serial Number.

Task 2: Configure least privilege rights to manage SharePoint using Windows PowerShell.

• Start SharePoint 2010 Management Shell using the Run as different user option. Enter the user name CONTOSO\Administrator and the password Pa$$w0rd.
• Type the following command, and then press ENTER:
Add-SPShellAdmin -UserName CONTOSO\SP_Admin -Database (Get-SPContentDatabase "WSS_Content_Intranet_IT" )

Close the Windows PowerShell window.

Task 3: Create a large list using Windows PowerShell.


In SharePoint 2010 Management Shell, create 4,000 items in the new list by typing the following commands:
    $site = Get-SPSite "http://intranet.contoso.com/sites/IT"
    $web = $site.rootweb
    $list = $web.Lists["Computer Inventory"]
    $i = 1
    do {
        #add item
        $newitem = $list.items.Add()
        $newitem["Title"] = "Client-" + $i.ToString().PadLeft(4, "0");
        $newitem["Computer Name"] = "Client-" + $i.ToString().PadLeft(4, "0");
        $newitem["Serial Number"] = $i.ToString().PadLeft(8,"0");
        $newitem.Update()
        $i++
    }
    while ($i -le 4000)
    $web.dispose()
    $site.dispose()

You can watch the progress of the script by refreshing the Computer Inventory list page in the IT Web.

Task 4: Observe the list view threshold.


Open the List Settings of the Computer Inventory list, and then verify that the List view threshold message indicates that the list contains 4,000 items.

Task 5: Add items to exceed the list threshold.


In SharePoint 2010 Management Shell, create 5,000 additional items in the Computer Inventory list by typing the following commands:
    $site = Get-SPSite "http://intranet.contoso.com/sites/IT"
    $web = $site.rootweb
    $list = $web.Lists["Computer Inventory"]
    $i = 4001
    do {
        #add item
        $newitem = $list.items.Add()
        $newitem["Title"] = "Client-" + $i.ToString().PadLeft(4, "0");
        $newitem["Computer Name"] = "Client-" + $i.ToString().PadLeft(4, "0");
        $newitem["Serial Number"] = $i.ToString().PadLeft(8,"0");
        $newitem.Update()
        $i++
    }
    while ($i -le 9000)
    $web.dispose()
    $site.dispose()

You can watch the progress of the script by refreshing the Computer Inventory list page in the IT Web.

Task 6: Experience list throttling.


• Switch to Internet Explorer and refresh the view of the Computer Inventory list.
• Open the List Settings of the Computer Inventory list, and then verify that the List view threshold message indicates that the list contains 9,000 items.
• Attempt to delete the list. An Error page appears that indicates the operation is prohibited because it exceeds the list view threshold.
• Return to the Computer Inventory list, point at the Title column header, and then click the drop-down arrow that appears. A message appears: Cannot show the value of the filter. The field may not be filterable, or the number of items returned exceeds the list view threshold enforced by the administrator.

Task 7: Configure list throttling.


• Open SharePoint 2010 Central Administration.
• In Central Administration, change the resource throttling settings for the SharePoint intranet.contoso.com80 Web application. Configure the List View Threshold to 10000.
• Switch back to the Computer Inventory list.
• In the Computer Inventory list, point at the Title column header, and then click the drop-down arrow that appears. Verify that the Show Filter Choices command is now available.
• In Central Administration, change the resource throttling settings for the SharePoint intranet.contoso.com80 Web application. Configure the List View Threshold to 7000, with a daily time window for large queries from 11pm to 4am.
• Open the List Settings of the Computer Inventory list, and then observe the List view threshold. Verify that the new list threshold of 7,000 items has been applied.

Results: After this exercise, you should have modified list throttling settings for a site collection.


Exercise 2: Enabling FILESTREAM and Provisioning the RBS Data Store


In this exercise, you enable FILESTREAM and configure RBS on the computer that is running SQL Server 2008. The main tasks for this exercise are as follows:

1. Enable FILESTREAM on the computer running SQL Server.
2. Provision a BLOB store.

Task 1: Enable FILESTREAM on the computer running SQL Server.


• Start SQL Server Configuration Manager using the Run as a different user option. Enter the user name CONTOSO\Administrator and the password Pa$$w0rd.
• Click SQL Server Services, and then open the properties of SQL Server (MSSQLServer).
• In the FILESTREAM tab, select all three check boxes, and then close SQL Server Configuration Manager.
• Start SQL Server Management Studio using the Run as a different user option. Enter the user name CONTOSO\Administrator and the password Pa$$w0rd.
• Open the properties of SP2010-WFE1, and then configure Filestream Access Level so that full access is enabled. Then, restart SQL Server services.

Task 2: Provision a BLOB store.


In SQL Server Management Studio, select the WSS_Content_Intranet_IT content database. Set the database master key by executing the following query:
    use [WSS_Content_Intranet_IT]
    if not exists (select * from sys.symmetric_keys where name = N'##MS_DatabaseMasterKey##')
        create master key encryption by password = N'Master Key Pa$$w0rd'

Add a filegroup for the RBS provider by executing the following query:
    if not exists (select groupname from sysfilegroups where groupname=N'RBSFilestreamProvider')
        alter database [WSS_Content_Intranet_IT] add filegroup RBSFilestreamProvider contains filestream

Add a file system mapping for the RBS provider by executing the following query:
    alter database [WSS_Content_Intranet_IT] add file (name = RBSFilestreamFile, filename = 'c:\Blobstore') to filegroup RBSFilestreamProvider

Results: After this exercise, you should have enabled FILESTREAM and configured RBS on the computer running SQL Server.


Exercise 3: Installing RBS on All SharePoint Web and Application Servers


In this exercise, you install RBS on all Web and application servers in the SharePoint farm. The main tasks for this exercise are as follows:

1. Install RBS on the first Web server.
2. Confirm the installation of RBS.
3. Enable RBS for a content database.
4. Test the RBS provider.

Task 1: Install RBS on the first Web server.


Start Command Prompt using the Run as administrator option. Change to the D:\Labfiles\Lab04 folder, type the following command, and then wait one minute for the operation to complete:
msiexec /qn /lvx* rbs_install_log1.txt /i RBS.msi TRUSTSERVERCERTIFICATE=true FILEGROUP=PRIMARY DBNAME="WSS_Content_Intranet_IT" DBINSTANCE="SP2010-WFE1" FILESTREAMFILEGROUP=RBSFilestreamProvider FILESTREAMSTORENAME=FilestreamProvider_1

Task 2: Confirm the installation of RBS.


Open D:\Labfiles\Lab04\rbs_install_Log1.txt, and then confirm that you see the following line within the last 20 lines of the end of the file:
Product: SQL Server 2008 R2 Remote Blob Store -- Installation completed successfully.

In SQL Server Management Studio, refresh the view of the Object Explorer tree, and then verify that several tables exist in the WSS_Content_Intranet_IT database that have names that begin with the letters mssqlrbs.

Task 3: Enable RBS for a content database.


In SharePoint 2010 Management Shell, enable RBS for the WSS_Content_Intranet_IT database by typing the following commands:
$cdb = Get-SPContentDatabase "WSS_Content_Intranet_IT"
$rbss = $cdb.RemoteBlobStorageSettings
$rbss.Installed()
$rbss.Enable()
$rbss.SetActiveProviderName($rbss.GetProviderNames()[0])
$rbss

Task 4: Test the RBS provider.


Open the C:\Blobstore folder, and then observe the number of items in the folder.

Open Internet Explorer, and then browse to http://intranet.contoso.com/sites/IT.

Navigate to the Shared Documents document library, and then upload the file D:\LabFiles\Lab04\rbs_install_log1.

Switch to Windows Explorer and verify that the file has been added to the Blobstore folder.

Results: After this exercise, you should have configured RBS on the SharePoint farm and tested its functionality.

Configuring Content Management


Exercise 4: Configuring the BLOB Size Threshold for RBS


You have discovered that, by default, RBS stores all BLOBs in the Blobstore folder. After testing in your lab, you determined that optimal performance is achieved on your infrastructure when BLOBs smaller than 1 megabyte (MB) are stored in the content database, and BLOBs larger than 1 MB are stored in the file system. In this exercise, you configure RBS so that only files larger than 1 MB are stored in the file system. The main tasks for this exercise are as follows:
1. Configure the minimum BLOB storage size.
2. Validate the behavior of minimum BLOB storage size.

Task 1: Configure the minimum BLOB storage size.


In SharePoint 2010 Management Shell, configure the MinimumBlobStorageSize property to 1 MB by typing the following commands:
$cdb = Get-SPContentDatabase "WSS_Content_Intranet_IT"
$rbss = $cdb.RemoteBlobStorageSettings
$rbss.MinimumBlobStorageSize = 1048576
$cdb.update()

Task 2: Validate the behavior of minimum BLOB storage size.


Switch to Internet Explorer, and then upload the D:\LabFiles\Lab04\SharePoint_2010_Walkthrough_Guide.pdf to the IT document library.

Upload the D:\LabFiles\Lab04\SharePoint_2010_Datasheet.pdf to the IT document library.

Switch to Windows Explorer, open the C:\Blobstore folder, and, by examining file sizes and timestamps, verify that SharePoint_2010_Walkthrough_Guide.pdf was moved to Blobstore whereas SharePoint_2010_Datasheet.pdf was not moved to Blobstore.

Results: After this exercise, you should have modified the RBS configuration to store files larger than 1 MB in the file system.
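One way to check the state that Exercises 3 and 4 leave behind, as an added example that is not part of the course material. It only reads settings, it uses the lab's log path, database name and 1 MB threshold, and the function and variable names are illustrative.

```powershell
# Added example: read-only verification of the RBS lab configuration.
# Run in SharePoint 2010 Management Shell on the server used in the lab.
$logPath           = 'D:\Labfiles\Lab04\rbs_install_log1.txt'   # lab value
$labDatabase       = 'WSS_Content_Intranet_IT'                  # lab value
$expectedThreshold = 1048576                                    # bytes, set in Exercise 4
$successMarker     = 'Installation completed successfully'

# Exercise 3, Task 2: the success line must be within the last 20 lines of the MSI log.
function Test-RbsInstallLog([string]$Path, [string]$Marker) {
    if (-not (Test-Path $Path)) { return $false }
    $tail = Get-Content -Path $Path | Select-Object -Last 20
    return [bool]($tail | Select-String -SimpleMatch $Marker)
}

# Summarize the RBS state of one content database without changing it.
function Get-RbsStatus($ContentDatabase) {
    $rbss = $ContentDatabase.RemoteBlobStorageSettings
    New-Object PSObject -Property @{
        Database               = $ContentDatabase.Name
        Installed              = $rbss.Installed()
        Enabled                = $rbss.Enabled
        ActiveProvider         = $rbss.ActiveProviderName
        MinimumBlobStorageSize = $rbss.MinimumBlobStorageSize
    }
}

$logOk  = Test-RbsInstallLog $logPath $successMarker
$status = @(Get-SPContentDatabase | ForEach-Object { Get-RbsStatus $_ })

# Farm-wide view: which content databases externalize BLOBs, and above what size.
$status |
    Select-Object Database, Installed, Enabled, ActiveProvider, MinimumBlobStorageSize |
    Format-Table -AutoSize

# Compare the lab database with what the exercises should have produced.
$problems = @()
if (-not $logOk) {
    $problems += "Success line not found in the last 20 lines of $logPath"
}
$lab = $status | Where-Object { $_.Database -eq $labDatabase }
if (-not $lab) {
    $problems += "Content database $labDatabase not found"
} else {
    if (-not $lab.Installed) { $problems += 'RBS is not installed for the database' }
    if (-not $lab.Enabled)   { $problems += 'RBS is not enabled for the database' }
    if (-not $lab.ActiveProvider) { $problems += 'No active RBS provider is set' }
    if ($lab.MinimumBlobStorageSize -ne $expectedThreshold) {
        $problems += "MinimumBlobStorageSize is $($lab.MinimumBlobStorageSize), expected $expectedThreshold"
    }
}

if ($problems.Count -eq 0) {
    'RBS configuration matches the lab exercises.'
} else {
    $problems | ForEach-Object { "CHECK FAILED: $_" }
}
```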

Do not shut down the virtual machines.


Leave the virtual machines running. You use them for Lab B.


Lesson 2

Managing Site Content Types and Site Columns

In lists and libraries, users create content. SharePoint Server 2010 offers impressive content management functionality, which begins with the ability to describe content with metadata using columns and to define content types. In this lesson, you learn how to manage site content types and site columns. Although power users can perform these tasks in certain environments, IT professionals must know how to support these tasks. Furthermore, you must have a solid understanding of columns and content types at the site level before you can take advantage of the managed metadata service, the topic of the next lesson.

After completing this lesson, you will be able to:
• Describe the purpose of content types and site columns.
• Configure content types.
• Configure templates for document libraries.
• Configure site columns.


Content Types

Content types are definitions of types of content that can be stored in lists and libraries. They are, in effect, a schema for the types of objects that can exist in a site. Content types are an important component of your information architecture (IA), which typically refers to both the content type hierarchy and taxonomy. The site's content type gallery lists available content types and exposes content type management functionality.

To open the site content type gallery, complete the following steps:
1. Click Site Actions, and then click Site Settings.
2. In the Galleries section, click Site Content Types.

Content types are scoped to the site in which they are created and all subsites. You can create content types in any site. However, it is a best practice, when possible, to create content types in the top-level site of a site collection so that the content types are available to all sites in the site collection.

To deploy content types across multiple site collections, you can use Visual Studio to define and package the content type as a solutions package (.wsp file). This is possible in both SharePoint 2007 and SharePoint 2010. SharePoint 2010 introduces the managed metadata service application, which publishes content types and columns from one site collection across site collections, Web applications, and farms. You learn more about the managed metadata service application in the next lesson.

There are two basic steps to make use of content types in a Web site:
1. Create a site content type.
2. Use a content type in a list or library.

These two steps are covered in detail in the next two topics.


Create a Site Content Type

To work with content types in a site, you first create the content type, and then associate it with a list or library.
1. Click Site Actions, click Site Settings, and then click Site Content Types.
2. Click Create.
3. Configure the following:
   • Name. The content type name.
   • Description. A description of the content type.
   • Parent content type. A content type is derived from (is the child of) another content type. For example, when you create a custom document content type, you typically want to make it a child of the built-in Document content type. A content type inherits its properties from its parent content type. Content types are grouped for organizational purposes. The Document content type is in the Document Content Types group.
   • Group. When you create a content type, you can put it in a content type group to make it easier to locate the content type. The group has no technical impact whatsoever (it is purely organizational), but it is recommended to keep custom content types that you create separate from content types that are built-in or that are created by third-party tools.
   • Document template. If you create a document content type, you can associate a template with the content type. On the Site Content Type Information page for the content type, click Advanced Settings. Use the Upload option to upload the appropriate template. The template can be any file format.


Using Content Types in a List or Library

By default, a list contains one type of item, and a library contains one content type: Document. To use content types in a list or library, you must first enable the management of content types in the list or library.

Enable the Management of Content Types in a List or Library


1. On the list or library Settings page, in the General Settings section, click Advanced settings.
2. In the Content Types section, click Yes, and then click OK.

Then, you can add content types to the list or library.

Add Content Types to a List or Library


1. On the list or library Settings page, in the Content Types section, click Add from existing site content types.
2. Select the content type, click Add, and then click OK.

If you have more than one content type in a list or library, you can change the order in which the content types appear on the New menu of the ribbon. Click Change New Button Order And Default Content Type. The content type that is listed first is the default content type used if a user clicks the New button. Other content types appear if a user clicks the New button's drop-down arrow.

If you are using custom content types and no longer require the default Document or Item content type, you can delete it. In the Content Types list, click Document. Click Delete This Content Type, and then click OK when prompted to confirm.

Create a Document from a Template


When you click the New button on the ribbon of the list or library, or you click its drop-down menu, you create a new document based on the template specified by the content type.


When you save the document to the content library, you do not overwrite the template. In the case of Microsoft Office documents, the Office client application remembers the library from which the document was created so that when you save the document, the library is the default location automatically.


Content Type Properties

Content types expose many properties, in addition to the document template property for document content types. Content types define the following:
• Workflows. You can associate workflows with content types.
• Document Information Panel (DIP). The DIP is a form that appears above the document in some Microsoft Office client applications, such as Microsoft Office Word. The DIP displays the properties of the document, giving users a way to read and modify properties in the client application instead of or in addition to using the SharePoint Web user interface. The DIP can be customized by using InfoPath to include business logic, access to other data sources, and rich interaction.
• Information management policy settings. You can configure document and record policies including retention, auditing, bar codes, and labels.
• Columns. You can define columns, also called attributes, properties, or metadata, for a content type. For example, a content type for contracts might be given a date column that specifies the expiration date of the contract.

Content types are an important component of your enterprise information architecture (IA). IA, which also includes taxonomy (the subject of the next lesson), defines how users identify, locate, and search for content. You can implement IA by classifying content based on content types: for example, being able to identify contracts versus proposals, and then being able to bubble up properties such as contract expiration dates.


Columns

As you discovered in the previous topic, columns are used to define pieces of information that can be associated with a document or list item. Synonyms for columns include fields, attributes, properties, and metadata. Columns describe content and can thus be used to organize and manage content in views, reports, and alerts. Columns can also be used as search attributes, allowing users to locate content more efficiently.

A column is scoped to the site in which it is created and to all subsites. As with content types, it is recommended that you create site columns at the top-level site of a site collection whenever possible so that they are available to all sites in the site collection.

To deploy a column across multiple site collections, you can use Visual Studio to define and package the column as a solutions package (.wsp file). This is possible in both SharePoint 2007 and SharePoint 2010. SharePoint 2010 introduces the managed metadata service application, which publishes content types and columns from one site collection across site collections, Web apps, and farms. You learn more about the managed metadata service application in the next lesson.


Site Columns

There are two basic steps to make use of site columns in a website:
1. Create a site column.
2. Use a column in a content type, list, or library.

Create a Site Column


To create a site column, perform the following steps:
1. Click Site Actions, and then click Site Settings.
2. In the Galleries section, click Site Columns.
3. Click Create.
4. Configure the following:
   • Name. The column name, which must be unique at the site level.
   • Description. A description of the column. Once a site column is defined, it can be incorporated into lists, libraries, and content types. If the column should be reserved for a specific purpose, or if its role is not self-explanatory based on the column's name, be certain to provide a thorough description.
   • Group. Columns are grouped for organizational purposes. When you create a column, you can put it in a column group to make it easier to locate the column. The group has no technical impact whatsoever (it is purely organizational), but we recommend that you keep custom columns that you create separate from columns that are built-in or that are created by third-party tools.

Add Site Columns to a Content Type


To add a site column to a content type, perform the following steps:
1. Click Site Actions, click Site Settings, and then click Site Content Types.
2. Click the content type you want to modify.
3. Click Add from existing site columns.

Add Site Columns to a List or Library


To add a site column to a list or library, perform the following steps:
1. Click Site Actions, click Site Settings, and then click Site Content Types.
2. Click the content type you want to modify.
3. Click Add from site columns.


Content Type and Column Inheritance

Content types are a hierarchy, beginning with a limited number of top-level content types such as Item. When you create a site content type, you must specify the parent. When you add the site content type to a list or library, you are actually creating a child content type, called a list content type: a content type scoped only to the list. A child content type has the same properties as its parent, initially, but because it is an independent object, you can modify and thus override the properties that it obtained from its parent.

The same applies to columns. When you add a site column to a list or library, you create a list or library column that is a child of the site column, and it inherits its initial property set from the parent. You can then modify properties of the list or library column.

When you update a content type or column at the site level, you have the option to propagate updates to child content types or columns. The change you have made is then copied to child objects, overwriting whatever was the previous state of the object. This is done on a property-by-property basis, so only properties that you change at the site level are propagated to child objects.
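The create, use and propagate steps of this lesson can also be scripted against the SharePoint server object model. The following is an added example, not part of the course material: the column name ContractExpiration, the content type name Contoso Contract and the group name Contoso Custom are assumptions, while the site URL and the Shared Documents library are the lab's.

```powershell
# Added example: site column + site content type in the top-level site, a list
# content type created from it, and an update propagated to the child objects.
# Run in SharePoint 2010 Management Shell.
$siteUrl = 'http://intranet.contoso.com/sites/IT'   # lab site collection
$library = 'Shared Documents'                        # lab document library
$group   = 'Contoso Custom'                          # assumed group name
$ctName  = 'Contoso Contract'                        # assumed content type name
$colName = 'ContractExpiration'                      # assumed column name

$site = Get-SPSite $siteUrl
try {
    $web = $site.RootWeb   # top-level site, so every subsite can use the objects

    # 1. Create the site column (kept in its own group, apart from built-in columns).
    if (-not $web.Fields.ContainsField($colName)) {
        $internalName = $web.Fields.Add($colName, [Microsoft.SharePoint.SPFieldType]::DateTime, $false)
        $newCol = $web.Fields.GetFieldByInternalName($internalName)
        $newCol.Group       = $group
        $newCol.Description = 'Date on which the contract expires.'
        $newCol.Update()
    }
    $col = $web.Fields.GetFieldByInternalName($colName)

    # 2. Create the site content type as a child of the built-in Document type.
    $ct = $web.ContentTypes[$ctName]
    if ($ct -eq $null) {
        $parent = $web.AvailableContentTypes['Document']
        $ct = New-Object Microsoft.SharePoint.SPContentType -ArgumentList $parent, $web.ContentTypes, $ctName
        $ct.Group = $group
        $ct = $web.ContentTypes.Add($ct)
    }

    # 3. Add the site column to the content type.
    if ($ct.FieldLinks[$col.Id] -eq $null) {
        $link = New-Object Microsoft.SharePoint.SPFieldLink -ArgumentList $col
        $ct.FieldLinks.Add($link)
        $ct.Update($true)
    }

    # 4. Enable content type management on the library and add the content type.
    $list = $web.Lists.TryGetList($library)
    if ($list -eq $null) { throw "Library '$library' not found in $($web.Url)" }
    if (-not $list.ContentTypesEnabled) {
        $list.ContentTypesEnabled = $true
        $list.Update()
    }
    if ($list.ContentTypes[$ctName] -eq $null) {
        [void]$list.ContentTypes.Add($ct)
    }

    # The library now holds a list content type that is a child of the site one.
    $listCt = $list.ContentTypes[$ctName]
    'List content type is a child of the site content type: ' + $listCt.Id.IsChildOf($ct.Id)

    # 5. Change properties at the site level and propagate them to the children.
    $ct = $web.ContentTypes[$ctName]
    $ct.Description = 'Contracts, with an expiration date.'
    $ct.Update($true)      # $true = update child (list) content types as well

    $col = $web.Fields.GetFieldByInternalName($colName)
    $col.Description = 'Expiration date of the contract.'
    $col.Update($true)     # $true = push the change to list and library columns

    $list = $web.Lists.TryGetList($library)
    'Description on the list content type: ' + $list.ContentTypes[$ctName].Description
}
finally {
    $site.Dispose()
}
```

Passing $false to either Update call leaves the list copies as they were, which is the override behavior described above.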


Lesson 3

Configuring the Managed Metadata Service

In the previous lessons, you learned how to define metadata and content types at the list and site levels. In this lesson, you learn how to configure an important new service application in SharePoint Server 2010, the managed metadata service, which makes terms and content types available across site collections, Web applications, and even farms.

After completing this lesson, you will be able to:
• Describe the roles of the managed metadata service.
• Configure taxonomy.
• Configure managed content types.


Managed Metadata Service

The managed metadata service is an important new feature of SharePoint Server 2010. It plays a critical role in enterprise content management because it supports the two primary components of information architecture: enterprise metadata management (taxonomy), and content type syndication. In this lesson, you learn how to use the managed metadata service to manage enterprise taxonomy, and then you learn how to syndicate content types.

Understanding Managed Metadata Service Terminology


• Managed metadata is a hierarchical collection of centrally managed terms that you can define and then use as attributes for items in SharePoint Server 2010.
• A term is a word or a phrase that can be associated with an item in SharePoint Server 2010.
• A term set is a collection of related terms. You can specify that a SharePoint Server column must contain a term from a specific term set. Managed metadata is a way of referring to the fact that terms and term sets can be created and managed independently from the columns themselves.
• Managed terms, which are usually predefined, can be created only by users with the appropriate permissions and are often organized into a hierarchy.
• Enterprise keywords are words or phrases that have been added to SharePoint Server 2010 items. All enterprise keywords are part of a single, nonhierarchical term set called the keyword set.
• Local term sets are created in the context of a site collection. For example, if you add a column to a list in a document library and create a new term set to bind the column to, the new term set is local to the site collection that contains the document library.
• Global term sets are created outside the context of a site collection. For example, the term store administrator could create a term set group called Human Resources and designate a person to manage the term set group. The group manager would create term sets that relate to human resources, such as job titles and pay grades in the Human Resources term set group.


Create and Use Terms: The Big Picture

First, take a look at managing and using terms, from beginning to end, at a very high level. This topic focuses on the main tasks involved with creating and using terms.

Term Store Management Tool


A managed metadata service application maintains a database that contains the term store for the service application. The Term Store Management Tool is the administrative interface with which you manage terms in the term store.

Open the Term Store Management Tool
1. On the Central Administration site, in the Application Management section, click Manage service applications.
2. Click the Managed Metadata Service link. You can click the link of either the service application or the service application connection. Both open the same Term Store Management Tool. The Term Store Management Tool opens.
3. Confirm that the tool is focused on the metadata application that you want to administer. In the Available Service Applications list, select the correct metadata application.

An Introduction to the Term Store Hierarchy


The term store contains terms in a hierarchical structure consisting of term set groups, term sets, and terms. (See the following graphic.) Web applications that connect to the service application can use any of the terms in the term store. You learn more about the term store hierarchy as this lesson progresses.

Create Terms in a Term Set


In a term set, you can create terms.


Create a Term
To create a term, complete the following steps:
1. Open the Term Store Management Tool.
2. Expand the term store.
3. Expand the term group and the term set in which you want to create the term.
4. Point at the term set or term beneath which you want to create the term, and then click the drop-down arrow that appears.
5. Click Create Term.
6. Type the term, and then press ENTER.

Use Managed Metadata in Content


After a term set has been established, you can begin to use the terms in the term set as tags for items and documents. To do this, you must add a managed metadata column to a list, library, or content type. The managed metadata column type is new to SharePoint Server 2010. When you create a managed metadata column, you specify a single term set from which the column's valid values come. Create a new content type or modify an existing content type, and add the managed metadata column to the content type.

Important: A managed metadata column can be associated with only one term set.

Add a Managed Metadata Column to a Site as a Site Column


1. Open the site in which you want to use managed metadata.
2. Click Site Actions, and then click Site Settings.
3. In the Galleries section, click Site columns.
4. Click Create.
5. In the Column name box, type a name for the column.
6. In the list of column types, click Managed Metadata.
7. In the Group section, select a column group or create a new column group.
8. In the Term Set Settings section, expand the term store, expand the term group that contains the term set, and then click the term set. Optionally, configure other settings for the column. For example, you can specify that the column allows multiple values. Also, if the term set is an open term set, you can configure the column to allow fill-in choices.
9. Click OK.

Add a Managed Metadata Site Column to a Site Content Type


1. Click Site Actions, and then click Site Settings.
2. In the Galleries section, click Site content types.
3. Click the site content type to which you want to add managed metadata.
4. Click Add from existing site columns.
5. In the Select columns from list, select the column group that contains the managed metadata column.
6. In the Available columns list, click the managed metadata column, and then click Add.
7. Click OK to add the column.
8. Click OK to close the content type.

Pick Terms
After adding a managed metadata column to a list, library, or content type, users can apply terms from the term set as values for the column. The new and edit forms of an item or document display the managed metadata control for a managed metadata column, and the user interacts with this control to enter the column's value.

With the managed metadata control, the user can either type a value or select a value by hierarchically navigating the term set that is associated with the column. If the user begins typing a value, the AJAX-driven control displays all terms in the associated term set that begin with the characters the user has typed. The name of the term set and the term's position in the hierarchy are indicated along with the term itself. If the column's definition allows multiple values, the user can select more than one term. If both the term set and the column's definition allow new terms to be added, the user can also create a new term and insert it at the appropriate place in the term set's hierarchy.

It is important to note the following about the control:
• The control consists of a text box, a browse button, and a term selection page.
• You can type a term into the text box. As you type, the control provides suggestions. If the highlighted suggestion is appropriate, you can press ENTER. Alternately, you can select any suggestion by using the arrow keys to select the suggestion and then pressing ENTER or by clicking the suggestion.
• If you type a term that does not exist in the term store, your entry is displayed in red with a red dashed underline. You cannot save the change until you correct the entry.
• Click the Browse For A Valid Choice button. The term selection page opens. The term selection page shows all terms in the term set. To select a term, click the term, click Select, then click OK, as shown in the following graphic:


• If the term set has an email address in the term set's Contact property, the term selection page displays a Send Feedback link. The link is a simple <mailto:> link that opens the user's email client with the To: address prepopulated with the term set contact's email address.
• If the term set is an open term set, the Add New Item link appears. Click the link, and a new, blank term appears. Type the label for the term, and then press ENTER.

Here is a review of some important points about terms:
• Terms are stored in a term set in a term group.
• A managed metadata service application can contain multiple term sets.
• Typically, terms are tightly managed. Most term sets are usually closed, meaning that only term set managers and contributors can add, modify, or delete terms in the term set.
• A managed metadata column can expose terms from only one term set.

Keywords
Often, enterprises want to allow folksonomy: the development of terms and metadata that is driven by users adding tags to content and people. Terms in a folksonomy are typically unmanaged; users can tag content or people with whichever words and phrases they want to apply. Folksonomy in SharePoint Server 2010 is supported by keywords. Keywords are terms that are stored in a single, nonhierarchical term set called the keyword set. When content is tagged and a term does not exist, it is added to the keyword set.

There is very little difference, really, between keywords and terms. Both are terms that can be used to tag content. Both are stored in the term store. The primary differences are the following:
• Terms are highly managed. They have numerous properties, about which you learn later in this lesson.
• Terms are structured in term sets and term groups and can be reused across term sets and term groups.
• Term sets are typically closed. The keyword set is typically open: users can add keywords to the keyword set when they tag content with words or phrases that do not already exist in the keyword set.

Add an Enterprise Keywords Column to a Site Content Type


1. Click Site Actions, and then click Site Settings.
2. In the Galleries section, click Site content types.
3. Click the site content type to which you want to add managed metadata.
4. Click Add from existing site columns.
5. In the Select columns from list, select the column group that contains the managed metadata column.
6. Click Enterprise Keywords, and then click Add.
7. Click OK to add the column.
8. Click OK to close the content type.

Tag Content Using Keywords


After adding an enterprise keywords column to a list, library, or content type, users with permission to modify the content type can apply terms from the keyword set to content.


The EditForm.aspx page of an item or document displays the managed keyword control for enterprise keyword columns. It is important to note the following about the control:
• The control consists of a text box, a browse button, and a term selection page.
• As you type, the control provides suggestions. If the highlighted suggestion is appropriate, you can press ENTER. Alternately, you can select any suggestion by using the arrow keys to select the suggestion and then pressing ENTER or by clicking the suggestion.
• You can type a word or phrase that does not already exist as a keyword, and it will be added to the keyword set. This is the default behavior of the enterprise keywords column; however, SharePoint can be configured to prevent adding new keywords to the keyword set.

Create a Keyword
Keywords are often created by users when they tag content with a word or phrase that is not already in the keyword set. However, if you want to add a keyword directly to the keyword set, you can do so by following this procedure:
1. Open the Term Store Management Tool.
2. Expand System, and then expand Keywords.
3. Point at Keywords, and then click the drop-down arrow that appears.
4. Click New Keyword.
5. Type the term, and then press ENTER.


Manage Terms

Now that you understand the end result (how terms are incorporated into items and documents), you can learn how to administer managed metadata, from the bottom up, starting at the terms themselves.

Term Properties
Terms are more than simply words or phrases. They are objects with a variety of properties.

Modify a Term
To modify the properties of a term, follow this procedure:
1. Open Term Store Management Tool.
2. Select the term.
3. Modify one or more properties of the term.
4. Click Save.

The term properties that you can modify include the following:
• Sort order. By default, terms are sorted alphabetically in the parent term set or term. However, you can manually specify the sort order by completing the following steps:
   1. Click the Custom Sort tab.
   2. Click Use custom sort order.
   3. Modify the sort order.
• Available for tagging. By default, terms are available to be used for tagging. Why would you create a term and then not make it available? Terms themselves are hierarchical in a term set. That is, a term can have one or more terms as child objects. For example, you might have terms for teams or departments in the IT group. If you have a term hierarchy in a term set, you might want nodes that have child terms to be unavailable for tagging.
• Language. If you have a language pack installed, and the term store has the language specified as a working language, you can select each language and modify the Default Label and Other Labels.
• Description. Use a description to help users understand when to use the term and to disambiguate among similar terms.
• Default label. This is the default label for the term for the selected language. The default label is what is referred to as the term. However, as you are learning, the term is more than just the label. In fact, behind the scenes, everything is managed with unique identifiers.
• Other labels. These are synonyms and abbreviations for the term for the selected language. When other labels are configured for a term, users can enter any of the synonyms or abbreviations in a managed metadata control, and their entry will be changed into the default label for the term. The other labels even appear as suggestions when a user begins to type in a managed metadata control.
• Member of. A term can be reused in multiple locations. The Member Of list is a list of locations in which the term exists.
• Source. When a term exists in more than one location, the term's properties can be edited in only one: its source. The permissions that apply to the source location affect who can modify the term's properties.

Term Tasks
Use the drop-down menus in the term store hierarchy of the Term Store Management Tool to perform actions. You can perform the following actions related to terms in a term store:
• Create term. Create a new term in a selected term set or as a child of a selected term.
• Copy term. Create a new term that is a copy of an existing term. The source term's properties are copied to the new term, and then the new term is a unique object with no relationship or linkage to its original source.
• Move term. Move a term to another location in the term hierarchy.
• Delete term. Remove a term from the term store.
• Deprecate term. Disable the term so that it no longer can be used as a valid term but stays part of the system.
• Merge term. To merge terms, select a source term, click Merge Term, and then select a target term. The result is that the source term and its synonyms are added as synonyms of the target term.
• Reuse term. A term can be placed in more than one location in the taxonomic hierarchy. To use a term in a new location (in a term set or as a child of another term), select the target location, click Reuse Term, and then select the source term. The source term is added as a kind of link to the selected target location. Changes to a term's properties affect every instance of the term. The term's Source property defines the location in the hierarchy in which the term can be modified, and the permissions on that location determine which users can modify the term. The term's source can be changed to any of its locations by a user who currently has permission to modify the term.

Enterprise Keywords
As you learned in a previous topic, keywords are stored in a flat, nonhierarchical keyword set. Keywords have only one property: Available For Tagging. You can perform only three actions. The first two are New Keyword and Delete Keyword, which are self-explanatory. The third action is Move Keyword. With this option, you can move a keyword into a term set, where it becomes a managed term and acquires all of the additional properties associated with terms. This process is how an organization can organically grow a folksonomy and migrate resulting terms into a taxonomy.


Manage Term Sets

A term set is a collection of related terms.

Term Set Properties


A term set has a Term Set Name and Description. It also has an Available For Tagging property. A term set also has the following properties:
Contact. An email address for a contact for the term set. If an email address is entered in the Contact property, the managed metadata control displays a Submit Feedback link in the term picker. A user who wants to submit feedback or request a change to the term set can click the link, and an email message is started with the To address populated by the value of the term set contact.
Submission Policy. The submission policy determines whether users can add terms to the term set from the managed metadata control. If a submission policy is open, the managed metadata control displays an Add New Item link. So, if a user wants to tag content with a term that is not already in the term set for a managed metadata column, the user can add a new term on the fly. This allows for folksonomy in the context of a managed term set. The newly added term is available to other managed metadata columns that reference the same term set.
Note: For a user to add a new item to a term set, the term set must have an open submission policy, the managed metadata column must allow fill-in choices, and the user must have permission to change an item or document that contains the managed metadata column.
Owner, Stakeholders. These two properties, as well as Contact, are informational only. They are used to document individuals or groups who are associated with the term set. These two properties do not assign any permissions to the term set whatsoever.


Term Set Tasks


From a design perspective, the most important point to remember is that a term set is used as the source of terms for a managed metadata column. A managed metadata column can use only one term set, and all terms that are available for tagging in that term set can be applied as values to the column. Therefore, any time you need a column with managed metadata, you should check to see whether a term set already exists that meets your needs exactly (that is, has the appropriate labels and properties) and, if not, create a new term set. Remember that terms can be reused in more than one term set.

Create a Term Set
1. In Term Store Management Tool, point at the term group in which you want to create a term set, click the drop-down menu of the term group, and then click New Term Set.
2. Type a name for the term set, and then press ENTER.

Using the term set's drop-down menu, you can perform the following actions:
Delete Term Set. This option deletes the term set and its terms.
Move Term Set. This option moves a term set to another term group.
Copy Term Set. This option creates a new term set with the same properties as the source term set. All terms in the source term set are added, as reused terms, to the new term set. This allows you to create variations on a term set for scenarios in which a managed metadata column needs to contain a superset, subset, or other variation of terms that are already in use in another term set.


Manage Term Groups

A term group is a collection of one or more term sets. A term group has a Group Name and a Description. Most important, the term group defines two roles:
Contributors. Contributors have full permission to edit terms and term set hierarchies in the term group.
Group Managers. Group Managers have Contributor permissions plus the ability to import term sets. Group Managers can also add users to the Contributors role.

You can create a term group from the term store.

Create a Term Group
To create a term group, complete the following steps:
1. Point at the term store, click the drop-down menu, and then click New Term Group.
2. Type a name for the term group, and then press ENTER.

The following options appear on the term group's drop-down menu:
New Term Set. You can use this option to create a new term set in the term group.
Delete Term Group. You can use this option to delete the term group.
Import Term Set. You can use this option to import a term set using a comma-separated values (.csv) file. You can find a sample import file in the root of the term store. In Term Store Management, click the term store, and then click View A Sample Import File.

Additional Reading
Managed metadata input file format (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197214&clcid=0x409


Manage the Term Store

Each managed metadata service application has one term store. Metadata service applications cannot share term stores. The term store properties define the following:
Term Store Administrators. Term Store Administrators have full control over the term store. Term Store Administrators can perform all actions of Group Managers, can create and delete term groups, and can assign users to the Group Managers role. Term store administrators can also modify the default and working languages of a term set.
Default Language. Each term store must have a default language specified, and every term must have a label defined in the default language.
Working Languages. After you have installed a language pack, you can add installed languages as a working language for a term set. Then, you can select a term and specify the default label and other labels for each working language. Unlike the default language, you are not required to have a label for every term in a working language.

Terms are not added to a term store by default when you add a language pack. There is no automatic translation service. You must manually configure the labels for terms in each language that you want a term set to expose. When a term has labels in multiple languages, the language of the site determines which labels are visible. For example, if the Department term set has terms defined in both French and English, an English-language team site allows users to use English terms from the term set in a managed metadata column, and a French team site allows users to use French terms from the term set.

To create a term store, you must create a managed metadata service application. The steps for this procedure are listed later in this lesson. To delete a term store, you must delete the managed metadata service application.


Assign Term Set Administrators
A farm administrator must assign term set administrators. In fact, when you create a new managed metadata service application, even though you created the application, you are not a term set administrator; you must give yourself permission.
1. Open the Term Store Management Tool.
2. In the Term Store Administrators box, type the names of term set administrators separated by semicolons.
3. Click Save.

Note: When working with SharePoint Online deployments, the SharePoint Online Term Store can be managed via the Term Store Management Tool in the SharePoint Online Administration Center. This allows you to manage metadata within your site, and the same principles and procedures that are called out here for an on-premises environment are applicable.


Term Store Design

Term Store Hierarchy


Now you have explored each component in the term store hierarchy shown in the following graphic.

Here is a review of the characteristics of each component from the perspective of term store design:
One or more terms are contained in a term set. Terms can also be created as child objects of other terms. A term set is a group of related terms and is the scope of a managed metadata column. When you add a managed metadata column to a content type, list, or library that will use tags, you specify the term set that is used in the column. Each managed metadata column can use terms from only one term set, and all terms in the term set are available.
One or more term sets are contained in a term group. A term group is a security container that manages who can modify term sets and terms. You can specify, for a term group, who has permission to modify the term sets and terms in the term group.


One or more term groups are contained in a term store. A term store is the database that contains the terms for a managed metadata service application. The scalability of a managed metadata service application is related to performance, but the following guidelines should be used:
1,000 term sets per term store
30,000 terms per term set
1 million terms per term store

The keyword set is a flat, nonhierarchical term set that is used to apply terms to enterprise keyword columns. The managed keyword control displayed by an enterprise keyword column exposes terms from the keyword set as well as all other term sets that are available to the Web application.

Term sets can be global or local. A global term set is what you have been examining thus far: a term set that is maintained using the Term Store Management Tool and available to all Web applications that connect to the service application. A local term set is maintained in the term store, but it is created and managed in a site collection, rather than in the Term Store Management Tool. The resulting term set is available to all sites in the site collection but not to other site collections. Using a local term set has advantages over legacy methods for tagging data (for example, choice and lookup fields) because the local term set is maintained by the managed metadata service, so you can define synonyms and manage terms just as you would a global term set. Users who are site collection administrators have permissions to create local term sets.
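The roles and properties reviewed above can be read back from the term store to confirm who actually holds them. The following PowerShell is an added example, not part of the courseware: it assumes the SharePoint 2010 Management Shell on a farm server and uses member names from the Microsoft.SharePoint.Taxonomy object model, and the function names and the site URL are hypothetical.

```powershell
# Added example, not from the courseware. Read-only: it changes nothing.
# Assumes the SharePoint 2010 Management Shell (PowerShell 2.0) on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: one report row per role holder.
function New-RoleRow($Store, $Scope, $Role, $Principal) {
    New-Object PSObject -Property @{
        TermStore = $Store; Scope = $Scope; Role = $Role; Principal = $Principal
    } | Select-Object TermStore, Scope, Role, Principal
}

# Lists who holds each role that grants rights in the term store:
# Term Store Administrators, and Group Managers and Contributors per term group.
function Get-TermStoreDelegation {
    param([Parameter(Mandatory = $true)][string]$SiteUrl)

    $session = Get-SPTaxonomySession -Site $SiteUrl
    foreach ($store in $session.TermStores) {
        # "Where-Object { $_ }" drops the single $null that PowerShell 2.0
        # would otherwise pass down the pipeline for an empty value.
        $store.TermStoreAdministrators | Where-Object { $_ } | ForEach-Object {
            New-RoleRow $store.Name '(entire term store)' 'Term Store Administrator' $_.PrincipalName
        }
        foreach ($group in $store.Groups) {
            # Local term sets live in a group that belongs to one site collection.
            $scope = $group.Name
            if ($group.IsSiteCollectionGroup) { $scope = "$($group.Name) (local)" }

            $group.GroupManagers | Where-Object { $_ } | ForEach-Object {
                New-RoleRow $store.Name $scope 'Group Manager' $_.PrincipalName
            }
            $group.Contributors | Where-Object { $_ } | ForEach-Object {
                New-RoleRow $store.Name $scope 'Contributor' $_.PrincipalName
            }
        }
    }
}

# Lists term sets whose submission policy is open, together with the
# informational Owner, Contact and Stakeholders values (these grant no rights).
function Get-OpenTermSet {
    param([Parameter(Mandatory = $true)][string]$SiteUrl)

    $session = Get-SPTaxonomySession -Site $SiteUrl
    foreach ($store in $session.TermStores) {
        foreach ($group in $store.Groups) {
            foreach ($termSet in $group.TermSets) {
                if (-not $termSet.IsOpenForTermCreation) { continue }
                $stakeholders = @($termSet.Stakeholders | Where-Object { $_ }) -join '; '
                New-Object PSObject -Property @{
                    TermStore    = $store.Name
                    TermGroup    = $group.Name
                    TermSet      = $termSet.Name
                    Owner        = $termSet.Owner
                    Contact      = $termSet.Contact
                    Stakeholders = $stakeholders
                } | Select-Object TermStore, TermGroup, TermSet, Owner, Contact, Stakeholders
            }
        }
    }
}

# Usage (placeholder URL of a site collection connected to the service application):
# Get-TermStoreDelegation -SiteUrl 'http://intranet.example' | Format-Table -AutoSize
# Get-OpenTermSet -SiteUrl 'http://intranet.example' | Format-Table -AutoSize
```

Comparing the first report with the names recorded in Owner and Stakeholders shows where a documented owner holds no role in the term group, or where a role holder is undocumented.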

Term Store Design


Because permissions to modify terms are applied at the term group level, and because SharePoint 2010 supports multitenancy for the managed metadata service application, most organizations need only one term store. Most organizations maintain only one managed metadata service application, and therefore one term store. However, it is possible to deploy more than one metadata application. For example, the Research and Development department may want to maintain a separate term store to contain terms related to R&D and to products under development. Web applications that do not connect to the R&D term store do not have any visibility into those terms. The R&D department can connect to its own term store and to the enterprise term store so that its content can be tagged both with terms that are common to the entire organization and with terms unique to R&D. A Web application can connect to zero or more managed metadata service applications.

The key point is that a separate managed metadata application creates a completely partitioned term store. In other words, separate term stores create security isolation of data. Farm administrators give Web applications visibility into appropriate term stores when they connect Web applications to managed metadata service applications.

An alternative to separate term stores hosted by separate managed metadata service applications is to implement multitenancy. Multitenancy is beyond the scope of this course, but in sum it allows a single database to be partitioned between customers.

Perhaps a more important driver toward multiple term stores is the fact that separate metadata applications and term stores provide various levels of scalability. Web applications in the farm and from other farms connect to the term store, so if, for example, you need a term set to span multiple farms but other term stores are used only within one farm (and perhaps contain terms that you do not want visible to enterprise keyword fields in the other farm), you should create a separate metadata application and term store to publish to both farms.

Additional Reading
Plan terms and term sets (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197215&clcid=0x409


Benefits of the Managed Metadata Service

Terms
You can use the managed metadata service to practice enterprise metadata management. As discussed in a previous topic, metadata (also known as attributes, properties, fields, columns, terms, tags, and keywords) is a critical component of taxonomy and therefore of information architecture.

Terminology About Terms
The term you hear most in relation to the managed metadata service is term. A term is a word or phrase that can be used as an attribute for content. When people refer to taxonomy, they are generally referring to structured, centralized, and managed terms. A closely related concept is folksonomy, which is used to refer to user-generated tags. Terms can be managed and controlled in a variety of ways so that an enterprise can expose a managed taxonomy while allowing user-generated tags (folksonomy). A taxonomy and folksonomy that are designed and managed to support the requirements of a business can allow information architecture to grow organically and change over time.

Applying Terms (Tagging)
Once you have tags, whether structured or user-driven, you must be ready to support tagging: the task of assigning descriptors (metadata) to content. SharePoint refers to tagging with several terms, each of which is somewhat ambiguous and is therefore used differently in different contexts. Content tagging or social tagging is the addition of terms to content to describe what it is, what it contains, and what it does. This is in contrast to expertise tagging, which is the association of terms with a person, to describe what the person does, what projects the person works on, and what skills the person has. Tags in SharePoint can be public or private. They can be assigned manually by a user or automatically.


Using Terms
Tags are everywhere in SharePoint Server 2010. You can tag items, documents, pages, and sites from the SharePoint Web interface or by using SharePoint-aware applications such as Microsoft Office 2010. One of the primary reasons to tag content is to make it easier to locate by browsing or by searching. SharePoint uses tags to provide metadata-driven navigation and filtering and to produce a tag cloud control. Tags can be used as search refiners, and tags can be used by the routing rules of the Content Organizer to route content to the appropriate location.

Benefits of the Managed Metadata Service


The managed metadata service offers features that are important for creating an enterprise information architecture:
Managed metadata separates the management of terms themselves from the columns that use the terms.
You can delegate term management to librarian roles, represented by the term group's Contributor and Group Manager roles.
You can support multiple languages. After you have installed a language pack, you can add installed languages as working languages for a term set. Then, you can select a term and specify the default label and other labels for each working language. Unlike the default language, you are not required to have a label for every term in a working language.
Managed terms encourage more consistent use of terminology. Terms are available across content types, site collections, Web applications, and even farms. Terms are findable, thanks to the term suggestions and term picker that are inherent in the managed metadata control. Finally, terms are used more accurately because they are presented in the context of their term set and can be found using synonyms and abbreviations.
Terms are dynamic. As soon as a keyword or term is added to the term store, it is available to all enterprise keyword or managed metadata columns in all Web applications that connect to the managed metadata service application. Changes to terms, including new labels, synonyms, and merged terms, cascade through the system.
Managed metadata can be used to refine search results and provide metadata-based navigation so that users can locate content more efficiently.

Extensibility
There is no out-of-the-box feature that connects the managed metadata service to external data sources or term stores. However, the managed metadata service is extensible. You can expect numerous solutions to be developed by independent software vendors and by the community. Tools will be available to migrate enterprise taxonomy from other sources into the managed metadata service and to integrate the managed metadata service with other taxonomy management tools.

Additional Reading
Managed metadata overview (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197216&clcid=0x409


Content Type Syndication

It is common for sites in different site collections to require similar content types. For example, the Legal department at Contoso creates a template for nondisclosure agreements (NDAs) and a content type for NDAs that uses the template and declares all new NDAs as records. Each of Contoso's business units has SharePoint site collections with document libraries in which NDAs are maintained. The content type can be published, in a manner of speaking, from the Legal department to all Contoso business units.

Sharing content types across site collections, Web applications, and farms is quite challenging in SharePoint 2007. The managed metadata service makes it easy in SharePoint 2010. Each managed metadata service application has a Content Type Hub property that specifies the URL of a site collection from which to publish content types. All other Web applications that connect to the managed metadata service receive copies of the content type from the content type hub, and updates made at the hub can be propagated. You must complete several steps to publish content types. They are described in the sections that follow.

Configure the Service Application


Each managed metadata service application has a Content Type Hub property that specifies the URL of a site collection from which to publish content types.

Configure the Content Type Hub of a Managed Metadata Service Application
1. In Central Administration, in the Application Management section, click Manage service applications.
2. Click the row of the managed metadata service application. Do not click the name of the service application. The name is a link that opens the Term Store Management Tool.
3. On the ribbon, click Properties.
4. In the Content Type hub box, type the URL of the site collection from which the service application will consume content types.
5. Select the Report syndication import errors from Site Collections using this service application check box, and then click OK. When a Web application tries to import the content types from its managed metadata service applications and encounters an error, the error is always logged to that Web application. This option creates a second error associated with the content type hub site collection so that import errors from all subscriber sites are centralized and can be viewed in one place: the hub.

Configure the Service Application Connection


Whereas the service application controls whether content types are published, and from which site collection, the application connection controls whether Web applications using that connection subscribe to the content types that are being published.

Configure Content Type Subscription for a Managed Metadata Service Application Connection
1. In Central Administration, in the Application Management section, click Manage service applications.
2. Click the row of the managed metadata service application connection. Do not click the name of the service application connection. The name is a link that opens the Term Store Management Tool.
3. On the ribbon, click Properties.
4. Select the Consumes content types from the Content Type Gallery check box.

Publish the Content Type


After a site collection has been designated as a content type hub, content types in the site collection can be published to the managed metadata service application, and thereby made available to other Web applications that use that managed metadata service application.

Publish a Content Type
1. In the content type hub site collection, click Site Actions, and then click Site Settings.
2. Click Site content types.
3. Click the content type that you want to publish.
4. Click Manage publishing for this content type.
5. Click Publish, and then click OK.

You can use the same Manage Publishing For This Content Type command to republish, or update, a content type and to unpublish a content type.

Run the Timer Jobs


Two timer jobs are responsible for content type syndication. The Content Type Hub job finds new content types in the designated content type hub. The Content Type Subscriber job (there is one for each Web application in the farm) imports content types from the content type hub of each managed metadata service application to which the Web application subscribes.

Manually Run Timer Jobs for Content Type Syndication
If you do not want to wait for content type syndication jobs to run, you can run them manually by completing the following steps:
1. In Central Administration, click Monitoring.
2. Click Review job definitions.
3. Click Content Type Hub.
4. Click Run Now.
5. Wait a few moments for the job to complete. Optionally, you can click Content Type Hub to return to the job definition. Refresh the page and monitor the Last run time property. When it updates to the current time, the job is complete.
6. Click Content Type Subscriber on the row for the subscriber Web application.
7. Click Run Now.
8. Wait a few moments for the job to complete. Optionally, you can click Content Type Hub to return to the job definition. Refresh the page and monitor the Last run time property. When it updates to the current time, the job is complete.


Manage Managed Metadata Service Applications

Create and Configure a Managed Metadata Service Application


You can use the Farm Configuration Wizard to create a managed metadata service application, if the farm does not already have one.

Create a Managed Metadata Service Application Using Central Administration
Farm administrators can create a managed metadata service application by following this procedure:
1. In Central Administration, in the Application Management section, click Manage service applications.
2. On the ribbon, click New, and then click Managed Metadata Service. The Create New Managed Metadata Service dialog appears.
3. In the Name box, type the name for the service application. The service application created by the Farm Configuration Wizard is Managed Metadata Service. If you are manually creating the first metadata application in your farm, you can use the same name so that the result looks familiar to SharePoint administrators. Alternately, you can consider using a name such as Managed Metadata Service Application, which is more accurate (it is a service application, after all).
4. In the Database Name box, type a name for the database. The database created by the Farm Configuration Wizard is Managed Metadata Service_GUID. If you are manually creating the first metadata application in your farm, you can use a similar name, perhaps without the GUID component, so that the result looks familiar to SharePoint administrators.
5. In the Application Pool section, select an existing application pool. Alternately, create a new application pool and select or create a managed account for the application pool identity.
6. Optionally, in the Content Type hub box, enter the URL to the site collection that will serve as the content type hub.
7. It is recommended that you select the Report syndication import errors from Site Collections using this service application check box. When a Web application tries to import the content types from its managed metadata service applications and encounters an error, the error is always logged to that Web application. This option creates a second error associated with the content type hub site collection so that import errors from all subscriber sites are centralized and can be viewed in one place: the hub.
8. When you create a new managed metadata service application, a connection to the newly created managed metadata service is automatically created in the same Web application as the service. If you want that connection to be added to the default application connection group, select the Add this service application to the farm's default list check box. Click OK.

Create a Managed Metadata Service Application Using Windows PowerShell
Use the New-SPMetadataServiceApplication cmdlet to create a managed metadata service application:
New-SPMetadataServiceApplication -ApplicationPool "<ApplicationPoolName>" -Name "<ServiceName>" -DatabaseName "<DatabaseName>" -DatabaseServer "<DatabaseServerName>" -HubUri "<HubURI>"

Where:
<ApplicationPoolName> is the name of an existing application pool in which the new managed metadata service should run.
<ServiceName> is the name of the new managed metadata service.
<DatabaseName> is the name of the database that will host the term store. Each managed metadata service must use a unique term store.
<DatabaseServerName> is the name of the database server that will host the term store.
<HubURI> is the URL of the site collection that contains the content type library that the new managed metadata service will provide access to.

A connection to the newly created managed metadata service is automatically created in the same Web application as the service.

Update a Managed Metadata Service Application Using Central Administration
1. In Central Administration, in the Application Management section, select Manage service applications.
2. Select the row that corresponds to the service to update.
Note: Do not select the row by clicking in the Name column. Clicking the name of the managed metadata service opens the Term Store Management Tool. Instead, click in another column in the same row.
3. On the ribbon, click Properties. You can then change any properties of the service application.

Update a Managed Metadata Service Application Using Windows PowerShell
Use the Set-SPMetadataServiceApplication cmdlet to update properties of a managed metadata service application:
Set-SPMetadataServiceApplication -Identity "<ServiceApplication>" -HubURI "<HubURI>"

Where:
<ServiceApplication> is the name of the managed metadata service application that you are modifying.
<HubURI> is the URL of the site collection that contains the content type library that the new managed metadata service will provide access to.

Delete a Managed Metadata Service Application
You can delete a managed metadata service application by using the Manage Service Applications page. Click Delete on the ribbon.

Publish and Connect to Managed Metadata Service Applications Across Farms
SharePoint 2010 supports publishing some service applications across farms. The managed metadata service is one such application. See Module 8, "Configuring and Securing SharePoint Services and Service Applications," for more details.

Additional Reading
Create, update, publish, and delete a managed metadata service application (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197217&clcid=0x409

Configure a Managed Metadata Service Application Connection


Web applications must connect to a managed metadata service application to have the opportunity to use term sets in the term store and to subscribe to content types from the content type hub. Previously, you learned that application connections provide a way for a Web application to connect to a service application. Application connections, also called proxies, are grouped into connection groups, also called proxy groups. Typically, Web applications connect to services using connections that are part of a defined connection group that can be used by other Web applications. The farm has a default connection group, and you can create additional connection groups. You can also define a custom connection group for a single Web application, and this custom connection group will not be available for other Web applications.

To use managed metadata, a Web application must have a connection to a managed metadata service. A Web application can have connections to multiple services, and the services can be local to the Web application (that is, in the same farm as the Web application) or remote (that is, in another farm). When you create a managed metadata service, a connection to the service is created automatically in the same Web application as the service. As you learned in a previous section, when you create a managed metadata service, the connection is added to the default connection group unless you clear the Add This Service Application To The Farm's Default List check box.

You do not need to, and cannot, create additional connections to a managed metadata service in the local farm. However, if you want to connect to a managed metadata service in a remote farm, you must create a connection. In Central Administration, on the Manage Service Applications page, click Connect, and then click Managed Metadata Service. The process of connecting to service applications in remote farms is detailed in Module 8.
After a connection to a managed metadata service has been created, you can configure the following four options:
Default keyword location. If selected, Web applications using this connection store new enterprise keywords in the keyword set in the term store associated with this managed metadata service.
IMPORTANT: For a given Web application, do not make more than one connection the default keyword location. If no connection is specified as the default keyword location, users cannot create new enterprise keywords.
Default term set location. Web applications using this connection store local term sets (custom term sets created for site columns in site collections in the Web application) in this managed metadata service's term store.
IMPORTANT: For a given Web application, do not define more than one connection as the default term set location. If no connection is specified as the default term set location, users can specify only an existing term set when they create a site column whose data type is managed metadata.
Use of content types. You can use this option to decide whether to make the content types that are associated with this managed metadata service (if any) available to users of sites in this Web application. This option is available only if the service has a hub defined to share content types.
Pushing down content type publishing updates from the content type gallery to subsites and lists using the content type. Use this option to update existing instances of the changed content types in subsites and libraries.
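The two IMPORTANT notes above can be checked across the farm instead of opening each connection's Properties dialog. The following PowerShell is an added example, not part of the courseware: it assumes the SharePoint 2010 Management Shell on a farm server, and it assumes the four options are stored in the connection's property bag under the key names shown; the function names are hypothetical.

```powershell
# Added example, not from the courseware. Read-only: it changes nothing.
# Assumes the SharePoint 2010 Management Shell (PowerShell 2.0) on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: each option is a Boolean in the proxy's property bag.
# A missing key is treated as "not selected".
function Test-ConnectionFlag($Proxy, $Key) {
    return [bool]($Proxy.Properties[$Key] -eq $true)
}

# One row per managed metadata connection visible to the given Web application,
# with the four options described in the text.
function Get-MetadataConnection($WebApp) {
    $WebApp.ServiceApplicationProxyGroup.Proxies |
        Where-Object { $_ -and $_.GetType().Name -eq 'MetadataWebServiceApplicationProxy' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                WebApplication         = $WebApp.Url
                Connection             = $_.DisplayName
                DefaultKeywordLocation = (Test-ConnectionFlag $_ 'IsDefaultKeywordTaxonomy')
                DefaultTermSetLocation = (Test-ConnectionFlag $_ 'IsDefaultSiteCollectionTaxonomy')
                ConsumesContentTypes   = (Test-ConnectionFlag $_ 'IsNPContentTypeSyndicationEnabled')
                PushDownUpdates        = (Test-ConnectionFlag $_ 'IsContentTypePushdownEnabled')
            } | Select-Object WebApplication, Connection, DefaultKeywordLocation,
                DefaultTermSetLocation, ConsumesContentTypes, PushDownUpdates
        }
}

# Turns a count of default locations into a finding, using the consequences
# stated in the text for "none" and "more than one".
function Get-DefaultFinding($Count, $Label, $IfNone) {
    if ($Count -eq 1) { return 'OK' }
    if ($Count -eq 0) { return "No default $Label location: $IfNone" }
    return "$Count connections are the default $Label location; keep only one"
}

# One row per Web application, including those with no managed metadata connection.
function Get-DefaultLocationReport {
    foreach ($webApp in @(Get-SPWebApplication)) {
        $rows     = @(Get-MetadataConnection $webApp)
        $keywords = @($rows | Where-Object { $_.DefaultKeywordLocation }).Count
        $termSets = @($rows | Where-Object { $_.DefaultTermSetLocation }).Count

        New-Object PSObject -Property @{
            WebApplication = $webApp.Url
            Connections    = $rows.Count
            Keyword        = (Get-DefaultFinding $keywords 'keyword' `
                                 'users cannot create new enterprise keywords')
            TermSet        = (Get-DefaultFinding $termSets 'term set' `
                                 'site columns can use only existing term sets')
        } | Select-Object WebApplication, Connections, Keyword, TermSet
    }
}

# Usage:
# Get-DefaultLocationReport | Format-List
# Get-SPWebApplication | ForEach-Object { Get-MetadataConnection $_ } | Format-Table -AutoSize
```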

Update a Managed Metadata Service Application Connection Using Central Administration
1. In Central Administration, in the Application Management section, select Manage service applications.
2. Select the row that corresponds to the service application connection to update. Do not select the row by clicking in the Name column. Clicking the name of the managed metadata service opens the Term Store Management Tool. Instead, click in another column in the same row.
3. On the ribbon, click Properties. You can then change any properties of the service application connection.

Additional Reading
Create, update, and delete a managed metadata service connection (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197218&clcid=0x409
Plan to share terminology and content types (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197219&clcid=0x409

Multiple Managed Metadata Service Applications


The design of managed metadata service applications is beyond the scope of this course; however, it is worth remembering that each managed metadata service application provides a distinct term store, giving the opportunity to delegate administration distinctly. Each managed metadata service application also publishes one content type hub.

Most enterprises use one managed metadata service (the primary managed metadata service) to provide enterprise taxonomy services to every Web application. The primary managed metadata service supports the default keyword set and is the term set location for all site-specific (local) term sets. You can deploy additional managed metadata service applications to publish content types from additional hubs. Occasionally, you might deploy additional managed metadata service applications to provide specific term stores.


Additional Reading
Plan to share terminology and content types (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197219&clcid=0x409
Managed metadata service application overview (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkId=201254


Roles, Capabilities, and Permissions

A number of roles, capabilities, and permissions determine a user's ability to modify or use terms in a term store. A managed metadata service application and its term store can be modified directly, with Central Administration or the Term Store Management Tool, and by site administrators and end users on a site.

Modify the Term Store from Central Administration


Farm and service application administrators can perform tasks related to managed metadata service applications by using the Manage Service Applications page of Central Administration.

Modify the Term Store with the Manage Service Applications Page

The following roles can perform tasks related to managing managed metadata service applications and connections:

Farm Administrators. Farm administrators can create and connect to managed metadata service applications and term stores, can delete a managed metadata service application or connection, can assign permissions to the service, and can manage the Term Store Administrators role.

Service Application Administrators. A farm administrator can delegate administration of a managed metadata service application to users who are not farm administrators. A service application administrator for a managed metadata service application has full control over the application and therefore can modify any property of the managed metadata service application and can even delete the application.

Modify the Term Store with the Term Store Management Tool

The following roles can perform tasks on the term store by using the Term Store Management Tool:

Contributors. A term group's Contributors have full permission to edit terms and term set hierarchies in the term group. Contributors can do the following within a term group:
    Create, rename, copy, reuse, move, and delete term sets.
    Modify all term set properties.
    Create, rename, copy, reuse, merge, deprecate, move, and delete terms.
    Modify all term properties.

Group Managers. A term group's Group Managers have Contributor permissions plus the ability to import term sets. Group Managers can also add users to the Contributors role.

Term Store Administrators. Term Store Administrators have full control over the term store. Term Store Administrators can perform all actions of Group Managers, can create and delete term groups, and can assign users to the Group Managers role. Term Store Administrators can also modify the default and working languages of a term set.

Modify the Term Store from a Site


You can modify a term store from a site as well.

Modify the Term Store with Managed Metadata and Keyword Controls

All users can make changes to the term store in the context of a task by interacting with the managed metadata and managed keyword controls. Presuming that a user has permission to change an item or document that uses a managed metadata column or an enterprise keywords column, the user can do the following:

Add terms to a term set. By using the managed metadata control, a user can add a term to a term set. The term set must have an open submission policy, the managed metadata service application must allow writes to the term store (part of the Restricted connection permission), and the column must allow fill-in choices.

Add keywords to the keyword set. By using the managed keyword control, a user can add a keyword to a keyword set. The Web application must have a managed metadata service application connection that designates the managed metadata service application as the default storage location for keywords. The managed metadata service application must allow writes to the keyword set (part of the Restricted connection permission), and the column must allow fill-in choices.

Modify the Term Store with the Managed Column Properties Page

A user with permission to add or modify columns can do the following:

Create a local term set. An administrator of a site can create a local term set that is available only to sites in the site collection. This local term set, also called a site collection term set or a column-specific term set, is stored in the managed metadata service term store specified by the Web application's connections as the default term set location. The default term set location must be specified, and the user must have permission to create or modify columns in the site.

Informational Roles
The term set Owner, Contact, and Stakeholders properties are informational only. They are used to document individuals and groups that have an interest in the term set. The properties do not convey any permission of any kind. However, the Contact email address is used to create a Submit Feedback link in the managed keyword control so that users can propose changes or request new terms by email.

Use Terms
Numerous tasks can be performed that use managed metadata. These tasks are performed in the user interface and security context of the task.


Create new managed metadata columns. Users with permission to create columns can create a managed metadata column that validates its terms against a local or global term set.

Add managed metadata columns to content types. Users with permission to create content types can create a content type that includes a managed metadata column or an enterprise keywords column.

Add managed metadata to SharePoint documents and items. Users with permission to create or modify content can use the managed metadata control and managed keyword control in managed metadata columns and enterprise keyword columns, respectively, to tag content.

Add enterprise keywords to non-SharePoint items. If social tagging is allowed, users can add tags from the keyword set to non-SharePoint items, such as external Web sites or blog posts.

Create and refine queries based on term sets. Users can use terms in term sets in search queries, and, when a list of search results is returned, they can use terms in term sets to create refiners, which are filters that narrow down search results.

Connection Permissions
A managed metadata service application, by default, allows all Web applications that connect to it to have full access to the term store. With this default, all Web applications connecting to the managed metadata service application can perform all of the activities listed previously. Some scenarios may require restricting the capabilities of specific Web applications. To support these scenarios, a managed metadata service application has connection permissions.

Configure Connection Permissions

Connection permissions are configured in Central Administration on the Manage Service Applications page.

1. In Central Administration, click Application Management.
2. Click the row of the managed metadata service application. Do not click the name of the service application. The name is a link that opens the Term Store Management Tool.
3. On the ribbon, click Permissions.

By default, the Local Farm group has Full Access To Term Store permission. The Local Farm group includes all app pools for all Web applications in the farm. To restrict permissions, you must first remove the permission assigned to Local Farm. You can then add individual Web application app pool accounts and assign permissions to the accounts.

Connection permissions are as follows:

Read Access To Term Store. This permission grants read access to the term store and content types that are associated with the managed metadata service. A Web application with this permission to the managed metadata service can use terms and content types from the managed metadata service but cannot make any changes.

Read And Restricted Write Access To Term Store. This permission grants Read access to the term store and content types that are associated with the managed metadata service. Additionally, this permission grants the ability to create local term sets and to add terms to open term sets, and permission to create enterprise keywords. A Web application with this permission can allow users to create local term sets, to add keywords, and to add terms to open global term sets.

Full Access To Term Store. This permission grants Read and Write access to the term store and Read access to content types that are associated with the managed metadata service. A Web application with this permission can publish content types to the content type hub and can manage terms and term sets.

To reiterate, the default permission for all Web applications is Full Access To Term Store. With this permission in place, a user's capabilities are governed by permissions on the term store, on the site collection, and on content in the site. Any permission more restrictive than this limits the activities that were listed earlier in this topic.

The following table summarizes connection permissions.

| Action | Read | Restricted | Full |
|---|---|---|---|
| View terms and term sets | Yes | Yes | Yes |
| Add existing terms and existing enterprise keywords to documents and list items | Yes | Yes | Yes |
| Bind columns to existing term sets | Yes | Yes | Yes |
| View and use content types from the content type hub (if the service provides a hub) | Yes | Yes | Yes |
| Add new terms to open term sets | | Yes | Yes |
| Create new enterprise keywords (if the connection is configured to enable this) | | Yes | Yes |
| Create local term sets (if the connection is configured to enable this) | | Yes | Yes |
| Add and modify content types in the content type hub (if the service provides a hub) | | | Yes |
| Manage terms and term sets (if the user is authorized to do this) | | | Yes |

Additional Reading
Plan to share terminology and content types (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197219&clcid=0x409
Managed metadata service application overview (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkId=201254


Lab B: Configuring Managed Metadata

Scenario
The knowledge management team at Contoso is excited about the ability of SharePoint 2010 to support an enterprise taxonomy. They have asked you to prototype the functionality of the managed metadata service and of terms.

Exercise 1: Configuring and Implementing Managed Metadata


In this exercise, you create a term set of departments at Contoso. You use the term set as metadata in a list that helps you keep track of help desk support requests. The main tasks for this exercise are as follows:

1. Assign Term Store Administrators.
2. Create a group, a term set, and terms.
3. Add a managed metadata column to a list.
4. Add items with managed metadata.
5. Configure metadata navigation.

Task 1: Assign Term Store Administrators.


In Central Administration, assign CONTOSO\SP_Admin as a Term Store Administrator.

Task 2: Create a group, a term set, and terms.


In Term Store Management, create a new group named Organization.
Create a new term set named Department.
Configure the term set with a closed submission policy.
Add terms for the following departments: Marketing, Finance, IT, and Sales.


Task 3: Add a managed metadata column to a list.


Open Internet Explorer, and then browse to http://intranet.contoso.com/sites/IT.
Create a new custom list named SupportRequests.
Create a single-line text column named User Name.
Create a managed metadata column named Department using the Department term set.
Create a managed metadata column named Request Type using a custom term set.
Configure the custom term set with an open submission policy.

Task 4: Add items with managed metadata.


Add the following items to the Support Requests list:

| Title | User Name | Department | Request Type |
|---|---|---|---|
| Create a new account for Andy Ruth | AndyR | Finance | New User |
| Reset password for Christa Geller | ChristaG | IT | Password Reset |
| Problem starting computer | FrankM | Marketing | Desktop Support |
| Create a new account for Sean Chai | SeanC | Sales | New User |
| Reset password for Lola Jacobsen | LolaJ | Sales | Password Reset |

Tip: To add a new term you must add it to the term store by clicking the Browse For A Valid Choice icon, and then clicking the Add New Item link.

Tip: Use the Suggestions list to enter departments without having to type the entire department name.

Task 5: Configure metadata navigation.


Configure the metadata navigation settings of the SupportRequest list so that Department and Request Type are the selected hierarchy fields.
Observe the tree view below the Quick Launch.
Click the terms in the Department and Request Type term sets to filter the list.

Results: After this exercise, you should have created term sets and a SupportRequest list with managed metadata columns, and you should have configured metadata navigation to filter the list.

To prepare for the next module.


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog, click Revert.


Module Review and Takeaways

Review Questions
1. Why does list throttling benefit the users of a SharePoint farm?
2. What are the advantages of using RBS with SharePoint?
3. What advantage does the managed metadata service provide to an enterprise that is implementing an information architecture?
4. What are the advantages of using metadata navigation?

Configuring Authentication


Module 5
Configuring Authentication
Contents:
Lesson 1: Understanding Classic SharePoint Authentication Providers
Lesson 2: Understanding Federated Authentication
Lab A: Configuring Custom Authentication
Lab B: Configuring Secure Store


Module Overview

Authentication is the process of verifying the identity of a user making a request to an application. The application must be assured that the user is authentic before the system performs authorization, which is the process of verifying that the user has permission to make the request, and personalization, which determines how the application interacts with the user.

Objectives
After completing this module, you will be able to:

Describe Microsoft SharePoint Server 2010 authentication.
Describe SharePoint Server 2010 federated authentication.


Lesson 1

Understanding Classic SharePoint Authentication Providers

Classic-mode authentication is one of two types of authentication supported by SharePoint 2010. Classic-mode authentication supports one authentication provider (Windows) and several methods of Windows authentication, each of which is described in this lesson. You can use classic-mode authentication in simple environments that do not require the benefits of claims-based authentication.

Objectives
After completing this lesson, you will be able to:

Describe identity and classic-mode authentication.
Configure classic-mode authentication.
Describe integrated Windows authentication.
Configure Kerberos authentication.
Describe additional Windows authentication methods.
Configure the Secure Store Service.


Identity and Authentication in SharePoint

SharePoint Server 2010 is a distributed application that is logically divided into three tiers: the front-end Web server tier, the application server tier, and the back-end database tier. Each tier is a trusted subsystem, and authentication can be required, and by default is required, for access to each tier. Controlling access to each tier requires an authentication provider. Authentication providers are software components that support specific authentication methods.

In SharePoint Server 2010, there are two types of authentication:

Classic-mode authentication. Classic-mode authentication is the same type of authentication that was used in Microsoft Office SharePoint Server 2007. Classic-mode authentication uses Microsoft Windows as the authentication provider.

Claims-based authentication. Claims-based authentication is a new authentication mode, built on the Windows Identity Framework (WIF). It supports Windows authentication, just as classic mode does, as well as forms-based authentication (FBA) and Security Assertion Markup Language (SAML) token-based authentication.

If you are upgrading from Microsoft Office SharePoint Server 2007, consider using classic-mode authentication if you have no plans to implement forms-based authentication or SAML token-based authentication in the future. If you ever plan to use forms-based authentication or SAML token-based authentication, claims-based authentication is a requirement because classic-mode authentication only supports the Windows authentication provider.

FBA is not supported by classic-mode authentication, even though FBA was supported in SharePoint 2007. You must use claims-based authentication to use FBA.

The table below summarizes the authentication modes, providers, and methods. You will learn about each as this lesson progresses.

| Type | Provider | Methods |
|---|---|---|
| Classic | Windows | Anonymous, Basic, Digest, Certificates, NTLM, Negotiate (Kerberos or NTLM) |
| Claims-based | Windows | Anonymous, Basic, Digest, Certificates, NTLM, Negotiate (Kerberos or NTLM) |
| Claims-based | FBA | LDAP, SQL database, Other DB, Custom |
| Claims-based | SAML | ADFS 2.0, Windows Live ID, Third Party |


Configure Classic-Mode Authentication

You can configure classic-mode authentication (CMA) when you create a new Web application, or afterward by editing the Web application's authentication settings. Both situations are described below.

Create a New Web Application


When you create a Web application, you can specify authentication settings on the Create New Web Application page. In the authentication section of the page, you can select classic-mode authentication.

Edit Authentication
After a Web application is created, you can modify authentication settings on the Edit Authentication page. You will then be able to change the settings for Security Configuration, and review the settings under Authentication Type. You can access the Edit Authentication page from the Web Applications Management or the Authentication Providers page.

To configure authentication settings from the Web Applications Management page, follow these steps:

1. In the Central Administration Quick Launch, click Application Management.
2. In the Web Applications section, click Manage web applications.
3. Select the Web application that you want to modify.
4. On the ribbon, click Authentication Providers.
5. Click the link to the zone that you want to modify. By default, each new Web application has a single zone, called Default. You will learn more about zones later in this module. The Edit Authentication page appears.
6. Make your changes, and then click Save.


To configure authentication settings from the Authentication Providers page, follow these steps:

1. In the Central Administration Quick Launch, click Security.
2. In the Web Applications section, click Specify authentication providers.
3. Click the Web Application menu to select the Web application that you want to modify.
4. Click the link to the zone that you want to modify. The Edit Authentication page appears.
5. Make your changes, and then click Save.


Integrated Windows Authentication

Windows authentication is available in both classic-mode and claims-based authentication. However, when a Web application is using classic-mode authentication, only the Windows authentication provider is supported. Windows authentication supports the following authentication methods:

Integrated Windows authentication. Can use either NT LAN Manager (NTLM) or Negotiate (Kerberos or NTLM) authentication methods.

Basic. In the same fashion as Windows authentication, basic authentication relies on a set of credentials for the user in Active Directory. However, basic authentication enables a Web browser to submit credentials while making an HTTP request, and so the credentials are sent in plaintext, and unencrypted, to the server.

Anonymous. Anonymous authentication enables users to connect to a Web application without providing credentials.

Digest. Digest authentication provides the same functionality as basic authentication, but with increased security. User credentials are encrypted instead of being sent over the network in plain text.

Client certificates. Client-certificate authentication supports the exchange of public key certificates using Secure Sockets Layer (SSL) encryption over HTTP.

NTLM
NTLM is the most established form of authentication in Microsoft products, as it was introduced more than a decade ago.

The Process Behind NTLM Authentication

When a user logs on to a computer, the user is prompted for a user name and password. The user name is sent to the domain controller, but the password is never sent over the network. Instead, a hash of the password is passed through a one-way hashing algorithm (the challenge) by both the client and the domain controller through an encrypted challenge/response protocol. The client sends the result (the response) to the domain controller. If the result matches what the domain controller obtained, then the password entered by the user must have been correct, and the user is authenticated.

It gets more complicated when a user connects to a server, such as a SharePoint server. If the SharePoint server is a member server, not a domain controller, then it has no way of knowing the user's password. Therefore, when the user connects to the server, the server has to pass the authentication request to a domain controller. If the domain controller responds to the server that the user is valid, then the authentication succeeds.

NTLM Summary

While NTLM is not the most efficient authentication method, and while it is slightly less secure than Kerberos, it is often chosen as the authentication method for SharePoint Web applications because it is easy to set up.

Kerberos
Kerberos is the default authentication method for Windows clients and servers in an Active Directory domain.

The Process Behind Kerberos Authentication

Kerberos uses a process that involves encrypted tickets to verify authenticity. When a user logs on and authenticates with the domain, the domain controller's Key Distribution Center (KDC) issues the user a ticket-granting-ticket (TGT) that effectively represents that the user has been authenticated. For the lifetime of the TGT (ten hours by default) the user no longer needs to be authenticated.

When the user wants to connect to a service, such as a SharePoint Web application that uses Kerberos authentication, the client application returns to a domain controller's KDC, presents the TGT, which confirms that the client has already been authenticated, and requests from a domain controller a service ticket for the specific service to which the client will connect. The client then goes to the service and presents the service ticket. Because the entire process is encrypted with keys unique to each requestor (the client, the service, and the domain), the service is able to examine the service ticket and determine that it is being presented by an authenticated client. The service ticket contains the client's identity and roles; the session is established.

Summary of Kerberos Authentication

One of the benefits of Kerberos is that when the client connects to the service, the service does not have to pass the authentication request to a domain controller, as in NTLM. Instead, the client's ticket for the service ensures the client has been authenticated. This results in improved authentication performance for Kerberos as compared with NTLM. Another benefit is that Kerberos tickets can be delegated (forwarded or proxied) between tiers.
For example, a client connecting to a Web site provides a Kerberos ticket, and the Web site can pass the ticket to a back-end data source that can authenticate the user for data access. The Web tier does not need to know the user's password to achieve this double-hop authentication. The Web tier also does not need permissions to the back-end data source, since it is all done by using the authentication of the client.

Kerberos is considered by many organizations to be a preferable authentication mechanism because of the following advantages:

More secure than NTLM. Kerberos protocols ensure mutual authentication, which prevents what are called man-in-the-middle attacks, whereby a rogue service could pretend to be a domain controller and intercept authentication requests from clients. Kerberos tickets also contain timestamps that reduce the likelihood of replay attacks, in which an authentication token can be intercepted and used later for malicious purposes.


More scalable than NTLM. Kerberos supports authentication across trusted realms and, because it is an industry standard, is supported by platforms other than Windows.

Supports delegation. Delegation was explained previously. It allows a service to impersonate a user without knowing the user's password. Windows Server 2003 and later support constrained delegation as well, which adds a further level of security to the implementation of Kerberos in a Windows enterprise.

Reduced load on domain controllers. Kerberos requires fewer trips to a domain controller for authentication than NTLM.

The disadvantage of Kerberos is that it requires additional steps to configure, for example, setting the SPN entries for services.

Kerberos Constrained Delegations


Kerberos constrained delegation is used in many implementations of SharePoint, PerformancePoint, Reporting Services, and so forth. It is required when you do a double hop, such as between a SharePoint server and a Microsoft SQL Server Reporting Services server.

Constrained delegation is not required for Kerberos to work with SharePoint 2010, but it is highly recommended. Constrained delegation restricts which services are allowed to delegate user credentials. This prevents unauthorized applications from logging into remote services on behalf of the user. If you choose to configure constrained delegation, we recommend that you test your Kerberos configuration with unconstrained delegation and resolve any issues you might encounter prior to configuring constrained delegation.

To configure constrained delegation, you must specify which services trust the application pool identity to present credentials. For constrained delegation to work properly, each application pool identity must be trusted for delegation for the specific services associated with the data source.

Considerations and Known Issues


Web applications that will use Kerberos should be running on an application pool that uses a domain account. If you have used local accounts to install and configure SharePoint, then you would need to change the account through Central Administration (not through IIS).

A service principal name (SPN) has to be registered in the domain controller being used.

Kernel-mode authentication has to be disabled in order to use the app pool account to receive the ticket from the KDC.

Crawl has problems with communication and ticket handling when the site is running on ports other than the defaults (HTTP: 80 and HTTPS: 443) and is configured for Kerberos authentication.

Kerberos authentication requires the creation of SPNs in Active Directory Domain Services (AD DS). If the services to which these SPNs correspond are listening on non-default ports, the SPNs should include port numbers.

Negotiate (Kerberos or NTLM)


To use Kerberos authentication, select the Negotiate (Kerberos or NTLM) authentication method. Negotiate tries to use Kerberos authentication. However, if Kerberos authentication is not supported in the deployed environment, or if the client does not support Kerberos, authentication falls back to NTLM.

IIS passes the Negotiate security header when Windows Integrated authentication is used to authenticate client requests. The Negotiate security header lets clients select between Kerberos authentication and NTLM authentication. The Negotiate process selects Kerberos authentication unless one of the following conditions is true:

One of the systems involved in the authentication cannot use Kerberos authentication.
The calling application does not provide enough information to use Kerberos authentication.

If the Negotiate process cannot use the Kerberos protocol, the Negotiate process selects the NTLM protocol.


Configure Kerberos Authentication

Configuring Kerberos authentication requires that you create service principal names, or SPNs, for your SharePoint services, Web applications, and SQL Server. To summarize the process of Kerberos authentication, it is important to keep in mind that when a client wants to connect to a Web application that uses Kerberos authentication, the client requests a service ticket from a domain controller's KDC. The request indicates the service to which the client will connect by specifying the service's SPN. The SPN is made up of the following three components:

1. The service class for the request, which is always HTTP. The HTTP service class includes both the HTTP and HTTPS protocols.
2. The host name.
3. The port (if not port 80) of the Web application.

For example, a request to http://intranet.contoso.com on port 80 equates to an SPN of HTTP/intranet.contoso.com. Note that the SPN syntax uses a single forward slash between the service class and host name portions of the name. A request to http://sp2010-wfe1:9999 for Central Administration equates to an SPN of HTTP/sp2010-wfe1:9999.

A security principal (a user or computer account in Active Directory) can have one or more associated SPNs. When a domain controller's KDC receives the service ticket request from a client, it looks up the requested SPN. The KDC then creates a session key for the service and encrypts the session key with the password of the account with which the SPN is associated. The KDC issues a service ticket, containing the session key, to the client. The client presents the service ticket to the service. The service, which knows its own password, decrypts the session key, and authentication is complete.

If a client submits a service ticket request for an SPN that does not exist in the identity store, no service ticket can be established, and an access denied error occurs for the client.


For this reason, each component of a SharePoint infrastructure that uses Kerberos authentication requires at least one SPN. For example, the intranet Web application app pool account must have an SPN of HTTP/intranet.contoso.com. Note that it is the app pool, not the server, that is associated with the SPN, because the app pool is the security context within which the service (the Web application in this case) is running. It also makes sense if you consider that each SPN can be associated with only one security principal. Therefore, if a Web app is load balanced (running on several servers), it is the one app pool account that is constant across all servers and therefore must have the SPN.

For each Web application, you should assign two SPNs: one with the fully qualified domain name for the service, and one with the NetBIOS name of the service. That's why the intranet Web application pool account should also be assigned an SPN of HTTP/intranet. In many environments, a single application pool may be used by multiple Web applications. The app pool account should be given a pair of SPNs for each of its Web applications that use Kerberos authentication.

Configure Service Principal Names for a Service or Application Pool Account Using ADSI Edit

To configure an SPN for a service or application pool account, you must have domain administrative permissions or a delegation to modify the servicePrincipalName property.

1. Start ADSI Edit.
2. In the console tree, right-click ADSI Edit, and then click Connect To.
   The Connection Settings dialog box appears.
3. Click OK.
4. In the console tree, expand Default naming context, expand the domain, and then expand the nodes representing the OU(s) in which the account exists. Click the OU in which the account exists.
5. In the details pane, right-click the service or application pool account, and then click Properties.
   The Properties dialog box appears.
6. In the Attributes list, double-click servicePrincipalName.
   The Multi-Valued String Editor dialog box appears.
7. In the Value to Add field, type the SPN, and then click Add.
   Repeat Step 7 for additional SPNs. Remember that an app pool account should have two SPNs, in the form HTTP/site.domain.com and HTTP/site, for each Web application that uses Kerberos authentication in the app pool. Remember also to add the port number if the site runs on a port other than port 80, for example, HTTP/site.contoso.com:9999 and HTTP/site:9999.
8. Click OK.
9. Click OK.

Configure Service Principal Names for a Service or Application Pool Account Using SetSPN

You can also use the command line tool Setspn.exe to add SPNs to an account. The following example adds the SPNs for the intranet Web application to the app pool account:

setspn CONTOSO\SP_Service -a HTTP/intranet.contoso.com
setspn CONTOSO\SP_Service -a HTTP/intranet

Type Setspn.exe /? for more information. Be careful when using Setspn.exe: many typing mistakes do not cause an error message, but result in configuration problems.


Configure Service Principal Names for SQL Server

To configure Kerberos authentication for SQL Server, you will need to add SPNs to the SQL Server service account, for example, CONTOSO\SVC_SQL. By default, SQL Server communication is over port 1433, so the two SPNs for a SQL Server running on a server named SQLSERVER01 would be the following:

MSSQLSvc/sqlserver01:1433
MSSQLSvc/sqlserver01.contoso.com:1433
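The SPN rules in this section (HTTP service class for both protocols, a port suffix only for non-default ports, an FQDN and a NetBIOS form per Web application, each SPN held by only one account) can be checked before anything is typed into Setspn.exe. The following PowerShell is an added example, not part of the course material; the function names, the CONTOSO\SP_Farm account and the inventory table are constructed for illustration, and treating 443 as the default port for https is an assumption.

```powershell
# Added example, not part of the course material. All sample data is constructed.

function Get-WebAppSpn {
    # Returns the SPNs (FQDN form, then NetBIOS form) for a Web application URL.
    param([Parameter(Mandatory=$true)][uri]$Url)

    if (-not $Url.IsAbsoluteUri -or @('http', 'https') -notcontains $Url.Scheme) {
        throw "Not a Web application URL: $Url"
    }
    if ($Url.HostNameType -ne [System.UriHostNameType]::Dns) {
        throw "Use a DNS or NetBIOS host name, not an IP address: $($Url.Host)"
    }

    # The service class is HTTP for both http:// and https:// sites.
    # Assumption: 443 on https is treated as a default port, like 80 on http.
    $suffix = if ($Url.IsDefaultPort) { '' } else { ':' + $Url.Port }

    $fqdn  = $Url.Host.ToLower()
    $short = $fqdn.Split('.')[0]
    $spns  = @("HTTP/$fqdn$suffix")
    if ($short -ne $fqdn) { $spns += "HTTP/$short$suffix" }
    $spns
}

function Compare-SpnPlan {
    # Compares planned SPNs with an inventory (SPN -> owning account).
    # An SPN can belong to only one security principal, so a different owner is a conflict.
    param(
        [Parameter(Mandatory=$true)][string[]]$Spn,
        [Parameter(Mandatory=$true)][string]$Account,
        [Parameter(Mandatory=$true)][hashtable]$Inventory
    )
    foreach ($s in $Spn) {
        $owner = $Inventory[$s]          # string keys are matched case-insensitively
        if (-not $owner)             { $state = 'Missing'  }
        elseif ($owner -eq $Account) { $state = 'Present'  }
        else                         { $state = 'Conflict' }
        New-Object PSObject -Property @{ Spn = $s; State = $state; Owner = $owner }
    }
}

function Find-MalformedSpn {
    # Flags entries that are not in the class/host[:port] form used in this section,
    # the kind of typing mistake that Setspn.exe accepts without an error.
    param([Parameter(Mandatory=$true)][hashtable]$Inventory)
    $Inventory.Keys | Where-Object { $_ -notmatch '^[A-Za-z][A-Za-z0-9]*/[^/:\s]+(:\d+)?$' }
}

# Constructed inventory: one conflict and one typo are planted on purpose.
$inventory = @{
    'HTTP/intranet.contoso.com'             = 'CONTOSO\SP_Service'
    'HTTP/intranet'                         = 'CONTOSO\SP_Farm'      # held by another account
    'HTTP//clients.contoso.com'             = 'CONTOSO\SP_Service'   # double slash typo
    'MSSQLSvc/sqlserver01:1433'             = 'CONTOSO\SVC_SQL'
    'MSSQLSvc/sqlserver01.contoso.com:1433' = 'CONTOSO\SVC_SQL'
}

$plan = Get-WebAppSpn -Url 'http://intranet.contoso.com'
Compare-SpnPlan -Spn $plan -Account 'CONTOSO\SP_Service' -Inventory $inventory |
    Format-Table Spn, State, Owner -AutoSize

Find-MalformedSpn -Inventory $inventory
Get-WebAppSpn -Url 'http://sp2010-wfe1:9999'
```

In a domain, the inventory can be filled from the output of setspn -l for each service account.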

Additional Reading
- Plan for Kerberos Authentication (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197059&clcid=0x409
- Kerberos (Windows Server 2008 and Windows Server 2008 R2 Technical Library) at http://go.microsoft.com/fwlink/?LinkID=197060&clcid=0x409
- Kerberos Authentication Technical Reference (Windows Security Collection) at http://go.microsoft.com/fwlink/?LinkID=197061&clcid=0x409
- Windows Authentication at http://go.microsoft.com/fwlink/?LinkID=197062&clcid=0x409
- Kerberos Explained at http://go.microsoft.com/fwlink/?LinkID=197063&clcid=0x409
- How to use SPNs when you configure Web applications that are hosted on Internet Information Services at http://go.microsoft.com/fwlink/?LinkID=197065&clcid=0x409
- SETSPN at http://go.microsoft.com/fwlink/?LinkID=198479&clcid=0x409


Additional Windows Authentication Methods

Although NTLM or Negotiate (Kerberos or NTLM) are the most commonly-used authentication methods, classic-mode and Windows authentication also support anonymous, basic, digest, and client certificate authentication methods.

Anonymous
You can enable anonymous authentication on either the Create New Web Application or Edit Authentication pages. Anonymous authentication does not provide anonymous users with permission to view content within a Web application. Anonymous access must be granted at the securable object level. You can grant anonymous users permission to an entire site or to specific lists and libraries.

Basic
Basic authentication relies on the exchange of plaintext, unencrypted credentials. If you choose to use basic authentication, it is recommended that you enable Secure Sockets Layer (SSL) encryption to provide a secure implementation.

Digest
User credentials are sent as an MD5 message digest in which the original user name and password cannot be deciphered. Digest authentication uses a challenge/response protocol that requires the authentication requestor to present valid credentials in response to a challenge from the server. To authenticate against the server, the client has to supply an MD5 message digest in a response that contains a shared secret password string. Digest authentication for SharePoint is not particularly common. To implement digest authentication, you must:

1. Select Windows authentication in Central Administration.
2. Configure the IIS Web site for digest authentication.


Client Certificates
Client certificates are issued by a Certificate Authority (CA), and they must conform to the Public Key Infrastructure (PKI). To implement client certificate authentication, you must:

1. Select Windows authentication in Central Administration.
2. Configure the IIS Web site for certificate authentication.
3. Enable SSL.
4. Obtain and configure certificates from a CA.


Secure Store Service

Secure Store Service, or SSS, is the replacement for Microsoft Single Sign On. An important point: SSO and SSS are enterprise single sign-on solutions. This means that SSS only stores user names and passwords. It is not the responsibility of the SSS to do any logging on. An application must make a call to SSS, and then, based on the application or service that makes the call, a set of credentials is returned. The new SSS has improved APIs and more integration across the SharePoint farm through various service applications. BCS, Excel Services, and PerformancePoint are examples of this. They require credentials for users who execute reports when those users do not explicitly have access to the data sources.

How Does SSS Work?


An application or user requests credentials for an application, via an application ID. The SSS will then respond with credentials if there is a mapping for the user making the request.

Secure Store Service Preparation

When you prepare to deploy the Secure Store Service, be aware of the following important guidelines:

- Run the Secure Store Service in a separate application pool that is not used for any other service.
- Run the Secure Store Service on a separate application server that is not used for any other service.
- Create the Secure Store database on a separate application server running SQL Server. Do not use the same SQL Server installation that contains content databases.
- Back up the Secure Store database before generating a new encryption key. You should also back up the Secure Store database after it is initially created, and again each time credentials are re-encrypted. When a new key is generated, the credentials can be re-encrypted with the new key. If the key refresh fails, or the passphrase is forgotten, the credentials will not be usable.
- Back up the encryption key after initially setting up the Secure Store Service, and back up the key again each time it is regenerated.
- Do not store the backup media for the encryption key in the same location as the backup media for the Secure Store database. If a user obtains a copy of both the database and the key, the credentials stored in the database could be compromised.

Application IDs

Each Secure Store Service entry contains an application ID that is used to retrieve a set of credentials from the Secure Store database. Each application ID can have permissions applied so that only specific users or groups can access the credentials that are stored for the application ID. Applications use application IDs to retrieve credentials from the Secure Store database on behalf of a user. The application can then use the retrieved credentials to access a data source. Application IDs map your user IDs to credential sets. Mappings are available for groups or individuals. In a group mapping, every user that is a member of a specific domain group is mapped to the same set of credentials. In an individual mapping, each individual user is mapped to a unique set of credentials.

Secure Store Service Mappings

The Secure Store Service supports individual mappings and group mappings. The Secure Store Service maintains a set of credentials for the application IDs of resources stored in the Secure Store database. The application ID retrieves individual credentials. Individual mappings are useful when you need logging information about individual user access to shared resources. For group mappings, a security layer checks group credentials for multiple domain users against a single set of credentials for a resource identified by an application ID that is stored in the Secure Store database. Group mappings are easier to maintain than individual mappings and can provide improved performance.

Secure Store Service and Claims Authentication

The Secure Store Service is a claims-aware service. It can accept security tokens and decrypt them to get the application ID, and then perform a lookup. When a SharePoint Server 2010 Security Token Service (STS) issues a security token in response to an authentication request, the Secure Store Service decrypts the token and reads the application ID value. The Secure Store Service uses the application ID to retrieve credentials from the Secure Store database. The credentials are then used to authorize access to resources.


Lesson 2

Understanding Federated Authentication

Federated authentication provides a unified approach to combining credentials from a heterogeneous environment where multiple methods for authentication exist and different authentication databases play a role. While this lesson does not focus on setting a standard, it does cover the process of unifying an enterprise and giving access to the SharePoint Server resource.

Objectives
After completing this lesson, you will be able to:

- Describe federated identity.
- Describe Active Directory Federated Services (ADFS).
- Describe how claims authentication works.
- Understand the federated sign-in process.
- Describe SharePoint identity normalization.
- List the forms-based authentication changes.
- Compare claims with the Windows token service.


Overview of Federated Identity

Key Points
Federated identity allows you to use credentials hosted in select external authentication systems. This results in lower costs from not having to manage your own authentication provider. In addition, usability increases because users have only one user name and password that they can use with any application. There are many large identity providers in the world; for example, the largest are Windows Live ID and OpenID. In most cases, your users are not located in a single authentication system, which means you must set up a gateway that maps each of those external users to a single integration point for your own applications to use. This is an alternative to implementing your own gateway in each of your applications. When we talk about federating these attributes, we call them claims. Since the authentication system is external, these claims are not known to contain valid facts about the users until further identified.

What Are Claims?


A claim is the process of establishing a mechanism as proof or having privileges that allow a transaction to be completed and accepted. For example, when presenting a credit card to complete a purchase transaction, the store requires a validation for the identity of the individual making the purchase.

Claims Providers
Claims providers are the entities that do all the work. They implement the WS-* standards and provide the claims back to the calling clients (in this case, SharePoint). Keep in mind that a system can be a consumer and provider at the same time. SharePoint implements its own claims provider for forms-based identity in 2010. Claims providers perform the following tasks:

- Augmentation of Claims
  - Add application-specific claims
  - Authorize over the claims
- Search and Resolve
  - Enumerate and select claims
  - Use the claims in SharePoint applications

Federated identity uses the following three industry standard specifications:

- WS-Federation 1.1. Provides the architecture for a clean separation between trust mechanisms, security token formats, and the protocols for obtaining tokens.
- WS-Trust 1.4. Requests and receives security tokens.
- SAML Token 1.1. XML vocabulary that represents claims in an interoperable way.


Active Directory Federated Services (ADFS)

Key Points
ADFS is a platform for integrating external authentication stores and trusting them with federated authentication. This means that instead of creating a user name and password database for external users or creating a new domain, you can simply point to an external authentication store and allow users to continue to use their own user name and password. As part of any authentication system, users have attributes. ADFS implements the industry standards of the WS-* stack, which means that it can integrate with any authentication system in the world that implements these global standards. ADFS has a simple-to-use interface that allows you to build rules around the target systems and the claims that will be trusted. You can build rules to use these claims and allow or disallow requests based on claims information.


Claims Authentication Process and Normalization

Key Points
When authenticating to an external system, a token is generated that contains the information about the user. This token can be used by the target application to make decisions about what you will let the user do in the system. A key element of a claims-based system is trust. An external system can claim many things about a user, but you have to determine if your systems trust what that external system claims about that user. Advanced claims-based authentication systems may pull claims from more than one system and aggregate them together to make an authorization decision. The following describes the federated sign-in process for a user to perform an action that requires authentication:

- As a user, you will request to access the SharePoint site you are interested in visiting.
- You are then redirected to the Identity Provider (IP) and after that, the external Secure Token Service (STS) generates the requested token.
- You are given a token, which will then be forwarded to the application (in this case, SharePoint).
- SharePoint uses the token to authorize you for the actions requested.

For example, most Microsoft sites require you to have a Live ID to log in. When you click login on the Microsoft system, it will redirect you to Live ID, where Live ID will let the user log on. Then the user will be redirected to the application with claims data, for example, a token. The site then uses that token to allow the user to access its resources.

SharePoint Identity Normalization


NTLM works by passing NT Tokens, commonly known as credentials. In SharePoint 2007, an NT Token is translated to SPUser, and then access to resources is determined based on that SPUser object.


In SharePoint 2010, at logon, all identities are converted to ClaimsIdentities. These claims identities are then translated to the SPUser. That is what happens behind the scenes; what we see is an identity (or user name claim) being translated to a valid and recognized SharePoint user, which validates the claim.

SharePoint and the Security Token Service


An Identity Provider-STS (IP-STS) is a Web service that handles requests for trusted identity claims. IP-STS uses a database called an identity store to store and manage identities and their associated attributes. For example, IP-STS can use a SQL database table to store and manage identities. IP-STS can also use a complex identity store. For example, IP-STS can use Active Directory Domain Services or Active Directory Lightweight Directory Service (AD LDS).

There are two parts in this process, IP-STS and the relying party STS (RP-STS). There is a federated trust relationship between each IP-STS and the federated partner RP-STS Web applications. Clients can create managed information cards that will represent the identities registered and known by the IP-STS. An example of this information card system is Windows CardSpace. After authentication, the IP-STS issues a trusted security token that the client can present to a relying party application.

Relying party applications can establish trust relationships with an IP-STS. This enables them to validate the security tokens issued by IP-STS. After the trust relationship is established, relying party applications can examine security tokens presented by clients to determine the validity of the identity claims they contain.


Forms-Based Authentication Changes

Key Points
Forms-based authentication has changed in SharePoint Server 2010. It is no longer based on ASP.NET Generic Identities, but rather a claims identity is created. This is accomplished by the SecurityToken.svc service and a custom Microsoft Identity Framework Token Service Host Factory. You must also enable your forms membership and role providers in this SecurityToken service or your Web application will not be able to use forms-based authentication.

Forms-based authentication is an identity management system that uses the ASP.NET membership and role provider authentication. In SharePoint Server 2010, FBA is only available when you use claims-based authentication. FBA is used for authentication purposes. The process accounts that connect to Microsoft SQL Server database software and run the farm must be Windows accounts, even when using alternative methods of authentication to authenticate users. SharePoint Server 2010 supports SQL Server authentication and local computer process accounts for farms that are not running Active Directory Domain Services. For example, you can implement local accounts by using identical user names and passwords across all servers within a farm.

To use FBA to authenticate users against an identity management system that is not based on Windows, or that is external, you must register the custom membership provider in the Web.config file. In addition to registering a membership provider, you can register a role manager. SharePoint Server 2010 uses the standard ASP.NET role manager interface to gather group information about the current user. Each ASP.NET role is treated as a domain group by the authorization process in SharePoint Server 2010. You register role managers in the Web.config file the same way you register membership providers for authentication.

When you want to manage membership users or roles from the Central Administration site, you can register the membership provider and the role manager in the Web.config file for the Central Administration site. You would do this in addition to registering those membership users in the Web.config file for the Web application that hosts the content. Ensure that the membership provider name and role manager name that you registered in the Web.config file are the same as the names that you entered in Central Administration. If you do not enter the role manager in the Web.config file, the default provider specified in the Machine.config file might be used instead. For example, the following string in a Web.config file specifies a SQL membership provider: <membership defaultProvider="AspNetSqlMembershipProvider">.

Integrating with FBA places additional requirements on the authentication provider. In addition to registering the various elements in the Web.config file, the membership provider, role manager, and HTTP module must be programmed to interact with SharePoint Server 2010 and ASP.NET methods.


Claims to Windows Token Service

Key Points
Since SharePoint uses claims identities, SharePoint must convert that identity to the corresponding NT Token in order for a user to access Windows-only authenticated resources. In SharePoint 2010, the Claims to Windows Token Service (C2WTS) is responsible for converting the claims identity to the NT Token. C2WTS is a Windows service that monitors requests and then creates the mappings and the NT Token. If this service is not running, then calls to Windows authenticated resources will not succeed.


Lab A: Configuring Custom Authentication

Scenario
The Client Services department at Contoso, Ltd. has asked you to establish a SharePoint site with which employees and clients can collaborate. Your organizational IT Policy states that only employees shall have an Active Directory account. Therefore, you must configure a custom authentication mechanism using forms-based authentication, so that user accounts for clients can be maintained in a separate database.

Start the virtual machines.


1. Start 10174A-CONTOSO-DC-D.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.


Exercise 1: Creating and Configuring an ASP.NET Membership Database


In this exercise, you will create a membership and role database using the schema and tools provided with ASP.NET. You will configure the .NET framework and SharePoint Central Administration to connect to the database, and then you will create user accounts in the database. The main tasks for this exercise are as follows:

1. Create an ASP.NET membership database.
2. Configure the connection to the database.
3. Create users.
4. Enable the Secure Token Service to use forms-based authentication.

Task 1: Create an ASP.NET membership database.


Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password, Pa$$w0rd. Start Command Prompt with the Run as administrator option. Type the following commands:
cd c:\windows\microsoft.net\framework\v2.0.50727
aspnet_regsql.exe

Accept all of the defaults in the ASP.NET SQL Server Setup Wizard.

Task 2: Configure the connection to the database.


With Notepad, open c:\windows\microsoft.net\framework\v2.0.50727\config\machine.config. Modify the connectionStrings element of the XML file to match the following, and then save and close the file.

<connectionStrings>
  <clear/>
  <add name="LocalSQLServer" connectionString="Server=.;Database=aspnetdb;uid=sa;pwd=Pa$$w0rd;" providerName="System.Data.SqlClient"/>
</connectionStrings>

Repeat the previous step for the file, c:\windows\microsoft.net\framework64\v2.0.50727\config\machine.config.
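The connection string above places the sa login and its password in clear text in machine.config, which is acceptable only inside the lab. The following PowerShell is an added example, not part of the course material: it reviews the connectionStrings section of a configuration file for embedded SQL credentials. The function name and the second, integrated-security entry are constructed for comparison, and the integrated form assumes that the Windows account running the process has been granted access to the aspnetdb database.

```powershell
# Added example, not part of the course material.
Add-Type -AssemblyName System.Data

function Test-ConnectionStringCredential {
    # Reports, for each <add> under <connectionStrings>, whether a SQL login
    # and password are embedded in the connection string.
    param([Parameter(Mandatory=$true)][xml]$Config)

    foreach ($node in $Config.SelectNodes('//connectionStrings/add')) {
        # The builder normalizes synonyms, so uid/pwd are read as User ID/Password.
        $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder `
            -ArgumentList $node.GetAttribute('connectionString')

        $issues = @()
        if (-not $builder['Integrated Security'] -and $builder['Password']) {
            $issues += 'password stored in clear text'
        }
        if ($builder['User ID'] -eq 'sa') {
            $issues += 'uses the built-in sa login'
        }
        if ($issues.Count -eq 0) { $issues = @('none') }

        New-Object PSObject -Property @{
            Name   = $node.GetAttribute('name')
            Login  = $builder['User ID']
            Issues = ($issues -join '; ')
        }
    }
}

# The first entry is the lab's connection string; the second is a constructed
# alternative that relies on the Windows identity of the process instead.
$sample = [xml]@'
<configuration>
  <connectionStrings>
    <clear/>
    <add name="LocalSQLServer" connectionString="Server=.;Database=aspnetdb;uid=sa;pwd=Pa$$w0rd;" providerName="System.Data.SqlClient"/>
    <add name="LocalSQLServerIntegrated" connectionString="Server=.;Database=aspnetdb;Integrated Security=SSPI;" providerName="System.Data.SqlClient"/>
  </connectionStrings>
</configuration>
'@

Test-ConnectionStringCredential -Config $sample | Format-Table Name, Login, Issues -AutoSize
```

To review a real file, pass `[xml](Get-Content <path to machine.config>)` as the -Config argument.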

Task 3: Create users.


Start SharePoint 2010 Management Shell with the Run as administrator option, and then type the following commands:
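# Load the ASP.NET membership types if the shell has not already loaded them
Add-Type -AssemblyName System.Web
# Create a SQL membership provider that uses the LocalSQLServer connection string
$member = New-Object System.Web.Security.SQLMembershipProvider
$vals = New-Object System.Collections.Specialized.NameValueCollection
$vals.Add("name", "sql")
$vals.Add("connectionStringName", "LocalSQLServer")
$vals.Add("applicationName", "/")
$member.Initialize("sql", $vals)
# Create the user; $id is not set, so a null provider user key is passed
$status = New-Object System.Web.Security.MembershipCreateStatus
$member.CreateUser('SiteAdministrator', 'Pa$$w0rd', 'SharePoint@contoso.com', 'first person kissed', 'mom', $true, $id, [ref] $status)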

Ignore the error message that indicates the membership provider name specified is invalid. Type the following command.
$status

Verify that the last message you see is Success.


Type the following commands.


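# Load the ASP.NET membership types if the shell has not already loaded them
Add-Type -AssemblyName System.Web
# Create a SQL membership provider that uses the LocalSQLServer connection string
$member = New-Object System.Web.Security.SQLMembershipProvider
$vals = New-Object System.Collections.Specialized.NameValueCollection
$vals.Add("name", "sql")
$vals.Add("connectionStringName", "LocalSQLServer")
$vals.Add("applicationName", "/")
$member.Initialize("sql", $vals)
# Create the user; $id is not set, so a null provider user key is passed
$status = New-Object System.Web.Security.MembershipCreateStatus
$member.CreateUser('JamesF', 'Pa$$w0rd', 'JamesF@tailspintoys.com', 'favorite pet', 'Spot', $true, $id, [ref] $status)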

Ignore the error message that indicates the membership provider name specified is invalid. Type the following command.
$status

Verify that the last message you see is Success. Close SharePoint 2010 Management Shell.

Task 4: Enable the secure token service to use forms-based authentication.


With Notepad, open the file, c:\program files\common files\microsoft shared\web server extensions\14\webservices\root\web.config. Remove the <clear> statements within the system.web\membership\providers and roleManager\providers XPath elements. Then save and close the file.

Results: After completing this exercise, you should have a new custom database to support forms-based authentication for SharePoint, and you should have two user accounts in the database.


Exercise 2: Creating a Web Application That Uses Claims-Based Authentication


In this exercise, you will create a Web application to support collaboration with external clients. You will provide Windows authentication for employees and forms-based authentication for clients. The main tasks for this exercise are as follows:

1. Create a Web application that uses both Windows and forms-based authentication.
2. Add a DNS host record for the new Web application.
3. Test claims-based authentication.

Task 1: Create a Web application that uses both Windows and forms-based authentication.

In Central Administration, click the Manage web applications link and create a new Web application with the following settings:

- Authentication: Claims Based Authentication
- Port: 80
- Host Header: clients.contoso.com
- Claims Authentication Types: Integrated Windows Authentication (NTLM) and Forms Based Authentication
- ASP.NET Membership provider name: AspNetSqlMembershipProvider
- ASP.NET Role manager name: AspNetSqlRoleProvider
- Application Pool: SharePoint 80 (CONTOSO\SP_ServiceApps)
- Database name: WSS_Content_Clients

Create a site collection in the new Web application with the following settings:

- Title: CONTOSO Client Portal
- Template Selection: Publishing Portal
- Primary Site Collection Administrator: CONTOSO\SP_Admin
- Secondary Site Collection Administrator: SiteAdministrator

Task 2: Add a DNS host record for the new Web application.
Start DNS Manager using the Run as different user option. Enter the user name, CONTOSO\Administrator, and the password, Pa$$w0rd. In the contoso.com forward lookup zone, create a new host record named clients with the address 10.0.0.21. Close DNS Manager.

Task 3: Test claims-based authentication.


Open Internet Explorer, and then browse to http://clients.contoso.com. Sign in using Forms Authentication with the user name SiteAdministrator and the password, Pa$$w0rd. Click Sign in as Different User and then sign in with Windows Authentication as SP_Admin with the password, Pa$$w0rd.


Results: After completing this exercise, you should have created a Web application that is accessible both by employees, using Windows authentication, and by clients, using forms-based authentication.

Do not shut down the virtual machines.


Leave the virtual machines running. You will use them for Lab B.


Lab B: Configure Secure Store

Scenario
Information workers at Contoso, Ltd. have started using the new intranet portal site and would like to start using SharePoint Designer 2010 to add Business Connectivity Services applications to pages. Organizational IT policy states that under no circumstances shall credentials be stored in an unencrypted manner in applications. Because of this policy, users will not be allowed to embed credentials in the ASP.NET pages. You have been tasked with configuring Secure Store Service to facilitate the authentication for these information workers.


Exercise 1: Creating User Accounts for Access to External Data


Scenario
In this exercise, you will establish user accounts in Active Directory that will be assigned to target applications in the Secure Store in the next exercise. The main tasks for this exercise are as follows: 1. Create Active Directory accounts.

Task 1: Create Active Directory accounts.


On SP2010-WFE1, start Active Directory Users and Computers using the Run as different user option. Enter the user name, CONTOSO\Administrator, and the password, Pa$$w0rd. In the Users container, create the user accounts listed in the table below. For each account, set the password to Pa$$w0rd, clear the User must change password at next logon check box, and select the Password never expires check box.

Full name                                       User logon name
Excel Unattended Service Account                SP_Excel_USA
PerformancePoint Unattended Service Account     SP_PerfPoint_USA
Visio Graphics Unattended Service Account       SP_Visio_USA

Close Active Directory Users and Computers.


Exercise 2: Configuring Secure Store Services


In this exercise, you will configure Secure Store Services to store credentials that can be used by service applications to access data. The main tasks for this exercise are as follows:

1. Initialize an instance of a Secure Store Service application.
2. Create a target application for Excel Services.
3. Configure the Secure Store credentials for Excel Services.
4. Create a target application for Visio Graphics.
5. Configure the Secure Store credentials for Visio Graphics.

Task 1: Initialize an instance of a Secure Store Service application.


In Central Administration, navigate to the Manage Service Applications page, and then click the Secure Store Service link on the Secure Store Service Application row. Generate a new key with the pass phrase, 10174_SSS_2010.

Task 2: Create a target application for Excel Services.


Create a target application with the following configuration:

- Target Application ID: ExcelUnattendedSA
- Display Name: Excel Unattended Service Account
- Contact E-mail: sharepoint@contoso.com
- Target Application Type: Group
- Target Application Page URL: None
- Target Application Administrators: CONTOSO\SP_Admin
- Members: Domain Users

Task 3: Configure the Secure Store credentials for Excel Services.


Set the credentials of the ExcelUnattendedSA application. Enter the user name, CONTOSO\SP_Excel_USA, and the password, Pa$$w0rd.

Task 4: Create a target application for Visio Graphics.


Create a target application with the following configuration:

- Target Application ID: VisioUnattendedSA
- Display Name: Visio Unattended Service Account
- Contact E-mail: sharepoint@contoso.com
- Target Application Type: Group
- Target Application Page URL: None
- Target Application Administrators: CONTOSO\SP_Admin
- Members: Domain Users

Task 5: Configure the Secure Store credentials for Visio Graphics.


Set the credentials of the VisioUnattendedSA application.


Enter the user name, CONTOSO\SP_Visio_USA, and the password, Pa$$w0rd.

Results: After completing this exercise, you should have fully configured the Secure Store Service and created two target applications.
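The tasks in this exercise can also be scripted from the SharePoint 2010 Management Shell. The following is an added example, not part of the course lab: the context URL and the two credential field names are assumptions, and the pass phrase and account passwords are prompted for so that they are not stored in the script file.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: URL of any site in the farm, used only to resolve the service
# context. Placeholder value, not taken from the lab.
$contextUrl = "http://sharepoint.example.test"

# Task 1: generate a new key. The pass phrase is read at the prompt.
$proxy = Get-SPServiceApplicationProxy |
    Where-Object { $_.TypeName -like "Secure Store*" } |
    Select-Object -First 1
$passPhrase = Read-Host "Secure Store pass phrase"
Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $passPhrase

# Tasks 2 and 4: create a Group target application with the lab's settings.
function New-UnattendedTargetApplication {
    param([string]$Id, [string]$DisplayName, [string]$ContextUrl)

    $target = New-SPSecureStoreTargetApplication -Name $Id `
        -FriendlyName $DisplayName `
        -ContactEmail "sharepoint@contoso.com" `
        -ApplicationType Group

    # Assumption: field names chosen for this example; the password field is masked.
    $fields = @(
        (New-SPSecureStoreApplicationField -Name "Windows User Name" `
            -Type WindowsUserName -Masked:$false),
        (New-SPSecureStoreApplicationField -Name "Windows Password" `
            -Type WindowsPassword -Masked:$true)
    )

    $admin   = New-SPClaimsPrincipal -Identity "CONTOSO\SP_Admin" `
        -IdentityType WindowsSamAccountName
    $members = New-SPClaimsPrincipal -Identity "CONTOSO\Domain Users" `
        -IdentityType WindowsSecurityGroupName

    New-SPSecureStoreApplication -ServiceContext $ContextUrl `
        -TargetApplication $target -Fields $fields `
        -Administrator $admin -CredentialsOwnerGroup $members | Out-Null

    # Return the stored application so that credentials can be mapped to it.
    Get-SPSecureStoreApplication -ServiceContext $ContextUrl -Name $Id
}

# Tasks 3 and 5: store the unattended account's credentials for the group.
function Set-UnattendedCredential {
    param($Application, [string]$UserName)

    $user = ConvertTo-SecureString $UserName -AsPlainText -Force
    $pass = Read-Host "Password for $UserName" -AsSecureString
    # Values are supplied in the same order as the fields were defined.
    Update-SPSecureStoreGroupCredentialMapping -Identity $Application `
        -Values $user, $pass
}

$excel = New-UnattendedTargetApplication -Id "ExcelUnattendedSA" `
    -DisplayName "Excel Unattended Service Account" -ContextUrl $contextUrl
Set-UnattendedCredential -Application $excel -UserName "CONTOSO\SP_Excel_USA"

$visio = New-UnattendedTargetApplication -Id "VisioUnattendedSA" `
    -DisplayName "Visio Unattended Service Account" -ContextUrl $contextUrl
Set-UnattendedCredential -Application $visio -UserName "CONTOSO\SP_Visio_USA"
```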


Exercise 3: Configuring Secure Store Unattended Accounts


In this exercise, you will configure three service applications to use credentials in the Secure Store. The main tasks for this exercise are as follows:
1. Configure Excel Services Secure Store account.
2. Configure PerformancePoint Secure Store account.
3. Configure Visio Graphics Secure Store account.

Task 1: Configure Excel Services Secure Store account.


Configure the Excel Services Application global settings to use the Application ID, ExcelUnattendedSA, to access external data. Excel Services can now use the credentials in Secure Store to render spreadsheets and connect to external data connections.

Task 2: Configure PerformancePoint Secure Store account.


Configure the PerformancePoint Service Application settings so that the Secure Store unattended service account uses the user name, CONTOSO\SP_PerfPoint_USA, and the password, Pa$$w0rd.

Task 3: Configure Visio Graphics Secure Store account.


Configure the Visio Graphics Service global settings to use the application ID, VisioUnattendedSA, to access external data. Visio can now execute diagrams and data connection refreshes using the unattended account.

Results: After completing this exercise, you should have configured Excel Services, PerformancePoint, and Visio to have an Unattended Secure Store account.

To prepare for the next module.


When you finish the lab, reset the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. What does SPN stand for and which authentication provider uses SPNs?
2. How would you describe the role of the Secure Store Service?


Module 6
Securing Content
Contents:
Lesson 1: Administering SharePoint Groups
Lesson 2: Implementing SharePoint Roles and Role Assignments
Lesson 3: Securing and Auditing SharePoint Content
Lab: Configuring Security for SharePoint Content


Module Overview

Many organizations must store sensitive or confidential information. Microsoft SharePoint 2010 includes a complete set of security features. You can use these features to ensure that users can access the information they need and can modify the data they are responsible for, but cannot view or modify confidential information. The SharePoint 2010 security model is highly flexible and adaptable to your organization's needs. In this module, you explore the objects you can use to authorize users in SharePoint 2010, including users, groups, permissions, and roles. You also experience the integration with Active Directory Domain Services (AD DS) users and groups and set up and test an authorization scheme.

Objectives
After completing this module, you will be able to:
• Describe how security principals assign permissions in SharePoint 2010 and administer group membership.
• Describe and assign SharePoint Roles to security principals.
• Assign permissions and configure auditing on SharePoint content.


Lesson 1

Administering SharePoint Groups

In SharePoint 2010, you can grant permissions and roles directly to user accounts in AD DS in addition to other identity providers. However, if you have more than a small number of users, or if you plan to have more users in the future, you should organize users into groups and grant those permissions and roles to the groups. By using groups, you can manage large numbers of users in single operations and help to ensure that permissions oversights do not occur. In this lesson, you learn about SharePoint groups and AD DS groups, how they integrate together, and how you should use them to organize your user accounts for authorization.

After completing this lesson, you will be able to:
• Describe the SharePoint 2010 security model.
• Implement security by using default groups.
• Administer SharePoint custom groups.
• Compare SharePoint groups with AD DS groups.
• Implement security with AD DS groups.
• Understand how to use SharePoint administrative groups.


Overview of Site Security

In SharePoint 2010, there is a flexible model for organizing users and authorizing them to access content. This consists of security principals, permission levels, and securable objects such as lists or libraries.

Security Principals
A security principal is an object to which you can assign permissions. You can organize user accounts into groups to ease administration. For example, if you place all Sales staff into a single group, you can authorize them all to access the Sales Team Site in a single operation by assigning permissions to the group. Furthermore, when a new member of staff starts work you do not need to assign that user permission individually. By placing the new member in the Sales group, you implicitly grant the user permission to the Sales Team Site and all the other resources to which you have granted the Sales group permission. By grouping users in this way, you can significantly reduce administrative overhead. In SharePoint 2010, you can create SharePoint groups to assign permissions and permission levels. Alternatively, you may use AD DS groups that you already have to secure access to computers and Microsoft Windows resources.

Permissions and Permission Levels


In SharePoint 2010, a permission grants a security principal the ability to perform a certain operation. For example, you can use the following permissions:
• View Items
• Open Items
• Edit Items

A permission level is a combination of permissions that grants a range of operations that are commonly required. For example:
• The Read permission level includes the View Items and Open Items permissions but not the Edit Items permission.
• The Full Control permission level includes all the permissions.

You can use the five permission levels included with SharePoint 2010 or create your own by assembling a combination of permissions.

Securable Objects
A securable object is an object in the SharePoint hierarchy on which you can assign permission levels for a user account or group. These include the following:
• Sites
• Lists
• Libraries
• Folders
• Documents
• Items

You can assign permission levels at a very granular level, right down to single items, but consider that many permissions granted at low levels can make access confusing for users and difficult to administer and troubleshoot. Instead, place items with similar sensitivity in lists or libraries and assign permission levels on the list or library.


Using Default Groups

SharePoint 2010 creates some SharePoint groups by default whenever you create a new site. In many cases, these default groups may satisfy all your authorization requirements and render custom groups unnecessary. Before you plan to create extra groups, understand the membership and permission levels applied to the default groups.

Common Default Groups


Some default groups are created no matter which site template you choose at site creation. You can find these groups throughout your SharePoint organization in different site collections and farms.
• Visitors. This group is assigned the Read permission level that allows members to view site contents, open items, and open documents but not make any changes.
• Members. This group is assigned the Contribute permission level that grants all the permissions of the Read level and adds the ability to add, edit, and delete items and documents.
• Owners. This group is assigned the Full Control permission level that grants all permissions to members. Owners can therefore assign permission levels, change content, read content, and take other actions.

Default Groups Added by Site Templates


Some site templates add extra default groups to the site that reflect the roles users take in that specific kind of site. For example, if you create a site based on the Publishing Site template, you will notice the following default groups:
• Viewers. Members can view pages, list items, and documents.
• Approvers. Members can approve new and changed items for publishing.
• Designers. Members can alter page designs in the browser and by using SharePoint Designer.
• Hierarchy Managers. Members can create and manage folders, lists, and libraries.
• Restricted Readers. Members can read items in certain parts of the site and have limited access to specific lists.
• Style Resource Readers. Members can read only master pages and the style library.

Other site templates create different default groups.


Using Custom Groups

When default groups are not sufficient for your needs, you can choose to create custom SharePoint groups. You should consider custom groups in the following situations:
• When you have more user roles in your site than you can model with the default groups.
• When you want to use names different from the default groups. For example, in your organization those people who design sites may be referred to as Interface Managers or some other name. In this case, rename the Designers group to Interface Managers.
• When you want to preserve a one-to-one relationship between SharePoint groups and AD DS groups.

Permissions and Custom Groups


When you create a custom group you are prompted to assign a permission level to it, but you can choose not to do this. These permission levels are applied at the site level and propagate down to lower objects such as folders and items. If you do not assign a permission level to a custom group at creation, you can use the custom group to assign more granular permissions by setting them at list or item level.

Using Hierarchical Membership Management

In some cases, you might want to delegate group membership to users. For example, where each site relates to a single project, the project manager may need to grant team members access without involving an IT administrator. You can model this situation by using a group, for example Project Managers, whose membership is assigned by IT administrators. A second group, for example Project Members, is owned by the Project Managers group, whose members can assign membership in it. Members of Project Members have the required permission level to the site content.

Group Membership Visibility


For each SharePoint group, you can control whether the membership is visible to other users who are not members. This can be useful in security-sensitive situations in which it should not be generally known who has what level of access.


Group Management Comparison

AD DS has a rich and flexible set of features for grouping users, and in SharePoint, you can assign permissions and permission levels directly to AD DS groups. However, this approach limits some SharePoint capabilities. This topic compares AD DS and SharePoint groups to help you understand when to use each.

AD DS Groups
AD DS groups are managed outside SharePoint. Therefore:
• You must use Active Directory Users and Computers to set up membership; this tool is designed for technically able IT personnel and other users may not find it easy.
• SharePoint cannot provision group membership. For example, the members of the Site Managers group cannot assign members to the Site Members group if it is stored in AD DS.
• You centrally manage AD DS groups. If you want only one set of groups for all systems in your organization, place them in AD DS.

SharePoint Groups
By contrast, the following points are true of SharePoint groups:
• SharePoint has a membership user interface for SharePoint groups that is easy for nontechnical authors to use and appears in the relevant site.
• SharePoint can provision group membership. For example, a workflow can add a member to a SharePoint group.
• You can view SharePoint groups and users for a site in a single Web page.
• You can use SharePoint groups only in SharePoint.


Using Active Directory Domain Services Groups

You can choose from several approaches for using groups in SharePoint.

Using AD DS Groups Without SharePoint Groups


In this approach, AD DS administrators set up groups and manage membership. SharePoint administrators grant permissions directly to AD DS groups. If you use this configuration, you may use AD DS in classic or claims-mode authentication and the AD DS groups must be security groups, not distribution groups. The AD DS groups should also be email-enabled so that SharePoint can send alerts.

Using SharePoint Groups Without AD DS Groups


Another approach is to place AD DS user accounts directly in SharePoint groups without using AD DS groups. Again, this requires the AD DS authentication provider. Full SharePoint functionality is preserved by this approach. For example, each site to which you grant a user access automatically appears in that user's My Sites list. However, when the number of users in a site is large, SharePoint groups can soon become unmanageable.

Nesting AD DS Groups in SharePoint Groups


You can nest AD DS groups in SharePoint groups and grant permissions to SharePoint groups. Members of the AD DS groups automatically inherit the access granted. This approach is recommended as the most flexible and scalable.

Advantages
• AD DS administrators remain in control of group membership and structure.
• SharePoint administrators remain in control of SharePoint resources.
• AD DS membership changes are automatically reflected in SharePoint access. For example, if a user moves to another role, and AD DS administrators move their account to another AD DS group, their access to SharePoint resources changes automatically, without any action from SharePoint administrators.

Disadvantages
• SharePoint administrators cannot see the individual members of a group in the SharePoint user interface (UI). They must trust AD DS administrators to assign membership correctly.
• Sites to which you grant the group access do not automatically appear in My Sites. However, the user can manually add them.
• The User Information List does not show individual users until they have contributed to the site.
• AD DS groups with deep nesting or contacts as members can cause issues in SharePoint.


Administrative Groups

SharePoint 2010 also has built-in groups for system administration, and Windows administrators can configure SharePoint settings.

Note: In a small or medium-sized company, or in a larger organization with a single administration team, a user may be a member of more than one of the following groups.

Site Collection Administrators


When you create a SharePoint site collection, you must specify a security principal (a user account or group) as the primary Site Collection Administrator. Optionally, you can also specify secondary Site Collection Administrators. Site Collection Administrators have the following characteristics:
• Have Full Control access to a site collection and all the sites in it.
• Have access to all the content in a site collection. This overrides any permissions assigned by site owners.
• Can create and configure subsites.
• Are the administrative contacts for the site collection.
• Receive administrative alerts for the site collection.
• Can configure permissions, permission levels, and SharePoint groups in the site collection.
• Can configure auditing in the site collection.
• Can use all the tools under Site Collection Administration on the Site Settings page at the site collection level.

You can also add new users or groups to the Site Collection Administrators after the site collection has been created.


SharePoint Farm Administrators


When you create the SharePoint farm, that is, when the first server in the farm is installed, you must specify a user or group to be Farm Administrators. A group is recommended so that administration can be performed by more than one person, but membership of this group should be carefully controlled. These administrators have the following characteristics:
• Are responsible for the configuration of the farm as a whole.
• Have access to all settings in Central Administration.
• Can create and configure site collections.
• Can control which users can manage server and farm settings.
• Have no access to site collections and their content by default.
• Can take ownership of any site collection to get access to content if necessary.

Windows Administrators
Members of the local Administrators group on the SharePoint server also take a role in SharePoint administration. A user account can be a direct member of this group, such as the local Administrator account, or inherit membership from an AD DS group, such as the Domain Admins group. Windows Administrators have the following characteristics:
• Can perform all the actions of a SharePoint Farm Administrator.
• Can install new products and applications on the server, such as antivirus packages.
• Can deploy Web Parts and other custom components to the global assembly cache (GAC).
• Can create Web sites, Web applications, and control other Internet Information Services (IIS) settings.
• Can stop and start Windows Services on the SharePoint server.
• Can run Stsadm.exe commands.


Lesson 2

Implementing SharePoint Roles and Role Assignments

SharePoint permission levels are also referred to as roles. Now that you understand how SharePoint uses user accounts, AD DS groups, and SharePoint groups, you can study how to assign permissions and roles to those security principals.

After completing this lesson, you will be able to:
• Plan for and enable anonymous access to SharePoint sites.
• Assign permissions to lists and libraries.
• Assign permissions to folders and items.
• Understand permission inheritance in the SharePoint hierarchy.
• Assign the Override Checkout permission to appropriate users.


Configuring Anonymous Access

In scenarios with sensitive data, anonymous access presents a security concern. Therefore, it is disabled in SharePoint 2010 by default. However, in many scenarios you need users to be able to access SharePoint Server anonymously. For example, if you host your organization's Internet-facing Web site in SharePoint, most users need anonymous access to the majority of the content. You can authenticate them for access to certain parts of the site if you wish. To enable anonymous access you must make two administrative changes.

Configuring Anonymous Access in Central Administration


Start your configuration by enabling anonymous access on the Web application that hosts your site.
1. Start Central Administration.
2. Click Manage Web Applications.
3. Click the Web application that you want to configure.
4. On the ribbon, click Authentication Providers.
5. Click the zone you wish to configure.
6. Select Enable anonymous access.
7. Click Save.

Configuring Anonymous Access in Site Settings


Complete your configuration by enabling anonymous access for the site collection.
1. Navigate to the top-level site of the site collection.
2. Click Site Actions, and then click Site Settings.
3. Click Site Permissions.
4. On the ribbon, click Anonymous Access.
5. Select the level of access you want to grant to anonymous users, and then click OK.

Note: The Anonymous Access button on the ribbon is disabled until you have configured anonymous access in Central Administration.
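Because anonymous access depends on both settings, a review of the farm should read both. The following added example (not part of the course material) uses the SharePoint 2010 server object model to list every zone in which a Web application allows anonymous access and every site whose own anonymous setting is not Disabled; it makes no changes.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-AnonymousAccessReport {
    foreach ($webApp in Get-SPWebApplication) {

        # First setting: the per-zone "Enable anonymous access" check box
        # from Authentication Providers in Central Administration.
        $openZones = @()
        foreach ($entry in $webApp.IisSettings.GetEnumerator()) {
            if ($entry.Value.AllowAnonymous) { $openZones += $entry.Key }
        }
        foreach ($zone in $openZones) {
            New-Object PSObject -Property @{
                Scope          = "Zone"
                Url            = $webApp.Url
                Setting        = "AllowAnonymous in zone $zone"
                ZoneAllowsAnon = $true
            }
        }

        # Second setting: the Anonymous Access choice made in Site Permissions.
        # AnonymousState is Disabled, Enabled (lists and libraries) or On
        # (entire Web site).
        foreach ($site in $webApp.Sites) {
            try {
                foreach ($web in $site.AllWebs) {
                    try {
                        $state = $web.AnonymousState.ToString()
                        if ($state -ne "Disabled") {
                            New-Object PSObject -Property @{
                                Scope          = "Site"
                                Url            = $web.Url
                                Setting        = "AnonymousState = $state"
                                ZoneAllowsAnon = ($openZones.Count -gt 0)
                            }
                        }
                    }
                    finally { $web.Dispose() }
                }
            }
            finally { $site.Dispose() }
        }
    }
}

Get-AnonymousAccessReport |
    Sort-Object Url, Scope |
    Format-Table Scope, Url, Setting, ZoneAllowsAnon -AutoSize
```

A Site row with ZoneAllowsAnon set to False is a site-level grant that is currently dormant: it takes effect as soon as anonymous access is enabled on any zone of that Web application, so review it before changing the zone setting.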


Site, List, and Library Security

In many cases, with careful planning and good use of permission levels at the site collection level, you can avoid assigning permissions to users at the site, list, or library levels. Such a permissions scheme is easy for users to understand because the level of access they receive is consistent throughout a site collection. It also eases troubleshooting because administrators have a single location where all permissions are assigned. However, in other cases, you may have to assign more granular permissions at the site, list, or library levels.

Site-Level Permissions
When you create a new site, permissions are inherited by default from the parent site and you cannot set extra permissions on the site. However, if you wish not to use this inheritance model, click More Options in the Create dialog. Then, under User Permissions, click Use Unique Permissions. You can also break inheritance at any subsequent time on the Site Permissions page for a subsite by clicking Stop Inheriting Permissions on the ribbon. When you break permissions inheritance in this way, the initial permissions for the site are those that would have been inherited from the parent. However, you can now remove these or configure additional permissions.

List and Library Permissions


As for sites, permissions on lists and libraries are inherited from the parent site, and, by default, you cannot modify them. However, you can break inheritance either when you create the list or library or at any later time. This enables you to remove or add permissions independently of permissions on the site.

Note: For site, list, and library permissions, if you choose to break inheritance, you can later reestablish permissions inheritance and remove any customized permissions you applied.


The Check Permissions Tool


When you view a Site Permissions or List Permission page, the Check Permissions tool is displayed on the ribbon. With this tool, you can check the effective permissions for a user account, and it is useful when users complain of permissions that are too restrictive or when you suspect that a user has too much access. When you click Check Permissions, a dialog prompts you to enter a user name. When you click Check Now, all the permissions that apply to the user account at different levels are displayed. You can easily see the effective permissions in a single view and diagnose problems.


Folder and Item Security

You can also control permissions at the level of individual items, documents, and folders.

Inheritance
Permissions on items, documents, and folders are inherited from the parent by default. You should maintain inheritance whenever possible as a best practice for the following reasons:
• Users can easily understand their level of access because it is consistent throughout the site.
• You can manage permissions more easily because they are set at a single level in the hierarchy.
• You can maximize performance because multiple levels of permissions need not be evaluated.

However, when required, you can break inheritance on folders and items. If you break inheritance, you can remove inherited permissions and configure additional permissions to create an entirely independent level of access. Subsequently, you can reestablish inheritance if your requirements change.
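To see where inheritance has been broken in a site collection, and who was granted what at each of those points, the role assignments can be read through the server object model. The following is an added example, not part of the course material; the site URL is a placeholder, and the -IncludeItems switch also inspects every folder, document, and item, which can be slow on large lists.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell; read-only.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Emits one row per principal that holds a role assignment on the object.
function New-PermissionRow($kind, $url, $securable) {
    foreach ($ra in $securable.RoleAssignments) {
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        New-Object PSObject -Property @{
            Kind      = $kind
            Url       = $url
            Principal = $ra.Member.Name
            Levels    = $levels
        }
    }
}

function Get-UniquePermissionReport {
    param([string]$SiteUrl, [switch]$IncludeItems)

    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # The top-level site always reports unique permissions.
                if ($web.HasUniqueRoleAssignments) {
                    New-PermissionRow "Site" $web.Url $web
                }
                foreach ($list in @($web.Lists)) {
                    if ($list.Hidden) { continue }
                    $listUrl = $web.Url + "/" + $list.RootFolder.Url
                    if ($list.HasUniqueRoleAssignments) {
                        New-PermissionRow "List" $listUrl $list
                    }
                    if (-not $IncludeItems) { continue }

                    # RecursiveAll returns folders as well as the items in them.
                    $query = New-Object Microsoft.SharePoint.SPQuery
                    $query.ViewAttributes = "Scope='RecursiveAll'"
                    foreach ($item in $list.GetItems($query)) {
                        if ($item.HasUniqueRoleAssignments) {
                            $itemUrl = $web.Url + "/" + $item.Url
                            New-PermissionRow $item.FileSystemObjectType $itemUrl $item
                        }
                    }
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}

# Placeholder URL; replace with the site collection to review.
Get-UniquePermissionReport -SiteUrl "http://sharepoint.example.test" -IncludeItems |
    Sort-Object Url, Principal |
    Format-Table Kind, Url, Principal, Levels -AutoSize
```

Every subsite, list, folder, or item in the output is a place where access no longer follows the parent, so each row beyond the top-level site is a candidate for either restoring inheritance or documenting why the exception exists.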

Indexing and Item Permissions


SharePoint 2010 includes advanced search and indexing functionality that is useful in all deployment scenarios. When the SharePoint crawler indexes an item, document, or other content, it stores the permissions in the search service properties database; it does this so that permissions can be evaluated when users run searches. Any items to which the user does not have Read access are removed from the results and security is maintained.

However, when the crawler indexes an ASPX page, security issues may arise. This is because the page is run in the security context of the search user account. Web Parts and other user interface components display all the items and resources the search account has access to, and the search account usually has Read access to all resources. When users run searches, because they have permission to read the ASPX page, the result is returned to them. However, the page title or summary may include text about resources to which they do not have permission because the crawler does have permission.


For this reason, the Search service in SharePoint is configured not to crawl ASPX pages by default. If you wish to enable this functionality and have considered the security implications fully, you can do so by clicking Site Settings, Search And Offline Availability, and then configuring Indexing ASPX Page Content.


Permission Levels

SharePoint 2010 eases the administration of authorization by providing permission levels. You can define permission levels at the site collection level. Each permission level consists of a set of individual permissions that apply to items, sites, and other objects. These permissions are inherited by objects in the site collection. When users access SharePoint resources, the permissions they receive are determined by the permission level assigned to their user account or groups.

Default Permission Levels


You can examine the permission levels that exist in a site collection on the site permission page:
1. Click Site Actions, and then click Site Permissions.
2. On the ribbon, click Permission Levels.
3. Click a permission level to examine the individual permissions that it includes.

Some permission levels, such as Read and Full Control, exist by default in every site collection. Other default permission levels are added by certain site templates. For example, when you create a site using the publishing template, the Approve and Manage Hierarchy permission levels are added. The Read permission level, for example, consists of the following permissions:

List Permissions
• View Items
• Open Items
• View Versions
• Create Alerts
• View Application Pages

Site Permissions
• View Pages
• Browse User Information
• Use Remote Interfaces
• Use Client Integration Features
• Open

Creating and Customizing Permission Levels


Site collection administrators can customize the default permission levels to create the appropriate level of access. You can use the following methods to do this:
• By customizing the default site permissions. This is not recommended as a best practice.
• By copying default site permissions and customizing the copy.
• By creating new permission levels from scratch.

It is a recommended best practice to define permission levels and allow inheritance to determine access to resources instead of applying permissions at lower levels. By using permission levels in this way you ensure that the following occur:
• Administrators can troubleshoot permissions rapidly without having to investigate permissions at multiple levels.
• Users understand their level of access because it is consistent throughout sites.
• Performance is maximized because multiple levels of permissions need not be evaluated for every access.


Override Check Out Permission

In SharePoint sites that require check out, users must check out documents and other items before they can make changes. While the document is checked out, other users cannot make changes; this ensures that proper version control is maintained so that no two users can simultaneously make changes to the same document, thereby overwriting one another's edits. Sometimes, however, a user forgets to check a document back in. If this happens, other users cannot be productive until the check-out is removed. To prevent productivity barriers like this, you should ensure that you grant users the Override Check Out permission.

Override Check Out Permission


With the Override Check Out permission, a user can check a document back in or discard the check-out even if another user checked the document out. In this way, you can remove the barrier to productivity even if the user who checked out the document is unavailable. Overriding a check-out is usually a last resort because it can result in lost changes. Consider the situation where a user has checked out a document and taken a vacation:
• If the user saved the document to SharePoint but forgot to check the document in, you can check it in and no changes are lost.
• If the user saved some changes to SharePoint but did not upload the last version, you can check the document in and lose the latest changes.
• If the user uploaded no changes and instead changes the local copy, you can check the document in or discard the check-out and lose all the changes.

Override Check Out Permission and Permission Levels


The Override Check Out permission is included by default in the Full Control permission level usually granted to site collection administrators. However, this may not be the most appropriate arrangement. For example, in a project site, project managers may need this permission because they manage the content the team develops. Therefore, consider who has this permission carefully whenever version control is in place. You should ensure that you do the following:
• Grant the powerful Override Check Out permission to only a restricted set of users.
• Explain the implications of overriding check-out to those users and provide guidance on how to use this feature.
• Ensure that there is always at least one person available to override check-outs.

You should consider creating a new permission level that includes only the Override Check Out permission so that you can carefully manage the assignment separately from other permissions. A separate permission also reduces the chance that you accidentally grant Override Check Out to users who should not have it.
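One way to create such a permission level and then review who can override check-outs, shown as an added example that is not part of the course material. The site URL, the level name, and the Project Managers group are assumptions; CancelCheckout is the object model's name for the Override Check Out permission.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell as a site
# collection administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://sharepoint.example.test/sites/project"  # placeholder URL
$levelName = "Override Check Out Only"                       # hypothetical level name
$groupName = "Project Managers"                              # hypothetical SharePoint group

$site = Get-SPSite $siteUrl
try {
    # Work on the top-level site, which holds the site collection's permission levels.
    $web = $site.RootWeb

    # 1. Create the permission level if it does not exist yet. It carries no
    #    read or edit rights of its own, so grant it in addition to the
    #    group's normal level.
    $existing = $web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    if (-not $existing) {
        $role = New-Object Microsoft.SharePoint.SPRoleDefinition
        $role.Name            = $levelName
        $role.Description     = "Check in or discard documents checked out to other users."
        $role.BasePermissions = "CancelCheckout"
        $web.RoleDefinitions.Add($role)
    }

    # 2. Grant the level to the restricted group.
    $group      = $web.SiteGroups[$groupName]
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$levelName])
    $web.RoleAssignments.Add($assignment)

    # 3. Review: list every principal on the top-level site whose permission
    #    levels include Override Check Out, either directly or through a
    #    level that contains all permissions (reported as FullMask).
    foreach ($ra in $web.RoleAssignments) {
        $holding = @($ra.RoleDefinitionBindings | Where-Object {
            $names = $_.BasePermissions.ToString() -split ',\s*'
            ($names -contains "CancelCheckout") -or ($names -contains "FullMask")
        } | ForEach-Object { $_.Name })

        if ($holding.Count -gt 0) {
            New-Object PSObject -Property @{
                Principal = $ra.Member.Name
                Levels    = ($holding -join ", ")
            }
        }
    }
}
finally { $site.Dispose() }
```

The review in step 3 also surfaces principals that already hold the permission through other levels, which is how the restricted set of users described above can be checked after the new level is assigned.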


Lesson 3

Securing and Auditing SharePoint Content

SharePoint also provides a range of settings at the Web application level; as a farm administrator, you can use these to impose restrictions on site collection administrators and set policies that govern users, anonymous access, and permissions. You can also set up auditing to record user actions and ensure that you can always determine who made a particular change.

After completing this lesson, you will be able to:
• Set up user policies for a Web application.
• Manage permissions that are available in a Web application.
• Configure auditing for a site collection.


Web Application Security

In the SharePoint Central Administration site, when you manage a web application, you can set a range of security options. These settings determine, for example, default permission levels that appear in every site collection in the Web application. Farm administrators can use web application security settings to restrict the capabilities of site collection administrators.

User Policy
With user policies, you can grant user accounts or groups permission levels that apply to all site collections in the Web application. These policies override permissions set at lower levels by site collection administrators. To configure a user policy, first select the Web application you wish to administer, and then click User Policy. When you add a policy you can select the zone to which it applies. In this way, you can apply a different policy to a user depending on the authentication mechanism the user used to connect.

Anonymous Policy
The anonymous policy for a Web application restricts what anonymous users can do. You can use anonymous policies to deny users Write access or prevent any access at all. As with user policies, you can apply different anonymous policies to users depending on the zone through which they connect.

Permission Policy
In the permission policy for a Web application, you can create permission levels just as you do in site collections. The permission levels in the Web application policy appear as default permission levels for all site collections in that application. Also, these permission levels are those selectable in the user policy.

Note: Site templates may add extra default permissions to sites as you create them.

Managing Web Application Permissions

You can also restrict the permissions that are available in the site collections in a web application. This is an unusual step, but you might find it useful when you need to place boundaries on user actions throughout a site collection.

Web Application User Permissions


In Central Administration, click Manage Web Applications, and then select the web application you want to configure. On the ribbon, click the Web Application User Permissions button. The User Permissions For Web Application dialog appears and displays all the permissions available for lists, sites, and personalization. If you wish to prevent any user in the web application from performing an action, you can remove the corresponding permission from this list, and then click Save. When you remove a permission in this way it is no longer available to add to permission levels or to apply to sites, lists, or items anywhere in the site collections in that web application.

Configuring Auditing

You can use auditing to create a record of the actions of users. Use this record to examine who is doing what in your SharePoint farm. By examining audit reports regularly, you can be confident that permissions are appropriate, users are viewing information appropriate to their role, and sensitive documents are not being seen by unauthorized personnel. Auditing is thus essential for good security.

Configuring SharePoint Auditing


In SharePoint 2010, auditing is configured at the site collection level:
1. In a site collection top-level site, click Site Settings.
2. Under Site Collection Administration, click Site collection audit settings.

With the Audit Log Trimming settings, you can ensure that audit logs are stored for a limited time and so do not consume large amounts of disk space. Specify the number of days to keep audit logs and a location to store audit log reports.

Viewing Audit Reports


After auditing is configured and running, you should regularly examine audit logs to spot unauthorized or inappropriate access.
1. In a site collection top-level site, click Site Settings.
2. Under Site Collection Administration, click Audit log reports.

A large range of audit reports is available to display different events in your site collection, and you can also create custom reports. Only site collection administrators can view audit reports.
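The same audit settings can be applied and reviewed from the SharePoint 2010 Management Shell. The following is an added example, not part of the course material: it turns on a set of audit events for the lab's IT site collection, enables log trimming, and lists the security-related events of the last seven days. The selected events, the 90-day retention, and the seven-day window are assumptions chosen for illustration.

```powershell
# Added example: run in the SharePoint 2010 Management Shell as a site collection
# administrator of the target site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$site = Get-SPSite "http://intranet.contoso.com/sites/IT"
try {
    # 1. Choose which events are written to the audit log (assumed selection).
    $site.Audit.AuditFlags =
        [Microsoft.SharePoint.SPAuditMaskType]'Update, Delete, CheckOut, CheckIn, SecurityChange'
    $site.Audit.Update()

    # 2. Audit log trimming: keep entries for a limited number of days so the
    #    log does not grow without bound (90 is an assumed value).
    $site.TrimAuditLog = $true
    $site.AuditLogTrimmingRetention = 90

    # 3. Review: pull the last seven days of entries and keep only the events
    #    that change who can do what (group membership, permission levels,
    #    role assignments, broken inheritance).
    $securityEvents = 'SecGroupCreate', 'SecGroupDelete',
                      'SecGroupMemberAdd', 'SecGroupMemberDel',
                      'SecRoleDefCreate', 'SecRoleDefModify', 'SecRoleDefDelete',
                      'SecRoleBindUpdate', 'SecRoleBindBreakInherit'

    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.SetRangeStart([DateTime]::UtcNow.AddDays(-7))

    $users = $site.RootWeb.SiteUsers
    $site.Audit.GetEntries($query) |
        Where-Object { $securityEvents -contains $_.Event.ToString() } |
        ForEach-Object {
            $entry = $_
            # Resolve the numeric user ID to a login name; fall back to the ID
            # for accounts that are no longer in the site collection.
            $login = "(user id $($entry.UserId))"
            try { $login = $users.GetByID($entry.UserId).LoginName } catch { }

            New-Object PSObject -Property @{
                OccurredUtc = $entry.Occurred
                Event       = $entry.Event
                User        = $login
                Location    = $entry.DocLocation
            }
        } |
        Sort-Object OccurredUtc |
        Format-Table OccurredUtc, Event, User, Location -AutoSize
}
finally {
    $site.Dispose()
}
```

An empty result after known permission changes usually means the Security Change event was not yet being audited when the changes were made.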

Lab: Configuring Security for SharePoint Content

Scenario
You have created an intranet on a new SharePoint 2010 farm at Contoso, Ltd. You have been tasked with helping set up users, groups, and permissions on the intranet until governance and training are in place, at which point permission management will be delegated to site collection administrators. Additionally, you must configure SharePoint to support the business requirement that the internal security and compliance audit team has the ability to access all information stored on the intranet.

Log on to the virtual machine for this lab.


1. Start 10174A-CONTOSO-DC-D.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.

Exercise 1: Managing SharePoint Groups


The IT site collection must be secured so that users in the IT department can make changes and users from other departments can view but not modify content. Additionally, you have been asked to add a group to each team site that assigns the Design permission level to its members. The main tasks for this exercise are as follows:
1. Add a user to a site's Members group.
2. Verify that the member can sign in.
3. Add a user to a site's Visitors group.
4. Verify that the visitor can sign in.
5. Create a new group and assign it the Design permission level.

Task 1: Add a user to a site's Members group.
- Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password Pa$$w0rd.
- Open Windows Internet Explorer, and then browse to http://intranet.contoso.com/sites/IT.
- Add the user CONTOSO\SanjayS to the site, assigning him to the Information Technology Members [Contribute] group.

You have now added Sanjay Shah, the Contoso chief technology officer (CTO), as a contributor to the IT intranet Web, which gives him Read and Write permissions.

Task 2: Verify that the member can sign in.
- Browse to http://intranet.contoso.com/sites/IT.
- Sign in to the site as CONTOSO\SanjayS with the password Pa$$w0rd.
- Add a new task to the Tasks list titled Select SharePoint Governance Team.

Task 3: Add a user to a site's Visitors group.
- Sign in to the site as CONTOSO\SP_Admin with the password Pa$$w0rd.
- Observe the membership of the Information Technology Visitors group, and then add the user CONTOSO\JeffL to the group.

You have now added Jeff Low, the Contoso vice president of finance, as a visitor to the IT intranet Web, which gives him Read permission.

Task 4: Verify that the visitor can sign in.
- Browse to http://intranet.contoso.com/sites/IT.
- Sign in to the site as CONTOSO\JeffL with the password Pa$$w0rd.
- Verify that you do not see the Add new item link in the Tasks list.

Task 5: Create a new group and assign it the Design permission level.
- Sign in to the site as CONTOSO\SP_Admin with the password Pa$$w0rd.
- Create a new group named Information Technology Dept Designers, and give it the Design permission level.
- Configure the group's description to read as follows: Use this group to grant people Design permissions to the SharePoint site: Information Technology Dept.

Results: After this exercise, you should have added users to the Members and Visitors groups and created a new SharePoint group.

Exercise 2: Creating Custom Permission Levels


Lola Jacobsen has been tasked with monitoring the usage of the IT Web and all other intranet Webs. You must configure the least privilege permissions required for her to access the out of the box Web Analytics reports. You want to implement best practice, role-based management, so you will create a group with which to assign her the required permissions. The main tasks for this exercise are as follows:
1. Create a custom permission level to allow viewing Web analytics reports.
2. Attempt to view Web analytics reports.
3. Add a permission to the custom permission level.
4. Validate the functionality of the custom permission level.

Task 1: Create a custom permission level to allow viewing Web analytics reports.
- Create a custom permission level named View Usage with the description Can see only usage data about this site. Assign the View Web Analytics Data permission. Additional permissions will be selected automatically.
- Create a group named Usage Monitors with the description Use this group to grant people permission to view Web Analytics data for the SharePoint site: Information Technology Dept. Assign the group the View Usage permission level.
- Add the user CONTOSO\LolaJ to the group.

Task 2: Attempt to view Web analytics reports.
- Browse to http://intranet.contoso.com/sites/IT, and then sign in as CONTOSO\LolaJ with the password Pa$$w0rd. You will be denied access.
- Browse to the usage reports page http://intranet.contoso.com/sites/it/_layouts/usageDetails.aspx. Again, you will be denied access because, although you have permission to access Web analytics data, you do not yet have permission to view the default application pages that present that data.

Task 3: Add a permission to the custom permission level.
- Sign in to the IT site as CONTOSO\SP_Admin with the password Pa$$w0rd.
- Edit the View Usage permission level, adding the View Application Pages permission.

Task 4: Validate the functionality of the custom permission level.
- Browse to http://intranet.contoso.com/sites/IT, and then sign in as CONTOSO\LolaJ with the password Pa$$w0rd. You will be denied access.
- Browse to the site settings page, http://intranet.contoso.com/sites/it/_layouts/settings.aspx.
- Examine the Site Web Analytics reports and the Site Collection Web Analytics reports.

Results: After this exercise, you should have created a new custom permission level assigned to a custom group that gives users the ability to view Web Analytics reports.
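The steps of Exercise 2 can also be scripted, with a permission check before and after the change so that you can see exactly what the custom level grants. This is an added example, not part of the lab files. It assumes that the permissions the browser selects automatically for View Web Analytics Data are View Pages and Open; `Show-Access` is a hypothetical helper name.

```powershell
# Added example: run in the SharePoint 2010 Management Shell with Full Control
# on the IT site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url   = "http://intranet.contoso.com/sites/IT"
$login = 'CONTOSO\LolaJ'

# Hypothetical helper: reports whether a user holds selected base permissions.
# A fresh SPWeb is opened for each call so that no cached permission data is used.
function Show-Access($Url, $Login) {
    $w = Get-SPWeb $Url
    try {
        foreach ($name in 'ViewUsageData', 'ViewFormPages', 'EditListItems') {
            $perm = [Microsoft.SharePoint.SPBasePermissions]$name
            New-Object PSObject -Property @{
                Permission = $name
                Granted    = $w.DoesUserHavePermissions($Login, $perm)
            }
        }
    }
    finally { $w.Dispose() }
}

$web = Get-SPWeb $url
try {
    # Task 1: permission level with View Web Analytics Data (ViewUsageData)
    # plus its dependent permissions (assumed: View Pages and Open).
    $level = $web.RoleDefinitions | Where-Object { $_.Name -eq 'View Usage' }
    if (-not $level) {
        $new = New-Object Microsoft.SharePoint.SPRoleDefinition
        $new.Name            = 'View Usage'
        $new.Description     = 'Can see only usage data about this site.'
        $new.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]'ViewUsageData, ViewPages, Open'
        $web.RoleDefinitions.Add($new)
        $level = $web.RoleDefinitions['View Usage']
    }

    # Task 1 (continued): group that carries the level, with LolaJ as a member.
    $group = $web.SiteGroups | Where-Object { $_.Name -eq 'Usage Monitors' }
    if (-not $group) {
        $description = 'Use this group to grant people permission to view Web Analytics ' +
                       'data for the SharePoint site: Information Technology Dept'
        $web.SiteGroups.Add('Usage Monitors', $web.Site.Owner, $null, $description)
        $group = $web.SiteGroups['Usage Monitors']

        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
        $assignment.RoleDefinitionBindings.Add($level)
        $web.RoleAssignments.Add($assignment)
    }
    $group.AddUser($web.EnsureUser($login))

    # Task 2: effective permissions before the change.
    Show-Access $url $login | Format-Table Permission, Granted -AutoSize

    # Task 3: add View Application Pages (ViewFormPages) to the level.
    $level.BasePermissions =
        [Microsoft.SharePoint.SPBasePermissions]'ViewUsageData, ViewPages, Open, ViewFormPages'
    $level.Update()

    # Task 4: effective permissions after the change. EditListItems is included
    # in the check to confirm that the level still grants no write access.
    Show-Access $url $login | Format-Table Permission, Granted -AutoSize
}
finally {
    $web.Dispose()
}
```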

Exercise 3: Managing Permissions and Inheritance


You want to create a folder in which Lola Jacobsen can save usage reports she generates. Because Lola is not in the IT department itself, she should not have Contribute permission to the entire IT Web. In this exercise, you manage permissions and experience the behavior of the security-trimmed SharePoint interface. The main tasks for this exercise are as follows:
1. Add a document and a folder to a library.
2. Assign permissions to a folder.
3. Verify the behavior of SharePoint permissions.

Task 1: Add a document and a folder to a library.
- Browse to http://intranet.contoso.com/sites/IT.
- Sign in to the site as CONTOSO\SP_Admin with the password Pa$$w0rd.
- Open the Shared Documents document library.
- Upload the document D:\Labfiles\LAB06\ IT Policies and Procedures for SharePoint 2010.
- Create a new folder in the document library named Usage Reports.

Task 2: Assign permissions to a folder.
- Configure permissions on the Usage Reports folder so that the only permission on the folder is one that gives CONTOSO\LolaJ the Full Control permission level.

Task 3: Verify the behavior of SharePoint permissions.
- Browse to http://intranet.contoso.com/sites/IT.
- Sign in to the site as CONTOSO\LolaJ with the password Pa$$w0rd. You will be denied access because LolaJ does not have permission to the home page.
- Type the URL of the Shared Documents document library. You are able to see the Usage Reports folder but not the policies document.
- Close all open Internet Explorer windows.

Results: After this exercise, you should have configured a list and list item with custom permissions.

Exercise 4: Creating a Web Application Policy


The SharePoint governance plan at Contoso specifies that a group of internal auditors will have the ability to view all content to ensure compliance with information security and information management policies. This group will have Read access to content. Additionally, a group must have the ability to access all content with Full Control permission in the event that noncompliant content must be removed, but the group with this level of access will not include any user accounts unless and until action must be taken. Finally, the environment must support the ability to deny one or more users access to SharePoint, in the event of a security incident. The main tasks for this exercise are as follows:
1. Add a user to a group.
2. Create groups.
3. Create a Read Web application policy.
4. Create a Full Control Web application policy.
5. Create a deny Web application policy.
6. Verify the behavior of SharePoint Web application policies.

Task 1: Add a user to a group.
- On SP2010-WFE1, start Active Directory Users and Computers with the Run as different user option. Enter the user name CONTOSO\Administrator and the password Pa$$w0rd.
- Open the Users container.
- Create a new group named SharePoint Content Auditors.
- Add CONTOSO\JimD to the SharePoint Content Auditors group.

Task 2: Create groups.
- Create a group named SharePoint Full Control Policy.
- Create a group named SharePoint Deny Policy, and then close Active Directory Users and Computers.

Task 3: Create a Read Web application policy.
- Open Central Administration.
- In the User Policy for the intranet Web application, add a user policy that gives CONTOSO\SharePoint Content Auditors the ability to read all content from all zones.

Task 4: Create a Full Control Web application policy.
- Add a user policy that gives CONTOSO\SharePoint Full Control Policy full control of all content from all zones.

Task 5: Create a Deny Web application policy.
- Add a user policy that denies CONTOSO\SharePoint Deny Policy any access from all zones.

Task 6: Verify the behavior of SharePoint Web application policies.
- Browse to http://intranet.contoso.com/sites/IT.
- Sign in to the site as CONTOSO\JimD with the password Pa$$w0rd.
- Verify that you do not see the Add new item link in the Tasks list.
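The user policies described in the Web Application Security topic and created in Exercise 4 can also be set, and more importantly reviewed, from the SharePoint 2010 Management Shell. The following is an added example, not part of the lab files. It assumes that the intranet Web application uses classic-mode (Windows) authentication and that the three Active Directory groups from Tasks 1 and 2 already exist; `Get-WebAppPolicyReport` is a hypothetical helper name.

```powershell
# Added example: run in the SharePoint 2010 Management Shell as a farm administrator.
# Assumption: classic-mode authentication, so accounts are written DOMAIN\name;
# a claims-mode Web application expects claims-encoded names instead.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication "http://intranet.contoso.com"

# Group-to-role mapping from Exercise 4 (role names are SPPolicyRoleType members).
$wanted = @(
    @{ Account = 'CONTOSO\SharePoint Content Auditors';    Role = 'FullRead'    },
    @{ Account = 'CONTOSO\SharePoint Full Control Policy'; Role = 'FullControl' },
    @{ Account = 'CONTOSO\SharePoint Deny Policy';         Role = 'DenyAll'     }
)

foreach ($entry in $wanted) {
    $roleType = [Microsoft.SharePoint.Administration.SPPolicyRoleType]$entry.Role
    $role     = $wa.PolicyRoles.GetSpecialRole($roleType)

    # $wa.Policies applies to all zones; $wa.ZonePolicies(<SPUrlZone>) would
    # scope the policy to a single zone instead.
    $policy = $wa.Policies | Where-Object { $_.UserName -eq $entry.Account }
    if (-not $policy) {
        $displayName = $entry.Account.Split('\')[1]
        $policy = $wa.Policies.Add($entry.Account, $displayName)
    }
    if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Type -eq $roleType })) {
        $policy.PolicyRoleBindings.Add($role)
    }
}
$wa.Update()

# Review: list every policy entry for the Web application, per scope, and mark
# the entries that override site collection permissions with Full Control or
# block access with a deny role.
function Get-WebAppPolicyReport($WebApp) {
    $scopes = @{ 'All zones' = $WebApp.Policies }
    foreach ($zone in $WebApp.IisSettings.Keys) {
        $scopes["Zone: $zone"] = $WebApp.ZonePolicies($zone)
    }
    foreach ($scope in $scopes.Keys) {
        foreach ($p in $scopes[$scope]) {
            $roles = @($p.PolicyRoleBindings | ForEach-Object { $_.Type.ToString() })
            New-Object PSObject -Property @{
                Scope    = $scope
                Account  = $p.UserName
                Roles    = $roles -join ', '
                IsSystem = $p.IsSystemUser
                Review   = [bool]($roles -match 'FullControl|Deny')
            }
        }
    }
}

Get-WebAppPolicyReport $wa |
    Sort-Object Scope, Account |
    Format-Table Scope, Account, Roles, IsSystem, Review -AutoSize
```

Because these policies override permissions set in every site collection, rows marked Review are the ones to compare against the governance plan, together with the current membership of the groups they name.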

To prepare for the next module.


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
- On the host computer, start Microsoft Hyper-V Manager.
- Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
- In the Revert Virtual Machine dialog, click Revert.

Module Review and Takeaways

Review Questions
1. What differences exist between the available permissions and the behavior of inheritance in SharePoint in contrast to a folder on an NTFS volume?
2. Describe scenarios, other than auditing, in which a Web application policy would be useful.

Module 7
Managing SharePoint Customizations
Contents:
- Lesson 1: Customizing Microsoft SharePoint
- Lesson 2: Deploying and Managing Features and Solutions
- Lesson 3: Configuring Sandboxed Solutions
- Lab A: Administering Features and Solutions
- Lab B: Administering Sandboxed Solutions

Module Overview

Microsoft SharePoint 2010 provides a number of facilities to support customization by a variety of users; these rich capabilities encompass both the simple and the complex. For example, a user can apply a new theme to her own My Site, or a developer can create a custom solution, built on SharePoint, that includes custom Web Parts, forms, workflows, timer jobs, and Microsoft Silverlight applications. This model makes SharePoint extremely flexible but, importantly, it also includes features to retain control of server resources and to ensure stability and flexibility. In this module, you learn how to make customizations and control customizations made by both users and developers.

Objectives
After completing this module, you will be able to:
- Customize SharePoint installations to suit your organizational needs.
- Deploy and manage SharePoint features and solutions.
- Configure sandboxed solutions.

Lesson 1

Customizing Microsoft SharePoint

You can use several different tools to customize SharePoint to meet your requirements. For example, in the browser you can apply themes and add Web Parts to pages. To make more extensive changes, you may need to use Microsoft SharePoint Designer 2010. For advanced customization, developers commonly use Microsoft Visual Studio 2010, which includes advanced integration with the SharePoint platform. As a SharePoint administrator, you should understand the changes developers can make so you can ensure the SharePoint farm remains stable and secure when it runs custom code.

After completing this lesson, you will be able to:
- Describe the different methods available for SharePoint 2010 customization.
- Customize SharePoint pages in the browser.
- Use SharePoint Designer 2010 to make custom changes to a SharePoint site.
- Describe customizations that developers can make with code.

Methods for Customizing SharePoint

Some SharePoint customizations are quick and easy to use and make simple changes; you can make these changes in the browser. Others require extensive expertise but are very powerful; you need specialist tools to make these changes.

Note: The customizations that each user can complete are restricted by their permissions and permission levels. For example, contributors cannot, by default, choose or modify master pages.

Customizing SharePoint Sites in a Web Browser


Many customizations to SharePoint can be completed in the browser and require no special tools. Any user or administrator can complete these tasks provided they have sufficient permissions. Site owners, for example, can make many of these changes. In the browser, you can:
- Choose a site theme.
- Choose a different master page.
- Create a new Web Part page.
- Change the Web Parts on a Web Part page.
- Create lists and libraries.
- Create content types.

Customizing SharePoint Sites in SharePoint Designer


If you cannot complete a customization task in the browser, you will often find it is possible with Microsoft SharePoint Designer 2010. SharePoint Designer is intended for use by power users and administrators who want to customize SharePoint sites to closely target the needs of their teams. SharePoint Designer requires no custom code or .NET framework knowledge; in other words, you need not be a developer to use SharePoint Designer. In SharePoint Designer, you can complete all the customizations that are possible in the browser. In addition, you can:
- Create new master pages.
- Create new forms or customize default forms.
- Create new workflows to manage business processes.
- Make connections to external databases or systems to integrate them with SharePoint. These are Business Connectivity Services (BCS) connections.

Customizing SharePoint with Visual Studio


Microsoft Visual Studio 2010 enables the broadest array of customization to SharePoint 2010. You can build any custom SharePoint solution with this tool and deploy it to multiple SharePoint farms throughout your organization or in other organizations. Developers will find tight integration between SharePoint and Visual Studio for development, deployment, and debugging. With Visual Studio, developers can create:
- Custom Web Parts to be used on SharePoint pages.
- Custom master pages and style sheets.
- Custom timer jobs to take actions on a schedule defined by administrators.
- Workflows with custom code or custom activities.
- Silverlight applications.
- Custom BCS connection types.

Customizing SharePoint in the Browser

You can begin customizing a SharePoint site in the browser user interface you already use to access SharePoint.

Browser Customization Scenarios


When an administrator or user creates a SharePoint site, they select a site template. Built-in site templates include the Team Site template, the Wiki template, and the Publishing Site template amongst others. The template you choose determines the default lists, libraries, pages, and other features of the site, but you can add to these when the site is created. Consider, for example, a company in which a new site is created, based on the Publishing Site template, for each new publishing project. This arrangement works well but in the latest project, the project manager wants to manage customer contacts as well as documents. To do this she can add a contacts list to the site. She can also use a Web Part to display the contacts on the site home page.

Browser Customizations
In the browser interface, the customizations you can make include the following:
- Change the site theme. A theme applies a set of colors and fonts to a site. In addition, you can upload a theme from a Microsoft Office PowerPoint slide deck and use it as a SharePoint theme. This is a simple way to apply corporate colors and fonts to a SharePoint site.
- Change the master page. A master page is an ASP.NET Web page with a set of common controls and other common features. For example, in SharePoint, the Quick Launch control is part of the master page. SharePoint includes several master pages and your organization can create more by using SharePoint Designer or Visual Studio. In the browser, you can choose the master page from the existing list but you cannot create new master pages.
- Add lists and libraries. You can choose from various types of lists and libraries, such as calendars and asset libraries.
- Add content types. A content type describes a new kind of item and document.
- Edit text. For example, users can edit the "Wake Up Call Service Control" text in the slide screenshot.
- Add images. You can insert images to illustrate a point or enliven the page.
- Add rich graphs. You can visualize data by using the Chart Web Part.

SharePoint Designer

Microsoft SharePoint Designer 2010 is designed to enable advanced customization in SharePoint sites and farms. Power users, administrators, and developers use SharePoint Designer to create and configure sites, modify their look-and-feel, create lists and libraries, assign permissions, and so forth. You can use all the features of SharePoint Designer without writing any .NET code.

SharePoint Designer Customizations


All the customizations that are possible in the browser are also possible in SharePoint Designer. For example, you can create content types by using either the browser or SharePoint Designer; use whichever tool you prefer. However, some tasks are possible in SharePoint Designer that are not possible in the browser. These include:
- Creating custom workflows to model and manage business processes.
- Editing HTML in site pages.
- Creating and editing master pages and page layouts.
- Connecting to external data by creating BCS connections and external content types.
- Customizing default forms for list items and workflows.
- Displaying external data in SharePoint sites, and enabling SharePoint users to edit it, by creating external lists.

Custom Code Projects

Microsoft Visual Studio 2010 provides the greatest array of possibilities for customizing SharePoint 2010. In many cases, where a customization cannot be completed in SharePoint Designer, you may need to work with a developer who uses Visual Studio.

Visual Studio Customizations


The following are examples of customizations that you can build only in Visual Studio:
- Custom Web Parts to be used on SharePoint pages.
- Custom timer jobs to take actions on a schedule defined by administrators.
- Workflows with custom code or custom activities.
- Silverlight applications.
- Custom BCS connection types.
- Custom feature receivers that run code when features are activated or deactivated.
- Custom event receivers that run code when a SharePoint event occurs. When a user creates a new item in a SharePoint list, for example, an event receiver can respond.

Use Visual Studio for any solution that requires custom compiled code.

Administrating Custom Code Projects


Developers should not use your production SharePoint farm to run custom code until it is complete, stable, and thoroughly tested as documented and recommended in standard software development lifecycle processes. Instead, it is recommended that developers use a development SharePoint farm to test and validate their solutions. For example, developers can install SharePoint on a Microsoft Windows 7 computer specifically for this purpose or implement a virtual environment that closely represents the target production environment.

When a custom code project is complete, you must deploy it to the production SharePoint farm that you administer. Developers should be encouraged to package their customizations into SharePoint features or solution packages for ease of deployment and management. Administrators must therefore install these features or solution packages into the production farm and activate them. At that point, the custom functionality becomes available for users. These administration tasks are described in Lesson 2.

Lesson 2

Deploying and Managing Features and Solutions

A SharePoint feature is a set of functionality that administrators can activate or deactivate at any time. SharePoint includes many features out of the box and developers can add more by creating them in Visual Studio. Multiple features can be packaged with other components into a solution package. A solution package is a complete set of customizations to SharePoint that can be installed in a single operation, but may make changes across your SharePoint organization. Administrators commonly must install, activate, upgrade, deactivate, and remove features and solution packages, so it is essential to understand these SharePoint objects.

After completing this lesson, you will be able to:
- Describe features and how administrators enable them.
- Explain the content of features created by developers and third parties.
- Deploy and activate features in a SharePoint farm.
- Describe farm solutions and contrast them with features.
- Add and install farm solutions in a SharePoint farm.
- Understand the Developer Dashboard and describe the information it presents.
- Enable the Developer Dashboard.

Features

A SharePoint feature is a set of functionality that an administrator can enable or disable. Features can include many types of objects, for example, Web Parts, workflows, and forms. When an administrator enables a feature, all the functionality that is part of it is enabled and becomes available to users.

Feature Scope
A SharePoint feature is installed into one of four possible scopes depending on where its functionality is relevant and who should administer the feature. These include the following:
- Farm Scope: These features can include customizations that apply throughout the SharePoint farm across multiple servers, site collections, and web applications. Farm scope features are enabled and disabled by farm administrators.
- Web Application Scope: These features can include customizations to all servers that host a web application. Web application scope features are enabled and disabled by farm administrators.
- Site Collection Scope: These features can include customizations to a single site collection and its subsites. Site collection scope features are enabled and disabled by site collection administrators.
- Website Scope: These features can include customizations to a single SharePoint site only. Website scope features are enabled and disabled by site administrators, site collection administrators, and site owners.

Built-In Features
Much of the out of the box SharePoint functionality is encapsulated into features. These features allow you to enable the functionality that you need and disable the functionality that you consider unnecessary.

For example, in the slide, you can see the Content Organizer feature, which is currently enabled. If you don't use the Content Organizer to file content automatically, you can disable this feature in your site. Keep built-in features in mind when troubleshooting SharePoint: if users cannot find a tool or facility in SharePoint that they know is included in the product, it may be because a built-in feature must be enabled.

Custom Features
Custom functionality is usually encapsulated in features. Therefore, the features you see in your SharePoint system depend on the customizations you have installed. Custom features may be created by any of the following:
- Third parties. If you purchase and install a SharePoint customization, it is likely to add one or more features. These features may appear in different scopes.
- Your own developers. Developers in your organization usually build their customizations into features. You must install and activate these features to make the custom functionality available to users.

Possible Feature Contents


Features can contain many types of objects to customize SharePoint. For example:
- Web Parts and Visual Web Parts. Users can add these to Web Parts pages.
- ASP.NET User Control or Server Controls. Users cannot modify these user interface components.
- Custom Actions. These shortcuts appear on a menu in SharePoint, for example, the Site Actions menu.
- List Instances. These ensure that when the feature is activated, a new list is created.
- List Templates. Users can use these templates to create new lists.
- Modules. These are files that are automatically added to SharePoint by the feature.
- Feature Receivers. These contain code that runs when a feature is activated.
- Content Types. These define new types of items or documents.
- Field. These can be assembled into content types.
- Workflows. These model and manage a business process.

Deploying and Activating Features

When a developer has created a SharePoint feature to encapsulate the customizations they have programmed, you must install and activate it to make the custom functionality available to users.

Deploying Features
A feature consists of a folder hierarchy. The top folder name is the name of the feature and it contains a file called Feature.xml and other files and folders. To begin deploying your feature, copy this folder to the following location:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\FEATURES

Now that the feature is in the right location, you must install it. To do this you can use Windows PowerShell:
Install-SPFeature -Path "ContosoProjects"

Alternatively, you can install the feature by using Stsadm.exe:


Stsadm -o installfeature -filename ContosoProjects\feature.xml

When you have installed the feature, it is visible in the list of features at the correct scope. The scope is determined by the developer when they create the feature.

Activating Features
Although you have installed your feature, its functionality is not available to users until you activate it. You can do this in the browser interface. For example, if the feature is site-scoped:
1. In the site where you want to use the feature, click Site Actions, and then click Site Settings.
2. Click Site Features.
3. Locate the feature and then click its Activate button.

You can also activate features by using PowerShell:


Enable-SPFeature -Identity ContosoProjects

Alternatively, you can activate a feature with Stsadm.exe:


Stsadm -o activatefeature -name ContosoProjects

When you have installed and activated a feature, users can begin to employ its custom functionality.

Note: If you have multiple web front-end servers in your SharePoint farm, you must install each feature on every web front-end server to ensure its availability. In many cases, you do not install features manually but as part of solution packages, which are described later.

If you want to deactivate and remove features, similar PowerShell commands and Stsadm.exe options are used.

Note: If a feature is incorporated into a solution package, administrators need not deploy the feature to each web front-end server in the farm. For more information about deploying solution packages, see the topic that follows.

Farm Solutions

As you have seen, a SharePoint feature is a set of functionality that administrators can enable or disable in a single operation. By contrast, a SharePoint solution package is a set of functionality that administrators can install in a single operation. Solution packages make administration and distribution of SharePoint customizations significantly easier than with features alone.

Characteristics and Creation


A solution package consists of a single file with a .wsp extension. Because it is a single file, a solution package is very easy to distribute, and administrators do not need to copy it to the Templates folder. The .wsp file is a cabinet file: a compressed file that contains all the files and information needed for the custom functionality. When developers are ready to distribute their custom project, they can create .wsp files by using the solution package designer tool in Visual Studio 2010 or alternate tools such as MAKECAB.

Package Content
A solution package can contain any number of the following:
- Features
- Site Definitions
- Assemblies
- Files
- Updates to Web.config files

Notice, for example, that you could include two features, one with site scope and one with Web application scope, in a single solution package for easy deployment.


Note: When you have multiple web front-end servers, you must install each feature on each one. However, this is not necessary with solution packages. SharePoint automatically installs the contents of your package on all front-end servers. Most third-party SharePoint customizations are distributed as solution packages, not individual features. You do not have to install these features manually, because they install with the solution package, but you might have to activate these features.
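Because a farm solution can carry assemblies and Web.config changes, it is worth listing what a package contains before it is added to the farm. The following is an added example, not part of the courseware: it extracts manifest.xml from a .wsp and summarizes it. The function names and the sample manifest are constructed for illustration, and the script assumes the standard solution manifest layout with manifest.xml at the root of the cabinet file.

```powershell
# Added example, not courseware code. Compatible with PowerShell 2.0.

function Expand-WspManifest {
    # A .wsp is a cabinet file, so expand.exe can extract manifest.xml on its own.
    param([Parameter(Mandatory = $true)][string]$LiteralPath)

    $wsp  = (Resolve-Path -LiteralPath $LiteralPath).ProviderPath
    $work = Join-Path $env:TEMP ("wsp_" + [Guid]::NewGuid().ToString("N"))
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        # The switch is quoted so that PowerShell passes it to expand.exe unchanged.
        & expand.exe $wsp "-F:manifest.xml" $work | Out-Null
        $file = Join-Path $work "manifest.xml"
        if (-not (Test-Path -LiteralPath $file)) {
            throw "manifest.xml not found in $wsp"
        }
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($file)
        return $doc
    }
    finally {
        Remove-Item -LiteralPath $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

function Get-WspManifestSummary {
    # Summarizes the parts of a solution manifest an administrator should review.
    param([Parameter(Mandatory = $true)][xml]$Manifest)

    $ns = New-Object System.Xml.XmlNamespaceManager($Manifest.NameTable)
    $ns.AddNamespace("sp", "http://schemas.microsoft.com/sharepoint/")

    $gac = @(); $bin = @(); $safeControls = 0
    foreach ($a in $Manifest.SelectNodes("/sp:Solution/sp:Assemblies/sp:Assembly", $ns)) {
        if ($a.GetAttribute("DeploymentTarget") -eq "GlobalAssemblyCache") {
            $gac += $a.GetAttribute("Location")    # GAC assemblies run with full trust
        } else {
            $bin += $a.GetAttribute("Location")    # deployed to the web application bin folder
        }
        # SafeControl entries are written into Web.config when the solution is deployed.
        $safeControls += $a.SelectNodes("sp:SafeControls/sp:SafeControl", $ns).Count
    }

    $features = @($Manifest.SelectNodes("/sp:Solution/sp:FeatureManifests/sp:FeatureManifest", $ns) |
        ForEach-Object { $_.GetAttribute("Location") })
    $siteDefs = $Manifest.SelectNodes("/sp:Solution/sp:SiteDefinitionManifests/sp:SiteDefinitionManifest", $ns).Count
    $casItems = $Manifest.SelectNodes("/sp:Solution/sp:CodeAccessSecurity/sp:PolicyItem", $ns).Count

    New-Object PSObject -Property @{
        SolutionId      = $Manifest.DocumentElement.GetAttribute("SolutionId")
        GacAssemblies   = $gac
        BinAssemblies   = $bin
        SafeControls    = $safeControls
        Features        = $features
        SiteDefinitions = $siteDefs
        CasPolicyItems  = $casItems
        InstallsToGac   = ($gac.Count -gt 0)
    } | Select-Object SolutionId, InstallsToGac, GacAssemblies, BinAssemblies,
        SafeControls, CasPolicyItems, Features, SiteDefinitions
}

# Constructed sample manifest (illustrative names and a placeholder SolutionId).
[xml]$sample = @'
<Solution xmlns="http://schemas.microsoft.com/sharepoint/"
          SolutionId="00000000-0000-0000-0000-000000000001">
  <Assemblies>
    <Assembly Location="Contoso.Projects.dll" DeploymentTarget="GlobalAssemblyCache">
      <SafeControls>
        <SafeControl Assembly="Contoso.Projects, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0000000000000000"
                     Namespace="Contoso.Projects" TypeName="*" Safe="True" />
      </SafeControls>
    </Assembly>
  </Assemblies>
  <FeatureManifests>
    <FeatureManifest Location="ContosoProjects\feature.xml" />
  </FeatureManifests>
</Solution>
'@

Get-WspManifestSummary -Manifest $sample | Format-List

# Against a real package (path taken from the commands in this lesson):
# Get-WspManifestSummary -Manifest (Expand-WspManifest "c:\custom\contososolution.wsp") | Format-List
```

The SolutionId in the output is the value that must stay the same across versions if the package is to be treated as an upgrade rather than as a new solution.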


Adding and Installing Solutions

You must be a farm administrator to add a solution to a farm and deploy it. If you are a farm administrator, you can use PowerShell or Stsadm.exe for both these operations. You can also use the browser to deploy a solution you have previously added.

Adding Solutions
When you add a solution package, you upload the package to the SharePoint solution store so that it is ready for installation. Use the following command to add a solution in PowerShell.
Add-SPSolution -LiteralPath "c:\custom\contososolution.wsp"

Notice that you do not need to copy the solution package into the SharePoint Templates folder before you add it. Instead, you supply the path to the .wsp file. Use the following command to add a solution with Stsadm.exe.
Stsadm -o addsolution -filename c:\custom\contososolution.wsp

Installing Solutions
When you deploy a solution, you install all the features and other objects it contains, and the functionality becomes available to users. Once a solution package has been added, you can view and deploy it in the browser. To do this, follow these steps:
1. Start Central Administration.
2. Click System Settings.
3. Click Manage Farm Solutions.
4. Click the solution you wish to deploy and then click Deploy.

You can deploy a solution by running the following PowerShell command.

Install-SPSolution -Identity ContosoSolution

Alternatively, you can also deploy a solution by running the following Stsadm.exe command.
Stsadm -o deploysolution -name ContosoSolution

Upgrading Solution Packages


When developers create a new version of an existing solution, they should create a solution package with a new filename, but retain the same solution ID as the original version. When you add and deploy such a solution package, SharePoint automatically upgrades the solution instead of installing a new solution.

Removing Solution Packages


To remove a solution package that you have installed, you must retract it and then remove it from the SharePoint solution store. To do this by using PowerShell, run the following commands.
Uninstall-SPSolution -Identity ContosoSolution
Remove-SPSolution -Identity ContosoSolution

To uninstall and remove a solution package by using Stsadm.exe, run the following commands.
Stsadm -o retractsolution -name ContosoSolution
Stsadm -o deletesolution -name ContosoSolution


Lesson 3

Configuring Sandboxed Solutions

Farm solutions, as created by developers in your own organization or by third parties, are powerful and can add rich functionality to your SharePoint farm. However, poorly written or untested solutions can cause problems. They can reduce stability and security and cause interruptions in service. They can consume server resources indiscriminately and reduce server responsiveness.

SharePoint 2010 introduces the sandbox as an isolated and controlled environment in which you can run code. Solutions in the sandbox are still powerful but cannot take actions that compromise stability. Administrators can set quotas on sandboxed solutions to eliminate contention and ensure the farm responds quickly. SharePoint users can also create their own sandboxed solutions or install third party solutions, while administrators remain in control of the farm.

After completing this lesson, you will be able to:
- Describe how the sandbox ensures stability.
- Configure the user code service application.
- Configure quotas and points for controlling resource usage.


Sandboxed Solutions

The SharePoint 2010 sandbox is an isolated and restricted environment in which to run solution packages. Solutions in the sandbox cannot affect stability and administrators can set strict quotas on the resources they consume.

The Sandbox Environment


The sandbox places the following restrictions on the solutions that run within it:
- Solutions run in a separate process called SPUCWorkerProcess.exe. This protects other SharePoint and Microsoft Windows services and processes.
- Solutions run a version of the SharePoint Object Model with some classes removed. These are classes that may affect security and stability if poorly used.
- Solutions run under a strict code access security policy. This increases protection against malicious code.
- Solutions are governed by resource quotas set by administrators. You can use these quotas to ensure that solutions do not over-consume resources and cause contention and slow responses.

Note: Although the sandbox is a restricted environment, solutions within it can still access most of SharePoint's facilities and remain powerful.

Sandboxed solutions are sometimes called user solutions. They are stored in the Solution Gallery in a site collection, which you can access from the Site Settings page. Site collection administrators can upload new solutions to the sandbox at any time and enable them without involving farm administrators or developers.


SharePoint Composites and the Sandbox


SharePoint composites are custom applications created by users in SharePoint sites. The browser interface, SharePoint Designer and Windows InfoPath forms can all be used to create custom applications, adapted to the needs of a team or department, without any code or developer involvement. SharePoint composites can include:
- Custom lists, libraries, and content types.
- Custom workflows.
- BCS connections to external data sources.
- Custom InfoPath forms for items and workflows.

When a SharePoint composite is complete, a user can save it as a user solution. This packages the site as a .wsp file and stores it in the Solution Gallery. You can download the .wsp file from the gallery and use it to install the composite application in other site collections or SharePoint farms. This enables users and power users to distribute their custom applications to other parts of your organization.


Configuring the User Code Service

The sandbox relies on the user code service to provide the restricted environment in which to run solutions. As an administrator, you must understand this service application and configure it in Central Administration.

User Code Service Processes


The following processes are required to support the sandbox and provide the isolated and restricted environment:
- SPUCHostService.exe. This is the user code service itself. This process manages worker processes and enforces quotas. In the services list, this process is labeled SPUserCodeV4.
- SPUCWorkerProcess.exe. This is the process in which sandboxed solutions run, isolated from other SharePoint and Windows services.
- SPUCWorkerProcessProxy.exe. This process enables the user code service to partake in the service application infrastructure.

Note: You can find these processes in the Task Manager and the SharePoint 2010 User Code Host service in the services application. However, you should not start and stop the processes and services in these tools. Instead, use Central Administration to determine where the user code service runs.

Configuring the User Code Service in Central Administration


Use the following steps to configure which servers run the user code service and support the sandbox:
1. In Central Administration, under System Settings, click Services on Server.
2. At the top of the service list, choose the SharePoint server you want to administer.
3. In the list of services, click Microsoft SharePoint Foundation Sandboxed Code Service.
4. Click Start or Stop to enable or disable the service on this server.


Configuring Quotas and Blocking Solutions

A key feature of the sandbox is the way it restricts the server resources that each solution can consume in a day. When a solution runs, an algorithm calculates points that reflect the processor time, memory usage, database queries, and other server resources that it uses. Farm administrators set a maximum number of points that each sandboxed solution can consume in a day. Administrators can also tune the algorithm to adapt it more closely to the available resources on their servers.

Setting Quotas
To set quotas for a site collection, take the following steps:
1. In Central Administration, click Application Management, and then click Configure quotas and locks.
2. At the top of the window, select the Site Collection you wish to administer.
3. Under Site Quota Information, you can specify the Maximum usage per day in points.
4. You can also specify a warning level. Administrators receive an e-mail alert when a solution exceeds this limit.

Points Calculation
SharePoint uses 14 metrics to calculate points. These include the following values:
- CPU Cycles. When the processor uses a predefined number of cycles on the sandboxed solution, a point is logged.
- Percentage Processor Time. When the sandboxed solution uses more than a predefined percentage of the processing time, a point is logged.
- Critical Exception Count. When a predefined number of exceptions occur in a sandboxed solution, a point is logged.
- Thread Count. When the solution exceeds a predefined number of threads in the SPUCWorkerProcess process, a point is logged.
- SharePoint Database Queries. When a solution initiates more than a predefined number of queries to the SharePoint content database, a point is logged.

As you can see, there is a predefined number involved in each metric. The administrator can influence the algorithm by setting these numbers in PowerShell.
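Because these numbers are farm-wide settings, it is sensible to save them before tuning and to check for drift afterwards. The following is an added example, not part of the courseware: it captures the ResourcesPerPoint and AbsoluteLimit values, reports differences against a saved baseline, and can restore the baseline. The function names, the baseline file path and the sample values are constructed for illustration; the farm functions assume the SharePoint 2010 Management Shell on a farm server.

```powershell
# Added example, not courseware code. Compatible with PowerShell 2.0.

function Get-SandboxResourceMeasure {
    # Current values from the farm, reduced to the properties an administrator tunes.
    $svc = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local
    $svc.ResourceMeasures | Select-Object Name, ResourcesPerPoint, AbsoluteLimit
}

function Compare-SandboxResourceMeasure {
    # Pure comparison: one output row per measure that differs from the baseline.
    param([object[]]$Baseline, [object[]]$Current)

    $byName = @{}
    foreach ($b in $Baseline) { $byName[$b.Name] = $b }

    foreach ($c in $Current) {
        $b = $byName[$c.Name]
        if ($b -eq $null) { continue }    # measure is not in the baseline
        if ($b.ResourcesPerPoint -ne $c.ResourcesPerPoint -or
            $b.AbsoluteLimit -ne $c.AbsoluteLimit) {
            New-Object PSObject -Property @{
                Name                      = $c.Name
                BaselineResourcesPerPoint = $b.ResourcesPerPoint
                CurrentResourcesPerPoint  = $c.ResourcesPerPoint
                BaselineAbsoluteLimit     = $b.AbsoluteLimit
                CurrentAbsoluteLimit      = $c.AbsoluteLimit
            } | Select-Object Name, BaselineResourcesPerPoint, CurrentResourcesPerPoint,
                BaselineAbsoluteLimit, CurrentAbsoluteLimit
        }
    }
}

function Restore-SandboxResourceMeasure {
    # Writes the baseline values back for every measure that has drifted.
    param([Parameter(Mandatory = $true)][string]$BaselinePath)

    $svc      = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local
    $baseline = @(Import-Clixml -Path $BaselinePath)
    $drift    = @(Compare-SandboxResourceMeasure -Baseline $baseline -Current @(Get-SandboxResourceMeasure))

    foreach ($d in $drift) {
        $measure = $svc.ResourceMeasures[$d.Name]
        $measure.ResourcesPerPoint = $d.BaselineResourcesPerPoint
        $measure.AbsoluteLimit     = $d.BaselineAbsoluteLimit
        $measure.Update()
    }
    $drift    # report what was changed
}

# Constructed sample values (not the farm defaults): the second list has
# ResourcesPerPoint lowered to 1 for one measure.
$baseline = @(
    New-Object PSObject -Property @{ Name = "SharePointDatabaseQueryCount"; ResourcesPerPoint = 50.0; AbsoluteLimit = 500.0 }
    New-Object PSObject -Property @{ Name = "ThreadCount"; ResourcesPerPoint = 10.0; AbsoluteLimit = 100.0 }
)
$current = @(
    New-Object PSObject -Property @{ Name = "SharePointDatabaseQueryCount"; ResourcesPerPoint = 1.0; AbsoluteLimit = 500.0 }
    New-Object PSObject -Property @{ Name = "ThreadCount"; ResourcesPerPoint = 10.0; AbsoluteLimit = 100.0 }
)
Compare-SandboxResourceMeasure -Baseline $baseline -Current $current | Format-List

# On a farm server, before tuning (the file path is a placeholder):
#   Get-SandboxResourceMeasure | Export-Clixml -Path C:\ResourceMeasures.baseline.xml
# Later, to report drift and write the baseline back:
#   Restore-SandboxResourceMeasure -BaselinePath C:\ResourceMeasures.baseline.xml
```

A lower ResourcesPerPoint means a solution reaches its daily point quota sooner for the same amount of work, so unexpected drift in either direction changes how quickly sandboxed code is throttled.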

Blocking a Sandboxed Solution


Farm administrators can also block any sandboxed solution. Usually an administrator does this when the solution consumes resources too heavily or poses a security issue. To block a solution, follow these steps:
1. Start Central Administration and then click System Settings.
2. Under Farm Management, click Manage user solutions.
3. In the File box in the Solution Restrictions section of the Sandboxed Solution Management page, either type the full path of the file that contains the solution to block, or use the Browse button to browse for the file to block.
4. Optionally, type a message in the Message box. This message will be displayed when a user tries to use the solution.
5. Click Block and then click OK.


Lab A: Administering Features and Solutions

Scenario
You have just installed a new SharePoint 2010 farm at Contoso, Ltd. Several developers would like to test the functionality of features and solutions they created for SharePoint 2007. Corporate IT policy states that only administrators may modify the production environments, so it is your job to install these features and solutions.

Start the virtual machines.


Start 10174A-CONTOSO-DC-D. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.


Exercise 1: Administering Features


The CEO has asked you to add a calendar to the intranet site. Although you have given her permissions to create lists on the intranet, she mentions that there is no option to create a calendar. Additionally, you have been asked to add a custom feature to the intranet's Site Actions menu. In this exercise, you will install, activate, deactivate, and uninstall SharePoint features. The main tasks for this exercise are as follows:
1. Activate a built-in feature.
2. Install a custom feature.
3. Activate and test a custom feature.
4. Deactivate a feature.

Task 1: Activate a built-in feature.


Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password, Pa$$w0rd. Open Microsoft Internet Explorer, and then browse to http://intranet.contoso.com. From the Site Actions menu, attempt to create a calendar list. Observe that you cannot create a calendar or contact list. Activate the Team Collaboration Lists feature. Re-attempt to create a calendar list. Observe that you can now create a calendar or contact list.

Task 2: Install a custom feature.


Open Windows Explorer and copy the folder, D:\LabFiles\Lab07\CustomAction, to the folder, C:\Program Files\Common Files\Microsoft Shared\web server extensions\14\Template\Features. Each folder in the features folder represents a feature on the SharePoint server. Close all open Windows Explorer windows. Open the SharePoint 2010 management shell and use the installfeature operation of Stsadm.exe to install the feature.

Tip: The installfeature operation is focused, by default, on the features folder. The path to the feature can be entered as a path that is relative to the Features folder.

This will install a new feature into SharePoint that enables a simple custom action in the Site Actions menu.

Task 3: Activate and test a custom feature.


On the intranet site, activate the feature JavaScript Dropdown Item. Click the Site Actions menu, and then click the new item on the menu, A Custom Action. A Message from webpage window appears with the message, Hello World. Click OK.


Task 4: Deactivate a feature.


Deactivate the JavaScript Dropdown Item feature. Confirm that the item, A Custom Action, no longer appears on the Site Actions menu. Close Internet Explorer. Results: After completing this exercise, you should have installed, activated and deactivated SharePoint features.


Exercise 2: Administering Solutions


You want to track bugs and issues with the new SharePoint farm, and you have decided to use the SharePoint bug database application template to do so. In this exercise, you will install and deploy the solutions that enable the bug database application. The main tasks for this exercise are as follows:
1. Install a solution.
2. Deploy a solution.
3. Confirm the deployment of a solution.

Task 1: Install a solution.


Use the addsolution operation of Stsadm.exe to add the following two solutions to the farm:
- D:\Labfiles\Lab07\ApplicationTemplateCore.wsp
- D:\Labfiles\Lab07\BugDatabase.wsp

Open SharePoint 2010 Central Administration, and then from System Settings open the Manage farm solutions page. Observe that the two solutions are installed, but are not deployed.

Task 2: Deploy a solution.


Deploy the two solutions, applicationtemplatecore.wsp and bugdatabase.wsp.

Task 3: Confirm the deployment of a solution.


Create a new Web site named Bug Tracking, with the URL http://intranet.contoso.com/sites/IT/Bugs and with the Bug Database site definition. Open the new bug tracking Web site. Then close all open Internet Explorer windows. Results: After completing this exercise, you should have installed and deployed SharePoint solutions to your farm.

Do not shut down the virtual machines.


Leave the virtual machines running. You will use them for Lab B.


Lab B: Administering Sandboxed Solutions

Scenario
Developers have started testing their solutions on your SharePoint farm, and some users have complained that the new solutions seem to be causing performance problems. Your manager has tasked you with examining the resource usage of the solutions and with changing the resource point settings of sandboxed solutions for the time being to prevent database queries made by custom solutions from causing problems.

Exercise 1: Administering Sandboxed Solutions


In this exercise, you will upload and test a custom solution, and examine the resource usage of that solution. The main tasks for this exercise are as follows:
1. Ensure that the code service is running.
2. Upload a sandboxed solution.
3. Test a sandboxed solution.

Task 1: Ensure that the code service is running.


In the Services console, confirm that the SharePoint 2010 User Code Host service is not started, and that it is disabled. In SharePoint 2010 Central Administration, start the Microsoft SharePoint Foundation Sandboxed Code Service. In the Services console, confirm that the SharePoint 2010 User Code Host service is started, and is set to start automatically.


Task 2: Upload a sandboxed solution.


Browse to the IT intranet site, http://intranet.contoso.com/sites/IT. Upload the solution, D:\Labfiles\Lab07\BadReceiver.wsp, and then activate the solution. Activate the site feature, BadReceiver Feature1.

Task 3: Test a sandboxed solution.


From the All Site Content page, create a new announcement in the Announcements list, with the title My Announcement. An error message appears. In the Web's Solutions Gallery, observe that the BadReceiver solution shows no resource usage. That is because the timer job has not yet calculated resource usage for the solution.

Results: After completing this exercise, you should have deployed and tested the BadReceiver solution.


Exercise 2: Modifying Sandboxed Solutions Timer Jobs


In this exercise, you will launch the timer jobs that calculate resource usage. The main tasks for this exercise are as follows:
1. Run sandboxed solution timer jobs.
2. Monitor resource usage.

Task 1: Run sandboxed solution timer jobs.


In SharePoint 2010 Central Administration, locate the timer job, Solution Resource Usage Update, for SharePoint - intranet.contoso.com80. Run the job now.

Note: Be sure to run the Solution Resource Usage Update and not the Solution Daily Resource Usage Update timer job. Running the latter will cause resource usage points to be reset.

Run the timer job, Solution Resource Usage Log Processing, for the site SharePoint - intranet.contoso.com80.

Task 2: Monitor resource usage.


Browse to the Solutions Gallery for the IT Web, and then refresh the page. The resource usage for the solution should now be updated. If you do not see the updated resource usage, then you may need to wait for up to 5 minutes for the timer jobs to execute. Results: After completing this exercise, you should have updated and executed one of the sandboxed solutions timer jobs.


Exercise 3: Configuring Sandbox Points


In this exercise, you will report the default resource point settings for sandboxed solutions, and then you will modify the points assigned to database queries. The main tasks for this exercise are as follows:
1. Review default resource measures.
2. Change default resource measure points.
3. Test modified sandboxed resource measures.
4. Deactivate the bad solution.

Task 1: Review default resource measures.


Run SharePoint 2010 Management Shell as Administrator. To export a list of default point values, type the following command:
$spusercodeservice = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local
$spusercodeservice.ResourceMeasures > c:\ResourceMeasures.txt

Open the file C:\ResourceMeasures.txt. This file contains a listing of the resource measures that are monitored for sandboxed solutions.

Find the section for SharePointDatabaseQueryCount, and then record the current values of ResourcesPerPoint and AbsoluteLimit. Close the file.

Task 2: Change default resource measure points.


In Administrator: SharePoint 2010 Management Shell, type the following commands:
$spusercodeservice = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local
$obj = $spusercodeservice.ResourceMeasures["SharePointDatabaseQueryCount"]
$obj.ResourcesPerPoint = 1
$obj.Update()
$obj | Select-Object Name,ResourcesPerPoint

This script sets the ResourcesPerPoint property for SharePointDatabaseQueryCount to 1 and will cause SharePoint database queries to increase the resource usage point count very quickly. Type the following command:
iisreset

IIS restarts and enables the new resource settings. Close Administrator: SharePoint 2010 Management Shell.

Task 3: Test modified sandboxed resource measures.


Switch to the instance of Internet Explorer that displays the IT intranet Web. It will take a few seconds to load the Web, because you recently reset IIS. From the All Site Content page, create a new announcement in the Announcements list, with the title My Next Announcement. An error message appears.


In the Web's Solutions Gallery, observe that the BadReceiver solution shows no resource usage. That is because the timer job has not yet calculated resource usage for the solution. If you see resource usage of 2.00, then you were lucky! The timer jobs executed just in time. Skip to Step 6.

Repeat Task 1 of Exercise 2 to run the sandboxed solutions timer jobs. Refresh the view of the IT intranet Web Solutions Gallery. Observe that the resource usage of the solution is increasing more rapidly. If you do not see the updated resource usage, then you may need to wait for up to 5 minutes for the timer jobs to execute.

Task 4: Deactivate the bad solution.


In the Solutions Gallery, deactivate the BadReceiver solution. Results: After completing this exercise, you should have updated the default sandboxed solution resource measures.

To prepare for the next module.


When you finish the lab, reset the virtual machines to their initial state. To do this, complete the following steps: On the host computer, start Microsoft Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert.

Question: What was the value of ResourcesPerPoint for SharePointDatabaseQueryCount? Explain the relationship between this number and one resource usage point.


Module Review and Takeaways

Review Questions
1. You want to create a workflow that models an authoring process in one of your SharePoint sites. The workflow will not contain any custom code. Would you use the browser, SharePoint Designer, or Visual Studio to create this workflow?
2. You want to connect your SharePoint farm to a SQL Server database and display external data in a SharePoint list. Would you use the browser, SharePoint Designer, or Visual Studio to make this connection?
3. A developer gives you a solution package to install on the production SharePoint server farm. The farm has 3 Web front-end servers and a dedicated database server. How many times must you install the solution?
4. A user contacts you and asks you to test a sandboxed solution that he has downloaded from a third party. He says he wants to ensure the solution does not over-consume resources on the SharePoint servers. What advice do you give him?


Module 8
Configuring and Securing SharePoint Services and Service Applications
Contents:
Lesson 1: Securing the Enterprise SharePoint Service
Lesson 2: Securing and Isolating Web Applications
Lesson 3: Services and Service Applications
Lab A: Administering SharePoint Services
Lab B: Configuring Application Security
Lab C: Configuring Service Applications


Module Overview

Configuring and securing Microsoft SharePoint and its service applications are important steps to isolate sensitive data in your organization and keep your environment free of unwanted SharePoint installations. Planning the deployment of SharePoint thoroughly is important to a successful SharePoint environment.

Objectives
After completing this module, you will be able to:
- Secure your enterprise-level SharePoint service.
- Secure web applications.
- Configure SharePoint services and service applications.


Lesson 1

Securing the Enterprise SharePoint Service

Knowing where SharePoint is installed in your organization, and who has permissions to perform those installations, is critical to maintaining security in your network infrastructure. This lesson teaches you how to track those installations and configure many of the services and accounts used to keep your SharePoint implementation secure.

Objectives
After completing this lesson, you will be able to:
- Track SharePoint installations in your organization.
- Block inappropriate SharePoint deployments.
- Approve relevant SharePoint deployments.
- Manage services on your SharePoint servers.
- Describe SharePoint services.
- Describe administrative accounts.
- Describe managed accounts.


Track SharePoint Installation

Key Points
Service connection points (SCPs), also known as Active Directory markers, are data points in Active Directory Domain Services (AD DS) that represent the presence of a SharePoint server and farm. By putting several pieces together, you can both track and control SharePoint installations in your enterprise. You can use the following process to track your SharePoint installations.
1. Use ADSIEdit to create a container object, CN=Microsoft SharePoint Products,CN=System,DC=contoso,DC=com.
   Note: You can use other container names. However, if you do, you must create a Group Policy for the domain computers to set a string value ContainerDistinguishedName under the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SharePoint. This makes it possible for the SharePoint Products Configuration Wizard to detect the new name.
2. Assign Create serviceConnectionPoint objects permission to the accounts that are used to install SharePoint.

You must follow these steps before you create the farm. The SharePoint Configuration Wizard, PSConfig.exe, checks whether the container has been created, and then creates the marker. The marker contains the URL for the Application Discovery and Load Balancer Service. You can also create markers manually by using Windows PowerShell cmdlets.

Windows PowerShell Commands


To set a service connection point, use the following command.
Set-SPFarmConfig -ServiceConnectionPointBindingInformation (Get-SPTopologyServiceApplication).URI


To delete a service connection point, use the following command.


Set-SPFarmConfig -ServiceConnectionPointDelete

To retrieve service connection point information for a farm, use the following command.
Get-SPFarmConfig -ServiceConnectionPoint

Additional Reading
- Track SharePoint 2010 Installations by Service Connection Point at http://go.microsoft.com/fwlink/?LinkID=197124&clcid=0x409
- Track or block SharePoint Server 2010 installations at http://go.microsoft.com/fwlink/?LinkID=197125&clcid=0x409
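Once markers are being written, the container can be queried to inventory farms and to flag any that are not on an approved list. The following is an added example, not part of the courseware: it reads serviceConnectionPoint objects from the container named in this lesson and compares the host in each marker's binding URL with a list of approved hosts. The function names, the approved host list and the sample markers are constructed for illustration.

```powershell
# Added example, not courseware code. Compatible with PowerShell 2.0.

function Get-SharePointMarker {
    # Reads the SharePoint markers (SCP objects) from the tracking container in AD DS.
    param([string]$ContainerDN = "CN=Microsoft SharePoint Products,CN=System,DC=contoso,DC=com")

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $ContainerDN)
    $searcher.Filter     = "(objectClass=serviceConnectionPoint)"
    $searcher.PageSize   = 500
    foreach ($name in "distinguishedName", "serviceBindingInformation", "whenCreated") {
        [void]$searcher.PropertiesToLoad.Add($name)
    }

    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            DistinguishedName  = [string]($r.Properties["distinguishedname"] | Select-Object -First 1)
            BindingInformation = @($r.Properties["servicebindinginformation"] |
                                   Where-Object { $_ } | ForEach-Object { [string]$_ })
            WhenCreated        = ($r.Properties["whencreated"] | Select-Object -First 1)
        }
    }
}

function Find-UnapprovedSharePointMarker {
    # Pure check: returns markers whose binding URL host is missing or not approved.
    param([object[]]$Marker, [string[]]$ApprovedHost)

    foreach ($m in $Marker) {
        $hosts = @()
        foreach ($binding in $m.BindingInformation) {
            $uri = $null
            if ([Uri]::TryCreate($binding, [UriKind]::Absolute, [ref]$uri)) {
                $hosts += $uri.Host
            }
        }
        $unknown = @($hosts | Where-Object { $ApprovedHost -notcontains $_ })

        if ($hosts.Count -eq 0) {
            $reason = "No usable binding URL in marker"
        } elseif ($unknown.Count -gt 0) {
            $reason = "Host not on approved list: " + ($unknown -join ", ")
        } else {
            continue
        }
        New-Object PSObject -Property @{
            DistinguishedName = $m.DistinguishedName
            WhenCreated       = $m.WhenCreated
            Reason            = $reason
        } | Select-Object DistinguishedName, WhenCreated, Reason
    }
}

# Constructed sample markers (illustrative object names, hosts and URLs).
$sample = @(
    New-Object PSObject -Property @{
        DistinguishedName  = "CN=marker-1,CN=Microsoft SharePoint Products,CN=System,DC=contoso,DC=com"
        BindingInformation = @("https://sp2010-wfe1.contoso.com:32844/Topology/topology.svc")
        WhenCreated        = [datetime]"2010-06-01"
    }
    New-Object PSObject -Property @{
        DistinguishedName  = "CN=marker-2,CN=Microsoft SharePoint Products,CN=System,DC=contoso,DC=com"
        BindingInformation = @("https://desk-0417.contoso.com:32844/Topology/topology.svc")
        WhenCreated        = [datetime]"2010-09-14"
    }
)
Find-UnapprovedSharePointMarker -Marker $sample -ApprovedHost "sp2010-wfe1.contoso.com" | Format-List

# Against the directory:
#   Find-UnapprovedSharePointMarker -Marker @(Get-SharePointMarker) -ApprovedHost "sp2010-wfe1.contoso.com"
```

A marker exists only if the container was created and the installing account could write to it before the farm was built, so an empty result does not prove that no other farms exist.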


Block SharePoint Installation

Key Points
You can block unwanted SharePoint installations in your domain by applying a group policy object (GPO). Use the following procedure to block unwanted SharePoint deployments:
1. Open the Group Policy Management tool in Administrative Tools.
2. Locate and edit the most appropriate GPO. For example, to prevent SharePoint installations on Domain Controllers, edit the Default Domain Controllers Policy GPO.
3. Under Computer Configuration, expand Preferences, expand Windows Settings, and then click Registry.
4. Create a new Registry Item.
5. Select the HKEY_LOCAL_MACHINE hive.
6. In the Key Path box, type Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint.
7. In the Value Name box, type DisableInstall.
8. In the Value Type box, select REG_DWORD.
9. In the Value Data box, type 1.
10. Click OK, and then close the Group Policy Editor and Group Policy Management tool.

After this GPO is in place in your domain, users will receive the message, "SharePoint installation is blocked in your organization. Please contact your network administrator for more details," when they try to install SharePoint.


Approve SharePoint Installation

Key Points
In an environment where you are using a GPO to block SharePoint installations, you must create a group of servers that are approved for installation. Use the following procedure to control where SharePoint can be installed.
1. Create a new group in AD DS that contains all computer objects on which SharePoint is allowed to be installed.
2. In Group Policy Management, apply a security filter to the Group Policy Object (GPO) that enables the disableinstall registry setting.
3. Grant the new group permissions. Give the group DENY - APPLY GROUP POLICY permission. This overrides the installation block for this specific group.
4. Add approved servers to the new group that you created.
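To confirm that the block and the approval exception have the intended effect, you can read the DisableInstall value on each server and compare it with the approved list. The following is an added example, not part of the courseware: it covers both the blocking GPO and the approved group described above. The function names and the sample data are constructed for illustration, and the remote read assumes that the Remote Registry service is reachable and that you have rights to read the key.

```powershell
# Added example, not courseware code. Compatible with PowerShell 2.0.

# Key path and value name from the blocking GPO procedure in this lesson.
$SharePointPolicyKey = "Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint"

function Get-SharePointInstallBlock {
    # Reports whether DisableInstall = 1 is in effect on each computer.
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    foreach ($computer in $ComputerName) {
        $state = "NotBlocked"; $detail = ""
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $computer)
            try {
                $key = $hklm.OpenSubKey($SharePointPolicyKey)
                if ($key -ne $null) {
                    if ($key.GetValue("DisableInstall", 0) -eq 1) { $state = "Blocked" }
                    $key.Close()
                }
            }
            finally { $hklm.Close() }
        }
        catch {
            # Unreachable host, Remote Registry stopped, or access denied.
            $state = "Unknown"; $detail = $_.Exception.Message
        }
        New-Object PSObject -Property @{
            ComputerName = $computer; State = $state; Detail = $detail
        } | Select-Object ComputerName, State, Detail
    }
}

function Test-SharePointInstallPolicy {
    # Pure check: returns one finding per server whose state contradicts the policy.
    param([object[]]$State, [string[]]$ApprovedServer)

    foreach ($s in $State) {
        $approved = $ApprovedServer -contains $s.ComputerName
        $finding  = $null
        if ($s.State -eq "Unknown") {
            $finding = "Could not read policy: " + $s.Detail
        }
        elseif ($approved -and $s.State -eq "Blocked") {
            $finding = "Approved server is still blocked"
        }
        elseif (-not $approved -and $s.State -eq "NotBlocked") {
            $finding = "Unapproved server is not blocked"
        }
        if ($finding) {
            New-Object PSObject -Property @{
                ComputerName = $s.ComputerName; Approved = $approved; Finding = $finding
            } | Select-Object ComputerName, Approved, Finding
        }
    }
}

# Constructed sample results (illustrative; DESK-0417 is a made-up workstation name).
$sample = @(
    New-Object PSObject -Property @{ ComputerName = "SP2010-WFE1"; State = "NotBlocked"; Detail = "" }
    New-Object PSObject -Property @{ ComputerName = "CONTOSO-DC";  State = "Blocked";    Detail = "" }
    New-Object PSObject -Property @{ ComputerName = "DESK-0417";   State = "NotBlocked"; Detail = "" }
)
Test-SharePointInstallPolicy -State $sample -ApprovedServer "SP2010-WFE1" | Format-Table -AutoSize

# Against live servers:
#   $state = @(Get-SharePointInstallBlock -ComputerName "SP2010-WFE1", "CONTOSO-DC")
#   Test-SharePointInstallPolicy -State $state -ApprovedServer "SP2010-WFE1"
```

In the sample, only DESK-0417 is reported, because it is not on the approved list and the block is not in effect there.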


Manage Services on the Server

Key Points
The SharePoint installation process creates additional Windows Services. Most of these services start and stop themselves as needed by SharePoint. The one exception is the SharePoint Timer service; this service must be running at all times for SharePoint to send email messages and perform scheduled tasks. You can manually start this service if it is in the stopped state. Some of the other services created by the SharePoint installation process are the following:
- SharePoint Administration. Performs administrative tasks for SharePoint.
- SharePoint Tracing. Manages trace output.
- SharePoint User Code Host. Executes user code in a sandbox.
- SharePoint VSS Writer. Volume Shadow Copy Service.
- SharePoint Foundation/Server Search. Provides full-text indexing and searching.


Overview of SharePoint Services

Key Points
You can manage the services in SharePoint 2010 by navigating to Manage services on the server in Central Administration. Depending on the specific version of SharePoint that you have installed, the number of services that are available to you may differ. Other products, such as Microsoft Project Server, install new services in SharePoint. You can start or stop the available services and configure them with separate permissions from Central Administration. By configuring separate permissions, you can delegate administration on each service application instance. This model allows for flexible scaling and balancing of load. These are the SharePoint services:
- Access Database Service. View/edit/interact with Microsoft Office Access 2010 databases in the browser.
- Application Registry Service. Enables users to search and collaborate around business data.
- Business Data Connectivity Service. Access line-of-business data.
- Central Administration. Central Administration Website.
- Claims to Windows Token Service. Used for claims authentication.
- Document Conversions Launcher Service. Enables document conversion.
- Document Conversions Load Balancer Service. Load balancer for document conversion.
- Excel Calculation Services. View/edit/interact with Microsoft Office Excel 2010 files.
- Lotus Notes Connector. Enables SharePoint to connect directly with Lotus Notes and retrieve data.
- Managed Metadata Web Service. Access managed taxonomy hierarchies, keywords, and social tagging infrastructure as well as content type publishing across site collections.
- Microsoft SharePoint Foundation Incoming E-Mail. Simple Mail Transfer Protocol (SMTP) for SharePoint.
- Microsoft SharePoint Foundation Sandboxed Code Service. Allows for sandboxed development.
- Microsoft SharePoint Foundation Subscription Settings Service. Tracks subscription IDs used in multi-tenant configurations.
- Microsoft SharePoint Foundation Web Application. Allows for hosting Web content.
- Microsoft SharePoint Foundation Workflow Time Service. Used for SharePoint workflow.
- PerformancePoint Service. Provides the capabilities of PerformancePoint Services.
- Search Query and Site Settings Service. Performs a query across built indexes.
- Secure Store Service. Replaces single sign-on (SSO) in SharePoint 2007. Used to store user names/passwords for external data systems.
- SharePoint Foundation Search. Provides full-text indexing and search to SharePoint users.
- SharePoint Server Search. Provides enhanced full-text indexing and search capabilities.
- User Profile Service. Allows for creation of MySites.
- User Profile Synchronization Service. Synchronizes user profiles with Active Directory data.
- Visio Graphics Service. View/edit/interact with Microsoft Visio documents.
- Web Analytics Data Processing Service. Used for processing data for Web trending and site usage.
- Web Analytics Service. Used for Web trending and site usage statistics.
- Word Automation Services. View/edit/interact with Microsoft Office Word documents.


Administrative Accounts

Key Points
SharePoint 2010 needs a few domain accounts for setup and configuration. SharePoint uses these accounts for setup and/or administrative access to the farm. You can also use separate domain accounts for other service applications. The following summary provides information about the necessary administrative accounts.

Setup User Administration Account


You use the Setup User Administration Account for initial setup for each server in your farm. This account provides the security context for running the following administrative tasks and tools: SharePoint Configuration Wizard Initial Farm Creation Wizard Windows PowerShell Farm administration

You can manage this account by using Central Administration. This account has the following requirements:
- Domain user account permissions
- Local Administrator permissions on all SharePoint servers in the farm except Microsoft SQL Server and SMTP servers
- Access to SharePoint 2010 databases
- If you are running Windows PowerShell so that it affects databases: member of db_owner role
- Assigned to dbcreator and securityadmin SQL Server roles during setup and configuration

After you have run the configuration wizards, this account assumes the following characteristics:
- Becomes a member of the WSS_ADMIN_WPG security group
- Becomes a member of the IIS_WPG role
- Is granted db_owner permissions on the Config Database and CA Content Database

Farm Service Account


You can use the Farm Service account as an application pool account for Central Administration (CA) and as a process account for the Timer service. It must have domain user account permissions. After you have run the configuration wizards, this account assumes the following characteristics:
- Becomes a member of the WSS_ADMIN_WPG security group for the Timer service
- Becomes a member of the WSS_RESTRICTED_WPG security group for the Timer service and CA application pools
- Becomes a member of the WSS_WPG group for the CA application pool
- Is granted the dbcreator and securityadmin fixed server roles
- Becomes a db_owner for all SharePoint 2010 databases
- Becomes a member of the WSS_CONTENT_APPLICATION_POOLS role for the farm configuration database and Sharepoint_Admin content database

SharePoint Foundation 2010 Search Service Account


You can use this account for the SharePoint Foundation 2010 Search Service. It must have domain user account permissions. After you have run the configuration wizards, this account assumes the following characteristics:
- Becomes a member of WSS_WPG
- Becomes a member of the WSS_CONTENT_APPLICATION_POOLS role for the farm configuration database and is assigned the following:
  - Read access to the server farm configuration database and Sharepoint_Admin content database
  - db_owner role for SharePoint Search database

SharePoint Foundation 2010 Search Content Access Account


The SharePoint Foundation 2010 Search Service uses this account to crawl content across sites. The account must have domain user account permissions and must not be a member of the Farm Admins group. After you have run the configuration wizards, the following occurs for this account:
- It is granted Read access to the server farm configuration database and Sharepoint_Admin content database.
- It is assigned the db_owner role for the SharePoint Search database.
- A full Read policy is created for this account on all Web applications.


Managed Accounts

Key Points
A managed account is an AD DS user account whose credentials are managed by and contained in SharePoint. In addition to storing the credentials of the object, SharePoint Server 2010 can also use Active Directory domain policies to reset passwords automatically while meeting the requirements established by policy. You do not have to know the password for an account to assign it to service applications in SharePoint. You can manage these accounts from Central Administration, where you can view the existing managed accounts, register a new managed account, or change a password. Once you have established these accounts, you can assign them to a service application from Central Administration.

Managed Accounts Passwords


The new password change feature in SharePoint 2010 can automatically update managed account passwords on a schedule and adhere to local or network password policies. When a password is close to expiration, SharePoint sends an email message to a designated administrator. At this point, users can be notified about any service interruptions they may encounter. You can also reset passwords manually to a specific password. This could come in handy when responding to an incident or when the account's password was changed in AD DS by mistake. You can also reset all managed passwords in SharePoint at the same time using a Windows PowerShell script.

Note: After a managed account is set up in SharePoint, the password for that account cannot be changed in Active Directory without synchronization issues. If a password is changed in Active Directory, you must manually change the password in SharePoint to match.
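The password operations described above can be scripted with the managed account cmdlets. The following is an added example, not part of the course material; the function names are hypothetical, and the schedule, notification values and the CONTOSO\SP_ServiceApps account (the lab account used later in this module) are assumptions.

```powershell
# Added example: managed account password hygiene for a SharePoint 2010 farm.
# Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Inventory: shows which managed accounts still depend on manual changes
# (AutomaticChange = False) and when each password expires.
function Get-ManagedAccountReport {
    Get-SPManagedAccount |
        Select-Object UserName, AutomaticChange, PasswordExpiration, ChangeSchedule |
        Sort-Object PasswordExpiration
}

# Scheduled change: SharePoint generates a policy-compliant password on the
# schedule and mails the designated administrator beforehand.
# The schedule string and day counts are assumed values; adjust to policy.
function Enable-ManagedAccountAutoChange([string]$Account) {
    Set-SPManagedAccount -Identity $Account `
        -AutoGeneratePassword `
        -Schedule 'monthly between 7 02:00:00 and 7 03:00:00' `
        -PreExpireDays 5 `
        -EmailNotification 10 `
        -Confirm:$false
}

# Resynchronize: the password was changed in AD DS outside SharePoint, so
# SharePoint is told the password that AD DS already holds. The password is
# read as a SecureString and never appears in the script or the history.
function Sync-ManagedAccountFromAD([string]$Account) {
    $current = Read-Host -AsSecureString "Current AD DS password for $Account"
    Set-SPManagedAccount -Identity $Account `
        -ExistingPassword $current `
        -UseExistingPassword `
        -Confirm:$false
}

# Incident response: rotate every managed account to a new generated
# password and report per account, so one failure does not hide the rest.
function Reset-AllManagedAccountPasswords {
    foreach ($account in Get-SPManagedAccount) {
        $result = 'Rotated'
        try {
            Set-SPManagedAccount -Identity $account -AutoGeneratePassword `
                -Confirm:$false -ErrorAction Stop
        }
        catch {
            $result = "FAILED: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            Account = $account.UserName
            Result  = $result
        }
    }
}

# Typical use (uncomment as needed):
# Get-ManagedAccountReport | Format-Table -AutoSize
# Enable-ManagedAccountAutoChange 'CONTOSO\SP_ServiceApps'
# Sync-ManagedAccountFromAD 'CONTOSO\SP_ServiceApps'
# Reset-AllManagedAccountPasswords | Format-Table -AutoSize
```

After a generated password is applied, nobody knows the account's password, so any system outside SharePoint that runs under the same account must be updated separately.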


Lesson 2

Securing and Isolating Web Applications

By implementing isolation in your SharePoint environment, you can segment data into logical groups and give access only to those users who need it. Securing communication also helps keep users from accessing sensitive data.

Objectives
After completing this lesson, you will be able to:
- Describe how to manage isolation with a new application pool.
- Configure an application isolation pool.
- Configure SharePoint to use Secure Sockets Layer (SSL) communication.


Isolation Using Application Pools

Key Points
SharePoint uses application pools to isolate certain Web and service applications. There are advantages and disadvantages to using separate application pools for each Web application in your SharePoint farm.

Advantages
- Different identities. Each application pool runs under a single domain account. The account has restricted permissions that allow it to do only what it needs to inside the specific Web application.
- Isolation of processes. Each application pool runs under a different process ID. This makes it easier to track events and logging corresponding to the process.
- Recycle/restart without affecting others. When an application pool is recycled, all Web sites using the pool are unavailable until the pool comes back online. Separate application pools limit this issue to a specific Web application.
- Throttling of resource usage. Application pools use many resources, CPU, RAM, and disk. You can limit the usage of these resources to certain values in an application pool.

Disadvantages
- Administration overhead. Managing one application pool versus managing multiple application pools.
- Idle worker process. When an application pool has been idle for a specific amount of time, the worker process associated with the application pool shuts down. When the site is accessed again, the worker process has to be recycled, which can take some time, and the user may experience a delay in accessing that page.

Application Pool Isolation

Key Points
This diagram shows a totally isolated environment. Each service application and Web application has been created with its own application pool. You should weigh the advantages and disadvantages previously discussed to determine whether this type of design is appropriate for your environment.
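To see how close an existing farm is to the isolated design, you can report which application pool and identity each Web application and service application runs under. This is an added example, not part of the course material; the function name and the three findings it reports are assumptions about what an administrator would want flagged.

```powershell
# Added example: report application pool isolation in a SharePoint 2010 farm.
# Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-AppPoolIsolationReport {
    $farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
    $rows = @()

    # Web applications, including Central Administration.
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        $rows += New-Object PSObject -Property @{
            Kind           = 'Web application'
            Name           = $wa.DisplayName
            Pool           = $wa.ApplicationPool.Name
            Identity       = $wa.ApplicationPool.Username
            IsCentralAdmin = $wa.IsAdministrationWebApplication
        }
    }

    # Service applications that are hosted in an IIS application pool.
    foreach ($sa in Get-SPServiceApplication) {
        if ($sa.ApplicationPool) {
            $rows += New-Object PSObject -Property @{
                Kind           = 'Service application'
                Name           = $sa.DisplayName
                Pool           = $sa.ApplicationPool.Name
                Identity       = $sa.ApplicationPool.ProcessAccountName
                IsCentralAdmin = $false
            }
        }
    }

    $findings = @()

    # Finding 1: applications sharing one pool share a process, so a recycle
    # or a compromise of one affects all of them.
    foreach ($g in ($rows | Group-Object Kind, Pool | Where-Object { $_.Count -gt 1 })) {
        $findings += New-Object PSObject -Property @{
            Finding = 'Shared application pool'
            Detail  = "$($g.Name): " + (($g.Group | ForEach-Object { $_.Name }) -join '; ')
        }
    }

    # Finding 2: different pools running as the same account are separate
    # processes but not separate identities.
    foreach ($g in ($rows | Group-Object Identity)) {
        $pools = @($g.Group | ForEach-Object { $_.Pool } | Sort-Object -Unique)
        if ($pools.Count -gt 1) {
            $findings += New-Object PSObject -Property @{
                Finding = 'Identity reused across pools'
                Detail  = "$($g.Name): " + ($pools -join '; ')
            }
        }
    }

    # Finding 3: the farm account is db_owner on all SharePoint databases,
    # so it should only run Central Administration and the Timer service.
    foreach ($r in ($rows | Where-Object { -not $_.IsCentralAdmin -and $_.Identity -eq $farmAccount })) {
        $findings += New-Object PSObject -Property @{
            Finding = 'Farm account runs a non-CA pool'
            Detail  = "$($r.Kind) '$($r.Name)' in pool '$($r.Pool)'"
        }
    }

    # Return the inventory and the findings as one object.
    New-Object PSObject -Property @{ Inventory = $rows; Findings = $findings }
}

# Typical use:
# $report = Get-AppPoolIsolationReport
# $report.Inventory | Sort-Object Identity | Format-Table Kind, Name, Pool, Identity -AutoSize
# $report.Findings  | Format-Table Finding, Detail -AutoSize -Wrap
```

A finding is not automatically a defect: shared pools are the lower-overhead option described under Disadvantages, so compare the output with the isolation the design actually calls for.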


Secure Communications Using Secure Sockets Layer

Key Points
Before you can enable SSL, you must have an SSL certificate. You can get one from a third party or create one using Active Directory Certificate Services (AD CS). When using AD CS, after installation you must create a certificate by using Internet Information Services (IIS). You can accomplish this by using the Service Certificates module in IIS 7. Once you create the certificate, you must install it on all Web front-end (WFE) servers in your farm. To configure sites to use SSL in SharePoint, you must either configure the environment to use SSL every time a new Web application is created or add an alternate access mapping (AAM) to an existing Web application. By adding an internal URL, you can add a new Web application zoned for the intranet that uses Secure HTTP (HTTPS).

Additional Reading
- How to enable Active Directory Certificate Service in Windows Server 2008 R2 at http://go.microsoft.com/fwlink/?LinkID=197126&clcid=0x409
- How to enable SSL on a SharePoint 2010 web application at http://go.microsoft.com/fwlink/?LinkID=197127&clcid=0x409

Lesson 3

Services and Service Applications

Services and service applications in SharePoint 2010 replace the Shared Service Provider (SSP) model in SharePoint 2007. There are many advantages to the service application model.

Objectives
After completing this lesson, you will be able to:
- Describe the SharePoint 2010 Service Application Framework service model.
- Describe service applications.
- Describe service application connections.
- Configure application connection groups.
- Plan service applications.
- Describe types of service applications.
- Implement service applications across farms.

SharePoint 2010: Service Application Framework Service Model

Key Points
In SharePoint 2007, the Shared Service Provider (SSP) is a single point of failure that contains shared services, for example, search, profile, and Excel services. In many cases, there is a steep learning curve to understand how to use the SSP and how it interacts with the rest of SharePoint; consequently, it is difficult to deploy and manage. A Web application can be associated with only a single SSP, which means that the SSP in that farm has to contain every service that any Web application uses. Management is also inflexible because you either have access to the entire SSP or to none of it. The SSP is essentially a single database, so there is no way to scale to larger implementations. There is also limited documentation concerning larger implementations. The all-or-nothing approach of the SSP also leads to extraneous resource usage because a Web application has to use all services in the SSP, even if it needed only one.

Service applications (SAs) are the perfect alternative to the older Shared Service Provider architecture of SharePoint 2007. SAs are fundamental to the application and are included with the SharePoint Foundation Stock Keeping Unit (SKU). The SA model is much more flexible than is the SSP model:
- You can create more than one instance of a service application in a single farm.
- Web applications can consume any or all of the available services.
- You can also share service applications across farms.
- You can install applications separately from one another.

All of this gives you finer-grained control of the service that you are deploying to your users.

Now, with the SA architecture, you can load balance the services in the farm on all front-end servers or just a subset of them, allowing for future scaling in the farm or even into the cloud. The SA architecture also allows for third-party development. Some other Microsoft products already have service applications that are installed to interact with SharePoint. You can manage all service applications in the SharePoint farm in Central Administration without having to navigate to an entirely different area to do so. You can also use Windows PowerShell to interact with service applications.

Note: When you upgrade from SharePoint 2007, your SSP is converted to service applications. Refer to Module 12, Installing and Upgrading to SharePoint 2010 for more details.


Service Application Components

Key Points
Several components make up the service application architecture. These components combine with one another to ensure that Web applications can consume services.
- Service. In SharePoint, you can configure services to run on the same server, or you can spread them across multiple servers. You can also load balance services automatically when two or more servers are configured to run a service.
- Service applications. Service applications are instances of services that are created. An application pool is associated with each service application instance. For most service applications, you can deploy multiple instances in a farm. You can also share them across multiple farms.
- Service application connections. For a service application to talk to a specific Web application, it must use a service application connection (proxy). A proxy is created automatically when you create a new service application.
- Service application connection groups. You can group multiple proxies together, which is then referred to as a service application connection group (proxy group).
- Web applications. Web applications are the component that users see in their browsers. Web applications can consume any number of the services available.

Additional Reading
Services architecture planning at http://go.microsoft.com/fwlink/?LinkID=197128&clcid=0x409


Service Applications

Key Points
You can create a service application instance by navigating to Manage Service Applications in Central Administration. There, you can see all of the service application instances that you have created, as well as create a new instance of a service application.

Components of a Service Application


Following are the components that make up a service application:
- Virtual directory. A new Web site in IIS. Most of the virtual directory names are globally unique identifiers (GUIDs).
- Application pools. Each virtual directory in IIS is associated with an application pool. There are pros and cons of making each application pool separate, as discussed earlier.
- Database(s). Most service applications create at least one if not more databases when they are created. The data for a single service application is stored in the database.
- Physical instance. This is the actual process or Web service on the physical computer on which the service is running.
- Administrative interface. Some service applications have administrative Web sites where you can configure settings specific to that service application.

Note: Some service applications do not contain all components.

Creating a Service Application


The Farm Configuration Wizard in SharePoint establishes all default service applications that you need. This wizard is particularly useful for small farms or first-time setups and allows you to get everything up and running quickly.


Manual configuration of service groups is also possible through Central Administration or Windows PowerShell. Manual configuration is good for larger farms, where you must plan and design the service applications more thoroughly. You can assign different permissions to each instance of a service application so that you have distributed management of the SharePoint service application model.

Windows PowerShell Examples


New-SPAccessServiceApplication - Creates a new Access service application
New-SPAccessServiceApplicationProxy - Creates a new Access service application proxy

Service Application Provisioning


You can deploy service applications to different application pools to achieve process isolation. However, if you want to optimize the performance of your farm, you should deploy service applications to only one application pool. To achieve physical isolation for a service application, choose or create a different application pool for the service application. You should do this only if there is a significant business need for it.

Additional Reading
Services architecture planning at http://go.microsoft.com/fwlink/?LinkID=197128&clcid=0x409


Service Application Connection

Key Points
A service application connection, also known as a proxy, allows the user-driven Web applications to talk to service applications. Web Parts, the SharePoint object model, or internal code can use proxies to connect to service applications. Service application connections are created automatically when a service application is created.

Example:
1. When a search query is performed by the user, the Search Web Part on the WFE talks to the service application proxy.
2. In turn, the service application proxy uses Windows Communication Foundation (WCF) to connect to the application server that is running the instance of the Search Service.
3. This application retrieves information from the database and returns the results to the WFE to be displayed in the Web Part.

Service Application Connection Groups


A service application connection group, also known as a proxy group, is a collection of service applications that use the same proxy to interact with Web applications. SharePoint creates a default proxy group for all new Web applications automatically. You can create custom proxy groups for data isolation purposes. You can configure and change proxy groups using Central Administration or Windows PowerShell. Most service applications require setting a single proxy group as the default, but they can have multiple. Also, a single web application can consume multiple service applications, and a single service application can be consumed by multiple web applications.
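The pieces described in this lesson (application pool, service application, connection, and custom connection group) fit together as shown in the following added example, which is not part of the course material. It uses the Managed Metadata Human Resources names from the lab later in this module; the proxy name, the proxy group name "HR Services", and the Web application URL http://hr.contoso.com are assumptions.

```powershell
# Added example: give one department its own Managed Metadata instance by
# placing it in a dedicated application pool and a custom proxy group.
# Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$poolName   = 'HRMetadataPool'
$appName    = 'Managed Metadata Human Resources'
$dbName     = 'HRMetadata'
$account    = 'CONTOSO\SP_ServiceApps'       # must already be a managed account
$groupName  = 'HR Services'                  # assumed proxy group name
$webAppUrl  = 'http://hr.contoso.com'        # assumed Web application

# Provisioning is carried out by timer jobs, so a stopped Timer service
# leaves the service application half-created. Check before starting.
if ((Get-Service SPTimerV4).Status -ne 'Running') {
    throw 'The SharePoint 2010 Timer service (SPTimerV4) is not running.'
}

# 1. Dedicated application pool running as a managed account.
$pool = Get-SPServiceApplicationPool $poolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-SPServiceApplicationPool -Name $poolName `
        -Account (Get-SPManagedAccount $account)
}

# 2. The service application instance with its own database.
$app = Get-SPServiceApplication | Where-Object { $_.DisplayName -eq $appName }
if (-not $app) {
    $app = New-SPMetadataServiceApplication -Name $appName `
        -ApplicationPool $pool -DatabaseName $dbName
}

# 3. The connection (proxy). -DefaultProxyGroup is deliberately omitted so
#    the connection is NOT added to the default group that every Web
#    application uses.
$proxy = Get-SPServiceApplicationProxy |
    Where-Object { $_.DisplayName -eq "$appName Connection" }
if (-not $proxy) {
    $proxy = New-SPMetadataServiceApplicationProxy -Name "$appName Connection" `
        -ServiceApplication $app
}

# 4. A custom connection group that holds only what HR should consume.
$group = Get-SPServiceApplicationProxyGroup | Where-Object { $_.Name -eq $groupName }
if (-not $group) {
    $group = New-SPServiceApplicationProxyGroup -Name $groupName
}
Add-SPServiceApplicationProxyGroupMember -Identity $group -Member $proxy

# 5. Point the department's Web application at the custom group.
Set-SPWebApplication -Identity $webAppUrl -ServiceApplicationProxyGroup $group

# 6. Verify: which group does each Web application consume, and what is in it?
Get-SPWebApplication |
    Select-Object Url, @{ Name = 'ProxyGroup'
                          Expression = { $_.ServiceApplicationProxyGroup.FriendlyName } } |
    Format-Table -AutoSize
Get-SPServiceApplicationProxyGroup |
    Select-Object FriendlyName, @{ Name = 'Connections'
                                   Expression = { ($_.Proxies | ForEach-Object { $_.DisplayName }) -join '; ' } } |
    Format-Table -AutoSize -Wrap
```

A Web application moved to a custom group loses the connections of the default group, so add every other connection it still needs (for example Search) to the custom group as well.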


Application Connection Groups

Single Farm, Single Service Application Group


In an architecture that includes a single farm and a single service application group, the default service application group is used for all Web applications in the farm. All sites have access to all of the service applications that are deployed in the farm.

Advantages
- It is the simplest architecture to deploy. You deploy this architecture by using the SharePoint Initial Farm Setup Wizard.
- All service applications are available to all Web applications, meaning any Web application in the farm can consume any number of service applications.
- All service applications are managed centrally in one farm.
- This architecture provides the best use of resources because only one instance of each service group is needed.

Disadvantages
- You cannot isolate service application data. Any Web application can consume any service application and its data.
- Individual departments or teams cannot manage service applications on their own.

Recommendations
The architecture that includes a single farm and a single service application group is the recommended configuration for most organizations, at least initially. This configuration works well when you want to host many sites for a single company on the same farm. Use this configuration to meet the following goals:
- You want to optimize the resources required to run service applications in a farm.
- You are sharing content and profile data across sites that otherwise require process isolation for performance or security reasons.

Single Medium-Sized Farm, Multiple Service Application Groups


In an architecture that includes a single farm and multiple service application groups, the default service application group is used for most Web applications in the farm. Sites have access to a subset of the service applications deployed in the farm.

Advantages
- The main Web applications have access to the service applications they need.
- Departments with a stricter data policy can have their own instances of service applications.
- Service applications can be managed departmentally by different user sets.

Disadvantages
- This architecture is more taxing on farm resources because multiple instances of certain service applications have been created and run at the same time.

Recommendations
The architecture that includes a single farm and multiple service application groups is the recommended configuration for organizations that require that specific departments have their own isolated data and service application management. This configuration works well when you want to host many sites for a single company on the same farm, yet have some isolation. Use this configuration if you are sharing content and profile data across sites that otherwise require process isolation for performance or security reasons and you would like to isolate one department's data.

Multiple Farms, Multiple Service Application Groups


In an architecture that includes multiple farms and multiple service application groups, the default service application group can be used for most Web applications. Sites have access to a subset of the service applications deployed in their farm or published from other farms.

Advantages
- The Web applications have access to only the service applications that they need.
- Departments with a stricter data policy can have their own instances of service applications.
- Service applications can be managed departmentally by different user sets.
- Data and service applications can be shared across farms.

Disadvantages
- This architecture is the most taxing on farm resources because multiple instances of service applications have been created and run at the same time.
- This architecture requires more hardware to support the scaled-out infrastructure.

Recommendations
The architecture that includes multiple farms and multiple service application groups is the recommended configuration for large organizations that need distribution of data and/or management of service applications. This configuration works well when you want to isolate certain departments but share data across multiple farms. Use this configuration to meet the following goals:
- You are sharing content across farms.
- You are isolating certain department data from the rest of the farms.


Overview of Planning Service Applications

Key Points
The biggest struggle when planning your service application infrastructure is striking a balance between performance and separation. The more proxy groups you define and use, the more you tax the servers in the farm. You should create new proxy groups only when you must isolate processes, data, or performance. Some typical services that are deployed for dedicated use are Excel Services, Managed Metadata, and Business Data Connectivity (BDC):
- Excel Services. To optimize performance for a targeted team or to isolate sensitive data.
- Managed Metadata. To allow a team or department to manage their own taxonomy, hierarchies, keywords, and so on. SharePoint Server 2010 combines the results of multiple Managed Metadata service applications so that taxonomies, content types, and other elements can be shared across an organization.
- Business Data Connectivity. Individual teams or departments can integrate with their own line-of-business data systems and keep the data isolated from the rest of the organization.


Service Application Types

Key Points
You can publish certain service applications and use them across farms. Some large implementations create a separate farm in which are kept all service applications that can be shared with all other farms to consume. This is most commonly done with Search and/or user profiles. Often, Managed Metadata is also shared so that an organization can share a single corporate taxonomy.

Question: How would you use the Search Service as a cross-farm service application?

Question: How would you use the User Profile Service as a cross-farm service application?

Service Applications Across Farms

Key Points
You can publish certain service applications and make them available to other SharePoint farms to consume. To do so, servers exchange certificates across the farms. An administrator of the consuming farm must provide two trust certificates to the publishing farm: a root certificate and a security token service (STS) certificate. An administrator of the publishing farm must provide a root certificate to the consuming farm. You can export and copy certificates only by using Windows PowerShell 2.0. You must configure permissions on both the shared service application and the Application Discovery and Load Balancer Service Application. When everything is set up, you can publish the service for other farms to consume.

Note: If the farms are in two different domains, you must set up a two-way trust for User Profile or BDC Services to be shared.
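The certificate exchange and permission steps above, written out as an added example that is not part of the course material. The function names, the share path \\fileserver\farmtrust, and the trust names are assumptions; each function is run on the farm named in its comment, and the expected thumbprint is obtained from the other farm's administrator through a separate channel.

```powershell
# Added example: cross-farm trust for a published service application.
# Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$share = '\\fileserver\farmtrust'   # assumed location both administrators can reach

# BOTH FARMS: export the farm root certificate. The consuming farm also
# exports its STS signing certificate (-IncludeSts). Only public
# certificates are written; no private keys leave the farm.
function Export-FarmTrustCertificates([string]$FarmName, [switch]$IncludeSts) {
    $root = (Get-SPCertificateAuthority).RootCertificate
    $root.Export('Cert') | Set-Content "$share\$FarmName-Root.cer" -Encoding Byte
    "$FarmName root thumbprint: $($root.Thumbprint)"
    if ($IncludeSts) {
        $sts = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
        $sts.Export('Cert') | Set-Content "$share\$FarmName-STS.cer" -Encoding Byte
        "$FarmName STS thumbprint:  $($sts.Thumbprint)"
    }
}

# Loads a .cer file and refuses it unless the thumbprint matches the value
# the other administrator reported, so a swapped file is never trusted.
function Get-VerifiedCertificate([string]$Path, [string]$ExpectedThumbprint) {
    $cert = Get-PfxCertificate $Path
    if ($cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
        throw "Thumbprint mismatch for $Path (got $($cert.Thumbprint))."
    }
    $cert
}

# CONSUMING FARM: trust the publishing farm's root certificate.
function Add-PublishingFarmTrust([string]$RootThumbprint) {
    $cert = Get-VerifiedCertificate "$share\Publishing-Root.cer" $RootThumbprint
    New-SPTrustedRootAuthority -Name 'PublishingFarm' -Certificate $cert
}

# PUBLISHING FARM: trust the consuming farm's root and STS certificates.
function Add-ConsumingFarmTrust([string]$RootThumbprint, [string]$StsThumbprint) {
    $root = Get-VerifiedCertificate "$share\Consuming-Root.cer" $RootThumbprint
    New-SPTrustedRootAuthority -Name 'ConsumingFarm' -Certificate $root
    $sts = Get-VerifiedCertificate "$share\Consuming-STS.cer" $StsThumbprint
    New-SPTrustedServiceTokenIssuer -Name 'ConsumingFarm' -Certificate $sts
}

# PUBLISHING FARM: grant the consuming farm (identified by its farm ID, from
# (Get-SPFarm).Id on the consuming farm) access to the Application Discovery
# and Load Balancer Service Application and to the shared service application.
# $Rights must be a right that the shared service application defines.
function Grant-ConsumingFarmAccess([Guid]$ConsumingFarmId, [string]$ServiceAppName, [string]$Rights) {
    $provider  = (Get-SPClaimProvider System).ClaimProvider
    $principal = New-SPClaimsPrincipal `
        -ClaimType 'http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid' `
        -ClaimProvider $provider -ClaimValue $ConsumingFarmId

    $topology = Get-SPTopologyServiceApplication
    $security = $topology | Get-SPServiceApplicationSecurity
    Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights 'Full Control'
    $topology | Set-SPServiceApplicationSecurity -ObjectSecurity $security

    $app = Get-SPServiceApplication | Where-Object { $_.DisplayName -eq $ServiceAppName }
    $appSecurity = $app | Get-SPServiceApplicationSecurity
    Grant-SPObjectSecurity -Identity $appSecurity -Principal $principal -Rights $Rights
    $app | Set-SPServiceApplicationSecurity -ObjectSecurity $appSecurity

    # Make the service application visible to trusted farms.
    Publish-SPServiceApplication -Identity $app
}

# Order of use:
#   Consuming farm : Export-FarmTrustCertificates Consuming -IncludeSts ; (Get-SPFarm).Id
#   Publishing farm: Export-FarmTrustCertificates Publishing
#   Consuming farm : Add-PublishingFarmTrust '<thumbprint reported by publishing admin>'
#   Publishing farm: Add-ConsumingFarmTrust '<root thumbprint>' '<STS thumbprint>'
#   Publishing farm: Grant-ConsumingFarmAccess '<consuming farm ID>' '<service app name>' '<right>'
```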


Lab A: Administering SharePoint Services

Scenario
The Communications team at Contoso wants to publish content to the intranet by using Microsoft Word. The team's manager discovered that SharePoint includes a feature that can convert Word documents to Web pages and is complaining that the intranet site does not expose the document conversion command. Additionally, developers are experiencing errors that suggest some SharePoint services may not be running correctly. You have been asked to troubleshoot the problems and to ensure that SharePoint and Windows Services that are required to support the SharePoint farm are running correctly.

Log on to the virtual machine for this lab.


Start 10174A-CONTOSO-DC-D. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.


Exercise 1: Administering SharePoint services


Scenario
In this exercise, you enable the document conversion service on the intranet Web, and you ensure that the SharePoint Services requested by your developers are started. The main tasks for this exercise are as follows:
1. Create a document in a document library.
2. Attempt to convert a document.
3. Attempt to enable document conversion.
4. Configure and start document conversion services.
5. Enable document conversion.
6. Test document conversion.
7. Configure and start SharePoint Services.

Task 1: Create a document in a document library.


Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password Pa$$w0rd. Open Windows Internet Explorer, and then browse to http://intranet.contoso.com. Use the View All Site Content link to navigate to the Documents document library. From the library, create a new document. In the new document, type this text: SharePoint IT Policies and Procedures. If prompted for a user name, use Contoso\SP_Admin and the password Pa$$w0rd. Save the document to the document library http://intranet.contoso.com/Documents with the name SharePoint IT Policies and Procedures. Close Microsoft Word, and then click Yes and OK to check in the document. Switch to Internet Explorer, and then refresh the page to confirm that the document was saved in the document library.

Task 2: Attempt to convert a document.


Point at the row containing the new document SharePoint IT Policies and Procedures, and then click the drop-down arrow that appears next to the file name. Observe that there are no options to convert the document. You must enable document conversion for each Web application and several services must be running. Minimize, but do not close, Internet Explorer.

Task 3: Attempt to enable document conversion.


Open SharePoint 2010 Central Administration. In the Quick Launch, click General Application Settings, and then, in the External Connections section, click Configure document conversions. The Configure Document Conversions page appears. Click the Web Application list, and then click Change Web Application. The Select Web Application dialog appears.


Click SharePoint - intranet.contoso.com80. In the Enable Document Conversions section, click Yes, and then click OK. At the top of the page, a message appears that indicates you must choose a document conversion server.

Click the Load Balancer server drop-down arrow. Observe that you have no options. Click Cancel. You must enable the SharePoint service on front-end Web servers before you can enable document conversions.

Task 4: Configure and start document conversion services.


Under System Settings, click Manage services on server, and then browse to the Services On Server page. Start the Document Conversions Load Balancer Service and Document Conversions Launcher Service. For the Document Conversion Launcher Service, select SP2010-WFE1 as the server and the load balancer server.

Task 5: Enable document conversion.


From the General Application Settings page, browse to the Configure Document Conversions page. Enable document conversions for the Web application http://intranet.contoso.com using SP2010-WFE1 as the load balancer server.

Task 6: Test document conversion.


Switch to the instance of Internet Explorer that displays the document library. Refresh the page. Open the Edit menu for the document SharePoint IT Policies and Procedures. Observe the new menu item, Convert Document. Convert the document to a Web page named SharePoint Policies and Procedures with the URL name SharePointPoliciesAndProcedures.

Task 7: Configure and start SharePoint Services.


Switch to SharePoint 2010 Central Administration, click System Settings, and then browse to the Services On Server page. Start Claims to Windows Token Service and Microsoft SharePoint Foundation Subscription Settings Service. Start SharePoint Foundation Search using CONTOSO\SP_ServiceApps as the service account. Configure the content access account as CONTOSO\SP_ServiceApps with the password Pa$$w0rd. Close all instances of Internet Explorer.

Results: After this exercise, you should have enabled document conversions on the intranet Web and configured and started several SharePoint farm services.


Exercise 2: Administering SharePoint Windows Services


Scenario
The SharePoint Timer service is responsible for performing a number of important maintenance and administration activities on the SharePoint farm. Some of the error messages experienced by developers suggest that the Timer service is not running. In this exercise, you experience one of the symptoms of a stopped Timer service, and then you start the service. The main tasks for this exercise are as follows:
1. Stop the Timer service.
2. Attempt to create a service application.
3. Start the Timer service.
4. Observe the effects of the Timer service.

Task 1: Stop the Timer service.


Run Command Prompt as administrator, type the following command, and then close Administrator: Command Prompt.
net stop sptimerv4

Task 2: Attempt to create a service application.


Open SharePoint 2010 Central Administration, and then browse to the Manage Service Applications page. Attempt to create a new Managed Metadata Service application with the following specifications:
Name: Managed Metadata Human Resources
Database name: HRMetadata
Application pool name: HRMetadataPool
Application pool identity: CONTOSO\SP_ServiceApps

When you attempt to create this application, Central Administration will pause indefinitely. Wait two minutes, and then click Cancel. Refresh the page, and then observe that the Managed Metadata Human Resources service application is listed as Stopped, and that there is no Managed Metadata Service Connection created for the service application. The Timer service must be running to process the jobs related to the creation of a service application.

Task 3: Start the Timer service.


Open the Services console, and then start the SharePoint 2010 Timer service. Close the Services console.

Task 4: Observe the effects of the Timer service.


Switch to SharePoint 2010 Central Administration, and then refresh the page. Observe the Managed Metadata Human Resources service application. If the application is listed as Stopped or if there is no Managed Metadata Service Connection for the application, wait a few moments, and then repeat this step.


Results: After this exercise, you should have experienced an effect of a stopped SharePoint 2010 Timer service and started the service.

Do not shut down the virtual machines.


Leave the virtual machines running. You will use them for Lab B.


Lab B: Configuring Application Security

Scenario
You recently inherited a SharePoint farm that was not set up using best practices. Your manager is a Certified Information Systems Security Professional (CISSP) and advocates security best practices. He would like you to explore the service account permissions and SSL settings of the SharePoint server and possibly change these settings to use specific service accounts. He would also like you to install SSL to secure the metadata that is traveling between the clients and servers.


Exercise 1: Configuring Web Application and Application Pool Security


Scenario
In this exercise, you must use SharePoint security best practices and have an in-depth understanding of various governance issues to configure and use SharePoint. What may seem like a simple setting could present information security holes and expose sensitive data to unauthorized individuals. The main tasks for this exercise are as follows:
1. Review farm account settings.
2. Add a managed account.
3. Change the SharePoint farm account.
4. Configure password change settings.
5. Change a managed account password.

Task 1: Review farm account settings.


Open the Services console, and then observe the identity that is used by the SharePoint 2010 Timer service. Open Internet Information Services (IIS) Manager, and then observe the identity of the SharePoint Central Administration v4 application pool.

Task 2: Add a managed account.


In Central Administration, click the Security link, and then navigate to the Managed Accounts page. Register a managed account using the user name CONTOSO\SP_Admin and the password Pa$$w0rd.

Task 3: Change the SharePoint farm account.


In Central Administration, click the Security link, and then navigate to the Service Accounts page. Change the Farm Account to use the managed account CONTOSO\SP_Admin. Open the Services console, and then confirm that the SharePoint 2010 Timer service is now using the account SP_Admin. Switch to Internet Information Services (IIS) Manager, and then confirm that the SharePoint Central Administration v4 application pool is now using the account SP_Admin. Repeat the first step to reset the farm account to SP_Farm.

Task 4: Configure password change settings.


Switch to SharePoint 2010 Central Administration, and then browse to the Password Management Settings page. In the Notification E-Mail Address box, type sharepoint@contoso.com.

Task 5: Change a managed account password.


In Central Administration, navigate to the Managed Accounts page. Change the password of CONTOSO\SP_Farm to Pa$$w0rd1. Enable automatic password change and notification by email. Wait for the Security page to open.


Confirm that the Last password change column of the CONTOSO\SP_Farm row indicates that the password was changed.

Results: After completing this exercise, you should have changed the farm account, reset its password, and configured the password change policy.
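The identity review from Tasks 1 and 3 and the password-change check from Task 5 can also be done in one pass from PowerShell. The following is an added example, not part of the course material; it assumes an elevated SharePoint 2010 Management Shell on a farm server with the WebAdministration module available, and it uses the Timer service name from the earlier lab (sptimerv4).

```powershell
# Added example, not from the course material. Run in an elevated SharePoint
# 2010 Management Shell on a farm server; assumes the WebAdministration module
# is available (Windows Server 2008 R2).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

# Index the farm's managed accounts by DOMAIN\user. PowerShell hashtable keys
# are case-insensitive, which matches how Windows compares account names.
$managed = @{}
foreach ($account in Get-SPManagedAccount) {
    $managed[$account.Username] = $account
}

# Build one report row for a component and the identity it runs as.
function New-IdentityRecord {
    param([string]$Component, [string]$Identity)
    $account = $managed[$Identity]
    $autoChange = $null
    $lastChanged = $null
    if ($account) {
        $autoChange = $account.AutomaticChange
        $lastChanged = $account.PasswordLastChanged
    }
    New-Object PSObject -Property @{
        Component           = $Component
        Identity            = $Identity
        IsManaged           = [bool]$account
        AutomaticChange     = $autoChange
        PasswordLastChanged = $lastChanged
    }
}

$records = @()

# Task 1, Services console: identity of the SharePoint 2010 Timer service.
$timer = Get-WmiObject Win32_Service -Filter "Name='SPTimerV4'"
$records += New-IdentityRecord 'Service: SPTimerV4' $timer.StartName

# Task 1, IIS Manager: identity of every application pool, including
# SharePoint Central Administration v4.
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $model = $pool.processModel
    if ($model.identityType -eq 'SpecificUser') {
        $identity = $model.userName
    } else {
        $identity = [string]$model.identityType   # built-in identity
    }
    $records += New-IdentityRecord "AppPool: $($pool.Name)" $identity
}

$records |
    Select-Object Component, Identity, IsManaged, AutomaticChange, PasswordLastChanged |
    Format-Table -AutoSize

# Rows that deserve a second look: identities that are not registered as
# managed accounts, or whose password is not changed automatically (Task 5).
# Built-in identities such as NetworkService are listed here as well.
$records |
    Where-Object { -not $_.IsManaged -or -not $_.AutomaticChange } |
    Select-Object Component, Identity
```

After Task 3, the Timer service row and the SharePoint Central Administration v4 row should show the same identity.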


Exercise 2: Configuring Secure Sockets Layer Security


Scenario
Contoso's SharePoint governance policy requires that passwords and other security-sensitive information must be encrypted when transmitted over the network. You have observed that Central Administration is not using encryption, and you must bring Central Administration into compliance with the policy. The main tasks for this exercise are as follows:
1. Review the encryption of Central Administration.
2. Install Active Directory Certificate Services.
3. Create and install an SSL certificate.
4. Configure SSL for Central Administration.
5. Test SSL for Central Administration.

Task 1: Review the encryption of Central Administration.


In Central Administration, navigate to the Managed Accounts page. In the CONTOSO\SP_Farm row, click the Edit icon. Observe the warning that appears at the top of the page that reminds you that Central Administration is not using encryption.

Task 2: Install Active Directory Certificate Services.


Start Server Manager using the Run as different user option. Enter the user name CONTOSO\Administrator and the password Pa$$w0rd. Add the Active Directory Certificate Services role, including the role services Certification Authority and Certification Authority Web Enrollment. Accept all other defaults as you configure the role with the Add Role Wizard.

Task 3: Create and install an SSL certificate.


In Server Manager, expand Roles, expand Web Server (IIS), and then click Internet Information Services (IIS) Manager. In the Connections panel, select SP2010-WFE1, and in the IIS section, double-click Server Certificates. In the Actions panel, click Create Domain Certificate. Create a domain certificate with the following specifications:
Common name: Contoso
Organization: Contoso
Organizational unit: SharePoint
City/locality: Redmond
State/province: WA
Country/region: US
Certificate authority: Contoso-SP2010-WFE1-CA
Friendly name: Contoso


Task 4: Configure SSL for Central Administration.


Create a binding for the SharePoint Central Administration v4 site with the following specifications:
Type: https
Port: 10000
SSL certificate: Contoso

Close Server Manager.

Task 5: Test SSL for Central Administration.


Open Internet Explorer, and then browse to https://sp2010-wfe1:10000. A message indicates the following: There is a problem with this website's security certificate. This message appears because the certificate is issued by the server itself, and not by a trusted certificate authority. In a production environment in which you had established your certificate authority using a certificate from a trusted certificate root, this message would not appear. Click Continue to this website (not recommended). The Central Administration site will open in secure mode. Click the Security link, and then browse to the Managed Accounts page. In the CONTOSO\SP_Farm row, click the Edit icon. Observe that the warning message you observed in Task 1 no longer appears. Close all open applications and windows.

Results: After this exercise, you should have configured Central Administration to use SSL.
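To see what a client evaluates before it shows the certificate warning in Task 5, you can read the certificate that the new binding presents and the validation result that .NET computes for it. This is an added example, not part of the course material; the default host name and port are the lab values from Tasks 4 and 5.

```powershell
# Added example, not from the course material. Host name and port default to
# the lab values; pass your own to check another endpoint.
function Get-TlsCertificateReport {
    param(
        [string]$HostName = 'sp2010-wfe1',
        [int]$Port = 10000
    )

    # Filled in by the validation callback during the handshake.
    $state = @{
        Errors = [System.Net.Security.SslPolicyErrors]::None
        Chain  = @()
    }

    # The callback records what .NET's own validation found, then accepts the
    # certificate so that the handshake completes and the details can be read.
    # No application data is sent. Accepting every certificate is for
    # inspection only and must not be copied into a real client.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $policyErrors)
        $state.Errors = $policyErrors
        $state.Chain = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $true
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $tls = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # The name passed here is the name the certificate is checked against.
        $tls.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)

        $nameFlag  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $chainFlag = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors

        New-Object PSObject -Property @{
            Endpoint     = "${HostName}:$Port"
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            SelfIssued   = ($cert.Subject -eq $cert.Issuer)
            # Certificate names do not cover the host name that was requested.
            NameMismatch = (($state.Errors -band $nameFlag) -ne 0)
            # Chain does not end in a root that this computer trusts, or a
            # certificate in it is expired or revoked; see ChainStatus.
            ChainErrors  = (($state.Errors -band $chainFlag) -ne 0)
            ChainStatus  = ($state.Chain -join ', ')
            Trusted      = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        $client.Close()
    }
}

Get-TlsCertificateReport | Format-List
```

A browser connects without a warning only when Trusted is True for the exact host name that users type.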

Do not turn off the virtual machines.


Leave the virtual machines running. You use them in Lab C.


Lab C: Configuring Service Applications

Scenario
Your company Contoso has adopted SharePoint 2010 for many reasons. One is its new, more optimized service application environment and another is its ability to manage metadata. You want to allow sites in the client-facing Web application to use managed metadata and keywords, but you do not want managed metadata and keyword columns in the client Web application to have visibility into terms used internally. Therefore, you must configure a separate Managed Metadata Service for the client Web application.


Exercise 1: Creating a Service Application


Scenario
In this exercise, you configure Business Connectivity Services to address the business intelligence requirements of Contoso, Ltd. The main tasks for this exercise are as follows:
1. Create a service application.
2. Configure the default application proxy group.
3. Configure a custom application proxy group.
4. Publish a service application.

Task 1: Create a service application.


Open SharePoint 2010 Central Administration, click Application Management, and then browse to the Manage Service Applications page. Create a new Managed Metadata Service application with the following specifications:
Service application name: Managed Metadata Clients
Database name: Managed_Metadata_Clients
Application pool name: SharePoint Web Services Default
Add this service application to the farm's default list: Clear this option

Task 2: Configure the default application proxy group.


Click the Application Management link, and then browse to the Service Application Associations page. Edit the default application proxy group. Verify that the Managed Metadata Clients application connection is removed from the proxy group.

Task 3: Configure a custom application proxy group.


Browse to the Service Application Associations page. Create a custom application proxy group for the SharePoint - intranet.contoso.com80 Web application with the following service applications:
Managed Metadata Clients
Search Service Application
Usage and Health data collection
Web Analytics Service Application

Observe that there is an application proxy group labeled custom assigned to the intranet Web application.

Task 4: Publish a service application.


Click the Application Management link, and then browse to the Manage Service Applications page. Publish the Managed Metadata Clients service application. Select the Publish the Service Application to other farms option. Because this lab contains only one farm, you cannot configure a trust relationship.


Results: After this exercise, you should have configured a new managed metadata service application, modified the default proxy group, and created a custom application proxy group.

To prepare for the next module.


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog, click Revert.


Module Review and Takeaways

Review Questions
1. How would you use Active Directory markers in your environment?
2. Which Active Directory accounts would you manage in SharePoint?
3. Explain the different components of the service application architecture.


Module 9
User Profiles and Social Networking
Contents:
Lesson 1: Configuring User Profiles
Lesson 2: Implementing SharePoint 2010 Social Networking Features
Lab A: Configuring User Profiles
Lab B: Administering My Sites


Module Overview

Social computing is a growing trend for Internet-related business. Its impact on the corporate world has allowed information to evolve into a dynamic and rapidly changing form that communities of users can collaborate on and share with others within the organization. This is where social computing fits the goals of Microsoft SharePoint: to capture and share information, to enable people to find information and other people, and to improve efficiency and productivity.

Objectives
After completing this module, you will be able to:
Configure user profiles.
Implement SharePoint 2010 social networking features.


Lesson 1

Configuring User Profiles

User profiles provide access to the people aspect of the social element of SharePoint. They provide the baseline for gathering and capturing information about the individuals you want to engage and interact with within your organization. In this lesson, you will see how that information can be gathered from different sources and the process to get that information into SharePoint.

Objectives
After completing this lesson, you will be able to:
Describe the User Profile Service Application.
Understand user profiles.
Describe each of the profile properties.
Understand data connections.
Edit profile data.
Describe the user profile synchronization process.
Implement Microsoft Forefront Identity Manager.


User Profile Service Application

Key Points
The user profile service is a service application in Microsoft SharePoint Server 2010 that provides a central location for configuring and managing the key elements of personalization settings. It is also a key component in the social computing capabilities of the SharePoint platform. The Manage Profile Service page cannot be accessed until an instance of a user profile service application exists. You can use the SharePoint Central Administration Web site in addition to Windows PowerShell to create and manage user profile service applications and other service applications for non-hosted environments. You can delegate management of a user profile service application to someone who does not have permissions to manage other services or settings contained in Central Administration.


Overview of User Profiles

Key Points
SharePoint user profiles contain key characteristics by default, and users can optionally provide additional information about themselves that enables them to communicate and share information effectively.

Benefits of User Profiles


Profile data can be aggregated from different sources.
Content can be indexed by SharePoint search to allow for searching of individuals within your organization.
This information can also be used to target information (in Web Parts and dashboards) to specific users.
Contains a description of memberships and distribution lists to which a user belongs.
A good way to track a user's people associations in the form of colleagues.
Client tools, like Microsoft Office Outlook 2010, can take advantage of user profile information.

User Profile Storage and Customization


User profile information is stored in a SQL Server database separate from the Configuration and Content databases.
Map user profiles to Active Directory Domain Services (AD DS) users or other types of stores.

Important: AD DS attributes and user profile properties may not necessarily match, particularly where users are provided the capability to control information about themselves. This can make the synchronization process a little complex. Knowing and understanding ADSI Edit is recommended.


Additional reading
Enable SharePoint Server 2010 Colleague in Outlook 2010 at http://go.microsoft.com/fwlink/?LinkID=197040&clcid=0x409
ADSI Edit at http://go.microsoft.com/fwlink/?LinkID=197041&clcid=0x409


Profile Properties

Key Points
A profile property is the field that holds information about a given user that exists in your organization. An extensive set of fields is available and included by default. Examples include: skills, birthday, manager, and responsibilities. In many implementations, the default properties may be enough, but there are likely scenarios and situations that require the creation of custom properties. Examples might include items that describe a training path, certification, or product specialty. Because properties hold specific types of data and correspond to fields, you need to consider the data type when you customize them. You can provide centrally defined values from Managed Metadata Service term sets to standardize on options and organizational policies.

Additional reading
User profile properties at http://go.microsoft.com/fwlink/?LinkID=197042&clcid=0x409


Data Connections

Key Points
Data connections allow you to establish the relationship and connectivity to the source providing the profile data. There are sources that will be primary sources, which means they will be able to be defined by themselves with no additional data connections. Then there are secondary sources, which do require the configuration of a primary source. Primary sources are typically AD DS or LDAP Stores. Secondary sources are typically connections to line of business applications (LOBs) using the Business Connectivity Services functionality. A secondary source would complement the information retrieved from a primary source as it would be one directional and would not allow an overwrite of the information synchronized from a primary source.


Editing Profile Data

Key Points
Profile data is stored in a SharePoint profile database as a replica of the source data. Based on the security settings of the profile properties, end users may actually be able to edit these properties by using their My Site or any custom profile editing page. Developers can write tools to update profile properties rather than using the importing mechanisms in SharePoint. Each profile property can have security set on it. This allows you to make profile properties required, optional, or even to disable a property if needed. You can also set the visibility of a property if it holds sensitive data such as a social security number, bank account number, or something similar.


User Profile Synchronization

Key Points
Profile synchronization in Microsoft SharePoint Server 2010 enables user profile service administrators to synchronize user and group profile information that is stored in the SharePoint Server 2010 profile store with profile information that is stored in directory services and business systems across the enterprise. When you define the user profile synchronization, you need to meet the following security and process requirements:

AD DS. At a minimum, the Replicate Directory Changes permission is needed on the AD DS domain(s) from which you wish to import data for SharePoint Server 2010.
This account must be a member of the Farm Administrators group or must be an account that is designated as a user profile service administrator.
If the NETBIOS name is different from the domain name, at least Replicate Directory Changes permission is also needed on the cn=configuration container.
To export properties, such as profile pictures, from SharePoint Server 2010 to AD DS, at least Replicate Directory Changes permission is needed on the object and all child objects for the AD DS domains to which you want to export data from SharePoint Server 2010. Read/Write permission is also needed on the container that stores the user picture attribute, for example, the ThumbnailPhoto attribute.
Authenticated users who have Replicate Directory Changes permissions will be granted read-access to AD DS objects. Additional permissions can be granted using access control lists (ACLs) in AD DS.
SharePoint Server 2010 will not write profile data back to AD DS unless Write permission is explicitly set on the account that has Replicate Directory Changes permissions.

Business Data Connectivity service. The Business Data Connectivity model must include Finders and Specific Finders methods in SharePoint Server 2010: http://go.microsoft.com/fwlink/?LinkId=179316

Novell eDirectory version 8.7.3 (LDAP). Only Full Sync for users is supported in SharePoint Server 2010.

SunOne version 5.2 (LDAP). Both full and incremental are supported. You must set up a change log to use Incremental Sync.

IBM Tivoli 6.2 (LDAP). Both full and incremental are supported.
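Before you create the synchronization connection, you can check which accounts already hold the Replicate Directory Changes permission on the domain and on the cn=configuration container named in the AD DS requirements. This is an added example, not part of the course material; the account name CONTOSO\SP_Sync is hypothetical, and the check sees only permissions granted directly to an account, not those obtained through group membership.

```powershell
# Added example, not from the course material. Uses ADSI only, so it needs no
# extra modules; run it as a domain user on a domain-joined computer.

# Control access right GUIDs defined by AD DS. An access rule that carries the
# empty GUID together with the ExtendedRight flag grants every extended right.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

# Return one row per Allow rule on the container that grants a replication right.
function Get-ReplicationRightHolder {
    param([string]$DistinguishedName)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    $ntAccount = [System.Security.Principal.NTAccount]
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, $ntAccount)
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($rule in $rules) {
        $right = $replicationRights[$rule.ObjectType.ToString()]
        $grantsExtended = ($rule.ActiveDirectoryRights -band $extended) -ne 0
        if ($right -and $grantsExtended -and $rule.AccessControlType -eq 'Allow') {
            New-Object PSObject -Property @{
                Container = $DistinguishedName
                Identity  = $rule.IdentityReference.Value
                Right     = $right
                Inherited = $rule.IsInherited
            }
        }
    }
}

# The two containers named in the AD DS requirements.
$rootDse = [ADSI]'LDAP://RootDSE'
$contexts = @(
    "$($rootDse.defaultNamingContext)",        # the domain
    "$($rootDse.configurationNamingContext)"   # cn=configuration
)

$report = @(foreach ($dn in $contexts) { Get-ReplicationRightHolder $dn })
$report |
    Sort-Object Container, Identity |
    Format-Table Container, Identity, Right, Inherited -AutoSize

# Hypothetical account name: replace it with the account that the
# synchronization connection uses.
$syncAccount = 'CONTOSO\SP_Sync'
$direct = @($report | Where-Object { $_.Identity -eq $syncAccount })

if ($direct.Count -eq 0) {
    Write-Warning "$syncAccount holds no replication right directly; check its group memberships."
}
foreach ($row in $direct) {
    if ($row.Right -ne 'Replicating Directory Changes') {
        Write-Warning "$syncAccount holds '$($row.Right)' on $($row.Container), which exceeds the minimum listed above."
    }
}
```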

Profile synchronization can occur when profile information has changed in the SharePoint Server 2010 profile store or when profile information has changed in the directory service. After you configure profile synchronization, changes to either store are detected. Import or export occurs depending on the import/export settings for a particular user profile property. Synchronization is defined within the user profile service application. This is configured and set up between SharePoint and the directory services applications that will provide the details on the user profile data being imported to be consumed by SharePoint. The high level process is defined by:
Farm account must be a local administrator on all SharePoint servers.
A user profile service application must be created.
User profile service must be started.
User profile service synchronization service must be started.
A new connection must be created.
Map user profile properties (import/export).
Set up a synchronization schedule (Full and/or import).


Forefront Identity Manager

Key Points
Forefront Identity Manager (FIM) 2010 builds on the meta-directory, certificate and smart card management, and user provisioning available in ILM 2007, and adds a rich management environment including integrated user management, self-service for comprehensive credential management, group management, policy management, and expanded extensibility and connectivity. The benefit SharePoint 2010 gets from FIM 2010 is that FIM provides the core engine that drives two-way replication between the source and the associated user profile imports. FIM 2010 feature investments are categorized into four areas.

Policy Management
SharePoint-based console for policy authoring, enforcement and auditing
Extensible WS-* APIs and Windows Workflow Foundation workflows
Heterogeneous identity synchronization & consistency

Credential Management
Heterogeneous certificate management with third-party CA support
Management of multiple credential types
Self-service password reset integrated with Windows logon and web-based tool
Integrated provisioning of identities, credentials, and resources

User Management
Automated, codeless user provisioning and de-provisioning
Self-service user profile management


Group Management
Rich Microsoft Office-based self-service group management tools
Offline approvals through Office
Group and distribution list management, including dynamic membership calculation in these groups and DLs based on users' attributes


Lesson 2

Implementing SharePoint 2010 Social Networking Features

SharePoint 2010 brings social networking capabilities into the enterprise, where enormous value can be unlocked through information contained not in typical pages or files, but rather in social relationships, behavior, and expertise.

Objectives
After completing this lesson, you will be able to:
Implement My Sites.
Configure social networking features.


My Sites Overview

Key Points
My Site websites are personal sites in Microsoft SharePoint Server 2010 that provide users in an organization with a rich set of social networking and collaboration features. These features include:
My Newsfeed page for managing colleagues, interests, and newsfeed settings
My Content page for managing documents and other content such as lists, libraries, etc.
My Profile page for managing things like user profile information and social tags and notes

These features give users a way to discover areas of expertise, projects, and business relationships from one central location. Each user can view his or her My Site website by clicking the corresponding user name in the top, right corner of any page and then clicking My Site. In SharePoint Server 2010, My Site websites enable users to easily share information about themselves and their work. This sharing of information encourages collaboration, builds and promotes expertise, and targets relevant content to the people who want to see it. You can display profile properties to particular users in the organization, and enable administrators to set policies to protect privacy. My Site websites in SharePoint Server 2010 include the following:
A profile for each user where users can share their expertise, profile pictures, and so on
A newsfeed for tracking activities such as social tags, status updates, note board notes, and content ratings
A tag and note tool that helps you conveniently tag or post notes on sites directly from a web browser
A shared picture library, shared document library, and personal document library with the ability to create and manage additional content as standard on other SharePoint site types
The ability to add Web Parts such as a Really Simple Syndication (RSS) viewer, or My Links, to see a list of your saved libraries and links
An organizational browser that uses Microsoft Silverlight 3 to provide a dynamic organizational browsing experience
The ability to manage colleagues and memberships from one location


Architecture of My Site Websites

Key Points
The user profile service stores information about users in a central location. Information in a user's profile includes a profile picture, the organization to which a user belongs, colleagues, and properties such as skills. SharePoint Server uses this information to personalize the data presented on a user's My Site website. To provision My Site websites and enable social computing features such as social tagging and newsfeeds, you must create and enable the user profile service.

The My Site Host is a special purpose site collection used for hosting My Site websites. The content part of My Site websites is hosted in its own site collection. My Site Host site collections are not created automatically in SharePoint Server 2010. Before provisioning My Site websites, an administrator of the User Profile Service Application must first create a My Site Host site collection, in addition to the web application that serves as its host.

Trusted My Site Host locations are used in organizations where multiple server farms are deployed or where multiple user profile service applications are configured. In such environments, users can create multiple My Site websites. For example, in a geographic deployment with a central farm in Europe and a regional farm in Africa, a user can click the My Site link when browsing content hosted by either farm. Consequently, the user can create a My Site website on the Europe farm and a My Site website on the Africa farm. If your organization includes multiple farms or multiple User Profile Service Applications that host My Site websites, you can prevent users from creating multiple My Site websites by using the Trusted My Site Host Locations feature. This feature enables you to specify trusted My Site locations. When trusted My Site locations are specified, users are redirected to the My Site that is intended for their user accounts, regardless of where they are browsing when they click the link to create a My Site website. This feature ensures that each user creates only one My Site website in the organization and relies on audience targeting.

Pages support the three distinct views of My Sites:
My Newsfeed page that shows colleague activities
My Content site that lists shared documents, personal documents, pictures, libraries, lists, discussion boards, and surveys that a user owns
My Profile page that displays personal profile information

Users can navigate between these pages by clicking the links on the My Site link bar at the top of the page. My Site websites rely on the following related features:
Profile synchronization. Enables you to integrate profile information that you have stored in a directory service such as Active Directory Domain Services (AD DS) or a business system, such as SAP or Siebel, with SharePoint Server 2010.
Expertise tagging. Allows users to list the areas in which they have experience as part of their profile. This information can be used by other users in the organization to locate subject matter experts for a particular area.
People search. Allows users to find people by department, job title, knowledge, expertise, and common interests.


Deploy My Sites

Key Points
After a farm administrator has created a user profile service application, a designated administrator of the user profile service application can manage the following My Site website settings:
My Site websites setup
Trusted My Site host locations
Personalization site links
Links to Microsoft Office 2010 client applications

To perform the initial setup of My Sites, you must do the following:
Create a My Site Host web application, for example mysites.contoso.com. Don't forget to add a DNS host (A or AAAA) record. Use either the My Site Host site definition (template) or a blank site template.
Create a search center site collection, for example mysites.contoso.com/sites/Search, using a search center site definition such as Enterprise Search Center.
Give users permission to the search center. For example, add the Domain Users group to the search center Visitors group, or give Domain Users read permission to the search center.
Add a managed path for My Sites, for example personal, with wildcard inclusion.
Enable self-service site creation for the web application.
On the Manage Service Applications page, click the link for the User Profile Service Application. You will be prompted to set up My Sites. Enter the URL to the My Site host, the search center, the managed path, etc.

You will perform these procedures in the lab for this module.


Administrative Credentials
To use Central Administration to set up My Sites, you must be a member of the Farm Administrators group or a Service Application Administrator for the user profile service application.


Configure Social Features

Key Points
To configure social networking features, including My Sites, user profiles, organization profiles, and profile synchronization, open the Manage Profile Service page:
1. On the Central Administration page, under Application Management, click Manage Service Applications.
2. On the Manage Service Applications page, click the name of the user profile service that you want to manage. The Manage Profile Service page opens.
3. In the People section, you can configure user permissions. By default, Authenticated Users have permission to use all social features and to create My Sites. You can restrict the permissions of users in your enterprise by removing Authenticated Users and adding specific groups or users. Click Manage Policy to specify which social and My Site features are visible, and to control the visibility level of profile attributes.
4. You can enable or disable social tags and note boards for a user or group. See http://go.microsoft.com/fwlink/?LinkID=197047&clcid=0x409

In the Manage Farm Features page, you can disable the Social Tags and Note Board Ribbon Controls, which removes the I like it and Tags and Notes commands from the ribbon. This is a user interface change only, but if you disable tagging, you should remove the social ribbon control so that users don't click it, only to discover that it doesn't work.

The Trusted Host Locations setting specifies other locations for My Sites that are trusted. This is not necessary in a typical farm that has only one User Profile Service Application. However, if you have multiple farms or multiple User Profile Service Applications, you should add the locations of their My Sites as a trusted host location.

If you want to push a link to a user's My Site, click Configure Personalization Site. Links created here can be targeted to audiences, and appear in the top navigation bar of a user's My Site.


You can also push links into Microsoft Office client applications. Click Publish Links to Office Client Applications.

Additional reading
- Enable or disable personal and social features for users or groups at http://go.microsoft.com/fwlink/?LinkID=197043&clcid=0x409
- Activate or deactivate the SocialRibbonControl farm-level feature at http://go.microsoft.com/fwlink/?LinkID=197044&clcid=0x409
- Plan policies for user profiles at http://go.microsoft.com/fwlink/?LinkId=235053


Audiences

Key Points
Audiences group users in an organization so that you can personalize information to ensure that it is relevant to them. Audiences enable organizations to target content to specific users. Audiences are groupings of users determined by their memberships in Microsoft Exchange distribution lists (DL) or SharePoint groups, or by rules configured by an administrator. In Microsoft SharePoint Server, the audience rules can be based on information in the user profile; on membership in an identity management system, for example, Active Directory Domain Services (AD DS) or Business Connectivity Services; or on the organization's reporting structure (if this information is stored in Active Directory). Audiences are defined and contained in the User Profile Service Application.

When you configure an audience, you specify one or more rules to determine the membership of the audience. The rules are applied as All or Any.

When you add a new audience, you also select an owner for the audience. This is an informational attribute only; it does not grant any permissions. The owner should be someone who understands why the audience was created and who can be contacted if there is a problem with the audience. The person who created the audience is often specified as the owner, but this is not a requirement. Having audience owners is helpful in enterprises that have a large number of audiences created by several different administrators.

Each audience must be compiled before content can be targeted to that audience. Compilation identifies membership in an audience by crawling the data most recently reported from the identity management system.

Note: You will not see membership of a new audience until it is compiled.


Note: Audience compilation cannot run during user profile synchronization.

Additional reading
Add, edit, or delete an audience (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197046&clcid=0x409


Organization Profiles

Key Points
Organization profiles support the creation of communities of practice. Much like user profiles, an organization profile has attributes and relationships to other organizations and users. It is very important for an organization to be able to categorize and identify users based on organizational needs, or to identify specific levels of expertise within your community of work. It is also important to gather and assess the value of networks of knowledge and expertise. This gives you the opportunity, for example, to identify specific resources with experience in a given product, and it allows you to make those networks stronger and better aligned with the needs of the organization. Finding communities of interest helps identify internal subject matter experts and may even further the adoption of an environment such as SharePoint 2010. Insight into an organization's makeup gives you a better understanding of how to find information that is essential to how a task is performed and whom to go to in case of questions. An organization's profile lets you know how and where to find information by better defining the teams, departments, and individuals that are part of it.


Lab A: Configuring User Profiles

Scenario
Your corporation has never had an employee directory despite the multiple requests of the Human Resources department. Since implementing SharePoint 2010, the Human Resources department has again requested the directory be implemented using SharePoint user profiles. Previous IT policies prevented making changes to Active Directory and forced the creation of a separate Human Resources database of user information. You have been tasked to set up user profiles in the new farm using Active Directory as the primary data source and integration with profile properties that come from the secondary HR data source.

Start the virtual machines.


1. Start 10174A-CONTOSO-DC-D.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.


Exercise 1: Creating a User Profile Service Application


The main tasks for this exercise are as follows:
1. Start the Web Service Application Pool.
2. Create a user profile service application.
3. Start required SharePoint services.
4. Verify successful service startup.
5. Reset IIS.
6. Validate the service application.

Task 1: Start the Web Service Application Pool.


Log on to SP2010-WFE1 as CONTOSO\SP_Admin with password, Pa$$w0rd. In IIS Manager, ensure that the SharePoint Web Services Root application pool is started. Then close IIS Manager. This step is necessary because memory limitations in the lab environment may prevent the application pool from starting automatically. This problem would manifest itself as a WCF error later in this lab.

Task 2: Create a user profile service application.


In Central Administration, click the Application Management link and then navigate to the Manage Service Applications page. Create a new User Profile Service Application with the following configuration:
- Name: User Profile Service Application
- Application pool name: UserProfilePool
- Application pool account: CONTOSO\SP_Farm

Task 3: Start required SharePoint services.


In Central Administration, click System Settings and then navigate to the Services on Server page. Start the user profile service. Then start the user profile synchronization service. When prompted to select the user profile application, select user profile service application, and enter the password, Pa$$w0rd. Observe the Status of the user profile synchronization service. A timer job is created that will configure user profile settings in the farm. When it has completed, the status of the service will change from Starting to Started.

Click Monitoring and then navigate to the Timer Job Status page. Click Running Jobs and then monitor the page. Press F5 to refresh the page. Repeat this step until the ProfileSynchronizationSetupJob appears.

Note: It can take up to 5 minutes for the ProfileSynchronizationSetupJob to appear on the Running Jobs list. If you don't see the job start, restart the timer service, but be sure you DO NOT restart it if this job is running.


Monitor the page. Press F5 to refresh the page. Repeat this step until the ProfileSynchronizationSetupJob disappears.

Note: It can take up to 15 minutes for the ProfileSynchronizationSetupJob to complete.

Navigate to the Job History page. Confirm that the Status of ProfileSynchronizationSetupJob is Succeeded. Click the System Settings link and then navigate to the Services on Server page. Confirm that the Status of the user profile synchronization service is Started. Close SharePoint 2010 Central Administration.

Task 4: Verify successful service startup.


Open the Services console. Confirm that the following services are started:
- Forefront Identity Manager Service
- Forefront Identity Manager Synchronization Service

If a service is not started, then press F5 to refresh the view. Repeat this step until the services have started.

Note: This can take several minutes.

Close the Services console. Open the folder C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\MaData. Confirm that the ILMMA folder exists. Confirm that a folder named MOSS-GUID exists with today's date. If they do not exist, wait until the timer job has completed fully, at which point the folders will appear. Close the Windows Explorer window that is showing the MaData folder.

Task 5: Reset IIS.


Start Command Prompt using the Run as administrator option. Type iisreset, and then press ENTER. After the command has completed, close Command Prompt.

Task 6: Validate the service application.


In Central Administration, click Application Management and then navigate to the Manage Service Applications page. Open the Manage Profile Service page for user profile service application. If an error is displayed, it is probably because the Web services have not completed startup following the IISRESET operation. Press F5 to refresh the page until the error disappears. Confirm that there are numbers on the right side of the page, which indicates that the service application is running. Then close Central Administration.

Results: After completing this exercise, you should have created a new User Profile Service Application and started all services related to user profile synchronization.


Exercise 2: Configuring User Profiles


The main tasks for this exercise are as follows:
1. Delegate Active Directory permissions to enable user profiles synchronization.
2. Create a user profile connection to Active Directory.
3. Add a custom user property.
4. Import user profiles from Active Directory.
5. Validate the profile import.
6. Configure a profile property in Active Directory.
7. Run an incremental profile synchronization.
8. Validate the profile import.

Task 1: Delegate Active Directory permissions to enable user profiles synchronization.


Start Active Directory Users and Computers using the Run as a different user option. Enter the user name, CONTOSO\Administrator, and the password, Pa$$w0rd. Use the Delegation of Control Wizard to delegate the user account, CONTOSO\SP_Farm, permission for Replicating Directory Changes for the contoso.com domain. Then close Active Directory Users and Computers.
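
An added example, not part of the course material: a PowerShell audit of who holds the replication rights delegated in this task, so you can confirm the delegation gave CONTOSO\SP_Farm only what the task asks for. It assumes the ActiveDirectory module is installed and that you run it in the lab's contoso.com domain; the two GUIDs are the schema identifiers of the control access rights.

```powershell
# Added example: list the principals that hold directory replication rights on the
# domain root, then check the lab's sync account. Read-only; changes nothing.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

# Control access right GUIDs defined in the Active Directory schema.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    # The "All" variant also replicates secret attributes such as password hashes;
    # profile synchronization does not need it.
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$allRightsLabel = 'All extended rights (includes replication)'
$emptyGuid      = [Guid]::Empty.ToString()
$extendedRight  = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$domainDn = (Get-ADDomain).DistinguishedName      # DC=contoso,DC=com in the lab
$acl      = Get-Acl -Path "AD:\$domainDn"

$holders = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }

    $guid = $ace.ObjectType.ToString().ToLower()
    if ($replicationRights.ContainsKey($guid)) {
        $right = $replicationRights[$guid]
    } elseif ($guid -eq $emptyGuid) {
        # No specific right named: the ACE covers every extended right.
        $right = $allRightsLabel
    } else {
        continue
    }

    New-Object PSObject -Property @{
        Identity  = $ace.IdentityReference.Value
        Right     = $right
        Inherited = $ace.IsInherited
    }
}

$holders | Sort-Object Identity, Right |
    Format-Table Identity, Right, Inherited -AutoSize

# Check the account delegated in this task (name taken from the lab).
$account = 'CONTOSO\SP_Farm'
$granted = @($holders | Where-Object { $_.Identity -eq $account })
$needed  = @($granted | Where-Object { $_.Right -eq 'Replicating Directory Changes' })
$excess  = @($granted | Where-Object { $_.Right -ne 'Replicating Directory Changes' })

if ($needed.Count -eq 0) {
    Write-Warning "$account does not hold Replicating Directory Changes; synchronization will fail."
}
foreach ($entry in $excess) {
    Write-Warning "$account also holds '$($entry.Right)', which this task does not call for."
}
if ($needed.Count -gt 0 -and $excess.Count -eq 0) {
    Write-Output "$account holds Replicating Directory Changes and nothing broader."
}
```

Built-in principals such as Domain Controllers and Administrators appear in the table by default; review any other entry against a documented delegation.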

Task 2: Create a user profile connection to Active Directory.


In Central Administration, click Application Management, click Manage service applications, and then open the Manage Profile Service page for user profile service application. Create a new synchronization connection with the following configuration:
- Connection name: Contoso Active Directory
- Forest name: contoso.com
- Account name: CONTOSO\SP_Farm
- Password: Pa$$w0rd
- Containers to synchronize: the People, SharePoint, and Users organizational units (OUs)

Task 3: Add a custom user property.


In Central Administration, open the Manage Profile Service page for user profile service application. Add a new user property with the following configuration:
- Name: City
- Display name: City
- Default privacy setting: Everyone
- Replicable: Yes
- Display the property in the profile properties section of the user's profile page, on the Edit Details page, and in the newsfeed
- Property imported from the Contoso Active Directory connection, l attribute

Tip: l (lowercase L) is the Lightweight Directory Access Protocol (LDAP) name for the locale, or city attribute.


Task 4: Import user profiles from Active Directory.


In Central Administration, open the Manage Profile Service page for user profile service application. Start a full synchronization of user profiles. Monitor the progress of synchronization. The synchronization job will take a few moments to start, and then will take 10-15 minutes to complete. When the job is complete, confirm that the Number of user profiles is 53, and confirm that Profile Synchronization Status displays Idle.

Task 5: Validate the profile import.


Find the profile for SP_Admin. Confirm that the City attribute has no value.

Task 6: Configure a profile property in Active Directory.


Start Active Directory Users and Computers using the Run as different user option. Enter the user name, CONTOSO\Administrator, and the password, Pa$$w0rd. Open the properties of the SharePoint Administrator account, in the SharePoint OU. Change the City property to Seattle.

Task 7: Run an incremental profile synchronization.


In Central Administration, open the Manage Profile Service page for user profile service application. Start an incremental synchronization of user profiles. Monitor the progress of synchronization. The synchronization job will take a few moments to start, and then will take a few minutes to complete. When the job is complete, the Profile Synchronization Status displays Idle.

Task 8: Validate the profile import.


Find the profile for SP_Admin. Confirm that the City attribute is Seattle.

Results: After completing this exercise, you should have configured and performed user profile synchronization.


Exercise 3: Configuring Profile Import from External Data Sources


The main tasks for this exercise are as follows:
1. Create a new profile property.
2. Set up data source permissions.
3. Create an external data source.
4. Set permissions on an external data source.
5. Create a synchronization connection to an external data source.
6. Add a profile property from an external data source.
7. Edit a user profile.
8. Import profile data from the external data source.
9. Validate the user profile import.

Task 1: Create a new profile property.


In Central Administration, click Application Management, click Manage service applications, and then open the Manage Profile Service page for user profile service application. Add a new user property with the following configuration. Type the text exactly as shown; be careful about the inclusion and exclusion of spaces.
- Name: EmployeeID
- Display name: Employee ID
- Type: integer
- Default privacy setting: Everyone
- Replicable: Yes
- Allow users to edit values for this property: Yes
- Display the property in the profile properties section of the user's profile page, and on the Edit Details page.

Task 2: Set up data source permissions.


Start the Microsoft SQL Server 2008 R2 SQL Server Management Studio using the Run as different user option. Enter the user name, CONTOSO\Administrator, and the password, Pa$$w0rd. Click Connect. Add a login for the AdventureWorks database for CONTOSO\SP_Admin. Assign the login the db_owner database role. Repeat the step for CONTOSO\SP_Farm. Close SQL Server Management Studio.

Task 3: Create an external data source.


Start Microsoft SharePoint Designer 2010, and then open the site, http://intranet.contoso.com/sites/IT. Wait for the site to open. When prompted for credentials, use Contoso\SP_Admin with the password of Pa$$w0rd. Create a new external content type named AdventureWorks. Connect to the SQL Server, SP2010WFE1, and to the database, AdventureWorks. Select the Employee table and Create All Operations. Save the external content type, and then close SharePoint Designer.


Task 4: Set permissions on an external data source.


In Central Administration, navigate to the Manage Service Applications page, and then click Business Data Connectivity Service. Set permissions on the AdventureWorks content type so that All Authenticated Users have all available permissions.

Task 5: Create a synchronization connection to an external data source.


In Central Administration, open the Manage Profile Service page for User Profile Service Application. Create a new synchronization connection with the following configuration:
- Connection name: Adventure Works
- Type: Business Data Connectivity
- Business data connectivity entity: AdventureWorks
- Connect as a 1-to-1 mapping with the EmployeeID profile property

Task 6: Add a profile property from an external data source.


In Central Administration, open the Manage Profile Service page for User Profile Service Application. Create a new user profile property with the following configuration:
- Name: Gender
- Display name: Gender
- Policy setting: Optional
- Default privacy setting: Everyone
- Replicable: Yes
- Display the property in the profile properties section of the user's profile page, and on the Edit Details page
- Source data connection: AdventureWorks
- Attribute: Gender

Task 7: Edit a user profile.


Find the profile for CONTOSO\SP_Admin. Change Employee ID to 1, and confirm that Gender is blank.

Task 8: Import profile data from the external data source.


In Central Administration, open the Manage Profile Service page for User Profile Service Application. Start a full synchronization of user profiles. Monitor the progress of synchronization. The synchronization job will take a few moments to start, and then will take 10-15 minutes to complete. When the job is complete, confirm that the Number of user profiles is 34, and confirm that Profile Synchronization Status displays Idle.

Task 9: Validate the user profile import.


Find the profile for SP_Admin. Confirm that the Gender attribute is M.


Question: What group does the farm account have to be in in order for user profile synchronization to work?

Results: After completing this exercise, you should have configured and performed profile attribute synchronization from an external source.


Lab B: Administering My Sites

Exercise 1: Configuring My Sites


The main tasks for this exercise are as follows:
1. Create My Site Web application.
2. Create a search center.
3. Configure permissions for the search center.
4. Configure a managed path for MySites.
5. Enable self-service site creation.
6. Configure My Sites.
7. Configure permissions for the intranet.

Task 1: Create My Site Web application.


In Central Administration, create a new Web application with the following configuration:
- Port: 80
- Host header: mysites.contoso.com
- Application pool identity: CONTOSO\SP_Farm
- Database name: WSS_Content_MySites

Create a new site collection in the Web application with the following configuration:
- Title: My Site Host
- Template: My Site Host
- Primary site collection administrator: CONTOSO\SP_Admin


Task 2: Create a search center.


Create a new site collection in the My Site Host Web application with the following configuration:
- Title: Search Center
- URL: http://mysites.contoso.com/sites/Search
- Template: Enterprise Search Center
- Primary site collection administrator: CONTOSO\SP_Admin

Task 3: Configure permissions for the search center.


Open a new tab in Windows Internet Explorer, and then browse to http://mysites.contoso.com/sites/Search. Add the Domain Users group to the Search Center Visitors group.

Task 4: Configure a managed path for MySites.


In Central Administration, navigate to the Web Applications Management page. Add a wildcard inclusion managed path named personal to the SharePoint - mysites.contoso.com80 Web application.

Task 5: Enable self-service site creation.


Enable self-service site creation for the SharePoint - mysites.contoso.com80 Web application.

Task 6: Configure my sites.


In Central Administration, open the Manage Profile Service page for User Profile Service Application. Set up My Sites using the following configuration:
- Preferred search center: http://mysites.contoso.com/sites/Search/Pages
- My Site Host location: http://mysites.contoso.com
- Location: personal

Task 7: Configure permissions for the intranet.


Open a new tab in Internet Explorer, and then browse to http://intranet.contoso.com. Add the Domain Users group to the Contoso Intranet Visitors group. Log off SP2010-WFE1.

Results: After completing this exercise, you should have configured My Sites.
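
An added example, not part of the course material: Tasks 1 through 6 of this exercise expressed as a SharePoint 2010 Management Shell script, using the lab's values. The application pool name is an assumption because the lab does not specify one, and the script grants Domain Users the Read permission level directly (the alternative named in the lesson) rather than adding the group to the Visitors group.

```powershell
# Added example: scripted equivalent of Lab B, Exercise 1, Tasks 1-6.
# Run as a farm administrator on a SharePoint 2010 server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$hostHeader = 'mysites.contoso.com'
$hostUrl    = "http://$hostHeader"
$searchUrl  = "$hostUrl/sites/Search"
$owner      = 'CONTOSO\SP_Admin'
$poolName   = 'MySitesAppPool'        # assumption: not named in the lab

# Task 1: Web application plus the My Site Host site collection at its root.
$wa = New-SPWebApplication -Name "SharePoint - ${hostHeader}80" -Port 80 `
        -HostHeader $hostHeader -Url $hostUrl `
        -ApplicationPool $poolName `
        -ApplicationPoolAccount (Get-SPManagedAccount 'CONTOSO\SP_Farm') `
        -DatabaseName 'WSS_Content_MySites'
New-SPSite -Url $hostUrl -Name 'My Site Host' -Template 'SPSMSITEHOST#0' `
        -OwnerAlias $owner | Out-Null

# Task 2: Enterprise Search Center site collection.
New-SPSite -Url $searchUrl -Name 'Search Center' -Template 'SRCHCEN#0' `
        -OwnerAlias $owner | Out-Null

# Task 3: give Domain Users read access to the search center.
$web = Get-SPWeb $searchUrl
try {
    $principal  = $web.EnsureUser('CONTOSO\Domain Users')
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($principal)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions['Read'])
    $web.RoleAssignments.Add($assignment)
} finally {
    $web.Dispose()
}

# Task 4: wildcard managed path (omitting -Explicit makes it a wildcard inclusion).
New-SPManagedPath -RelativeURL 'personal' -WebApplication $wa | Out-Null

# Task 5: self-service site creation, which lets users create their own My Site.
$wa.SelfServiceSiteCreationEnabled = $true
$wa.Update()

# Task 6: point the User Profile Service Application at the My Site host.
# The preferred search center URL is still entered on the Setup My Sites page.
$upa = Get-SPServiceApplication | Where-Object {
    $_.TypeName -eq 'User Profile Service Application' -and
    $_.Name     -eq 'User Profile Service Application'
}
Set-SPProfileServiceApplication -Identity $upa `
        -MySiteHostLocation $hostUrl -MySiteManagedPath 'personal'

# Review what is now exposed on the web application.
Get-SPManagedPath -WebApplication $wa | Format-Table Name, Type -AutoSize
"Self-service site creation enabled: $($wa.SelfServiceSiteCreationEnabled)"
```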


Exercise 2: Creating Your My Site and Profile


The main tasks for this exercise are as follows:
1. Create your My Site.
2. Update your status.
3. Edit your profile.

Task 1: Create your My Site.


Log on to SP2010-WFE1 as CONTOSO\DanJ with password, Pa$$w0rd. Open Internet Explorer, and then browse to http://intranet.contoso.com. Click the logon menu, Dan Jump, and then click My Profile.

Note: If My Profile is not visible, click My Settings, and then click My Profile.

Click My Content. A My Site is created. The Processing screen may display for 1 to 2 minutes. Click My Profile. Review the tabs on the My Site.

Task 2: Update your status.


Update your status to Loving SharePoint!

Task 3: Edit your profile.


Edit your profile using the values in the following table.

Profile Property    Value
About me            I enjoy helping my team succeed
Mobile phone        206-555-1234
Home phone          725-555-1234
Office Location     New Tower
Time Zone           (UTC-8:00) Pacific Time (US and Canada)
Past projects       SharePoint 2007
Skills              Public Speaking
Schools             University of SharePoint
Birthday            January 1
Employee ID         2

Configure your birthday to display to My Colleagues. Save your changes. On the profile page, click More information. Observe that the newly populated profile properties are now visible.


Results: After completing this exercise, you should have created a My Site for Dan Jump, and modified his user profile.


Exercise 3: Configuring Social Networking Features


The main tasks for this exercise are as follows:
1. Add colleagues.
2. Track colleagues.
3. Configure membership.
4. Start profile synchronization jobs.
5. Explore In Common with You.
6. Wait for search and synchronization jobs to complete.
7. View previous updates.

Task 1: Add colleagues.


Click the Colleagues tab and then add Contoso\LolaJ as a colleague. Do not add any additional suggested colleagues.

Task 2: Track colleagues.


Click the Jump, Dan link and then sign in as a different user. Sign in as Contoso\LolaJ with the password of Pa$$w0rd. Click My Profile and then edit the profile as follows:
- About Me: On the Contoso team for 15 years
- Employee ID: 3
- What's happening?: Working on our marketing strategy

Task 3: Configure membership.


In the address bar, type http://intranet.contoso.com/Sites/IT. The Error: Access Denied page opens. Sign in as Contoso\SP_Admin with the password of Pa$$w0rd. Click Site Actions, and then click Site Permissions. Grant Contoso\Danj permissions to the site by adding him to the Information Technology Members [Contribute] group. Open the Information Technology Members page, and then make this group the default group for the site. Close Internet Explorer.

Task 4: Start profile synchronization jobs.


Open SharePoint 2010 Central Administration. When prompted for credentials, provide Contoso\SP_Admin with the password of Pa$$w0rd. In Central Administration, click the Monitoring link and then under Timer Jobs, click Review job definitions. Enable and run the following jobs:
- User Profile Service Application - Activity Feed Job
- User Profile Service Application - User Profile to SharePoint Full Synchronization
- User Profile Service Application - User Profile to SharePoint Quick Synchronization


Task 5: Explore In Common with You.


Open Internet Explorer and browse to http://intranet.contoso.com/Sites/IT. Browse to Dan Jump's My Profile page. Under My Organization Chart, review Toni Poe's profile information. Click Organization Browser and view Dan Jump's organization structure and profile.

Task 6: View previous updates.


Switch to Dan Jump's My Site page. Click the following links and view the changes:
- My Newsfeed
- My Profile
- Memberships
- Information Technology

Results: After this exercise, you should have configured various social networking features.

To prepare for the next module.


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. What group does the farm account have to be in in order for user profile synchronization to work?
2. Which three features must be present and activated for My Site websites to function?


Module 10
Administering and Configuring SharePoint Search
Contents:
Lesson 1: Configuring Search
Lab A: Configuring Search
Lesson 2: Refining Search
Lab B: Tuning SharePoint Search


Module Overview

Configuring and refining Microsoft SharePoint 2010 Search correctly is critical to finding content in your organization quickly and with relevant results. Enterprise Search has been greatly enhanced to provide a consistent and interactive environment in which to organize and find your content, external content, or both.

Objectives
After completing this module, you will be able to:
- Configure the search features of SharePoint Server 2010.
- Refine searches in SharePoint 2010.


Lesson 1

Configuring Search

By configuring SharePoint Search in your environment, you can help users have a better experience when searching for content. This lesson teaches you how to configure Search to match your organization's needs and also monitor issues that may arise.

Objectives
After completing this lesson, you will be able to:
- Describe SharePoint 2010 Search editions.
- Describe the SharePoint 2010 Search architecture.
- Understand how to scale searching.
- Describe content distribution.
- Administer searching.
- Configure crawling.
- Configure queries.
- Report on searches.


SharePoint 2010 Enterprise Search Editions

Key Points
SharePoint 2010 Search has three different product editions:
- Search Server 2010 Express. Search Server 2010 Express can only be used as a standalone system and has the following characteristics:
  - Scales to 10 million items with subsecond response times. Search Server 2010 Express can meet the scale and performance needs of your organization.
  - Searches 31 file types using the extensible iFilter platform, including Microsoft Office; Hypertext Markup Language (HTML); SharePoint 2003, SharePoint 2007, and SharePoint 2010 sites; Open Document format; and many others.
  - Helps find information across your company in 51 languages. Improvements include compound handling, numbers, and dates in languages such as Thai, Russian, and Arabic.
- SharePoint 2010 Search. SharePoint 2010 Search includes all the features of Search Server 2010 Express but can be scaled to several servers.
- Microsoft FAST Search Server 2010 for SharePoint. FAST Search adds increased performance and relevancy tuning algorithms, along with several layers of extensible interfaces.

Each of these is a different product with different features. As you move down the list, each edition builds on the last, adding more features. This module concentrates on SharePoint 2010 Search.

Additional Reading
SharePoint 2010 Enterprise Search at http://go.microsoft.com/fwlink/?LinkID=192165&clcid=0x409


SharePoint 2010 Search Architecture

Key Points
In SharePoint 2007, the search architecture has several limitations:
- Only one Search database is shared by the crawl and query components. In larger environments, this introduces latency in both crawling content and querying indexes. There is also a large impact on Microsoft SQL Server resources. Often, crawling has to be done during nonbusiness hours so as not to interfere with searches during the business day. Consequently, the content is refreshed only once a day.
- A single index file stored on the query servers is used, creating a single point of failure and no scalability. If the index file is corrupted or lost, a full crawl has to be completed.

In SharePoint 2010, there are four main components to the search architecture:
- Crawl components. Role of the index servers. Can be scaled out to include additional servers for balancing the index. Crawler is a stateless worker and does not store any of the index on the hard drive. When crawling is complete, it propagates the content to the query servers.
- Crawl History databases and metabase database. Both stored in SQL Server, which can be scaled with additional databases and/or servers. Crawl History database stores the history and logs of past crawls. Metabase database stores the metadata of searched items.
- Index partitions. Role of the query servers. Can be scaled out to include additional index partitions on additional servers.
- Administration component. Search Admin database. There is only one, used for Search Administration page in Central Administration; no need to scale.

The Flow of Content


Content is items that can be crawled, such as web pages, Microsoft Office Word documents, and SharePoint sites. Crawling involves analyzing and consolidating all the content into index files that query servers use to serve query results to users. Crawling content is performed for the initial deployment. You must also perform crawls on an ongoing basis for the following reasons:
- You must continue to crawl the content sources that were created during the deployment phase to discover and index new content and to remove entries in the index for content that has been deleted.
- You must periodically evaluate the need to crawl new sources of content. For example, someone in your organization might want to enable end users to search for content in a file share, a Web site on the Internet or intranet, or another SharePoint products and technologies server farm in your organization.

During the indexing process, the crawler accesses and reads content items. The process of extracting the information from these files results in a content index that is propagated to the file system of the query server and the Search database in SQL Server. User search queries run against this content index and the Search database. Depending on how much content you have, you may need more than one crawling server. Similarly, depending on the number of users and queries they send, you may need more than one query server to service their requests.

Configuring a Custom Security Trimmer


SharePoint Server 2010 employs security trimming for search results as queries take place. Results are trimmed based on the identity of the user performing the query. At this point, the crawler has provided information regarding security. In some scenarios, however, you need to meet additional requirements not provided by built-in security trimming.

Additional Reading
What's new in enterprise search at http://go.microsoft.com/fwlink/?LinkID=197049&clcid=0x409


Scaling

Key Points
Using the built-in management tools, you can monitor the usage of your crawlers and query servers. When their performance starts to degrade, you should consider adding more of them. Because of the componentized architecture of SharePoint 2010 Search, you can scale very easily compared with SharePoint 2007 Search. Each crawl server in the farm can crawl different content so that a multithreaded approach can be used to create the index. Also, adding crawl databases relieves input/output (I/O) contention issues because all crawl servers won't be trying to write to the same database at the same time. Multiple query servers allow for load balancing of requests. Also, each query server has a smaller partition of the index. When a query comes in from a user, all query servers are notified and search their part of the index. The results are merged and then presented to the user.

Additional Reading
Search Architectures at http://go.microsoft.com/fwlink/?LinkID=167739


Content Distribution

Crawl Distribution
In SharePoint 2010, you can distribute the crawl role to multiple servers. This allows for built-in load balancing of crawls. You can also create more crawl databases to ease the burden on the hardware. You can overwrite the default load balancing by using host distribution rules. With these rules, you can force certain crawlers to crawl certain content. You can also implement crawler impact rules to reduce the load on the content sources being crawled.

Query Distribution
You can distribute the query role to multiple servers so that users have a faster search experience as a result of load balancing. Crawlers partition the data, called an index partition, and propagate it to each query server. When a user searches, all query servers are notified to look for content. When the content is found, all results are consolidated and sent back to the user.


Administration

Search Administration
After the planning and installation of SharePoint, you must make sure that the services that make up Search are running on a server in the environment. On the Search Administration page, you can configure the following items:

Component: Details

System status:
- Configure the default account used to access content
- Configure the contact email address
- Configure the proxy server information
- Scopes update schedule
- Enable/disable search alerts and query logging
Note: These settings must be configured before using the Enterprise Search service.

Crawl history: Shows you, by content source, the past crawls and any errors that were encountered. It also shows the start time, end time, and duration of each crawl.

Search application topology: Shows you the components used to make up the search architecture. Any crawl, query, administration, or database components are shown here along with their status.

Farm-Level Administration
On the Farm Search Administration page, you can see the following farmwide settings:
- Proxy server being used for the entire farm. A proxy server is used in most organizations to access the Internet. This setting allows you to crawl content that is external to your network.
- Time-out settings for a search. Configure the number of seconds the search system waits when connecting to a content repository.
- Ability to toggle on/off Secure Sockets Layer (SSL) warnings. If SSL warnings are on, the crawler will not crawl a site if the site name does not match the name on the SSL certificate.

Note: These settings must be configured before using the Enterprise Search service.

This page also contains links to the Search Service application and to where you can modify the topology.

Configuring Search Center


You can configure a basic Search Center by applying the Basic Search Center template to a site. Before creating an enterprise or FAST Search Center, the SharePoint Server Publishing Infrastructure feature must be active on the site collection. After creating a Search Center, you must give all authenticated users permission to access it. A Search Center gives you the ability to perform complex queries on the search indexes. You can further refine results and can include people.

Additional Reading
Post-installation steps for search at http://go.microsoft.com/fwlink/?LinkID=197050&clcid=0x409


Crawl Configuration

Content Sources
SharePoint 2010 enhances content sources and how they are indexed. It now supports more than 400 structured and unstructured content types. You can have up to 500 content sources, each supporting up to 500 start addresses. The content processing algorithms were enhanced to use stronger linguistics. Support for crawling 85 different languages has been added. Also, there are now ways to build custom content types to crawl external data using a common connector framework.

After creating an instance of the Search service application, a default content source is created: Local SharePoint sites. Crawls are not performed or scheduled automatically when a Search service application is created unless you do a basic installation.

When creating a new content source, you can select the type of content to be crawled. SharePoint sites, Web sites, file shares, Microsoft Exchange Server public folders, line-of-business data, and custom repositories can be crawled. By selecting Line Of Business Data, you can choose a Business Data Connectivity (BDC) service application to crawl. You can crawl either all data sources associated with that service application or just a subset. You also can create new content source types for crawling custom repositories. To do so, you must register a custom connector.

You can schedule full crawls or incremental crawls. You typically use full crawls only for the first crawl because they create the index from scratch and take a lot of time to complete. By setting the content source priority for crawls, you can prioritize certain content sources over others.

Crawl Rules
You can configure crawl rules to omit or include certain paths during a crawl. You can do so to exclude sensitive data in the farm that should not be searchable. Example:
- Files starting with a certain phrase such as SSN
- All files under a certain folder, such as the Payroll folder
- Certain Web sites, such as the Completed HR InfoPath forms library

Use Search Administration to create a crawl rule by providing a path that should be affected by the rule. You can also use wildcards (*) to denote all folders or files under a path. You can choose to exclude all items in the path or just ones with complex URLs. You can also choose to include all items in the path instead. Specifying different authentication to the content source is also supported.

Crawl Logs
Crawl logs provide information about all content that was indexed for a particular content source. They can provide insight on why some content was not indexed and any errors that were encountered during the crawl. It is very possible that after running a full or incremental crawl you lose some of your search results. This could indicate any number of errors including the following:
- Permission error, such as a possible password change
- iFilter error, such as a file does not have a supported iFilter installed
- Protocol error, such as a possible blocked protocol in the environment

You use a crawl log timer job to schedule how often the logs are refreshed. By default, this interval is set to five minutes, but you can change this in the settings. Using the crawl logs in Search Administration helps you troubleshoot issues with Search and resolve them in a timely manner.

iFilters and Protocol Handlers


SharePoint must be able to pull content from various sources such as Web sites, file shares, public folders, Lotus Notes databases, and SQL Server databases. SharePoint uses protocol handlers to implement the protocol to gain access to content. Examples of protocols include Transmission Control Protocol (TCP), Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP). Protocol handlers are called based on the uniform resource identifier (URI)/format of the start address in the content source.

The crawler uses protocol handlers and iFilters as follows:
- The crawler retrieves the start addresses of content sources and calls the protocol handler based on the URL's prefix.
- The protocol handler connects to the content source and extracts system-level metadata and access control list information.
- The protocol handler identifies the file type of each content item based on the file name extension and calls the appropriate iFilter associated with that file type.
- The iFilter extracts content, removing any embedded formatting, and then retrieves content item metadata.
- Content is parsed by one or more language-appropriate word breakers and is added to the content index, also called the full-text index.
- Metadata and access control lists are added to the Search database.

Additional Reading
Manage crawl rules at http://go.microsoft.com/fwlink/?LinkID=197051&clcid=0x409
Best practices for using crawl logs at http://go.microsoft.com/fwlink/?LinkID=197052&clcid=0x409


Query Configuration

Authoritative Pages
You can use authoritative pages to enhance the overall search rankings of items in a site. Sites can be added to the following areas:
- Most authoritative pages. The items on these pages show up first in the search results and are ranked higher than the rest. By default, the first Web application created in the farm is added to this field. This is a required field.
- Second-level authoritative pages. These items show up right under the most authoritative pages and the search rankings are slightly lower.
- Third-level authoritative pages. Yet another level of authoritative pages that controls search rankings and results page placement.
- Sites to demote. The sites placed here are actually pushed to the bottom of the search results page and are the lowest in the search rankings.

You can also force a refresh after you make any changes to the rankings.

Federated Search
With Federated Search, you can use other search indexes to supplement your own, and vice versa. Use Federated Search when you already have other search architectures in place. Rather than have SharePoint replicate the indexing process, you simply federate results from other repositories of content. Following are several reasons why you might set up Federated Search:
- You have a need for a quick, powerful way to bring together results.
- Data is distributed across many repositories.
- Multiple interfaces are complicated.
- Size, security, or cost makes crawling infeasible.
- Search already exists on repositories.

OpenSearch is a popular term used for search engines/products that support interoperability between searching and indexes. The interface is very simple, searches are performed over HTTP requests, and results are returned as Really Simple Syndication (RSS) and Atom feeds. When you plug in other federated OpenSearch providers, you must provide an .osdx file of those search systems. Consider the following points before doing this:
- How will security be implemented?
- The provider is responsible for security trimming, not SharePoint.

Metadata Properties
When SharePoint Search crawls data, it automatically extracts metadata from the content. You can map these crawled properties to managed properties to drive a taxonomy that users can use to refine search results. The managed property types that you can configure are as follows:
- Text
- Integer
- Decimal
- Date and time
- Yes/no

Also, you can use multiple values at the same time when mapping.

Example
A text type managed property (UserName) is configured and is mapped to the crawl property People:UserName(Text). During a crawl, when content with a UserName attribute is found, it is linked to the UserName managed property. When users search on this content, they can refine the results to only those that are owned by a specific UserName.

Search Scopes
Search scopes are subsets of content from the search index file. Users can choose a specific search scope when searching by using the drop-down menu to the right of the search box. You can create search scopes for the following items:
- Project data that needs to be searched separately
- A specific content source that contains data from only one Web site
- An organizational group that needs to see only their data

A search scope can encompass several other search scopes and can be set at either the service application level or the site administration level. You can also configure a search scope to send users to another search results page when they search on that scope.

Additional Reading
Manage federated locations at http://go.microsoft.com/fwlink/?LinkID=197053&clcid=0x409
Manage metadata properties at http://go.microsoft.com/fwlink/?LinkID=197054&clcid=0x409
Manage search scopes at http://go.microsoft.com/fwlink/?LinkID=197055&clcid=0x409


Search Reporting

Key Points
SharePoint 2010 makes it easy for administrators and users to manage Search. Reports can give them a view into their environment. The first step is to make sure that the Web Analytics service application is started in the farm. When users run search queries, Web analytics data is gathered, and every 24 hours the data is processed into reports. The gathering process allows the Web Analytics service to provide automatic recommendations for Best Bets for administrators. The data also helps identify I/O issues and memory pressure from crawl and query statistics. The analytics data can be displayed in three different levels:
- Farm level (Central Administration, Administrative Reports, Monitoring, View Administrative Reports)
- Web application level (Monitoring, View Web Analytics Reports)
- Site collection level (Site Settings, Site Collection Web Analytics Reports)

Additional Reading
Use search administration reports at http://go.microsoft.com/fwlink/?LinkID=197056&clcid=0x409


Lab A: Configuring Search

Scenario
You have installed a new SharePoint 2010 farm to address the needs of employees at Contoso, Ltd., to search for information across both intranet sites and shared folders. You have been asked to prototype a SharePoint search capability on the Information Technology Department Web site and, based on your experience with the prototype, to configure SharePoint to support search requirements.

Log on to the virtual machine for this lab.


Start 10174A-CONTOSO-DC-E. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-E.


Exercise 1: Creating Content for Search


In this exercise, you identify and add content to SharePoint and to shared folders on servers that run the Windows operating system. This content will serve to test the out-of-box search functionality of SharePoint. The main tasks for this exercise are as follows:
1. Explore SharePoint content.
2. Create a shared folder.
3. Add files to the shared folder.

Task 1: Explore SharePoint content.


Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password Pa$$w0rd. Open Internet Explorer, and then browse to http://intranet.contoso.com/sites/IT. On the home page, click the Shared Documents document library, which includes the documents IT Policies and Procedures for SharePoint 2010 and SharePoint Governance Plan. Click the All Site Content link, and then open the Announcements list. Observe the two announcements, WSS stands for Windows SharePoint Services, and Mud is dirty. Return to the Information Technology home page.

Task 2: Create a shared folder.


Create a folder named Data on the C drive. Share the folder with the share name Data. Grant the Everyone group the Full Control share permission. Inside the Data folder, create a folder named Temporary Drafts. Close any open Windows Explorer windows.

Task 3: Add files to the shared folder.


Open Notepad and create a file named C:\Data\SharePoint Search.txt with the following text:
SharePoint is able to index files in a shared folder.

Create a file named C:\Data\Temporary Drafts\Crawl Rules.txt with the following text:
SharePoint crawl rules allow you to manage the content that is included and excluded.

Copy D:\LabFiles\Lab10\SharePoint Governance Checklist.pdf to C:\Data.

Results: After this exercise, you should have created text files in a shared folder.


Exercise 2: Creating an Enterprise Search Center Site


In this exercise, you build the prototype SharePoint Enterprise Search site in the Information Technology Department site collection. Then, you test the SharePoint out-of-box search functionality. The main tasks for this exercise are as follows:
1. Attempt to create a Search Center.
2. Enable SharePoint Search features.
3. Create a Search Center.
4. Test the Search Center.

Task 1: Attempt to create a Search Center.


In the Information Technology Department Web, attempt to create a new site with the following settings:
- Site definition: Enterprise Search Center
- Title: Search Center
- URL: Search

An error message appears. The SharePoint Server Publishing Infrastructure feature must be active to create a Web using the Enterprise Search Center site definition. You can create a Web using the Basic Search Center site definition without activating the SharePoint Server Publishing Infrastructure feature. The SharePoint Server Standard Site Collection Features feature must also be active before you can create a Web with either site definition. Close the error message.

Task 2: Enable SharePoint Search features.


Enable the SharePoint Server Publishing Infrastructure feature for the Information Technology site collection.

Task 3: Create a Search Center.


In the Information Technology Web, create a new site with the following settings:
- Site definition: Enterprise Search Center
- Title: Search Center
- URL: Search

Task 4: Test the Search Center.


In the Search Center, perform a search for the keyword procedures. The file IT Policies and Procedures is returned in the list of results. In the Search Center, perform a search for the keyword index. No results are returned. In the Search Center, perform a search for the keyword excluded. No results are returned.

Results: After this exercise, you should have created a Search Center and tested the default behavior of SharePoint Search.


Exercise 3: Creating and Configuring a Content Source


In the previous exercise, you built a prototype Search Center and confirmed that, by default, SharePoint indexes content on SharePoint sites but does not index content in shared folders. In this exercise, you add the shared folder Data as a content source so that SharePoint can crawl and index the folder. You also exclude files that are considered temporary drafts. The main tasks for this exercise are as follows:
1. Create a content source.
2. Test the content source.
3. Create a crawl schedule.
4. Create a crawl rule.
5. Crawl a content source.
6. Test the crawl rule.

Task 1: Create a content source.


In SharePoint 2010 Central Administration, open the Search Service Application and create a content source with the following settings:
- Name: Shared Folder - Data
- Content source type: File Shares
- Start address: \\sp2010-wfe1.contoso.com\Data
- Start full crawl of this content source: Selected

Monitor the crawl status of the Shared Folder - Data content source until the full crawl is complete. Tip: The full crawl takes two to four minutes.

Task 2: Test the content source.


In the Search Center, perform a search for the keyword index. The file SharePoint Search.txt is returned as a result. Perform a search for the keyword excluded. The file Crawl Rules.txt is returned as a result.

Task 3: Create a crawl schedule.


In SharePoint 2010 Central Administration, edit the Shared Folder - Data content source. Create a schedule for full crawls that runs every hour.

Task 4: Create a crawl rule.


Create a crawl rule that excludes the path \\sp2010-wfe1.contoso.com\Data\Temporary Drafts\*.

Task 5: Crawl a content source.


Start a full crawl of the content source Shared Folder - Data. Monitor the crawl status until the crawl is complete. Tip: The full crawl takes two to four minutes.

Task 6: Test the crawl rule.


In the Search Center, perform a search for the keyword index. The file SharePoint Search.txt is returned as a result. Perform a search for the keyword excluded. No results are returned.

Results: After this exercise, you should have created a content source for the shared folder Data, a crawl schedule, and a crawl rule that excludes files from the Temporary Drafts folder.
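A scripted equivalent of Tasks 1 and 3 through 6, which also applies the kind of exclusion rule described under Crawl Rules, as an added example that is not part of the courseware. It assumes a single Search service application in the farm and writes the share in file:// form; the variable and function names are this example's own.

```powershell
# Added example (not courseware code). Run in the SharePoint 2010 Management
# Shell on a farm server, as an account that administers the Search service.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Values from the lab; the share is written in file:// form.
$SourceName   = 'Shared Folder - Data'
$StartAddress = 'file://sp2010-wfe1.contoso.com/Data'
$ExcludePath  = 'file://sp2010-wfe1.contoso.com/Data/Temporary Drafts/*'
$SiteUrl      = 'http://intranet.contoso.com/sites/IT'

# Assumption: the farm has one Search service application.
$ssa = Get-SPEnterpriseSearchServiceApplication | Select-Object -First 1
if (-not $ssa) { throw 'No Search service application found.' }

# Tasks 1 and 3: file-share content source with an hourly full crawl.
$cs = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa |
      Where-Object { $_.Name -eq $SourceName }
if (-not $cs) {
    $cs = New-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa `
              -Type File -Name $SourceName -StartAddresses $StartAddress
}
$cs | Set-SPEnterpriseSearchCrawlContentSource -ScheduleType Full `
          -DailyCrawlSchedule -CrawlScheduleRepeatInterval 60 `
          -CrawlScheduleRepeatDuration 1440

# Task 4: exclude everything under Temporary Drafts (created only once).
$rule = Get-SPEnterpriseSearchCrawlRule -SearchApplication $ssa |
        Where-Object { $_.Path -eq $ExcludePath }
if (-not $rule) {
    New-SPEnterpriseSearchCrawlRule -SearchApplication $ssa `
        -Path $ExcludePath -Type ExclusionRule | Out-Null
}

# Task 5: start a full crawl and poll until the content source is idle again.
function Invoke-FullCrawl($ContentSource) {
    $ContentSource.StartFullCrawl()
    do {
        Start-Sleep -Seconds 15
        $current = Get-SPEnterpriseSearchCrawlContentSource `
                       -SearchApplication $ssa -Identity $ContentSource.Name
    } while ($current.CrawlStatus -ne 'Idle')
}

# Task 6: count results for a keyword. The query runs as the current user,
# so the count is security trimmed to what that account may read.
function Get-SearchHitCount([string]$Keyword) {
    $site = Get-SPSite $SiteUrl
    try {
        $query = New-Object Microsoft.Office.Server.Search.Query.KeywordQuery($site)
        $query.QueryText   = $Keyword
        $query.ResultTypes = [Microsoft.Office.Server.Search.Query.ResultType]::RelevantResults
        $tables = $query.Execute()
        $tables.Item([Microsoft.Office.Server.Search.Query.ResultType]::RelevantResults).TotalRows
    }
    finally { $site.Dispose() }
}

Invoke-FullCrawl $cs

# 'index' appears in SharePoint Search.txt and is the positive control;
# 'excluded' appears only in Temporary Drafts\Crawl Rules.txt.
$control = Get-SearchHitCount 'index'
$drafts  = Get-SearchHitCount 'excluded'

if ($control -eq 0) {
    Write-Warning 'Control keyword returned nothing; the draft check proves nothing yet.'
} elseif ($drafts -gt 0) {
    Write-Warning "Exclusion rule not effective: $drafts result(s) for 'excluded'."
} else {
    Write-Output 'Temporary Drafts content is no longer returned by search.'
}
```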


Exercise 4: Configuring File Types


One of the requirements for Search at Contoso is that commonly used file types can be searched. However, a user of the IT Search Center reports that she cannot search for a PDF document that she knows is in the shared folder. In this exercise, you add a file type for PDFs so that SharePoint can index PDFs. The main tasks for this exercise are as follows:
1. Search for an existing PDF file.
2. Add a file type for PDFs.
3. Crawl a content source.
4. Test the file type.

Task 1: Search for an existing PDF file.


In the Search Center, perform a search for the keyword governance. You should not see the file sharepoint governance checklist.pdf in the results even though it is in the shared folder Data.

Task 2: Add a file type for PDFs.


In SharePoint 2010 Central Administration, add a file type for files with the extension pdf.

Task 3: Crawl a content source.


Start a full crawl of the content source Shared Folder - Data. Monitor the crawl status until the crawl is complete. Tip: The full crawl takes two to four minutes.

Task 4: Test the file type.


In the Search Center, perform a search for the keyword governance. The file sharepoint governance checklist.pdf is returned as a result. Observe its URL. Perform a search for the keyword Deployment. No results are returned.

Note: Deployment is a term in the PDF file. You must install a 64-bit iFilter for PDFs on all servers that perform indexing to index the contents of PDF documents successfully.

Results: After this exercise, you should have created a file type for PDFs.


Exercise 5: Configuring Search Settings


In this exercise, you configure search settings to address search requirements at Contoso, which include use of a dedicated account to crawl content and minimization of the impact of crawling. The main tasks for this exercise are as follows:
1. Explore query crawl logs.
2. Configure the default content access account.
3. Add a server name mapping.
4. Crawl a content source.
5. Test server name mappings.
6. Explore host distribution rules.
7. Configure crawler impact rules.

Task 1: Explore query crawl logs.


In SharePoint 2010 Central Administration, open the crawl log of the Shared Folder - Data content source. Examine the crawl history of the content source. Examine the list of URLs that have been indexed in the content source. Locate the URL for the file SharePoint Governance checklist.pdf. If the file does not appear on the list of indexed URLs, wait a few moments, and then click the Search button.

Task 2: Configure the default content access account.


Configure the default content access account as CONTOSO\SP_Crawl with the password Pa$$w0rd.

Task 3: Add a server name mapping.


Create a server name mapping that presents content indexed in the content source \\sp2010-wfe1.contoso.com with the URL \\localhost.

Task 4: Crawl a content source.


Start a full crawl of the content source Shared Folder - Data. Monitor the crawl status until the crawl is complete. Tip: The full crawl takes two to four minutes.

Task 5: Test server name mappings.


In the Search Center, perform a search for the keyword governance. The file sharepoint governance checklist.pdf is returned as a result. Observe that the URL is displayed as localhost instead of sp2010-wfe1.contoso.com.

Task 6: Explore host distribution rules.


In SharePoint 2010 Central Administration, browse to the Host Distribution Rules page. SharePoint notifies you that host distribution rules cannot be applied to a farm with only one crawl database.


Task 7: Configure crawler impact rules.


In SharePoint 2010 Central Administration, create a crawler impact rule for the site SP2010-WFE1 that requests one document at a time and waits 30 minutes between requests.

Results: After this exercise, you should have configured a variety of search settings.


Exercise 6: Configuring Managed Properties


Contoso wants users to be able to search for documents based on a custom document description attribute. In this exercise, you address this requirement by configuring a managed property. The main tasks for this exercise are as follows:
1. Add a column to a document library.
2. Crawl a content source.
3. Configure a managed property.
4. Crawl a content source.
5. Modify a Search Center to support the managed property.
6. Test the managed property and modified Search Center.

Task 1: Add a column to a document library.


Switch to Internet Explorer and browse to http://intranet.contoso.com/sites/IT. Click the Shared Documents link, and then in the Shared Documents document library, add a column named Summary. Edit the properties of the document IT Policies and Procedures for SharePoint 2010 so that its Summary property is Contoso IT Policies and Procedures for SharePoint 2010.

Task 2: Crawl a content source.


Start a full crawl of the content source Local SharePoint sites. Monitor the crawl status until the crawl is complete. Tip: The full crawl takes four to six minutes.

Task 3: Configure a managed property.


In SharePoint 2010 Central Administration, add a new managed property named ContosoSummary mapped to the crawled property ows_Summary(Text). Select the Allow this property to be used in scopes option. Tip: When adding the mapping to the crawled property ows_Summary(Text), select SharePoint from the category list.

Task 4: Crawl a content source.


Start a full crawl of the content source Local SharePoint sites. Tip: The full crawl takes four to six minutes.

Note: Continue to the next task while the crawl proceeds.

Task 5: Modify a Search Center to support the managed property.


Browse to the Search Center http://intranet.contoso.com/sites/IT/Search, and then click Advanced. Edit the Advanced Search Box Web Part. In the properties panel, click the builder button next to the Properties box.

Add the following element inside the <PropertyDefs> element:

    <PropertyDef Name="ContosoSummary" DataType="text" DisplayName="Summary"/>

Add the following element as the last element in the <ResultType DisplayName="All Results" Name="Default"> element:

    <PropertyRef Name="ContosoSummary"/>

After making your changes, click Save & Close.

Task 6: Test the managed property and modified Search Center.


In SharePoint 2010 Central Administration, monitor the crawl status of the Local SharePoint sites content source until the crawl status is Idle. In the Search Center, click Advanced to open the Advanced Search page. Perform a search with the property Summary containing the text Contoso. The file IT Policies and Procedures for SharePoint 2010 is listed as the result.

Results: After this exercise, you should have created a new managed property and customized the advanced Search Center to expose a capability to search with the new property.
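The managed property from Task 3 created from the SharePoint 2010 Management Shell, as an added example that is not part of the courseware. It assumes a single Search service application; the variable names and the type-code table are this example's own, and a full crawl (Task 4) is still needed afterward before the property returns results.

```powershell
# Added example (not courseware code). Run in the SharePoint 2010 Management
# Shell on a farm server, as an account that administers the Search service.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$CrawledName = 'ows_Summary'      # crawled property produced by the Summary column
$ManagedName = 'ContosoSummary'   # managed property name used in the lab

# Numeric codes accepted by -Type; they correspond to the managed property
# types listed under Metadata Properties.
$TypeCode = @{ Text = 1; Integer = 2; Decimal = 3; DateTime = 4; YesNo = 5 }

# Assumption: the farm has one Search service application.
$ssa = Get-SPEnterpriseSearchServiceApplication | Select-Object -First 1
if (-not $ssa) { throw 'No Search service application found.' }

# The crawled property is discovered by the crawler, so it exists only after
# the full crawl in Task 2 has seen a document with the Summary column set.
$crawled = Get-SPEnterpriseSearchMetadataCrawledProperty -SearchApplication $ssa `
               -Name $CrawledName |
           Where-Object { $_.CategoryName -eq 'SharePoint' } |
           Select-Object -First 1
if (-not $crawled) {
    throw "$CrawledName not found. Run a full crawl of Local SharePoint sites first."
}

# Create the managed property once, as Text and usable in scopes
# (the "Allow this property to be used in scopes" option).
$managed = Get-SPEnterpriseSearchMetadataManagedProperty -SearchApplication $ssa |
           Where-Object { $_.Name -eq $ManagedName }
if (-not $managed) {
    $managed = New-SPEnterpriseSearchMetadataManagedProperty -SearchApplication $ssa `
                   -Name $ManagedName -Type $TypeCode.Text -EnabledForScoping $true
}

# Map the crawled property to the managed property unless already mapped.
$existing = Get-SPEnterpriseSearchMetadataMapping -SearchApplication $ssa `
                -ManagedProperty $managed |
            Where-Object { $_.CrawledPropertyName -eq $CrawledName }
if (-not $existing) {
    New-SPEnterpriseSearchMetadataMapping -SearchApplication $ssa `
        -ManagedProperty $managed -CrawledProperty $crawled | Out-Null
}

# Show the resulting mappings so the change can be reviewed before crawling.
Get-SPEnterpriseSearchMetadataMapping -SearchApplication $ssa -ManagedProperty $managed |
    Select-Object CrawledPropertyName, CrawledPropset
```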


Exercise 7: Creating and Configuring a Search Scope


Some teams at Contoso have not moved their files from shared folders to SharePoint document libraries. These teams need to search for their documents in shared folders only so that results from SharePoint sites are filtered out. In this exercise, you create and configure a search scope that narrows a search query to a specific content source. The main tasks for this exercise are as follows:
1. Create a search scope.
2. Configure a search scope rule.
3. Add the custom search scope to a site.
4. Test the custom search scope.

Task 1: Create a search scope.


In SharePoint 2010 Central Administration, click the Scopes link, and then create a search scope named Shared Files.

Task 2: Configure a search scope rule.


Add a scope rule for the Shared Files scope that defines the scope as content from the Shared Folder - Data content source. On the Search Administration page, launch a scope update. On the scopes list, monitor the Update Status of the Shared Files scope until the scope is Ready.

Task 3: Add the custom search scope to a site.


Modify the search settings for the Information Technology Department site collection to enable custom scopes by connecting the site to the Search Center at http://intranet.contoso.com/sites/IT/Search/Pages. Configure the site collection to show the Scopes drop-down. Configure the site collection search scopes to include the Shared Files scope in the Search Dropdown display group.

Task 4: Test the custom search scope.


Browse to the Information Technology home page. Use the search box to search for the keyword sharepoint. Many results are listed, including both documents in the shared folder and items from SharePoint sites. Return to the Information Technology Department Web home page and perform the search again, limiting the scope to Shared Files. The files sharepoint search.txt and sharepoint governance checklist.pdf are listed as the only results.

Results: After this exercise, you should have created a new search scope and added the scope to the Information Technology Department Web.

Do not turn off the virtual machines.


You will use the same virtual machines in the next lab.


Lesson 2

Refining Search

When you refine SharePoint Search in your environment, users have better search results and a more interactive experience when searching for content. This lesson teaches you how to refine Search to improve how it works and how relevant the results are.

Objectives
After completing this lesson, you will be able to:
- Describe the concept of search relevance.
- Use the Refinement panel.
- Understand how to use keywords and Best Bets.
- Eliminate noise words.
- Use the thesaurus.


Relevance

Key Points
Relevance is about how closely the search results returned to the user match what the user wanted to find. Ideally, the results on the first page are the most relevant so that the user does not have to look through several pages of results to find the best matches for the search. Enterprise Search in SharePoint includes a revamped ranking engine developed in collaboration with Microsoft Research. It is specifically tuned for the unique requirements of searching enterprise content. The following factors can affect search rankings:
- Static or dynamic algorithm. Dynamic ranking looks at the properties of the content to decide how relevant it is. Static ranking ignores the metadata and just looks at the content itself, such as file type and language.
- Authoritative pages. Sites that are manually configured to be higher in the search rankings than others.
- Social tagging and ratings. In SharePoint 2010, users can tag certain items or sites that they like so that they can find them quicker the next time. They can also rate items or sites. Both of these actions increase the relevancy of the item.
- Click-through history. The more a search result is clicked, the higher the search ranking for that item.

Overall search results are also security filtered, meaning that if a user does not have access to a document, that document will not show up in the search results.

Additional Reading
Relevance in SharePoint Search at http://go.microsoft.com/fwlink/?LinkID=197057&clcid=0x409

Refinement Panel

Key Points
The Refinement panel is a new feature of SharePoint 2010 Enterprise Search. It allows for multifaceted searching so that users can search for items and receive hundreds of results. Users can filter the results using metadata such as the following:
• File type. For example, Word files, Microsoft Office Excel files, PDFs
• Site. For example, the company intranet, microsoft.com
• Author. For example, Bill, Steve, Nancy
• Modified date.
• Taxonomy. For example, specific keywords

You can link these properties to managed properties in Search Administration, but you must edit the Refinement panel Web Part as well to take advantage of any new properties. Because the Web Part is editable, it is extensible to third-party development.

Keywords and Best Bets

Key Points
Keywords are words that are attached to content to help make it easier for users to find specific content when searching. Best Bets are keywords that raise the search rankings for that content. You add Best Bets to a keyword to mark the items that are most relevant for that keyword. When a portal user types a keyword into the search box, all results for that keyword are displayed prominently in the search results. After you add, edit, or delete a keyword or Best Bet, you must wait until the next scheduled update of the portal content before the Best Bets appear in the search results. Because Best Bet results are rendered in their own Web Part, you can move them around the search page wherever you like. You can also change the Extensible Stylesheet Language Transformations (XSLT) that is used to display the results of the Best Bets.

Noise Words

Key Points
Noise words are words that are disregarded during a search. There is a list of predefined noise words out of the box, including words such as "it", "is", and "a". You can add noise words to the noise word list by adding them to the language file. There are noise lists for each language and a language-neutral list. The file names follow the pattern noise*.txt (for US English, Noiseenu.txt).

When you want to reduce the size of the index, you can add noise words to the noise word files. By adding noise words, you effectively tell the indexer not to add the words to the index. When a noise word is added, it is automatically removed from any search thereafter. There is no need to re-index the content.

Thesaurus

Key Points
You must train SharePoint Search on how some words relate to each other. Out of the box, words such as run and jog are not considered the same. You must build thesaurus files to tell SharePoint how these words interact. This allows users to replace words in a query with other words that they specify or to extend the definition to include other words. A thesaurus file must be built for each language you support in your environment.

Lab B: Tuning SharePoint Search

Scenario
During the testing of the prototype Search Center on the Information Technology Department Web Search Center, users complained that the relevance of results was not accounting for the fact that the most important files are, at this point, the files stored in shared folders. Users also pointed out that searches with specific keywords should yield predefined results that are likely to be most useful, and that certain keywords should be treated as synonyms. Finally, the governance committee added a requirement that you prevent searches using keywords that are frowned on by Contoso's employee ethics policies. You are tasked with refining SharePoint Search to meet these expectations.

Exercise 1: Creating Keywords and Best Bets


In this exercise, you modify query behavior so that, for specific query keywords, suggested results appear at the top of the results list. The main tasks for this exercise are as follows:
1. Create a Best Bet.
2. Test Best Bets.
3. Customize the presentation of Best Bets.
4. Test the customized presentation of Best Bets.

Task 1: Create a Best Bet.


Add a search keyword to the Information Technology Department site collection with the following settings:
• Keyword Phrase: SharePoint
• Best Bet URL: http://sharepoint.microsoft.com
• Best Bet Title: Microsoft SharePoint Server Home Page
• Keyword Definition: Microsoft SharePoint Server is the business collaboration platform for the enterprise and the Internet

Task 2: Test Best Bets.


Browse to the Information Technology home page. Use the search box on the home page to search for the keyword sharepoint. Confirm that the Best Bet that you configured in Task 1 precedes the query-based search results.

Task 3: Customize the presentation of Best Bets.


On the search results page, edit the Search Best Bets Web Part, and in its properties panel, click XSL Editor. The Search Best Bets Web Part properties panel is displayed on the right. Tip: You might need to scroll to the right, and to the top, to see the properties panel. Replace the All_Results/BestBetResults/Result element with the following.
<xsl:template match="All_Results/BestBetResults/Result">
  <xsl:if test="$DisplayBB = 'True'">
    <xsl:if test="position() &lt;= $BBLimit">
      <xsl:variable name="url" select="url"/>
      <xsl:variable name="id" select="id"/>
      These are the results that the Contoso Search Team recommends, based on your query.<br/>
      <xsl:if test="$DisplayTitle = 'True'">
        <span style="padding-right: 4px;">
          <img src="/_layouts/images/star.gif" alt=""/>
        </span>
        <span class="srch-BestBetsTitle">
          <a href="{$url}" id="{concat('BBR_',$id)}">
            <xsl:value-of select="title"/>
          </a>
          <br/>
        </span>
      </xsl:if>
      <xsl:if test="$DisplayDescription = 'True' and description[. != '']">
        <div class="srch-BB-Description">
          <xsl:value-of select="description"/>
          <br/>
        </div>
      </xsl:if>
      <xsl:if test="$DisplayUrl = 'True'">
        <span class="srch-BB-URL">
          <a href="{$url}" id="{concat('BBR_U_',$id)}" dir="ltr">
            <xsl:value-of select="$url"/>
          </a>
        </span>
        <br/>
        <br/>
      </xsl:if>
    </xsl:if>
  </xsl:if>
</xsl:template>

After making your changes to the Web Part, click Save & Close.

Task 4: Test the customized presentation of Best Bets.


Perform a search for the keyword sharepoint. The new text appears in the Best Bet Web Part: These are the results that the Contoso Search Team recommends, based on your query.

Results: After this exercise, you should have created keyword Best Bets and customized the presentation of Best Bets.

Exercise 2: Configuring a Thesaurus


In this exercise, you configure the SharePoint thesaurus file to improve the efficiency of Search by refining the search thesaurus. Keywords are automatically replaced with more accurate synonyms, and keywords are expanded with similar words and phrases. The main tasks for this exercise are as follows:
1. Perform searches with the default thesaurus.
2. Edit a thesaurus file.
3. Restart the Search service.
4. Test Search with the modified thesaurus.

Task 1: Perform searches with the default thesaurus.


In the Search Center, perform searches with the following keywords. Write down the exact number of results that are returned:
• SharePoint
• MOSS
• WSS
• SharePoint Foundation

Tip: If the number of results is reported as an approximate number, page through the results so that you can identify the exact number of results that were returned.

Task 2: Edit a thesaurus file.


Open the file C:\Program Files\Microsoft Office Servers\14.0\Data\Office Server\Applications\GUID-query-0\Config\tsenu.xml in Notepad. Replace the contents with the following text, and then save your changes and close Notepad.

<XML ID="Microsoft Search Thesaurus">
  <thesaurus xmlns="x-schema:tsSchema.xml">
    <diacritics_sensitive>0</diacritics_sensitive>
    <replacement>
      <pat>MOSS</pat>
      <sub>SharePoint</sub>
    </replacement>
    <expansion>
      <sub>WSS</sub>
      <sub>SharePoint Foundation</sub>
    </expansion>
  </thesaurus>
</XML>

Task 3: Restart the Search service.


Run Command Prompt as administrator. Type the following commands.
net stop osearch14
net start osearch14

Task 4: Test Search with the modified thesaurus.


In the Search Center, perform a search for the keyword sharepoint. Record the number of results. Tip: If the number of results is reported as an approximate number, page through the results so that you can identify the exact number of results that were returned.

Perform a search for the keyword MOSS. Verify that the number of results is equal to the number of results returned when you searched for sharepoint. Search results appear because searching for MOSS now produces search results for SharePoint through replacement.

Perform a search for the keyword WSS. Write down the number of results. More results appear than in Task 1 because searching for WSS also returns results for the term SharePoint Foundation because of expansion.

Results: After this exercise, you should have modified the English thesaurus file.
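The replacement and expansion behaviour tested in Task 4, modelled in PowerShell as an added example that is not part of the original courseware. It embeds the thesaurus content from Task 2; the function names Get-ChildText and Resolve-ThesaurusTerm are hypothetical, and comparing the whole query to an entry without regard to case is a simplifying assumption.

```powershell
# Added example, not courseware code. Function names are hypothetical.
# Assumption: the whole query is compared to a thesaurus entry, ignoring case.

# Thesaurus content from Task 2, embedded so the example runs without a SharePoint server.
$thesaurusXml = @'
<XML ID="Microsoft Search Thesaurus">
  <thesaurus xmlns="x-schema:tsSchema.xml">
    <diacritics_sensitive>0</diacritics_sensitive>
    <replacement>
      <pat>MOSS</pat>
      <sub>SharePoint</sub>
    </replacement>
    <expansion>
      <sub>WSS</sub>
      <sub>SharePoint Foundation</sub>
    </expansion>
  </thesaurus>
</XML>
'@

function Get-ChildText {
    param(
        [Parameter(Mandatory = $true)][System.Xml.XmlNode]$Node,
        [Parameter(Mandatory = $true)][string]$Name
    )
    # local-name() sidesteps the x-schema namespace declared on <thesaurus>.
    foreach ($child in $Node.SelectNodes("*[local-name()='$Name']")) {
        $child.InnerText.Trim()
    }
}

function Resolve-ThesaurusTerm {
    param(
        [Parameter(Mandatory = $true)][xml]$Document,
        [Parameter(Mandatory = $true)][string]$Term
    )

    # Replacement: a query that matches <pat> is searched as the <sub> terms only.
    foreach ($set in $Document.SelectNodes("//*[local-name()='replacement']")) {
        $patterns = @(Get-ChildText -Node $set -Name 'pat')
        if ($patterns -contains $Term) {
            return @(Get-ChildText -Node $set -Name 'sub')
        }
    }

    # Expansion: a query that matches any <sub> is searched as every <sub> in the set.
    foreach ($set in $Document.SelectNodes("//*[local-name()='expansion']")) {
        $members = @(Get-ChildText -Node $set -Name 'sub')
        if ($members -contains $Term) {
            return $members
        }
    }

    # No thesaurus entry: the term is searched as typed.
    return @($Term)
}

# Parsing first is a cheap gate: a malformed file fails here, before the service restart.
try {
    $doc = [xml]$thesaurusXml
} catch {
    throw "Thesaurus XML is not well formed: $($_.Exception.Message)"
}

# The four keywords from Task 1, with the terms each one is searched as.
foreach ($query in 'SharePoint', 'MOSS', 'WSS', 'SharePoint Foundation') {
    $searched = @(Resolve-ThesaurusTerm -Document $doc -Term $query)
    '{0,-22} -> {1}' -f $query, ($searched -join ' OR ')
}
```

On the query server, load the contents of tsenu.xml into $thesaurusXml in place of the embedded sample and run the check before restarting the Search service.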

Exercise 3: Configuring Noise Words


In this exercise, you address the concerns of Contoso's governance committee regarding searches for keywords that are considered inappropriate in the workplace based on Contoso's employee ethics policies. The main tasks for this exercise are as follows:
1. Perform a search.
2. Update a noise words file.
3. Restart the Search service.
4. Test the noise word.

Task 1: Perform a search.


Perform a search for the keyword dirty. The announcement "Mud is dirty" is returned as a result.

Task 2: Update a noise words file.


Open the file C:\Program Files\Microsoft Office Servers\14.0\Data\Office Server\Applications\GUID-query-0\Config\noiseenu.txt in Notepad. Add the word dirty to the end of the file on its own line. Save your changes, and then close Notepad.

Task 3: Restart the Search service.


Run Command Prompt as administrator. Type the following commands.
net stop osearch14
net start osearch14

Task 4: Test the noise word.


Perform a search for the keyword dirty. No results are returned.

Note: In a production environment, you should consider re-indexing all content after modifying the noise word file so that the words are removed from the index itself.

Results: After this exercise, you should have added new noise words and validated the behavior of noise words.
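Tasks 2 and 3 of this exercise as a repeatable PowerShell script, added here as an example and not part of the original courseware. Add-NoiseWord is a hypothetical function name, the sample file is constructed, and appending in the file's existing encoding is a precaution rather than a documented requirement.

```powershell
# Added example, not courseware code. Add-NoiseWord is a hypothetical name.
function Add-NoiseWord {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Word,
        [switch]$RestartSearch   # restart OSearch14 (the service from Task 3) after a change
    )

    # .NET file APIs ignore the PowerShell location, so resolve to a full path first.
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Read with byte-order-mark detection so the append uses the file's own encoding.
    $reader = New-Object System.IO.StreamReader($fullPath, $true)
    try {
        $text = $reader.ReadToEnd()
        $encoding = $reader.CurrentEncoding
    } finally {
        $reader.Dispose()
    }

    # One word per line; -contains compares case-insensitively.
    $existing = @($text -split "`r?`n" | ForEach-Object { $_.Trim() })
    if ($existing -contains $Word) {
        return $false   # already listed: no write, no backup, no restart
    }

    # Keep a timestamped copy so the change can be reverted.
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    Copy-Item -LiteralPath $fullPath -Destination "$fullPath.$stamp.bak"

    $writer = New-Object System.IO.StreamWriter($fullPath, $true, $encoding)
    try {
        # Start a new line first if the last entry has no trailing line break.
        if ($text.Length -gt 0 -and -not $text.EndsWith("`n")) { $writer.WriteLine() }
        $writer.WriteLine($Word)
    } finally {
        $writer.Dispose()
    }

    if ($RestartSearch) { Restart-Service -Name 'OSearch14' }
    return $true
}

# Constructed sample file so the example runs without touching a server.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'noiseenu-sample.txt'
Set-Content -LiteralPath $sample -Value 'a', 'is', 'it' -Encoding Unicode

$first  = Add-NoiseWord -Path $sample -Word 'dirty'
$second = Add-NoiseWord -Path $sample -Word 'Dirty'
"first call changed the file: $first"
"second call changed the file: $second"
Get-Content -LiteralPath $sample
```

On the query server, pass the path of noiseenu.txt from Task 2 and add -RestartSearch so the service restarts only when the file actually changed.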

To prepare for the next module.


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog, click Revert.

Module Review and Takeaways

Review Questions
1. How would you design the architecture for your environment?
2. How can reporting be used to better understand your environment and assess needs for changes to the infrastructure?
3. How can you use relevance tuning to give your users a better search experience?

Module 11
Implementing Productivity Service Applications
Contents:
Lesson 1: Implementing Business Connectivity Services
Lesson 2: Configuring Excel Services
Lesson 3: Understanding PerformancePoint Services
Lesson 4: Implementing InfoPath Forms Services
Lesson 5: Implementing Visio Services Features
Lesson 6: Implementing Access Services
Lesson 7: Implementing Office Web Apps
Lab: Implementing Office Web Apps

Module Overview

When discussing Microsoft SharePoint, it is important that you understand you are working with a business platform. SharePoint is an environment that lets you enable different services that act as a gateway to applications and tools that bring business value to the user. SharePoint provides tools you have used and are familiar with in your day-to-day activities. You can configure and enable services that allow access to data that resides in line of business applications such as ERP systems or database environments that host data or the information that's critical for your business. For example, SharePoint can work as a central repository that is connected to your organization's help desk environment to keep track of service tickets. Being able to access information is a great capability that brings information closer to the user and provides services that allow for visualization in a graphical manner rather than in a tabular format. Graphic representations of data are attractive and appealing to the user.

Objectives
After completing this module, you will be able to:
• Describe business connectivity services.
• Configure Excel services.
• Describe PerformancePoint Services.
• Configure InfoPath services.
• Implement Visio services.
• Implement Access services.
• Install Office Web Apps.

Lesson 1

Implementing Business Connectivity Services

Business Connectivity Services (BCS) is the gateway to an interconnected approach to data. You can configure data through a central location that allows you to use, reuse, and modify the data. The capability of using BCS as a means to access information that you can then integrate with the profile elements of SharePoint makes it an important concept to understand.

Objectives
After completing this lesson, you will be able to:
• Describe BCS.
• Configure BCS.
• Describe Business Data Catalog indexing.

Understanding Business Connectivity Services

Key Points
BCS is the new name for what was previously called Business Data Catalog (BDC). BDC still exists and is very much a part of the new BCS functionality. BCS is a set of services and features that provide a way to connect SharePoint solutions to sources of external data and to define external content types that are based on that external data. External content types resemble content types, in the form of using columns to define the information they will hold, and allow the presentation of and interaction with external data in SharePoint lists, known as external lists, and in:
• Web Parts
• Microsoft Office Outlook
• Microsoft SharePoint Workspace 2010
• Microsoft Office Word 2010 clients

External systems that BCS can connect to include:
• Microsoft SQL Server databases
• SAP applications
• Web services, including Windows Communication Foundation Web services
• Custom applications
• Web sites based on SharePoint

By using BCS, you can design and build solutions that extend SharePoint collaboration capabilities and the Office user experience to include external business data and the processes that are associated with that data. Examples of the BCS goals are to:
• Bring external data into SharePoint.
• Provide external data in a central location.
• Extend the reach of enterprise data.
• Enable you to easily create and customize solutions.

Custom Solutions
Using BCS, you can create, read, update, delete, and query (CRUDQ) external systems from a Microsoft Office application or SharePoint site if the external system supports the operations and is appropriately modeled in the BDC service. The core function of BDC is to provide connectivity support to the following types of external systems:
• Databases
• Web/WCF services
• .NET connectivity assemblies
• Custom data sources

Feature: Extensible Provider Model
Description: In addition to connectors for the previous list of data sources provided by BDC, BDC provides a pluggable framework with which developers can plug in connectors for new external system types, thus enabling these new data source types to be accessed via the BDC.

Feature: Batch and Bulk Operation Support
Description: In Office SharePoint Server 2007, BDC supported only single item operations, such as search. BDC now provides batch and bulk operation support, which enables you to read multiple items in a single call, thus reducing round trips to the backend.

Feature: Read Blobs
Description: BDC now supports reading blob data. This is useful for streaming blobs of data from the external system.

Feature: Read and Write-back of Complex Types
Description: BDC now supports dot notation in field names and therefore enables you to read and write complex types.

Feature: Lifecycle Management
Description: Business Connectivity Services provides a set of tools to facilitate creation of models and Office 2010 application artifacts, declaratively and by writing code. You can use Microsoft SharePoint Designer 2010, which can rapidly create composite solutions that meet business unit needs without writing code. You can use Microsoft Visual Studio to create or extend solutions with sophisticated workflows and data that spans structured line-of-business (LOB) systems, unstructured SharePoint applications or Microsoft Office applications, and Web 2.0 services.

Feature: Enhanced API Set and Extensibility
Description: Developers can use the BDC Runtime object model to write generic applications by using the stereotyped APIs as building blocks. Such generic applications are then assured to work against any external system, including those that are preexisting and those that are yet to be built. Developers can also write specific applications that make assumptions about the abstract entity model (the fields exposed by these, and the types of the fields). In addition, with the .NET Assembly Connector, Custom Connector and the pluggable Secure Store Provider, it provides a rich extensibility mechanism for software developers.

Working with External Content Types


One of the main elements that BCS offers is the external content type. External content types are reusable metadata descriptions of connectivity information and data definitions, together with the behaviors you want to apply to external data. External content types are beneficial because you can manage and reuse the metadata and behaviors of a business entity. For example, you can connect to a SQL Server database and extract the structure and data for a customer table.

Note: Entities are analogous to tables in a database environment.

Administering Business Connectivity Services

Key Points
The Business Data Connectivity service is a shared service in SharePoint 2010. It is available in both SharePoint Foundation and SharePoint Server. Important elements that you must understand are:
• For SharePoint Server 2010, services are not contained within a Shared Services Provider (SSP) as they were in Microsoft Office SharePoint Server 2007.
• The infrastructure for hosting services has been transitioned and integrated into SharePoint Foundation 2010.
• You can configure individual services independently with different sets of administrators. This allows for multiple instances of the same service, such as the Business Data Connectivity service.

You can share an instance of the Business Data Connectivity service across server farms. For example, a Business Data Connectivity service can be run in a central farm and accessed from regional locations so that the same solution is available across these locales, and the applied elements are specific to each culture. Within a server farm, you deploy service applications such as the Business Data Connectivity service by one of the following methods:
• Selecting services while running the Farm Configuration Wizard and choosing the Business Data Connectivity service.
• Adding services individually on the Manage Service Applications page in the Central Administration Web site.
• Using Windows PowerShell.

You can administer shared services, such as the Business Data Connectivity service, in isolation. The administrators of a particular instance of a shared service may only have permissions to administer that service instance and are not necessarily able to administer other services or other features in the Central Administration Web site. This feature, called delegated administration, allows administration to be managed by administrators who have expertise in the particular service being administered but who are not members of the central IT organization. Thus, for example, an administrator of a Business Data Connectivity service application in an enterprise might be familiar with the following information:
• The particular external content types being managed by that Business Data Connectivity service application
• The solutions supported by it
• The security implemented on the external data sources that provide the data

The administrator would have permissions to administer those objects but would not have permissions to administer other elements of the SharePoint deployment.

What Can You Administer in the Business Data Connectivity Service?


Using the Business Data Connectivity service, administrators can manage the following types of objects:
• External content types. An external content type is a named set of fields, such as Customer, Order, or Contact, that define an object in a business application along with the methods to create, read, update, or delete that object in its external data source.
• External systems and external system instances. An external system is a supported source of data, such as a Web service, SQL Server database, and other relational databases, that can be modeled by the Microsoft Business Connectivity Services. An instance of an external system includes connection and authentication information for a specific instance of an external data source.
• BDC models and resource files. The Business Data Connectivity service supports two types of XML application definition files: application models and resource files. An application model contains the XML descriptions of one or more external content types.

PowerShell cmdlet: Description

Clear-SPSiteSubscriptionBusinessDataCatalogConfig: Deletes all data from the Business Data Connectivity Metadata Store for a specified partition.
Copy-SPBusinessDataCatalogAclToChildren: Copies a set of permissions of a Business Data Connectivity Metadata Store metadata object to its child objects.
Disable-SPBusinessDataCatalogEntity: Deactivates an external content type in the Business Data Connectivity Metadata Store.
Enable-SPBusinessDataCatalogEntity: Activates an external content type in the Business Data Connectivity Metadata Store.
Export-SPBusinessDataCatalogModel: Exports a Business Data Connectivity Model.
Export-SPSiteSubscriptionBusinessDataCatalogConfig: Exports all data from the Business Data Connectivity Metadata Store associated with a partition.
Get-SPBusinessDataCatalogMetadataObject: Returns a Business Data Connectivity Metadata Store metadata object.
Grant-SPBusinessDataCatalogMetadataObject: Grants a right to a principal for the specified Business Data Connectivity Metadata Store metadata object.
Import-SPBusinessDataCatalogDotNetAssembly: Imports data that is associated with the Business Data Connectivity Metadata Store for a partition.
Import-SPBusinessDataCatalogModel: Imports a Business Data Connectivity Model.
New-SPBusinessDataCatalogServiceApplication: Creates a new Business Data Connectivity service application in the farm.
New-SPBusinessDataCatalogServiceApplicationProxy: Creates a new Business Data Connectivity service application proxy in the farm.
Remove-SPBusinessDataCatalogModel: Deletes a Business Data Connectivity Model.
Revoke-SPBusinessDataCatalogMetadataObject: Revokes a right to a principal in the specified Business Data Connectivity Metadata Store metadata object.
Set-SPBusinessDataCatalogMetadataObject: Sets the value of a property or attribute of a Business Data Connectivity Metadata Store metadata object.
Set-SPBusinessDataCatalogServiceApplication: Sets global properties for a Business Data Connectivity service application in the farm.
Import-SPSiteSubscriptionBusinessDataCatalogConfig: Imports data associated with an exported file that contains all data associated with the Business Data Connectivity Metadata Store for a given partition.
Remove-SPSiteSubscriptionBusinessDataCatalogConfig: Removes the Business Data Connectivity Metadata Store for a partition.

Lesson 2

Configuring Excel Services

Microsoft Office Excel Services in Microsoft SharePoint Server 2010 is a shared service that you can use to publish Microsoft Office Excel workbooks to a SharePoint Server. The published workbooks are available for your users to consume and collaborate on. You can manage and secure any published workbook according to your organizational needs and then share it within your organization. Excel Services extends the value that business intelligence can bring to your organization; you can store data that represents your organization's key business processes, organize that data in a useful manner, and present that data as meaningful information. Knowledge workers can act on that information to increase productivity and to provide feedback that improves underlying business processes.

Objectives
After completing this lesson, you will be able to:
• Describe Excel services.
• Configure Excel services.

Understanding Excel Services

Key Points
Excel Services in Microsoft SharePoint Server 2010 is designed to help you analyze business data and increase business intelligence. Excel Services is a Microsoft SharePoint Server 2010 shared service that you can use to publish Microsoft Excel client workbooks on SharePoint Server. The published workbooks are available throughout your organization for knowledge workers to use. You can secure and manage any published workbook according to your organizational needs and then share it throughout your organization. With business intelligence, you can store data that represents your organization's key business processes, organize that data in a useful manner, and present that data as meaningful information.

Excel Services allows you to use compatible browsers to work with Excel spreadsheets. It accomplishes this with a zero footprint client; you don't have to install any plug-ins in the browsers. This allows heterogeneous platforms to work with Excel workbooks, providing:
• Better symmetry across Excel and Excel Services. The paradigm changed from refusing to open files that contain unsupported features to making a best effort to open any workbook. For features partially supported, either cached values (for example, query tables) are displayed or the user is notified to remove the feature prior to displaying the workbook (for example, Office Art shapes). There is more support for common features such as embedded images, and also for new Excel 2010 features like Sparklines, Slicers, PowerPivot, improved conditional formatting, and improved functions.
• Continued integration with SharePoint. Continued tight integration with SharePoint for security, content management, version control, document-level compliance, data connection management, service administration, as well as integration between Excel Services, PerformancePoint Services, and other BI-related capabilities shipped in SharePoint 2010.
• Improved user experience. It's an Ajax-based service, which means you can refresh elements of a page instead of having every change require a page refresh. New scrolling lets you easily and smoothly navigate through your Excel content.
• Tools for application development. Improvements to the Excel Services Web services, and an introduction of a JavaScript Object Model and a REST API. With these new APIs, both professional developers and end users can build business applications, mash-ups, or just provide an easy way to share Excel content beyond the workbook.
• Unattended service account. Excel Services provides a low privilege unattended service account for users to consume as a single retrieval of data account. Users then can use this as a privileged account in Microsoft Office 2010. Excel Services relies on the Secure Store Service to store the encrypted unattended account. The unattended account credentials are stored or cached as needed per session or connection so that when a workbook is loaded that contains a data connection for the unattended account, this account is called from the Secure Store and used. The Secure Store stores the Excel Services secured data and is present on all SharePoint Server farms. The Secure Store functions regardless of how authentication is configured in a farm.
• Manage Service Applications. The SharePoint Central Administration Web site contains a link to the Manage Service Applications page, which lists all of the services the user has rights to administer. Essentially, all available services for a particular user or role are collected on the Manage Service Applications page. This page allows you to manage the specific service you are using, for example, Excel Services.
• Windows PowerShell. Windows PowerShell is capable of providing a complete Excel Services deployment, as well as the unattended installation and deployment of Microsoft SharePoint 2010 products. Administrators who need to look up trusted locations and user-defined functions are now able to do this by using a single Windows PowerShell key. All Stsadm.exe commands used against Excel Services-specific settings will fail; instead use the SPServiceApplication Windows PowerShell command.
• Trusted Locations. Trusted locations are now provided by default; no administrator action typically is needed. However, if Universal Naming Convention (UNC) types of trusted folders or locations are used with Excel Services, the administrator must create new trusted locations for these.
• Multi-User Collaboration. The multi-user collaborative environment provides multiple users with the ability to edit any workbook simultaneously. (When a user is active, the polling rate is determined by an adaptive algorithm executed on the Excel Calculation Services. All edits are processed in the order in which they are received by the ECS so the last edit overwrites any previous edit to the same workbook cell.)
• Delegate services permissions. SharePoint Server contains a new shared service infrastructure that allows the administrator to delegate permissions to manage other services to users.
• Slicer feature. The Slicer feature is a new type of data filter in Microsoft Excel 2010 that is interactive, flexible in design and layout, and always conveys the current filtering state. With these data filters, more people benefit from the power of analyzing data using PivotTables and OLAP functions. The Slicer feature gives Excel 2010 authors the ability to easily write OLAP data models and build rich, interactive reports around them. The reports can then be published to Excel Services and will display and interact just as they do in the Excel client. The Slicer feature also is parameterized by other Web Parts in BI dashboards. The Slicer feature does manual filtering only and does not provide advanced filtering such as label, date, value, and top-10 types of filtering. The Slicer feature can be connected to multiple PivotTables and act as a common, shared filter so selections made in this Slicer feature are automatically propagated to all PivotTables that are connected to it. Additionally, the Slicer feature can be formatted by applying styles.

New Excel Services Custom Applications


Custom applications are created with user-defined functions (UDFs) and these functions remain available for Excel Services. Excel Services APIs will work with Excel Services and there are a few new APIs. UDFs are common functions that extend the calculation and data-import capabilities of Excel. There are now two additional methods available to build custom applications:

- REST API. The REST API is a client-server software architecture/protocol that defines entities and how to access them. This API uses hyperlinks and is stateless. REST lets the user access entities (ranges, charts) in workbooks using Excel Services through the HTTP protocol and also provides a method for users to set values in these ranges, including single cells.
- ECMAScript (JScript or JavaScript object model). ECMAScript enables syndication, mash-ups, automation of Excel Services, and the extension of Excel Services by third parties. It also provides a subset of Microsoft Office Excel Web Access functionality that lets an administrator or developer insert JavaScript code on a Web page to affect range navigation, cell values, and other grid operations. The ECMAScript mirrors the Excel Services Web Services API functionality; however, it is not a proxy for this API.

Additional Information
Browser compatibility details at http://go.microsoft.com/fwlink/?LinkID=197236&clcid=0x409


Configuring Excel Services

Key Points
Several different settings are configurable from the Service Application management page. Excel Services provides functionality that requires fine tuning depending on the scenario you will be running. Two examples of the different scenarios are accounting data being centrally accessed and high-performing scientific worksheets. Although both scenarios focus on providing numeric meaning to the application they support, their performance values and thresholds may differ based on your requirements.

Several elements of Excel Services can be adjusted and configured:

- Global settings. Defines load balancing, memory, and throttling thresholds to adjust performance. You can also set the unattended service account and data connection timeouts.
- Trusted file locations. Defines the places or libraries where spreadsheets can be loaded from.
- Trusted data providers. Defines the data providers that can be added or removed when refreshing data connections.
- Trusted data connection libraries. Define a SharePoint document library where data connections can be loaded and accessed from.
- User-defined function assemblies. Define custom developed code assemblies that provide functionality and data to be used by spreadsheets.

Windows PowerShell cmdlets


| PowerShell cmdlet | Description |
| --- | --- |
| Get-SPExcelBlockedFileType | Returns a file type or list of file types that are prevented from being loaded. |
| Get-SPExcelDataConnectionLibrary | Returns a trusted data connection library or a list of trusted data connection libraries. |
| Get-SPExcelDataProvider | Returns a safe data provider or a list of safe data providers. |
| Get-SPExcelFileLocation | Returns a trusted file location or a list of trusted file locations. |
| Get-SPExcelServiceApplication | Returns an SPExcelServiceApplication object. |
| Get-SPExcelUserDefinedFunction | Returns a user-defined function or a collection of user-defined functions. |
| New-SPExcelBlockedFileType | Adds a file type to the list of file types that Excel Services Application prevents from being loaded. |
| New-SPExcelDataConnectionLibrary | Adds a new data connection library to Excel Services Application. |
| New-SPExcelDataProvider | Adds a new safe data provider to Excel Services Application. |
| New-SPExcelFileLocation | Adds a new trusted location to Excel Services Application. |
| New-SPExcelServiceApplication | Creates a new instance of Excel Services Application. |
| New-SPExcelUserDefinedFunction | Adds a new user-defined function to Excel Services Application. |
| Remove-SPExcelBlockedFileType | Removes an entry from the list of file types that are prevented from being loaded on Excel Services Application. |
| Remove-SPExcelDataConnectionLibrary | Removes a data connection library from Excel Services Application. |
| Remove-SPExcelDataProvider | Removes a data provider from Excel Services Application. |
| Remove-SPExcelFileLocation | Removes a trusted file location from Excel Services Application. |
| Remove-SPExcelUserDefinedFunction | Removes a user-defined function from Excel Services Application. |
| Set-SPExcelDataConnectionLibrary | Sets properties of a data connection library for Excel Services Application. |
| Set-SPExcelDataProvider | Sets properties of a safe data provider for Excel Services Application. |
| Set-SPExcelFileLocation | Sets properties of a trusted file location for Excel Services Application. |
| Set-SPExcelServiceApplication | Sets global properties for Excel Services Application. |
| Set-SPExcelUserDefinedFunction | Sets properties of a user-defined function in Excel Services Application. |
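The trusted file locations, data connection libraries, data providers and user-defined function assemblies described under Configuring Excel Services decide which workbooks load and what code and data they can reach, so they are worth reviewing after deployment. The following read-only review script is an added example, not part of the course material; the function name is hypothetical, and it assumes the objects returned by the Get-SPExcel* cmdlets expose properties named like the matching New-/Set-SPExcel* parameters (Address, LocationType, IncludeChildren, ExternalDataAllowed, UdfsAllowed).

```powershell
# Added example (not from the course material): read-only review of Excel Services
# trust settings. Run in the SharePoint 2010 Management Shell as a farm administrator.
# Assumption: returned objects expose properties named like the matching
# New-/Set-SPExcel* cmdlet parameters.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Hypothetical helper: one output object per trusted file location, with review notes.
function Get-ExcelTrustedLocationFinding {
    param([Parameter(Mandatory = $true)] $ServiceApplication)

    foreach ($loc in @(Get-SPExcelFileLocation -ExcelServiceApplication $ServiceApplication)) {
        $notes = @()

        # "http://" or "https://" with nothing after it covers every site in the farm.
        if ($loc.Address -match '^https?://$') {
            $notes += 'address covers the whole farm'
        }
        # UNC and HTTP locations are not governed by SharePoint permissions.
        if ("$($loc.LocationType)" -ne 'SharePoint') {
            $notes += "non-SharePoint location type ($($loc.LocationType))"
        }
        if ($loc.IncludeChildren) {
            $notes += 'child libraries and folders are trusted too'
        }
        # DclAndEmbedded lets a workbook carry its own connection definition.
        if ("$($loc.ExternalDataAllowed)" -eq 'DclAndEmbedded') {
            $notes += 'embedded data connections allowed'
        }
        if ($loc.UdfsAllowed) {
            $notes += 'user-defined functions allowed'
        }

        New-Object PSObject -Property @{
            ServiceApplication = $ServiceApplication.DisplayName
            Address            = $loc.Address
            LocationType       = "$($loc.LocationType)"
            ReviewNotes        = ($notes -join '; ')
        }
    }
}

foreach ($app in @(Get-SPExcelServiceApplication)) {
    Get-ExcelTrustedLocationFinding -ServiceApplication $app |
        Select-Object ServiceApplication, Address, LocationType, ReviewNotes |
        Format-Table -AutoSize -Wrap

    # Code and connection sources that workbooks in trusted locations can reach.
    Get-SPExcelUserDefinedFunction -ExcelServiceApplication $app | Format-List
    Get-SPExcelDataConnectionLibrary -ExcelServiceApplication $app | Format-List
    Get-SPExcelDataProvider -ExcelServiceApplication $app | Format-Table -AutoSize
}
```

A location that collects several review notes at once (farm-wide address, children included, embedded connections and UDFs allowed) is the first candidate for replacement with narrower trusted locations.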


Lesson 3:

Understanding PerformancePoint Services

PerformancePoint Services is a business tool that enables you to measure the data complexities of day-to-day performance. By extending the capabilities of understanding business performance, you are able to deliver better results and understand the points your organization needs metrics for by implementing dashboards, reports, and key performance indicators.

Objectives
After completing this lesson, you will be able to:

- Describe PerformancePoint.
- List PerformancePoint features.


PerformancePoint Overview

Key Points
PerformancePoint Services is a performance management service that you can use to monitor and analyze your business. It is an extension of the Business Intelligence process that provides tools your organization can use to determine the gains and losses a business needs to be aware of and informed about. Those tools include key performance indicators, easy-to-read charts, and a central repository in the form of a dashboard.

PerformancePoint Services give you the ability to focus on understanding information that's critical to your business in the form of a scorecard that measures the importance of, for example, sales values and their critical elements when relevant to a geographical location or region. It provides something very similar to a house made of glass: every side you see provides relevant information to the person that has access to that information. For example, a sales manager will likely see the same information a general manager does, but the meaning of that data will be interpreted differently. PerformancePoint Services allow you to set the level of detail behind the information that those relevant roles need to access.

PerformancePoint Services assist organizations in enabling their users to make informed business decisions that match the objectives and strategies your organization has defined. Dashboards, scorecards, KPIs, and reports help drive accountability. Integrated analytics help workers quickly move from monitoring information to analyzing it, and where appropriate, sharing it throughout the organization.

Before PerformancePoint Services became part of Microsoft SharePoint Server 2010, Microsoft Office PerformancePoint Server 2007 was a standalone server. Now the functionality of Microsoft Office PerformancePoint Server 2007 is available as an integrated part of the Office SharePoint Server Enterprise license. PerformancePoint Services retains much of the same features and functionality as its predecessor while including additional benefits, enhancements, and new functionality.


PerformancePoint Features

Key Points
PerformancePoint Services include many new and updated features and functionality.

Platform Integration with SharePoint Products and Technologies


PerformancePoint Services build on the platform of SharePoint 2010 products, providing customers with a more robust deployment, scalability, and performance model. The previous version was built directly on Microsoft Internet Information Services (IIS), and it used a Microsoft SQL Server database. PerformancePoint Services is a SharePoint Server service application that uses SharePoint document libraries and lists to store content. These architectural changes enable PerformancePoint Services to take advantage of SharePoint Server 2010 enterprise features.

Physical Architecture
For information about the physical architecture, see the diagram in Overview of PerformancePoint Services architecture, http://go.microsoft.com/fwlink/?LinkId=235058, which shows the PerformancePoint Services architecture for farm deployment that utilizes three servers.

PerformancePoint Services As a Service Application


In SharePoint Server 2010, services are no longer contained within a Shared Service Provider (SSP). Instead, the infrastructure for hosting services is integrated with Microsoft SharePoint Foundation and the configuration of service offerings is much more flexible. The service application framework is a common service model that provides the following benefits:

- Management Experience. PerformancePoint provides a management experience that supports making multiple changes at once to the security operations for service applications using SharePoint Central Administration.
- Backup and Restore. The benefits presented include being able to perform backups of service applications and restore a site collection's content from sites or individual lists to a point in time.


SharePoint Server 2010 as the Repository


PerformancePoint Services stores data sources and dashboards in document libraries and all other dashboard content in lists. In addition, PerformancePoint Services data security and management is enhanced by the following features:

- Failover and up-time strategies
- Backup and restore strategies
- Disaster-recovery strategies
- Multi-tenancy support for list content
- Enterprise-level, single-security model
- Authentication and authorization schemes
- Trusted locations
- Familiar interface for storing and consuming data

Changes to the Security Model


PerformancePoint Services uses SharePoint Server 2010 to manage user credentials and to secure access to dashboard content and its underlying data sources. The new and changed features of the PerformancePoint Services security model are described in the following list:

- SharePoint 2010 handles user authorization.
- The SharePoint Server 2010 authentication provider authenticates PerformancePoint Services users.
- You can use trusted locations to limit access to PerformancePoint Services content types to specific sites.
- PerformancePoint Services uses the SharePoint Server 2010 security model to set permissions on dashboard content. These permissions provide a level of security that is equivalent to that found in Microsoft Office PerformancePoint Server 2007, but permissions in SharePoint Server 2010 do not map directly to PerformancePoint Monitoring Server 2007 roles and permissions.

New PerformancePoint Services Features


PerformancePoint Services now can utilize SharePoint Server scalability, collaboration, backup and recovery, and disaster recovery capabilities. Dashboards and dashboard items are stored and secured within SharePoint lists and libraries, providing you with a single security and repository framework.

| PowerShell cmdlet | Description |
| --- | --- |
| Clear-SPPerformancePointServiceApplicationTrustedLocation | Clears all the trusted locations for a PerformancePoint Services application identity. |
| Get-SPPerformancePointSecureDataValues | Displays unattended service account settings. |
| Get-SPPerformancePointServiceApplication | Returns a PerformancePoint Service application object and properties. |
| Get-SPPerformancePointServiceApplicationTrustedLocation | Returns a trusted location object and properties for a PerformancePoint Services application. |
| New-SPPerformancePointServiceApplication | Creates a new service application for PerformancePoint Services. |
| New-SPPerformancePointServiceApplicationProxy | Creates a proxy for a PerformancePoint Services application. |
| New-SPPerformancePointServiceApplicationTrustedLocation | Creates a new trusted location for a PerformancePoint Services application. |
| Remove-SPPerformancePointServiceApplication | Deletes a PerformancePoint Services application from a farm. |
| Remove-SPPerformancePointServiceApplicationProxy | Deletes the proxy for a PerformancePoint Services application. |
| Remove-SPPerformancePointServiceApplicationTrustedLocation | Removes a single trusted location from a PerformancePoint Services application. |
| Set-SPPerformancePointSecureDataValues | Sets global settings for the unattended service account. |
| Set-SPPerformancePointServiceApplication | Sets global run-time properties for a PerformancePoint Services application. |


Lesson 4:

Implementing InfoPath Forms Services

InfoPath Forms Services supports the deployment and integration of InfoPath browser forms in SharePoint Server 2010. This enables employees, customers, and business partners of an organization to use forms to standardize, customize, and validate data collection. Forms are often deployed as one element in a business solution that uses a broad functionality of the services and features offered in SharePoint Server.

Objectives
After completing this lesson, you will be able to:

- Describe InfoPath forms.
- Configure the InfoPath forms service.


Understanding InfoPath Forms Services

Key Points
InfoPath Forms Services in Microsoft SharePoint Server 2010 gives you the ability to deploy your organization's forms to Microsoft SharePoint Server and enable users to fill out these forms by using a Web browser. Users can publish form templates to a list or form library in a site collection with InfoPath Forms Services in SharePoint Server 2010, if the form template:

- Contains no business logic.
- Does not require full trust.
- Does not use data connections that are managed by an administrator.

Site collection administrators can also publish user form templates that contain code by using sandboxed solutions. Since user form templates can be deployed by many users, a server can potentially host thousands of user form templates. Even form templates that contain no business logic can cumulatively put a heavy load on the server.

Sandboxed solutions enable users to upload form templates with code or data connections in environments without full trust. Sandboxed solutions make connections and execute code in a limited environment, without needing individual approval by administrators, and they cannot include code that requires full trust, such as impersonating accounts by using administrator-level privileges. The level of trust for sandboxed solutions is configured in advance by the administrator.

InfoPath Forms Services is an ASP.NET 2.0 Web application. It allows users to fill out business forms online and without InfoPath installed on their client machines. It allows control over your forms solutions by providing centralized management of electronic forms for the entire organization.


A form template designer can create browser-enabled forms in InfoPath and deploy them to InfoPath Forms Services (IFS). When publishing InfoPath forms, data validation can be set up as JavaScript so that the forms do not post back to the server for validation on the Web pages. Browser-enabled forms can also be targeted at mobile devices. When modifying or upgrading your forms, IFS will help you to manage the versioning process.


InfoPath Forms Services Configuration Settings

Key Points
When configuring InfoPath Forms Services, you can apply many settings to adjust performance to the needs of your organization. This is achieved by limiting what the forms can do when being published to end users. Configuration options for user form templates include the following:

- Browser-enabled user form templates settings. User form templates, which are form templates that are deployed by non-administrators, can be opened in a browser. Administrators can choose to disable this feature so that only administrator-approved form templates are browser-enabled. They can also configure whether form templates are rendered in the browser. The other option available to access those forms is the InfoPath Filler desktop application.
- Authentication and connection settings. Form templates make data connections by using the default authentication methods and authorization settings for the user account in Windows. Administrators can decide to use data connection files with settings that are specific to InfoPath Forms Services. They can set the time-out and response size settings for connections to user form templates. They can also decide to use the Web Service Proxy to authenticate form template requests.
- User sessions settings. Forms that are being filled out can generate a large amount of transient data. InfoPath Forms Services uses the Microsoft SharePoint Server State Service to store this data so that repeated round trips to and from the form do not repeatedly transfer this data. Administrators configure the precise settings that are used to fill out forms.

Form templates can use data connection (.udcx) files to specify data connection options for forms that are made from those form templates. The Configure InfoPath Forms Services page contains settings for allowing cross-domain data connections and using data connection files for user form templates. You can configure the following settings for authentication and data connections:

- Data connection time-out length and maximum data connection response size.
- Authentication settings for user form templates.
- Cross-domain access for user form templates.


Designers can use custom code to modify the time-out for a data connection, but the maximum time-out value set by the farm administrator cannot be exceeded. When the custom time-out and maximum time-out values differ, the shorter time-out value is always used.

Data connection files that are used by form templates can be stored in a central data connection library in the Central Administration Web site, or in a data connection library on the same site collection as the form template. Data connection files that are stored in the central library are used by administrator-approved forms. Data connection files that are stored on individual site collections can only be used for forms that are based on form templates in that site collection. Data connection files can be packaged and deployed along with form templates as part of solution packages.

Configure User Session Settings for InfoPath Forms Services


InfoPath Forms Services uses the SharePoint Server State Service to store the transient data that is generated while a form is being filled out. As a result, front-end Web servers can remain stateless between round trips, and user session data does not have to be sent repeatedly and consume unnecessary bandwidth. You can configure user session settings including session postback thresholds, time-outs, and session size for InfoPath Forms Services across the entire server farm. If any of the thresholds are exceeded, the user's session is terminated, which results in the loss of all form data, and an error is entered in the event log for the server. The error message that is shown to the user is "session has exceeded the amount of allowable resources." The default parameters work for most scenarios. If you change the default settings, verify that form-filling sessions are working correctly.

By using Windows PowerShell, you can perform many management operations for InfoPath Forms Services. One advantage to this approach is that you can script many common tasks to automate operations that would otherwise require using the user interface to perform each task independently. Form templates are represented in the PowerShell object model by the FormTemplate object. The following cmdlets are available for the FormTemplate object:

- SPInfoPathFormTemplate. You can perform the following operations: Get, Set, Install, Uninstall, Enable, Disable, Test, Start, Stop, and Update.
- SPDataConnectionFileDependent. You can perform the Get operation.

The following is a description of the IFS cmdlets:

- Get-SPInfoPathFormTemplate. Returns an InfoPath form template or the list of form templates if the identity parameter is not specified.
- Set-SPInfoPathFormTemplate. Sets properties of an InfoPath form template. You can use this to change the category for the form template.
- Install-SPInfoPathFormTemplate. Installs an InfoPath form template on a server farm. Installation includes both uploading and upgrading of form templates.
- Uninstall-SPInfoPathFormTemplate. Removes a form template from a server farm.
- Enable-SPInfoPathFormTemplate. Activates a form template to the specified site collection.
- Disable-SPInfoPathFormTemplate. Deactivates a form template from the specified site collection.
- Start-SPInfoPathFormTemplate. Starts an InfoPath form template on a server farm after an upgrade.
- Stop-SPInfoPathFormTemplate. Disables an InfoPath form template on a server farm before an upgrade.
- Update-SPInfoPathFormTemplate. Upgrades all forms templates on the server farm.
- Test-SPInfoPathFormTemplate. Verifies that a form template can be browser-enabled.
- Get-SPDataConnectionFileDependent. Verifies that a form template can be browser-enabled.
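The farm-wide settings discussed in this lesson (browser-enabling of user form templates, cross-domain access, authentication from data connection files, time-outs and session thresholds) can be read back with Get-SPInfoPathFormsService. The following read-only check is an added example, not part of the course material; the baseline values and function names are illustrative, and it assumes the returned object exposes properties named like the Set-SPInfoPathFormsService parameters.

```powershell
# Added example (not from the course material): read-only review of farm-wide
# InfoPath Forms Services settings. Run in the SharePoint 2010 Management Shell.
# Assumption: the object returned by Get-SPInfoPathFormsService exposes properties
# named like the Set-SPInfoPathFormsService parameters used below.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Review baseline picked for this example; adjust it to your own policy.
$baseline = @{
    # Only administrator-approved form templates are browser-enabled.
    AllowUserFormBrowserEnabling             = $false
    # No cross-domain access for user form templates.
    AllowUserFormCrossDomainDataConnections  = $false
    # User form templates do not use authentication information from data connection files.
    AllowUdcAuthenticationForDataConnections = $false
}

# Hypothetical helper: one row per baseline setting with the value found on the farm.
function Compare-InfoPathBaseline {
    param($Service, [hashtable] $Baseline)

    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $actual = $Service.$name
        New-Object PSObject -Property @{
            Setting  = $name
            Expected = $Baseline[$name]
            Actual   = $actual
            Matches  = ("$actual" -eq "$($Baseline[$name])")
        }
    }
}

# Rule stated in the lesson: a designer's custom time-out cannot exceed the farm
# maximum, and when the two values differ the shorter one is used.
function Get-EffectiveTimeout {
    param([int] $Requested, [int] $FarmMaximum)
    [Math]::Min($Requested, $FarmMaximum)
}

$ifs = Get-SPInfoPathFormsService

Compare-InfoPathBaseline -Service $ifs -Baseline $baseline |
    Select-Object Setting, Expected, Actual, Matches |
    Format-Table -AutoSize

# Limits that end a data connection or a form-filling session when exceeded.
$ifs | Select-Object DefaultDataConnectionTimeout, MaxDataConnectionTimeout,
    MaxDataConnectionResponseSize, ActiveSessionTimeout,
    MaxPostbacksPerSession, MaxUserActionsPerPostback | Format-List

# What a form that asks for three times the default time-out would actually get.
$requested = 3 * $ifs.DefaultDataConnectionTimeout
$effective = Get-EffectiveTimeout -Requested $requested -FarmMaximum $ifs.MaxDataConnectionTimeout
"Requested time-out $requested, effective time-out $effective"

if ($ifs.DefaultDataConnectionTimeout -gt $ifs.MaxDataConnectionTimeout) {
    Write-Warning 'Default data connection time-out is larger than the farm maximum.'
}
```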


Lesson 5

Implementing Visio Services Features

Microsoft Visio Services in Microsoft SharePoint Server 2010 is a service application that lets users share and view Microsoft Visio Web drawings. The service also enables data-connected Microsoft Visio 2010 Web drawings to be refreshed and updated from various data sources.

Objectives
After completing this lesson, you will be able to:

- Describe Visio services.
- Configure Visio services.


Overview of Visio Services Features

Key Points
The Visio Services Web Part is a very powerful way to connect your Visio process shapes to other Web Parts on the page. There is also a new site definition called the Visio Process repository site that is a central location for storing your Visio diagrams.

Use and Benefits of Visio Services


Visio Web drawings can be rendered by Visio Services and viewed in a Web browser. Your users can then view Visio documents without having Visio installed on their local computer. Visio Services can also refresh the data and visuals of a Visio Web drawing hosted on a Microsoft SharePoint Server 2010 site. This enables published Web drawings to refresh connections to various data sources and to update affected data graphics and text fields. Visio files can be published to SharePoint Server 2010 using Microsoft Visio Professional 2010 and Microsoft Visio Premium 2010.

Data Sources Supported By Visio Services


Connections to data sources may be refreshed by using Visio Services if they were created by using Microsoft Office Visio 2007 or Visio 2010 data-link technology and published using Visio 2010 publishing functionality. Refreshing data through any other mechanism into a Visio Web drawing will not be supported. The following list represents the data sources with data refresh capabilities.

- SQL Server 7.0
- SQL Server 2000
- SQL Server 2005 (32-bit and 64-bit)
- SQL Server 2008 (32-bit and 64-bit)
- Sheet information that is stored in Excel workbooks published from Microsoft Office Excel 2007 or Microsoft Excel 2010 hosted on the same SharePoint Server 2010 farm
- SharePoint Server lists
- OLE DB or ODBC connections
- Custom Data Providers implemented as .NET Framework assemblies


Configuring the Visio Graphics Service

Key Points
Visio Services provide you with a range of options to work with in order to provide the best performance possible. Performance is a key element that needs to be addressed when configuring Visio Services as it has graphics elements that provide great value to your deployment, but at the same time, it can limit the response time needed based on the volume of users you have considered. You can modify the configurable settings by using Central Administration. The settings are:

- Global settings. Manages settings for performance and security. Settings define the maximum size you can use for a Visio drawing to be rendered and also the maximum amount of time, in minutes, that a drawing will remain on cache.
- Trusted Data Providers. This setting presents you with the capability of adding or removing the data providers (ODBC, OLE DB, or SharePoint lists) that can be used when refreshing or accessing data connections.

| PowerShell cmdlet | Description |
| --- | --- |
| Get-SPVisioExternalData | Returns the settings for external data connections for a Visio Services application. |
| Get-SPVisioPerformance | Returns the Visio Services settings for the performance of a Visio Services application. |
| Get-SPVisioSafeDataProvider | Returns the settings of a safe data provider for a Visio Services application. |
| Get-SPVisioServiceApplication | Returns properties of a Visio Services application or a collection of Visio Services applications. |
| Get-SPVisioServiceApplicationProxy | Returns properties of a Visio Services application proxy or a collection of Visio Services application proxies. |
| New-SPVisioSafeDataProvider | Adds a new data provider to a Visio Services application. |
| New-SPVisioServiceApplication | Adds a new Visio Services application to a farm. |
| New-SPVisioServiceApplicationProxy | Adds a new Visio Services application proxy to a farm. |
| Remove-SPVisioSafeDataProvider | Removes a data provider from a Visio Services application. |
| Set-SPVisioExternalData | Configures settings related to external data connections for a Visio Services application. |
| Set-SPVisioPerformance | Sets performance properties for a Visio Services application. |
| Set-SPVisioSafeDataProvider | Specifies a description of a safe data provider for a Visio Services application. |
| Set-SPVisioServiceApplication | Sets the ServiceApplicationPool property for a Visio Services application. |


Lesson 6:

Implementing Access Services

Access Services is a service application available in SharePoint Server 2010 that allows users to edit, update, and create linked Access 2010 databases that can be viewed and manipulated by using an Internet browser, the Access client, or a linked HTML page.

Objectives
After completing this lesson, you will be able to:

- Describe Access services.
- Publish Access content to SharePoint.


Overview of Access Services

Key Points
Access Services is a service application of Microsoft SharePoint Server 2010 that allows users to edit, update, and create linked Microsoft Office Access 2010 databases that can be viewed and manipulated by using an Internet browser, the Access client, or a linked HTML page. IT professionals and end users can use Access Services to allow the use of Access applications inside a Web browser, to publish and share information across teams, and to create and modify applications where no Access client is available. Access Services allows you to create, edit, and save Access databases in the following ways:

- By allowing access and configuration of a Microsoft SharePoint Server database on any computer that can connect to and has permission to use Access Services on a networked computer running SharePoint Server.
- By allowing the creation, publishing, and sharing of a SharePoint Server Web database from any computer that can connect to and has permission to publish to a computer that is running SharePoint Server and that has Access 2010 installed.
- By allowing the download, modification, and republishing of modified data in an Access Web application from any computer that has Access 2010 installed and can connect to a computer running SharePoint Server.


Publishing Access to SharePoint

Key Points
Access 2010 provides templates that allow for quick creation of powerful applications that can address the needs that your users have for a system that allows interaction with data. The interaction with data can be for data retrieval purposes, or to modify data. While those solutions bring the power to their desktop applications, your users can now publish their Access solution to SharePoint and enable rich functionality that presents a solution in a Web-driven format. Access Database published as:

- Access Database becomes a Site
- Access Tables become Lists
- Access Forms become ASPX Pages
- UI Macros map to JavaScript
- Data Macros to SharePoint Workflows

SQL Server 2008 R2 is required for Access Reports to become RDL files.

Additional Reading
For more information, read Improving the Reach and Manageability of Access 2010 Database Applications with Microsoft Access Services at http://go.microsoft.com/fwlink/?LinkID=197238&clcid=0x409

You can use Windows PowerShell to manage Access Services and to automate management processes.


| PowerShell cmdlet | Description |
| --- | --- |
| Get-SPAccessServiceApplication | Returns an Access Services application or a collection of Access Services applications. |
| New-SPAccessServiceApplication | Creates a new instance of an Access Services application. |
| Set-SPAccessServiceApplication | Sets global properties of an existing Access Services application. |


Lesson 7

Implementing Office Web Apps

Within a SharePoint 2010 environment where Microsoft Office Web Apps have been installed and configured, Office Web Apps give you browser-based viewing and editing of Office documents from anywhere you have a connection to your organization's SharePoint site. If you have Microsoft Office 2010, you can save Word, Excel, PowerPoint, and OneNote documents directly from your Office program to SharePoint. Even if you don't have Office 2010, you can store documents in a SharePoint library and start using Office Web Apps right away. There are two different modes to work with here: one is the capability of reading directly from the browser, and the other is to edit directly from the browser. Each is treated as a different mode. Office Web Apps are a separate download that you can add to the SharePoint Server Enterprise or Standard editions, or to SharePoint Foundation 2010.

Objectives
After completing this lesson, you will be able to:

- Describe Office Web Apps.
- Configure Office Web Apps.


Office Web Apps Features

Key Points
Office Web Apps extend the Microsoft Office programs you already know (Word, PowerPoint, Excel, and OneNote) with the added benefits of anywhere-access and easy sharing. When you click on an Office document that is stored in a SharePoint Library, the document opens directly in your browser. The document looks similar in the browser as it does in the Office program, and Office Web Apps allows you to edit documents in the browser, using the familiar look and feel of Office. Office Web Apps work in some of the most widely used browsers, and are officially supported in Windows Internet Explorer 7 and 8 and Firefox 3.5 for Windows, Mac, and Linux, as well as Safari 4 for the Mac. When you want to make changes beyond what is available in the browser, you can easily open the document in an Office program on your computer, and then save it back to the document library. Office Web Apps make it easier for you to:

- Extend your Office experience on the Web. Use the Office tools you are familiar with, in a Web environment.
- Work anywhere. A browser is all you need to access your documents.
- Work together. Your teammates can work with you on projects regardless of which version of Microsoft Office they have.

To use Office Web Apps in SharePoint, you must have access to a SharePoint 2010 environment where Office Web Apps have been installed and configured. OneNote Web App gives you and your team a centralized place for collecting notes, brainstorming on a topic, or assembling the bits and pieces that will become a formal document. Microsoft PowerPoint Web App extends your Microsoft PowerPoint experience to the Web browser, where you can work with presentations directly on the Web site where the presentation is stored.


PowerPoint Web App is part of Office Web Apps, available in Windows Live SkyDrive and in organizations that have configured Office Web Apps on SharePoint 2010.

Broadcast Slide Show is a new capability in Microsoft Office 2010 that enables presenters to broadcast a slide show from Microsoft PowerPoint 2010 to remote viewers who watch in a Web browser. Broadcast Slide Show provides companies with a low-infrastructure presentation broadcast capability that works through the Web. Two kinds of broadcast services are available:
• PowerPoint Broadcast Service. By default, PowerPoint 2010 provides all presenters with a link to the public PowerPoint Broadcast Service hosted by Microsoft. This service requires presenters to sign in with a Windows Live ID. Presenters who use this service receive a public Internet link that they can share with anyone on the Internet they invite.
• Internal Services. You can host your own broadcast service with Office Web Apps installed on SharePoint 2010 products. You create one or more broadcast services by creating site collections that use the PowerPoint Broadcast site template. You can set permissions for who can use the service through group membership on the site. Up to ten services can be specified.


Configuring Office Web Apps

Key Points
Office Web Apps can be installed in standalone or farm SharePoint 2010 deployments. For both standalone SharePoint servers and SharePoint server farms, deploying Office Web Apps involves three primary phases:
• Running setup and PSConfig. Tasks include running Setup.exe and SharePoint Products and Technologies Post Setup and Configuration Wizard (PSConfig) on a standalone SharePoint server or each server in a SharePoint server farm. Running Setup.exe installs Office Web Apps files and components on a server. Running PSConfig is required as part of Office Web Apps setup in order to register the Office Web Apps services and, depending on the SharePoint installation type, start the service instances, create the service applications and service application proxies, and activate the Office Web Apps feature.
• Activating the Office Web Apps services. Includes starting the service instances, and creating the service applications and service application proxies. Whether you must activate the services depends on the state of SharePoint and whether PSConfig and the SharePoint Farm Configuration Wizard have previously been run.
• Activating the Office Web Apps feature. Includes activating the Office Web Apps feature on all existing SharePoint site collections where the Office Web Apps should be available. If PSConfig or the SharePoint Farm Configuration Wizard has been run before installing Office Web Apps, at least one site collection will exist. The feature will be activated automatically for new site collections created after Office Web Apps is installed.


Lab: Implementing Office Web Apps

Scenario
Contoso's strategic objectives for the year set a target for improved employee productivity. SharePoint 2010's collaboration features are a pivotal component to achieving this objective. One initiative related to this project is to provide Microsoft Office client application functionality to users in a variety of scenarios, including remote users on personal computers that may not have Microsoft Office installed. You have been tasked with installing, configuring, and testing Office Web Apps to improve end user productivity.

Start the virtual machines.


1. Start 10174A-CONTOSO-DC-D.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.


Exercise 1: Installing and Configuring Office Web Apps


In this exercise, you will install and configure Office Web Apps to support end user productivity objectives. The main tasks for this exercise are as follows:
1. Install Office Web Apps.
2. Configure Office Web Apps Service Applications.
3. Assign Office Web Apps Service Application Connections.

Task 1: Install Microsoft Office Web Apps.


• Log on to SP2010-WFE1 as CONTOSO\SP_Admin with password, Pa$$w0rd.
• Open Windows Explorer, and then browse to and double-click D:\Labfiles\Lab11\Setup.exe.
• Install Office Web Apps. For the product key, type BFGMH-8RM8J-JWMCQ-P784Q-F7R2Y.
• After Office Web Apps have installed, run the SharePoint Products Configuration Wizard. When the wizard is complete, SharePoint 2010 Central Administration opens.

Task 2: Configure Office Web Apps service applications.


• In Central Administration, complete the Configure your SharePoint Farm wizard. Accept all default settings, except skip the creation of a site collection.
• Click the System Settings link, and then open the Services on Server page.
• Confirm that the following services are started, and then close Central Administration.
  • PowerPoint Service
  • Excel Calculation Services
  • Word Viewing Service

Task 3: Assign Office Web Apps service application connections.


• Click Application Management, and then on the Service Application Associations page, ensure that both PowerPoint Service Application and Word Viewing Service service application connections are included in the default application proxy group.

Results: After completing this exercise, you should have installed and configured Office Web Apps.


Exercise 2: Configuring and Testing Office Web Apps in a Document Library


In this exercise, you will test the functionality of Office Web Apps. You will configure a document library to open documents in the browser. You will upload a PowerPoint presentation and a Word document to a document library, and then test the viewing and editing experience of the Office Web Apps. The main tasks for this exercise are as follows:
1. Configure documents to open in a browser.
2. Create and upload a PowerPoint presentation.
3. Create and save a Word document.
4. Test Office Web Apps.

Task 1: Configure documents to open in a browser.


• In Internet Explorer, browse to http://intranet.contoso.com/sites/IT.
• Activate the Office Web Apps site collection feature.
• Configure the Shared Documents document library settings to open documents in the browser.

Task 2: Create and upload a PowerPoint presentation.


• Open Microsoft PowerPoint 2010.
• Create the following slides:
  • Title slide layout with the title, Marketing Strategy
  • Title and Content slide layout with the title, Product
  • Title and Content slide layout with the title, Pricing
  • Title and Content slide layout with the title, Packaging
  • Title and Content slide layout with the title, Positioning
• Save the presentation with the name Marketing Strategy.
• In Internet Explorer, open the Shared Documents document library, and upload the Marketing Strategy presentation.

Task 3: Create and save a Word document.


• Open Microsoft Word 2010.
• Type SharePoint Governance Plan and apply the style Heading 1 to the paragraph.
• Click File, and then use the Save & Send command to save the document to the Information Technology Web site's Shared Documents document library with the name, SharePoint Governance Plan.
  Tip: You may experience one or more delays of up to one minute during this step. If you are prompted for credentials, enter the user name, CONTOSO\SP_Admin, and the password, Pa$$w0rd.
• In Internet Explorer, refresh the view of the Shared Documents document library, and then verify that SharePoint Governance Plan appears.

Task 4: Test the functionality of Office Web Apps.


• Open SharePoint Governance Plan. The document opens in the browser in view mode.
• Click Edit in Browser. The document opens in edit mode.
• Save and close the document.


• Open Marketing Strategy. The presentation opens in the browser in view mode.
• Click Edit in Browser. The presentation opens in edit mode.
• Add a new slide after the existing title slide. Apply the Title and Content layout.
• Add the title, Market Demographics, to the slide.
• View the slide show.
• Close the presentation.

Results: After completing this exercise, you should have tested the functionality of Office Web Apps.

To prepare for the next module.


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. What software applications and SharePoint features are available for working with Office files?
2. What are some options to configure Service Applications?


Module 12
Installing and Upgrading to SharePoint 2010
Contents:
Lesson 1: Installing SharePoint Servers and Farms
Lesson 2: Upgrading to SharePoint 2010
Lesson 3: Evaluating Installations and Upgrades
Lesson 4: Configuring SharePoint Operational Settings
Lesson 5: Updating SharePoint
Lab A: Preparing SharePoint 2007 for Upgrade to SharePoint 2010
Lab B: Upgrading SharePoint 2007 to SharePoint 2010


Module Overview

This course introduces you to many of the fundamental concepts of Microsoft SharePoint 2010, as well as the basics of how to perform common activities such as installing SharePoint on a server. This module is designed to take that knowledge and apply it to what may seem to be more complex situations and implementations of SharePoint 2010, but which are also common ways that SharePoint 2010 is used by many organizations. This module covers a wide range of operational activities, such as building SharePoint farms consisting of multiple servers, upgrading SharePoint 2007 installations to SharePoint 2010, ensuring operational stability and utility of your SharePoint farm, and the proper way to keep your environment stable and secure by applying regular updates effectively.

Objectives
After completing this module, you will be able to:
• Install SharePoint servers and farms.
• Upgrade SharePoint 2007 to SharePoint 2010.
• Plan SharePoint installations and upgrades.
• Configure operational settings in SharePoint 2010.
• Update SharePoint.


Lesson 1

Installing SharePoint Servers and Farms

Building a SharePoint farm with multiple servers presents you with far more choices, as well as much more complexity, than does a single-server farm. This lesson introduces the various roles a server can play in a SharePoint farm, common models for deploying servers in a farm, and the actual processes involved in creating a farm with multiple servers.

Objectives
After completing this lesson, you will be able to:
• Describe SharePoint server roles.
• Describe SharePoint server topologies.
• Build a SharePoint farm consisting of multiple servers.
• Script the farm-building process.
• Build a farm that supports multiple languages.
• Slipstream updates into the SharePoint installation hierarchy.


SharePoint Server Roles

Key Points
SharePoint 2010 can meet the needs and constraints of a broad range of use cases. It serves small teams of five or fewer users, and the largest enterprises use it as well. It enables collaboration, makes information more discoverable, serves anonymous content to millions of users over the Internet, or does all three at once. To enable this flexibility and complexity, SharePoint assigns servers in a farm various roles that dictate the specific functions and features each server contributes to the overall environment. You can assign multiple roles to a single server, and multiple servers in a farm can have the same role assigned. The SharePoint 2010 server roles are the following:
• SharePoint Foundation Web Application Server
• Application Server
• Query Server (Search)
• Crawl Server (Search)
• Service Application Server
• SQL Server


SharePoint Server Topologies

Key Points
You can consolidate SharePoint server roles on a single server or spread the roles across multiple servers. When moving from one to two servers in a farm, you should always move Microsoft SQL Server to its own server first. Some topologies require additional configuration, such as the creation of a failover cluster for SQL Server, or additional hardware, such as a load-balancing device for Web servers. You typically separate farms with three or more servers into three tiers, according to server roles:
• The Web Tier contains servers assigned the Microsoft SharePoint Foundation Web Application Server role. Servers with this role are also known as Web front ends (WFEs). These are the servers responsible for serving content to end users over SharePoint Web pages and Web services.
• The Application Tier contains servers assigned the Search Crawl role, the Search Query role, and servers hosting the farm's service applications. The servers in this tier host services such as Search, PerformancePoint Services, Microsoft Office Excel Calculation Services, and other services consumed by the farm's users through SharePoint.
• The SQL Server Tier contains servers hosting the farm's SQL Server instance or instances. The servers in this tier host the farm's databases in SQL Server.

Every server farm configuration is unique. You must consider your specific requirements, resources, and constraints when designing your SharePoint 2010 farm.


Building a Multiple-Server Farm

Key Points
Before building a multiple-server SharePoint farm, identify the server that should host the SharePoint Central Administration Web site; it should be the first server in the farm. Run the SharePoint 2010 installation application to begin installing the platform on the server hosting the Central Administration Web site. Run the SharePoint 2010 Prerequisite Installer on the server. When installing SharePoint, select the Complete Install option.

Create the farm using the SharePoint 2010 Products and Technologies Configuration Wizard before installing SharePoint 2010 on any other servers in the farm. Follow the steps listed previously to install SharePoint on each of the other servers in the farm, and then join each server to the new farm. Once they are joined to the farm, use the Central Administration site or the SharePoint 2010 Windows PowerShell cmdlets to provision the proper service applications on each new server and apply the desired server role (or roles) to it.


Scripting the Build Process

Key Points
By scripting the build process for a farm, you can automate the installation of SharePoint on a server and the creation of your SharePoint farm itself. Scripting the build process ensures that your deployment process is consistent and accurate in its activities. You should script the Microsoft SharePoint Products Preparation Tool (PrerequisiteInstaller.exe) using command-line switches that can, alternatively, be placed in a file called PrerequisiteInstallerArguments.txt.

Note: Switches are documented in the command Help: type PrerequisiteInstaller.exe /?.

You must also create an installation configuration file to ensure that SharePoint 2010 is properly installed on your server by the script. To extract an example Config.xml file from the installation media, complete the following steps:
1. Open a command prompt on a computer storing the SharePoint installation media and navigate to the directory containing it.
2. Run the following command:
   Officeserver.exe /extract:C:\SPInstallation
3. In Windows Explorer, open the C:\SPInstallation\files\setup directory and make a copy of the Config.xml file.
4. Open the copied Config.xml file with Notepad.exe and make the following edits:
   a. Provide your product key in the PIDKEY node.
   b. Set the SERVERROLE node to APPLICATION.
5. Your build script should, at a minimum, perform the following actions:
   a. Run PrerequisiteInstaller.exe to automate the installation of the software required to install SharePoint 2010.
   b. Call the installer's Setup.exe with your custom Config.xml file to install SharePoint 2010 on the server.
   c. Build the farm using SharePoint 2010 Windows PowerShell cmdlets.
   d. Install SharePoint on additional servers and join them to the farm (this can be done by using a separate script if desired).


Scripting the Farm: Key Windows PowerShell Cmdlets

Key Points
After you have installed SharePoint 2010 on the first server in your farm, your script must call several key SharePoint 2010 cmdlets to begin the process of actually building your farm, which is the equivalent of running the SharePoint 2010 Products and Technologies Configuration Wizard during a manual build. To build a farm, your script must run the following cmdlets:
• New-SPConfigurationDatabase. Creates the farm's configuration and Central Administration site content databases
• Install-SPHelpCollection. Installs the SharePoint Help files on the server
• Initialize-SPResourceSecurity. Secures SharePoint files and registry entries on the server
• Install-SPService. Installs and provisions SharePoint services in the farm
• Install-SPFeature. Installs the features on the server; use the -AllExistingFeatures switch
• New-SPCentralAdministration. Creates the Central Administration site
• Install-SPApplicationContent. Installs the application content

Note: Use the Windows PowerShell Get-Help cmdlet to review the functionality and requirements of each cmdlet before implementing it in your script.

To add a new SharePoint 2010 server to an existing farm, your script must run the following cmdlets:
• Connect-SPConfigurationDatabase. Connects the server to the farm's configuration database
• Install-SPHelpCollection, Initialize-SPResourceSecurity, Install-SPService, Install-SPFeature, and Install-SPApplicationContent. Same usage as described previously


When you have joined a server to a farm, calling the Get-SPFarm cmdlet to select the servers in the farm should return a result if the process was successful. If it does not, review the SharePoint log files to troubleshoot the problem.
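
The cmdlet sequence described above, written out as a build script. This is an added example, not part of the course material; the database names, the Central Administration port, and the NTLM provider are assumed values. The farm account and the passphrase are prompted for at run time so that no secret is stored in the script file.

```powershell
# Added example: create the first server of a farm, or join another server to it.
# Run from an elevated prompt on a server where SharePoint 2010 Setup has completed.
param(
    [Parameter(Mandatory = $true)]
    [string] $DatabaseServer,                                   # SQL Server instance or alias
    [string] $ConfigDatabase       = 'SharePoint_Config',       # assumed database name
    [string] $AdminContentDatabase = 'SharePoint_AdminContent', # assumed database name
    [int]    $CentralAdminPort     = 2010,                      # assumed port
    [switch] $JoinExistingFarm                                  # set on every server after the first
)

$ErrorActionPreference = 'Stop'   # abort the build at the first failed step

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin -Name Microsoft.SharePoint.PowerShell
}

# The passphrase is needed again for every server that joins the farm.
# Read it as a SecureString instead of embedding it in the script.
$passphrase = Read-Host -Prompt 'Farm passphrase' -AsSecureString

if ($JoinExistingFarm) {
    # Additional server: connect to the configuration database that already exists.
    Connect-SPConfigurationDatabase -DatabaseName $ConfigDatabase `
        -DatabaseServer $DatabaseServer -Passphrase $passphrase
}
else {
    # First server: create the configuration and Central Administration content databases.
    Write-Host 'Enter the credentials of the farm account.'
    $farmAccount = Get-Credential
    New-SPConfigurationDatabase -DatabaseName $ConfigDatabase `
        -DatabaseServer $DatabaseServer `
        -AdministrationContentDatabaseName $AdminContentDatabase `
        -Passphrase $passphrase -FarmCredentials $farmAccount
}

# Steps common to the first server and to joined servers.
Install-SPHelpCollection -All
Initialize-SPResourceSecurity      # applies the file system and registry ACLs
Install-SPService
Install-SPFeature -AllExistingFeatures

if (-not $JoinExistingFarm) {
    New-SPCentralAdministration -Port $CentralAdminPort -WindowsAuthProvider 'NTLM'
}

Install-SPApplicationContent

# Verification: Get-SPFarm must return the farm, and this server must be listed in it.
$servers = @((Get-SPFarm).Servers | Select-Object -Property Name, Role)
if (-not ($servers | Where-Object { $_.Name -eq $env:COMPUTERNAME })) {
    throw "This server is not listed in the farm. Review the SharePoint log files."
}
$servers | Format-Table -AutoSize
```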


Building a Multiple-Language Farm

Key Points
On all Web servers in the farm, install the system language files in the Windows Server 2008 operating system by using Regional and Language Options in Control Panel. Install the language files only for the language packs you plan to implement in your SharePoint farm.
• East Asian languages include Chinese, Japanese, and Korean.
• Complex script and right-to-left-oriented languages include Arabic, Armenian, Georgian, Hebrew, the Indic languages, Thai, and Vietnamese.

Install the SharePoint 2010 language packs you plan to implement on each Web server in the farm. After each language pack is installed, run the SharePoint 2010 Products and Technologies Configuration Wizard on each server.

Note: Do not run the wizard in parallel on multiple servers.


Slipstreaming Updates Before Installation

Key Points
Microsoft publishes updates to SharePoint 2010 software, and you should ensure that your farm is up-to-date. Updates are covered in full in Lesson 5, Updating SharePoint. However, to integrate updates before installation, you should consider using the slipstreaming technique. To slipstream an update means to incorporate the update into your SharePoint installation medium, either on a disk or in a shared network location. This places the update into the UPDATES folder within the hierarchy. When you perform an installation, updates in that folder are automatically applied immediately after the SharePoint binaries are installed. In this way, you avoid the need for a separate update operation, as described in Lesson 5. To slipstream an update, first copy the installation disk to a writable location, such as a shared network folder. Then, use the /extract option on the update's executable file. For Service Pack 1, for example, use the following command.
sharepointfoundation2010sp1-kb2460058-x64-fullfile-en-us.exe /extract:D:\SP2010\installfolder\EN\UPDATES

For the June 2010 Cumulative Update, the command is as follows.


officeserver2010sp1-kb2460045-x64-fullfile-en-us.exe /extract:D:\SP2010\installfolder\EN\UPDATES


Lesson 2

Upgrading to SharePoint 2010

Many organizations with existing SharePoint 2007 environments are likely to plan an upgrade to SharePoint 2010; your organization may be one of them. The upgrade process has flexibility built in to give you options that fit your organization's capabilities and resources, as well as the ability to grant site owners control over upgrades to their individual sites.

Objectives
After completing this lesson, you will be able to:
• Determine the prerequisite steps to perform prior to upgrading.
• Perform an in-place upgrade.
• Perform a database attach upgrade.
• Perform a visual upgrade.
• Complete the upgrade process.
• Upgrade a farm that supports multiple languages.


Preparing to Upgrade

Key Points
To upgrade to SharePoint 2010 successfully, your farm must meet Microsoft-defined prerequisites to qualify for an upgrade. Several tools are available to evaluate the current state of a SharePoint 2007 farm and its readiness to be upgraded to SharePoint 2010:
• SharePoint 2007 Service Pack 2 introduced a new STSADM operation, PreUpgradeCheck, which you can run to evaluate whether your farm meets the prerequisites set by Microsoft and can be upgraded. PreUpgradeCheck generates an HTML report, and you can run the operation multiple times to evaluate the progress of your preparations.
  Note: Improvements were added for the PreUpgradeCheck operation in the October 2009 SharePoint Cumulative Update (CU) packages. It is recommended that you apply this update prior to using the operation to test the farm and upgrade it.
• SharePoint 2007 Service Pack 2 and October 2009 CU also added and enhanced another important STSADM operation: EnumAllWebs. Use this operation to identify any orphaned sites in your environment, which must be repaired or deleted prior to an upgrade.
• The SharePoint 2010 Test-SPContentDatabase cmdlet can be used with SharePoint 2007 content databases to evaluate their readiness for upgrade to a new farm. It identifies missing customizations and files, which is especially important for database attach upgrades (described later).
• SPDiag version 2 (included in the SharePoint Administration Toolkit 4.0) gathers a great deal of important and useful data about your SharePoint 2007 farm. Run it prior to an upgrade as an additional way to identify any possible issues or errors that may exist in the farm and present a risk to a successful upgrade to SharePoint 2010.

Two types of upgrades are available to move a SharePoint 2007 farm to SharePoint 2010:
• The in-place upgrade uses the resources of your existing farm and upgrades them to SharePoint 2010.
• The database attach upgrade requires additional hardware on which to build a new SharePoint 2010 farm. Your SharePoint 2007 content databases are moved to the new farm and upgraded to SharePoint 2010.

Test the upgrade process thoroughly before doing it in a production environment. Make a point to document in detail each step necessary to complete the process, identify required information and components, and determine how long the upgrade takes to complete.


The SharePoint 2010 In-Place Upgrade

Key Points
An in-place upgrade takes a SharePoint 2007 farm's binaries and database and upgrades them to SharePoint 2010 functionality and settings. As long as your existing farm meets the SharePoint 2010 hardware and software requirements, it can be upgraded without the purchase of new assets. Another benefit of the in-place upgrade is that it is designed to allow failed upgrades or upgrades with errors to be restarted at the point of failure, so that you do not have to repeat successful steps in each successive attempt. It also offers deep and informative error reporting and logging capabilities to give you better insight into the upgrade process.

However, the in-place upgrade is often not the best solution for upgrading to SharePoint 2010. For large farm deployments of SharePoint 2007, the database attach upgrade offers a much better possibility of success because it greatly reduces the complexity, scope, and delivery time of the upgrade. If your hardware is not up-to-date or is marginal for meeting SharePoint 2010 base requirements, you are most likely better off procuring new hardware and using the database attach upgrade to move your farm's contents over to a new SharePoint 2010 farm.

Because it uses your farm's existing servers and infrastructure, the in-place upgrade does require that the farm be unavailable to users during the upgrade, and it takes more time to complete because it updates a single server at a time. It is also an all-or-nothing activity: once the upgrade process starts, you cannot reverse it; the farm cannot be reset to SharePoint 2007 without a complete rebuild. Prior to beginning an in-place upgrade, review the available disk space on each server in your farm. The upgrade process requires considerable storage to hold its files, logs, and output.


Performing an In-Place Upgrade

Key Points
Prior to executing the upgrade in a production environment, it is important to test the process in a staging or testing environment set up to mirror the content and configuration of your production farm. Testing is an important part of the upgrade process because it gives you valuable information about which items in your farm need updating or fixing prior to the upgrade, identifies steps that may have been omitted during planning, and helps with estimating the amount of time it takes to complete the upgrade. Understanding how your environment's configuration and content should be upgraded before you start the upgrade process greatly increases your chances for success. Consider using server virtualization for your test environment; it can help lower costs and be easily reset to a starting point for multiple tests.

To upgrade, complete the following steps:
1. Run the SharePoint 2010 Installer to update the SharePoint binaries installed on the targeted server in your farm to SharePoint 2010.
2. Run the SharePoint 2010 Products and Technologies Wizard to update the farm's databases to SharePoint 2010 and the server's records in the configuration database.
3. Repeat steps 1 and 2 individually for each server in the farm.
4. You can perform a visual upgrade to upgrade the farm's site collections and sites to the SharePoint 2010 user experience, or you can postpone this if you find issues or errors when previewing the visual upgrade.
5. Do not allow users entry until the entire farm has been reviewed and validated as functional and properly upgraded.


The SharePoint 2010 Database Attach Upgrade

Key Points
The database attach upgrade is designed to migrate the contents of a SharePoint 2007 farm and upgrade them to SharePoint 2010 by adding them to a new SharePoint 2010 farm. Database attach upgrades allow for content to be moved from SharePoint 2007 to SharePoint 2010 gradually (a content database at a time) as well as in parallel, which can also help to reduce or eliminate downtime required for the upgrade process. It does, on the other hand, require separate hardware and software because the existing SharePoint 2007 environment is not used for the SharePoint 2010 farm, and additional work is necessary to configure the new environment to meet the same specifications as the original. Because a new farm is used to host the content, you may need to update URLs in the SharePoint farm as well as URLs pointing to it to avoid broken links. Finally, it is important to remember that the database attach upgrade method only migrates the content of your SharePoint 2007 environment to SharePoint 2010; no configuration settings or customizations are included in the upgrade.


Performing a Database Attach Upgrade

Key Points
Like the in-place upgrade, effective and thorough testing plays an important role in a successful database attach upgrade. You can use two methods to test the upgrade throughout the process; both should be considered to provide the best opportunity for a successful upgrade:
• Using a test environment to verify that content databases can be successfully attached to the new farm and upgraded to SharePoint 2010
• The Test-SPContentDatabase SharePoint 2010 Windows PowerShell cmdlet, which tests the targeted content database to identify potential issues, such as the following:
  • Orphaned sites
  • Missing customizations (including site definitions, features, templates, and assemblies)

To begin the upgrade, you must construct a new SharePoint 2010 farm. When the target SharePoint 2010 farm is built, deploy to it any customizations used by the sites in the SharePoint 2007 content databases to be upgraded, as well as applicable configuration settings made in the SharePoint 2007 farm, if they are compatible. To perform a database attach upgrade, complete the following steps:
1. Copy the content database backups to the SharePoint 2010 farm's SQL Server instance and attach them to the instance.
2. To perform the upgrade, attach the content databases to the SharePoint 2010 farm using the Mount-SPContentDatabase cmdlet.
3. You can perform visual upgrades to upgrade the farm's site collections and sites to the SharePoint 2010 user experience, or you can postpone this if you find issues or errors when previewing the visual upgrade.
4. If desired, you can migrate the SharePoint 2007 farm's user profiles to the SharePoint 2010 farm by attaching the SharePoint 2007 farm's shared services provider (SSP) database to the SharePoint 2010 farm with Mount-SPContentDatabase.
   Note: This is the only aspect of a SharePoint 2007 SSP database that can be migrated to SharePoint 2010 using the database attach upgrade method.
5. Review and validate the new SharePoint 2010 environment.
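
One way to combine the Test-SPContentDatabase check with step 2, so that a database is mounted only after its report has been reviewed. This is an added example, not part of the course material; the report path and the -AllowNonBlocking switch are assumptions of this sketch.

```powershell
# Added example: gate Mount-SPContentDatabase on the Test-SPContentDatabase report.
# Run on a server in the new SharePoint 2010 farm after the database has been
# restored to the farm's SQL Server instance (step 1).
param(
    [Parameter(Mandatory = $true)] [string] $ContentDatabase,    # restored SharePoint 2007 content database
    [Parameter(Mandatory = $true)] [string] $DatabaseServer,     # SQL Server instance of the 2010 farm
    [Parameter(Mandatory = $true)] [string] $WebApplicationUrl,  # target SharePoint 2010 Web application
    [string] $ReportPath = ".\${ContentDatabase}-precheck.csv",  # assumed report location
    [switch] $AllowNonBlocking                                   # hypothetical switch: proceed despite non-blocking errors
)

$ErrorActionPreference = 'Stop'

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin -Name Microsoft.SharePoint.PowerShell
}

# Test-SPContentDatabase only reads the database; it changes nothing.
$issues = @(Test-SPContentDatabase -Name $ContentDatabase `
        -ServerInstance $DatabaseServer -WebApplication $WebApplicationUrl)

if ($issues.Count -gt 0) {
    # Keep the full report (orphaned sites, missing features, templates, assemblies)
    # so that the remediation work can be tracked between test runs.
    $issues |
        Select-Object -Property Category, Error, UpgradeBlocking, Message, Remedy |
        Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "$($issues.Count) issue(s) written to $ReportPath"
}

$blocking    = @($issues | Where-Object { $_.UpgradeBlocking })
$nonBlocking = @($issues | Where-Object { $_.Error -and -not $_.UpgradeBlocking })

if ($blocking.Count -gt 0) {
    throw "$($blocking.Count) upgrade-blocking issue(s) found. Database not mounted."
}
if ($nonBlocking.Count -gt 0 -and -not $AllowNonBlocking) {
    throw "$($nonBlocking.Count) non-blocking error(s) found. Deploy the missing customizations, or rerun with -AllowNonBlocking."
}

# Attaching the database to the Web application starts the upgrade.
Mount-SPContentDatabase -Name $ContentDatabase `
    -DatabaseServer $DatabaseServer -WebApplication $WebApplicationUrl

# NeedsUpgrade should be False once the upgrade has completed successfully.
Get-SPContentDatabase -Identity $ContentDatabase |
    Select-Object -Property Name, NeedsUpgrade, CurrentSiteCount
```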


The SharePoint 2010 Visual Upgrade

Key Points
After completing an in-place or database attach upgrade, the SharePoint 2010 farm's site collections and their Webs, or subsites, still have the SharePoint 2007 user interface (UI). The UI, the SharePoint master pages, and Cascading Style Sheets (CSS) must be upgraded separately using a visual upgrade. The visual upgrade options for site administrators are the following:
• Keep the previous interface.
• Preview the site with the SharePoint 2010 UI.
• Update the site to the SharePoint UI.

Farm administrators can also update the UI of all site collections in the farm using the SharePoint 2010 object model and Windows PowerShell.


Performing a Visual Upgrade

Key Points
By previewing the visual upgrade using the site's Site Actions menu, site administrators can save their users from dealing with upgrade errors:
• If there are issues, they can be resolved before committing the upgrade.
• Updating the user interface using the Site Actions menu finalizes the visual upgrade and cannot be rolled back, so site administrators should preview it at least once.

Farm administrators can batch visual upgrades of multiple site collections with Windows PowerShell and the SharePoint 2010 object model:
• This method allows for the mass update of a large number of site collections quickly and effectively.
• This method does not offer preview or rollback options, but farm administrators can change back the settings using the same process.
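One way to script the batch visual upgrade through the object model, including the "change back" case, is shown here. This is an added example, not code from the courseware; the function name and the Web application URL in the usage comments are hypothetical, and the script assumes the SharePoint 2010 Management Shell.

```powershell
# Added example, not part of the courseware.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-WebApplicationUIVersion {
    param(
        [Parameter(Mandatory = $true)][string]$WebApplicationUrl,
        # 3 = SharePoint 2007 UI, 4 = SharePoint 2010 UI
        [ValidateSet(3, 4)][int]$UIVersion = 4,
        # Report what would change without writing anything.
        [switch]$ReportOnly
    )

    foreach ($site in Get-SPSite -WebApplication $WebApplicationUrl -Limit All) {
        try {
            foreach ($web in $site.AllWebs) {
                try {
                    # Emit the previous state so that the run can be reviewed
                    # or used later as the input for changing sites back.
                    New-Object PSObject -Property @{
                        Url    = $web.Url
                        Before = $web.UIVersion
                        After  = $UIVersion
                    }

                    if (-not $ReportOnly -and $web.UIVersion -ne $UIVersion) {
                        $web.UIVersion = $UIVersion
                        # Leave the visual upgrade options visible to site
                        # administrators only while the site is on the old UI.
                        $web.UIVersionConfigurationEnabled = ($UIVersion -eq 3)
                        $web.Update()
                    }
                }
                finally { $web.Dispose() }
            }
        }
        finally { $site.Dispose() }
    }
}

# Usage (hypothetical URL): record the current state first, then apply.
# Set-WebApplicationUIVersion -WebApplicationUrl 'http://intranet.contoso.com' -ReportOnly |
#     Export-Csv (Join-Path $env:TEMP 'ui-version-before.csv') -NoTypeInformation
# Set-WebApplicationUIVersion -WebApplicationUrl 'http://intranet.contoso.com' -UIVersion 4
# Change the settings back with the same process:
# Set-WebApplicationUIVersion -WebApplicationUrl 'http://intranet.contoso.com' -UIVersion 3
```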


Completing the Upgrade

Key Points
When you have finished the selected type of upgrade, you may still have several tasks to do before the upgrade is complete. You should not consider your farm open for end users until these, or any similar steps you may define for your specific environment, are completed so that users are presented with a stable and feature-complete SharePoint environment to work in. Your farm's service applications may require the following:
• Configure new services and service applications (in-place upgrades only).
• Update user profiles with new taxonomy and social data.
• Set up the Secure Store service and migrate single sign-on (SSO) data (database attach upgrades only).
• Update Business Data Catalog components for compatibility with Business Connectivity Services (database attach upgrades only).

Farm administrators are granted permissions to all services using the database attach upgrade. If you follow the practice of assigning the least privilege required, make sure to restrict this after the upgrade.
• Update InfoPath form template links (database attach upgrades only).
• If the migrated applications use forms-based authentication (FBA), they must be updated to use claims-based authentication (CBA) because SharePoint 2010 now requires that CBA be enabled to use FBA.
• Validate the upgrade one last time to ensure that the upgrade is completely finished and the farm can be opened for use.
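To support the least-privilege review mentioned above, the administrators list of every service application can be exported and compared with the accounts you expect to see. This is an added example, not part of the courseware; the allow-list entry and the function name are hypothetical, and the script assumes the SharePoint 2010 Management Shell.

```powershell
# Added example, not part of the courseware.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed allow-list: accounts that are expected to administer service applications.
$expectedAdmins = @('contoso\sp_admin')

function Get-ServiceApplicationAdminReport {
    param([string[]]$Expected = @())

    foreach ($sa in Get-SPServiceApplication) {
        try {
            # -Admin returns the administrators ACL rather than the permissions ACL.
            $security = Get-SPServiceApplicationSecurity -Identity $sa -Admin -ErrorAction Stop
        }
        catch {
            # Not every service application exposes an administrators list.
            continue
        }

        foreach ($rule in $security.AccessRules) {
            # Rule names are claim-encoded (for example i:0#.w|contoso\user);
            # compare on the part after the last "|".
            $account = $rule.Name.Split('|')[-1]
            New-Object PSObject -Property @{
                ServiceApplication = $sa.DisplayName
                Principal          = $rule.Name
                Expected           = ($Expected -contains $account)
            }
        }
    }
}

# Review everything, then focus on entries that are not on the allow-list.
$report = @(Get-ServiceApplicationAdminReport -Expected $expectedAdmins)
$report | Sort-Object ServiceApplication |
    Format-Table ServiceApplication, Principal, Expected -AutoSize
$report | Where-Object { -not $_.Expected } |
    Export-Csv (Join-Path $env:TEMP 'service-app-admins-to-review.csv') -NoTypeInformation
```

Entries that should not remain can be removed with Revoke-SPObjectSecurity followed by Set-SPServiceApplicationSecurity with the -Admin switch; run the report again afterward to confirm the result.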


Upgrading a Multiple-Language Farm

Key Points
If your SharePoint 2007 farm had a certain language pack deployed to it, you must deploy a SharePoint 2010 version of the language pack to your new farm.

If you need to change a site's language, do not do it before the upgrade; wait until it is safely in a SharePoint 2010 farm. It is better to move the site into SharePoint 2010 while it is in a known and stable state, rather than attempt to update it with a new language. That way, if changes need to be made to a site's UI or content for the new language, you have to do them only once in SharePoint 2010 rather than in both SharePoint 2007 and SharePoint 2010.

If you need to change the language used on a server in the farm, implement the new language's files and language pack on a new SharePoint 2010 farm. Then, use the database attach upgrade to bring the new content database into the new farm, upgrading its database and its language all at once.


Lesson 3

Evaluating Installations and Upgrades

In information technology administration, just like in life in general, things rarely go as you may have planned. No matter how much you test your installation or upgrade processes (and test them you should!), there is always the opportunity for something unforeseen to occur and cause you problems. The important point to strive for is not to avoid these obstacles, but to be prepared for them, to know how to identify them, and to be able to resolve them quickly and effectively. This lesson is designed to introduce you to some of the common ways you can assess the outcome of your operations and take action on your findings. The items in this lesson focus on the ways that SharePoint can inform you of an error or an issue, but they are not the only tools available to you. Be careful to also analyze the stability of your entire environment after an install or upgrade and never lose sight of your SharePoint farm's ultimate goal: to provide your users with tools and resources to help them be more productive and successful in their work.

Objectives
After completing this lesson, you will be able to:
• Review and describe result data.
• Troubleshoot upgrade errors and issues.


Reviewing Result Data

Key Points
Whether you are building a new SharePoint 2010 farm or upgrading from a SharePoint 2007 environment, always make sure to review the results documentation created by the process. The log files created during an installation or upgrade and the tool associated with those activities contain valuable information about not only the outcome of the activity, but also the current state of your environment when the installation or upgrade completes. The log files generated by these processes include the following:
• The SharePoint 2010 Setup.exe log file
• The SharePoint 2010 Products and Technology Configuration Wizard (PSConfig.exe) PSCDiagnostics log file
• The SharePoint 2010 upgrade Upgrade log files

SharePoint 2010 creates a new log file each time one of these processes is executed, rather than appending the new data to an old file. You can use tools such as Windows PowerShell and LogParser to improve data extraction and reporting. You can also review the Central Administration site's Check Update Status page for additional information, and you should run STSADM -o LocalUpgradeStatus on all SharePoint servers in the farm to review their individual statuses.


Troubleshooting Issues and Errors

Key Points
SharePoint creates a new upgrade log, as well as a new log listing only the errors encountered during the process, for each iteration of the upgrade process that you complete. Review the contents of each log file associated with the installation or upgrade carefully to verify that the process did not encounter any issues or errors. Search the log files for key terms such as Error, Warning, Failure, or Success, as well as any items that may be of significance to your situation or environment. If you find any issues, try to resolve those with the broadest impact or scope first before focusing on small problems or errors.

The Test-SPContentDatabase cmdlet is still very useful after the completion of an upgrade, or even an install. It can run against a SharePoint 2010 farm's content databases long after an installation or upgrade has been completed to check the status and health of a content database.

Do not forget to validate the end-user experience of your SharePoint 2010 farm after it is built or has been upgraded. Review the following items to ensure that they are fully functional and meet the requirements of your end users:
• Verify themes, styles, and images.
• Verify permissions.
• Identify broken links.
• Identify broken, missing, or hidden Web Parts.
• Identify large lists that may be throttled by default.
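The keyword search described above can be scripted so that every upgrade iteration is summarized the same way. This is an added example, not part of the courseware; the function name, the file-name filter and the sample log lines are constructed for illustration, and on a real server you would point it at the farm's log folder (assumed here to be the 14\LOGS folder under Web Server Extensions).

```powershell
# Added example, not part of the courseware.
function Get-UpgradeLogSummary {
    param(
        [Parameter(Mandatory = $true)][string]$LogDirectory,
        [string]$Filter = 'Upgrade-*.log',     # assumed file-name pattern
        [string[]]$Terms = @('Error', 'Warning', 'Failure', 'Success')
    )

    Get-ChildItem -Path $LogDirectory -Filter $Filter | Sort-Object Name | ForEach-Object {
        $file = $_
        $row  = New-Object PSObject -Property @{ File = $file.Name }
        foreach ($term in $Terms) {
            # Whole-word, case-insensitive match; counts lines, not occurrences.
            $pattern = '\b' + [regex]::Escape($term) + '\b'
            $count   = @(Select-String -Path $file.FullName -Pattern $pattern).Count
            $row | Add-Member -MemberType NoteProperty -Name $term -Value $count
        }
        $row
    }
}

# Constructed sample input so that the example runs without a SharePoint server.
$sampleDir = Join-Path ([System.IO.Path]::GetTempPath()) 'UpgradeLogSample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@(
    '[PSCONFIG] [SPUpgradeSession] [INFO] [6/30/2011 9:02:11 PM]: Upgrade session starts.'
    '[PSCONFIG] [SPContentDatabaseSequence] [WARNING] [6/30/2011 9:04:40 PM]: Feature is referenced in the database but is not installed.'
    '[PSCONFIG] [SPContentDatabaseSequence] [ERROR] [6/30/2011 9:05:03 PM]: Database contains a site that is not found in the site map.'
    '[PSCONFIG] [SPUpgradeSession] [INFO] [6/30/2011 9:20:55 PM]: Upgrade session finishes with 1 errors and 1 warnings. Failure.'
) | Set-Content -Path (Join-Path $sampleDir 'Upgrade-20110630-210211-100.log')
@(
    '[PSCONFIG] [SPUpgradeSession] [INFO] [7/01/2011 8:00:02 PM]: Upgrade session starts.'
    '[PSCONFIG] [SPUpgradeSession] [INFO] [7/01/2011 8:17:31 PM]: Upgrade session finishes. Success.'
) | Set-Content -Path (Join-Path $sampleDir 'Upgrade-20110701-200002-100.log')

# One row per log file, so each iteration of the upgrade can be compared.
Get-UpgradeLogSummary -LogDirectory $sampleDir |
    Format-Table File, Error, Warning, Failure, Success -AutoSize

# List the lines to work through first.
Select-String -Path (Join-Path $sampleDir 'Upgrade-*.log') -Pattern '\b(Error|Failure)\b' |
    Select-Object Filename, LineNumber, Line | Format-List
```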


Lesson 4

Configuring SharePoint Operational Settings

Even though you may have successfully installed SharePoint 2010 in a new environment, it may not be automatically set up and ready for your users to start using. In almost every SharePoint 2010 farm, you still must perform several activities, regardless of whether you have 1 server or 10 servers, or whether it is a fresh install or an upgrade from SharePoint 2007. This lesson identifies some of the most common activities you need to complete in your farm before you can open it for business. This lesson discusses configuring some of the core components of your farm, introduces a great new tool for assessing the health of your SharePoint 2010 farm, and walks you through how to establish additional paths of access to the farm as well as the process behind setting up the farm to host multiple organizations in siloed site collections.

Objectives
After completing this lesson, you will be able to:
• Use the farm configuration wizard tools.
• Run the SharePoint Health Analyzer.
• Configure alternate access mappings.
• Configure email and Short Message System (SMS) settings.
• Enable multi-tenancy.
• Set up timer jobs.


Using the Farm Configuration Wizard

Key Points
The Farm Configuration Wizard is a tool new to SharePoint 2010 that is designed to help you complete some of the common tasks necessary to get your farm's first SharePoint site up and running, as well as the services it needs to deliver content and functionality to end users. It is available to your farm's administrators on the SharePoint Central Administration Web site. Although administrators can manually carry out the tasks completed by the Farm Configuration Wizard either through the Central Administration site or with Windows PowerShell cmdlets, the Farm Configuration Wizard is a good way for administrators new to SharePoint 2010 to understand what information is necessary to complete its tasks and to complete them in a consistent manner.

What it does:
• Configures selected service applications for your farm, such as Excel Calculation Services or the Managed Metadata service application
• Sets up managed accounts for those service applications, allowing SharePoint to manage account passwords directly without administrator intervention
• Creates your farm's first content Web application

What it does not do:
• Do not confuse it with the SharePoint 2010 Products and Technologies Configuration Wizard. The Farm Configuration Wizard configures components and services in the farm, whereas the SharePoint 2010 Products and Technologies Configuration Wizard is responsible for creating and updating the farm itself.
• It does not do fine-grained configurations; the service applications and Web application created by the Farm Configuration Wizard still require additional administration and configuration before they are fully functional.


Running the SharePoint Health Analyzer

Key Points
Another valuable tool available in SharePoint 2010 to measure the well-being and stability of your SharePoint farm is the SharePoint Health Analyzer, located in the Monitoring section of your farm's Central Administration Web site. It is intended to help you identify configuration issues in your SharePoint farm and optimize availability and performance. The SharePoint Health Analyzer is included with every edition of SharePoint and is preconfigured with a full set of defined health rules for evaluation.

What it does:
• It checks rules on a scheduled basis, and it can also be run at any time.
• Administrators can enable or disable rules, configure schedules, and determine a rule's scope.
• It generates visual alerts in the Central Administration site and emails alerts.
• It can be extended with custom-developed rules.

What it does not do:
• The SharePoint Health Analyzer does not replace comprehensive monitoring solutions such as Microsoft System Center Operations Manager. The SharePoint 2010 Management Pack (MP) for System Center Operations Manager actually includes the same set of default rules used by the Health Analyzer, as well as additional event and monitoring rules, integration with SharePoint's Unified Logging System (ULS) logs, and valuable Microsoft Knowledge Base articles that provide contextual information and troubleshooting guidance for administrators.


Configuring Alternate Access Mappings

Key Points
Alternate access mappings (AAMs) enable a single SharePoint 2010 Web application to be accessed through multiple URLs. Each SharePoint Web application can have up to five different AAMs for accessing its content. When you create each AAM, you must assign it an identifying label, such as Default or Intranet; these labels do not dictate how the AAM must be used or add any additional functionality to the AAM; they are simply for identification. Usage scenarios for AAMs include the following:
• Reverse proxy access
• Load-balanced Web servers
• Enabling multiple authentication providers for a site

You can create AAMs in the Application Management section of your farm's Central Administration site or by using the New-SPApplication Windows PowerShell cmdlet.


Configuring Email and SMS Settings

Key Points
In SharePoint 2010, you can configure your farm to communicate directly and automatically with its users and administrators by email and/or SMS text message. This makes it easier for users to receive important notifications quickly and allows administrators both to receive and to send messages through the farm. On the Central Administration site's System Settings page, you can configure the following settings:
• Delivery of email from the farm to users for access notifications, alerts, task assignments, and so forth
• Delivery of email to administrators from users requesting access or assistance with issues
• Delivery of text messages between your farm and mobile devices

To configure outgoing email, you need a Simple Mail Transfer Protocol (SMTP) server and an email address for sending and receiving. To configure incoming email, you need an SMTP server configured (it can be the same server you used for outgoing email) and a drop folder for storing messages on the server's file system. To configure SMS messaging, you need a URL for your SMS service provider and account access data for the SMS service.


Enabling Multitenancy

Key Points
The new SharePoint 2010 multitenancy features allow for site collections in a single Web application to be grouped and for each group's user experiences, profile stores, search indices, and other resources to be isolated from one another while still using the shared resources of the overall farm. You can use multitenancy to deliver hosted SharePoint environments for multiple customers without configuring separate infrastructure resources for each customer account. Common use cases are the following:
• Hosted SharePoint sites as a service for sale to the public, similar to Microsoft SharePoint Online offerings
• Hosted SharePoint sites as a service provided by a large enterprise to its internal divisions, allowing for rapid deployment of sites, segmentation of functionality and information, and shared infrastructure resources
• Delegation of common administrative tasks


Setting Up Timer Jobs

Key Points
SharePoint 2010 gives administrators much more control over timer jobs, how they are scheduled, when they can be run, and where they are run. In previous editions of SharePoint, administrators could use the Central Administration site only to check on the status of timer jobs and delete failed jobs. The Central Administration site's Timer Job Definitions page now enables the following configuration:
• Code-free modification of an individual timer job's schedule
• A Run Now option to enable ad hoc execution of specific timer jobs
• Rich information on the status and outcome of a timer job on the timer job's status page

The Timer Job Definitions page also displays useful information about what a timer job does, where it runs, and when it is run. To view more detailed information about the current status of a timer job, you can visit the Timer Job Statuses page. It displays information about when a timer job is next scheduled to run, which timer jobs are currently running, any failed timer jobs, and historical execution data for each of the farm's timer jobs.


Lesson 5

Updating SharePoint

When SharePoint is up and running the way you want it, your focus should turn to more operational matters: performing maintenance on your environment and ensuring its long-term health and stability. A key maintenance activity for any software platform, and for SharePoint in particular, is updating the application with updates, hot fixes, and service packs. Whether these updates introduce new functionality, enhance existing capabilities of the environment, or resolve important issues, when you apply them in an effective and timely manner you can maintain a secure and robust SharePoint environment. Microsoft has done a lot to make the application of SharePoint updates a much more manageable process, with specific attention to reducing the amount of downtime necessary for updating. SharePoint 2010 can integrate multiple versions of SharePoint into a single farm so that administrators of environments with multiple servers can gradually distribute updates throughout a farm without interrupting services to users.

Note: Microsoft published Service Pack 1 (SP1) in June 2011. New CUs are published every two months.

Objectives
After completing this lesson, you will be able to:
• Describe the SharePoint update process.
• Describe SharePoint update types.
• Update a single-server farm.
• Update a multiple-server farm.


How SharePoint Is Updated

Key Points
Updating most applications, even complex server-based applications, is usually a matter of running an installer to apply updates to the application, verifying the results of the process, and then declaring it complete. Because SharePoint stores so much of its configuration data in its databases, the update process requires additional planning and consideration. The SharePoint platform is updated in two distinct ways:
• Binary updates
• Database updates

Binary updates modify the installed SharePoint binaries on each SharePoint server in the farm by deploying updates through installation packages, similar to how most typical software updates are done. Database updates can modify the configuration, structure, and content of the farm's SQL Server databases and can be scripted using Windows PowerShell cmdlets; this part of the update process is what makes SharePoint unique. In previous versions of SharePoint, the binaries on every server in a farm, as well as its databases, all had to be using the same version of SharePoint. If they were not using the same version, the farm could encounter errors, lose some functionality, or even become completely inoperable. In SharePoint 2010, a farm's binaries can be updated to a newer version than its databases use, allowing for more fluid updating activities that require less downtime for end users. This gives administrators more flexibility in planning their updating activities so that updates can be rolled out gradually to meet tighter requirements for uptime while keeping the SharePoint platform updated and secure.


The eventual goal of applying updates to SharePoint is still the same: to update the SharePoint environment to the latest and most stable version so that it has the best combination of security and functionality available from Microsoft. This is accomplished by finalizing the update process with the SharePoint Products and Technologies Wizard, bringing all of a farm's components to a consistent version.


SharePoint Update Types

Key Points
SharePoint follows Microsoft's standard convention for numbering versions of software products: MMMM.mmmm.BBBB.rrrr (where MMMM indicates the major version for the product, mmmm is the minor version, BBBB is the build version number, and rrrr is the revision number, which indicates the version's type of update). The two important values to consider when reviewing the version number of a SharePoint installation are the major version number and the build version number.

The major version indicates the released version of the product; all versions and updates to SharePoint 2010 are marked with a major version value of 14. Because upgrading a farm from SharePoint 2007 to SharePoint 2010 changes the farm's major version from 12 to 14, that process is considered to be a version-to-version upgrade.

The build version number indicates the specific level in the major version that SharePoint has been updated to, such as the release to manufacturing (RTM) version or that of a later cumulative update (CU) or service pack (SP). Applying updates to SharePoint is considered to be a build-to-build upgrade.

Update compatibility ranges define the spectrum of version numbers that servers and databases in a farm can cover and still function cohesively. Service packs should delineate compatibility ranges, meaning that all updates to SharePoint between its RTM release and Service Pack 1 should be in the same compatibility range, while updates made between Service Pack 1 and Service Pack 2 are in a separate compatibility range.

Microsoft makes the following types of updates available:
• Individual updates to resolve specific issues or vulnerabilities as they arise.
• Cumulative updates (CU), which cumulatively roll up all publicly released updates since the last major update and are released every two months.
• Service packs, which indicate a major update to the platform and include updates as well as new functionality. Service packs are released very infrequently and should represent the boundary for compatibility ranges. SP1 for SharePoint 2010 was released in June 2011.


Additional Reading
• Service Pack 1 for SharePoint Foundation 2010 and SharePoint Server 2010 at: http://go.microsoft.com/fwlink/?LinkId=234972
• Service Pack 1 Tutorial at: http://go.microsoft.com/fwlink/?LinkId=234973


Updating a Single-Server Farm

Key Points
In a single-server SharePoint 2010 environment, the important point to understand is that downtime or an outage is unavoidable. Because the farm does not include any redundancy, it must be unavailable during the upgrade process to prevent resource contention, data corruption, and fatal errors. You need to communicate that outage proactively to your farm's users, as well as make the farm unavailable during the updates in case the message is not delivered in time to all users. Always take the time necessary to review the documentation completely for each update prior to installing it and adjust the following steps according to the installation information included with the update. If at all possible, test the updates in a separate environment prior to deploying them in your production environment and back up your production environment before updating it: the only way to roll back a SharePoint 2010 update is to rebuild your farm and restore your content to it.

To apply a build-to-build update to a single-server SharePoint farm, complete the following steps:
1. Back up the farm and test the restoration procedure.
2. Obtain the update from Microsoft and copy it to the server.
3. Schedule an outage window during off-peak hours and communicate it to your users.
4. Prior to the advertised outage window, run the update's installer to deploy the binary update to the server's file system.
5. When the outage window begins, make the farm unavailable by stopping its Web sites in Internet Information Services (IIS), and then update the farm's content databases using the Upgrade-SPContentDatabase cmdlet.
6. Finalize the update by running the SharePoint Products and Technology Configuration Wizard.
7. Review the update's log file to verify that the update completed without error.
8. Validate that the farm's sites are fully functional.
9. Back up the farm and test the restoration procedure.
10. Communicate to users that the outage window has ended.


Updating a Multiple-Server Farm

Key Points
The steps to update a SharePoint 2010 farm with multiple servers are similar to those for updating a single-server farm. However, in addition to the obvious changes in scale, more detailed planning is necessary to reduce downtime and issues. You should update servers that are assigned redundant roles in the farm in stages so that you can shift traffic and workloads to some servers with a given role while the other servers are updated. This allows your farm to continue to function without disrupting service, or at least it keeps disruptions to a minimum. You should still alert users about the update activity because they may experience degraded performance (resulting from a reduction in available resources in the farm) or unforeseen errors may force you to take an outage. As with a single-server farm, it is important always to take the time necessary to review the documentation completely for each update prior to installing it and adjust the following steps according to the installation information included with the update. Make sure to review the documentation carefully for instructions specific to farms with multiple servers. It is still critical to test your update and protect your production environment with a backup prior to starting the update process.

To apply a build-to-build update to a multiple-server SharePoint farm, complete the following steps:
1. Obtain the update from Microsoft and copy it to each server in the farm.
2. Back up the farm and test the restoration procedure.
3. Schedule an outage window during off-peak hours and communicate it to your users.
4. Update the binaries on each SharePoint server in the farm prior to the advertised outage window.
   a. Review the farm's servers to identify each server's role(s) so that you can group together servers with the same roles for updating.
   b. If the farm has load-balanced WFEs, remove half of the cluster's nodes and update them, and then reverse the configuration to ensure optimal uptime.


5. Ensure that the binary update's installer has been run on every server in the farm prior to the outage window.
6. When the outage window begins, update the farm's content databases using the Upgrade-SPContentDatabase cmdlet.
7. Finalize the upgrade by running the SharePoint Products and Technology Configuration Wizard.
8. Review the upgrade's log file to verify that the upgrade completed without error.
9. Validate that the farm's sites are fully functional.
10. Back up the farm and test the restoration procedure.
11. Communicate to users that the outage window has ended.
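The database step of both the single-server and the multiple-server procedure can be scripted so that only content databases still behind the installed binaries are upgraded, and so that nothing is left behind before the configuration wizard is run. This is an added example, not part of the courseware; it assumes the SharePoint 2010 Management Shell, and the function name is hypothetical.

```powershell
# Added example, not part of the courseware.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Update-PendingContentDatabases {
    # BuildVersion is a System.Version (major.minor.build.revision);
    # the major version is 14 for every SharePoint 2010 build.
    $farm = Get-SPFarm
    Write-Host "Farm build version: $($farm.BuildVersion)"

    # Databases that are behind the binaries installed on this server.
    $pending = @(Get-SPContentDatabase | Where-Object { $_.NeedsUpgrade })
    if ($pending.Count -eq 0) {
        Write-Host 'No content database needs a build-to-build upgrade.'
        return @()
    }
    $pending | Format-Table Name, Server, NeedsUpgrade -AutoSize | Out-Host

    foreach ($db in $pending) {
        Write-Host "Upgrading $($db.Name) ..."
        Upgrade-SPContentDatabase -Identity $db -Confirm:$false
    }

    # Re-query rather than trust the loop: return whatever is still pending.
    @(Get-SPContentDatabase | Where-Object { $_.NeedsUpgrade })
}

# Run this inside the outage window, after the binaries have been installed.
$remaining = @(Update-PendingContentDatabases)
if ($remaining.Count -gt 0) {
    $names = ($remaining | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Still pending: $names. Review the upgrade log before continuing."
}
else {
    Write-Host 'Content databases are current. Finalize with the configuration wizard.'
}
```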


Lab A: Preparing SharePoint 2007 for Upgrade to SharePoint 2010

Log on to the virtual machine for this lab.


1. Start 10174A-CONTOSO-DC-F.
2. After CONTOSO-DC has completed startup, start 10174A-SP2007-WFE1-F.


Exercise 1: Performing SQL Server Database Maintenance


Task 1: Clean up databases.
1. Log on to SP2007-WFE1 as CONTOSO\Administrator with the password Pa$$w0rd.
2. Click Start, click All Programs, click Microsoft SQL Server 2008 R2, and then click SQL Server Management Studio.
3. Click Connect.
4. Click File, click Open, and then click File.
5. Select D:\Labfiles\Lab12\DefragIndexes.sql, and then click Open.
6. In the Available Databases list on the toolbar, select WSS_Content_Intranet.
7. Click Execute. When the query is complete, the status below the Results panel indicates Query executed successfully. You may have to expand the results window to see the results.
8. Repeat steps 6 and 7 for the following databases:
   • WSS_Content_Intranet_IT
   • WSS_Content_MySites
   • SharePoint_AdminContent_GUID
   • SharePoint_Config
9. Close SQL Server Management Studio.

Task 2: Confirm sufficient free disk space.


1. Open Windows Explorer and confirm that there is at least 20 gigabytes of free disk space on C drive.
2. Close Windows Explorer.


Exercise 2: Moving a Site Collection Between Content Databases


Task 1: Create a new site collection.
1. Click Start, click All Programs, click Microsoft Office Server, and then click SharePoint 3.0 Central Administration. If prompted for credentials, provide Contoso\Administrator as the user name and Pa$$w0rd as the password.
2. Click the Application Management tab, and then create a new site collection with the following settings:
   • Web Application: http://intranet.contoso.com/
   • Title: Sales
   • URL: Sales
   • Primary Site Collection Administrator: Contoso\SP_Admin

Task 2: Create a new content database.


1. In the Quick Launch, click Application Management.
2. In the SharePoint Web Application Management section, create a new Content database named WSS_Content_Intranet_Sales.

Task 3: Move a site collection between content databases.


1. Open Command Prompt.
2. To export an Extensible Markup Language (XML) listing of sites in the intranet Web application, type the following command and press ENTER.

    "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\Bin\stsadm.exe" -o enumsites -url http://intranet.contoso.com > C:\SiteList.xml

3. To open the site listing in Notepad, type the following command and press ENTER:

    notepad C:\SiteList.xml

4. Delete the following two elements (the entire line of XML):
   Site Url="http://intranet.contoso.com"
   Site Url="http://intranet.contoso.com/sites/IT"
5. Confirm that the only remaining Site element is for the Sales site collection.
6. Click File, and then click Save.
7. Close Notepad.
8. Switch to Administrator: Command Prompt. To move the Sales site collection from the WSS_Content_Intranet content database to the WSS_Content_Sales content database, type the following command, and then press ENTER.

    "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\Bin\stsadm.exe" -o mergecontentdbs -url http://intranet.contoso.com -sourcedatabasename WSS_Content_Intranet -destinationdatabasename WSS_Content_Intranet_Sales -operation 3 -filename C:\SiteList.xml

9. To restart IIS, type the following command.

    iisreset


Task 4: Verify and report the move of the site collection.


1. Switch to Internet Explorer. Press F5 to refresh the page. If the Windows Security dialog opens, type CONTOSO\Administrator in the User name box, type Pa$$w0rd in the Password box, and then click OK.
2. Observe that the WSS_Content_Sales content database now contains one site.
3. Switch to Administrator: Command Prompt.
4. To export an XML listing of sites in the intranet Web application, type the following command.

    "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\Bin\stsadm.exe" -o enumsites -url http://intranet.contoso.com > C:\SiteList.xml

5. To open the site listing in Notepad, type the following command.

    notepad C:\SiteList.xml

6. Click Format, and then click Word Wrap.
7. Observe the information that is reported for each site collection, including the owner (primary site collection administrator), content database, and storage utilization.
8. Close Notepad.
9. Close Administrator: Command Prompt.


Exercise 3: Preparing SQL Server Databases for Upgrade


Task 1: Back up SharePoint databases using SQL Server.
1. Open Windows Explorer and browse to C drive.
2. On the toolbar, click New folder.
3. Type Backups, and then press ENTER.
4. Click Start, click All Programs, click Microsoft SQL Server 2008 R2, and then click SQL Server Management Studio.
5. Click Connect.
6. Click New Query.
7. Type the following query into the query editor panel.

    use WSS_Content_Intranet
    dbcc shrinkfile ('WSS_Content_Intranet')
    dbcc shrinkfile ('WSS_Content_Intranet_log')
    go
    backup database WSS_Content_Intranet to disk = 'C:\Backups\WSS_Content_Intranet.bak'
    go
    backup log WSS_Content_Intranet to disk = 'C:\Backups\WSS_Content_Intranet_log.bak'
    go
    dbcc shrinkfile ('WSS_Content_Intranet')
    dbcc shrinkfile ('WSS_Content_Intranet_log')
    go

8. Click the Execute button.
9. Confirm that at the bottom of the Results panel, the status indicates Query executed successfully.
10. Repeat steps 6-9 to back up and truncate the WSS_Content_Intranet_IT database. Use the following query.

use WSS_Content_Intranet_IT
dbcc shrinkfile ('WSS_Content_Intranet_IT')
dbcc shrinkfile ('WSS_Content_Intranet_IT_log')
go
backup database WSS_Content_Intranet_IT to disk = 'C:\Backups\WSS_Content_Intranet_IT.bak'
go
backup log WSS_Content_Intranet_IT to disk = 'C:\Backups\WSS_Content_Intranet_IT_log.bak'
go
dbcc shrinkfile ('WSS_Content_Intranet_IT')
dbcc shrinkfile ('WSS_Content_Intranet_IT_log')
go

11. Repeat steps 6-9 to back up and truncate the WSS_Content_Intranet_Sales database. Use the following query.

use WSS_Content_Intranet_Sales
dbcc shrinkfile ('WSS_Content_Intranet_Sales')
dbcc shrinkfile ('WSS_Content_Intranet_Sales_log')
go
backup database WSS_Content_Intranet_Sales to disk = 'C:\Backups\WSS_Content_Intranet_Sales.bak'
go
backup log WSS_Content_Intranet_Sales to disk = 'C:\Backups\WSS_Content_Intranet_Sales_log.bak'
go
dbcc shrinkfile ('WSS_Content_Intranet_Sales')
dbcc shrinkfile ('WSS_Content_Intranet_Sales_log')
go

12. Repeat steps 6-9 to back up and truncate the WSS_Content_MySites database. Use the following query.

use WSS_Content_MySites
dbcc shrinkfile ('WSS_Content_MySites')
dbcc shrinkfile ('WSS_Content_MySites_log')
go
backup database WSS_Content_MySites to disk = 'C:\Backups\WSS_Content_MySites.bak'
go
backup log WSS_Content_MySites to disk = 'C:\Backups\WSS_Content_MySites_log.bak'
go
dbcc shrinkfile ('WSS_Content_MySites')
dbcc shrinkfile ('WSS_Content_MySites_log')
go

13. Open the C:\Backups folder.
14. Confirm that the database and log backup files were created.
15. Close the C:\Backups folder.
16. Close SQL Server Management Studio. When prompted to save your changes, click No.

Task 2: Back up a SharePoint 2007 farm by using Central Administration.


1. Switch to SharePoint 3.0 Central Administration. Click the Operations link, and then from the Backup and Restore section perform a backup.
2. Select the check box next to Farm.
3. Click Continue to Backup Options.
4. In the Backup location box, type C:\Backups.
5. Do not perform a backup at this time. Click Cancel.

Task 3: Detach content databases.


1. In the Quick Launch, click Application Management.
2. In the SharePoint Web Application Management section, click Web application list.
3. Click SharePoint - intranet.contoso.com80.
4. In the SharePoint Web Application Management section, click Content databases.
5. Click the database name of the first-listed content database.
6. Select the Remove content database option. A confirmation message appears. Click OK.
7. Click OK. The content database is removed.
8. Repeat steps 5-7 for each content database.
9. Repeat steps 1-8 for the Web application SharePoint - mysites.contoso.com80.
10. Close SharePoint 3.0 Central Administration.


Exercise 4: Preparing SharePoint 2007 for Upgrade


Task 1: Perform a pre-upgrade check.
1. Open Command Prompt.
2. Type the following command, and then press ENTER. A report opens in Windows Internet Explorer:

"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\Bin\stsadm.exe" -o preupgradecheck

3. Switch to Command Prompt.
4. Review the output of the command.
5. Switch to Internet Explorer.
6. Review the report.
7. Close all open windows and applications.

To prepare for the next lab.


1. Turn off 10174A-SP2007-WFE1-F. Leave 10174A-CONTOSO-DC-F running.
2. Start and connect to 10174A-SP2007-WFE1-G.


Lab B: Upgrading SharePoint 2007 to SharePoint 2010

Log on to the virtual machine for this lab


1. Start 10174A-CONTOSO-DC-F.
2. After CONTOSO-DC has completed startup, start 10174A-SP2007-WFE1-G.


Exercise 1: Upgrading SharePoint 2007 to SharePoint 2010


Task 1: Run the SharePoint Products Configuration Wizard.
Note: To save time the actual installation of SharePoint 2010 has already been completed on 10174A-SP2007-WFE1-G. You use this virtual machine for the remainder of the lab.

1. Log on to SP2007-WFE1 as CONTOSO\Administrator with the password Pa$$w0rd.
2. Click Start, point to All Programs, click Microsoft SharePoint 2010 Products, and then click SharePoint 2010 Products Configuration Wizard.
3. On the Welcome to SharePoint Products page, click Next. A message appears to inform you that services may have to be started or reset.
4. Click Yes.
5. On the Specify Farm Security Settings page, type 10174_SharePoint_2010 in the Passphrase and Confirm passphrase boxes.
6. Click Next.
7. On the Visual Upgrade page, review the message and options.
8. Click Preserve the look and feel of existing SharePoint Sites, and allow end users to update their sites' user experience.
9. Click Next.
10. On the Completing the SharePoint Products Configuration Wizard page, click Next. A SharePoint Products Configuration Wizard message opens. The message reminds you to install the binaries on all servers in the farm before you run the wizard. Click OK.
11. On the Configuration Successful, Upgrade In Progress page, read the message, and then click Finish. SharePoint 2010 Central Administration opens.

Task 2: Validate the upgrade.


1. In SharePoint 2010 Central Administration, on the Upgrade Status page, confirm that Status is Succeeded. You might need to wait a few minutes before the upgrade completes. Press F5 to refresh the page, and then return to step 1.
2. Observe the number of Errors and Warnings. There should be no errors. However, warnings are expected.
3. Identify the Log File that contains a record of events during the upgrade.
4. Open the log file in Notepad.
5. Press CTRL+F, and then type [Warning]. Tip: Include the brackets.
6. Read the first warning message.
7. Press F3 to locate the next warning message, and then read the message. Repeat this step for all warning messages.
8. Close Notepad.


Exercise 2: Upgrading Content Databases


Task 1: Attempt to attach a content database.
1. In the Quick Launch, click Application Management.
2. In the Databases section, click Manage content databases.
3. Click Add a content database.
4. In the Database Server box, type SP2007-WFE1.
5. In the Database Name box, type WSS_Content_Intranet.
6. Click OK. An error page opens that explains that you must use the addcontentdb operation of Stsadm.exe or the Mount-SPContentDatabase cmdlet of Windows PowerShell to attach and upgrade a content database.
7. Click Go back to site.

Task 2: Attach content databases using Windows PowerShell.


1. Open the SharePoint 2010 Management Shell.
2. Type the following commands.

Mount-SPContentDatabase "WSS_Content_Intranet" -DatabaseServer SP2007-WFE1 -WebApplication http://intranet.contoso.com
Mount-SPContentDatabase "WSS_Content_Intranet_IT" -DatabaseServer SP2007-WFE1 -WebApplication http://intranet.contoso.com
Mount-SPContentDatabase "WSS_Content_Intranet_Sales" -DatabaseServer SP2007-WFE1 -WebApplication http://intranet.contoso.com
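
A check-then-attach variant of the commands above, as an added example that is not part of the course lab: it runs Test-SPContentDatabase against each database first and mounts only those with no upgrade-blocking findings. The server, URL, and database names are the lab's; the report folder C:\UpgradeReports is an assumption.

```powershell
# Added example (not from the course lab). Run in the SharePoint 2010 Management Shell
# with an account that is allowed to attach databases to the Web application.
$dbServer  = 'SP2007-WFE1'
$webAppUrl = 'http://intranet.contoso.com'
$databases = 'WSS_Content_Intranet', 'WSS_Content_Intranet_IT', 'WSS_Content_Intranet_Sales'
$reportDir = 'C:\UpgradeReports'   # assumption: any folder the operator can write to

if (-not (Test-Path $reportDir)) {
    New-Item -ItemType Directory -Path $reportDir | Out-Null
}

foreach ($db in $databases) {
    # Test-SPContentDatabase does not modify the database. It reports problems such as
    # missing features, missing assemblies, and orphaned objects.
    $issues   = @(Test-SPContentDatabase -Name $db -ServerInstance $dbServer -WebApplication $webAppUrl)
    $blocking = @($issues | Where-Object { $_.UpgradeBlocking })

    if ($issues.Count -gt 0) {
        # Keep the findings so that warnings can be worked through after the upgrade.
        $issues | Select-Object Category, Error, UpgradeBlocking, Message, Remedy |
            Export-Csv -Path (Join-Path $reportDir "$db.csv") -NoTypeInformation
    }

    if ($blocking.Count -gt 0) {
        Write-Warning "$db has $($blocking.Count) upgrade-blocking issue(s) and was not attached. See $reportDir\$db.csv"
        continue
    }

    Write-Host "Attaching $db ($($issues.Count) non-blocking finding(s))"
    Mount-SPContentDatabase -Name $db -DatabaseServer $dbServer -WebApplication $webAppUrl
}

# Confirm what is attached and whether any database still needs an upgrade.
Get-SPContentDatabase -WebApplication $webAppUrl |
    Select-Object Name, Server, CurrentSiteCount, NeedsUpgrade |
    Format-Table -AutoSize
```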

Task 3: Verify the database upgrade.


1. Switch to SharePoint 2010 Central Administration.
2. In the Quick Launch, click Upgrade and Migration.
3. In the Upgrade and Patch Management section, click Check upgrade status.
4. Click the first item in the Upgrade sessions list.
5. Identify the Starting object for the upgrade session.
6. Observe the number of errors and warnings. Note: There should be no errors, but warnings are expected.
7. Repeat steps 4-6 for each upgrade session.

Task 4: Verify the database attach.


1. In the Quick Launch, click Application Management.
2. In the Databases section, click Manage content databases.
3. Click the Web Application list, and then click Change Web Application.
4. Click SharePoint - intranet.contoso.com80.
5. Confirm that three databases are attached to the intranet Web application.
6. Click WSS_Content_Intranet.
7. In the Database Versioning section, confirm that the Microsoft.SharePoint.Administration.SPContentDatabase Current Schema Version is 14.0.4762.1000.


Task 5: Verify database upgrade status.


1. In the Quick Launch, click Upgrade and Migration.
2. In the Upgrade and Patch Management section, click Check product and patch installation status.
3. Confirm that all products are listed as Installed with a version of 14.0.4763.1000.
4. In the Quick Launch, click Upgrade and Migration.
5. In the Upgrade and Patch Management section, click Review database status.
6. Confirm that the Status for all databases is No action required.

Task 6: Run the Farm Configuration Wizard.


1. In the Quick Launch, click Configuration Wizards.
2. In the Farm Configuration section, click Launch the Farm Configuration Wizard.
3. Click Yes, I am willing to participate (Recommended). Click OK.
4. Click Start the Wizard.
5. In the Service Account section, click Create new managed account.
6. In the User name box, type CONTOSO\SP_ServiceApps.
7. In the Password box, type Pa$$w0rd.
8. Click Next.
9. Click Skip.
10. Click Finish.
11. Close SharePoint 2010 Central Administration.
12. Close all open windows and applications.


Exercise 3: Implementing a Visual Upgrade


Task 1: Validate the SharePoint 2007 user interface.
1. Open Internet Explorer, and then browse to http://intranet.contoso.com/sites/IT. If you receive an error message, click Go back to site.
2. Click Welcome Contoso\Administrator, and then click Sign in as Different User.
3. Log on as Contoso\SP_Admin with the password Pa$$w0rd.
4. In the Quick Launch, click Calendar.
5. Observe the SharePoint 2007 user interface.

Task 2: Preview the SharePoint 2010 user interface.


1. Click Site Actions, and then click Visual Upgrade.
2. Select the Preview the updated user interface option, and then click OK.
3. Observe the new SharePoint 2010 user interface.

Task 3: Revert to the SharePoint 2007 user interface.


1. On the information bar, click View or modify this site's Visual Upgrade settings.
2. Click Use the previous user interface, and then click OK.
3. Click the Home tab.
4. In the Quick Launch, click Calendar.
5. Observe the SharePoint 2007 user interface.

Task 4: Upgrade to the SharePoint 2010 user interface.


1. Click Site Actions, and then click Visual Upgrade.
2. Click Update the user interface, and then click OK.
3. Click Site Actions, and then observe that the Visual Upgrade command no longer appears.

To prepare for the next module.


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog, click Revert.


Module Review and Takeaways

Review Questions
1. What options are available to administrators when running visual upgrade?
2. Which are the application server roles available?
3. What advantages does scripting a build process offer?


Module 13
Implementing Business Continuity
Contents:
Lesson 1: Protecting and Recovering Content
Lesson 2: Working with Backup and Restore for Disaster Recovery
Lesson 3: Implementing High Availability Solutions
Lab A: Implementing a Backup Strategy
Lab B: Implementing a Restore Strategy


Module Overview

This module describes the principles and processes that are behind business continuity. It identifies possible solutions, and identifies which elements of Microsoft SharePoint can help you determine the plan that you implement. The cost that loss of a system can represent is minimal in comparison to the impact the loss of information can have on an organization. Loss of information can happen in many different types of failures. Some may be natural causes, and others can be man-made. Business continuity is defined as the process and procedures that are implemented to outline a plan that sets the path to recovery from disruption of service and restores access to information in a given time period.

Objectives
After completing this module, you will be able to:
- Describe how to protect content and recover content.
- Perform backup and restore operations to mitigate against disasters.
- Implement high availability solutions with SharePoint Server.


Lesson 1

Protecting and Recovering Content

When working as an administrator, one essential task is determining how to protect the information that is part of the lifecycle of your organization. In order to achieve this, you must be able to use features that are an intrinsic part of SharePoint, including version control and the Recycle Bin.

Objectives
After completing this lesson, you will be able to:
- Configure version control.
- Configure and manage the Recycle Bin.
- Use the Site Recycle Bin to restore sites and site collections.
- Import and export content.


Configuring Version Control

Key Points
Version control is a way to store multiple copies of a document. How many copies are stored depends on how much of an item's change history you want to keep. Version control has the following options:
- No versioning. Nothing is stored and all changes overwrite the previous version, leaving no trail.
- Major version. This represents major changes in the document, and each change becomes a major version.
- Major and minor versions. Documents can exist in two forms: a major version, denoted by a .0, or a minor version, denoted by a .1 to .9. This setting is the most granular setting possible, and it will require the most planning for space considerations.


Configuring and Managing the Recycle Bin

Key Points
The Recycle Bin is a means of simple content recovery that users can perform in a SharePoint 2010 implementation. The default setting for the Recycle Bin is to be active and to provide a 30-day window within which a user can recover an item without administrator intervention. In order to provide this recovery window, it is important to understand the way the Recycle Bin operates. The Recycle Bin has two stages:
- Stage 1. This first stage of the Recycle Bin is a site level protection that allows users with contribute, design, or full control permission to recover items intended for deletion.
- Stage 2. The second stage Recycle Bin is a site collection level protection. At this level, information needs to be recovered by the site collection administrator.

The process to go from Stage 1 to Stage 2 depends on the configuration of the Recycle Bin settings in Central Administration. These settings are specific per Web application. The configurable settings include:
- Enable or disable the Recycle Bin protection
- Define the time in days to keep a given item through the stages
- Define the percentage of the live site quota allocated for Stage 2 items


Using the Site Recycle Bin

Key Points
Before SharePoint 2010 Service Pack 1 was released, if a site or site collection was accidentally deleted, you could only recover it by restoring a previous backup. This operation takes significant administrative time and involves an interruption in service to users. SP1 adds the Site Recycle Bin to SharePoint 2010 so that you can avoid costly restoration operations. When a site or site collection is deleted, it remains in the Site Recycle Bin for the same time period as other content. At any time during this period, you can restore the site or site collection to its original location without resorting to a backup.

Restoring Sites
When a site administrator deletes a SharePoint site, it is automatically placed in the Stage 2 recycle bin at the site collection level. Site collection administrators can restore a deleted SharePoint site in exactly the same way as they restore deleted items and documents.
Note: If a site is deleted in PowerShell with the Remove-SPWeb cmdlet, it is not sent to the Site Recycle Bin unless the -Recycle parameter is specified. You can also restore sites by using the Restore-SPDeletedSite cmdlet as described below.

Restoring Site Collections


Deleted site collections do not appear in the browser user interface. Instead, you must use PowerShell to restore them. The number of deleted sites and site collections can be determined by using the Get-SPDeletedSite cmdlet.
(Get-SPDeletedSite).Count


If there is only one site collection available to restore, you can restore it with the following command.
Get-SPDeletedSite | Restore-SPDeletedSite

If there is more than one deleted site or site collection, the restoration procedure is slightly more complex because you must pipe the right one to the Restore-SPDeletedSite cmdlet. Start by listing all the deleted site collections.
Get-SPDeletedSite

This command lists the available site collections with their Site IDs. Select the instance you want to restore and use its Site ID with the Restore-SPDeletedSite cmdlet:
Restore-SPDeletedSite -Identity <SiteID>

Where: <SiteID> is the Site ID of the site or site collection you want to restore.
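
One way to pick the right entry when several deleted site collections exist, as an added example rather than course material: it filters by server-relative path, refuses to restore over a live site collection, and restores the most recent deletion. The function name Restore-DeletedSiteByPath and the /sites/Sales path are assumptions; the Web application URL is the lab's.

```powershell
# Added example (not from the course). Requires SharePoint 2010 SP1 or later and the
# SharePoint 2010 Management Shell. Restore-DeletedSiteByPath is a hypothetical helper name.
function Restore-DeletedSiteByPath {
    param(
        [Parameter(Mandatory = $true)][string]$WebApplicationUrl,
        [Parameter(Mandatory = $true)][string]$Path   # server-relative, for example /sites/Sales
    )

    # A site collection that was deleted, re-created, and deleted again is listed more
    # than once, so match on Path and sort by DeletionTime instead of assuming one result.
    $candidates = @(Get-SPDeletedSite -WebApplication $WebApplicationUrl |
        Where-Object { $_.Path -eq $Path } |
        Sort-Object DeletionTime -Descending)

    if ($candidates.Count -eq 0) {
        Write-Warning "No deleted site collection with path $Path in $WebApplicationUrl."
        return
    }

    # Show every match so the operator can see what is being chosen and why.
    $candidates | Format-Table SiteId, Path, DeletionTime -AutoSize | Out-Host

    # Do not restore on top of a live site collection that now occupies the same URL.
    $url  = $WebApplicationUrl.TrimEnd('/') + $Path
    $live = Get-SPSite -Identity $url -ErrorAction SilentlyContinue
    if ($live) {
        $live.Dispose()
        Write-Warning "A live site collection already exists at $url. Nothing was restored."
        return
    }

    # Restore the most recently deleted instance; -Confirm makes the cmdlet prompt first.
    $chosen = $candidates[0]
    Restore-SPDeletedSite -Identity $chosen.SiteId -Confirm

    # Verify that the site collection is reachable again.
    $restored = Get-SPSite -Identity $url -ErrorAction SilentlyContinue
    if ($restored) {
        Write-Host "Restored $url (Site ID $($chosen.SiteId), deleted $($chosen.DeletionTime))."
        $restored.Dispose()
    }
    else {
        Write-Warning "$url is still not available. Check the ULS logs."
    }
}

Restore-DeletedSiteByPath -WebApplicationUrl 'http://intranet.contoso.com' -Path '/sites/Sales'
```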


Importing and Exporting Content

Key Points
The importing and exporting content feature provides a level of granularity that is useful when working with sites, lists, or libraries. It provides a quick way of protecting sensitive information that uses a simple mechanism to help provide protection. Import and export operations can be centrally managed by using Central Administration or by taking advantage of Windows PowerShell.

Exporting Content
The export option in SharePoint gives you a very granular level of control over the content that you want to extract, such as sites, lists, and libraries. This export process will create a file that will contain the information you select. To export content using Windows PowerShell:
1. On the Start menu, click All Programs.
2. Click Microsoft SharePoint 2010 Products.
3. Click SharePoint 2010 Management Shell.
4. At the Windows PowerShell command prompt (that is, PS C:\>), type the following command, and then press ENTER:

Export-SPWeb -Identity <Site URL> -Path <Path and file name> [-ItemUrl <URL of site, list, or library>] [-IncludeUserSecurity] [-IncludeVersions] [-NoFileCompression] [-GradualDelete] [-Verbose]

Importing Content
The import option in SharePoint lets you bring in content in a granular style. It allows you to select the items that are needed from an export that was performed previously from a backup or from read-only databases.


To import content using Windows PowerShell:
1. On the Start menu, click All Programs.
2. Click Microsoft SharePoint 2010 Products.
3. Click SharePoint 2010 Management Shell.
4. At the Windows PowerShell command prompt (that is, PS C:\>), type the following command, and then press Enter.

Import-SPWeb -Identity <Site URL> -Path <Export file name> [-Force] [-NoFileCompression] [-Verbose]

Note: It is important that you do not rely on import and export to replace backup and restore procedures.

Additional Reading
Export a site, list or document library at http://go.microsoft.com/fwlink/?LinkID=197239&clcid=0x409
Import a list or document library at http://go.microsoft.com/fwlink/?LinkID=197240&clcid=0x409


Lesson 2

Working with Backup and Restore for Disaster Recovery

You can recover from various disaster scenarios if you have a well-defined plan that describes the actions that you must take in a given situation and the processes you must complete after a system failure or instance of data loss.

Objectives
After completing this lesson, you will be able to:
- Define disaster recovery.
- Protect your content by using backup.
- Protect your farm deployments by using backup.
- Perform backup operations to protect your configuration.
- Protect customizations.
- Use restore to recover from disasters.
- Use Microsoft System Center Data Protection Manager (DPM) 2010.


Defining Disaster Recovery

Key Points
As a SharePoint administrator, you are responsible for implementing an effective disaster recovery solution that meets the needs of your users, takes your organization's goals into consideration, and keeps the platform healthy and functional. Disaster recovery is the process of bringing the SharePoint solution back to a healthy and functional operational state after a failure or disaster. It is important to define and understand the two metrics that dictate the effectiveness of the process: the Recovery Point Objective (RPO), or the amount of data to be recovered and lost, and the Recovery Time Objective (RTO), or the time that will elapse before the solution is in a recovered operational state and back online. These metrics are not collected for their own sake. The plan you define must be reflected in your Service Level Agreement (SLA) and in your Operational Level Agreements (OLAs). The SLA is the overall agreement between IS/IT and the business department. OLAs are agreements between different IS/IT departments and the Service Level Manager.


Protecting Content Using Backups

Key Points
When working with backups, you are creating a copy of data that is used to restore and recover that data in the event of a system failure. Backups allow you to restore data after a failure. If your backup strategy is sound, you have a greater chance of recovering from many system failures, including the following:
- Media failure
- User errors (such as accidental content deletion)
- Hardware failures (for example, a failed hard disk or permanent loss of a server)
- Natural disasters

When considering SharePoint content, you should focus on working with items that are stored in a site collection; this is a common process to add a safety level to protecting content beyond version control and the stages of the Recycle Bin. There are several features you can take advantage of when running backups of a site or site collection. The features are:
- Executing backups from Central Administration.
- Executing backups of content databases by using Microsoft SQL Server Administration tools like SQL Server Management Studio.

Comparison of Backup Types and Scope


The tables below illustrate the different tools and levels of backup possible by using those tools. You are seeing a contrast of the different items that can be captured by using one or a combination of tools to define your strategy.


Functionality          SharePoint   Data Protection Manager   SQL
Farm                   Yes          Yes                       No
Configuration          Yes          No                        No
Content                Yes          Yes                       Yes
Service Applications   Yes          Yes                       No

Granular Backups
In SharePoint 2007, all granular backup and restore operations were only available by using STSADM. SharePoint 2010 has integrated granular backup and restore operations into both Central Administration and PowerShell. Granular backup operations can be performed from Central Administration or PowerShell. Granular restore operations are only available using PowerShell. SharePoint 2010 offers more flexible options in terms of what can be backed up and restored. It's possible to back up and restore site collections, sites, lists, document libraries, and items. The options for performing granular backups using Central Administration are:
- Perform a site collection backup.
- Export a site or list.
- Recover data from an unattached content database.

The granular backup and export architecture uses a Transact-SQL query and export calls. This process results in a more read-intensive and processing-intensive operation than farm backup. A farm backup will capture most of the information with regards to configuration and content in a SharePoint deployment. From the granular backup system, a user can back up a site collection, or export a site or list. If your database implementation is based on Microsoft SQL Server Enterprise Edition, the granular backup system can make use of SQL Server database snapshots to ensure that data remains consistent while the backup or export is in progress. When a snapshot is requested, the SQL Server database snapshot of the appropriate content database is taken. SharePoint Server uses it to create the backup or export package, and then the snapshot is deleted. Database snapshots and their originating database are linked. If for any reason the originating database were to become deleted or unavailable, this would affect the snapshot as well.

Additional Reading
To back up a site collection: http://go.microsoft.com/fwlink/?LinkID=197243&clcid=0x409
Back up a content database: http://go.microsoft.com/fwlink/?LinkID=197242&clcid=0x409


Protecting the Farm Using Backups

Key Points
It is recommended for your backup plan that you consider backing up the complete farm by including both the configuration and content. Regular backups of the farm will greatly reduce the possibility of data loss that is possible due to hardware failures, power outages, or other elements that may impact your environment. Performing a backup does not affect the state of the farm. It does require resources and has the potential to affect farm performance when the backup process is taking place.

Considerations
- To avoid performance issues, run backups of the farm during off hours.
- Backing up the farm backs up the configuration and Central Administration content databases, but these cannot be restored using Microsoft SharePoint Server 2010 tools.
- In order for SharePoint Server 2010 to back up remote Binary Large Objects (BLOBs), the FILESTREAM remote BLOB store provider needs to be used. This will allow for the BLOBs to be safely stored. If you are using another provider, you must manually back up the remote BLOB stores.
- The farm backup process does not back up any certificates that you used to form trust relationships. Ensure that you have copies of those certificates before you back up the farm. You must re-establish these trust relationships after restoring the farm.
- If you are using SQL Server with Transparent Data Encryption (TDE), and you are backing up your environment by using SharePoint tools or SQL Server tools, the TDE encryption key is not automatically backed up or restored. You must back up the key manually. When restoring, you must manually restore the key before restoring the data.
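
The manual TDE key backup called for above, as an added example that is not from the course: it finds every certificate that protects a TDE database encryption key on the instance and backs it up together with its private key. The instance name and output folder are placeholders, and the folder is assumed to exist on the SQL Server host with access limited to administrators.

```powershell
# Added example (not from the course). Save as a script and run it with a login that is
# a member of sysadmin on the instance. Covers certificate-protected keys only; keys
# protected by an asymmetric key in an EKM module are not listed by this query.
param(
    [string]$SqlInstance  = 'SQLSERVER01',   # placeholder: your SQL Server instance
    [string]$KeyBackupDir = 'E:\TdeKeys'     # placeholder: folder on the SQL Server host
)

# Quote a value as a T-SQL string literal (BACKUP CERTIFICATE does not accept parameters).
function ConvertTo-SqlLiteral([string]$s) { "'" + $s.Replace("'", "''") + "'" }

# The exported private key is encrypted with this password. Store the password
# separately from the key files and from the database backups.
$secure = Read-Host 'Password to protect the exported private keys' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlInstance;Database=master;Integrated Security=SSPI"
$conn.Open()
try {
    # Certificates in master whose thumbprint matches the encryptor of a database encryption key.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @'
SELECT DISTINCT c.name
FROM sys.dm_database_encryption_keys AS k
JOIN sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint
'@
    $certNames = @()
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) { $certNames += $reader.GetString(0) }
    $reader.Close()

    if ($certNames.Count -eq 0) {
        Write-Host "No certificate-protected TDE databases found on $SqlInstance."
        return
    }

    $stamp = Get-Date -Format 'yyyyMMdd'
    foreach ($name in $certNames) {
        # Paths are resolved on the SQL Server host, so build them without touching local drives.
        $cerFile = [IO.Path]::Combine($KeyBackupDir, "$name-$stamp.cer")
        $keyFile = [IO.Path]::Combine($KeyBackupDir, "$name-$stamp.pvk")
        $quoted  = '[' + $name.Replace(']', ']]') + ']'

        $cmd.CommandText = "BACKUP CERTIFICATE $quoted TO FILE = $(ConvertTo-SqlLiteral $cerFile) " +
            "WITH PRIVATE KEY (FILE = $(ConvertTo-SqlLiteral $keyFile), " +
            "ENCRYPTION BY PASSWORD = $(ConvertTo-SqlLiteral $plain))"
        [void]$cmd.ExecuteNonQuery()
        Write-Host "Backed up certificate $name to $cerFile and $keyFile"
    }
}
finally {
    $conn.Close()
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # wipe the plaintext copy
}
```

On the recovery server, the certificate is re-created in master from these two files with CREATE CERTIFICATE ... FROM FILE ... WITH PRIVATE KEY before the encrypted databases are restored.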

A farm backup will include all elements of the server farm. It is considered a full backup.


Considerations:
- Farm backups cannot be restored to other product versions.
- Downgrade and upgrade topologies with farm backup and restore are not possible.
- The destination farm must have the same topology as the original farm.

Additional reading
To back up a farm: http://go.microsoft.com/fwlink/?LinkID=197244&clcid=0x409


Backing Up Configuration Settings and Service Applications

Key Points
You should perform backups at the farm level; however, there are circumstances that may require you to perform certain types of backups that align more with business requirements, for example, configuration or service backups. When performing a farm backup, the configuration information is included, but you cannot recover the configuration data without performing a full farm restore. If the configuration changes and no other element within the farm is affected, then it is good practice to back up the configuration settings. Service application backups allow you to be granular in having only the needed services backed up. For example, Access Services is not critical, but the items for Excel Services are.

Configuration Backups and Service Application Backups


The configuration backup will extract and back up the configuration settings from a SharePoint Server 2010 configuration database. You can back up configuration from any configuration database, including the configuration database for the current farm, another farm, or a configuration database that is not associated with any farm. It is important to understand what is included when you create a configuration backup; for example, farm-level objects and settings are included. If the desired solution is to perform a backup of the configuration for a Web application, then the backup to execute is a content database backup. Another item to consider is to detach the content databases and perform a configuration backup to capture configuration settings.

Considerations:
- You cannot use SQL Server tools or Data Protection Manager (DPM) to back up the farm configuration.
- Backing up the farm configuration will not back up the information you have to have to restore service applications. If you want to restore a service application, you must perform a configuration and content backup of the farm or service application.
- When performing a service application backup for the first time, you need to use the Full option. This defines a marker so Differential backups can be used.

To perform a configuration backup by using Windows PowerShell


1. On the Start menu, click All Programs.
2. Click Microsoft SharePoint 2010 Products.
3. Click SharePoint 2010 Management Shell.
4. At the Windows PowerShell command prompt (that is, PS C:\>), type the following command, and then press Enter.

Backup-SPConfigurationDatabase -Directory <Backup folder> -DatabaseServer <Database server name> -DatabaseName <Database name> -DatabaseCredentials <PowerShell Credential Object> [-Verbose]

To perform a service application backup using Windows PowerShell


1. On the Start menu, click All Programs.
2. Click Microsoft SharePoint 2010 Products.
3. Click SharePoint 2010 Management Shell.
4. At the Windows PowerShell command prompt (that is, PS C:\>), type the following command, and then press Enter.

Backup-SPFarm -Directory <Backup folder> -BackupMethod {Full | Differential} -Item <Service application name> [-Verbose]


Protecting Customizations

Key Points
Customizations to SharePoint sites can include the following:
- Custom DLLs, assemblies that have been deployed to the global assembly cache (GAC)
- XML files used to configure feature or site definition XML files
- Master pages, page layouts, and cascading style sheets
- Web Parts, site or list definitions, custom columns, new content types, custom fields, custom actions, coded workflows, and workflow activities and conditions
- Third-party solutions and their associated binary files and registry keys, such as IFilters

Custom Site Definitions


The method that you use to back up customizations is defined by how your customizations are deployed, for example, in a centrally managed environment. A centrally managed environment is defined by having a change control or central process established to deploy any customizations. There is a lifecycle management process that allows them to be tested prior to being deployed to a production environment.


Working with Restore

Key Points
Once you have a valid backup, you have the ability to restore that backup to the same farm or to new server hardware. There are manual steps that you must perform following your restore operation to get the farm back up and running. In SharePoint 2010, most of the missing items have been added into the backup process, and you have fewer items that require manual setup after the restore.

Before you restore a SharePoint 2010 farm, ensure that the following requirements are met:
- To restore a farm by using the SharePoint Central Administration Web site, you must be a member of the Farm Administrators group.
- To restore a farm by using Windows PowerShell, you must be a member of the SharePoint_Shell_Access role on the configuration database and a member of the WSS_ADMIN_WPG local group on the computer where SharePoint 2010 Products is installed.
- The database server's SQL Server account, the Timer service account, and the Central Administration application pool account must have Read permissions to the backup locations.
- The database server's SQL Server account must be a member of the sysadmin fixed server role.
- Your login account must have Read permissions to the backup locations.
- Ensure that the SharePoint Foundation Administration service is started on all farm servers. By default, this service is not started on stand-alone installations.

Consider the following before you restore a farm:
- Restoring from one version of SharePoint Products and Technologies to a different version is not supported.
- After recovery, search might take as long as 15 minutes to be available again. It can take longer than 15 minutes if the search system has to crawl all the content again. If you back up and restore the complete service, the system does not have to perform a full crawl.


Using System Center Data Protection Manager

Key Points
System Center Data Protection Manager (DPM) delivers unified data protection for Microsoft Windows servers and clients as a backup and recovery solution for Windows environments. DPM 2010 provides protection and restore scenarios from disk, tape, and cloud in a scalable, manageable, and cost-effective way.

Benefits of implementing System Center Data Protection Manager:
- No need for a recovery farm
- Automatic protection of new content databases without the need for a consistency check
- Scheduling of the SharePoint catalog job, which enables item-level recovery

How DPM Protects SharePoint Data


After you have configured and created the initial baseline copy of data, DPM will routinely perform express full backups, which make use of the SharePoint VSS writer to identify which blocks have changed in the entire production farm and content database, and it will send only the updated blocks or fragments. This provides a complete and consistent image of the data files on the DPM server or appliance.

How DPM Can Help You Restore SharePoint Data


- Restore the SharePoint farm. The entire configuration from the farm and the content databases can be restored to the original servers, including the configuration database, administration content database, and the content databases that were backed up in the point-in-time selected.
- Restore a content database. DPM can restore a single content database to the SharePoint farm.
- Copy to a network folder or tape. For archival purposes, you can also take the files from SharePoint and restore them to a network folder for manual purposes or to their own tape for archival or delivery to an auditor.


Example
1. DPM initiates a database recovery to a recovery database server. This could be on the passive node in a SharePoint server cluster.
2. The production WFE used to protect the farm connects to the recovered database and begins the extraction process.
3. Content Migration API on the production WFE is used to export content from the unattached database.
4. Content Migration API is used again to import the package back into the SharePoint object hierarchy and associated SQL Server database in the production farm.


Lesson 3

Implementing High Availability Solutions

A highly available solution considers many factors that allow the implementation to achieve the expectations of your organization. Redundancy of services is essential to provide the best possible means of access for your users. The goal of a high availability solution is to provide continuous, long-term access to data. When analyzing such solutions, you must consider the needs of the business and the various technical and non-technical constraints that affect high availability solutions, including all factors that contribute to planned and unplanned downtime. In this lesson, you will learn and discuss how to implement solutions that mitigate those situations.

Objectives
After completing this lesson, you will be able to:
- Describe high availability.
- Describe SharePoint Roles and Services.
- Implement Load Balancing.
- Implement SQL Server Clustering.
- Implement SQL Server Database Mirroring.
- Implement Log Shipping.


Understanding High Availability

Key Points
Organizations have come to rely more and more on their Information Technology (IT) infrastructure to support their business needs. In many cases, an organization's server infrastructure provides applications or contains data that is critical to business operations. As a result, the availability of those applications and the retention and safety of that data must be managed to ensure business continuity through high availability and data recovery.

High availability refers to the ability of a server infrastructure to remain available and operable in the event of hardware, application, or service outages within the server infrastructure itself. Organizations that are required to meet service level agreements (SLAs) or that run applications critical to an organization's daily business typically use high availability solutions to achieve required server uptimes. This uptime value is often expressed as the number of 9s in the percentage of that server's total availability. It is not uncommon for companies to strive for five nines of uptime (99.999%), which equates to less than ten minutes per year of server downtime.

High availability typically involves multiple servers configured to perform the same role or provide similar services. If one of the servers experiences a hardware or software failure, the remaining servers continue to provide the services. SharePoint Server 2010 contains several features that assist you in maintaining high availability in your server infrastructure.


Understanding SharePoint Roles and Services

Key Points
SharePoint is a distributed platform consisting of services that run on servers in specific roles. The roles are identified as:
- Web front-end. Connection points for users, configured by using load balancing.
- Application Servers. Host service applications and can provide redundancy and load-balanced solutions.
- Database Server. Hosts the content and configuration databases for a SharePoint environment.

There are several solutions for implementing high availability. For example, the list below describes some of the possible solutions that can be used individually or combined to extend the scope of protection:
- Failover Clustering. Failover clustering allows for a group of servers to work together to provide a set of applications or services. The level of protection provided is at the server level.
- Database Mirroring. Microsoft SQL Server database mirroring is a software-based high availability solution that sends transactions directly from a principal database to a mirror database when the transaction log buffer for the principal database is written to disk. The level of protection provided here is at the database level and does not include system databases.
- Log Shipping. Log Shipping is a low-cost method of creating a standby server by using standard hardware. Log shipping works by initially restoring a full database backup of the database from the primary server to a secondary server, and then periodically applying transaction logs. The level of protection provided here is at the database level and does not include system databases.
- Database Snapshots. Database snapshots are read-only, static views of a database. Each database snapshot is transactionally consistent with the source database as of the moment of the snapshot's creation. Snapshots can be used in the event of a user error on a source database, because an administrator can revert the source database to the state it was in when the snapshot was created. Data loss is confined to updates to the database since the snapshot's creation. The level of protection provided here is at the database level and does not include system databases.


Working with Load Balancing

Key Points
Network Load Balancing (NLB) provides high availability and scalability for TCP/IP-based services, including Web servers, File Transfer Protocol (FTP) servers, and other mission-critical servers and services. In an NLB configuration, multiple servers run independently and do not share any resources. This group of servers is referred to as a cluster. Client requests are distributed among the servers, and in the event of a server failure, NLB detects the problem and distributes the load to another server. NLB allows you to increase network service performance and availability.

In terms of a SharePoint implementation, load balancing is the structuring and distribution of the Web front-end roles to maximize the experience the users will have when accessing the SharePoint site. Using multiple components with load balancing, instead of a single component, increases reliability through redundancy. The load balancing service is usually provided by dedicated software or a hardware-based device (such as a multilayer switch or a DNS server). It is commonly used to mediate internal communications in computer clusters, especially high-availability clusters. If the load on one server is high, a secondary server takes some of the load while the first server continues to process requests.

NLB typically provides the following features:
- High availability
- Performance
- Scalability


Implementing SQL Server Clustering

Key Points
Failover clustering allows for a group of servers to work together to provide a set of applications or services. Together, these servers provide a fault-tolerant configuration that continues to provide its applications and services, even if one of the servers in the cluster fails or becomes unavailable.

Failover clustering is another technology in Windows Server 2008 R2 that provides for high availability. In a failover cluster, a group of servers, or cluster, work together to increase the availability of a set of applications and services. Physical cables and software connect the clustered servers, referred to as nodes. If any of the cluster nodes fail, other nodes begin to provide service to clients (a process known as failover). With this method, system downtime is minimized and a high level of availability is provided.

Applications that are best suited for configuration in a failover cluster are applications that use a centralized set of data. Applications like Microsoft SQL Server, Microsoft Exchange Server, and services like Dynamic Host Configuration Protocol (DHCP), file and print, and Domain Name System (DNS) use centralized data sets and are therefore ideal for being configured as a failover cluster.

Failover Clustering Benefits


Failover clustering provides several benefits for mission-critical server and application deployments, including:
- Reduced downtime in the event of server failure
- Reduced downtime in the event of operating system failure
- Reduced downtime during periods of planned server maintenance

Applications or services that are added to a failover cluster must be cluster-aware in order to take advantage of the full benefits provided by failover clustering. Cluster-aware refers to the application's ability to register with the failover cluster in order to communicate with the cluster and take advantage of the cluster's features. SQL Server is a cluster-aware application.


SQL Server is a cluster-aware service that runs under Microsoft Windows Clustering. The cluster controls and monitors the database engine so that it can fail over to a partner node in the event of failure. A failover cluster instance appears as a server on the network, but has functionality that provides failover from one node to another if the current node becomes unavailable. For a SharePoint Server 2010 implementation, this is fully transparent and automatic.

Additional Reading
- Getting Started with SQL Server 2008 R2 Failover Clustering at http://go.microsoft.com/fwlink/?LinkID=197245&clcid=0x409
- Installing a SQL Server 2008 R2 Failover Cluster at http://go.microsoft.com/fwlink/?LinkID=197246&clcid=0x409


Implementing SQL Server Database Mirroring

Key Points
Microsoft SQL Server database mirroring is defined as a software-based high availability solution that sends transactions directly from a principal database to a mirror database when the transaction log buffer for the principal database is written to disk.

To implement SQL Server Database Mirroring on a Microsoft SharePoint Server 2010 farm, you implement the high availability database mirroring capability, also known as high safety mode with automatic failover. In order to implement the high availability database mirroring configuration, you will define three server instances: a principal, a mirror, and a witness. The witness server enables SQL Server to automatically fail over from the principal server to the mirror server. While there is only one witness server in this configuration, in the event of witness failure, the servers in the configuration would establish quorum and continue with the operations. Failover from the principal database to the mirror database typically takes several seconds.

In a SharePoint Server 2010 farm, SQL Server Database Mirroring provides redundancy for the content and configuration databases. It can also be configured for service databases.

Database Mirroring and SharePoint 2010


In SharePoint Server 2010, support for database mirroring is provided natively, enabling seamless and automatic failover. SharePoint Server 2010 has an ADO.NET connection object, so in the event the primary connection string cannot connect, the ADO.NET connection string object will attempt the secondary connection string. The failover time will vary depending on a number of conditions that include network conditions. However, in most instances, when operating in the high availability mode, the connection at the SQL layer is updated within seconds, which minimizes the impact of failover on end users. In High Safety and High Performance operating modes, ADO.NET will attempt the primary connection string until the specified timeout threshold has been reached, prior to attempting the secondary connection string.


Configuration

Central Administration in SharePoint 2010 provides an entry point that configures the failover partner for the database mirroring configuration.

Note: Configuration databases do not have an entry point to configure database mirroring. You can use Windows PowerShell to configure the failover partner.

Additional Reading
- Configure availability by using SQL Server database mirroring at http://go.microsoft.com/fwlink/?LinkID=197247&clcid=0x409
- Sample script for configuring SQL Server database mirroring at http://go.microsoft.com/fwlink/?LinkID=197248&clcid=0x409


Implementing Log Shipping

Overview
Log shipping is a low-cost method of creating a standby server by using standard hardware. Log shipping works by initially restoring a full database backup of the database on the primary server to a secondary server, and then periodically applying transaction logs from the primary server to the standby system. Log shipping is available for user databases but not system databases.

Operations and Roles


Log shipping is a high-availability technique in which the primary server's transaction log is restored periodically to a standby server. You can schedule the log backups to occur at a frequency that best suits your availability and performance requirements. In addition to providing redundancy, the standby server can be used for read-only queries to alleviate some of the load from the primary server.

In the event that the primary server fails, automatic failover does not take place. You must promote the standby server manually and reconfigure all clients to connect to it. If a more automated solution is required, you should consider database mirroring or server clustering.

Optionally, you can create a monitor server. The monitor server logs any problems with log shipping and lists the last backup and restore operations. Monitor servers should be separate from the primary and standby servers in case one of the servers fails.

Combining Database Mirroring and Log Shipping


A given database can be mirrored or log shipped. It can also be simultaneously mirrored and log shipped. To choose which approach to use, consider the following:
- How many destination servers do you require? If you require only a single destination database, database mirroring is the recommended solution. If you require more than one destination database, you need to use log shipping, either alone or with database mirroring. Combining these approaches gives you the benefits of database mirroring along with the support for multiple destinations provided by log shipping.
- If you need to delay restoring a log on the destination database (typically to protect against logical errors), use log shipping, alone or with database mirroring.

Additional Reading
- Configure availability by using SQL Server database mirroring at http://go.microsoft.com/fwlink/?LinkID=197247&clcid=0x409
- Sample script for configuring SQL Server database mirroring at http://go.microsoft.com/fwlink/?LinkID=197248&clcid=0x409


Lab A: Implementing a Backup Strategy

Scenario
The Contoso SharePoint governance plan requires that sites be backed up regularly. You have been asked to demonstrate the out of box backup functionality of SharePoint Server 2010, and to create an automated, nightly backup of the SharePoint farm.

Start the virtual machines.


1. Start 10174A-CONTOSO-DC-E.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-E.


Exercise 1: Backing Up SharePoint Using Central Administration


In this exercise, you will use the out of box backup operation in Central Administration to back up the intranet Web application. The main tasks for this exercise are as follows:
1. Create a backup share.
2. Back up a Web application with Central Administration.

Task 1: Create a backup share.


Log on to SP2010-WFE1 as CONTOSO\SP_Admin with password, Pa$$w0rd.

Create a new folder, C:\SharePointBackup.

Assign NTFS permissions that allow the Users group Full Control.

Share the folder with the share name, SharePointBackup, and with share permissions that allow the Everyone group Full Control.

Note: In a production environment, you should configure NTFS permissions that ensure the least privilege access to the folder. The service account that performs the backup operation should be given Full Control permission to the backup share.
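The production note above, as an added example that is not part of the courseware: a PowerShell script that replaces the lab's Users and Everyone grants with grants for only the accounts that write backups, then checks that no broad group still has rights on the folder. CONTOSO\SP_Farm is the account the lab later uses to run the scheduled backup; CONTOSO\SQL_Service is a hypothetical placeholder for the SQL Server service account, and the function names are this example's own.

```powershell
# Added example, not courseware code. Run elevated on the server that hosts the
# backup folder. Compatible with Windows PowerShell 2.0.

$BackupPath = 'C:\SharePointBackup'      # folder created in Task 1
$ShareName  = 'SharePointBackup'         # share created in Task 1
# Accounts that write backup files. CONTOSO\SP_Farm is the lab's farm account;
# CONTOSO\SQL_Service is a hypothetical placeholder for the SQL Server service account.
$BackupWriters = @('CONTOSO\SP_Farm', 'CONTOSO\SQL_Service')

# Well-known SIDs of broad groups that should hold no rights on backup data.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadBackupAce {
    # Lists Allow entries (explicit and inherited) held by any broad group.
    param([string]$Path)
    $acl     = Get-Acl -Path $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid)) {
            New-Object PSObject -Property @{
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Set-BackupFolderAcl {
    # Rebuilds the folder ACL: SYSTEM, Administrators and the backup writers only.
    param([string]$Path, [string[]]$Writers)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent folder and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every explicit entry, including the lab's Users: Full Control grant.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in @($acl.GetAccessRules($true, $false, $sidType))) {
        [void]$acl.RemoveAccessRuleAll($ace)
    }
    $grantees  = @()
    $grantees += New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')      # SYSTEM
    $grantees += New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')  # Administrators
    foreach ($w in $Writers) {
        $grantees += New-Object System.Security.Principal.NTAccount($w)
    }
    foreach ($id in $grantees) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Reset-BackupShare {
    # Recreates the share so that the lab's Everyone: Full Control grant is dropped.
    param([string]$Name, [string]$Path, [string[]]$Writers)
    & net.exe share $Name /delete 2>$null | Out-Null
    $grants = $Writers | ForEach-Object { "/GRANT:$_,FULL" }
    & net.exe share "$Name=$Path" $grants
    if ($LASTEXITCODE -ne 0) { throw "net share failed with exit code $LASTEXITCODE" }
}

'Broad grants before hardening:'
Get-BroadBackupAce -Path $BackupPath | Format-Table -AutoSize

Set-BackupFolderAcl -Path $BackupPath -Writers $BackupWriters
Reset-BackupShare -Name $ShareName -Path $BackupPath -Writers $BackupWriters

# Verify: the folder must no longer grant anything to a broad group.
if (Get-BroadBackupAce -Path $BackupPath) {
    throw 'Broad NTFS grants remain on the backup folder.'
}
'Backup folder and share are restricted to the backup accounts.'
```

The backup files hold complete copies of the content databases, so any account that can read this folder can read all site content regardless of SharePoint permissions.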

Task 2: Back up a Web application with Central Administration.


Open SharePoint 2010 Central Administration, click the Backup and Restore link, and then browse to the Perform a Backup page.

Observe the components that can be backed up:
- Farm
- Various solutions and services
- Microsoft Office InfoPath Forms Services
- SharePoint Server State Service
- Microsoft SharePoint Foundation Web Application(s)
- WSS_Administration
- SharePoint Server State Service Proxy
- SPUserCodeV4
- Global Search Settings
- Application Registry Service
- Shared Services

Perform a full backup of the Web application, SharePoint intranet.contoso.com80, to the backup share, \\SP2010-WFE1.contoso.com\SharePointBackup.

The Backup and Restore Job Status page opens. The page refreshes every few seconds. You can click Refresh to refresh the page manually.

Wait until Phase shows as Completed.

Note: The backup operation may complete with warnings. This is expected in this lab. You may continue to the next step.


Results: After this exercise, you should have backed up the intranet Web application using Central Administration.


Exercise 2: Investigating SharePoint Backup Logs and Files


When you backed up the intranet Web application, you noticed that a warning was generated. In this exercise, you will investigate the files and logs in the backup share to identify the cause of the warning. The main tasks for this exercise are as follows:
1. Examine the backup folder.
2. Identify backup warnings and errors in the backup log.

Task 1: Examine the backup folder.


Switch to Microsoft Windows Explorer and browse to C:\SharePointBackup, and then open the file, spbrtoc.xml, in Microsoft Notepad. Examine the file, which is similar to the following.
<?xml version="1.0" encoding="utf-8"?>
<SPBackupRestoreHistory>
  <SPHistoryObject>
    <SPId>GUID of operation</SPId>
    <SPRequestedBy>CONTOSO\SP_Admin</SPRequestedBy>
    <SPBackupMethod>Full</SPBackupMethod>
    <SPRestoreMethod>None</SPRestoreMethod>
    <SPStartTime>Start Date and time</SPStartTime>
    <SPFinishTime>End Date and time</SPFinishTime>
    <SPIsBackup>True</SPIsBackup>
    <SPConfigurationOnly>False</SPConfigurationOnly>
    <SPBackupDirectory>\\SP2010-WFE1.contoso.com\SharePointBackup\spbr0000\</SPBackupDirectory>
    <SPDirectoryName>spbr0000</SPDirectoryName>
    <SPDirectoryNumber>0</SPDirectoryNumber>
    <SPTopComponent>Farm\Microsoft SharePoint Foundation Web Application\SharePoint intranet.contoso.com80</SPTopComponent>
    <SPTopComponentId>GUID of top component</SPTopComponentId>
    <SPWarningCount>1</SPWarningCount>
    <SPErrorCount>0</SPErrorCount>
  </SPHistoryObject>
</SPBackupRestoreHistory>

Locate the SPHistoryObject element. This element describes the backup operation, and is used during a restore operation.

Locate the SPBackupDirectory element. This element is a reference to the folder in which the backup files are stored.

Locate the SPWarningCount and SPErrorCount elements. These elements report warnings and errors.

Close Notepad.

Open the spbr0000 folder, and then observe the backup (*.bak) files in the folder.

Open the file, Spbackup.xml, in Notepad. Examine the file. This file contains attributes related to the backup operation and to each of the components. It is used during a restore operation. You should not modify, delete, or rename the Spbackup.xml file.

Close Notepad.

Task 2: Identify backup warnings and errors in the backup log.


Open the file, Spbackup.log, in Notepad.


Examine the log. Observe that each of the backup operations is listed, including the T-SQL commands that were sent to SQL Server.

Observe the last lines of the log, which indicate that the backup completed and summarize the number of warnings and errors.

Navigate to the top of the log, and then use the Find command to find the text, Warning:.

Tip: Include the colon.

Write down the warning message.

Navigate to the top of the log, and then use the Find command to find the text, BACKUP DATABASE. Observe the command that was sent to SQL Server to back up one of the SharePoint databases. Answer the following questions:
- Which SharePoint database was backed up?
- Which database backup (.bak) file in the backup folder contains that SharePoint database?

Repeat step 5 to identify the database backup file that contains the backup of the WSS_Content_IT database.

Close Notepad.

Results: After this exercise, you should have investigated the files and logs in the SharePoint backup share. You should also have identified the database that is a backup of the SQL database, WSS_Content_IT.
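The manual inspection of spbrtoc.xml in this exercise can be turned into a repeatable check. The following is an added example, not part of the courseware: it reads the history file and reports every backup or restore operation that finished with warnings or errors, was requested by an account outside an expected list, or whose folder lacks its Spbackup.xml or Sprestore.xml file. The sample XML is constructed from the structure shown in Task 1; the account CONTOSO\TempUser, the restore method value, and the function names are assumptions of this example.

```powershell
# Added example, not courseware code. Compatible with Windows PowerShell 2.0.

# Constructed sample history in the structure shown in Task 1 (GUIDs and times omitted).
$SampleToc = @'
<?xml version="1.0" encoding="utf-8"?>
<SPBackupRestoreHistory>
  <SPHistoryObject>
    <SPRequestedBy>CONTOSO\SP_Admin</SPRequestedBy>
    <SPBackupMethod>Full</SPBackupMethod>
    <SPRestoreMethod>None</SPRestoreMethod>
    <SPIsBackup>True</SPIsBackup>
    <SPBackupDirectory>\\SP2010-WFE1.contoso.com\SharePointBackup\spbr0000\</SPBackupDirectory>
    <SPTopComponent>Farm\Microsoft SharePoint Foundation Web Application\SharePoint intranet.contoso.com80</SPTopComponent>
    <SPWarningCount>1</SPWarningCount>
    <SPErrorCount>0</SPErrorCount>
  </SPHistoryObject>
  <SPHistoryObject>
    <SPRequestedBy>CONTOSO\TempUser</SPRequestedBy>
    <SPBackupMethod>None</SPBackupMethod>
    <SPRestoreMethod>Overwrite</SPRestoreMethod>
    <SPIsBackup>False</SPIsBackup>
    <SPBackupDirectory>\\SP2010-WFE1.contoso.com\SharePointBackup\spbr0001\</SPBackupDirectory>
    <SPTopComponent>Farm</SPTopComponent>
    <SPWarningCount>0</SPWarningCount>
    <SPErrorCount>2</SPErrorCount>
  </SPHistoryObject>
</SPBackupRestoreHistory>
'@

function Get-ChildText {
    # Returns the trimmed text of a named child element, or $null if it is absent.
    param($Node, [string]$Name)
    $child = $Node.SelectSingleNode($Name)
    if ($child -eq $null) { return $null }
    $child.InnerText.Trim()
}

function Get-SPBackupHistoryFinding {
    param(
        [Parameter(Mandatory=$true)][string]$TocXml,
        # Accounts allowed to run backup or restore; both names appear in the lab.
        [string[]]$ExpectedAccounts = @('CONTOSO\SP_Admin', 'CONTOSO\SP_Farm'),
        # Also confirm that Spbackup.xml or Sprestore.xml exists in each folder.
        [switch]$CheckFiles
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null      # do not resolve external DTDs or entities
    $doc.LoadXml($TocXml)

    foreach ($op in $doc.SelectNodes('/SPBackupRestoreHistory/SPHistoryObject')) {
        $isBackup = (Get-ChildText $op 'SPIsBackup') -eq 'True'
        $by       = Get-ChildText $op 'SPRequestedBy'
        $dir      = Get-ChildText $op 'SPBackupDirectory'
        $issues   = @()

        foreach ($counter in 'SPErrorCount', 'SPWarningCount') {
            $n = 0
            if (-not [int]::TryParse((Get-ChildText $op $counter), [ref]$n)) {
                $issues += "$counter missing or not numeric"
            } elseif ($n -gt 0) {
                $issues += "$counter=$n"
            }
        }
        # -notcontains compares account names case-insensitively.
        if ($ExpectedAccounts -notcontains $by) {
            $issues += "requested by unexpected account '$by'"
        }
        if ($CheckFiles) {
            $manifest = if ($isBackup) { 'Spbackup.xml' } else { 'Sprestore.xml' }
            if (-not $dir -or -not (Test-Path (Join-Path $dir $manifest))) {
                $issues += "$manifest not found in '$dir'"
            }
        }
        $method = if ($isBackup) { Get-ChildText $op 'SPBackupMethod' }
                  else { Get-ChildText $op 'SPRestoreMethod' }
        New-Object PSObject -Property @{
            Operation   = $(if ($isBackup) { 'Backup' } else { 'Restore' })
            Method      = $method
            RequestedBy = $by
            Directory   = $dir
            Component   = Get-ChildText $op 'SPTopComponent'
            Issues      = ($issues -join '; ')
        } | Select-Object Operation, Method, RequestedBy, Directory, Component, Issues
    }
}

# Report only the operations that need attention. Against the lab share, pass
# -TocXml ([IO.File]::ReadAllText('C:\SharePointBackup\spbrtoc.xml')) -CheckFiles
Get-SPBackupHistoryFinding -TocXml $SampleToc |
    Where-Object { $_.Issues } |
    Format-List
```

For any operation reported with a non-zero count, search the Spbackup.log or Sprestore.log file in the listed folder for the text Warning: as described in Task 2.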


Exercise 3: Automating SharePoint Backup Using Windows PowerShell


In this exercise, you will use Windows PowerShell and the Windows Task Scheduler to automate the nightly backup of your SharePoint farm. The main tasks for this exercise are as follows:
1. Create a backup script.
2. Schedule the backup script.
3. Test the scheduled backup task.
4. Monitor the backup operation.

Task 1: Create a backup script.


Create a new folder, C:\Scripts.

Create a script named C:\Scripts\Backup.ps1, with the following text.

# Load the SharePoint cmdlets into this PowerShell session
Add-PSSnapin Microsoft.SharePoint.PowerShell
# Full backup of the farm to the backup share
Backup-SPFarm -directory \\SP2010-WFE1.contoso.com\SharePointBackup -backupmethod Full

Task 2: Schedule the backup script.


Create a scheduled task using the following specifications:
- Task name: Backup SharePoint FULL
- Description: Back up the SharePoint farm
- Schedule: Daily at 1:00 a.m.
- Action: Start the program PowerShell.exe with the argument C:\Scripts\backup.ps1.
- Run the script as Contoso\SP_Farm and choose the option to Run whether user is logged on or not.
- Run with highest privileges.
- Provide Pa$$w0rd as the password.

Task 3: Test the scheduled backup task.


Run the task, Backup SharePoint FULL.

Open the C:\SharePointBackup folder. You should see another set of backups get loaded into the file share.

Note: The operation to perform a full backup of the entire farm takes several minutes to complete.

Tip: You may continue to the next task.

Task 4: Monitor the backup operation.


Switch to SharePoint 2010 Central Administration, and then browse to the Backup and Restore Job Status page.


Refresh the page and examine the information that is presented on the page.

Browse to the Backup and Restore History, and then examine the information that is presented.

Return to the Backup and Restore Job Status page, and then wait for the Phase to be Completed before continuing to the next lab.

Close all open applications and windows.

Results: After this exercise, you should have created a backup script using Windows PowerShell and scheduled the script to run nightly.

Do not turn off the virtual machines.


Allow the backup operation to continue until it has completed. You will use the same virtual machines in the next lab to perform restore operations.


Lab B: Implementing a Restore Strategy

Scenario
You have recently configured an automated, nightly backup of your SharePoint farm. The SharePoint governance policy requires you to test your backups every 60 days. You have been tasked with testing the most recent backup by restoring it to a staging environment. You must also verify that you can perform a partial restore of a site collection, site, and list.


Exercise 1: Restoring a Web Application Using Central Administration


In this exercise, you will test the integrity of the most recent backup by restoring a Web application using Central Administration. The main tasks for this exercise are as follows:
1. Delete a web application.
2. Test the deleted web application.
3. Restore a web application using Central Administration.
4. Verify the restored web application.

Task 1: Delete a web application.


Open SharePoint 2010 Central Administration, click Application Management, and then browse to the Web Applications Management page.

Delete the web application, SharePoint - intranet.contoso.com80, including its content databases and IIS Web sites.

Task 2: Test the deleted web application.


Open Microsoft Internet Explorer, and then browse to http://intranet.contoso.com/sites. An error page opens.

Task 3: Restore a web application using Central Administration.


Switch to SharePoint 2010 Central Administration, and then browse to the Restore from Backup page.

Select the most recent Farm backup, and then click Next.

Select the SharePoint - intranet.contoso.com80 Web application to restore, and then click Next.

Select the Same configuration restore option, and configure the login password for the CONTOSO\SP_ServiceApp account as Pa$$w0rd.

Start the restore operation. Monitor its status until the Phase shows as Completed.

Task 4: Verify the restored web application.


Switch to Internet Explorer, and then browse to http://intranet.contoso.com. Verify that the intranet site opens.

Results: After this exercise, you should have deleted and then restored a SharePoint web application.


Exercise 2: Investigating SharePoint Restore Logs and Files


When you performed the restore of the intranet Web application, you noticed that warnings were reported. In this exercise, you will investigate the restore logs to identify the cause of these warnings. The main tasks for this exercise are as follows:
1. Examine the backup folder.
2. Identify restore warnings and errors in the restore log.

Task 1: Examine the backup folder.


Open the SharePoint backup folder, and then open the file, Spbrtoc.xml, in Notepad.

Examine the file to discover the following:
- Identify the SPHistoryObject element that describes the restore operation.
- Locate the SPRestoreMethod element. This element describes the type of restore operation that was performed.
- Locate the SPBackupDirectory element. This element is a reference to the folder in which the backup files are stored.
- Locate the SPTopComponent element. This element describes the top level component of the farm that was restored.
- Locate the SPWarningCount and SPErrorCount elements. These elements report warnings and errors. The same count was shown on the timer job status page in the previous task.

Close Notepad.

Open the spbr0001 folder.

Open the file, Sprestore.xml, in Notepad. Examine the file. This file contains attributes related to the restore operation and to each of the components. You should not modify, delete, or rename the Sprestore.xml file.

Close Notepad.

Task 2: Identify restore warnings and errors in the restore log.


Open the file, Sprestore.log, in Notepad.

Observe the last lines of the log, which indicate that the backup completed and summarize the number of warnings and errors.

Navigate to the top of the log, and then use the Find command to find the text, Progress: Starting Restore. This step locates the beginning of the restore operation.

Navigate to the top of the log, and then use the Find command to find the text, Warning:.

Tip: Include the colon.

Write down the warning message.


Navigate to the top of the log, and then use the Find command to find the text, RESTORE DATABASE. Observe the command that was sent to SQL Server to back up one of the SharePoint databases. Answer the following questions:
- Which SharePoint database was backed up?
- Which database backup (.bak) file in the backup folder contains that SharePoint database?

Close Notepad.

Results: After this exercise, you should have investigated the restore logs in the SharePoint backup share.


Exercise 3: Performing a Partial Restore


In this exercise, you will perform and validate partial restore operations on SharePoint lists and libraries. The main tasks for this exercise are as follows:
1. Restore a content database.
2. Delete a document library.
3. Export a document library from an unattached content database.
4. Restore a deleted document library.
5. Validate the restored document library.
6. Delete a list.
7. Export a list from an unattached content database.
8. Restore a deleted list.
9. Validate the restored list.

Task 1: Restore a content database.


- Open SQL Server Management Studio as Contoso\Administrator with the password of Pa$$w0rd.
- Right-click Databases, and then click Restore Database.
- In the To Database box, type WSS_Content_Intranet_IT_Backup.
- Click From device, and then select C:\SharePointBackup\spbr0000\000000xx.bak, where 000000xx.bak is the backup of the WSS_Content_Intranet_IT database that you identified in Lab A, Exercise 2, Task 2.
- In the Select the backup sets to restore box, select the check box next to WSS_Content_Intranet_IT.
  Tip: If you do not see WSS_Content_Intranet_IT listed, it is because you did not restore the correct database. Return to Lab A, Exercise 2, Task 2 to identify the database that contains WSS_Content_Intranet_IT. Then repeat Task 1 of this exercise.
- Perform the restore operation.

Task 2: Delete a document library.


Switch to the instance of Internet Explorer that displays the intranet site. Browse to http://intranet.contoso.com/sites/IT, and then delete the Shared Documents document library.

Task 3: Export a document library from an unattached content database.


- Switch to SharePoint 2010 Central Administration, click the Backup and Restore link, and then browse to the Unattached Content Database Recovery page.
- Perform an export with the following specifications:
  - Database name: WSS_Content_Intranet_IT_Backup
  - Object: /sites/it/Shared Documents
  - Export to filename: \\SP2010-WFE1.contoso.com\SharePointBackup\ITSharedDocuments.cmp
  - Export full security

After you start the export, monitor the Granular Backup Job Status page until the job is complete.


Task 4: Restore a deleted document library.


- Open SharePoint 2010 Management Shell as Contoso\SP_Farm with the password of Pa$$w0rd. To do this, hold down the SHIFT key, right-click SharePoint 2010 Management Shell, and then click Run as different user.
- To import the document library, type the following command:

Import-SPWeb -identity http://intranet.contoso.com/Sites/IT -path c:\SharePointBackup\ITSharedDocuments.cmp

Task 5: Validate the restored document library.


Switch to the instance of Internet Explorer that displays the Information Technology Dept Web. Confirm that the Shared Documents document library is restored.

Task 6: Delete a list.


Delete the Announcements list.

Task 7: Export a list from an unattached content database.


- Switch to SharePoint 2010 Central Administration, and then browse to the Unattached Content Database Recovery page.
- Perform an export with the following specifications:
  - Database name: WSS_Content_Intranet_IT_Backup
  - Object: /sites/it/Announcements
  - Export to filename: \\SP2010-WFE1.contoso.com\SharePointBackup\ITAnnouncements.cmp
  - Export full security

After you start the export, monitor the Granular Backup Job Status page until the job is complete.

Task 8: Restore a deleted list.


- Switch to SharePoint 2010 Management Shell.
- To import the list, type the following command:

Import-SPWeb -identity http://intranet.contoso.com/Sites/IT -path c:\SharePointBackup\ITAnnouncements.cmp

Task 9: Validate the restored list.


Switch to the instance of Internet Explorer that displays the Information Technology Dept Web. Confirm that the Announcements list is restored.

Results: After this exercise, you should have restored a deleted SharePoint document library and list.

To prepare for the next module.


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: On the host computer, start Microsoft Hyper-V Manager. Right-click the virtual machine name in the Virtual Machines list, and then click Revert. In the Revert Virtual Machine dialog box, click Revert.


Module Review

Review Questions
1. What tools can be used to back up SharePoint 2010 out of the box?
2. Is there an advantage to combining multiple high availability technologies?


Module 14
Monitoring and Optimizing SharePoint Performance
Contents:
Lesson 1: Monitoring Logs
Lesson 2: Configuring SharePoint Health Analyzer
Lesson 3: Configuring Usage Reports and Web Analytics
Lesson 4: Monitoring and Optimizing SharePoint Performance
Lab A: Configuring SharePoint Monitoring
Lab B: Analyzing SharePoint Health
Lab C: Reporting SharePoint Usage


Module Overview

This module explores the activities you need to perform to have a well-tuned Microsoft SharePoint deployment. Using the monitoring capabilities that SharePoint provides, and configuring them to get the most out of the information they gather, helps you better understand what is happening in your environment.

Lesson 1 describes the elements needed to establish a performance baseline by using the Unified Logging Service (ULS). Lesson 2 describes how SharePoint can keep track of its health, and how you can configure what to keep track of and any actions needed to recover from a potential error condition. Lesson 3 explores the out-of-the-box reports that present usage as counters and values, enabling you to make informed decisions based on the situations users are experiencing when using SharePoint Server. Lesson 4 provides guidelines for determining the running values and establishing a baseline for your environment, so that you fully understand recommended practices and can determine how they fit into your deployment.

Objectives
After completing this module, you will be able to:
- Use monitoring logs to establish a baseline for performance monitoring.
- Configure SharePoint Health Analyzer.
- Configure both usage reports and web analytics.
- Monitor your SharePoint servers' performance and optimize them.


Lesson 1

Monitoring Logs

From time to time, situations arise with server performance or behavior that require you to log information to troubleshoot your SharePoint deployment. To gather useful information and have relevant data to interpret, it is important to understand the Unified Logging Service, or ULS. This service provides a unified approach to retrieving log data, and the different areas and tools to work with to make the most out of logging information.

Objectives
After completing this lesson, you will be able to:
- Configure diagnostic logging.
- Administer ULS log files.
- View and interpret administrative reports.


Configuring Diagnostic Logging

Key Points
Following deployment, it might be necessary for you to configure the diagnostic logging settings of your SharePoint Server 2010 environment. The guidelines in the following list can help you form best practices for your specific environment.
- Change the drive that logging writes to. Diagnostic logging is configured by default to write to the same location where SharePoint is installed; this can adversely affect performance because of the amount of data being written to the log.
- Restrict log disk space usage. By default, there is no limit on the amount of disk space logging can use; however, you can configure a size-based restriction so that when the limit is reached, the oldest logs are removed and new logging data is recorded.
- Use the Verbose setting sparingly. You can configure diagnostic logging to record verbose-level events. This can produce a very large volume of data because it writes every possible action SharePoint performs. You can use verbose-level logging to record a greater level of detail when you are making critical changes, and then reconfigure logging to record only higher-level events after you make the change.
  Note: In SharePoint Central Administration, a logging level that differs from its default value is shown in bold type.
- Back up logs. The diagnostic logs contain important data. Back them up regularly to make sure that this data is preserved. Enabling restrictions causes the logs to be overwritten and possibly deleted. The true value of logs, however, is presented by the information you can access during critical events. This is an option to implement for organizational purposes where log archival is required.
- Enable event log flooding protection. Enabling event log flooding protection configures the system to detect repeating events in the Microsoft Windows event log. This set of values is configurable through Windows PowerShell.
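The guidelines above map onto a small set of farm-level settings. The following is an added example, not part of the course material, that applies them with Windows PowerShell and then opens and closes a temporary verbose window around a change. The D:\Logs path, the 10 GB cap, and the 14-day retention value are assumptions chosen for illustration; the log location must exist on every server in the farm.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell as a farm administrator.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# 1. Record the current settings so the change can be reviewed or rolled back.
Get-SPDiagnosticConfig |
    Format-List LogLocation, LogMaxDiskSpaceUsageEnabled, LogDiskSpaceUsageGB,
                DaysToKeepLogs, EventLogFloodProtectionEnabled

# 2. Move the trace logs off the system drive, cap their disk usage, set a
#    retention period, and enable event log flood protection.
#    Assumed values: D:\Logs, 10 GB, 14 days.
Set-SPDiagnosticConfig -LogLocation 'D:\Logs' `
                       -LogMaxDiskSpaceUsageEnabled:$true `
                       -LogDiskSpaceUsageGB 10 `
                       -DaysToKeepLogs 14 `
                       -EventLogFloodProtectionEnabled:$true

# 3. Temporary verbose window around a critical change.
New-SPLogFile                       # start a fresh trace file on this server
Set-SPLogLevel -TraceSeverity Verbose -EventSeverity Verbose
try {
    # ... make the change that needs detailed logging here ...
}
finally {
    Clear-SPLogLevel                # return every category to its default level
    New-SPLogFile                   # close the verbose file so it can be archived
}

# 4. Confirm that no category is still logging at Verbose.
Get-SPLogLevel | Where-Object { $_.TraceSeverity -eq 'Verbose' }
```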


Administering Unified Logging Service Logs

Key Points
The concept of a unified logging service is not new to SharePoint Server 2010; however, the level of control and information you can gather is. The trace logs hold valuable information about the activity that occurs in a SharePoint deployment. By default, the logs are stored in the LOGS directory under the path C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14. A recommended best practice is to change this path to one that is meaningful to your deployment. It is also a good idea to move the logs off the C drive to save space there. SharePoint gets very fussy if the C drive becomes full. It is also important to note that if you do move the logs off your C drive, all members of your farm must have this alternate location. If you move them to D:\Logs, every farm member has to have a D drive.

When working with users and trace logs to troubleshoot any errors, it is important to introduce users to the value of correlation IDs. Correlation IDs are globally unique identifiers (GUIDs) that appear when an error occurs on an attempt to access a resource through a browser. The correlation ID is useful for tracking the event in the trace logs. Correlation IDs can appear even if there isn't an error, such as in the Developer Dashboard. They can also be used in Microsoft SQL Server Profiler traces, not just the browser. Also, correlation IDs are farm-wide, so a conversation that hits multiple servers has the same correlation ID in each server's logs.

Here are recommended practices for logging:
- Use non-system drives that are write-optimized to store the ULS logs.
- Rely on correlation IDs to isolate problems as they occur.
- Implement a logging policy that defines retention periods.


Windows PowerShell Log Management


You have several options for managing information from the ULS logs. Among these options are using Microsoft Office Excel and taking advantage of its sorting and filtering options. Another option is to use the ULS viewer, available for download from http://go.microsoft.com/fwlink/?LinkID=197196

Also, in SharePoint 2010, you can use the following Windows PowerShell cmdlets to gather information. You can retrieve specific details of a cmdlet by executing the following command: Get-Help <cmdlet to use>. This provides you with a documentation view of the command.

| Cmdlet | Description |
|---|---|
| Set-SPDiagnosticConfig | Sets diagnostic settings on the farm |
| Get-SPDiagnosticConfig | Retrieves ULS diagnostic configuration values of the farm |
| Get-SPLogLevel | Returns a list of objects or diagnostic levels |
| Set-SPLogLevel | Sets the trace and event levels for a set of categories |
| Clear-SPLogLevel | Resets the Windows trace logging and event logging levels to their default values |
| New-SPLogFile | Creates a new trace log file on the server, closing out the current one |
| Merge-SPLogFile | Creates a timer job that collects the trace logs from all the computers in the farm and saves them to a single file on the local computer |

Additional Reading
Logging and events cmdlets at http://go.microsoft.com/fwlink/?LinkID=197197
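Because a correlation ID is the same in every server's trace log, one request can be followed across the farm by filtering on it. The following is an added example, not part of the course material: it filters trace log lines from two servers by correlation ID and orders the result by time. The log lines, server names, and GUID are constructed, and the nine-column tab-delimited layout is an assumption about the trace log format.

```powershell
# Added example, written for PowerShell 2.0. No farm is needed to run it.
function Get-UlsEventsByCorrelation {
    param(
        [Parameter(Mandatory=$true)][string[]]$Line,
        [Parameter(Mandatory=$true)][string]$CorrelationId,
        [string]$Source = 'local'
    )
    $wanted = ([guid]$CorrelationId).ToString()      # validates and normalizes the ID
    foreach ($l in $Line) {
        $f = @($l -split "`t")
        if ($f.Count -lt 9) { continue }             # not a complete trace record
        $corr = $f[$f.Count - 1].Trim()              # correlation is the last column
        if ($corr -ne $wanted) { continue }          # -ne compares case-insensitively
        $stamp = $f[0].Trim().TrimEnd('*')           # '*' marks a continued message
        New-Object PSObject -Property @{
            Time     = [datetime]::Parse($stamp, [Globalization.CultureInfo]::InvariantCulture)
            Source   = $Source
            Process  = $f[1].Trim()
            Category = $f[4].Trim()
            Level    = $f[6].Trim()
            Message  = ($f[7..($f.Count - 2)] -join ' ').Trim()
        }
    }
}

# Constructed sample data: two servers, one request, one unrelated event.
$t  = "`t"
$id = '11111111-2222-3333-4444-555555555555'         # constructed correlation ID
$header = ('Timestamp','Process','TID','Area','Category','EventID','Level','Message','Correlation' -join $t)
$wfeLog = @(
    $header,
    ('01/01/2011 10:00:00.10','w3wp.exe (0x0A10)','0x0B20','SharePoint Foundation','Logging Correlation Data','xmnv','Medium','Name=Request (GET:http://intranet.contoso.com/sites/IT)',$id -join $t),
    ('01/01/2011 10:00:00.90','w3wp.exe (0x0A10)','0x0B20','SharePoint Foundation','Runtime','tkau','Unexpected','Constructed exception text',$id -join $t),
    ('01/01/2011 10:00:01.00','OWSTIMER.EXE (0x0C30)','0x0D40','SharePoint Foundation','Timer','5uuf','Medium','Unrelated event','99999999-0000-0000-0000-000000000000' -join $t)
)
$appLog = @(
    $header,
    ('01/01/2011 10:00:00.50','w3wp.exe (0x0E50)','0x0F60','SharePoint Foundation','Topology','e5mc','Medium','Constructed service call',$id -join $t)
)

$events  = @(Get-UlsEventsByCorrelation -Line $wfeLog -CorrelationId $id -Source 'SP2010-WFE1')
$events += @(Get-UlsEventsByCorrelation -Line $appLog -CorrelationId $id -Source 'SP2010-APP1')
$events | Sort-Object Time |
    Select-Object Time, Source, Level, Category, Message |
    Format-Table -AutoSize

# On a farm, Merge-SPLogFile gathers the same records from every server, for example:
#   Merge-SPLogFile -Path 'D:\Logs\merged.log' -Correlation $id
```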


Viewing Administrative Reports

Key Points
Administrative reports give you access to information on the performance and execution of components such as search crawls and query performance. The administrative reports you can access are provided in the form of standard reports and advanced reports; in SharePoint, you can also add custom reports. As you view reports, you have the option to apply filters to focus on a given application and time frame. You can access reports in the Monitoring section in Central Administration.

Additional Reading
View administrative reports at http://go.microsoft.com/fwlink/?LinkID=197198


Lesson 2

Configuring SharePoint Health Analyzer

Key Points
The SharePoint Health Analyzer is a new configurable option that enables SharePoint Server to report on potential issues and in some situations take action to mitigate those issues. You can configure the SharePoint Health Analyzer to identify conditions that fit your specific deployment needs. Some conditions are active on completing installation of SharePoint Server 2010.

Objectives
After completing this lesson, you will be able to:
- Configure health rules.
- Define health schedules.
- View health reports.


Configuring Health Rules

Key Points
Health rules give you the ability to monitor SharePoint Server and be proactive in understanding any potential issues that may arise. This information is presented to you as a list, just like other list items in a SharePoint deployment. For example, health rules can identify issues such as search crawls not running and a content database indicating an error or offline status. Also, you can receive proactive information about configuration or security issues such as when accounts are given more access than is necessary.

For example, the databases used by SharePoint have a fragmented indices rule that checks for a very specific condition that requires verification of status from SQL Server. If that rule is triggered, a preconfigured action will take place if the rule is set to repair automatically. Not all rules are configured to repair automatically. Whether or not a rule repairs automatically depends on how the rule is created and whether it includes the necessary implementation to execute a repair. The same is also common when working with health rules that require your intervention as an administrator.

The default rules that are in place monitor some conditions; however, you can customize your own conditions and provide actions that execute to mitigate the errors. To configure a health rule you must have access to Central Administration and be a member of the Farm Administrators group. To learn how to create your own health rules, see http://go.microsoft.com/fwlink/?LinkID=197199


Configuring Health Schedules

Key Points
A health rule checks for specific conditions that affect performance, configuration, and security in your SharePoint Server deployment, and a health schedule defines the execution or timer definition for running that health rule. You can configure schedules by using either Central Administration or Windows PowerShell. The following table lists the Windows PowerShell cmdlets that are useful for health scheduling.

| Windows PowerShell Cmdlet | Description |
|---|---|
| Get-SPTimerJob | Retrieves the timer job |
| Set-SPTimerJob | Sets the schedule for a timer job |
| Start-SPTimerJob | Starts a specific timer job |

You can configure a schedule by the second, minute, hour, day, week, or month. Specific date conditions are also an option, for example: First Monday of every month. Rules can be executed immediately in the rule definition. This is a great way to verify that a problem has been fixed without waiting for the job to run again: Resolve the issue, run the rule manually, and see whether the condition is resolved.
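The three timer job cmdlets combine into the reschedule, run now, and verify loop described above. The following is an added example, not part of the course material. The job title is the daily health analysis job named in this module's Lab C; the 02:00 schedule and the 10-minute wait are assumptions.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell as a farm administrator.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$jobTitle = 'Health Analysis Job (Daily, Microsoft SharePoint Foundation Timer, All Servers)'

# Find the job by the title that Central Administration displays.
$job = Get-SPTimerJob |
    Where-Object { $_.DisplayName -eq $jobTitle -or $_.Title -eq $jobTitle } |
    Select-Object -First 1
if (-not $job) { throw "Timer job '$jobTitle' was not found in this farm." }

# Show the current schedule and last run before changing anything.
$job | Format-List Name, DisplayName, Schedule, LastRunTime

# Assumed schedule: run the daily health analysis at 02:00.
Set-SPTimerJob -Identity $job -Schedule 'daily at 02:00:00'

# Run the job now instead of waiting for the schedule, then wait for it to finish.
$previousRun = $job.LastRunTime
Start-SPTimerJob -Identity $job

$deadline = (Get-Date).AddMinutes(10)          # assumed upper bound for the wait
do {
    Start-Sleep -Seconds 15
    $current = Get-SPTimerJob -Identity $job.Id
} until ($current.LastRunTime -gt $previousRun -or (Get-Date) -gt $deadline)

if ($current.LastRunTime -gt $previousRun) {
    "Job completed at $($current.LastRunTime). Recheck the Review problems and solutions page."
} else {
    Write-Warning 'The job did not report a new run within 10 minutes; check the timer service.'
}
```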


Viewing Health Reports

Key Points
Health reports return data collected on performance characteristics of your farm. Out of the box, the two reports included list the slowest-loading pages in your farm and the most active users in your farm. In both of these reports, you can refine the results based on a specific criterion such as server or Web application to better determine where problems may be.


Lesson 3

Configuring Usage Reports and Web Analytics

As the system or farm administrator, your purpose is to guarantee the well-being of your organization's SharePoint environment. This, of course, includes being able to monitor health and performance of the different components that enable users to access your SharePoint environment. At some point, you must learn about your users' patterns of usage. The frequency at which users view a specific page or the department a user comes from becomes part of the information you consume, and you can also identify latency in displaying specific content given a network segment that is geographically remote. This is the information you can gather when you configure and view usage reports and gather details in the form of Web Analytics.

Objectives
After completing this lesson, you will be able to:
- Configure usage data collection.
- View and interpret the collected data.


Configuring Usage Data Collection

Key Points
The usage and health data settings are farm-wide; you cannot set them for individual servers in the farm. Logging uses system resources and can affect performance and disk usage. Only log those events for which you want regular reports. For ad hoc reports or investigations, enable logging for specific events, and then disable logging for the events after the report or investigation is complete.

Usage and health data collection is the collection of binary large objects (BLOBs) that are processed into a logging database. You can configure the logging database retention period. For processing both BLOBs and databases, you need to consider disk performance and capacity in addition to network considerations. The usage database collects information from health rules, the event viewer, diagnostics, and so forth. You can use this database to build custom reports.

The Usage and Health Data Collection service application is a prerequisite to Web Analytics and other service applications such as Search and is provisioned by default if you run the Farm Configuration Wizard. These settings are applied to all events. To set event collection settings for individual event types, use the following Windows PowerShell cmdlets. To change the Database Server and Database Name values, you must use Windows PowerShell.

| Windows PowerShell Cmdlet | Description |
|---|---|
| Set-SPUsageService | Sets parameters for the usage data to be gathered. Settings such as log location and maximum space to be used are configured here. See http://go.microsoft.com/fwlink/?LinkID=199509 |
| Set-SPUsageDefinition | Configures the retention period for the usage logs. See http://go.microsoft.com/fwlink/?LinkID=199510 |
| Set-SPUsageApplication | Configures the settings for the Usage database, such as database server and credentials to be used. See http://go.microsoft.com/fwlink/?LinkID=199511 |


Viewing Web Analytics Usage Reports

Key Points
Web Analytics reports are based on the information that is gathered by configuring the usage logs. The reports presented include prebuilt reports in Central Administration. Reports are assigned to logical elements in a SharePoint environment, such as farm, site collection, and site level; each provides different yet pertinent information for that level. You can access the reports by clicking the link, View Web Analytics Reports. This presents the usage data gathered. Samples of the reports available include Summary Report, Number of PageViews, Unique Daily Visitors, Top Pages, and Top Destinations. A key element provided as well is automatic Best Bets recommendations for Search configuration. You can define reports to be viewed based on a date range. Here, it is important to consider the value you set for the retention policy because this limits the range of data available to report on. You can also export the reports to Excel and conduct further analysis on the information.

Additional Reading
View Web Analytics reports at http://go.microsoft.com/fwlink/?LinkID=197200


Lesson 4

Monitoring and Optimizing SharePoint Performance

SharePoint is a very complex product that is composed of several different elements, including SQL Server, which defines the storage location for configuration, logs, and content; and Windows Server services such as Internet Information Services (IIS), which hosts ASP.NET and the Microsoft .NET Framework, which provide functionality and the user interface for SharePoint Web sites. Because of this, you have a wide range of checkpoints for validation and monitoring of your SharePoint environment. It is very important to use the monitoring and performance analysis tools provided by the components of SharePoint, such as SQL Server. Counters and dynamic management views are very useful in determining proper parameters for the databases. An understanding of the proper rendering of content coming from the Web functionality is key to knowing whether a page is loading efficiently.

Objectives
After completing this lesson, you will be able to:
- Determine how to collect performance monitoring statistics.
- Use those statistics to improve the performance of your SharePoint servers.


Performance Monitoring

Key Points
You can add to the usage database the performance counters that help you monitor and evaluate your farm's performance, so that they are logged automatically at a specific interval. Then, you can query the usage database to retrieve these counters and graph the results over time. The following is an example of using the Add-SPDiagnosticsPerformanceCounter Windows PowerShell cmdlet to add the % Processor Time counter to the usage database.

Note: You need to run this on only one of the web servers.

Add-SPDiagnosticsPerformanceCounter -Category "Processor" -Counter "% Processor Time" -Instance "_Total" -WebFrontEnd

Additional Reading
System Center Operations Manager at http://go.microsoft.com/fwlink/?LinkID=197201
Planning for Virtualized deployments at http://go.microsoft.com/fwlink/?LinkID=197202


Performance Optimization

Physical Bottleneck Resolution


Physical bottlenecks are typically based on processor, disk, memory, and network contention: too many requests compete for too few physical resources. The objects and counters described in the topic titled Performance Monitoring earlier in this lesson indicate where the performance problem is located, for example, hardware processor or ASP.NET. Bottleneck resolution requires that you identify the issue and then make a change or changes that mitigate the performance problem. By constantly evaluating these items, you can understand the activity that takes place in your SharePoint Server environment. Once that understanding is formalized, you can then implement ways to address contention for those resources and improve the performance required by your deployment.

Problems seldom happen instantaneously; usually you can track a gradual performance degradation if you monitor regularly using your performance monitor tool or a more sophisticated system, such as Microsoft System Center Operations Manager. For both of these options, to varying degrees, you can embed solutions in an alert in the form of advisory text or scripted commands.

Keep in mind that SharePoint is a combination of various products, such as the Windows Server operating system, IIS, and SQL Server. This means you must pay special attention to the contributing elements of those products that require attention and monitoring. So, in many ways, you need to understand those additional components to make sure you are providing an optimization plan that covers the entire range of functional components.


Lab A: Configuring SharePoint Monitoring

Scenario
The Contoso SharePoint governance plan specifies levels of monitoring for the development and production environments that differ from the out of box settings. You have been tasked with configuring monitoring and with demonstrating how developers can use monitoring to troubleshoot errors generated by their code.

Log on to the virtual machine for this lab.


1. Start 10174A-CONTOSO-DC-D.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.


Exercise 1: Configuring SharePoint Diagnostic Logging


Scenario
The development team plans to deploy several new solutions to the development environment. The governance plan dictates a higher level of monitoring during periods of solutions deployment and testing so that developers can view errors generated by their code. However, you must also ensure that the size of log files does not grow out of control. The main tasks for this exercise are as follows:
1. Configure diagnostic logging.
2. Review a log file.

Task 1: Configure diagnostic logging.


- Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password Pa$$w0rd.
- Open SharePoint 2010 Central Administration, click the Monitoring link, and then browse to the Diagnostic Logging page.
- Configure all categories of events to use verbose logging to both the event log and the trace log.
- Enable event log flood protection and ensure that trace logs do not grow larger than 10 gigabytes (GB).

Note: Microsoft does not recommend configuring a verbose-level trace log in a production environment.

Task 2: Review a log file.


- Open Windows Explorer and browse to the C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Logs folder.
- Open the most recently modified log (*.log) file.
- Examine the log. Observe the number of events that are logged in just a few seconds.
- Close the log and the Windows Explorer window that displays the Logs folder.

Results: After this exercise, you should have configured verbose diagnostic logging for your SharePoint farm.

Do not turn off the virtual machines.


Leave the virtual machines running. You will use them in the next lab.


Lab B: Analyzing SharePoint Health

Scenario
You have just installed a SharePoint 2010 farm. When you open Central Administration, an error message appears at the top of the page that indicates an error in configuration. The SharePoint governance plan mandates that SharePoint farms at Contoso should be deployed using Microsoft-recommended best practices. You have been tasked with determining the cause of the error message and correcting the configuration of the farm.


Exercise 1: Configuring Health Analyzer Rules


In this exercise, you explore the default Health Analyzer rules. The main tasks for this exercise are as follows:
1. Review Health Analyzer problems.
2. Configure Health Analyzer rule definitions.
3. Run a Health Analyzer rule.

Task 1: Review Health Analyzer problems.


Open SharePoint 2010 Central Administration, click the Monitoring link, and browse to the Review problems and solutions page. Observe the list of reported problems.

Task 2: Configure Health Analyzer rule definitions.


1. Click the Monitoring link, and then browse to the Health Analyzer Rule Definitions page. Observe the four categories of rules:
   - Security: 4 rules
   - Performance: 17 rules
   - Configuration: 30 rules
   - Availability: 13 rules

   Tip: The list of rules is paged. Click the Next Page button, displayed as a right-pointing arrow below the list, to see additional rules.
2. Open the Some content databases are growing too large rule. Observe that you can change the following attributes of the rule, but do not make any changes at this time:
   - Title
   - Scope
   - Schedule
   - Enabled
   - Repair Automatically
   - Version

   Note: You cannot change the actions that the rule uses to perform its health analysis task. The rule's actions are determined by the code used to develop the rule.
3. Edit the rule and change the Schedule to Daily.


Task 3: Run a Health Analyzer rule.


Run the following two rules:
- Availability category: Some content databases are growing too large
- Configuration category: One or more categories are configured with Verbose trace logging

Results: After this exercise, you should have configured rule definitions and run two rules.


Exercise 2: Reviewing and Repairing Health Analyzer Problems


In this exercise, you review and repair problems identified by the Health Analyzer. The main tasks for this exercise are as follows:
1. Review Health Analyzer problems.
2. Repair Health Analyzer problems.
3. Validate the Health Analyzer solution.

Task 1: Review Health Analyzer problems.


- Open SharePoint 2010 Central Administration, click the Monitoring link, and browse to the Review problems and solutions page.
- Observe the list of reported problems.
- In the Configuration section, observe that a new problem is reported: One or more categories are configured with Verbose trace logging.
- Click the problem, and then examine the information that is presented on the problem details page.
- Click Reanalyze Now to reanalyze the problem.
- On the Review problems and solutions page, refresh the page until the Modified column for the problem indicates that the rule was analyzed.

Task 2: Repair Health Analyzer problems.


- Click the One or more categories are configured with Verbose trace logging problem.
- Click Repair automatically.
- On the Health Analyzer Reports list, refresh the page until the problem report disappears.

Task 3: Validate the Health Analyzer solution.


- Click the Monitoring link, and then browse to the Diagnostic Logging page.
- Observe that the two lists, Least critical event to report to the event log and Least critical event to report to the trace log, are reset. They no longer are set to Verbose.
- For All Categories, set event log reporting level to Error and trace log reporting level to Unexpected.
- Browse to the Health Analyzer Rule Definitions page.
- Run the rule One or more categories are configured with Verbose trace logging.
- Browse to the Review problems and solutions page and confirm that the rule One or more categories are configured with Verbose trace logging is not shown on the report.
- Close all open applications and windows.

Results: After this exercise, you should have configured Health Analyzer rules, reviewed Health Analyzer reports, and repaired Health Analyzer problems.

Do not turn off the virtual machines.


You use the same virtual machines in the next lab.


Lab C: Reporting SharePoint Usage

Scenario
Contoso recently implemented a systems management report center. You are required to submit reports related to performance and usage. You have been tasked with creating a SharePoint performance and usage report that uses the SharePoint logging database as its data source.


Exercise 1: Configuring SharePoint Usage Data Collection


In this exercise, you configure SharePoint usage data collection and trigger the jobs that collect data. The main tasks for this exercise are as follows:
1. Perform usage data collection.
2. Create reports from the logging database.

Task 1: Perform usage data collection.


1. Open SharePoint 2010 Central Administration.
2. Click the Monitoring link, and then browse to the Configure web analytics and health data collection page. Click Health Logging Schedule. Observe the set of Health Analysis jobs. Then, run the Health Analysis Job (Daily, Microsoft SharePoint Foundation Timer, All Servers) job.
3. Click the Monitoring link, and then browse to the Configure web analytics and health data collection page. Click Log Collection Schedule. Run the following jobs: Microsoft SharePoint Foundation Usage Data Import and Microsoft SharePoint Foundation Usage Data Processing.
4. Log off of SP2010-WFE1.

Results: After this exercise, you should have executed the logging timer jobs that populate the logging database.


Exercise 2: Creating Reports from the Logging Database


In this exercise, you create reports in Microsoft Excel using the logging database as the data source. The main tasks for this exercise are as follows:
1. Explore logging database tables.
2. Create a logging report by using Microsoft Excel.

Task 1: Explore logging database tables.


1. Log on to SP2010-WFE1 as CONTOSO\Administrator with the password Pa$$w0rd.
2. Open SQL Server Management Studio and expand the tables in the WSS_Logging database. You should see several tables with different partition names.
3. Execute the following query, and record the ConfigValue value that is returned in the Results panel:

    Use WSS_Logging
    Select * from configuration where configname = 'max partition id - TimerJobUsage'

Task 2: Create a logging report by using Microsoft Excel.


1. Open Microsoft Excel 2010. If the Microsoft Office Activation Wizard appears, click Cancel.
2. Save the new workbook with the name SharePoint Timer Job Duration Report.
3. Create a data connection with the following configuration:
   SQL Server: SP2010-WFE1
   Database: WSS_Logging
   Table: TimerJobUsage_PartitionXX table, where XX is the ConfigValue value you obtained in Task 1.
4. Create a PivotTable report. In the PivotTable Field List panel, in the Choose fields to add to report list, select the following options:
   MachineName
   WebApplicationName
   JobTitle
5. Drag the Duration field from the field list to the Values box. You now have a report of timer job durations presented by server, by web application, and by timer job.

Results: After this exercise, you should have created a usage report based on data from the SharePoint logging database.
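The two tasks of this exercise can also be scripted. The following PowerShell is an added example, not part of the course lab: it reads the partition id with the query from Task 1 and then totals Duration by the three PivotTable fields. It assumes Windows authentication and read access to WSS_Logging on SP2010-WFE1; the function names are illustrative. Because a table name cannot be passed as a SQL parameter, the script accepts the ConfigValue only if it is a small integer before building the partition table name.

```powershell
# Added example (not part of the original lab): timer job duration report
# from WSS_Logging, equivalent to the Excel PivotTable built in Task 2.
# Assumption: the account running this has read access to WSS_Logging.

function Get-PartitionTableName {
    param([Parameter(Mandatory=$true)] $ConfigValue)
    # ConfigValue is read from the database and becomes part of an identifier,
    # which cannot be parameterized. Accept only a small non-negative integer.
    $id = 0
    $ok = [int]::TryParse([string]$ConfigValue, [ref]$id)
    if (-not $ok -or $id -lt 0 -or $id -gt 999) {
        throw "Unexpected partition id '$ConfigValue'"
    }
    return "TimerJobUsage_Partition$id"
}

function Invoke-LoggingQuery {
    param(
        [Parameter(Mandatory=$true)] [string] $Sql,
        [string]    $Server = 'SP2010-WFE1',
        [hashtable] $Parameters = @{}
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Server;Database=WSS_Logging;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        foreach ($name in $Parameters.Keys) {
            [void]$cmd.Parameters.AddWithValue($name, $Parameters[$name])
        }
        # Load everything into memory so the connection can be closed at once.
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        $table.Rows
    }
    finally {
        $conn.Dispose()
    }
}

function Get-TimerJobDurationReport {
    param([string] $Server = 'SP2010-WFE1')

    # Task 1: look up the partition id. The value is passed as a parameter.
    $lookup = 'SELECT ConfigValue FROM Configuration WHERE ConfigName = @name'
    $row = @(Invoke-LoggingQuery -Server $Server -Sql $lookup `
                -Parameters @{ '@name' = 'max partition id - TimerJobUsage' })[0]
    if (-not $row) { throw 'Partition id not found in the Configuration table' }
    $tableName = Get-PartitionTableName $row['ConfigValue']

    # Task 2: same grouping as the PivotTable (row fields plus Sum of Duration).
    $report = "SELECT MachineName, WebApplicationName, JobTitle, " +
              "COUNT(*) AS Runs, SUM(Duration) AS TotalDuration " +
              "FROM [$tableName] " +
              "GROUP BY MachineName, WebApplicationName, JobTitle " +
              "ORDER BY TotalDuration DESC"
    Invoke-LoggingQuery -Server $Server -Sql $report
}

Get-TimerJobDurationReport | Format-Table -AutoSize
```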

To revert the virtual machines.


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog, click Revert.


Module Review and Takeaways

Review Questions
1. How can you minimize the impact of logging in your environment?
2. What is event log flood protection?
3. What value do Correlation IDs bring to troubleshooting?

Best Practices Related to a Particular Technology Area in this Module


• Change the default path that logs are written to; use a non-system drive.
• Enable event log flood protection.
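These two practices, together with the Verbose logging rule repaired in Lab B, can be checked from the SharePoint 2010 Management Shell. The following script is an added example, not part of the course: Get-LoggingFinding is an illustrative name, the sample objects are constructed, and D:\SPLogs in the remediation comment is a placeholder path.

```powershell
# Added example (not from the course): audit diagnostic logging against the
# best practices above and the Health Analyzer rule "One or more categories
# are configured with Verbose trace logging".
# The function only reads properties, so it accepts live cmdlet output or
# the constructed sample objects further down.

function Get-LoggingFinding {
    param(
        [Parameter(Mandatory=$true)] $Config,                  # shaped like Get-SPDiagnosticConfig output
        [Parameter(Mandatory=$true)] [object[]] $Categories,   # shaped like Get-SPLogLevel output
        [string] $SystemDrive = $env:SystemDrive
    )
    $findings = @()

    # Best practice 1: trace logs should not live on the system drive.
    $path = [Environment]::ExpandEnvironmentVariables([string]$Config.LogLocation)
    if ($SystemDrive -and
        $path.StartsWith($SystemDrive, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += "LogLocation '$path' is on the system drive ($SystemDrive)"
    }

    # Best practice 2: event log flood protection should be enabled.
    if (-not $Config.EventLogFloodProtectionEnabled) {
        $findings += 'Event log flood protection is disabled'
    }

    # Lab B rule: no category should be left at Verbose.
    foreach ($c in $Categories) {
        $trace = [string]$c.TraceSeverity
        $evt   = [string]$c.EventSeverity
        if ($trace -like 'Verbose*' -or $evt -eq 'Verbose') {
            $findings += "Category '$($c.Area.Name): $($c.Name)' logs at Verbose " +
                         "(trace=$trace, event=$evt)"
        }
    }
    $findings
}

if (Get-PSSnapin -Registered -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) {
    # On a SharePoint 2010 server: audit the live farm.
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    Get-LoggingFinding -Config (Get-SPDiagnosticConfig) -Categories (Get-SPLogLevel)

    # Remediation that matches Lab B Task 3 and the best practices.
    # The log path is a placeholder and must exist on every server in the farm.
    #   Set-SPLogLevel -EventSeverity Error -TraceSeverity Unexpected
    #   Set-SPDiagnosticConfig -LogLocation 'D:\SPLogs' -EventLogFloodProtectionEnabled
}
else {
    # Anywhere else: run the same checks against constructed sample data.
    $sampleConfig = New-Object PSObject -Property @{
        LogLocation = '%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\LOGS'
        EventLogFloodProtectionEnabled = $false
    }
    $area = New-Object PSObject -Property @{ Name = 'SharePoint Foundation' }
    $sampleCategories = @(
        (New-Object PSObject -Property @{
            Area = $area; Name = 'General'
            TraceSeverity = 'Verbose'; EventSeverity = 'Information' }),
        (New-Object PSObject -Property @{
            Area = $area; Name = 'Timer'
            TraceSeverity = 'Unexpected'; EventSeverity = 'Error' })
    )
    Get-LoggingFinding -Config $sampleConfig -Categories $sampleCategories
}
```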

Tools
Tool: ULS Log Viewer
Use for: A Windows application for viewing SharePoint ULS log files more easily. Supports filtering and easy viewing of data.
Where to find it: http://go.microsoft.com/fwlink/?LinkID=199513


Module 15
SharePoint Online and Office 365
Contents:
Lesson 1: Introducing Office 365 and SharePoint Online
Lesson 2: Setting Up Office 365
Lesson 3: Administering SharePoint Online


Module Overview

This module introduces Microsoft's cloud services and Microsoft SharePoint Online. When you subscribe to SharePoint Online, you get a hosted SharePoint system that your users can access whenever they have an Internet connection. You do not need to install SharePoint servers or concern yourself with scalability; SharePoint Online automatically scales to respond to your users as you add them, and as they add content, to the system. SharePoint Online is one of the key components of Microsoft Office 365, Microsoft's suite of collaboration and productivity tools delivered through the cloud. Office 365 also includes Microsoft Exchange Online for email services and Microsoft Lync Online for instant messaging and conferencing, as well as the Microsoft Office Professional Plus suite of desktop applications for enterprise subscribers.

Objectives
After completing this module, you will be able to:
• Describe the components of Office 365 and compare the functionality of SharePoint Online to that of a SharePoint on-premise farm.
• Create and configure an Office 365 subscription to host a Web site, team collaboration sites, and connections to desktop software.
• Enable users, in and outside your organization, to access SharePoint Online and perform other administrative tasks.


Lesson 1

Introducing Office 365 and SharePoint Online

Office 365 is Microsoft's cloud-based productivity solution. By taking the functions traditionally provided by back-office server software and hosting them in the cloud, Office 365 ensures high availability, simple scalability, and access from a wide range of client computers and devices. The Office 365 suite includes SharePoint Online, which provides content creation and management functions within Office 365. The suite is completed by Exchange Online, Lync Online, and the Office Professional Plus suite.

Objectives
After completing this lesson, you will be able to:
• List all the components of Office 365 and describe how they enable productivity in a modern, distributed organization.
• Describe the advantages and disadvantages of using SharePoint Online as compared to a SharePoint on-premise farm.
• Describe typical situations in which you can use SharePoint Online and select an architecture for each of those situations.


Features of Office 365

Key Points
Office 365 is designed to provide a complete, cloud-based productivity suite for modern businesses that scales from the smallest to the largest organizations. It has five different components.
• SharePoint Online. This is the cloud implementation of SharePoint Server 2010 hosted in Microsoft data centers worldwide. SharePoint Online supports most of the functionality that you have seen from SharePoint Server 2010 in this course. For example, it includes a Team Site that you can use for content creation and management including workflows, approvals, versioning, checkout, and so on. Full enterprise search features are included and each user is given a user profile just as they are in an on-premise farm. However, there are some restrictions; for example, although customizations can be deployed in the form of SharePoint solution packages (.wsp files), these can only be deployed in the sandbox. InfoPath and Access Services are not available in all editions. You'll see more of the differences between SharePoint Server 2010 and SharePoint Online later in this module.
• Exchange Online. Each Office 365 user has an Exchange mailbox, which they can access using Microsoft Office Outlook 2010 or in the browser with Microsoft Outlook Web Access (OWA). Rich functionality is supported in a wide range of popular browsers. A calendar and task list is available in each mailbox and meeting requests can be used to organize co-workers.
• Lync Online. Lync 2010 is Microsoft's messaging software. In Office 365 you can use Lync to exchange instant messages and presence information with friends within and outside your organization. You can also use Lync's extensive conferencing facilities for audio and video calls and to share applications. For example, you can deliver a Microsoft Office PowerPoint presentation by sharing the application in a conference.
• Office Professional Plus. Office 365 for midsize businesses and enterprises includes the Office Professional Plus 2010 suite of desktop applications. All the familiar Microsoft Office applications, such as Word and Excel, give users the richest range of document editing features, and InfoPath supports rapid development of forms that can be used in SharePoint for items, document libraries and workflows. In addition, you can use Microsoft Office Workspace 2010 to automatically synchronize SharePoint Online with local folders. This means you can continue to work on documents when you do not have an Internet connection, in which case your local changes are synchronized with SharePoint Online the next time you connect.
• Office Web Apps. Office Web Apps are implementations of the Office Desktop applications that work in the browser. You can use Office Web Apps to read and edit Word documents, Excel spreadsheets, and PowerPoint presentations from any location with an Internet connection. A wide range of popular browsers are supported, including Google Chrome and Mozilla Firefox. Although Office Web Apps do not have the complete features of their equivalent desktop applications, the majority of basic editing features are available.

Three different Office 365 subscription plans are available:
• Office 365 for Professionals and Small Businesses. This subscription plan includes all of the above components except Office Professional Plus, although subscribers can purchase Office desktop software separately. Subscription is on a monthly basis and includes access to online community support forums. This is also known as Plan P1.
• Office 365 for Midsize Businesses and Enterprises. This plan is the premium Office 365 subscription and adds Office Professional Plus to the previous plan. Extra administration and control features are also included and subscribers get 24x7 support from Microsoft support personnel. This is also known as Plan E3.
• Office 365 for Education. This special plan is designed for educational establishments that want to provide productivity tools to their staff and students. Global 24x7 support is included and custom rates are available.

Additional Reading
• Office 365 Subscription Plans: http://go.microsoft.com/fwlink/?LinkId=239823
• SharePoint Online Homepage: http://go.microsoft.com/fwlink/?LinkId=239824
• Features Available by License: http://go.microsoft.com/fwlink/?LinkId=239825


Comparing SharePoint Online with On-Premise Farms

Key Points
A SharePoint Online subscription provides users with an environment very similar to a SharePoint on-premise farm, but there are differences that you must be aware of before you decide which to use. To assist you in choosing the most appropriate implementation for an organization, use the following table to compare a SharePoint Server 2010 on-premise farm to a SharePoint Online subscription.

Area: Server Hardware
SharePoint On-Premise: You must purchase and install server hardware on which to install SharePoint. At least one server is required for all implementations. Scalable and highly available farms can require many more servers.
SharePoint Online: You do not have to purchase any server hardware because SharePoint Server runs in Microsoft data centers.

Area: Scaling
SharePoint On-Premise: When you plan a SharePoint farm it is your responsibility to ensure that it scales to the number of users and volume of content your organization needs. If the organization grows you may need to add new hardware, move service applications, or purchase load-balancing solutions.
SharePoint Online: SharePoint Online automatically scales as you add new users and more content. You do not have to reconfigure SharePoint Online to support extra capacity, although your subscription charges may rise.

Area: High Availability
SharePoint On-Premise: To ensure high availability and meet your department's service level agreement (SLA) you may have to create a farm with no single point of failure. This requires fault-tolerant disk arrays, multiple servers for each server role, advanced load-balancing, and other redundant components such as network cards.
SharePoint Online: SharePoint Online includes 99.9% availability as part of all subscriptions. It is not your responsibility to ensure that SharePoint is online. However, you should bear in mind that users must have a functioning Internet connection in order to access SharePoint Online.

Area: Office Web Apps
SharePoint On-Premise: Office Web Apps are not included with SharePoint Server 2010 Standard but are available with SharePoint Server 2010 Enterprise. You must deploy and configure the appropriate service application before Office Web Apps are available to users.
SharePoint Online: Office Web Apps are included with most Office 365 subscriptions and do not require any configuration by administrators.

Area: Available Features
SharePoint On-Premise: All features are available in on-premise farms, depending on the Edition of SharePoint you have purchased.
SharePoint Online: Business Connectivity Services (BCS) are only available using the client object model. Custom SharePoint Solutions are supported in SharePoint Online but they must run in the Sandbox. For example, a solution that accesses data outside SharePoint cannot be successfully deployed to SharePoint Online. You can also make customizations by using the browser, such as adding a new page, and by using SharePoint Designer, such as editing a Master Page.

Additional Reading
• Comparison of SharePoint Online Features and SharePoint Server Features: http://go.microsoft.com/fwlink/?LinkId=235463
• Subscription Cost Estimator: http://go.microsoft.com/fwlink/?LinkId=225285


Usage Scenarios

SharePoint Online can be used to solve a wide variety of business problems and is particularly suited to companies with distributed or mobile users. It can also assist companies with small IT departments because the infrastructure is built and maintained by Microsoft. The following sections describe some typical scenarios in which SharePoint Online can help.

Pure SharePoint Online Scenarios


In these scenarios, SharePoint Online is used without a parallel on-premise SharePoint farm. This situation has the advantage of simplicity but may not be possible for organizations with more complex requirements.
• Small and Start-up Businesses: Small businesses may not have the budget or resources to maintain a dedicated IT department with expertise to run a SharePoint farm on their premises. A principal advantage of SharePoint Online is that it makes SharePoint accessible to such organizations because many design, implementation, and maintenance tasks are not the responsibility of the client but performed by Microsoft personnel at server centers. Start-ups and small businesses can consider moving immediately to a pure cloud-based SharePoint system without a staged migration.
• Highly Distributed Organizations: Many modern businesses see no need for a centralized office where server infrastructure can be installed and find home-working to be more productive. Those organizations with many travelling or home-based users can get up and running quickly with SharePoint Online without hiring and equipping a server center to host SharePoint servers.
• Non-Profit Organizations: Charities, clubs, and other non-profit organizations can save money and resources by using SharePoint Online, thus avoiding the need to pay dedicated IT staff.

Hybrid Environments
Whether to install SharePoint Server 2010 on-premise or subscribe to SharePoint Online is not an either/or decision. You can choose to implement both SharePoint Online and SharePoint Server 2010, either on a temporary or permanent basis. In the following scenarios, both systems are used:

• Travelling User Support: In some regions, travelling users may have difficulty connecting to SharePoint at your premises from client sites and other locations. By placing SharePoint in the cloud, you can ensure they can connect whenever there is an Internet connection available. By implementing SharePoint on-premise as well, you ensure that office-based users have maximum connectivity to SharePoint.
• External Projects: You can support collaboration with your partner organizations by implementing an extranet and granting access to your on-premise SharePoint farm. However, an extra level of separation and security can be achieved by placing such external and partner projects in SharePoint Online. In this way you can avoid permitting partner access to your internal SharePoint farm, which may store highly sensitive data.
• Migrations to SharePoint Online: Organizations already using SharePoint Server 2010 on-premise may wish to migrate fully to SharePoint Online but must ensure this process does not impact users. To mitigate the risks of this migration, a staged approach is usually adopted, in which data and users are migrated to SharePoint Online team-by-team or project-by-project over several months. This interim stage is an example of a hybrid solution and is the most common of the examples in this section.
• Farm Solutions: Although you can customize SharePoint Online in many ways, you cannot implement Farm-level SharePoint solutions in the cloud. If you have a custom SharePoint solution that cannot be run in the sandbox, you could consider maintaining an on-premise farm where farm solutions can run outside the sandbox.

Additional Reading
Hybrid SharePoint Environments with Office 365: http://go.microsoft.com/fwlink/?LinkId=239933


Lesson 2

Setting Up Office 365

Many of the administrative tasks you have seen in this course are not necessary if you choose to subscribe to Office 365 and SharePoint Online. For example, you need not install SharePoint on server hardware or run the SharePoint configuration wizard because these tasks are completed for you on Microsoft servers at data centers. However, some administrative tasks are required and some, such as setting up a vanity domain, are unique to SharePoint Online. In this lesson, you will learn how to complete these tasks and make the right design decisions for your organization.

Objectives
After completing this lesson, you will be able to:
• Create a new subscription to Office 365 for an organization.
• Configure Office 365 to use a vanity domain for email, web sites and team sites.
• Configure the SharePoint Online default team site and enable sub-site creation.
• Configure and style the Internet-facing website included in the SharePoint Online subscription.
• Set up desktop Office applications to connect to SharePoint Online.


Creating a New Subscription

Key Points
Creating a new Office 365 subscription is a simple process that requires only a normal range of contact information. To create a new subscription visit: http://go.microsoft.com/fwlink/?LinkId=239822

Before you create your subscription, consider the following issues carefully:
• Evaluation Period. Most organizations choose to take advantage of the free 30-day trial that is available on small business or enterprise subscriptions. However, if you prefer you can buy a subscription immediately. A Plan P1 evaluation includes 10 user licenses and a Plan E3 evaluation includes 25 user licenses.
  Note: There is currently no free trial period for Office 365 for Education. Education establishments that want to evaluate Office 365 should choose the Plan E3 trial, which provides a similar level of service.
• Switching Plans. You cannot change your subscription plan after it has been created. In order to move from Plan P1 to E3 you would have to back up data, cancel your subscription, create a new subscription, and restore data. Be careful to select the most appropriate plan at the beginning.
• Choosing Domain Name. When you create a new subscription, you must choose a unique subdomain within the onmicrosoft.com parent domain. This cannot be changed later; however, you can add a so-called Vanity Domain to your subscription. For example, Contoso Inc. might have registered the contoso.com Internet domain. They could add this to their subscription so that the included web site is at http://www.contoso.com instead of http://contoso.onmicrosoft.com. The same domain name can also be used for email and messaging. See the Setting Up a Vanity Domain topic for more details on vanity domains.
• Choosing Country or Region. The Country or Region you choose is important because it determines taxes and billing details and the data center that hosts your subscription. It cannot be changed later. Usually the best choice is obvious because the company operates in a single country or has the majority of users based in a single country. However, international organizations should think carefully about billing and the location of the majority of their users before specifying this value.

Additional Reading
Getting Started with Office 365: http://go.microsoft.com/fwlink/?LinkId=235464


Demonstration: Creating a New Subscription

This demonstration illustrates how to create and configure a new Enterprise trial subscription for Office 365. It also shows how to create and configure a new public Web site. The instructor will perform this demonstration by creating a new Office 365 subscription, unless an Internet connection is not available in the classroom. A recording of this demonstration is also available for student download as part of the course companion content, which can be obtained from the companion MOC site (http://www.microsoft.com/learning/en/us/training/companionmoc.aspx). You can use this recording to review the steps after the course.


Setting Up a Vanity Domain

Key Points
When you subscribe to Office 365, all services are provided through the domain you selected when you created your subscription. This domain is always within the parent domain onmicrosoft.com. For example, if you select the domain contoso.onmicrosoft.com:
• The included Web site is at http://contoso.onmicrosoft.com.
• Emails and Instant Messages are sent to and from addresses like administrator@contoso.onmicrosoft.com.

Most organizations have registered one or more Internet domain names and would like to use them for all public communications. You can add these domains to Office 365 and configure the system to use them instead of the onmicrosoft.com domain. These are called Vanity Domains. For example, if you added the vanity domain contoso.com to your subscription:
• The included Web site could be at http://www.contoso.com.
• Emails and Instant Messages are sent to and from addresses like administrator@contoso.com.

The Office 365 service includes DNS servers, but Microsoft does not register domain names or host name server records. Therefore, you must maintain a relationship with an ISP, even if you no longer host a Web site or other services on their servers. The ISP registers domain names and maintains NS records. These NS records should point to the Office 365 DNS servers. You can obtain the correct IP addresses for NS records when you configure the vanity domain in Office 365. All other DNS records, including A, CNAME, and MX records, are hosted on Microsoft DNS servers. These records enable clients to locate Office 365 SharePoint, Exchange, and Lync servers in Microsoft data centers.

Configuring a Vanity Domain


To add and configure your own registered domain to your Office 365 subscription, complete the following steps:

1. Add the domain to Office 365. On the Admin page, click Domains and then click Add a Domain.
2. Verify the domain belongs to your organization. To complete this step you must first add a specific TXT or MX record to the DNS zone file at your ISP. In Office 365, you click Verify. Office 365 queries for the TXT or MX record you just created. If the record is found, the domain is verified. At this point, a zone file is created for your new domain on the Office 365 DNS servers. This includes A, MX, CNAME and other records.
3. At your ISP, configure NS records to point to the Office 365 DNS servers. Office 365 displays the correct addresses to configure but you must update ISP records yourself.

Changes to DNS records can take up to 24 hours to propagate through the system. You can add multiple vanity domains to Office 365 but you cannot add the same domain to two separate Office 365 subscriptions.
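Because propagation is slow and the ISP records are edited by hand, it helps to check what public DNS actually returns before you click Verify and again after the NS change. The following PowerShell is an added example, not part of the course: Test-VanityDomainDns is an illustrative name, it covers the TXT form of the verification record only, it needs Resolve-DnsName (Windows 8 / Windows Server 2012 or later) for live lookups, and every record value in the sample is a constructed placeholder for the values Office 365 displays.

```powershell
# Added example (not from the course): compare the DNS records published for
# a vanity domain with the values Office 365 displayed during setup.

function Test-VanityDomainDns {
    param(
        [Parameter(Mandatory=$true)] [string]   $Domain,
        [Parameter(Mandatory=$true)] [string]   $VerificationText,     # TXT value shown by Office 365
        [Parameter(Mandatory=$true)] [string[]] $ExpectedNameServers,  # NS values shown by Office 365
        [object[]] $TxtRecords,   # optional pre-fetched records, for offline checks
        [object[]] $NsRecords
    )
    # Live lookups only when the caller did not supply records.
    if (-not $PSBoundParameters.ContainsKey('TxtRecords')) {
        $TxtRecords = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
                        Where-Object { $_.Type -eq 'TXT' })
    }
    if (-not $PSBoundParameters.ContainsKey('NsRecords')) {
        $NsRecords = @(Resolve-DnsName -Name $Domain -Type NS -ErrorAction SilentlyContinue |
                       Where-Object { $_.Type -eq 'NS' })
    }

    # Host names compare without case or the trailing root dot.
    $normalize = { param($n) ([string]$n).TrimEnd('.').ToLowerInvariant() }

    $txtValues  = @($TxtRecords | ForEach-Object { $_.Strings -join '' })
    $actualNs   = @($NsRecords | ForEach-Object { & $normalize $_.NameHost } | Sort-Object -Unique)
    $expectedNs = @($ExpectedNameServers | ForEach-Object { & $normalize $_ } | Sort-Object -Unique)

    # A name server that Office 365 did not list means part of the zone is
    # still answered elsewhere (for example, a leftover ISP server).
    $unexpected = @($actualNs   | Where-Object { $expectedNs -notcontains $_ })
    $missing    = @($expectedNs | Where-Object { $actualNs   -notcontains $_ })

    New-Object PSObject -Property @{
        Domain                = $Domain
        TxtRecordFound        = ($txtValues -contains $VerificationText)
        UnexpectedNameServers = $unexpected
        MissingNameServers    = $missing
        DelegationMatches     = ($actualNs.Count -gt 0 -and
                                 $unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# Offline run on constructed records: the verification TXT record is present,
# but one old ISP name server is still delegated alongside a new one.
$sampleTxt = @(
    (New-Object PSObject -Property @{ Strings = @('v=spf1 -all') }),
    (New-Object PSObject -Property @{ Strings = @('MS=ms00000000') })   # placeholder value
)
$sampleNs = @(
    (New-Object PSObject -Property @{ NameHost = 'ns1.o365-dns.example.' }),
    (New-Object PSObject -Property @{ NameHost = 'ns.old-isp.example.' })
)
Test-VanityDomainDns -Domain 'contoso.com' `
    -VerificationText 'MS=ms00000000' `
    -ExpectedNameServers 'ns1.o365-dns.example', 'ns2.o365-dns.example' `
    -TxtRecords $sampleTxt -NsRecords $sampleNs |
    Format-List Domain, TxtRecordFound, DelegationMatches, UnexpectedNameServers, MissingNameServers
```

For a live check, omit -TxtRecords and -NsRecords and pass the verification value and name servers exactly as Office 365 displays them.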


Setting Up The Team Site

Key Points
SharePoint Online includes a private team site by default. The team site is intended to be the document management hub for your organization and looks very similar to an on-premise team site. This familiarity helps users who are already skilled in SharePoint. In this topic, you will see how to configure the team site and other collaboration sites. You can also add a range of other collaborative sites. Many of the configuration tasks are the same as the equivalent tasks in SharePoint Server 2010 and can be accomplished with the same tools.

After you create a subscription, the default configuration includes one site collection and two sites. The top-level site is the public-facing Web site and includes predefined styles and themes. You will see more about this site in the Setting Up The Public Web Site topic. The first sub-site is the team site. Subscribers to the P1 plan are restricted to a single site collection but can create sub-sites. Enterprise subscribers can create extra site collections if they are required for more flexible administrative hierarchies.

Note: If you view Site Settings for the default team site, you will see administrative tools for a SharePoint site. Site collection tools, such as the Web Part Gallery and Solutions Gallery, will not be visible. To access these tools, click Go to top level site settings or access the Site Settings for the default Web site.

Creating Sub-Sites
As in SharePoint on-premise farms, you can create sites for each team, each project, each product, or on whatever other basis is most appropriate for your organization and its processes. The user interface is similar to the on-premise tool but includes a Silverlight application that presents site templates and helps you choose the best site template for your requirements. To create a sub-site:

1. In the default Team Site, click Site Actions, and then click New Site.
2. The Silverlight application presents six Featured Items, each of which is a site template. Click on each for more details.
3. To see a list of all the installed site templates, click Browse All at the top left of the application.
4. When you have chosen a site template, type a Title and URL and click Create. The new site is created and displayed.

Using SharePoint Designer


As you saw in Module 7, Administering SharePoint Customization, many configuration and administration tasks are possible in SharePoint Designer 2010. For example, you can create lists, document libraries, asset libraries, content types, workflows, wiki pages, and many other types of objects. You can also customize the user interface by creating and applying master pages. Connecting SharePoint Designer to SharePoint Online works in a very similar way to connecting to a SharePoint on-premise farm:
1. Start SharePoint Designer 2010 and then click Open Site.
2. In the Site name textbox, type the full URL for your team site. For example, http://contoso.sharepoint.com/.
3. If you are asked for credentials, use your Microsoft Online Services username and password.
4. Click Open. SharePoint Designer displays the site hierarchy.

Using Custom Site Templates


Custom site templates are available from a variety of sources such as CodePlex and third-party vendors. Developers within your organization can also create their own templates. You can use any site template in SharePoint Online as long as it runs as a user solution within the sandbox. For example, if code in a site template accesses data outside SharePoint Online, the sandbox prevents that action and the site template does not function correctly. To use a custom site template in SharePoint Online, first obtain a SharePoint Solution .wsp file, then take the following steps:
1. In the Team Site, click Site Actions and then click Site Settings.
2. Under Site Collection Administration, click Go to top level site settings.
3. Under Galleries, click Solutions.
4. Click the Solutions tab, and then click Upload Solution.
5. Browse to the .wsp file and then click OK.
6. Select the new solution in the list. On the ribbon, click Activate.
7. Browse to the default Team Site, click Site Actions, and then click New Site.
8. Click Browse All at the top left of the application.
9. Locate your custom site template, type a Title and URL and click Create. The new site is created and displayed.

Note: Many custom site templates created in a SharePoint on-premise farm may not work in SharePoint Online. This is because not all the features present on-premise are available in SharePoint Online. All the active features present when you created the user solution file are listed as required for that solution. If you come across this issue, determine which feature is not present in SharePoint Online. Deactivate this feature in the on-premise farm and then re-create your user solution file.


Setting Up The Public Web Site

Key Points
The SharePoint Online subscription includes a public-facing Web site with rich Web content management features. You may choose to continue using an existing Web site host, but many subscribers use their SharePoint Online Web site as their principal Internet presence because of the built-in flexibility and the simple WYSIWYG editing tools available in the browser. In this topic, you will see some of the features you can use to build this Web site. To edit the Web site:
1. Log in to Office 365. From the Office 365 Home page, click Admin.
2. Under Website, click Edit website.

SharePoint displays the Web Pages list. In the Quick Launch on the left, you can see links to the Images, Documents, and Templates lists as well as links to any sub-sites you have created.

Creating a Consistent Look and Feel


You can edit any page by clicking it in the Web Pages list. SharePoint displays the page in Edit mode with a range of tools in the ribbon. It is important to present a consistent look and feel throughout your site that includes your company's branding and projects professionalism to site visitors. Use the tools on the Design ribbon tab to make changes to the site-wide look and feel. The tab includes the following sections:
• Site: You can use this section to select a color scheme, set a page width, and create a footer text. These settings apply to all pages in the site.
• Page: You can use this section to set a background image and set the page title and the title shown in the navigation bar. These settings apply only to the page you are editing.
  Important: In the Page Properties dialog you can set keyword and description metatags. These are vital for search engine optimization. They should be different for each page in your site. Make sure they accurately reflect the content of the page.
• Header: You can use this section to select a style, theme, and text for the header shown at the top of all Web site pages.
• Navigation: You can use this section to position site navigation links and set their order. A simple, understandable navigation hierarchy is essential to help visitors locate the content they need.
• Zone: Each page contains one or more zones in which text, images, links and other content can be placed. You can use the Zone section of the Design tab to select the number and layout of zones on the current page. You can also set a background image for a zone.
• Advanced: If you have Cascading Style Sheet (CSS) skills, you can use the Advanced section to apply custom CSS code to style text, colors, links and all other aspects of the site.

Adding Content
To create a new page in the Web site, follow these steps:
1. Go to the Web Pages list, and then on the Pages tab, click New Page.
2. Choose the most appropriate page template from the list and then click Next.
3. On the Choose Page Properties page, in the Page Title textbox, type an appropriate title.
4. In the Web Address textbox, type the URL where the page will be found.
5. Under Navigation, specify the navigation title and choose a parent page.
6. Select whether to include standard page elements such as the Header and Footer.
7. Click Finish. The new page is created and shown in the Editor.

When you edit a page, the Home ribbon tab includes common editing tools such as font and paragraph formatting tools. To add richer content to the page, use the Insert ribbon tab. This includes the following sections:
• Objects: You can use this section to insert images, horizontal lines, and tables in the page at the cursor. You can choose images from the site's Images library or upload them from your computer.
• Links: You can use this section to insert a new hyperlink to internal content or an external address.
• Gadgets: You can use this section to add various types of rich content to your page. For example, you can rapidly create a slide show that cycles through images from your Images gallery, a Bing map to display a location and driving directions, a stock ticker, or a Contact Us form.
• Manage: You can use this section to reconfigure gadgets already added to the page and to reformat tables.

As with the default Team Site, you can also add sub-sites to the SharePoint Online Web site. For example, you may want to add a blog for each of your users.


Demonstration: Configuring the Web Site

This demonstration illustrates the user-friendly tools available in SharePoint Online for editing Web content. The instructor will perform this demonstration in the new Office 365 subscription created in the previous demonstration, unless an Internet connection is not available in the classroom. A recording of this demonstration is also available for student download as part of the course companion content, which can be obtained from the companion MOC site: http://www.microsoft.com/learning/en/us/training/companionmoc.aspx. You can use this to review the steps after the course.


Setting Up Office Applications

Key Points
The browser is the primary way to access Office 365 and SharePoint Online. However, by installing Office desktop software and integrating it with Office 365, maximum productivity can be achieved for users. A user can perform a variety of tasks once you complete this integration, including:
• Send and receive email and organize tasks and appointments in Outlook 2010. Although Outlook Web Access provides a rich experience in the browser, the highest functionality is only available in the Outlook desktop application.
• Arrange online meetings in Outlook and partake in them using Lync 2010. Audio, video, and data conferencing facilities are available.
• Save documents directly to SharePoint libraries from within Office applications.
• Synchronize SharePoint documents and items with the local hard drive so that documents can be edited when there is no Internet connection available.

The following sections describe how to integrate each user's desktop software with Office 365.

Install Lync 2010


All users receive Lync in their subscription. To download it, log into Office 365 and click Install Lync on the homepage. Ensure that you choose the correct version (32- or 64-bit) for your operating system and choose your preferred language. Then click Install. You can either save the executable file to a folder and run it or execute it immediately. When the installation is complete you will be asked for your Office 365 credentials to log in.

Install Office Professional Plus


If your company has a SharePoint Online Enterprise subscription you will receive product keys for Office Professional Plus. You can download this suite from the following location: http://go.microsoft.com/fwlink/?LinkId=235466


Small business subscribers do not receive the Office Suite as part of their subscription. However, they can purchase any edition of the Office Suite separately. The configuration steps in the next section will work in the same way.

Configure Office Desktop Applications


Integrate your Office Suite installation with SharePoint Online by following these steps:
1. Log into Office 365. On the Office 365 Home page, under Resources, click Downloads.
2. Under Setup and Configure your Office Desktop Apps, click Set Up. The Office 365 desktop setup tool starts.

Note: In some browsers you might be prompted to save the setup_en.exe file, and the option to execute it might not appear. If this happens, you can save the file to a local folder and execute it there.

3. The desktop setup tool scans your system for compatibility. When the scan is complete, select the applications you want to integrate with Office 365 and accept the service agreements.
4. The desktop setup adds shortcuts to your start menu, configures Outlook to send and receive email through Exchange Online, and configures Office applications to save to SharePoint Online.

SharePoint Workspace 2010


SharePoint Workspace 2010 is an important team collaboration tool that manages content for knowledge workers. Workspace can either function in a peer-to-peer configuration or use SharePoint as a hub to store documents, forms, and other items. Workspace is not included in the Standard edition of Office 2010. Importantly, Workspace automatically synchronizes SharePoint sites to your local hard drive. This enables you to continue editing and creating content when you have no Internet connection. Furthermore, any changes you make while offline are automatically uploaded when you reconnect. This facility can be very useful for mobile users who want to edit documents at client locations, on trains or planes, or at remote locations.

Additional Reading
Set Up Your Desktop for Office 365: http://go.microsoft.com/fwlink/?LinkId=219644
Software Requirements for Office 365: http://go.microsoft.com/fwlink/?LinkId=218052


Lesson 3

Administering SharePoint Online

SharePoint Online is the cloud-based version of SharePoint Server 2010, so anyone who administers an on-premise farm will find many administration tasks familiar. For example, the procedures for creating sites, applying customizations, and enabling features are similar or the same as those in previous modules. By contrast, many of the tasks that were outlined in this course are unnecessary in SharePoint Online because the SharePoint farm is configured for you. For example, installing SharePoint updates, creating Web applications, installing service applications, and monitoring SharePoint performance are all tasks carried out by Microsoft staff at data centers and not the responsibility of the subscriber. This lesson identifies the administration tasks that are important, different, or exclusive to SharePoint Online.

Objectives
After completing this lesson, you will be able to:
• Configure SharePoint Online users and authorize them to access content.
• Enable people outside your organization to access SharePoint content.
• Configure SharePoint Online for single sign-on authentication so that users are asked for credentials a minimum number of times.


User Administration

Key Points
In an on-premise SharePoint farm, Active Directory usually stores user accounts and credentials, and Active Directory Users and Computers is used to create and configure accounts. You can authorize these user accounts to access SharePoint by configuring the membership of SharePoint groups. In SharePoint Online, user accounts are actually stored in Active Directory but, instead of using Active Directory Users and Computers, there is a Web-based tool to create and configure accounts. The following sections describe how to administer Office 365 accounts and authorize them to access SharePoint content.

Office 365 User Administration


To create and configure user accounts:
1. Log into Office 365 and then, from the homepage, click Admin.
2. In the Quick Launch on the left, under Management, click Users. A list of all user accounts is displayed.

Note: Office 365 licensing is calculated on a per-user basis. Every user account you add increases licensing costs. Therefore, plan carefully which employees to create accounts for.

To create a new user account:
1. Click New, and then click User.
2. Under Name, enter identity details. If you have added a vanity domain, you can choose it for the username domain, or use the .onmicrosoft.com domain. The username cannot be changed after the account is created.
3. Under Additional Details enter extra contact information, and then click Next.
4. On the Settings page, choose the user's location and whether the new user should be an administrator for Office 365.
5. On the Licenses page, choose which products the user can access. If you have used all your licenses, you must use the Purchase tool on the Admin page to add new licenses before you can add a user account.
6. On the Email page, select an email address for the new user account. Click Finish to create the account.

Bulk User Import


Small businesses or those with limited Office 365 usage may find manual user creation as described above perfectly practical. However, it can be unwieldy as a means of creating a large number of users. Instead, you can use the bulk import tool. To use bulk import, you supply a text file in comma-separated format (a .CSV file). Each line in this file represents the properties of a new user for Office 365. The bulk import tool parses this file and creates the new users in a single operation. You can create up to 250 users with a single .CSV file, so this technique can save you a lot of time. The file must be in UTF-8 or Unicode encoding and the first line must consist of column titles. The column titles must be as follows:
• User Name (this must be the username with the domain, such as danjump@contoso.onmicrosoft.com)
• First Name
• Last Name
• Display Name
• Job Title
• Department
• Office Number
• Office Phone
• Mobile Phone
• Fax
• Address
• City
• State or Province
• ZIP or Postal Code
• Country or Region

During the bulk import process, the wizard requests some properties that will apply to all the users in the file. For example, you select the user location and the licenses to apply. If, for example, you have some users in the United States and others in the United Kingdom, create two .CSV files and perform two bulk imports.
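A pre-flight check for the bulk-import file described above, added here as an example (it is not Microsoft's tool or code from the course). It checks the encoding, the column titles, the 250-user limit and the username format stated above; the duplicate check and the use of the Country or Region column as a stand-in for the wizard's user location are assumptions of this example, and the sample rows are constructed.

```python
import csv
import io

# Column titles exactly as listed on this page, in the same order.
REQUIRED_COLUMNS = [
    "User Name", "First Name", "Last Name", "Display Name", "Job Title",
    "Department", "Office Number", "Office Phone", "Mobile Phone", "Fax",
    "Address", "City", "State or Province", "ZIP or Postal Code",
    "Country or Region",
]
MAX_USERS = 250  # per-file limit stated on this page


def decode_import_file(raw):
    """Decode UTF-16 when a BOM is present, otherwise strict UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")  # raises UnicodeDecodeError on ANSI input


def validate_bulk_import(raw):
    """Return (errors, warnings) for the raw bytes of a bulk-import file."""
    try:
        text = decode_import_file(raw)
    except UnicodeDecodeError:
        return ["file is not UTF-8 or Unicode encoded"], []
    rows = list(csv.reader(io.StringIO(text, newline="")))
    if not rows or [h.strip() for h in rows[0]] != REQUIRED_COLUMNS:
        return ["first line must be exactly the required column titles"], []
    errors, warnings = [], []
    seen, countries, count = set(), set(), 0
    for line_no, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        count += 1
        if len(row) != len(REQUIRED_COLUMNS):
            errors.append(f"line {line_no}: expected "
                          f"{len(REQUIRED_COLUMNS)} fields, found {len(row)}")
            continue
        user = row[0].strip()
        local, at, domain = user.partition("@")
        if not (local and at and domain) or "@" in domain:
            errors.append(f"line {line_no}: user name '{user}' needs the form name@domain")
        elif user.lower() in seen:
            errors.append(f"line {line_no}: duplicate user name '{user}'")
        seen.add(user.lower())
        countries.add(row[-1].strip())
    if count > MAX_USERS:
        errors.append(f"{count} users exceeds the limit of {MAX_USERS} per file")
    if len(countries) > 1:
        # Assumption: the address country is used as a proxy for user location.
        warnings.append("multiple countries: " + ", ".join(sorted(countries)))
    return errors, warnings


def sample_row(user, first, last, country):
    # Constructed sample data; only the columns the checks read are filled in.
    return ",".join([user, first, last, f"{first} {last}"] + [""] * 10 + [country])


SAMPLE = "\r\n".join([
    ",".join(REQUIRED_COLUMNS),
    sample_row("danjump@contoso.onmicrosoft.com", "Dan", "Jump", "United States"),
    sample_row("kimakers", "Kim", "Akers", "United Kingdom"),
    sample_row("DanJump@contoso.onmicrosoft.com", "Dan", "Jump", "United States"),
]).encode("utf-8")
```

Pass the file's raw bytes, for example `validate_bulk_import(open(path, "rb").read())`, before starting the wizard. For `SAMPLE` it reports the user name without a domain on line 3, the duplicate on line 4, and a warning that the rows span two countries.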

Authorizing Access to SharePoint Sites


Once you have created Office 365 user accounts for all the users, you should review the permissions that should apply for access to SharePoint resources such as the default Web site and Team site, their sub-sites and, for enterprise subscribers, other site collections. Just like in a SharePoint on-premise farm, you can authorize access to a site by using the membership of SharePoint groups. Use the following steps to grant a user permission to contribute to the default Team Site by assigning membership to the Members group:
1. Log on to Office 365. In the home page, click Visit team site.
2. Click Site Actions, and then click Site Settings.
3. Under Users and Permissions, click People and Groups.
4. In the Quick Launch on the left, under Groups, click Members.
5. Click New. Type the name of the account in the Users/Groups box, and then click the Check Names button. If the name is resolved, SharePoint underlines it.
6. Under Send E-Mail, compose the subject and body of a welcome email. This should explain the purpose of the site and the reason for the invitation. A link to the site will be added by SharePoint. Click OK.


External User Administration

Key Points
SharePoint Online is an excellent location from which to share content with people outside of your organization, such as partners or customers. For example, if your company has been hired to develop some documents and the customer wants close involvement with the authoring process, you could grant them membership to the Visitors group for the site. The customer could log into the site and see documents as they progress but make no changes.

External users can only be used to access SharePoint content. They cannot use Lync conferences or Exchange Online. You do not need to purchase an extra Office 365 license for each external user. Currently, however, each subscription is restricted to 50 users.

Note: Do not confuse a SharePoint Online External User with an Exchange External Contact. External Users grant access to SharePoint Online content; External Contacts are entries in the Exchange Global Address that are used to email contacts.

Enabling External Users


To ensure that external users can be invited, you must ensure that the External User Invitations feature is enabled:
1. Log into Office 365 and click the Visit team site link.
2. Click Site Actions, and then click Site Settings.
3. Under Site Collection Administration, click Go to top level site settings.
4. Under Site Collection Administration, click Site collection features.
5. Locate the External user invitations feature. If it is not active, click Activate.

Enterprise subscribers must also complete the following procedure to enable invitations:
1. Log into Office 365 and click the Admin link.
2. Under SharePoint Online, click Manage.
3. In the SharePoint Online Administration Center, click Manage site collections. Ensure you do not select a site collection.
4. On the ribbon, click Settings and then click Manage External Users.
5. In the External Users dialog, click Allow and then click Save.

Inviting External Users


To invite an external user and grant them access to SharePoint content, perform the following steps:
1. Browse to the SharePoint site you want to grant access to. Click Site Actions and then click Share Site.
2. Enter one or more email addresses in the Visitors textbox. These users will be able to browse the site and download documents but not make changes.
3. Enter one or more email addresses in the Members textbox. These users will be able to create and edit items and documents.

Note: To ensure security, Microsoft only permits users with Microsoft Online Services accounts or Windows Live accounts to access SharePoint Online as external users. Create a Live account for any users that do not already have one. To do this, go to: http://go.microsoft.com/fwlink/?LinkId=133221

4. Enter a subject and a message that will be sent to the addresses you configure. The message includes links to accept the invitation and add the SharePoint site to favorites.


Single Sign-On and Office 365

Key Points
Users dislike having to remember credentials and grumble when passwords expire, even though these measures are vital for security. If you use Active Directory to store user accounts on premise, you can enable those user accounts to be used to access Office 365 services. This has the following advantages:
• Each user must only remember a single username and password.
• Users are less likely to forget their passwords and require an administrator to reset them. They are also less likely to write down their passwords, thus compromising security.
• Users are prompted for credentials less often.

Active Directory Federation Services 2.0 (AD FS) is required to synchronize Active Directory user accounts with Office 365. A relying party trust relationship is established between AD FS and Office 365. This trust acts as a secure channel through which authentication tokens can flow. The following sections describe how to set up single sign-on for Office 365. Single sign-on and Active Directory synchronization are only available to Office 365 Enterprise subscribers.

Note: Setting up single sign-on is an advanced task that requires Active Directory and AD FS skills. It is too involved to cover in detail in this SharePoint course. Here you will see the main stages and find links to sources of the full step-by-step procedures.

Prepare for Single Sign-On


Ensure that your Active Directory forest conforms to the following requirements:
• Active Directory Domain Controllers run Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 operating systems.
• Use Windows Update to ensure that client operating systems are up-to-date. Windows 7, Vista, and XP are supported.
• User accounts must have full User Principal Names (UPNs) such as administrator@contoso.com. These UPNs must not be in a .local domain.

You can use the Office 365 Deployment Readiness Tool to test your Active Directory. You can find this tool at: http://go.microsoft.com/fwlink/?LinkId=219173.

Deploy AD FS 2.0
You should plan, deploy and configure AD FS on your premises. This service exchanges tokens and synchronizes account changes between Active Directory and Office 365. Read more about planning and deploying AD FS at: http://go.microsoft.com/fwlink/?LinkId=212852

Establish the Trust Relationship


To create the trust relationship between AD FS and Office 365, you must install some PowerShell extensions and use them to make the connection. This process involves the following steps:
1. Download and install the Microsoft Online Service Module.
2. Use the New-MsolFederatedDomain cmdlet to establish the trust relationship.

For more details of this process, see: http://go.microsoft.com/fwlink/?LinkId=235468

Set Up Active Directory Synchronization


Active Directory Synchronization is required to exchange user account changes such as password resets. This setup involves the following steps:
1. Install the Microsoft Online Services Directory Synchronization Tool.
2. Synchronize directories and verify that security principals synchronize correctly.
3. Activate synchronized user accounts in Office 365.

For more details of this process, see: http://go.microsoft.com/fwlink/?LinkId=190629

Additional Reading
Single Sign-On Roadmap: http://go.microsoft.com/fwlink/?LinkId=239821


Module Review and Takeaways

Review Questions
1. You are evaluating SharePoint Online and comparing it to a SharePoint on-premise farm you have already implemented. When you designed your on-premise farm, you included Redundant Array of Inexpensive Disk (RAID) arrays, load balanced front-end servers, and clustered database servers for high availability. Your manager is concerned that availability from SharePoint Online might not be as good. What do you tell him?
2. You have moved your Web site, email services and instant messaging facilities to Office 365 including a vanity domain. Should you cancel all services from your old ISP?
3. You have used all the Office 365 licenses you purchased for office staff. You are starting a new project with a new customer. How can you grant them access to a SharePoint Team site without buying extra licenses?

Best Practices Related to a Particular Technology Area in this Module


Add a vanity domain to Office 365 to ensure that the Web site, email addresses, and other properties reflect your company's branding.

Tools
Tool: Office 365 Deployment Readiness Tool
Use for: This tool checks your Active Directory to ensure that servers are at the correct version level and user accounts have suitable UPNs.
Where to find it: http://go.microsoft.com/fwlink/?LinkId=219173

Tool: Microsoft Online Services Module
Use for: This tool adds a range of commands to PowerShell that can be used to establish a trust relationship for single sign-on.
Where to find it: http://go.microsoft.com/fwlink/?LinkId=235468


Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential, and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.
