Microsoft Learning Product
Volume 1
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2012 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
MICROSOFT LICENSE TERMS OFFICIAL MICROSOFT LEARNING PRODUCTS MICROSOFT OFFICIAL COURSE Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. These license terms also apply to any updates, supplements, internet based services and support services for the Licensed Content, unless other terms accompany those items. If so, those terms apply. BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT. If you comply with these license terms, you have the rights below. 1. DEFINITIONS. a. Authorized Learning Center means a Microsoft Learning Competency Member, Microsoft IT Academy Program Member, or such other entity as Microsoft may designate from time to time. b. Authorized Training Session means the Microsoft-authorized instructor-led training class using only MOC Courses that are conducted by a MCT at or through an Authorized Learning Center. c. Classroom Device means one (1) dedicated, secure computer that you own or control that meets or exceeds the hardware level specified for the particular MOC Course located at your training facilities or primary business location. d. End User means an individual who is (i) duly enrolled for an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee. e. Licensed Content means the MOC Course and any other content accompanying this agreement. Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media. f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft Certification in the technology that is the subject of the training session.
g. Microsoft IT Academy Member means a current, active member of the Microsoft IT Academy Program. h. Microsoft Learning Competency Member means a Microsoft Partner Network Program Member in good standing that currently holds the Learning Competency status. i. Microsoft Official Course or MOC Course means the Official Microsoft Learning Product instructor-led courseware that educates IT professionals or developers on Microsoft technologies. j. Microsoft Partner Network Member or MPN Member means a silver or gold-level Microsoft Partner Network program member in good standing.
k. Personal Device means one (1) device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular MOC Course. l. Private Training Session means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer. m. Trainer Content means the trainer version of the MOC Course and additional content designated solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not include virtual hard disks or virtual machines.
2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content. 2.1 Below are four separate sets of installation and use rights. Only one set of rights applies to you.
a. If you are an Authorized Learning Center: i. If the Licensed Content is in digital format for each license you acquire you may either: 1. install one (1) copy of the Licensed Content in the form provided to you on a dedicated, secure server located on your premises where the Authorized Training Session is held for access and use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching the Authorized Training Session, or 2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom Device for access and use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching the Authorized Training Session. ii. You agree that: 1. you will acquire a license for each End User and MCT that accesses the Licensed Content, 2. each End User and MCT will be presented with a copy of this agreement and each individual will agree that their use of the Licensed Content will be subject to these license terms prior to their accessing the Licensed Content. Each individual will be required to denote their acceptance of the EULA in a manner that is enforceable under local law prior to their accessing the Licensed Content, 3. for all Authorized Training Sessions, you will only use qualified MCTs who hold the applicable competency to teach the particular MOC Course that is the subject of the training session, 4. you will not alter or remove any copyright or other protective notices contained in the Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and servers at the end of the Authorized Training Session, 6. you will only provide access to the Licensed Content to End Users and MCTs, 7. you will only provide access to the Trainer Content to MCTs, and 8. any Licensed Content installed for use during a training session will be done in accordance with the applicable classroom set-up guide.
b. If you are an MPN Member. i. If the Licensed Content is in digital format for each license you acquire you may either: 1. install one (1) copy of the Licensed Content in the form provided to you on (A) one (1) Classroom Device, or (B) one (1) dedicated, secure server located at your premises where the training session is held for use by one (1) of your employees attending a training session provided by you, or by one (1) MCT that is teaching the training session, or 2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom Device for use by one (1) End User attending a Private Training Session, or one (1) MCT that is teaching the Private Training Session. ii. You agree that: 1. you will acquire a license for each End User and MCT that accesses the Licensed Content, 2. each End User and MCT will be presented with a copy of this agreement and each individual will agree that their use of the Licensed Content will be subject to these license terms prior to their accessing the Licensed Content. Each individual will be required to denote their acceptance of the EULA in a manner that is enforceable under local law prior to their accessing the Licensed Content, 3. for all training sessions, you will only use qualified MCTs who hold the applicable competency to teach the particular MOC Course that is the subject of the training session, 4. you will not alter or remove any copyright or other protective notices contained in the Licensed Content, 5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and servers at the end of each training session, 6. you will only provide access to the Licensed Content to End Users and MCTs, 7. you will only provide access to the Trainer Content to MCTs, and 8. any Licensed Content installed for use during a training session will be done in accordance with the applicable classroom set-up guide.
c. If you are an End User: You may use the Licensed Content solely for your personal training use. If the Licensed Content is in digital format, for each license you acquire you may (i) install one (1) copy of the Licensed Content in the form provided to you on one (1) Personal Device and install another copy on another Personal Device as a backup copy, which may be used only to reinstall the Licensed Content; or (ii) print one (1) copy of the Licensed Content. You may not install or use a copy of the Licensed Content on a device you do not own or control.
d. If you are an MCT. i. For each license you acquire, you may use the Licensed Content solely to prepare and deliver an Authorized Training Session or Private Training Session. For each license you acquire, you may install and use one (1) copy of the Licensed Content in the form provided to you on one (1) Personal Device and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Licensed Content. You may not install or use a copy of the Licensed Content on a device you do not own or control. ii. Use of Instructional Components in Trainer Content. You may customize, in accordance with the most recent version of the MCT Agreement, those portions of the Trainer Content that are logically associated with instruction of a training session. If you elect to exercise the foregoing rights, you agree: (a) that any of these customizations will only be used for providing a training session, (b) any customizations will comply with the terms and conditions for Modified Training Sessions and Supplemental Materials in the most recent version of the MCT agreement and with this agreement. For clarity, any use of "customize" refers only to changing the order of slides and content, and/or not using all the slides or content; it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you may not separate the components and install them on different devices. 2.3 Reproduction/Redistribution Licensed Content. Except as expressly provided in the applicable installation and use rights above, you may not reproduce or distribute the Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft. 2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These license terms will apply to your use of those third party programs or services, unless other terms accompany those programs and services. 2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to that respective component and supplement the terms described in this Agreement.
3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release (beta) version, in addition to the other provisions in this agreement, then these terms also apply: a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final version. We also may not release a final version. Microsoft is under no obligation to provide you with any further content, including the final release version of the Licensed Content. b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose.
You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software, technologies, or products to third parties because we include your feedback in them. These rights survive this agreement. c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content, whichever is earliest (beta term). Upon expiration or termination of the beta term, you will irretrievably delete and destroy all copies of same in the possession or under your control.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content, which may change or be canceled at any time. a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an Internet-based wireless network. In some cases, you will not receive a separate notice when they connect. Using the Licensed Content operates as your consent to the transmission of standard device information (including but not limited to technical information about your device, system and application software, and peripherals) for internet-based services. b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could harm it or impair anyone else's use of it. You may not use the service to try to gain unauthorized access to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways.
Except as expressly permitted in this agreement, you may not: install more copies of the Licensed Content on devices than the number of licenses you acquired; allow more individuals to access the Licensed Content than the number of licenses you acquired; publicly display, or make the Licensed Content available for others to access or use; install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend, make available or distribute the Licensed Content to any third party, except as expressly permitted by this Agreement; reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation; access or use any Licensed Content for which you are not providing a training session to End Users using the Licensed Content; access or use any Licensed Content that you have not been authorized by Microsoft to access and use; or transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.
6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that appear on the Licensed Content or any components thereof, as delivered to you.
7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, End Users and end use. For additional information, see www.microsoft.com/exporting.
8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.
9. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.
10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you agree to immediately stop all use of and to irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control.
11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are the entire agreement for the Licensed Content.
13. APPLICABLE LAW. a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort. b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT CORPORATION AND ITS RESPECTIVE SUPPLIERS. This limitation applies to (i) anything related to the Licensed Content, services made available through the Licensed Content, or content (including code) on third party Internet sites or third-party programs; and (ii) claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law. It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French. (The French clauses are given here in English.) Note: Since this Licensed Content is distributed in Quebec, Canada, certain clauses of this agreement are provided below in French. DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is provided "as is". Any use of this Licensed Content is at your sole risk and peril. Microsoft grants no other express warranty. You may have additional rights under local consumer protection law that this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded. LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from Microsoft and its suppliers compensation for direct damages only, up to US$5.00. You may not claim any compensation for other damages, including special, indirect or incidental damages and lost profits. This limitation applies to: anything related to the Licensed Content, to services or to content (including code) appearing on third party Internet sites or in third party programs; and claims for breach of contract or warranty, or on the grounds of strict liability, negligence or other fault, to the extent permitted by applicable law. It also applies even if Microsoft knew or should have known of the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of any kind, the above limitation or exclusion may not apply to you. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change the rights conferred on you by the laws of your country if those laws do not permit it to do so.
Revised December 2011
Acknowledgements
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.
Alistair Matthews
A consultant with extensive and cutting-edge experience in Microsoft technologies, Alistair has spent the last 10 years developing with, consulting on, and communicating about both the developer and IT professional sides of SharePoint, Visual Studio, Active Directory, Exchange, and Windows. He is currently most interested in SharePoint Web Content Management and likes to impress clients with elegant publishing workflows and custom UI elements. He's also more excited about Office 365 than he cares to admit. Alistair has a particular passion for writing about technology and has contributed to many Microsoft Learning courses, MSDN and TechNet articles, and white papers. He is the principal consultant at Web Dojo Ltd and lives the telecommuting dream in Cornwall, UK.
SharePoint technologies, BizTalk, Commerce Server, and Content Management Server with other Microsoft and non-Microsoft platforms.
Contents
Module 1: Introducing SharePoint 2010
Lesson 1: Evaluating the Features of Microsoft SharePoint 2010 ... 1-3
Lesson 2: Preparing for SharePoint 2010 ... 1-26
Lesson 3: Installing SharePoint 2010 ... 1-41
Lesson 4: Advanced Installation of SharePoint 2010 ... 1-57
Lab: Installing SharePoint 2010 ... 1-67
Course Description
This five-day instructor-led course teaches students how to install, configure, and administer Microsoft SharePoint and also how to manage and monitor sites and users by using Microsoft SharePoint 2010. It covers Microsoft SharePoint 2010 Service Pack 1 and SharePoint Online.
Audience
This course is intended for IT professionals who are experienced Windows Server 2003 or 2008 administrators and are interested in learning how to administer SharePoint 2010 SP1 or SharePoint Online. The course is also intended for part-time Business Application Administrators (BAAs) who are engaged in administering Line of Business (LOB) applications in conjunction with internal business customers.
Student Prerequisites
In addition to their professional experience, students who attend this training should have experience in:
- Administering Active Directory by creating and managing user and group accounts, delegating administration, and configuring Group Policy in an enterprise environment.
- Administering network infrastructure: DNS and TCP/IP connectivity.
- General conceptual awareness of the Microsoft .NET Framework as it relates to SharePoint 2010.
- Administering Microsoft SQL Server 2005 or 2008: creating logins, assigning roles, and using Microsoft SQL Server Management Studio.
- One year's experience using Windows PowerShell cmdlets.
- Understanding and implementing best practices for general security and authentication.
- Windows client management experience with either Windows Vista or Windows 7.
Course Objectives
After completing this course, students will be able to:
- Prepare for and install Microsoft SharePoint 2010.
- Configure the fundamental service and logical components of a SharePoint implementation.
- Administer SharePoint using the user interface, the command line, and Windows PowerShell.
- Manage content in lists and libraries.
- Administer identities and authentication.
- Secure content in SharePoint sites.
- Manage customizations to a SharePoint implementation.
- Configure SharePoint services and applications.
- Configure SharePoint social networking features.
- Manage SharePoint Search.
- Configure farms, servers, service applications, and web applications.
- Install, upgrade, configure, and operate a SharePoint farm.
- Configure high availability and recoverability.
- Monitor and optimize SharePoint performance.
- Understand the differences between on-premise and online deployments of SharePoint, as well as how to subscribe to and administer SharePoint Online.
Course Outline
This section provides an outline of the course:
Module 1: Introducing Microsoft SharePoint 2010: This module explores the role of Microsoft SharePoint 2010 in delivering business collaboration solutions in the enterprise and on the Internet. You are introduced to the various SharePoint product offerings, including SharePoint Online, and you examine what it takes to get SharePoint up and running: from preparing your infrastructure, to configuring related technologies and products, to deploying SharePoint servers and farms using both out-of-box installation wizards and scripts.
Module 2: Creating a SharePoint 2010 Intranet: In this module, you will create a SharePoint-based intranet and, as you do so, you will examine key concepts and skills related to the logical architecture of SharePoint, including web applications, site collections, sites, and content databases.
Module 3: Administering and Automating SharePoint: This module covers how to apply the full range of options for administering and automating SharePoint: Central Administration, STSADM, and PowerShell. The module also introduces students to the logs.
Module 4: Configuring Content Management: This module explains how to manage content (lists, libraries, items and documents). It examines how to configure SharePoint and SQL Server to ensure optimal content storage and access, how to create content types and site columns to describe your content, and how to set up the managed metadata service application to tag and classify content.
Module 5: Configuring Authentication: This module describes the process of administering authentication to SharePoint web applications. It examines classic SharePoint authentication providers followed by details of federated authentication.
Module 6: Securing Content: This module introduces you to managing security of SharePoint content within a web application. It examines how to assign permissions and administer groups, how to implement SharePoint roles and role assignments, and provides details on securing and auditing SharePoint content.
Module 7: Managing SharePoint Customizations: This module describes how to customize the SharePoint environment to meet your organizational needs. It explores how to deploy and manage SharePoint features and solutions, and how to configure sandboxed solutions.
Module 8: Configuring and Securing SharePoint Services and Applications: This module shows you how to manage the SharePoint service as a whole, as well as individual services and service applications. It provides instruction on how to secure your enterprise-level SharePoint service, how to secure web applications, and how to configure SharePoint services and service applications.
Module 9: User Profiles and Social Networking: This module describes how to manage and configure user profiles and My Sites, and how to implement SharePoint 2010 social networking features.
Module 10: Administering and Configuring SharePoint Search: This module discusses how to administer and configure SharePoint Search, and how to refine searches.
Module 11: Implementing Productivity Service Applications: This module examines how to configure specific service applications. It covers Business Connectivity Services (BCS), Excel Services, PerformancePoint Services, InfoPath Services, Visio Services, and Access Services. This module also provides details on installing Office Web Applications.
Module 12: Installing and Upgrading to SharePoint 2010: This module examines how to install and upgrade to SharePoint 2010 in a variety of scenarios, and how to keep SharePoint 2010 current. It examines the installation of SharePoint servers and farms, the upgrade of SharePoint 2007 to SharePoint 2010, and the planning of those installations and upgrades. This module also focuses on how to apply updates to your SharePoint environment.
Module 13: Implementing Business Continuity: This module shows you how to configure business continuity for SharePoint. It examines how to protect and recover content, how to perform backup and restore operations, and how to implement high availability solutions with SharePoint Server.
Module 14: Monitoring and Optimizing SharePoint Performance: This module examines how to monitor SharePoint performance, health, and usage, and how to identify and remediate performance and health problems. It covers the monitoring of logs to establish a baseline for performance, how to configure SharePoint Health Analyzer, how to configure usage reports and web analytics, and details on overall performance and optimization of SharePoint servers.
Module 15: SharePoint Online and Office 365: This module introduces Microsoft's cloud services and Microsoft SharePoint Online. It examines the components of Office 365, compares the functionality of SharePoint Online to that of a SharePoint on-premise farm, and describes how to create and configure an Office 365 subscription to host a website, team collaboration sites, and connections to desktop software. This module examines how to enable users (in and outside your organization), and how to access SharePoint Online and perform other administrative tasks.
Exam/Course Mapping
This course, 10174B: Configuring and Administering Microsoft SharePoint 2010, has a direct mapping of its content to the objective domain for the Microsoft exam 70-667: TS: Microsoft SharePoint 2010, Configuring. The table below is provided as a study aid that will assist you in preparing for this exam and shows you how the exam objectives and the course content fit together. The course is not designed exclusively to support the exam; rather, it provides broader knowledge and skills to allow a real-world implementation of the particular technology. The course will also contain content that is not directly covered in the examination and will utilize the unique experience and skills of your qualified Microsoft Certified Trainer.
Note: The exam objectives are available online at the following URL: http://go.microsoft.com/fwlink/?LinkId=241352
70-667 TS: Microsoft SharePoint 2010, Configuring Exam Objective Domain | Course Content (Module / Lesson / Lab Exercise)

Installing and Configuring a SharePoint Environment
    Deploy new installations and upgrades: Module 1 (Lessons 2/3/4; Lab: Ex 1/2/3/6); Module 12 (Lessons 1/2/3; Lab A: Ex 1/2/3/4; Lab B: Ex 1/2/3)
    Configure indexing and search.

Managing a SharePoint Environment
    Manage operational settings.
    Manage authentication providers.

Deploying and Managing Applications
    Manage Web Applications.

Maintaining a SharePoint Environment
    Back up and restore a SharePoint environment.

[The module, lesson, and lab exercise cells for the remaining objectives were scrambled in this copy of the table and are not reproduced here.]
Important Note: Attending this course alone will not successfully prepare you to pass any associated certification exams.
The taking of this course does not guarantee that you will automatically pass any certification exam. In addition to attendance at this course, you should also have the following:
    A minimum of 1-2 years of real-world, hands-on experience configuring and implementing a Microsoft SharePoint 2010 environment
    Additional study outside of the content in this handbook
There are additional study and preparation resources, such as practice tests, available for you to prepare for this exam. The details of these are available at the following URL: http://go.microsoft.com/fwlink/?LinkId=239934

You should familiarize yourself with the audience profile and exam prerequisites to ensure you are sufficiently prepared before taking the certification exam. The complete audience profile for this exam is available at the following URL: http://go.microsoft.com/fwlink/?LinkId=239935

The exam/course mapping table outlined above is accurate at the time of printing; however, it is subject to change at any time, and Microsoft bears no responsibility for any discrepancies between the version published here and the version available online and will provide no notification of such changes.
Course Materials
The following materials are included with your kit:

Course Handbook: A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.
    Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
    Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
    Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
    Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's needed.

Course Companion Content on the site http://www.microsoft.com/learning/companionmoc/: Searchable, easy-to-navigate digital content with integrated premium online resources designed to supplement the Course Handbook.
    Modules: Include companion content, such as questions and answers, detailed demo steps, and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
    Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN, Microsoft Press, and other locations.
    SharePoint Online Demonstration Files: The files below are also available to you as part of the companion content. These files are recordings of demonstrations that your instructor will carry out in Module 15. They cover basic features and functionality of Office 365 and SharePoint Online.
        SetupO365TrialSubscription_Demo.wmv
        SPOWebsiteConfiguration_Demo.wmv
        SetupO365TrialSubscription_TranscriptandDemoSteps.docx
        SPOWebsiteConfiguration_TranscriptandDemoSteps.docx

Student Course Files on the http://www.microsoft.com/learning/companionmoc/ site: Includes Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

Course Evaluation
At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor. To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.
Note: This course is number 10174B while the virtual machine names all contain the number 10174A. This is entirely as expected and by design.
Software Configuration
The following software is installed on the virtual machines:
    Windows Server 2008 R2
    Microsoft SharePoint 2010
    Microsoft Office SharePoint Server 2007
    Microsoft Office 2010
    Microsoft SQL Server 2008 R2
Course Files
There are files associated with the labs in this course. The lab files are located on the student computers.
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
In addition, the instructor computer must be connected to a projection display device that supports SVGA 1024 x 768, 16-bit color.
Module 1
Introducing Microsoft SharePoint 2010
Contents:
Lesson 1: Evaluating the Features of Microsoft SharePoint 2010    1-3
Lesson 2: Preparing for SharePoint 2010    1-26
Lesson 3: Installing SharePoint 2010    1-41
Lesson 4: Advanced Installation of SharePoint 2010    1-57
Lab: Installing SharePoint 2010    1-67
Module Overview
Microsoft SharePoint 2010 (the collection of products and technologies that includes SharePoint Server 2010 and SharePoint Foundation 2010) offers a broad range of functionality that addresses a vast number of business collaboration scenarios. The SharePoint platform sits on, and depends on, a number of other Microsoft products and technologies. In this module, you explore the role of SharePoint 2010 in delivering business collaboration solutions in the enterprise and on the Internet. You will be introduced to the various SharePoint product offerings and flavours, including SharePoint Online. You then learn what it takes to get SharePoint up and running: from preparing your infrastructure, to configuring related technologies and products, to deploying SharePoint servers and farms using both out-of-box installation wizards and scripts.
Objectives
After completing this module, you will be able to:
    Describe the features of Microsoft SharePoint Server 2010 and other SharePoint products and technologies.
    Prepare hardware and software for a SharePoint Server 2010 installation.
    Perform an installation of a single-server SharePoint 2010 farm.
    Perform a scripted installation of SharePoint 2010 on a single server.
Lesson 1: Evaluating the Features of Microsoft SharePoint 2010

Microsoft SharePoint 2010 is the business collaboration platform for the enterprise and the Internet. SharePoint 2010 is a complex and potentially powerful product that delivers a lot of functionality to address varying day-to-day business needs. In this lesson, you learn just how much technology is available in the product, and you dissect the technical capabilities and features that are driving enterprises around the world to adopt SharePoint 2010.

After completing this lesson, you will be able to:
    Describe the value proposition of SharePoint 2010.
    Describe the SharePoint 2010 platform.
    Describe the key SharePoint products and technologies.
    Describe the key SharePoint capabilities, such as sites, communities, content, search, insights, and composites.
    Identify the new features introduced in Service Pack 1.
    Describe how SharePoint Online makes SharePoint features available as a service in the cloud and how it fits into Office 365.
The value proposition for SharePoint is that SharePoint is the business collaboration platform for the enterprise and the Internet. Microsoft invested heavily in the development of SharePoint Server 2010 to deliver features that enable an enterprise to do the following:
    Deliver the best productivity experience. The end-user experience of SharePoint Server 2010 builds on familiar user interfaces and tools.
    Cut costs with a unified infrastructure. SharePoint 2010 performs roles that have been, in many enterprises, provided by other disparate systems. Now those roles can be consolidated onto SharePoint 2010.
    Rapidly respond to business needs. SharePoint 2010 provides a diverse feature set addressing many business collaboration scenarios, with out-of-box functionality, a rich collection of community-generated solutions, and extensibility to support custom solutions.
SharePoint is a platform that itself extends and depends on many components of the broader Microsoft technologies suite. This visualization of the platform shows the dependencies, both required and available, between components of the technology stack. Each component of the platform contributes specific features and functionality. Windows Server 2008 or Windows Server 2008 R2 provides the core operating system functionality, including the security subsystem. The Microsoft .NET Framework provides the framework for SharePoint, which is a .NET application running within Internet Information Services (IIS). SharePoint Foundation 2010 delivers fundamental SharePoint functionality, including service management, security, integration with Microsoft Office client applications, and core collaborative features such as lists and libraries. SharePoint Server 2010 builds on SharePoint Foundation, adding social networking, enterprise search, business intelligence, and other features.

Note: The features provided by SharePoint Foundation 2010 and SharePoint Server 2010 are detailed later in this module.

SharePoint uses identity services that can include Active Directory Domain Services or other claims-based authentication providers. Some of these identity services, such as forms-based authentication, rely on the .NET Framework. SharePoint content is stored in Microsoft SQL Server. SharePoint is a highly extensible platform. Independent software vendors (ISVs), the community, customers, and Microsoft itself deliver solutions that depend on SharePoint Foundation or SharePoint Server.
There is a wide array of products and technologies that make up SharePoint, including the following:
    SharePoint Foundation 2010, which is licensed with Windows Server at no additional cost and provides many common features for building websites, portals, intranets, and content management solutions.
    SharePoint Server 2010 for Intranet Scenarios, which is licensed with Standard or Enterprise features. The features provided by SharePoint Foundation 2010 and SharePoint Server 2010 are detailed later in this module.
    SharePoint Server 2010 for Internet Sites, which is licensed for access by large numbers of users and by non-authenticated users.
    Office Web Apps, which enable users to view and edit Office documents in the browser.
    FAST Search for SharePoint 2010, which provides industry-leading, highly scalable enterprise search facilities to SharePoint farms.
    FAST Search for SharePoint 2010 for Internet Sites, which is licensed for access by large numbers of users and by non-authenticated users.
    Search Server 2010 and Search Server Express 2010, which provide the search functionality of SharePoint Server.
    SharePoint Online, which implements SharePoint as a cloud-based service. SharePoint Online is a key part of Office 365 and is covered in more detail in Module 15, SharePoint Online and Office 365.
Additionally, a vast selection of community-generated solutions and applications by ISVs extends the capabilities and feature set of SharePoint 2010. It is important that you understand your business requirements so that you can choose the best mix of products and technologies.
Sites
The sites capability includes functionality that delivers and personalizes content to users, provides manageability and scalability to administrators, enables developers to customize and extend SharePoint, and allows an enterprise to implement SharePoint along with other solutions or to consolidate the functionality provided by disparate collaboration solutions into SharePoint.
Content Delivery
The sites capability offers the following components, features, and functionality to deliver content to users:
    Core content structures: Web applications, site collections, sites, lists, libraries
    Services to render content: Multiple browsers; Mobile browsers; Accessibility standards (WCAG 2.0)
    Rich Web experience: Ribbon user interface (UI): Familiar Office UI; Web Edit: Rich content editing
    Interfaces for rich and offline client experiences: Office client applications; SharePoint Workspace; Office Web Applications

SharePoint Foundation 2010 delivers the core functionality of SharePoint and provides most of the features in the sites capability. Content structures such as Web applications, site collections, and sites are discussed in Module 2, Creating a SharePoint 2010 Intranet.

SharePoint 2010 significantly expands browser support, as detailed in Lesson 2 of this module. Additionally, you can access content using mobile browsers. SharePoint is compliant with WCAG 2.0 accessibility standards out of the box. A number of components, services, features, and interfaces of SharePoint are designed to deliver a unified, efficient, and familiar experience to end users. SharePoint 2010 offers a variety of modalities through which users can interact with content, including Office client integration, SharePoint Workspace and other applications that provide offline access to SharePoint, and Office Web Apps, which enable browser-based viewing, editing, and coauthoring of documents.

Question: What important business objectives do the content delivery capabilities in the sites capability (its components, features, and the many ways it gives you to interact with content) support?
Content Personalization
The sites capability offers components, features, and functionality to support personalizing the delivery of content. Features that personalize the user's experience with content include:
    My Sites
    User tagging
    Content targeting
    Multilingual support

One user may not need, want, or be allowed to see the same content that another user sees. The SharePoint sites capability delivers functionality to individualize (to personalize) the user experience. My Site is a user's individual Web page, exposing that user's profile, shared information and documents, expertise, organizational relationships, and social activities to other users. Additionally, a user's My Site can provide a personalized navigation and view of enterprise resources. User tagging is an important new functionality of SharePoint 2010. Documents, lists, libraries, sites, and users can be tagged. These tags can then be used to associate a user with content that is of interest to that person. Content targeting is the ability of an administrator to push content to one or more users based on those users' shared characteristics, including their group membership. SharePoint provides multilingual support. SharePoint can support content, services, and tags in a wide range of languages. A site can be rendered to a user in that user's language and can be switched to another language on the fly.
SharePoint is centrally managed using the Central Administration site and Windows PowerShell. It supports governance, security, and compliance at multiple levels, for almost every feature. SharePoint Server 2010 provides greater scalability, manageability, and availability.
SharePoint provides a unified infrastructure that delivers a broad range of functionality that might otherwise take several tools from other vendors to deliver, which you would then have to integrate yourself. This infrastructure gives you a single way to deploy, secure, manage, maintain, back up, and monitor operations.

Question: What are the business outcomes supported by interoperability?

Question: What are the business outcomes supported by platform consolidation?
Additional Reading
Microsoft SharePoint 2010 Sites (SP2010_Sites_Datasheet.pdf) at http://go.microsoft.com/fwlink/?LinkID=197249&clcid=0x409
Communities
The communities capability encompasses much of what people think of as business collaboration.
Enterprise Collaboration
The communities capability offers the following components, features, and functionality to enable collaboration between users:
    Lists: Fundamental construct in which content is stored; Out-of-box lists: Calendar, contacts, tasks, announcements, surveys
    Libraries: Fundamental construct in which documents are stored; Version control, check in, check out, document workflows
    Alerts and Really Simple Syndication (RSS)
    Business process automation: Workflows; Out-of-box workflows; Document routing; SharePoint Designer 2010

SharePoint Foundation delivers much of the out-of-box enterprise collaboration functionality that makes up the communities capability.
    Active Directory and other sources
    Attributes: Biography, job title, location, contact information, previous projects, interests, skills
    Photos, presence, and contact card
    Organizational relationships: Manager, teams, colleagues (Add a Colleague)
    Expertise: Assigned or professed (Ask Me About)
    Social data mining: SharePoint teams; Office Communicator contacts; E-mail communication patterns and content
    Colleague and keyword suggestion

Following are some important points related to identity and profiles: My Sites are the social networking hub for interacting with individuals in an organization, designed to help build relationships between users and to connect people in an organization. User profiles are a collection of attributes that can be synchronized with Active Directory and other sources. Users can also define their own attributes. A user's My Site exposes the user's profile, and SharePoint enables the organization and the individual to manage the visibility of profile attributes to various audiences. User photos, presence, and contact information are displayed throughout the SharePoint UI. Relationships are defined by authoritative sources, such as Active Directory, by user membership in teams, and by users, who can add their own colleagues. Expertise can be defined centrally and by the user through the Ask Me About section of their profile. SharePoint can discover and suggest areas of expertise by mining the user's memberships, contacts, e-mail communication patterns, and e-mail content. Through such mining activities, SharePoint can suggest keywords and colleagues to help users refine their profile.
Following are some important points related to user-generated content and user feedback:
User feedback encompasses activities and channels through which users give input on content. User feedback information can help users discover and make use of content based on what others think of the content. The note board is similar to the wall in Facebook. A user's My Site has a note board, but any site, library, list, or document can also have a note board. Social bookmarking is a way to share favorite sites with a community of users and to discover new sites and resources from colleagues with similar interests. It replaces the My Links feature in SharePoint 2007.
Business Communities
By combining the power of collaborative capabilities with social computing technologies, SharePoint enables an organization to achieve the goals of both the customer (user base) and manager (IT) of the technology.
Content
A fundamental output of users and business collaboration activities is content. The content capability delivers functionality that supports the management of content throughout its life cycle. SharePoint interoperates with or replaces other content management systems.
Following are some important points related to support for content and interaction with content:
Question: What business outcomes does SharePoint's support for a variety of content types and modalities of interaction with the content facilitate?
Following are some important points related to document and records management:
Question: What are the business outcomes supported by SharePoint's support for a variety of content types and modalities of interaction with the content?
Following are some important points related to definition of content and metadata:
structure that can be delegated to appropriate business owners. Tags can be centrally driven (taxonomy), user submitted (folksonomy), or both, and tags are enabled for multiple languages. The MMS also deploys content types across sites, site collections, Web applications, and farms so that an enterprise can maintain better control over the definition of, and the metadata associated with, content, as well as the information management policies for that content. You can use metadata (tags) in numerous ways, and SharePoint 2010 provides a variety of methods with which to tag content and view tags. You can even have tags applied to content automatically, based on the item's location or other rules. Additionally, you can use metadata to create dynamic navigation and to provide search refiners.
Some important points related to manageability and extensibility of the content capability are as follows:
Question: What are the business outcomes supported by extensibility and interoperability in the content capability?
Additional Reading
Microsoft SharePoint Server Content (SP2010_Content_Datasheet.pdf) at http://go.microsoft.com/fwlink/?LinkID=197250&clcid=0x409
Search
Users can browse SharePoint's content structures (sites, lists, and libraries) for content, but searching is often a more effective means of locating content. The search capability is self-explanatory and is detailed in Module 11.
Following are some important points related to people and expertise search:
Following are some important points related to content sources, indexing, and query:
    Hit highlighting
    Results summaries
    Visual search: Thumbnails; Previews; View in browser
    Refinement panel and sorting driven by metadata: Includes social distance, other people, and expertise metadata
    Exact result counts with refiners (FAST)
    Search from the desktop, browser, or Windows mobile device

Search results are rich, with hit highlighting, summaries, and visual search features including thumbnails, previews, and view-in-browser. Metadata-driven refinement, including social metadata, provides navigation, sorting, filtering, and narrowing down of your results. Adding FAST provides exact result counts. Users can search SharePoint from the desktop using Windows 7 federated search, from one of several browsers on several platforms, or from a Windows mobile device.
Following are some important points related to manageability and extensibility of the search capability:
Additional Reading
SharePoint Search Datasheet (SP2010_Search_Datasheet.pdf) at http://go.microsoft.com/fwlink/?LinkID=197251&clcid=0x409
Insights
The insights capability encompasses functionality that you can use to connect to data sources and present the data in meaningful ways that support decision making. It is the capability that most closely aligns with what the industry refers to as business intelligence.
Information Sources
The insights capability offers the following components, features, and functionality to connect with information from a broad range of data sources:
    SharePoint Business Connectivity Services: External data and systems
    PerformancePoint Services: Interactive scorecards and dashboards
    Visio Services: Browser-based rendering of Visio diagrams, including filtering, interaction with objects, and connections to data
    Excel Services: Secure, manage, and share Excel workbooks; Rendered in the browser; Embed workbooks in apps, desktop, blogs, and wikis; Programmability: JavaScript object model and REST API
    PowerPivot, SQL Analysis Services
Following are some important points related to information sources: With self-service access to information, users can discover and manage their aspect of the business with access to the right information. Business Connectivity Services connects you with external data and systems. PerformancePoint Services provide interactive scorecards and dashboards. Visio Services provides browser-based rendering of Visio diagrams and includes filtering, interaction with objects, and connections to data sources.
With Excel Services, you can secure, manage, and use Excel workbooks as interactive reports rendered in the browser. You can embed workbooks in applications, blogs, and wikis and on the desktop. New programmability features include JavaScript object model and REST API. PowerPivot and SQL Analysis Services provide powerful reporting and analysis of very large data sets.
Following are some important points related to presentation and visualization of information:
Additional Reading
Microsoft SharePoint Server 2010 Insights (SP2010_Insights_Datasheet.pdf) at http://go.microsoft.com/fwlink/?LinkID=197252&clcid=0x409
Composites
The composites capability offers the following components, features, and functionality to empower users to create no-code solutions that target specific needs and to enable an enterprise to manage ad hoc solutions:
    Access Services: Publish Access databases as Web apps
    Business Connectivity Services: Read-write access to back-end data
    Disconnected experience: Microsoft Office Outlook, Microsoft Office Word, SharePoint Workspace
    Customizations: Browser, SharePoint Designer
    Workflows: Out of box, SharePoint Designer, Visio
    Forms: Customized Web forms or forms-based applications
    Visio: Publish diagrams, interact with objects and data
    Manageability: Governance over all no-code solutions features; Control over infrastructure, data, and applications
Following are some important points related to the composites capability: SharePoint gives you a plethora of ways to create a custom application without writing a single line of code. The enterprise gains control over such custom applications and can apply governance and security measures that are not possible when applications are ad hoc and not centrally managed.
Additional Reading
Microsoft SharePoint Composites (SP2010_Composites_Datasheet.pdf) at http://go.microsoft.com/fwlink/?LinkID=197253&clcid=0x409
1-22
Service Pack 1 (SP1) for SharePoint 2010 products and technologies adds a range of extra features and functionality, as follows: Site Recycle Bin: Without SP1, when an administrator deletes a site or site collection, it cannot be recovered, except by restoring it from a backup. Recovering accidentally deleted sites and site collections in this way is very time consuming. After you apply SP1, deleted sites and site collections are automatically placed in a Recycle Bin and can be recovered in the same way as accidentally deleted items and documents. For more information about the Site Recycle Bin, see Module 13, Implementing Business Continuity. Shallow Copy: In SharePoint 2010, you can configure files, such as documents, images, and videos, to be stored outside the content database. This configuration, which is called Remote BLOB Storage (RBS), improves performance in some circumstances. After you install SP1, if you have set up RBS and want to move a content database, you can do so without moving the BLOB files. This database movement technique is called Shallow Copy and can vastly reduce the volume of data that needs to be moved. For more information about Shallow Copy and RBS, see Module 4, Configuring Content Management. Office Web Applications Browser Support: Microsoft Office Web Applications, which enable you to create and edit Office documents in the web browser, now support Internet Explorer 9 and Google Chrome. Office Web Application Improvements: Extra functionality has been added to Office Web Applications in SP1. For example, in Excel, you can insert a chart; in Word, you can print in Edit Mode. StorMan.aspx: This page displays a list of a users files and compares them to the users quota. By providing access to this page, you can enable users to assess their data usage and avoid quota restrictions. This page was available in SharePoint Server 2007, but not in SharePoint Server 2010 without SP1. 
Search: The SharePoint Search crawler process has a new file type handler that enables it to index PowerPoint .ppsx files. SQL Server 2012 support: After you have installed SP1, you can create content and service application databases on the SQL Server 2012 database servers. SQL Server 2012 is the latest SQL Server version from Microsoft.
Additional Reading
Service Pack 1 for SharePoint Foundation 2010 and SharePoint Server 2010 at: http://go.microsoft.com/fwlink/?LinkId=234972
Service Pack 1 Tutorial at: http://go.microsoft.com/fwlink/?LinkId=234973
You can choose to subscribe to SharePoint as a cloud-based service from Microsoft instead of purchasing and implementing SharePoint on your premises. This cloud-based service, known as SharePoint Online, supports many of the features available in an on-premises SharePoint farm, and is part of Microsoft's Office 365 cloud-service package.
This is not a complete list of features, but illustrates the functionality that is available in SharePoint Online. A small number of SharePoint Server features, such as farm solutions, are not available in SharePoint Online because they have the potential to compromise stability in a shared environment. However, power users and developers can customize functionality with user solutions. For more details about SharePoint Online, see Module 15: SharePoint Online and Office 365.
Office 365
SharePoint Online is part of Microsoft's Office 365 subscription service. This includes the following components, in addition to SharePoint:

Exchange Online: Exchange provides email storage, delivery, and processing. Users can collect and respond to emails by using Outlook 2010, a browser, or a Windows Phone. Other devices may also be able to connect, and text messaging services are included.

Lync Online: Microsoft Lync is an integrated messaging platform that includes presence information, instant messaging, file exchange, and audio, video, and desktop conferencing.

Office Professional Plus: An enterprise subscription to Office 365 includes licenses for the Office 2010 desktop suite of software.
When you subscribe to Office 365, choose from a Small Business subscription or an Enterprise subscription. A Small Business subscription has some limitations. For example, you can only create one website. An Enterprise subscription has fewer limitations and includes the Office Professional Plus desktop software.
Additional Reading
Office 365 Homepage: http://go.microsoft.com/fwlink/?LinkId=225285
What is Office 365?: http://go.microsoft.com/fwlink/?LinkId=234974
SharePoint Online Homepage: http://go.microsoft.com/fwlink/?LinkId=234975
Lesson 2
As you learned in the previous lesson, SharePoint 2010 is a platform that itself relies on a wide range of other Microsoft technology platforms. Before you can install SharePoint 2010, you must prepare your hardware and software environment to support the dependencies and interactions with SharePoint products and technologies.

After completing this lesson, you will be able to:
Identify the roles and topologies in SharePoint farms.
Describe the infrastructure requirements for installing SharePoint 2010.
Describe the prerequisites for installing SharePoint 2010.
Install the software prerequisites for SharePoint.
Describe the interaction between SharePoint services, Active Directory, and SQL Server.
Create the various user accounts required to install SharePoint.
Assign permissions and rights required to install SharePoint.
Describe the client browser and application requirements for installing SharePoint 2010.
A SharePoint farm consists of one or more servers playing one or more roles. The Web front-end (WFE) role renders content to users, and therefore hosts the Web applications (Web sites) with which users interact. The content of those Web sites is stored in a SQL Server database, which is therefore another role, the database role. A number of services and applications provide functionality, such as search, and administrative and management capabilities, such as Central Administration. Each of these is a distinct role, and a server hosting one of these back-end services or administrative sites is referred to as playing an application server role. The roles can be consolidated on a single server or spread across multiple servers in a variety of topologies. These topologies are summarized on the slide and are detailed in Module 12, Installing and Upgrading to SharePoint 2010.
Infrastructure Requirements
SharePoint Server 2010 is a powerful platform that can scale to meet the most demanding enterprise scenarios. As such, the hardware requirements for SharePoint begin with a minimum hardware base with at least four processor cores running 2.5 GHz and 8 GB of RAM. SharePoint 2010 is a 64-bit platform, and therefore you must use 64-bit versions of the operating system on each SharePoint server and for SQL Server. Windows Server 2008 with Service Pack 2 (64-bit) or Windows Server 2008 R2 (which is only 64-bit) is required.

SQL Server is the required database platform. SharePoint Server 2010 requires one of the following:
SQL Server 2005 Service Pack 3 (SP3) with Cumulative Update 3 (64-bit)
SQL Server 2008 SP1 with Cumulative Update 2 or Cumulative Update 5 or later (64-bit)
SQL Server 2008 R2 (which is only 64-bit)
SQL Server 2012 (requires SharePoint Server 2010 SP1)
It is highly recommended that you use the latest versions of the operating system and SQL Server to take advantage of the maximum number of features. For example, you need SQL Server 2008 R2 to take advantage of failover, Power Pivot, and Access Services reporting features. If you are investing in infrastructure for Microsoft Office SharePoint Server 2007, invest in 64-bit hardware to reduce the number of steps required to migrate to SharePoint Server 2010. Migration from 32-bit to 64-bit platforms is detailed in Module 12.
Additional Reading
Hardware and software requirements (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkId=234752
Infrastructure Options
Microsoft allows you to install SharePoint on a client operating system to support development. The following are supported, with at least 4 GB of RAM:
The Windows Vista operating system with Service Pack 2 or later (64-bit).
The Windows 7 operating system (64-bit).
Such a client installation exists only to support development and should not be used for production purposes.

You can also access SharePoint through a hosted service such as one of several offerings from Microsoft and its partners, including the following:
Microsoft Online, which offers Office 365, a per-user subscription to SharePoint Online, Microsoft Exchange Online, and Microsoft Lync Online. Microsoft Online also offers dedicated SharePoint hosting to large customers. You will learn more about SharePoint Online in Module 15.
Microsoft's consumer and small business services, Windows Live and Office Live, provide some SharePoint functionality. For example, at the time of publication Windows Live SkyDrive allows users to edit Excel and PowerPoint documents in the browser, which is functionality provided by Office Web Apps.
You can mix and match internally hosted farms with externally hosted services to meet varied business requirements.
Additional Reading
Setting Up the Development Environment for SharePoint Server, at http://go.microsoft.com/fwlink/?LinkID=164557
Microsoft Online, at http://go.microsoft.com/fwlink/?LinkId=191565
SharePoint licensing is complex because of the number of products that are involved. It is important that you consult with your licensing representative to ensure compliance for your SharePoint implementation. The most typical implementation involves purchasing licenses for Windows Server 2008 or Windows Server 2008 R2 for each SharePoint server and a quantity of per-user client access licenses (CALs) for each SharePoint user. SQL Server is typically installed with a per-processor license, which does not require CALs for users. If you are using SharePoint Foundation 2010, no additional license is required. If you are using SharePoint Server 2010, however, you need a server product license for each SharePoint server and CALs for each user. SharePoint Standard CAL provides access to the basic level of SharePoint Server 2010 functionality including My Sites and search. With the Enterprise CAL, which is an add-on to the Standard CAL, you can deploy features such as Excel Services and Office Web Applications.
Additional Reading
SharePoint editions at http://go.microsoft.com/fwlink/?LinkID=196255
There is a long list of software and configuration prerequisites:
The following server roles: Web Server (IIS), Application Server
Hotfix for Microsoft Windows (KB976394 for Windows Server 2008 / KB976462 for Windows Server 2008 R2)
Windows Identity Foundation (KB974405)
Microsoft Sync Framework Runtime v1.0 (x64)
Microsoft Chart Controls for Microsoft .NET Framework 3.5
Microsoft Filter Pack 2.0
Microsoft SQL Server 2008 Analysis Services ADOMD.NET
Microsoft Server Speech Platform Runtime (x64)
Windows PowerShell 2.0 (for Windows Server 2008)
Optional: Microsoft Server Speech Recognition Language
Optional: Microsoft SQL Server 2008 R2 Reporting Services Add-in for SharePoint Technologies (SSRS)
Additional Reading
Details and links to all prerequisites can be found in "Hardware and software requirements (SharePoint Server 2010)" at http://go.microsoft.com/fwlink/?LinkId=234752
Installing Prerequisites
You must install SQL Server prior to installing other SharePoint prerequisites.
The Preparation Tool scans for each prerequisite. If a prerequisite is not found, the tool downloads, installs, and configures the prerequisite. If there is an error, for example, if downloading the prerequisite fails, the tool stops and produces an error message that indicates which prerequisite failed. You can find details of the failure in the error log, which is located in the %TEMP% folder. The tool displays a link to the log. After you have remediated the problem, rerun the tool. Repeat the process until all prerequisites have been installed and configured successfully.
Optional Prerequisites
Two prerequisites are optional: Microsoft Server Speech Recognition Language and Microsoft SQL Server 2008 R2 Reporting Services Add-in for SharePoint Technologies (SSRS). If the Preparation Tool cannot find or install these prerequisites, it generates an error, but you can continue to the next step in installing SharePoint Server 2010.

Question: Does your organization allow servers to access the Internet directly? If not, why not?
Additional Prerequisites
You must install and configure several prerequisites manually. Use the information on this slide as a checklist of prerequisites to evaluate in the context of your enterprise and your SharePoint implementation. After class, read about these items and determine whether they are necessary in your environment.

The ADO.NET Data Service Update is used by services such as REST Web services.

If you use claims-based authentication, you need to apply KB979917 (http://go.microsoft.com/fwlink/?LinkID=196882&clcid=0x409) for ASP.NET.

The third prerequisite is to disable loopback checking. Windows Server 2008 (and Windows Server 2008 R2) blocks access to a Web site if the request for the Web site originates on the server itself. This prevents you from using a browser on a SharePoint server to browse to a site on the same server farm. Of course, it is not recommended that you log on to a SharePoint server and use a browser in the production environment, but this scenario may be more common in a development, testing, or training environment. However, loopback checking also prevents SharePoint services, most notably the search crawler that indexes SharePoint content, from accessing sites on the same server farm. The crawl process will generate Access Denied events, and no content will be indexed. The problem is solved by removing or controlling the loopback checking. Microsoft Knowledge Base article 896861 has the details. The article discusses two options. Method 1 involves specifying all sites hosted on the server so that the server allows requests to those sites to originate on the same server. Method 2 entails disabling loopback checking altogether, for all sites. Method 2 reduces the security of the server much more than Method 1. Therefore, Method 2 is recommended only for development and test environments.
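The following Windows PowerShell script is an added example and is not part of the course material or of Knowledge Base article 896861 itself. It applies Method 1 from that article (the BackConnectionHostNames multi-string value under the MSV1_0 key, which allows loopback requests only to the named sites) and adds a check that reports whether Method 2 (the DisableLoopbackCheck value) has been left enabled, so a production server can be audited for the less secure setting. The host names are assumptions; run it in an elevated session on the SharePoint server.

```powershell
# Added example (not from the course): KB896861 Method 1 plus an audit for Method 2.
# Host names below are assumed; replace them with the URLs of your Web applications.

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Key = Join-Path $lsaKey 'MSV1_0'

function Set-LoopbackAllowedHosts {
    param([Parameter(Mandatory)][string[]]$HostNames)
    # Method 1: BackConnectionHostNames (REG_MULTI_SZ) lists the host names that may
    # be requested from the server itself. All other sites still get 401.1 locally.
    $existing = @()
    $item = Get-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    if ($item) { $existing = @($item.BackConnectionHostNames) }
    # Merge with what is already configured so a second run does not drop names.
    $merged = @($existing + $HostNames | Where-Object { $_ } | Sort-Object -Unique)
    New-ItemProperty -Path $msv1Key -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    return $merged
}

function Test-LoopbackCheckDisabled {
    # Returns $true when Method 2 is active, i.e. loopback checking is off for ALL
    # sites on this server. That is acceptable only in development and test.
    $item = Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    return [bool]($item -and $item.DisableLoopbackCheck -eq 1)
}

# Assumed host names: the intranet Web application and the Central Administration site.
$sites   = @('intranet.contoso.com', 'sp-ca.contoso.com')
$allowed = Set-LoopbackAllowedHosts -HostNames $sites
Write-Host "Loopback allowed for: $($allowed -join ', ')"

if (Test-LoopbackCheckDisabled) {
    Write-Warning 'DisableLoopbackCheck=1 is set (Method 2): loopback checking is off for every site.'
}

# KB896861 requires the IISAdmin service to be restarted before Method 1 takes effect:
# Restart-Service IISAdmin -Force
```

Method 1 keeps the protection in place for every name that is not on the list, which is why the script only ever adds to the list and never touches DisableLoopbackCheck; the audit function lets you detect servers where somebody took the Method 2 shortcut.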
Additional Reading
An update is available that provides additional features and improvements for ADO.NET Data Services in the .NET Framework 3.5 SP1 on a computer that is running Windows 7 or Windows Server 2008 R2, at http://go.microsoft.com/fwlink/?LinkID=200826&clcid=0x409
Two issues occur when you deploy an ASP.NET 2.0-based application on a server that is running IIS 7.0 or IIS 7.5 in Integrated mode, at http://go.microsoft.com/fwlink/?LinkID=196882&clcid=0x409
You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version, at http://go.microsoft.com/fwlink/?LinkID=196884&clcid=0x409
SharePoint has close relationships with and dependencies on SQL Server and Active Directory. Active Directory provides identity and authentication services. In other words, it stores user accounts (user names and passwords), other identity and group information, and validates account logons. These services support users logging on to SharePoint sites. They also support the accounts used by SharePoint and SQL services themselves. SQL Server stores almost all of the configuration and content of a SharePoint farm. SQL Server services, like all Windows services, run using an identity. SharePoint services also run with Active Directory credentials. The credentials are used by SharePoint to access data in SQL Server. These accounts must have SQL logins so that SQL can authorize the access. These SQL logins are created automatically by SharePoint during setup and the creation of Web applications.
Service Accounts
Before installing SharePoint, you must ensure that there are appropriate accounts, logins, and permissions to support the interdependencies between SharePoint, SQL Server, Active Directory, and the SharePoint server itself.
The SharePoint Products Configuration Wizard automatically assigns the account the permissions it needs.
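The script below is an added example, not part of the course, showing how the two accounts named in this module, the setup user account (SP_Admin) and the farm account (SP_Farm), can be created in Active Directory as ordinary domain users before installation. The OU path, the domain name, and the descriptions are assumptions. Passwords are prompted for so that no secret is written into the script.

```powershell
# Added example (not from the course): create the SharePoint installation accounts.
# Requires the ActiveDirectory module (RSAT) and rights to create users in the OU.
Import-Module ActiveDirectory

$ouPath = 'OU=SharePoint Service Accounts,DC=contoso,DC=com'   # assumed OU

function New-SPServiceAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Description
    )
    # Prompt for each password; nothing is stored in the script or the history.
    $password = Read-Host -Prompt "Password for $Name" -AsSecureString
    if (Get-ADUser -Filter "SamAccountName -eq '$Name'") {
        Write-Warning "$Name already exists; not modified."
        return Get-ADUser -Identity $Name
    }
    New-ADUser -Name $Name -SamAccountName $Name -Description $Description `
        -Path $ouPath -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -PassThru
}

# SP_Admin runs Setup and the Configuration Wizard. It needs membership in the local
# Administrators group on each SharePoint server and the securityadmin and dbcreator
# roles on the SQL Server, which Setup uses to create the SQL logins automatically.
# SP_Farm stays a plain domain user: the Configuration Wizard grants it what it needs.
$setup = New-SPServiceAccount -Name 'SP_Admin' -Description 'SharePoint setup user account'
$farm  = New-SPServiceAccount -Name 'SP_Farm'  -Description 'SharePoint farm account'

$setup, $farm | Select-Object SamAccountName, Enabled, DistinguishedName
```

Neither account is made a domain administrator: the setup account gets local and SQL rights only where it installs, and the farm account receives its SQL logins from SharePoint itself during configuration, as described above.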
SharePoint 2010 generates most of its content using Web-standard XHTML that renders well across most browsers. Microsoft categorizes browsers into two categories, Level 1 and Level 2, to help customers align browser choice with the desired level of functionality.

Level 1 browsers support ActiveX and all SharePoint functionality on user and administrative pages.

Operating System: Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008
Browser: Internet Explorer 7 (32-bit), Internet Explorer 8 (32-bit), Mozilla Firefox 3.5*

Operating System: Windows 7, Windows Server 2008 R2
Browser: Internet Explorer 8 (32-bit), Mozilla Firefox 3.5*

* Note: Features provided by ActiveX controls, such as list Datasheet view and the control that displays user presence information, do not work in Mozilla Firefox 3.5, which does not support ActiveX.

Level 2 browsers support basic read, write, and administrative activities.

Operating System: Apple Mac OS X Snow Leopard
Browser: Apple Safari 4.x

Operating System: Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008
Browser: Mozilla Firefox 3.5, Internet Explorer 7 (64-bit)
Other standards-based browsers work with SharePoint with the same limitations as Level 2 browsers; however, Microsoft has not done extensive testing on browsers other than those listed and does not support the use of other browsers. If you want to use a browser other than one listed in the preceding tables, you should perform testing to ensure that the browser delivers an acceptable user experience. For published sites, page designers can apply Web Content Management features to control markup and styling so that published sites are compatible with additional browsers, including Microsoft Internet Explorer 6. However, it is the page designer's responsibility to create pages that target the browsers that are designated for support. Page designers and content authors must use a standards-based browser, such as Internet Explorer 8 or Firefox 3.5, to author content. SharePoint-compatible applications can provide rich, client-side interaction with SharePoint. Microsoft Office 2003 and later are compatible with SharePoint.
Additional Reading
Plan Browser Support, at http://go.microsoft.com/fwlink/?LinkID=196887&clcid=0x409
Lesson 3
You can use several methods to install and upgrade a SharePoint 2010 farm. In this lesson, you learn how to install SharePoint by using the wizard-driven setup and configuration tools, which make it easy to create a simple farm. In the next lesson, you learn about methods to automate installation, and in Module 12, you learn about ways to upgrade an existing farm to SharePoint 2010.

After completing this lesson, you will be able to:
Describe the process for installing and configuring SharePoint 2010.
Identify the configuration parameters required to install SharePoint.
Install SharePoint to create a single-server farm.
Configure SharePoint on a single-server farm.
Apply service packs and cumulative updates to a single-server farm.
Installing SharePoint is a multiphase process. The four high-level steps for installing and configuring SharePoint are the following:
1. Install the prerequisites.
2. Install the SharePoint binaries.
3. Configure the SharePoint server and farm.
4. Configure services and applications on the farm.
You can perform each step with user interface tools or commands or scripts. In the following topics and lesson, you learn how to perform each of these steps.
For more information about slipstreaming updates, see Module 12: Installing and Upgrading to SharePoint 2010.
Before you install SharePoint Server 2010, you must collect information that is required during the installation. Use the following items as a pre-installation checklist:
You must know the user names and passwords for the accounts discussed in the previous lesson.
You must know the SQL Server computer name and instance name.
You will be prompted for a configuration database name, for example, SharePoint_Config. Determine a naming strategy for SharePoint databases.
You will be prompted for a port on which to host Central Administration. You must determine this.
You will be prompted for a farm passphrase. You must determine this.

You use the farm passphrase when making certain changes to the farm, for example, when adding a new server to the farm. With the farm passphrase, an administrator can perform farm-level changes without needing to know the password for the SharePoint farm account (SP_Farm). The farm passphrase should be long, complex, and unique, and should not be the same as the password used by any of the SharePoint administrative or service accounts. Be sure to document the passphrase and store it in a physically secure location.

You must know the product key or trial key. You must enter the product key during setup, but you can change it later in Central Administration.
The following steps walk you through the manual installation of SharePoint Server 2010 binaries. During this step, program files are installed, components are registered, security settings are applied, and services are configured but not enabled. Installation with the user interface is wizard-driven. As long as you know the configuration information presented earlier in this lesson, installation is very straightforward.
1. Log on as the setup user account (SP_Admin).
2. Run the SharePoint Server 2010 Start Page (default.hta).
SharePoint Server 2010 installation now features a splash screen.
3. Click Install SharePoint Server.
Installation requires administrative credentials, so a User Account Control dialog box appears.
4. Click Yes.
5. Enter your product key or a trial key. You can change it later.
6.
7. Click Server Farm.
Important: It is recommended that you use the Server Farm installation.
The Standalone installation fully installs and configures SharePoint Server 2010 with all defaults, including the installation of SQL Server 2008 Express as the database server on the same server. The result is a standalone, single-server farm with all roles on one server. Standalone installation is not supported on a server that is a domain controller because SQL Server Express cannot be installed on a domain controller. It is not possible to add servers to a farm that was installed with the Standalone installation. Therefore, it is recommended that you use Standalone only for the simplest testing or development environments. In all other scenarios, you should use the Server Farm installation option. You must have already installed SQL Server on the same server or on another server. However, with a Server Farm installation, you have the option of later moving roles to other servers in the farm.
If you select a Server Farm installation, you can specify the location of the SharePoint binaries and the SharePoint Root (formerly known as the 12 Hive, now the 14 Hive) in the File Location tab.
8. Select Complete.
The Stand-alone option presented on this page of the installation wizard creates a single-server farm with all components and roles. It is not possible to add another server to a farm that was installed with the Stand-alone option. This option is identical to the Standalone installation option discussed in an earlier step.
Installation proceeds.
At the end of the installation phase, the Setup application offers you the chance to proceed to the Configuration phase.
9. Clear the Run the SharePoint Products Configuration Wizard now check box.
10. Click Close.
The result is a SharePoint server that is ready to add to a farm. Until you add the server to a farm, no SharePoint functionality is available on the server.
After installing the SharePoint binaries, you can configure the server and, in the process, create a SharePoint farm or add the server to an existing farm. Configuration with the user interface is wizard-driven. As long as you know the configuration information presented earlier in this lesson, configuration is very straightforward.
1. Log on as the setup user account (SP_Admin).
2. Run the SharePoint Products Configuration Wizard, which you can find in the Microsoft SharePoint 2010 Products program group on the Start menu.
3. Click Next.
You are warned that IIS and SharePoint services will be restarted.
4. Click Yes.
5.
6. Enter the configuration for the SQL Server: the name of the Database server (SERVER\instance if you are connecting to a specific instance of SQL Server) and the Database name.
7. Enter the farm account (SP_Farm) user name and password.
8.
9. Enter the port number on which Central Administration will be hosted.
10. Choose an authentication provider. NTLM allows Central Administration to use Active Directory as the authentication provider. This is typically the best option for Central Administration.
11. Review the configuration, and then click Next. Configuration takes several minutes.
12. Click Finish. The SharePoint 2010 Central Administration site opens.
After you have installed SharePoint, you must verify that you are using the latest version of the software. Microsoft publishes updates that include security fixes, so you may be vulnerable to malicious attacks if you do not install all updates. Furthermore, service packs such as SP1 include new features that may help your users and other stakeholders. It is particularly important to install the following update types:

Service Packs (SPs): These are regression-tested baselines and include both issue fixes and new functionality.

Cumulative Updates (CUs): Cumulative Update packages apply fixes and optimizations, but do not include new features and are not regression tested. For SharePoint, CUs are published every 2 months. Each CU includes all the previous CUs, so, for example, it is not necessary to install both the August 2010 CU and the October 2010 CU. Only the latest package is required.

Note: You should not install the June 2010 CU or later CUs until you have installed SP1.

For more information about the latest updates for SharePoint 2010 products and technologies, refer to the following site: http://go.microsoft.com/fwlink/?LinkId=234976
Therefore, you need only download and install a single package for the combination of products that you have installed.
This procedure is designed for production farms that are already in use and have live content. When you apply SPs and CUs to newly-installed SharePoint servers that have no content, you may decide to take fewer precautions because you can always reinstall from the beginning. Consider how long such a reinstallation might take when you decide whether to, for example, back up the farm at step 2.
For information about how to verify the updates, go to: http://go.microsoft.com/fwlink/?LinkId=234977
Lesson 4
Manual installation and configuration, as presented in the previous lesson, is time consuming and prone to inconsistent implementation. In this lesson, you learn how to script the installation and configuration of SharePoint. You also learn how to install a language pack.

After completing this lesson, you will be able to:
Perform a scripted installation of SharePoint prerequisites.
Perform a scripted installation of SharePoint Server 2010.
Execute a scripted configuration of SharePoint and a SharePoint farm.
Install SharePoint language packs.
By scripting installation, an organization can reduce the time required to deploy a SharePoint server. Scripting also ensures that configuration is applied consistently, and therefore reduces the chance of errors and failure. Scripting is also required to automate the provisioning of SharePoint. There are three different mechanisms for scripting SharePoint installation and configuration, one mechanism for each of the phases of installation.
Many organizations do not allow servers to have direct access to the Internet. The Preparation Tool can be directed to install prerequisites from a specific location, rather than downloading prerequisites from the Downloads Center at Microsoft.com. First, you must download all prerequisites. You can find links to prerequisites by using one of the following two options:
Links to prerequisites are listed at http://go.microsoft.com/fwlink/?LinkId=234752
Run the Preparation Tool and examine the log for error messages that are generated when the tool attempts to download each prerequisite. The URL of the attempted download is listed.

PrerequisiteInstaller.exe supports parameters that specify the location of each prerequisite. The syntax of each parameter is /PrerequisiteName:PathToInstallationFile. The PrerequisiteName parameters are listed on the slide. The path can be a local or Universal Naming Convention (UNC) path to which the setup user (SP_Admin) account used to run the prerequisite installer has Read permission.

The /unattended parameter causes the Preparation Tool to run in silent, unattended mode. No prompts or messages are displayed. Use this mode only when you are confident that prerequisite installation will be successful. You can type PrerequisiteInstaller.exe /? to display the help documentation for the switches.

Now that you know the parameters of PrerequisiteInstaller.exe, you can script prerequisite installation by using one of two methods:
Open the command prompt and type a command line with PrerequisiteInstaller.exe and all of the switches on a single command line.
Open Notepad and enter all switches on a single line. Save the file as PrerequisiteInstaller.Arguments.txt in the same folder as PrerequisiteInstaller.exe. Then, run PrerequisiteInstaller.exe. It automatically looks for the arguments file, called PrerequisiteInstaller.Arguments.txt, in the working directory.
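The Windows PowerShell script below is an added example, not part of the course, that generates PrerequisiteInstaller.Arguments.txt from a set of installers downloaded to a file share, verifying that every file exists before the arguments file is written so that a missing download fails here rather than part-way through an /unattended run. The share path and installer file names are assumptions, as are the switch names other than the hotfix numbers quoted in this lesson; confirm them against the output of PrerequisiteInstaller.exe /? for your build.

```powershell
# Added example (not from the course): build PrerequisiteInstaller.Arguments.txt
# for an offline prerequisite installation and validate every path first.

$source   = '\\fileserver\Software\SP2010Prereqs'   # assumed UNC path; SP_Admin needs Read
$setupDir = 'D:\Software\SharePointServer2010'     # folder that contains PrerequisiteInstaller.exe

# Switch name -> installer file name (file names are assumptions).
# KB976462 is the Windows Server 2008 R2 hotfix named in this lesson; on Windows
# Server 2008 use /KB976394 instead. IDFX is Windows Identity Foundation (KB974405).
$prereqs = [ordered]@{
    'KB976462'      = 'Windows6.1-KB976462-v2-x64.msu'
    'IDFX'          = 'Windows6.1-KB974405-x64.msu'
    'Sync'          = 'Synchronization.msi'
    'ChartControls' = 'MSChart.exe'
    'FilterPack'    = 'FilterPack64bit.exe'
    'ADOMD'         = 'SQLSERVER2008_ASADOMD10.msi'
    'Speech'        = 'Speech.msi'
}

function New-PrerequisiteArguments {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Map,
        [Parameter(Mandatory)][string]$Root,
        [switch]$Unattended
    )
    $switches = @(foreach ($name in $Map.Keys) {
        $path = Join-Path $Root $Map[$name]
        # Fail fast: an absent file would otherwise stop the tool mid-run.
        if (-not (Test-Path -Path $path -PathType Leaf)) {
            throw "Missing installer for /$name : $path"
        }
        "/${name}:${path}"
    })
    # Add /unattended only when you are confident the run will succeed.
    if ($Unattended) { $switches += '/unattended' }
    # The tool expects all switches on one line.
    return ($switches -join ' ')
}

$line = New-PrerequisiteArguments -Map $prereqs -Root $source
# The tool looks for this exact file name in its working directory.
Set-Content -Path (Join-Path $setupDir 'PrerequisiteInstaller.Arguments.txt') -Value $line -Encoding ASCII
Write-Host $line
```

Run the script as the setup user account so that the Test-Path checks are made with the same permissions the Preparation Tool will have when it reads the files from the share.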
You can script the installation of SharePoint binaries by specifying installation parameters in an Extensible Markup Language (XML) file named Config.xml by default. Microsoft provides sample Config.xml files in the SharePoint distribution. You can simply modify these files to match your environment. In most cases, you need only to remove the comment tags (<!-- and -->) and enter a valid product ID. The following Config.xml file installs a SharePoint server using the Server Farm installation option and the Complete server type.
<Configuration>
  <Package Id="sts">
    <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
  </Package>
  <Package Id="spswfe">
    <Setting Id="SETUPCALLED" Value="1"/>
  </Package>
  <Logging Type="verbose" Path="%temp%" Template="SharePoint Server Setup(*).log"/>
  <PIDKEY Value="36BY2-DVVJY-6426X-PXWVQ-BM342" />
  <Display Level="none" CompletionNotice="no" />
  <Setting Id="SERVERROLE" Value="APPLICATION"/>
  <Setting Id="USINGUIINSTALLMODE" Value="0"/>
  <Setting Id="SETUP_REBOOT" Value="Never" />
  <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
</Configuration>
The following sample Config.xml files are available in the Files folder in the SharePoint distribution:

Configuration File: Setup\Config.xml
Description: Stand-alone server installation using Microsoft SQL Server 2005 Express Edition

Further sample files (descriptions only; the file names are not reproduced here):
Server farm installation
Server farm installation in silent mode
In-place upgrade of an existing farm
Stand-alone server installation using SQL Server 2005 Express Edition in silent mode
In-place upgrade of an existing single-server installation
You can automate the Microsoft SharePoint 2010 Products Configuration Wizard using a Windows PowerShell script. Windows PowerShell is discussed in Module 3, Administering and Automating SharePoint, so it is beyond the scope of this topic to explain Windows PowerShell. The cmdlets (pronounced command-lets) listed on this slide are for reference purposes. However, in the lab for this module, you have the option of using a preexisting Windows PowerShell script to automate the configuration of the farm.
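As an added example that is not part of the course or of the lab script it refers to, the following Windows PowerShell creates a new single-server farm with the cmdlets that replace the Configuration Wizard, in the order used by the Microsoft procedure "Install SharePoint Server 2010 by using Windows PowerShell" linked below. The SQL Server name, database names and Central Administration port are assumptions; the cmdlet and parameter names can be checked with Get-Help <cmdlet> in the SharePoint 2010 Management Shell. Run it as SP_Admin in an elevated shell.

```powershell
# Added example (not from the course): scripted equivalent of the Configuration
# Wizard for a new farm. Values marked "assumed" must be replaced for your environment.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$dbServer = 'SQL01\SharePoint'          # assumed SERVER\instance
$configDb = 'SharePoint_Config'         # configuration database name
$adminDb  = 'SharePoint_AdminContent'   # assumed Central Administration content database
$caPort   = 9999                        # assumed Central Administration port

# The farm account password and the passphrase are prompted for; they are never
# written into the script, and a SecureString keeps them out of the command history.
$farmCred   = Get-Credential -Message 'Farm account (for example CONTOSO\SP_Farm)'
$passphrase = Read-Host -Prompt 'Farm passphrase' -AsSecureString

# 1. Create the configuration database and join this server to the new farm.
New-SPConfigurationDatabase -DatabaseName $configDb -DatabaseServer $dbServer `
    -AdministrationContentDatabaseName $adminDb `
    -FarmCredentials $farmCred -Passphrase $passphrase

# 2. Apply the ACLs on the SharePoint Root and registry (the wizard's security step).
Initialize-SPResourceSecurity

# 3. Register the services and all features shipped with the product.
Install-SPService
Install-SPFeature -AllExistingFeatures

# 4. Create Central Administration using NTLM, as recommended in the previous lesson.
New-SPCentralAdministration -Port $caPort -WindowsAuthProvider 'NTLM'

# 5. Install the help collections and deploy application content to the IIS sites.
Install-SPHelpCollection -All
Install-SPApplicationContent

Write-Host "Farm created. Central Administration: http://${env:COMPUTERNAME}:${caPort}"
```

Keeping the passphrase and farm credentials out of the script file matters because a provisioning script is typically stored in source control and copied between servers; the prompts in the block are the only place those secrets exist.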
Additional Reading
Quick start: Deploy single server in an isolated Hyper-V environment (SharePoint Server 2010), at http://go.microsoft.com/fwlink/?LinkID=196892&clcid=0x409
Install SharePoint Server 2010 by using Windows PowerShell, at http://go.microsoft.com/fwlink/?LinkID=196893&clcid=0x409
Language Packs
If you are working in an environment that needs to support multiple languages, you must also install language packs for SharePoint Server 2010.
Installation Process
The process by which you install language packs is described in the following sections.

1. Install Windows operating system language files
Before installing SharePoint language packs, you must ensure that the language files for the Windows operating system have been installed. Windows includes language files for many languages in its default configuration. However, if the languages you are supporting include any of the following, you must install the Windows language files manually:
East Asian languages, including Chinese, Japanese, and Korean
Complex script and right-to-left-oriented languages, including Arabic, Armenian, Georgian, Hebrew, the Indic languages, Thai, and Vietnamese

You can install Windows language files by using the Regional And Language Settings application in Control Panel.

2. Install SharePoint
You must install SharePoint before installing a SharePoint language pack. The language of the SharePoint installation becomes the default language for the farm and the language of administrative interfaces such as Central Administration. As you learned in the previous lesson, to install SharePoint you must first install the SharePoint binaries.

3. Run the SharePoint Products Configuration Wizard
Next, run the SharePoint Products Configuration Wizard to configure the farm with the default language.
4. Download the language pack
You can download language packs from the Microsoft Downloads Center. At the time of writing, there are 40 language packs available. You must download a language pack for each language you want to support with SharePoint. There is no single package of all languages. It is possible that the downloads for different languages may have the same file name. Watch out for this situation, and if it occurs, rename the downloads or save them to separate folders so that you do not overwrite a previously downloaded language pack.

5. Install on all Web servers so that content can be rendered
Install the language pack on all SharePoint servers that host user-facing Web applications so that content can be rendered in the required languages. Be prepared for the fact that the installation routine for a language pack is in the language of the pack, so the setup wizard's text and buttons will not be in the default language of the farm.

6. Run the SharePoint 2010 Products Configuration Wizard
Run the SharePoint 2010 Products Configuration Wizard on all servers on which language packs have been installed. This completes the installation and configuration of the language pack.

Uninstalling SharePoint when language packs have been installed
Uninstall all language packs before uninstalling SharePoint.
Upgrade Alert
The following issue applies in only rare and specific situations, but it is important to raise the issue to the attention of administrators it affects. If you are upgrading from SharePoint 2007 and you are using Group Approval (eApproval) features with Chinese (Simplified), Chinese (Traditional), Japanese, or Korean languages, you must do the following before running the SharePoint Products Configuration Wizard:
1. Install the language pack.
2. Run psconfig.exe -cmd upgrade -inplace v2v.
3. Then, run the SharePoint Products Configuration Wizard.
Additional Reading
Deploy language packs (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=199614&clcid=0x409
Scenario
You have been asked to deploy a SharePoint farm to support Contoso's strategic initiatives related to enterprise collaboration. This single-server farm will act as a prototype, and executives, developers, and end users will use it to evaluate the new features of SharePoint Server 2010.
Alternately, you can copy the contents of the file D:\Labfiles\Lab01\PrerequisiteInstaller.Arguments.txt and paste it into your Notepad document.
2. Save the file as D:\Software\SharePointServer2010\PrerequisiteInstaller.Arguments.txt.
3. Close Notepad.
4. Start the Command Prompt using the Run as administrator option.
5. Type the following commands, each followed by ENTER:

D:
CD Software\SharePointServer2010
PrerequisiteInstaller.exe

The Microsoft SharePoint 2010 Products Preparation Tool appears. In a production environment, you would also add the /unattended switch to the PrerequisiteInstaller.Arguments.txt file to specify a silent, unattended installation of SharePoint prerequisites. An unattended installation skips the Welcome page and the license agreement. For this lab, however, you did not use the /unattended switch so that you can observe the progress of the prerequisite installer and ensure that there are no errors in your script.
6. Step through the Microsoft SharePoint 2010 Products Preparation Tool. When installation has completed successfully, click Finish to close the tool.

Results: After this exercise, you should have installed and configured all SharePoint Server 2010 prerequisites.
Remove the comment tags, <!-- and -->.
3. Replace the Display element with the following:

<Display AcceptEULA="yes" Level="basic" CompletionNotice="yes" />

Alternately, copy D:\Labfiles\Lab01\config.xml to the D:\Software\SharePointServer2010\Files\SetupFarmSilent folder, overwriting the existing file.
4. Save the file and close Notepad.
5. Start Command Prompt using the Run as administrator option.
6. Type the following command on one line, and then press ENTER:

"D:\Software\SharePointServer2010\setup.exe" /config "D:\Software\SharePointServer2010\Files\SetupFarmSilent\config.xml"
Installation takes approximately 7 to 10 minutes.
7. You can monitor the progress of the SharePoint installation using any of these methods:
- Click Start, type %temp%, and then press ENTER. Open the log named SharePoint Server Setup*.log.
- Open Task Manager, and then monitor processes including Msiexec.exe, Setup.exe, Mscorsvw.exe, and Psconfigui.exe.
8. Clear the Run the SharePoint Products Configuration Wizard now check box, and then close the Run Configuration Wizard page.

Results: After this exercise, you should have installed SharePoint Server 2010.
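The following script is an added example and is not part of the lab files. It chains the two exercises above into one unattended run: it launches the prerequisite installer (assuming the /unattended switch has already been added to PrerequisiteInstaller.Arguments.txt, as the text recommends for production), stops if the installer reports a non-zero exit code, then runs setup.exe with the silent config.xml while polling the setup log in %TEMP% and the processes listed in step 7. The paths are the lab's; the polling interval is an arbitrary choice.

```powershell
# Added example: script the prerequisite installation and the SharePoint
# installation from the lab instead of typing the commands by hand.
# Run from an elevated PowerShell prompt on the server (PowerShell 2.0 is enough).

$root      = 'D:\Software\SharePointServer2010'                       # lab path
$configXml = Join-Path $root 'Files\SetupFarmSilent\config.xml'       # created in the lab

# 1. Prerequisite installer. It reads PrerequisiteInstaller.Arguments.txt from
#    its own folder; for a silent run that file is assumed to contain /unattended.
#    -Wait blocks until the tool exits so the exit code can be inspected.
$prereq = Start-Process -FilePath (Join-Path $root 'PrerequisiteInstaller.exe') `
                        -WorkingDirectory $root -Wait -PassThru
if ($prereq.ExitCode -ne 0) {
    # Any non-zero code (including the "reboot required" codes) means stop and read
    # the installer log in %TEMP% before going on; do not run setup on a half-done host.
    throw "Prerequisite installer exited with code $($prereq.ExitCode); inspect the log in $env:TEMP."
}

# 2. SharePoint setup with the silent config.xml. No -Wait here, so the
#    script can watch progress while setup runs.
$setup = Start-Process -FilePath (Join-Path $root 'setup.exe') `
                       -ArgumentList "/config `"$configXml`"" -PassThru

# 3. Monitor progress the same way step 7 describes: newest
#    'SharePoint Server Setup*.log' in %TEMP% plus the installer processes.
while (-not $setup.HasExited) {
    $log = Get-ChildItem (Join-Path $env:TEMP 'SharePoint Server Setup*.log') -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($log) {
        $lines = Get-Content $log.FullName
        if ($lines) { "{0:HH:mm:ss} {1}" -f (Get-Date), $lines[-1] }   # last log line
    }
    Get-Process msiexec, setup, mscorsvw, psconfigui -ErrorAction SilentlyContinue |
        Select-Object Name, Id | Format-Table -AutoSize | Out-String | Write-Host
    Start-Sleep -Seconds 30
}
"setup.exe exited with code $($setup.ExitCode)"
```

Because the setup wizard is suppressed by config.xml, the exit code and the log are the only signals you get; keep the log with the build records for the farm, since it is also the first thing Microsoft support asks for when an installation is later found to be incomplete.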
The Windows PowerShell Credential Request dialog box appears.
3. In the Password box, type Pa$$w0rd, and then press ENTER. A prompt appears to enter the farm passphrase.
4. Type 10174_SharePoint_2010, and then press ENTER. Configuration proceeds for 7 to 10 minutes.
5. When the prompt Press Enter to exit appears, press ENTER.
Results: After this exercise, you should have configured SharePoint Server 2010 as a single-server farm with the Central Administration application on port 9999.
Results: After this exercise, you should have a SharePoint farm and service applications configured with default settings.
Review Questions
1. What are the most salient benefits of SharePoint 2010 to your enterprise and to you as an IT professional?
2. How can you automate the installation of SharePoint prerequisites?
3. In which scenarios would you consider a standalone installation of SharePoint 2010?
4. What prerequisites are required to install SharePoint Server 2010?
5. What new configuration setting has been added to the setup of a SharePoint farm?
6. You have just installed a new single-server SharePoint Server 2010 farm in your organization. What service packs and updates should you apply?
Issue: While running the SharePoint Products Configuration Wizard, you are unable to connect to the SQL database.
Troubleshooting tip: Ensure that you are logged on as the setup user account and that the account has been given a login on the SQL server with the dbcreator and securityadmin server roles.
Real-World Scenarios
1. The training department wants to conduct a course in which site collection administrators will learn skills required to manage their site collections. Each site collection administrator in the course requires a test SharePoint farm. You do not want the test farms to connect to the production SQL Server environment. What type of installation will you prepare for each site collection administrator?
2. IT security policy dictates that servers shall have no direct connectivity to the Internet. However, you need to be able to install SharePoint prerequisites. What can you do to achieve your goals while maintaining compliance with security policy?
3. A remote office requires team sites to support its collaboration. The remote office is connected to the datacenter with a slow connection that will not provide adequate performance against a team site hosted on the farm at the datacenter. How would you propose addressing the remote office requirements while minimizing additional software costs?
Best Practices
Supplement or modify the following best practices for your own work situations:
- Follow least-privilege best practices in your planning and implementation of the user accounts required for SharePoint.
- Download all SharePoint prerequisites and configure the PrerequisiteInstaller.Arguments.txt file to automate the installation of prerequisites.
- Create a Config.xml file to script the installation of SharePoint.
- Document the farm passphrase and store it in a secure location.
Tools
Tool | Use for | Where to Find It
SharePoint Server 2010 Start page | Starting prerequisite installation and SharePoint installation | Default.hta
Prerequisite installer | Installing and configuring SharePoint prerequisites | PrerequisiteInstaller.exe
SharePoint Installation Wizard | Installing SharePoint binaries | Setup.exe
SharePoint Products Configuration Wizard | Configuring the farm after installation | On the Start menu, or Psconfig.exe
Module 2
Creating a SharePoint 2010 Intranet
Contents:
Lesson 1: Performing Initial Farm Configuration 2-4
Lesson 2: Configuring the SharePoint Logical Structure 2-12
Lesson 3: Exploring the SharePoint Web Application and Physical Architecture 2-37
Lab: Creating a SharePoint 2010 Intranet 2-46
Before starting this module, start and log on to the virtual machines.
1. Start 10174A-CONTOSO-DC-B.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-B.
3. Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password Pa$$w0rd.
Module Overview
After installing your Microsoft SharePoint farm, you are ready to begin establishing content, such as an organizational intranet site. In this module, you will create a SharePoint-based intranet and, as you do so, you will learn key concepts and skills related to the logical architecture of SharePoint including web applications, site collections, sites, and content databases.
Objectives
After completing this module, you will be able to:
- Use the SharePoint Farm Configuration Wizard and configure managed accounts.
- Create web applications, site collections, and sites to logically structure content.
- Describe how web applications and content databases underpin the SharePoint logical architecture.
Lesson 1
After you have installed Microsoft SharePoint 2010 on your first server in the farm, and after you have run the SharePoint Products Configuration Wizard, you still must configure services, accounts, and settings on the farm itself. In this lesson, you'll use the Configure Your Farm Wizard to automate the process of initial farm configuration, and you'll begin the exploration of SharePoint's components, technologies, and features by examining the high-level tasks that the wizard performs. After completing this lesson, you will be able to understand the high-level structure, components, and functioning of the farm.
The Farm Configuration Wizard applies the default settings for services, proxies, proxy groups, and accounts. The wizard makes it easy to get a farm up-and-running using out of the box defaults. It is particularly well suited to configuring a SharePoint farm for testing, training, or development when there are no requirements for farm or service customization. In most production environments, however, business requirements lead to farm topology designs and configuration that is not the same as SharePoint's out-of-box defaults. Therefore, it is generally recommended to configure the farm manually in a production environment. You will learn, through the modules in this course, how to configure services, service applications, proxies, application proxy groups, managed accounts, and other farm components.
Service applications are a very important concept to understand in SharePoint 2010. Although they perform a role similar to Shared Service Providers (SSPs) in SharePoint 2007, there are significant differences between service applications and SSPs.
Service Application
A service application provides specific functionality, such as search, that may be required by a web application. In the end, web applications connect to and consume the service provided by a service application. Examples of service applications are:
- The Search Service Application, which supports crawling, indexing, and querying.
- The Business Connectivity Service, which enables SharePoint to connect to external data sources.
- The Managed Metadata Service, which provides taxonomy and managed content types.
- The User Profile Service, which synchronizes user profile attributes from Active Directory and other sources.
The Farm Configuration Wizard sets up all service applications and creates a single application connection group, default, that is available and can be used by any web app in the farm.
Architecture
Service applications are part of SharePoint Foundation 2010. This means that the architecture is part of the platform, in contrast to SharePoint 2007, in which SSPs were introduced by Microsoft Office SharePoint Server 2007 and not by Windows SharePoint Services v3. In SharePoint 2010, most new services are built on Windows Communication Foundation (WCF), which means they have optimization built into their protocol, using binary streams instead of XML to transfer data.
Flexible Topology
A service application provides a single set of functionality. A web application can, through application connection groups, connect to one or more service applications based on the needs of the web app. This is in contrast to the SSP in SharePoint 2007, which contained a bundle of services and a web application that was connected to the SSP and incurred the overhead of all services in the SSP. A service app can also be published so that it can be consumed by applications on another farm.
Whiteboard Diagram
Label the following components in the preceding diagram:
- SharePoint server
- Service instance, for example, the instance of the Search service
- Service application, for example, the instance of the Search Service application
- Application connection (proxy)
- Application connection group (proxy group)
- Web application
- Association of the web application to the application connection group
Additional Reading
Module 8, Configuring and Securing SharePoint Services and Service Applications, details managed accounts.
Service accounts are user accounts used by a service to log on to Windows. When you configure a service, you associate an identity (a user name and password) with the service. When the service starts, it authenticates using that account, just as a user authenticates when logging on to a system. The service account must have sufficient permissions for the service to perform its tasks.

Traditionally, service accounts have been difficult for enterprises to manage, because when you change the password of the service account in Active Directory, you must then reconfigure the service with the new password; otherwise it will be denied logon. Because of this challenge, enterprises have typically sacrificed security best practices and have configured service accounts with passwords that never expire.

SharePoint 2010 introduces the concept of managed accounts. Managed accounts are service accounts with which SharePoint services run. Unlike traditional service accounts, however, SharePoint is able to perform password resets on the accounts in Active Directory, and it can update the service with the new password. All of this can be done automatically, without administrative intervention.

A managed account starts like any service account: a domain user account is created in Active Directory. You then register the account as a managed account using SharePoint 2010 Central Administration. At that time, you enter both the user name and password of the account. When you configure a service application, application pool, or any other component that requires an identity, you can specify which managed account should be used. In this way, SharePoint is able to maintain a database of associations between managed accounts and services. Additionally, and in contrast to SharePoint 2007, when you assign an identity to a service application, SharePoint 2010 configures any permissions or rights required for the identity.
When it comes time to change the password of a managed account, you do so with SharePoint Central Administration, rather than with Active Directory Users and Computers. SharePoint is able to change the password of the account in the domain, and it can reconfigure the services associated with that identity to allow the use of a new password.
You can also configure SharePoint to change passwords automatically based on the domain password expiration and complexity policies. In this way, the managed account passwords are known only to the farm, and cannot be used by an administrator, accidentally or intentionally, to cause damage to the farm. The managed account credentials are encrypted. The encryption process begins with the farm passphrase that is specified during SharePoint configuration. The farm passphrase is stored in a secure key of the Registry. The farm passphrase encrypts a private key that is stored in the SharePoint Config database. Private keys are used to encrypt account credentials.
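The following is an added example, not part of the courseware, showing the managed-account lifecycle described above from Windows PowerShell rather than Central Administration: registering a domain account, enabling automatic password change, and verifying the result. The account name CONTOSO\SP_AppPool and the day counts are assumptions; the cmdlets (New-SPManagedAccount, Set-SPManagedAccount, Get-SPManagedAccount) are the SharePoint 2010 ones.

```powershell
# Added example: register a managed account and hand its password to the farm.
# Run in the SharePoint 2010 Management Shell as a farm administrator.
# CONTOSO\SP_AppPool is an assumed account; it must already exist in Active Directory.

$user = 'CONTOSO\SP_AppPool'

# Register the account. The current password is supplied through a PSCredential
# from Get-Credential, so the secret never appears as a literal in the script
# or in the shell history.
$cred    = Get-Credential $user
$account = New-SPManagedAccount -Credential $cred

# Turn on automatic password change.
#   -PreExpireDays 2   : SharePoint generates and sets a new password two days before
#                        the domain policy would expire the current one, so the account
#                        never actually expires while a service is using it.
#   -EmailNotification 5 : warn the farm administrators by e-mail five days ahead.
Set-SPManagedAccount -Identity $account `
                     -AutoGeneratePassword:$true `
                     -PreExpireDays 2 `
                     -EmailNotification 5 `
                     -Confirm:$false

# Verify. Once AutomaticChange is True the password is known only to the farm
# (encrypted under the farm's keys), so no administrator can reuse it to log on
# interactively as the service identity.
Get-SPManagedAccount -Identity $user |
    Select-Object UserName, AutomaticChange, PasswordExpiration, ChangeSchedule
```

One operational caveat: the farm changes the password in Active Directory and on every SharePoint server it manages, but nothing else. If the same account is also used outside SharePoint (a scheduled task, an SSRS data source, a third-party service), that consumer breaks at the first automatic change, so give such components their own accounts before enabling this.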
Additional Reading
Module 8, Configuring and Securing SharePoint Services and Service Applications, details managed accounts.
Lesson 2
Now that the SharePoint farm is installed and configured, you can turn your attention to the creation of web applications, site collections, sites, and content databases. These are the primary components of the SharePoint logical structure. In this lesson, you will learn how to create the architecture for a simple SharePoint intranet and, along the way, come to understand the characteristics of and issues related to each of these logical components.

After this lesson, you will be able to:
- Identify components of a logical architecture
- Manage web applications
- Manage site collections
- Delegate site collection administration
- Configure quotas
- Manage sites
- Configure managed paths
- Manage content databases
The diagram shown on the slide above represents the logical structure of SharePoint. A web application is the highest-level component of the logical structure within a farm. A farm can have one or more web applications. Within a web application are one or more site collections. Site collections have a URL that is a managed path. A site collection contains one or more sites. When you create a site collection, you also create the top-level site in that site collection. Below that top-level site can be one or more additional sites, often referred to as subsites or subwebs. Within a site are pages, lists, and libraries. Lists and libraries can contain folders. Within lists and libraries, possibly organized into folders, are items and documents, respectively. A site collection and all of its content is hosted in a content database. There can be one or more content databases associated with a web application.

An important element of the diagram shown above is that when you create a site collection, you also create a top-level site. They are two separate components, but they always go hand in hand. You can't have a site collection without a top-level site, and you can't have a top-level site without also having a site collection.
The top-level logical component within a farm is the web application. A web application in SharePoint corresponds to a site in Internet Information Services (IIS). To understand the configuration parameters you must provide when you create a web application, it is helpful to understand how a client (a web browser, for example) connects to a site. This slide illustrates the process with which a browser retrieves a page from a SharePoint site.

With a browser open, a user enters a URI (Uniform Resource Identifier), also called a URL (Uniform Resource Locator). This is the request that the user makes. The URI includes a protocol, such as http:, and an address, typically specified as a Domain Name System (DNS) name, such as intranet.contoso.com. Often, the URI also includes a path or page that specifies a resource within the target site, such as /default.aspx.

The request must be sent to the server hosting the website. Therefore, the DNS name of the server must be resolved to its IP address. The client sends a query to its DNS server requesting a lookup of the web server's DNS name, intranet.contoso.com. The DNS server resolves the query and returns the IP address of the server, for example, 10.0.0.11. The client can now send the request to the web server using the server's IP address. The request is sent to a specific port on the server based on the protocol or a port specified in the URI. For web requests, port 80 is used unless otherwise specified.

IIS on the server receives the request and must hand the request to the correct site. The server knows which site should get the request based on the site's bindings. A site can be bound to a specific IP address or port. Typically, however, a web server hosts multiple sites, and it is not efficient, or sometimes even possible, to assign a unique IP address or port to each site. Therefore, it is typical to see a web server hosting multiple sites all bound to the same IP address and port.

How, then, can the server know which site should handle the inbound request? While the inbound request targets a specific IP address and port, the request itself contains the DNS name of the website in a field called the host header. Sites on the server can be bound to the host headers that correspond to the DNS name of the site. Therefore, while requests for different sites may be coming into the same IP address and port, IIS is able to forward requests to the correct sites based on the host header. If a site happens to be a SharePoint site, SharePoint takes the request, examines the URI, and retrieves the content from the appropriate content database on the SQL Server. At each point in the process, security controls can be applied to ensure that users can get only to the content they need.
A web application is a logical unit that contains one or more site collections. A web application is associated with an IIS website, and can be extended to up to five IIS websites (one per zone). Each web application's IIS website runs in the context of an application pool. You use web applications to isolate content, processes, features, and users. You can separate content that is accessible by anonymous users from content that is accessed by authenticated users, or content that is accessible by partners from content that is accessible by employees, by hosting the content in separate web applications. Each web application has a unique domain name; because a browser treats each domain as a separate origin, script running in one web application cannot read content served by another, which helps to contain cross-site scripting attacks. You can assign a unique application pool to a web application, which isolates its processes. When you create a new web application, you also create a new content database and specify the authentication method that the application pool uses to connect to that database. You also specify the authentication method that clients use to connect to the IIS website. SharePoint Server 2010 provides a set of service applications that are available for each web application. You can select which service applications you want to use for each web application that you create by associating the web application with a proxy group or by specifying a custom set of service applications for the web application. For more information, see Module 8, Configuring and Securing SharePoint Services and Service Applications. Service applications are associated with web applications. Policy can be specified uniquely for each web application. For more information, see Module 6, Securing Content.
The web application and content database will be created. When this process is complete, the Application Created page appears.
13. Click OK. The new web application is displayed on the Web Applications Management page.

Tip: Be sure that you have created a host record (A or AAAA) in DNS for the web application.

Create a Web Application by Using Windows PowerShell
The following example shows the use of the New-SPWebApplication cmdlet to create a new web application:

New-SPWebApplication -Name <Name> -ApplicationPool <ApplicationPool> -ApplicationPoolAccount <ApplicationPoolAccount> -Port <Port> -URL <URL>

Where:
- <Name> is the name of the new web application.
- <ApplicationPool> is the name of the application pool.
- <ApplicationPoolAccount> is the user account that this application pool will run as.
- <Port> is the port on which the web application will be created in IIS.
- <URL> is the public URL for the web application.
Additional Reading
Create a Web Application (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192703&clcid=0x409
Load Balancing
When you create a web application, you specify the load-balanced URL, for example, intranet.contoso.com:80. Load balancing is a technology that allows the distribution of requests across more than one web front end. Windows Server 2008 can provide load balancing through Network Load Balancing (NLB), but it is common for organizations with more than one web front end to use hardware-based load balancers. The load balancer is assigned the IP address associated with the DNS name of the website. Each web front end has a unique IP address that is known to the load balancer. The load balancer receives the client's request, and then forwards the request to one of the web front ends based on the logic applied by the load balancer.
A site collection is a group of SharePoint websites that share common ownership and administrators, as well as common settings, such as quotas, locks, site use confirmation and deletion, and self-service site creation. When you create a site collection, you also create a top-level site in the site collection. The top-level site can be configured to use a template, also called a site definition.

Create a Site Collection by Using Central Administration
1. In the Central Administration Quick Launch, click Application Management.
2. In the Site Collections section, click Create site collections.
3. In the Web Application section, ensure that you are focused on the web application in which you want to create a site collection. If necessary, click the web application picker, click Change Web Application, and then click the correct web application.
4. In the Title box, type a title for the site collection.
5. In the Template Selection section, select the site definition you want to apply to the top-level site of the new site collection.
6. In the Primary Site Collection Administrator section, in the User name box, type the user name of the site collection administrator.
7. Click OK. The site collection is created, and the Top-Level Site Successfully Created page appears.
8. Click OK.
When you create a site collection, you also create a top-level site within that site collection. The top-level site is typically created using a site definition, for example, Team Site or Publishing Site, but it is also possible to create a blank top-level site that can then be customized later.
Create a Site Collection by Using Windows PowerShell The following example shows the use of the New-SPSite cmdlet to create a new site collection.
Get-SPWebTemplate
$template = Get-SPWebTemplate "STS#0"
New-SPSite -Url "<URL for the new site collection>" -OwnerAlias "<domain\user>" -Template $template

Where:
- Get-SPWebTemplate on its own lists the site definitions available in the farm, so that you can choose the correct name.
- <URL> is the URL of the site collection you want to create.
- The -OwnerAlias parameter's <domain\user> value defines the primary site collection administrator.
- The -SecondaryOwnerAlias parameter (not shown above) defines the secondary site collection administrator.
- The -Template parameter's value specifies the site definition for the top-level site; in this example, STS#0, the Team Site template.
Read the Warning section and verify that the site collection information is correct. On the Delete Site Collection page, click Delete. The site collection that you selected is deleted.
Delete a Site Collection by Using Windows PowerShell The following example shows the use of the Remove-SPSite cmdlet to delete a site collection:
Remove-SPSite -Identity "<URL>" -GradualDelete
Where: <URL> is the URL of the site collection you want to delete.
The -GradualDelete parameter specifies that you use gradual deletion, which reduces the load on the system during the deletion process.
When you use Remove-SPSite to delete a site collection, you cannot restore it by using the Restore-SPSite cmdlet.
Additional Reading
Create a site collection (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkId=221520
After creating the site collection, you should configure site collection settings. In Central Administration, this is done on the Application Management page.
1. In the SharePoint 2010 Central Administration Quick Launch, click Application Management.
2. In the Primary site collection administrator box, type the name of the primary owner, using the format DOMAIN\username.
3. In the Secondary site collection administrator box, type the name of the secondary owner, using the format DOMAIN\username.
4. Click OK.
Assign Site Collection Owners by Using Windows PowerShell
The following example shows the use of the Set-SPSite cmdlet to assign the site collection owners:

Set-SPSite -Identity "<SiteCollection>" -OwnerAlias "<DOMAIN\User>" -SecondaryOwnerAlias "<DOMAIN\User>"
Where: <SiteCollection> is the URL of the site collection to which you want to add a site collection administrator. <DOMAIN\User> is the name of the user whom you want to add as a site collection owner. The -OwnerAlias parameter defines the primary site collection administrator. The -SecondaryOwnerAlias parameter defines the secondary site collection administrator.
Assign Site Collection Administrators
Site collection administrators are owners of the site collection. They are given full control of the site collection and always have the ability to change permissions on objects within the site collection. They also have permission to perform a wide range of administrative tasks within the site collection.
1. In the top-level site of a site collection, click Site Actions, and then click Site Settings.
2. Click Site Collection Administrators.
3. In the Site Collection Administrators box, type the names of the site collection administrators, separated by semicolons.
4. Click OK.

Whereas you can assign two site collection owners in Central Administration, you can assign more than two site collection administrators within the site collection.

Two Sets of Site Collection Administrators
Site collection owners assigned in Central Administration receive e-mail notifications related to site usage and quotas. Otherwise, the permissions and capabilities of the two types of site collection administrators are identical. A farm administrator can assign the primary and secondary site collection administrators in Central Administration. A site collection administrator can add or remove site collection administrators in the site collection settings.

Assign Permissions to the Top-Level Site
Each SharePoint site has at least three default groups: Owners, Members, and Visitors. These three groups have Full Control, Contribute, and Read permission respectively.
1. Click Site Actions, and then click Site Permissions.
2. Click the name of a group to which you want to add members, for example, Contoso Intranet Visitors.
3. Click New. The Grant Permissions page opens.
4. In the Users/Groups box, type the names of the users or groups that you want to add to the selected SharePoint group, and then click OK.
To give all authenticated users the ability to browse a site, add the Authenticated Users group to the sites Visitors group. Before you use this option, be careful to verify which users are included in the Authenticated Users group. For example, if you work with partners and contractors, their accounts are included because they enter credentials to access your site.
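The following added example (not from the courseware) performs the site-level tasks just described from Windows PowerShell and the SharePoint object model: adding extra site collection administrators, auditing who currently holds that role, and granting Authenticated Users read access through the Visitors group. The URL and the account names are assumptions; the membership warning above is the reason the audit function exists.

```powershell
# Added example: manage and audit site collection administrators, then grant
# broad read access deliberately rather than by accident.
# Run in the SharePoint 2010 Management Shell as a site collection administrator.

$siteUrl = 'http://intranet.contoso.com'          # assumed site collection

# SPWeb objects hold unmanaged resources; always Dispose() them when done.
$web = Get-SPWeb $siteUrl

# 1. Add site collection administrators (the Site Settings page shown above).
#    EnsureUser adds the account to the site collection if it is not there yet;
#    IsSiteAdmin is the flag behind "Site Collection Administrators".
foreach ($admin in 'CONTOSO\Dave', 'CONTOSO\Jane') {     # assumed accounts
    $u = $web.EnsureUser($admin)
    $u.IsSiteAdmin = $true
    $u.Update()
}

# 2. Audit: everyone who currently bypasses all permission settings in this
#    site collection. Review this list periodically; it should stay short.
function Get-SiteCollectionAdmins([string]$Url) {
    Get-SPUser -Web $Url | Where-Object { $_.IsSiteAdmin } |
        Select-Object UserLogin, DisplayName
}
Get-SiteCollectionAdmins $siteUrl

# 3. Give all authenticated users read access by adding the built-in
#    NT AUTHORITY\Authenticated Users group to the site's Visitors group.
#    This includes every account that can authenticate to the domain
#    (partner and contractor accounts too), so do it only after checking
#    that Read on this site is acceptable for all of them.
$visitorsGroup = $web.AssociatedVisitorGroup
$authUsers     = $web.EnsureUser('NT AUTHORITY\Authenticated Users')
$visitorsGroup.AddUser($authUsers)

# Confirm the result: group name and its current members.
"{0}: {1}" -f $visitorsGroup.Name, (($visitorsGroup.Users | ForEach-Object { $_.LoginName }) -join ', ')

$web.Dispose()
```

The audit function is the part worth keeping in a scheduled job: site collection administrators can be added by any existing administrator without a farm administrator noticing, so a periodic comparison of Get-SiteCollectionAdmins output against the approved list is the simplest detective control for this privilege.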
Additional Reading
Add or remove site collection administrators (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192707&clcid=0x409
Quotas
One of the important site collection settings is the quota template associated with the site collection. A quota template specifies the maximum storage permitted for each site in a site collection. Quotas also define the resource utilization limits for Sandboxed Solutions. Sandboxed Solutions are discussed in Module 7, Managing SharePoint Customizations. Quotas define the following:
- Storage limit (in MB).
- The storage warning level at which site collection owners (primary and secondary site collection administrators) are notified that the site is approaching its storage limit. This value must be lower than the storage limit.
- Resource usage limit for Sandboxed Solutions (per day).
- Resource usage warning level at which site collection owners (primary and secondary site collection administrators) are notified that the site is approaching its resource usage limit. This value must be lower than the resource usage limit.
Create or Modify a Quota Template
Quota templates are defined at the farm level. When you create a quota template, you simplify the management of storage limits on new site collections.
1. In the Central Administration Quick Launch, click Application Management.
2. On the Application Management page, in the Site Collections section, click Specify quota templates. The Quota Templates page opens.
You can create, modify, or delete a quota template from the Quota Templates page.
3.
4.
On the Quota Templates page, in the Template Name section, in the Template to modify list, select the template that you want to change. Alternately, to create a new quota template, click Create a new quota template and then, in the New template name box, type a name for a new quota template. In the Storage Limit Values section, specify the values that you want to apply to the template. If you want to modify the amount of data that can be stored in the database, select the Limit site storage to a maximum of check box, and type the new storage limit, in megabytes, in the text box. If you want an e-mail message to be sent to the site collection administrator when a storage threshold is reached, select the Send warning E-mail when Site Collection storage reaches check box, and then type the threshold, in megabytes, in the box.
5. In the Sandboxed Solutions With Code Limits section, set the values for a template for Sandboxed Solutions. If you want to limit the resource usage of Sandboxed Solutions in the site collection, select the Limit maximum usage per day to check box, and then type the daily resource usage limit, in points, in the text box. If you want an e-mail message to be sent to the site collection administrator when a resource usage threshold is reached, select the Send warning e-mail when usage per day reaches check box, and then type the daily resource usage warning limit, in points, in the box. A point is a relative measurement of resource usage, for example, CPU cycles, memory, or page faults. Points enable comparisons between measurements of resource usage that could not be compared otherwise. See Module 7, Managing SharePoint Customizations, for more detail about Sandboxed Solutions.
6. Click OK.
Apply a Quota Template to a Site Collection

A site collection can be associated with one of the farm's quota templates. When a new site collection is created with a template, the limits defined in the template are copied to the site collection.
1. In the Central Administration Quick Launch, click Application Management.
2. On the Application Management page, in the Site Collections section, click Configure quotas and locks. The Site Collection Quotas and Locks page opens.
3. If you want to change the selected site collection, in the Site Collection section, expand the Site Collection list, and then click Change Site Collection. Use the Select Site Collection page to select a site collection.
4. On the Site Collection Quotas and Locks page, in the Site Quota Information section, expand the Current quota template list, and then select the new quota template to apply.
5. Click OK.
Updating Quotas

If you update a quota template, the change does not apply to site collections that were created from that template: the template's values are copied into each site collection at creation time, so existing site collections keep their old limits. To update quotas on existing site collections, use Windows PowerShell's Set-SPSite cmdlet with the MaxSize parameter (and the WarningSize parameter for the warning level).
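The following script is an added example and is not part of the course material. It performs the quota tasks described above from Windows PowerShell: it creates or updates a quota template through the SharePoint object model (SharePoint 2010 has no cmdlet for creating quota templates), applies the template to one site collection, and then pushes the template's current limits to every site collection that was created from it, which is the step Central Administration does not do for you. The template name, the web application URL and the site collection URL are assumptions.

```powershell
# Added example, not from the course. Run in the SharePoint 2010 Management
# Shell as a farm administrator. Storage values are bytes on SPQuotaTemplate
# and on Set-SPSite -MaxSize/-WarningSize; sandboxed solution values are points
# per day. Each warning level must be lower than its limit.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$templateName = "Team Sites - 2 GB"            # assumed template name
$webAppUrl    = "http://intranet.contoso.com"  # assumed web application
$siteUrl      = "$webAppUrl/sites/hr"          # assumed site collection

function Set-QuotaTemplateChecked {
    param([string]$Name, [long]$StorageMax, [long]$StorageWarn,
          [double]$PointsMax, [double]$PointsWarn)
    if ($StorageWarn -ge $StorageMax -or $PointsWarn -ge $PointsMax) {
        throw "Warning levels must be lower than their limits"
    }
    $service  = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $template = $service.QuotaTemplates[$Name]
    $isNew    = ($template -eq $null)
    if ($isNew) {
        $template = New-Object Microsoft.SharePoint.Administration.SPQuotaTemplate
        $template.Name = $Name
    }
    $template.StorageMaximumLevel  = $StorageMax
    $template.StorageWarningLevel  = $StorageWarn
    $template.UserCodeMaximumLevel = $PointsMax
    $template.UserCodeWarningLevel = $PointsWarn
    if ($isNew) { $service.QuotaTemplates.Add($template) }
    $service.Update()
    # Re-read the template so that QuotaID is populated for the comparison below.
    return [Microsoft.SharePoint.Administration.SPWebService]::ContentService.QuotaTemplates[$Name]
}

$template = Set-QuotaTemplateChecked -Name $templateName -StorageMax 2GB -StorageWarn 1536MB `
                                     -PointsMax 300 -PointsWarn 200

# Apply the template to one site collection (the "Current quota template" setting).
Set-SPSite -Identity $siteUrl -QuotaTemplate $templateName

# Re-apply the template's values to every site collection created from it. A site
# collection's Quota.QuotaID matches the template it was created from; sites with
# an individually set quota have QuotaID 0 and are left alone.
Get-SPSite -WebApplication $webAppUrl -Limit All |
    Where-Object { $_.Quota.QuotaID -eq $template.QuotaID } |
    ForEach-Object {
        Set-SPSite -Identity $_ -MaxSize $template.StorageMaximumLevel `
                                -WarningSize $template.StorageWarningLevel
        # A site collection already above the new warning level will start
        # sending warning e-mail immediately; report those so owners are not surprised.
        if ($_.Usage.Storage -gt $template.StorageWarningLevel) {
            Write-Warning ("{0} already uses {1} MB, above the new warning level" -f `
                $_.Url, [math]::Round($_.Usage.Storage / 1MB))
        }
    }
```

Central Administration displays quota values in megabytes, but the object model and the Set-SPSite parameters take bytes; the PowerShell size suffixes (MB, GB) keep the two from being mixed up.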
To Lock or Unlock a Site Collection by Using Central Administration
1. In Central Administration, click Application Management.
2. On the Application Management page, in the Site Collections section, click Configure quotas and locks. The Site Collection Quotas and Locks page opens.
3. If you want to change the selected site collection, in the Site Collection section, on the Site Collection menu, click Change Site Collection. Use the Select Site Collection page to select a site collection.
4. On the Site Collection Quotas and Locks page, in the Site Lock Information section, select one of the following options:
   - Not locked. To unlock the site collection and make it available to users.
   - Adding content prevented. To prevent users from adding new content to the site collection. Updates and deletions are still allowed.
   - Read-only (blocks additions, updates, and deletions). To prevent users from adding, updating, or deleting content.
   - No access. To prevent access to content completely. Users who attempt to access the site receive an access-denied message.
5. If you select Adding content prevented, Read-only (blocks additions, updates, and deletions), or No access, type a reason for the lock in the Additional lock information box.
6. Click OK.
Lock or Unlock a Site Collection by Using Windows PowerShell

The following example shows the use of the Set-SPSite cmdlet with the -LockState parameter to lock or unlock a site collection.

Set-SPSite -Identity "<SiteCollection>" -LockState "<State>"

Where:
- <SiteCollection> is the URL of the site collection that you want to lock or unlock.
- <State> is one of the following values:
  - Unlock. To unlock the site collection and make it available to users.
  - NoAdditions. To prevent users from adding new content to the site collection. Updates and deletions are still allowed.
  - ReadOnly. To prevent users from adding, updating, or deleting content.
  - NoAccess. To prevent access to content completely. Users who attempt to access the site receive an access-denied message.
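The script below is an added example, not part of the course material. It locks a site collection read-only while recording a reason, and then reports the lock state of every site collection in a web application. Set-SPSite -LockState has no parameter for the "Additional lock information" text that Central Administration asks for; that text is the SPSite.LockIssue property, which the script sets directly. The web application URL, the site collection URL and the reason text are assumptions.

```powershell
# Added example, not from the course. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://intranet.contoso.com"   # assumed web application
$siteUrl   = "$webAppUrl/sites/hr"           # assumed site collection

# Lock the site collection for a maintenance window and record why, as the
# "Additional lock information" box in Central Administration does.
Set-SPSite -Identity $siteUrl -LockState "ReadOnly"
$site = Get-SPSite $siteUrl
$site.LockIssue = "Read-only during content database move (assumed reason text)"
$site.Dispose()

function Get-SPSiteLockReport {
    param([string]$WebApplicationUrl)
    Get-SPSite -WebApplication $WebApplicationUrl -Limit All | ForEach-Object {
        # Map the SPSite flags back to the four lock states. The flags nest:
        # NoAccess sets ReadLocked, ReadOnly sets ReadOnly, NoAdditions sets
        # only WriteLocked, so they are tested from most to least restrictive.
        $state = "Unlock"
        if ($_.ReadLocked)      { $state = "NoAccess" }
        elseif ($_.ReadOnly)    { $state = "ReadOnly" }
        elseif ($_.WriteLocked) { $state = "NoAdditions" }
        New-Object PSObject -Property @{
            Url        = $_.Url
            LockState  = $state
            Reason     = $_.LockIssue
            # A content database set read-only in SQL Server also makes its site
            # collections read-only, and Set-SPSite -LockState Unlock cannot clear
            # that; the column tells you which kind of read-only you are looking at.
            DbReadOnly = $_.ContentDatabase.IsReadOnly
        }
    }
}

Get-SPSiteLockReport -WebApplicationUrl $webAppUrl |
    Where-Object { $_.LockState -ne "Unlock" -or $_.DbReadOnly } |
    Format-Table Url, LockState, DbReadOnly, Reason -AutoSize
```

Run the report before a migration or restore to confirm that nothing is still locked from a previous operation, and again afterwards to confirm that the locks you set were removed.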
Additional Reading
Manage site collection storage limits (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192708&clcid=0x409
Subsites
A site collection can contain one or more sites. Below the top-level site, you can create additional sites, also called subsites or subwebs. The preceding diagram shows subsites for HR and Engineering. The URL for HR would be http://intranet.contoso.com/HR. The site hierarchy can be even deeper, but be aware of the 260-character URL length limit.
Managed Paths
To create a new site collection within a web application, there must be a managed path at which to create the site collection. A managed path is a portion of the URI namespace where site collections exist. A managed path is not directly mapped to content within the web application. Instead, it is used by SharePoint as a namespace (path) node where site collections can be created.

An explicit managed path is useful for creating only a single site collection, at the exact URL specified. For example, the default (root) managed path for our intranet site is http://intranet.contoso.com/ and a single site collection can be created at that exact URL.

A wildcard managed path, for example, http://intranet.contoso.com/sites/, indicates that child URLs of the path are site collections. A wildcard managed path such as sites/ allows an unlimited number of site collections to be created directly under the provided path. It is important to note that a site collection (and therefore, a website) cannot be created at the wildcard path itself (http://intranet.contoso.com/sites/). The default wildcard managed path, created when you create any new web application, is sites/. However, you can define managed paths with other descriptive names such as depts (for departments), teams, clients, or projects.

Managed paths allow a SharePoint server to receive a request in the form of a URI and to determine which part of the URI corresponds to a site collection, by looking at the list of managed paths for a given web application. SharePoint can then go to the correct content database of the site collection to retrieve the content based on the remaining portion of the URI. This means that SharePoint has to look at every managed path for each request, so Microsoft supports only up to 20 managed paths per web application.

Add Managed Paths for a Web Application by Using Central Administration
1. On the SharePoint 2010 Central Administration website, in the Quick Launch, click Application Management.
2. On the Application Management page, click Manage web applications.
3. Click the web application for which you want to manage paths. The ribbon becomes active.
4. On the ribbon, click Managed Paths.
5. On the Define Managed Paths page, in the Add a New Path section, type the path you want to include.
6. Click Check URL to confirm the path name.
7. Use the Type drop-down menu to identify the path as either Wildcard inclusion or Explicit inclusion. The Wildcard inclusion type includes all URLs that are immediately subordinate to the specified URL. The Explicit inclusion type includes only the URL that is indicated by the specified path.
8. Click Add Path.
9. When you have finished adding paths, click OK.
Remove Managed Paths for a Web Application by Using Central Administration
1. On the SharePoint 2010 Central Administration website, in the Quick Launch, click Application Management.
2. On the Application Management page, click Manage Web Applications.
3. Click the web application for which you want to manage paths. The ribbon becomes active.
4. On the ribbon, click Managed Paths.
5. On the Define Managed Paths page, in the Included Paths section, click the check box next to the path that you want to remove.
6. Click Delete selected paths. Warning: Deletion is immediate. You will have no additional opportunity to confirm.
7. When you have finished removing paths, click OK.
Add a Managed Path by Using Windows PowerShell

The following example shows the use of the New-SPManagedPath cmdlet to add a managed path to a web application:

New-SPManagedPath [-RelativeURL] "<RelativeURL>" -WebApplication <WebApplication>

Where:
- <RelativeURL> is the relative URL for the new managed path. The value must be a valid partial URL, such as sites or sites/teams.
- <WebApplication> is the URL of the web application to which the managed path will be added.

The path is created as a wildcard inclusion unless you add the -Explicit switch, which creates an explicit inclusion.
Remove a Managed Path by Using Windows PowerShell

The following example shows the use of the Remove-SPManagedPath cmdlet to remove a managed path from a web application:

Remove-SPManagedPath [-Identity] <ManagedPathName> -WebApplication <WebApplication>

Where:
- <ManagedPathName> is the name (relative URL) of the managed path to delete.
- <WebApplication> is the URL of the web application that hosts the managed path to delete.
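The following script is an added example and is not part of the course material. It wraps New-SPManagedPath in a check that refuses to exceed the supported 20 managed paths per web application, creates one wildcard and one explicit path, lists the result with Get-SPManagedPath, and removes a path again. The web application URL and the path names depts and portal are assumptions.

```powershell
# Added example, not from the course. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl       = "http://intranet.contoso.com"   # assumed web application
$maxManagedPaths = 20                              # supported limit per web application

function Add-ManagedPathChecked {
    param(
        [string]$WebApplicationUrl,
        [string]$RelativeUrl,
        [switch]$Explicit
    )
    $existing = @(Get-SPManagedPath -WebApplication $WebApplicationUrl)
    if ($existing | Where-Object { $_.Name -eq $RelativeUrl }) {
        Write-Warning "Managed path '$RelativeUrl' already exists; skipping"
        return
    }
    if ($existing.Count -ge $maxManagedPaths) {
        throw "Web application already has $($existing.Count) managed paths; the supported limit is $maxManagedPaths"
    }
    if ($Explicit) {
        # Explicit inclusion: exactly one site collection, at this URL itself.
        New-SPManagedPath -RelativeURL $RelativeUrl -WebApplication $WebApplicationUrl -Explicit
    } else {
        # Wildcard inclusion (the default): site collections live under the path,
        # and no site collection can be created at the path itself.
        New-SPManagedPath -RelativeURL $RelativeUrl -WebApplication $WebApplicationUrl
    }
}

Add-ManagedPathChecked -WebApplicationUrl $webAppUrl -RelativeUrl "depts"              # assumed
Add-ManagedPathChecked -WebApplicationUrl $webAppUrl -RelativeUrl "portal" -Explicit   # assumed

# Review the result. The root explicit path shows an empty Name; PrefixType is
# WildcardInclusion or ExplicitInclusion.
Get-SPManagedPath -WebApplication $webAppUrl | Format-Table Name, PrefixType -AutoSize

# Removal is immediate, exactly as in Central Administration, so confirm the
# path has no site collections first.
$children = @(Get-SPSite -WebApplication $webAppUrl -Limit All |
              Where-Object { $_.ServerRelativeUrl -like "/portal*" })
if ($children.Count -eq 0) {
    Remove-SPManagedPath -Identity "portal" -WebApplication $webAppUrl -Confirm:$false
} else {
    Write-Warning "Not removing 'portal': $($children.Count) site collection(s) use it"
}
```

Removing a managed path does not delete the site collections under it, but they become unreachable until the path is recreated, which is why the script counts them first.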
Additional Reading
SharePoint 101: Managed Paths, at http://go.microsoft.com/fwlink/?LinkID=192710&clcid=0x409
Define managed paths (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192709&clcid=0x409
Content Databases
Scalability
From a logical storage management perspective, it would make sense for each site to be a separate site collection in a separate content database. However, for performance reasons, such an approach is often not feasible. In fact, several scalability guidelines apply to SharePoint Server 2010. Become aware of scalability boundaries:
- 300 content databases per web application are supported. Additionally, the RAM and performance of your SQL Server limit the total number of content databases that should be hosted on that server.
- 200 GB per content database is supported. Content database sizes up to 1 terabyte are supported only for large, single-site repositories and archives with non-collaborative I/O and usage patterns, such as Records Centers. Larger database sizes are supported for these scenarios because their I/O patterns and typical data structure formats have been designed for, and tested at, larger scales.
- 100 GB per site collection is supported. If a content database contains only one site collection, then the site collection can be up to 200 GB.
- 250,000 websites per site collection are supported.
- Up to 2,000 subsites of a given website are supported.
When designing a strategy for content databases, consider your service level objectives: the recovery time objective (how quickly deleted or corrupted content must be brought back online) and the recovery point objective (how much recent data you can afford to lose, which determines how often backups must be taken). You must also consider performance, such as the scalability guidelines mentioned above.
Additional Reading
SharePoint Server 2010 Capacity Management: Software Boundaries and Limits at http://go.microsoft.com/fwlink/?LinkID=192711&clcid=0x409
Add a Content Database by Using Windows PowerShell

The following example shows the use of the New-SPContentDatabase cmdlet to create a new content database:

New-SPContentDatabase -Name <ContentDbName> -WebApplication <WebApplicationName>

Where:
- <ContentDbName> is the name of the content database that you want to create.
- <WebApplicationName> is the name of the web application to which the new database is attached.
Additional Reading
Add a content database (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192712&clcid=0x409
It's important to mention that the size of the content database is not taken into consideration. In the event that more than one content database has the same number of available sites, the content database with the lowest GUID is selected as a tie-breaker. As you can see, the lack of fine-grained control in Central Administration can be problematic when you are trying to manage the association of site collections to content databases. The -ContentDatabase parameter of the New-SPSite cmdlet can be used to create a site collection in a specific content database. You can move site collections between content databases by using Windows PowerShell. The following example shows the use of the Move-SPSite cmdlet to move a site collection between content databases:

Move-SPSite <http://ServerName/Sites/SiteName> -DestinationDatabase <DestinationContentDb>

Where:
- <http://ServerName/Sites/SiteName> is the URL of the site collection.
- <DestinationContentDb> is the name of the destination content database.
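The script below is an added example, not part of the course material, covering the content database procedures above end to end: it creates a dedicated content database for one division and caps it so that SharePoint never auto-places other site collections in it, creates the division's site collection in that database explicitly with New-SPSite -ContentDatabase, and moves an existing site collection into it with Move-SPSite, checking the site collection's database before and after. The web application URL, database name, owner account and site collection URLs are assumptions.

```powershell
# Added example, not from the course. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://intranet.contoso.com"   # assumed web application
$dbName    = "WSS_Content_Intranet_HR"       # assumed database name
$owner     = "CONTOSO\hr-admin"              # assumed primary site collection administrator
$newSite   = "$webAppUrl/sites/HR"           # assumed: under the default wildcard path sites/
$moveSite  = "$webAppUrl/sites/hr-archive"   # assumed existing site collection

function Get-SiteDatabase {
    param([string]$Url)
    $site = Get-SPSite $Url -ErrorAction SilentlyContinue
    if ($site -eq $null) { return $null }
    $name = $site.ContentDatabase.Name
    $site.Dispose()
    return $name
}

# 1. Create the database. MaxSiteCount 1 with WarningSiteCount 0 reserves it:
#    the "most available sites" placement rule can never pick it for other
#    site collections, so placement stays under your control.
$db = Get-SPContentDatabase -WebApplication $webAppUrl | Where-Object { $_.Name -eq $dbName }
if ($db -eq $null) {
    $db = New-SPContentDatabase -Name $dbName -WebApplication $webAppUrl `
                                -MaxSiteCount 1 -WarningSiteCount 0
}

# 2. Create the division's site collection in that database explicitly.
if ((Get-SiteDatabase $newSite) -eq $null) {
    New-SPSite -Url $newSite -OwnerAlias $owner -ContentDatabase $dbName `
               -Template "STS#0" -Name "Human Resources"
}
"{0} is in {1}" -f $newSite, (Get-SiteDatabase $newSite)

# 3. Move an existing site collection. Lock it first so users see a reason
#    instead of failed writes, raise the target's site limit to make room,
#    then verify the new location and unlock.
"Before move: {0} is in {1}" -f $moveSite, (Get-SiteDatabase $moveSite)
Set-SPSite -Identity $moveSite -LockState "ReadOnly"
Set-SPContentDatabase -Identity $dbName -MaxSiteCount 2 -WarningSiteCount 1
Move-SPSite -Identity $moveSite -DestinationDatabase $dbName -Confirm:$false
Set-SPSite -Identity $moveSite -LockState "Unlock"
"After move: {0} is in {1}" -f $moveSite, (Get-SiteDatabase $moveSite)

# Run "iisreset" on each web front end after Move-SPSite so that cached
# site-to-database mappings are refreshed.
```

The MaxSiteCount and WarningSiteCount values are the same "Number of sites before a warning event is generated" and "Maximum number of sites" settings shown for a content database in Central Administration; setting the warning count to 0 is what takes the database out of automatic placement.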
The preceding slide presents a simple view of the logical infrastructure of a typical intranet or collaboration web application. At the root of the web application is a site collection with a top-level site that serves as the home page, and may contain general content that applies across divisions. Under a managed path, each division, department, or team gets a unique site collection. The URL to a divisional site is web application / [managed path /] site, for example, http://intranet.contoso.com/depts/HR. The division's site collection scopes the ownership, user and group definitions, quotas, and other configuration for the site. Site collections also impose functional boundaries: features can be activated or deactivated at the site collection level. You will typically need far more site collections than you would anticipate, because governance designs typically require more than one set of configuration at the site collection level. Optionally, you can put each division's site collection in a dedicated content database to manage storage, backup and restore. Keep in mind, however, that there are performance-related scalability guidelines that might prevent you from putting every division in a separate site collection and content database in particularly large or complex implementations.
Lesson 3
In the previous lesson, you examined the process where a browser requests and receives content from a SharePoint site. In this lesson, you will explore in detail the components of SharePoint, IIS, and Microsoft SQL Server that are responsible for handling the request on the web front end. After this lesson, you will be able to: Understand the SharePoint engine: the components of the web application and the service itself.
Among the components you will explore are:
- SharePoint and IIS 7.0
- SharePoint Web Application Components
- Web.config
- SharePoint Root
- SharePoint Databases
- Customized vs. Uncustomized Pages
As you learned in Module 1, Introducing SharePoint 2010, SharePoint 2010 sits on top of IIS 7.0 and relies on Internet Information Services to process requests. IIS 7.0 has several features that make managing your SharePoint 2010 environment easier and increase performance:
- HttpModules and HttpHandlers, the two types of component that process web requests, participate in all requests to the server without having to be associated with the ASP.NET ISAPI filter, which improves the performance of request processing.
- ASP.NET configuration was managed directly in XML files in previous versions of IIS. The new IIS Manager allows you to visualize configuration values and make changes in the user interface.
- Traditionally, it has been difficult to troubleshoot and debug 500 errors. Now, with failed request tracing, you can trace the events that lead to such errors.
- You can make changes to IIS configuration settings using a .NET API, which makes it possible to configure IIS using Windows PowerShell.
- IIS configuration used to be stored in the metabase. Now, configuration is stored in the applicationHost.config file.
- IIS supports more granular delegation of administration, which makes it possible to assign roles to administrators without giving them the keys to the entire web server.
Key Points
When you create a new SharePoint web application, several things happen:
- A new site is created in IIS. The site is bound to the port and host header specified by SharePoint.
- An application pool is associated with the site. As you learned in the previous lesson, an existing application pool can be used by more than one site, which allows the sites to share a single process and the overhead associated with the application pool, yielding certain efficiencies. Alternatively, you can create a new application pool for the site, which isolates the site in a separate process (and therefore from the code and identity of other sites) but incurs its own application pool overhead. Microsoft supports up to ten application pools per SharePoint server. This number may be reduced depending primarily on the RAM of the server.
- A root directory for the web application is created as a subfolder of c:\inetpub\wwwroot\wss\virtualdirectories. Inside the root directory is a .NET configuration file, web.config. The web.config file defines the application as a SharePoint application.
- Virtual directories within the site point to other folders, each with its own .NET configuration (web.config).
- HttpModules registered in web.config hook the SharePoint object model into the request-processing pipeline.
Web.config
The web.config file is the key component that makes an IIS website a SharePoint web application. The web.config file is a typical XML-based .NET config file with several configuration sections added to it. Several common configuration sections are:
- SafeControls. Defines which controls can be used on a SharePoint page; a control that is not registered as safe cannot be placed on a page by users.
- SafeMode. Determines whether pages are allowed to execute inline .NET code.
- MergedActions. Allows changes to web.config without actually modifying the file; it merges the actions specified in this file and other files.
- BlobCache. Enables caching of various file types in a location on the web front end, rather than pulling files from the database for each request.
For more information, see Module 4, Configuring Content Management.
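The following script is an added example and is not part of the course material. It ties the two preceding topics together: for each web application it shows what SharePoint created in IIS (site name, bindings, application pool and its identity, physical root) and then inspects that root's web.config for settings that leak internals to users when left on from debugging: SafeMode CallStack and AllowPageLevelTrace set to true, compilation debug="true", customErrors mode="Off", and SafeControl entries marked Safe="False". It also counts the application pools on the server against the supported limit of ten. The script only reads configuration; the findings it reports and the thresholds it uses are this example's own choices.

```powershell
# Added example, not from the course. Run in the SharePoint 2010 Management Shell
# on a web front end; uses the SharePoint object model and the IIS 7
# WebAdministration module, and changes nothing.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

function Test-SPWebConfig {
    # Reads the SharePoint-specific and ASP.NET sections of a web.config and
    # returns the values an attacker would be happy to find.
    param([xml]$Config)
    $safeMode = $Config.configuration.SharePoint.SafeMode
    $comp     = $Config.configuration.'system.web'.compilation
    $errors   = $Config.configuration.'system.web'.customErrors
    $unsafe   = @($Config.configuration.SharePoint.SafeControls.SafeControl |
                  Where-Object { $_.Safe -eq "False" })
    New-Object PSObject -Property @{
        CallStack           = $safeMode.CallStack
        AllowPageLevelTrace = $safeMode.AllowPageLevelTrace
        CompilationDebug    = $comp.debug
        CustomErrors        = $errors.mode
        UnsafeControls      = $unsafe.Count
        Findings            = @(
            if ($safeMode.CallStack -eq "true")           { "SafeMode CallStack=true exposes stack traces to users" }
            if ($safeMode.AllowPageLevelTrace -eq "true") { "AllowPageLevelTrace=true exposes trace output to users" }
            if ($comp.debug -eq "true")                   { "compilation debug=true (debug build, verbose errors)" }
            if ($errors.mode -eq "Off")                   { "customErrors mode=Off shows raw ASP.NET errors" }
        )
    }
}

foreach ($wa in Get-SPWebApplication) {
    # What SharePoint created in IIS for the default zone of this web application.
    $iis  = $wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
    $root = $iis.Path.FullName
    "{0}`n  IIS site: {1}`n  App pool: {2} (runs as {3})`n  Root: {4}" -f `
        $wa.Url, $iis.ServerComment, $wa.ApplicationPool.Name, $wa.ApplicationPool.Username, $root
    Get-WebBinding -Name $iis.ServerComment | ForEach-Object { "  Binding: " + $_.bindingInformation }

    # The web.config in that root is what makes the IIS site a SharePoint application.
    $report = Test-SPWebConfig -Config ([xml](Get-Content (Join-Path $root "web.config")))
    "  web.config: CallStack={0} Trace={1} debug={2} customErrors={3} SafeControls with Safe=False: {4}" -f `
        $report.CallStack, $report.AllowPageLevelTrace, $report.CompilationDebug, `
        $report.CustomErrors, $report.UnsafeControls
    $report.Findings | ForEach-Object { "  FINDING: $_" }
}

$poolCount = @(Get-ChildItem IIS:\AppPools).Count
if ($poolCount -gt 10) {
    Write-Warning "$poolCount application pools on $env:COMPUTERNAME; Microsoft supports up to 10 per server"
}
```

Because web.config is per web application and per server, run the script on every web front end: a debugging change made with a text editor on one server is not replicated by the farm.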
SharePoint Root
If you open the folder that acts as the root directory of a SharePoint web application (the Physical Path of the IIS website), you will discover that there are no .aspx files in the folder. Where, exactly, do SharePoint files and pages reside? Content that is specific to the individual web application is stored in the web application's content database(s) in SQL Server. However, a significant amount of content is shared across sites and web applications in a SharePoint farm. These files are stored in the folder:
C:\Program Files\Common Files\Microsoft Shared\web server extensions\14
This folder is called the SharePoint root. You'll also hear it referred to as the 14 hive, because in SharePoint 2007, the folder was named 12 and was called the 12 hive. However, the proper name for the folder in SharePoint 2010 is the SharePoint root. The folder has many subfolders that drive the core functionality of the SharePoint farm and web applications.
Top-level folders
The top-level folders in the SharePoint root include:
- ADMISAPI. Web services that manage content deployment.
- BIN. Executables that manage search, timer jobs, upgrade, configuration, and administration.
- CONFIG. Configuration files that control code security, web application security, and extensions to stsadm.exe and Windows PowerShell.
- HCCab. .cab-based help files.
- Help. .chm-based Help files.
- ISAPI. SharePoint .NET object model .dlls, administration application pages, SharePoint web services, and the SharePoint RPC .dll.
- LOGS. Usage analysis processing logs and SharePoint log files.
- Policy. .dll and .config files.
- Resources. .resx files used to create SharePoint objects using an installed language pack.
- TEMPLATE. Site definitions, workflow settings, feature additions, and user controls.
- UserCode. Files that support sandboxed solutions.
- WebClients. Configuration files used for the client object model.
- WebServices. Files that support service applications.
TEMPLATE folder
The TEMPLATE folder in the SharePoint root contains files that support content and functionality across SharePoint sites in a farm. The TEMPLATE folder includes the following subfolders:
- 1033. English-language SharePoint configuration files. Other folders with names that correspond to a specific language will exist for other installed languages.
- ADMIN. The site applications for Central Administration.
- CONTROLTEMPLATES. User controls that are used across sites.
- DocumentTemplates. Document templates that are used across sites.
- FEATURES. Features that have been added to extend the SharePoint functionality.
- GLOBAL. A site definition that is inherited by all other site definitions.
- IMAGES. Common graphic elements.
- LAYOUTS. Pages that implement functionality that is available to all SharePoint sites.
- SITETEMPLATES. Site definitions.
- SQL. Scripts that create configuration, search, and content databases, and that upgrade older versions of databases.
- THEMES. Styles that can be applied to change the look and feel of a SharePoint site.
- XML. XML configuration files.
It is best to deploy files and functionality to a SharePoint farm using SharePoint solutions. Solutions are packages, similar to Windows Installer (.MSI) files, which deploy files and functionality. When you use a solution, the farm does the job of ensuring that the solution is deployed to all servers.
SharePoint Databases
A SharePoint implementation consists of numerous databases stored in SQL Server:
- Each farm has a configuration, or config, database. The configuration database contains data about SharePoint databases, Internet Information Services (IIS) websites, web applications, trusted solutions, Web Part packages, site templates, and web application and farm settings specific to SharePoint 2010 products, such as default quota settings and blocked file types.
- Each service application can have one or more databases.
- Each web application stores its content in one or more content databases, in addition to using shared content in the SharePoint root. Content databases include content from lists and document libraries, document versions, workflow instances, Web Part properties, audit logs, and sandboxed solutions, in addition to user names and rights.
As you learned earlier in this module, all the data for a specific site collection resides in one content database on only one server. A content database can be associated with more than one site collection.
- RecycleBin. Contains deleted items from all sites in the site collection.
- WebParts. Provides available web parts.
- Webs. Provides configuration of each site (web) in the site collection.
Additional Reading
Database types and descriptions (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192713&clcid=0x409
Storage and SQL Server capacity planning and configuration (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192714&clcid=0x409
Key Points
When you create a site, a special collection of files called the site definition generates the initial, default content for the site. A subset of this content is the pages that make up the site, for example, default.aspx, the home page. The default.aspx page does not reside in the content database itself. Instead, it resides in the SharePoint root on the file system of the web front-end servers. All sites in a SharePoint farm, by default, use the same default.aspx page. Of course, the home page of each site is typically different. This is supported because the default.aspx page defines content areas and Web Part zones, but the actual content and the properties of each Web Part are specific to each site, and are stored in the site's content database. When a page such as default.aspx is served from the SharePoint root, it is said to be uncustomized. In previous versions of SharePoint, this was called ghosted. Using a tool such as SharePoint Designer, you can customize the page itself. When you do so, the customized page is saved to the content database, and the uncustomized version in the SharePoint root is no longer used for that site. The page is then said to be customized; in previous versions of SharePoint, this was called unghosted. It is possible to reset a site or page to the site definition, which removes the customized copy from the content database. It is not recommended to modify files directly in the SharePoint root. Among other problems that could arise, SharePoint updates and service packs may overwrite your changes.
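The script below is an added example, not part of the course material. It lists the customized (unghosted) pages in a site collection, who last changed them and when, and can reset them to the site definition. A customized page is served from the content database instead of the SharePoint root, so it no longer picks up fixes shipped in updates and may carry SharePoint Designer edits that nobody reviewed; this report is how you find them. It uses the SPFile.CustomizedPageStatus property and the SPFile.RevertContentStream() method of the SharePoint object model. The site collection URL is an assumption.

```powershell
# Added example, not from the course. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-CustomizedPages {
    param(
        [string]$SiteUrl,
        [switch]$Revert    # reset each customized page to its site definition file
    )
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Pages in the root folder (default.aspx and friends) plus the
                # Pages (publishing) and Site Pages (wiki) libraries if present.
                $files = @($web.RootFolder.Files)
                foreach ($listName in "Pages", "Site Pages") {
                    $list = $web.Lists.TryGetList($listName)
                    if ($list -ne $null) { $files += @($list.RootFolder.Files) }
                }
                foreach ($file in $files) {
                    if ($file.CustomizedPageStatus -eq [Microsoft.SharePoint.SPCustomizedPageStatus]::Customized) {
                        New-Object PSObject -Property @{
                            Web        = $web.Url
                            Page       = $file.ServerRelativeUrl
                            ModifiedBy = $file.ModifiedBy.LoginName
                            Modified   = $file.TimeLastModified
                        }
                        # RevertContentStream drops the copy in the content database;
                        # the page is served from the SharePoint root again afterwards.
                        if ($Revert) { $file.RevertContentStream() }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

$siteUrl = "http://intranet.contoso.com"   # assumed site collection
# Report only; add -Revert after reviewing the list to reset pages to the site definition.
Get-CustomizedPages -SiteUrl $siteUrl | Format-Table Web, Page, ModifiedBy, Modified -AutoSize
```

Reverting discards the customized markup, so export any page you might need to restore before running with -Revert; enumerating AllWebs opens every site in the collection, which is acceptable for a report but slow on very large site collections.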
Scenario
You have been asked to build an intranet to support communication and collaboration requirements at Contoso, Ltd. You have recently completed the installation of SharePoint 2010. You must now configure the farm using the Farm Configuration Wizard, and create the logical topology to support the initial business requirements. You are tasked with establishing a SharePoint 2010 intranet site so that business users can review the new features of the publishing site definition. Additionally, you have been asked to configure sites to meet the collaboration requirements of several divisions within the organization. You will begin by creating a site for the Information Technology (IT) department.
Results: After this exercise, you should have created a new web application, intranet.contoso.com.
Task 3: Add a DNS host record for the new web application.
Start DNS Manager using the Run as different user option. Enter the user name, CONTOSO\Administrator, and the password, Pa$$w0rd. Connect to the DNS server running on CONTOSO-DC. Create a new host record in the contoso.com zone with the name, intranet, and the IP address, 10.0.0.21. Close DNS Manager.
The website begins to load. Because this is the first time that the site has been requested from the server, it must be compiled. This takes several seconds. The intranet web application opens.
Review Questions
1. Why would you create more than one content database in a web application?
2. If you were to create another site collection in the intranet web application, in which content database would it be created?
Module 3
Administering and Automating SharePoint
Contents:
Lesson 1: Configuring Central Administration 3-3
Lesson 2: Administering SharePoint from the Command Line 3-9
Lesson 3: Automating SharePoint Operations with Windows PowerShell 3-20
Lab: Automating SharePoint with Windows PowerShell 3-45
Module Overview
In previous modules, you used Central Administration to perform common administrative tasks related to the installation and configuration of Microsoft SharePoint. In this module, you learn more about what it means to be an administrator of a SharePoint farm and what it takes to administer SharePoint using both Central Administration and command-line options. Among the most powerful tools at your disposal as a SharePoint administrator is Windows PowerShell. SharePoint 2010 offers rich support for Windows PowerShell as the primary command-line interface for administering and automating SharePoint, and in this module you learn the fundamentals of Windows PowerShell for SharePoint.
Objectives
After completing this module, you will be able to: Configure the Central Administration site and describe administrative roles. Administer SharePoint by using PowerShell and STSADM.EXE. Automate SharePoint administration operations by writing PowerShell scripts.
Lesson 1
In this lesson, you take a high-level look at the available options for administering SharePoint: Central Administration, Stsadm, and Windows PowerShell. You learn to configure Central Administration and to identify the various administrative roles in a SharePoint environment. Later lessons explore Stsadm and Windows PowerShell in detail. After completing this lesson, you will be able to: Describe the options for administering SharePoint farms. Configure and manage the Central Administration Web application. Describe the administrative roles that you can use to manage SharePoint farms.
Administrative Options
In addition to SharePoint 2010 Central Administration, you have at least two other options with which to administer a SharePoint farm: Stsadm and Windows PowerShell. Stsadm is a command (Stsadm.exe) located in the folder C:\Program Files\Common Files\Microsoft Shared\web server extensions\14\BIN. Windows PowerShell is the administrative framework for SharePoint 2010 and other Microsoft technology platforms. The SharePoint 2010 Management Shell is the preferred interface for performing task-based commands and for running scripts. The SharePoint 2010 Management Shell supports both Stsadm and Windows PowerShell. In this module, you learn about all three of these administrative options.
Central Administration
Remember that Central Administration is a Web application. Every action you perform in Central Administration is executed using the application pool identity of the Central Administration Web application and the timer service, for example, SP_Farm. Actions performed in Central Administration are not executed in the context of your administrative account's identity. If something is not working, be sure that the SP_Farm identity has the permissions it requires. For example, some tasks performed in Central Administration require that the account have the following:
- Local Administrators group membership on each SharePoint server
- Microsoft SQL Server permissions
These permissions are assigned automatically if you follow the procedures outlined earlier in this course. However, if something happens that removes or denies a required permission, administrative tasks may fail.
Where:
- <PortNumber> is an available port, greater than 1023 and less than 32767.

Stsadm. You can use the setadminport operation to modify the port to which Central Administration is bound.

stsadm -o setadminport <PortNumber>
Additional Reading
Change the Central Administration Web site port number (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192720&clcid=0x409
Setadminport: Stsadm operation (Office SharePoint Server) at http://go.microsoft.com/fwlink/?LinkID=192721&clcid=0x409
Administrative Roles
Farm Administrators
The Farm Administrators group represents the accounts that can use the Central Administration application to perform administrative tasks.

Manage the Farm Administrators Group

In the SharePoint 2010 Central Administration Quick Launch, click Security, and then, in the Users section, click Manage the farm administrators group.

Members of the Farm Administrators group have permissions to and responsibility for all servers in the server farm. Members can perform all administrative tasks in Central Administration for the server or server farm. Members of this group can also use Windows PowerShell to create and manage configuration database objects and can perform command-line operations, for example, with Stsadm.exe. They can assign administrators to manage service applications, which are instances of shared services. The Farm Administrators group does not have permissions to access individual sites or their content, by default. However, members can take ownership of a site collection by assigning themselves as a site collection owner in Central Administration. For example, if a site collection administrator leaves the organization and a new administrator must be added, a member of the Farm Administrators group can take ownership of the site collection to make the change.
Local Administrators
Members of the Administrators group on the local server are members of the Farm Administrators group by default. Therefore, members of the Administrators group on the local server can perform all farm administrator actions and more, including installing new products or applications, deploying Web Parts and new features to the global assembly cache, creating new Web applications and new Internet Information Services (IIS) Web sites, and starting services. Like Farm Administrators, members of this group on the local server have no access to site content, by default, but can take ownership of a site collection.
Site-Level Administrators
The following two roles are administrative roles, but they do not have any capability to perform tasks in Central Administration:
- Site collection administrators
- The Owners group of a site
The scope of their permissions is the site collection or site. Site collection administrators have the Full Control permission level on all Web sites in a site collection. They have access to content in all sites in that site collection, even if they do not have explicit permissions on that site. For more information, see Module 2, Creating a SharePoint 2010 Intranet. By default, members of a site's Owners group have the Full Control permission level on that site. They can perform administration tasks for the site and for any list or library in that site. They receive e-mail notifications for events, such as the pending automatic deletion of inactive sites and requests for site access.
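The following script is an added example and is not part of the course material. It is a privileged-access review for the farm that covers the points made in this lesson: it reports the identity the Central Administration application pool runs as (the account that actually executes what you click in Central Administration) and whether that account is a direct member of the local Administrators group on the server, the members of the Farm Administrators group (a SharePoint group on the Central Administration site), and the site collection administrators of every site collection, the two roles that can take ownership of or read any content. It only reads; it assumes the SharePoint 2010 Management Shell on a farm server with farm administrator rights.

```powershell
# Added example, not from the course. Read-only privileged-account inventory.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPPrivilegedAccounts {
    $ca = Get-SPWebApplication -IncludeCentralAdministration |
          Where-Object { $_.IsAdministrationWebApplication }

    # 1. Central Administration application pool identity and local admin status.
    #    Direct members of the local group only: membership inherited through a
    #    nested domain group (for example Domain Admins) is not detected here.
    $farmAccount = $ca.ApplicationPool.Username
    $group       = [ADSI]"WinNT://./Administrators,group"
    $localAdmins = @($group.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) })
    $isLocalAdmin = $localAdmins -contains ($farmAccount -split "\\")[-1]
    New-Object PSObject -Property @{
        Role    = "Central Administration app pool identity"
        Account = $farmAccount
        Scope   = "direct local Administrators member on $env:COMPUTERNAME = $isLocalAdmin"
    }

    # 2. Farm Administrators: a SharePoint group on the Central Administration site.
    $caSite = $ca.Sites[0]
    foreach ($u in $caSite.RootWeb.SiteGroups["Farm Administrators"].Users) {
        New-Object PSObject -Property @{ Role = "Farm Administrator"; Account = $u.LoginName; Scope = "farm" }
    }
    $caSite.Dispose()

    # 3. Site collection administrators: Full Control on every site in the collection,
    #    whether or not they appear in any site's permission lists.
    foreach ($site in Get-SPSite -Limit All) {
        foreach ($u in $site.RootWeb.SiteAdministrators) {
            New-Object PSObject -Property @{ Role = "Site collection administrator"; Account = $u.LoginName; Scope = $site.Url }
        }
        $site.Dispose()
    }
}

Get-SPPrivilegedAccounts | Sort-Object Role, Account | Format-Table Role, Account, Scope -AutoSize
```

Members of the server's local Administrators group are farm administrators by default, as the previous topic notes, so review the local group on every SharePoint server alongside this output; the script checks the one server it runs on.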
Additional Reading
Choose administrators and owners for the administration hierarchy (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192722&clcid=0x409
Lesson 2
In this lesson, you move away from the user interface of the Central Administration Web application and turn to command-line options for administering SharePoint. You explore Stsadm (Stsadm.exe), which is included with SharePoint 2010 to support mixed environments, and Windows PowerShell, which is the recommended tool for administering and automating SharePoint 2010. After completing this lesson, you will be able to:
- Administer SharePoint from the command prompt with Stsadm.
- Identify the role of Windows PowerShell for administering SharePoint.
SharePoint has introduced new command-line administration interfaces with each successive version of the product. SharePoint 2010 aligns with other Microsoft technologies around the use of Windows PowerShell as the primary command-line interface for administration. SharePoint 2010 provides more than 600 Windows PowerShell cmdlets to support administration of a SharePoint farm. PowerShell provides a superset of capabilities found in Central Administration. Windows PowerShell 2.0 is required to install SharePoint and is installed by the Microsoft SharePoint Products Preparation Tool (PrerequisiteInstaller). As you learn in the next topic, Stsadm has been deprecated but is still supported in SharePoint 2010.
Stsadm
Stsadm is deprecated but is included to support compatibility with previous product versions. There are, however, a small number of rarely used Stsadm operations for which no Windows PowerShell equivalent exists. Some Stsadm operations are no longer supported because of feature or architectural changes in SharePoint 2010. For example, commands used to create, enumerate, and manage Shared Service Providers (SSPs) are not supported because SSPs have been replaced by service applications. To use Stsadm, you must start Command Prompt on a SharePoint server with the Run As Administrator option, and then navigate to the folder that contains Stsadm.exe:
C:\Program Files\Common Files\Microsoft Shared\web server extensions\14\BIN
You can avoid having to navigate to this deeply nested folder by adding the path to the folder to the %PATH% environment variable. For example, type the following command:
set path=%path%;C:\Program Files\Common Files\Microsoft Shared\web server extensions\14\BIN
Alternately, use the SharePoint 2010 Management Shell, which includes the path to the \BIN folder in its path variable. Stsadm exposes functionality through operations. Each operation is invoked with this syntax:
stsadm -o <OperationName> [-parameter <Value> ...]
Where:
- <OperationName> is the name of an Stsadm operation.
- <Value> is the value for a parameter used by the operation.
To discover the operations that are supported, type the following command:
stsadm -?
To read documentation about a specific operation and the parameters it supports, type the following command:
stsadm -help <OperationName>
Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration. Built on the Microsoft .NET Framework, Windows PowerShell helps IT professionals control and automate the administration of several Microsoft technologies, including the Windows operating system, SharePoint 2010, the Active Directory directory service, and Microsoft Exchange Server. With Windows PowerShell commands, called cmdlets, you can perform management tasks from the command line. With Windows PowerShell providers, you can access data stores, such as the registry and certificate store, as easily as you access the file system. In addition, Windows PowerShell has a rich expression parser and a fully developed scripting language. Windows PowerShell includes the following features:
- Cmdlets for performing common system administration tasks.
- A task-based scripting language.
- Support for existing scripts and command-line tools. For example, you can perform most Cmd.exe commands with Windows PowerShell.
- Consistent design. Because cmdlets and system data stores use common syntax and naming conventions, data can be shared easily and the output from one cmdlet can be used as the input to another cmdlet without reformatting or manipulation.
- Providers that expose system resources such as the registry, certificate store, and directory service for simplified navigation by using the same techniques that users employ to navigate the file system.
- Powerful object manipulation capabilities. You can manipulate objects directly or send them to other tools or databases.
- Extensible interface. Independent software vendors and enterprise developers can build custom tools and utilities to administer their software.
There is significant overlap between Stsadm and Windows PowerShell in support for operations that are common to both SharePoint 2007 and SharePoint 2010. However, Windows PowerShell provides unique capabilities related to the management of all new features, including support for the following tasks:
- Installation and configuration of SharePoint 2010
- Management of service applications
- Granular control of backup and restore
Additional Reading
About Windows PowerShell at http://go.microsoft.com/fwlink/?LinkID=192723&clcid=0x409
Cmdlets
Windows PowerShell commands are called cmdlets, pronounced command-lets.
List Available Cmdlets
The Get-Command cmdlet lists cmdlets. Type Get-Command.
Cmdlets are not case sensitive. The following cmdlets are equivalent:
Get-Command
get-command
GET-COMMAND
Cmdlets always follow the Verb-Noun, also called the Action-Object format. The Noun is always singular. For example, the cmdlet to list all processes running on a machine is Get-Process. To list all processes running on a machine: Type Get-Process.
There are a limited number of verbs, which can be listed with the Get-Verb cmdlet. Nouns follow naming standards managed by the Windows PowerShell team. For example, all SharePoint nouns begin with SP.
List All SharePoint Cmdlets
To list all SharePoint cmdlets:
Additional Reading
Understanding Important Windows PowerShell Concepts at http://go.microsoft.com/fwlink/?LinkID=192724&clcid=0x409 Learning Windows PowerShell Names at http://go.microsoft.com/fwlink/?LinkID=192725&clcid=0x409
Tab Completion
Windows PowerShell supports tab completion, so you can type a few letters and then press TAB to complete your typing. This applies not only to paths, which is possible in Command Prompt as well, but also to cmdlets and their parameters. To experience tab completion, perform the following steps in SharePoint 2010 Management Shell to build a command that creates a new content database for a Web application:
1. Type New-SPCont, and then press TAB. Windows PowerShell completes the name of the cmdlet, New-SPContentDatabase. The first parameter of the New-SPContentDatabase cmdlet is the name of the database you want to create.
2. Press SPACEBAR, type TestContentDB, and then press SPACEBAR. The next parameter is the name of the database server on which to create the content database.
3. Type -Da, and then press TAB. Windows PowerShell completes the name of the parameter, -DatabaseServer.
4. Press SPACEBAR, type SP2010-WFE1, and then press SPACEBAR. The other required parameter is the name of the Web application with which the content database is associated.
5. Type -W, and then press TAB. Windows PowerShell completes the name of the parameter, -WebApplication.
6. Press SPACEBAR, and then type http://intranet.contoso.com.
7. Press CTRL+C to cancel the command without executing it.
Get-Help
Windows PowerShell cmdlets are well documented with a standard documentation format.
Get Help About a Cmdlet
To get help about a cmdlet, use the Get-Help cmdlet. Type Get-Help <cmdlet>, where cmdlet is the name of the cmdlet about which you want help.
Where the optional parameters produce various types and levels of detail:
- -examples. Shows examples of the cmdlet.
- -detailed. Shows detailed information about the cmdlet and each of its parameters. Also shows examples.
- -full. Shows all documentation of the cmdlet.
Without a parameter, the Get-Help cmdlet shows a synopsis, a more detailed description, and the syntax of the cmdlet. For example, to get help, including examples, about the New-SPContentDatabase cmdlet, type the following:
Get-Help New-SPContentDatabase -detailed
Additional Reading
Getting Information About Commands at http://go.microsoft.com/fwlink/?LinkID=192730&clcid=0x409 Getting Detailed Help Information at http://go.microsoft.com/fwlink/?LinkID=192731&clcid=0x409
Objects
Unlike Command Prompt, in which commands return text that then must be parsed and processed as text, Windows PowerShell returns objects, representations of the component itself. For example, the Get-Process cmdlet returns objects representing processes on a computer. Type the following to retrieve all processes on a computer:
Get-Process
To limit the processes, use a parameter of the Get-Process cmdlet. For example, the -Name parameter limits processes returned based on their name. The following command retrieves all processes on a computer named iexplore:
Get-Process -Name iexplore
The -Name parameter is the default parameter for the Get-Process cmdlet, so it can be omitted:
Get-Process iexplore
In these examples, Windows PowerShell outputs several properties of each process it returns. You are not doing anything with the objects other than showing properties. However, objects returned by a cmdlet can be stored in variables for later use or piped to a subsequent cmdlet as input for the cmdlet.
Pipeline
Windows PowerShell features a pipeline, a channel through which the output of a cmdlet can be passed to the following cmdlet. The pipeline is represented by the pipe character (|). For example, type the following to stop all processes named iexplore on a computer:
Get-Process iexplore | Stop-Process
The Get-Process cmdlet gets running processes on a machine. The Stop-Process cmdlet stops processes. In this example, the Get-Process cmdlet gets processes named iexplore, and then passes the processes through the pipeline to the Stop-Process cmdlet.
As you learn later in this lesson, one of the most important differences between Windows PowerShell and Command Prompt is that cmdlets return objects, not text. In Command Prompt, commands return text, and the text can be piped to another command. In Windows PowerShell, cmdlets return objects, which can be manipulated in much more powerful ways further down the pipeline. For example, the Get-Process cmdlet returns objects representing processes named iexplore. The next command in the pipeline stops those processes, but it could just as easily be a cmdlet that changes the priority of the processes or that returns specific information about the processes, such as their memory and processor utilization.
Additional Reading
Understanding the Windows PowerShell Pipeline at http://go.microsoft.com/fwlink/?LinkID=192732&clcid=0x409
Aliases
Windows PowerShell allows a cmdlet to have aliases, which are alternate names for the cmdlet. For example, gps and ps are aliases for Get-Process. Also, kill is an alias for Stop-Process.
List Available Aliases
The Get-Alias cmdlet lists aliases. Type Get-Alias.
List Aliases for a Specific Cmdlet
To list aliases for a specific cmdlet: Type Get-Alias -definition <cmdlet>, where cmdlet is the cmdlet for which you want to list aliases.
If you see a cmdlet that is not following the Verb-Noun syntax, it is certain that the cmdlet is using an alias. Sometimes it can be difficult to interpret what a command is doing when an alias is used.
List the Cmdlet Associated with an Alias
To list the cmdlet for a specific alias: Type Get-Alias <Alias>, where Alias is the alias you want to resolve.
For example, type the following to list the cmdlet for the alias kill:
Get-Alias kill
Additional Reading
Using Familiar Command Names at http://go.microsoft.com/fwlink/?LinkID=192733&clcid=0x409
Variables
As you begin to find and create Windows PowerShell scripts, there's one more concept you must understand: variables. Variables are memory locations that store a value or object and are represented in Windows PowerShell by a name that starts with a dollar sign ($). To assign a variable, that is, to create and define a variable, simply use the following syntax:
$variable = value
For example, the following script stops all processes named iexplore:
The result is the same as the one-liner shown earlier. However, by separating the name of the process from the line that performs the action of finding and stopping the process, you can more easily modify the script. Or you could use the Read-Host cmdlet to prompt a user for the name of a process, instead of hard-wiring the name of the process into the script. To assign a string value to a variable, enclose the value in single or double quotation marks, as shown earlier. Variables can also store one or more objects. Examine the following script:
$process = Get-Process "iexplore"
$process | Select ID, name, description
$process | Stop-Process
In this example, the variable $process is set to the collection of processes named iexplore. The variable is then used in two following commands. The first reports the ID, name, and description of each process in $process. The second stops each process.
$_
The special variable $_ represents the current object in the pipeline. You see examples of this later in the module. For now, simply imagine that you are looping through a collection of objects, for example, each site collection in a Web application, and you want to do something to each object, for example, list the site collection administrators. As you loop through the collection, you can use the $_ variable to represent the current site collection. Again, you learn more about $_ and put it to use later in the module.
Additional Reading
Using Variables to Store Objects at http://go.microsoft.com/fwlink/?LinkID=192734&clcid=0x409 Windows PowerShell on Microsoft TechNet at http://go.microsoft.com/fwlink/?LinkID=192735&clcid=0x409 Windows PowerShell Scripting Center at http://go.microsoft.com/fwlink/?LinkID=192736&clcid=0x409
Lesson 3
Now that you have learned some of the fundamental concepts of Windows PowerShell, you can turn your attention to how you can use Windows PowerShell to administer and automate SharePoint 2010. After completing this lesson, you will be able to:
- Describe the SharePoint 2010 Management Shell.
- Delegate permissions to use Windows PowerShell.
- Examine the SharePoint logical structure.
- Create a SharePoint intranet by using Windows PowerShell.
- Describe objects, members, properties, and methods in Windows PowerShell.
- Describe how to select, sort, and format output in Windows PowerShell.
- Describe how to filter objects.
- Describe iteration and iteration in scripts.
- Automate SharePoint operations with Windows PowerShell.
Another way to add SharePoint functionality to Windows PowerShell is to use a process called reflection, through which you load the SharePoint .dll files directly. This was required in SharePoint 2007 but is not recommended in SharePoint 2010 now that the SharePoint snap-in is available.
Sets the PSThread option to ReuseThread. This is a setting that improves the utilization of memory in Windows PowerShell and reduces the likelihood of memory leaks. In Windows PowerShell, each line, that is, each command, is started in its own thread, or process. When ThreadOptions is set to ReuseThread, each command is run in the same thread. If you use Windows PowerShell rather than SharePoint 2010 Management Shell, you must run the following command:
$Host.Runspace.ThreadOptions = "ReuseThread"
Adds the Stsadm (SharePoint Root/BIN folder) to the path. SharePoint Management Shell adds the path to the Stsadm.exe command to its path. This allows you to use Stsadm to perform tasks, in addition to Windows PowerShell.
Additional Reading
PS Thread Options at http://go.microsoft.com/fwlink/?LinkId=183145
So, with just one command, you've given the user the SharePoint_Shell_Access role on the database and added the user to the WSS_ADMIN_WPG local group on each server in the farm. If the user is currently logged on, the user will of course have to log off and log back on for the new local group membership to take effect. To perform this delegation, your account must have the Security_Admin server role for the SQL Server instance and the db_owner role for the database, and you must be in the Administrators group of each server in the farm. In other words, you must be a high-level administrator to delegate to another user the ability to use Windows PowerShell. Practically speaking, you'll likely be administrator of the SQL Server and of each server in the farm, though technically speaking you don't need quite that much power.
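The delegation described above, as an added example that is not part of the course material: one account is granted Windows PowerShell access scoped to a single content database with Add-SPShellAdmin, and a small audit function then lists every account holding shell access on the configuration database and on each content database so that anything outside an approved list stands out. The account name, database name and approved-accounts list are assumed placeholders.

```powershell
# Added example (not from the course). Assumed placeholders: CONTOSO\SP_Ops,
# WSS_Content_Intranet and the $approved list. Run from SharePoint 2010
# Management Shell by an account that meets the prerequisites described above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$user = "CONTOSO\SP_Ops"
$db   = Get-SPContentDatabase -Identity "WSS_Content_Intranet"

# Grant scoped to one content database rather than every database in the farm:
# the account receives SharePoint_Shell_Access on that database and WSS_ADMIN_WPG
# membership on each server in the farm.
Add-SPShellAdmin -UserName $user -Database $db

function Get-ShellAdminReport {
    # Configuration database: Get-SPShellAdmin without -Database
    foreach ($u in Get-SPShellAdmin) {
        New-Object PSObject -Property @{ Database = "(configuration)"; UserName = $u.UserName }
    }
    # Every content database in the farm
    foreach ($cdb in Get-SPContentDatabase) {
        foreach ($u in Get-SPShellAdmin -Database $cdb) {
            New-Object PSObject -Property @{ Database = $cdb.Name; UserName = $u.UserName }
        }
    }
}

# Accounts expected to hold shell access (constructed list for this example)
$approved = @("CONTOSO\SP_Admin", "CONTOSO\SP_Ops")

$report = Get-ShellAdminReport
$report | Sort-Object Database, UserName | Format-Table Database, UserName -AutoSize

# Least-privilege check: any account outside the approved list deserves review
$report | Where-Object { $approved -notcontains $_.UserName } |
    Format-Table Database, UserName -AutoSize
```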
Where:
- <SiteCollectionURL> is the URL of the site collection.
- The -OwnerAlias parameter's <DOMAIN\User> is the primary site collection administrator.
- The -SecondaryOwnerAlias parameter's <DOMAIN\User> is the secondary site collection administrator.
Run SharePoint 2010 Management Shell with the Run As Administrator Option
Finally, many cmdlets require that you are an administrator of the computer on which the cmdlet is being executed. These cmdlets fail unless you use the Run As Administrator option when opening SharePoint 2010 Management Shell.
Additional Reading
SharePoint 2010 Products administration by using Windows PowerShell at http://go.microsoft.com/fwlink/?LinkID=192737&clcid=0x409
Retrieve a Collection of Web Applications in the Farm
To retrieve a collection representing the Web applications: Type Get-SPWebApplication.
The Get-SPWebApplication cmdlet leaves out Central Administration by default as a measure of protection against scripts that are designed to perform actions against every Web application in a farm. To include the Central Administration Web application, include the parameter -IncludeCentralAdministration.
Retrieve a Collection of All Site Collections in the Farm
To retrieve a collection of site collections in the farm: Type Get-SPSite.
To prevent runaway memory and processing, the Get-SPSite cmdlet limits the number of site collections it returns to 20, by default. Add the -limit parameter to increase this limit, or add -limit all to return all site collections. The Get-SPSite cmdlet always excludes the Central Administration site collection.
Retrieve a Collection of Web Sites
The Get-SPWeb cmdlet retrieves a collection of Web sites in a scope specified by the cmdlet's parameters. The -Site parameter specifies a site collection as the scope, and the -Filter parameter specifies a filter as the scope.
For example, the following command retrieves the Web sites in the intranet site collection:
Get-SPWeb -Site http://intranet.contoso.com
The Get-SPWeb cmdlet limits the number of objects it returns to 200 by default. Like the Get-SPSite cmdlet, use the -limit parameter to increase this limit, or use -limit all to return all Web sites in a site collection.
It gets even more tricky when users say something like, "I can't access my site." Is that a site collection (SPSite), a Web site (SPWeb), or are they really saying that they're typing http://intranet.contoso.com and getting an error, in which case it may even be the Web application (SPWebApplication) that needs to be examined? It's recommended that when you discuss SharePoint, and particularly when you are gathering information for troubleshooting, you avoid the word "site" by itself. Clarify: Web application, site collection, or subweb.
The Get-SPSite cmdlet, also presented earlier, retrieves all site collections. If you use an Identity parameter, it retrieves only matching site collections. For example, the following command retrieves only one site collection:
Get-SPSite "http://intranet.contoso.com"
You can use the site collection returned by Get-SPSite instead of the -Site parameter of Get-SPWeb:
Get-SPSite "http://intranet.contoso.com" | Get-SPWeb -limit all
You can also save SPSite objects and SPWeb objects to variables:
However, when you do this with SPWeb and SPSite objects, you should ensure that you dispose of them properly at the end of your script. This ensures that their memory usage is cleaned up and is done with the Stop-SPAssignment cmdlet:
$site | Stop-SPAssignment
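An added example, not from the course, that puts the SPSite and SPWeb disposal rule above to work: it walks every site collection in the farm, reads the SiteAdministrators collection of each root Web site (the scenario sketched in Lesson 2 for $_), and releases the objects through a semi-global assignment collection even if the loop is interrupted. The Start-SPAssignment/Stop-SPAssignment pairing with -AssignmentCollection is the cmdlets' documented semi-global form; the output shape is my own.

```powershell
# Added example (not from the course). Output property names are constructed
# for this example; the SharePoint members used (RootWeb, SiteAdministrators,
# Owner, LoginName, Url) are standard SPSite/SPWeb/SPUser members.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SiteCollectionAdminReport {
    # Semi-global assignment collection: every SPSite/SPWeb retrieved with it is
    # disposed by Stop-SPAssignment, which the finally block guarantees runs.
    $gc = Start-SPAssignment
    try {
        Get-SPSite -Limit All -AssignmentCollection $gc | ForEach-Object {
            $site = $_                               # current site collection
            $admins = $site.RootWeb.SiteAdministrators
            foreach ($admin in $admins) {
                New-Object PSObject -Property @{
                    SiteUrl    = $site.Url
                    LoginName  = $admin.LoginName
                    IsPrimary  = ($site.Owner -ne $null -and
                                  $site.Owner.LoginName -eq $admin.LoginName)
                    AdminCount = $admins.Count
                }
            }
        }
    }
    finally {
        Stop-SPAssignment $gc                        # releases SPSite/SPWeb memory
    }
}

$report = Get-SiteCollectionAdminReport
$report | Sort-Object SiteUrl, LoginName |
    Format-Table SiteUrl, LoginName, IsPrimary -AutoSize

# Review point: site collections administered by a single account have no
# fallback administrator if that person leaves (see the Farm Administrators topic).
$report | Where-Object { $_.AdminCount -eq 1 } | Select-Object -Unique SiteUrl
```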
Question: How can you get a list of all site collections in the farm, including Central Administration, when the Get-SPSite cmdlet always excludes Central Administration?
Question: How can you get a list of all Web sites in the farm, including Central Administration, when the Get-SPSite cmdlet always excludes Central Administration?
Additional Reading
Understanding the Windows PowerShell Pipeline at http://go.microsoft.com/fwlink/?LinkID=192732&clcid=0x409
You can use Windows PowerShell to create logical components of SharePoint, just as you did by using Central Administration in Module 2.
Note the use of the -Confirm:$false parameter. The -Confirm parameter is common to all Windows PowerShell commands that have potentially detrimental effects. By default (-Confirm:$true), the cmdlet will prompt for confirmation. Specifying -Confirm:$false suppresses such prompts. You can also use the -WhatIf parameter to simulate a command and report its effects. The -WhatIf parameter is particularly helpful when you are performing a command on a variable or collection of objects so that you know exactly what is being done to which objects.
Where:
- <Name> is the name of the new Web application.
- <Port> is the port on which the Web application will be created in IIS.
- <HostHeader> is the host header, in the format server.domain.com. Note that the Get-Help documentation for the cmdlet states that the format for <HostHeader> is http://server.domain.com. The documentation is incorrect.
- <URL> is the public (load-balanced) URL for the Web application.
- <ApplicationPool> is the name of the application pool.
- <ApplicationPoolAccount> is the managed account that the application pool will use. This is required if you are specifying an <ApplicationPool> that does not already exist. Use the Get-SPManagedAccount cmdlet as shown in the following example.
- <DatabaseName> is the name for the first content database for the Web application.
For example, the following command creates the intranet Web application with configuration similar to the intranet that was created by using Central Administration in Module 2.
New-SPWebApplication -Name "Contoso Intranet" -Port 80 -HostHeader "intranet.contoso.com" -URL "http://intranet.contoso.com:80" -ApplicationPool "SharePoint Web Applications" -ApplicationPoolAccount (Get-SPManagedAccount "CONTOSO\SP_Service") -DatabaseName "WSS_Content_Intranet"
Where:
- <URL> is the URL of the site collection you want to create.
- <Content Database Name> is the name of the content database within which the site collection should be created. This parameter is optional.
- The -OwnerAlias parameter's <domain\user> value defines the primary site collection administrator.
- The -SecondaryOwnerAlias parameter is used to define the secondary site collection administrator.
- <Template> specifies the site definition for the top-level site, for example, BLANKINTERNET#1, the Publishing Site, or STS#0, the Team Site.
For example, the following command creates a site collection at the root of the intranet Web application and creates a top-level site with the Publishing site definition.
Where:
- <ContentDbName> is the name of the content database to create.
- <WebApplicationName> is the name of the Web application to which the new database is attached.
For example, the following command creates a content database for the Sales departments intranet site collection:
New-SPContentDatabase -Name WSS_Content_Intranet_Sales -WebApplication http://intranet.contoso.com
The command also creates a top-level site in the site collection based on the Team Site site definition.
Where:
- <Identity> is the URL of the new Web site.
- <Name> is the name of the Web site.
- <Template> specifies the site definition for the Web site, for example, BLANKINTERNET#1, the Publishing Site, BLOG#0, the Blog Site, or STS#0, the Team Site.
For example, the following command creates a subweb for blogs beneath the Sales Web site:
New-SPWeb "http://intranet.contoso.com/sites/Sales/Blogs" -Name "Sales Blogs" -Template "BLOG#0"
As you learned in the previous lesson, Windows PowerShell returns objects, representations of the component itself. You can store objects returned by a cmdlet in variables for later use or pipe them to a subsequent cmdlet as input for the cmdlet. Objects have members: properties and methods. Methods are actions, things you can do with or to the object. Properties are attributes. A special kind of property is a collection, which can contain zero, one, or more items.
For example, the following command lists the properties of the Sales site collection:
Get-SPSite "http://intranet.contoso.com/sites/sales" | Get-Member -MemberType Properties
Additional Reading
Viewing Object Structure (Get-Member) at http://go.microsoft.com/fwlink/?LinkID=192738&clcid=0x409
Write-Output
If you type the following command:
Get-SPWeb "http://intranet.contoso.com/sites/sales"
the URL of the Web site is returned. As you know, Windows PowerShell works with objects, but when a command completes, at the end of the pipeline, an implicit Write-Output cmdlet displays the default properties of the object(s) at the end of the pipeline. In the example shown, the default property is a URL, and the default display format is a table.
Display Specific Properties
You can limit the properties that are displayed by adding property names to the Select cmdlet. For example, the following command displays the URL and template of the sales Web site:
Get-SPWeb "http://intranet.contoso.com/sites/sales" | Select-Object URL,WebTemplate
Additional Reading
Selecting Parts of Objects (Select-Object) at http://go.microsoft.com/fwlink/?LinkID=192739&clcid=0x409.aspx
the URL and template of all Web sites in the intranet Web application are displayed. If you want to sort the results by template, you can use the Sort-Object cmdlet, the alias of which is Sort. For example, the following command displays the URL and template of all Web sites in the intranet Web application, sorted by template name:
Get-SPWebApplication "http://intranet.contoso.com" | Get-SPSite -limit all | Get-SPWeb -limit all | Select-Object URL,WebTemplate | Sort WebTemplate
You can add the -Descending parameter to the Sort cmdlet to sort in descending order. The default is ascending order, and there is no -Ascending parameter.
Additional Reading
Sorting Objects at http://go.microsoft.com/fwlink/?LinkID=192740&clcid=0x409
Note: Using Format-List (or fl) at the end of the pipeline adds an implicit Select *. All properties are returned. If you want to limit properties returned, add the properties to the Select cmdlet.
Additional Reading
Using Format Commands to Change Output View at http://go.microsoft.com/fwlink/?LinkID=192741&clcid=0x409
Export-CSV
To save output to a CSV file, add | Export-CSV <filename> to the end of the pipeline.
ConvertTo-XML
Add | ConvertTo-XML to the end of the pipeline to convert output to an XML object. An XML object is not immediately viewable because it is an object, not the text output of an XML file. Therefore, you must save the pipeline, and thereby save the XML file. Follow this example:
( command | ConvertTo-XML ).Save("filename")
For example, the following command creates an XML file consisting of the URL and template of all the Web sites in the intranet Web application, sorted by template name:
(Get-SPWebApplication "http://intranet.contoso.com" | Get-SPSite -limit all | Get-SPWeb -limit all | Select-Object URL,WebTemplate | Sort WebTemplate | ConvertTo-XML).Save("C:\Users\SP_Admin\Desktop\SharePointWebSiteTemplates.xml")
Out-GridView
Windows PowerShell 2.0 includes an Integrated Scripting Environment (ISE), which provides a data grid view application. You must make sure that the ISE feature is installed. The following example outputs to the data grid view application:
Get-SPWebApplication "http://intranet.contoso.com" | Get-SPSite -limit all | Get-SPWeb -limit all | Select-Object URL,WebTemplate | Sort WebTemplate | Out-GridView -Title "Web Site Templates Report"
Additional Reading
Redirecting Data with Out-* Cmdlets at http://go.microsoft.com/fwlink/?LinkID=192742&clcid=0x409
Filtering Objects
Notice the use of the $_ variable, which you learned in Lesson 2 represents the current object in the pipeline. The Where-Object cmdlet operates on each object in the pipeline, checking each against the filter defined by the expression, which itself is surrounded by braces. As each object in the pipeline is examined, it is represented by the $_ variable, and the object's WebTemplate property must be equal to BLOG for the object to successfully continue down the pipeline. A limited number of cmdlets support a -Filter parameter, which uses server-side filtering. In the example shown previously, all objects are retrieved by the Get-SPWeb cmdlet, and then the Windows PowerShell client must filter the objects. You can reduce the burden on the server by using server-side filtering whenever possible. The SPWeb object can be filtered server-side for the Title and Template properties. The SPSite and SPSiteAdministration objects can be filtered server-side for Owner, SecondaryContact, and LockState. Because, in this example, you have the option of using server-side filtering, it is recommended you do so.
For example, the following retrieves the Web sites that are based on the Blog site definition by using server-side filtering of the SPWeb object:
Get-SPSite -Limit All | Get-SPWeb -Limit All -Filter {$_.Template -eq "BLOG#0"}
Operators
In the filter expressions shown earlier, you might have noticed the -eq comparison operator, which means equals. The following operators are commonly used in expressions:
Comparison Operators
- -lt. Less than
- -le. Less than or equal to
- -gt. Greater than
- -ge. Greater than or equal to
- -eq. Equal to
- -ne. Not equal to
- -like. Like; uses wildcards for pattern matching
Logical Operators
- -and
- -or
Additional Reading
Removing Objects from the Pipeline (Where-Object) at http://go.microsoft.com/fwlink/?LinkID=192743&clcid=0x409
Typical Pipeline
As objects are passed through the pipeline of a Windows PowerShell command or script, there is a common approach and order to working with those objects:
- Get. Use the Get verb to retrieve objects.
- Filter. Use the Where cmdlet to filter objects so that the only objects remaining in the pipeline are those with which you want to work.
- Manipulate. Do something to the objects by using cmdlets appropriate to the type of objects in the pipeline.
- Select. Use the Select cmdlet to select the properties of objects that you want to output.
- Sort. Use the Sort cmdlet to sort the results, before output.
- Output. Use the Format, Export, and Out cmdlets to produce output in the desired format.
If you want to convert the pipeline object(s) to a specific format, you can use the Convert cmdlet to do so, and then use the Save method of the pipeline to save an object to a file. An example is shown earlier in which pipeline output is converted to an XML object, and then saved to an XML file.
This command does the following:
- Gets Web sites in the intranet Web application
- Filters the pipeline so that only Web sites with the Blog site definition remain
- Selects properties of the Web sites
- Sorts the results by the date at which the last item in the Web site was modified
- Exports the results to a CSV file
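The typical pipeline described above, as an added example that is not the course's own command: it gets the Web sites of a Web application, filters on the server for the Blog site definition (Template is one of the SPWeb properties the server can filter on), filters on the client for Web sites whose last item was modified more than a given number of days ago (dates cannot be pushed to the server), then selects, sorts and exports to CSV. The Web application URL, output path and 180-day threshold are assumed placeholders.

```powershell
# Added example (not from the course). Assumed placeholders: the Web application
# URL, the report path and the staleness threshold.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Export-StaleBlogReport {
    param(
        [string]$WebApplicationUrl,
        [string]$OutputPath,
        [int]$StaleDays = 180
    )
    $staleBefore = (Get-Date).AddDays(-$StaleDays)

    # Get:    every Web site in every site collection of the Web application
    # Filter: -Filter runs server-side, so non-blog Web sites are never returned;
    #         Where-Object runs client-side for the date comparison
    # Select, Sort, Output: shape the objects, order them, write the CSV
    Get-SPWebApplication $WebApplicationUrl |
        Get-SPSite -Limit All |
        Get-SPWeb -Limit All -Filter { $_.Template -eq "BLOG#0" } |
        Where-Object { $_.LastItemModifiedDate -lt $staleBefore } |
        Select-Object Url, Title, WebTemplate, LastItemModifiedDate |
        Sort-Object LastItemModifiedDate |
        Export-Csv -Path $OutputPath -NoTypeInformation
}

Export-StaleBlogReport -WebApplicationUrl "http://intranet.contoso.com" `
                       -OutputPath "C:\Reports\StaleBlogs.csv"
```

Because the server-side filter runs first, the client-side Where-Object only ever sees blog Web sites, which keeps both the SQL load and the memory footprint of the script small.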
Variables
As you work toward reading and writing more complex scripts, you undoubtedly begin working with variables. As you learned already, all variable names are prefixed with the dollar sign ($). To assign a variable, use this syntax:
$variable = value
To return the current value of a variable, simply type the variable name and press ENTER. For example, the following command assigns the value CONTOSO\SP_Admin to the variable $username:
$username = "CONTOSO\SP_Admin"
The following command prompts you to enter the password for the account:
$password = Read-Host "Enter the password: " -AsSecureString
Windows PowerShell cmdlets that require a password do not accept plain text. Passwords must be contained in a secure string, the contents of which cannot be displayed. Windows PowerShell also has built-in variables, including the following:
$true. Boolean true
$false. Boolean false
$error. Contains the error object of the last error
Additional Reading
Using Variables to Store Objects at http://go.microsoft.com/fwlink/?LinkID=192734&clcid=0x409
Iteration (Looping)
Sometimes, iteration is done implicitly by a cmdlet on the receiving side of the pipeline. Earlier, you learned that the Where-Object cmdlet applies a filter to all objects in the pipeline. You also saw that each object in a collection of site collection objects retrieved by Get-SPSite was processed by Get-SPWeb, resulting in a list of all Web sites in all site collections. ForEach-Object is helpful where a cmdlet does not do its own iteration. In the previous example, the Enable-SPFeature cmdlet does not do its own iteration.
Additional Reading
Repeating a Task for Multiple Objects (ForEach-Object) at http://go.microsoft.com/fwlink/?LinkID=192744&clcid=0x409
Iteration in Scripts
Examine the following script, which creates intranet sites for HR and Marketing in their own site collections and content databases:
$i = ("HR", "Marketing")
ForEach($url in $i)
{
    New-SPContentDatabase -Name WSS_Content_Intranet_$url -WebApplication http://intranet.contoso.com
    New-SPSite -Url http://intranet.contoso.com/sites/$url -ContentDatabase WSS_Content_Intranet_$url -OwnerAlias CONTOSO\SP_Admin -Template "STS#0"
}

$i = ("HR", "Marketing")
This line creates an array, a collection of multiple items. In this case, the items are string values. The array items are separated by commas. The parentheses around the items are optional, but make it easier to read.
ForEach($url in $i)
This line starts the iteration. For each item in the array variable $i, the script block that follows, enclosed in braces, is executed. The current object in the array during each iteration is assigned to the variable $url. During each iteration, $url contains the current item.
{
New-SPContentDatabase -Name WSS_Content_Intranet_$url -WebApplication http://intranet.contoso.com
The $url variable is used to create a unique content database name for each department; it is the last component of the content database name.
New-SPSite -Url http://intranet.contoso.com/sites/$url -ContentDatabase WSS_Content_Intranet_$url -OwnerAlias CONTOSO\SP_Admin -Template "STS#0"
The $url variable is used to create a unique URL for the site collection and to assign the site collection to the content database created by the previous command.
}
The right brace ends the script block. There is a blank line at the end of the script. If you are entering the script directly in the Windows PowerShell console, you must enter a blank line to begin the execution of the script.
There are two categories of SharePoint cmdlets: local and global.
Local cmdlets affect something on a single SharePoint server. For example, to start a service on a server, use the Start-SPServiceInstance cmdlet. To connect a new SharePoint server to a farm, use the Connect-SPConfigurationDatabase cmdlet. To perform a command on multiple servers in a farm (for example, to start a service on multiple servers), you need to iterate through the servers in the farm.
Global cmdlets affect the farm as a whole, generally by making changes to the SQL Server database. For example, when you set the property of a Web application using Set-SPWebApplication, the property affects all servers hosting that Web application. You do not need to touch each server. Similarly, when you create a new site collection with New-SPSite, the site collection is available to all SharePoint servers.
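As an added example that is not from the course, the loop below applies a local cmdlet (Start-SPServiceInstance) to every SharePoint server in the farm, then contrasts it with a single global call; the service name, the Web application URL and the time zone value are assumptions.

```powershell
# Added example, not from the course: a local cmdlet has to be applied server
# by server, so the script iterates through the farm itself.
# Assumption: the service to start is the Foundation Web Application service.
$serviceName = "Microsoft SharePoint Foundation Web Application"

# Servers with the Invalid role are not SharePoint servers (for example, the SQL Server)
$servers = Get-SPServer | Where-Object { $_.Role -ne "Invalid" }

ForEach ($server in $servers)
{
    # Get-SPServiceInstance -Server returns the instances on that one server only
    $instance = Get-SPServiceInstance -Server $server |
        Where-Object { $_.TypeName -eq $serviceName }

    if ($instance -eq $null)
    {
        Write-Host "$($server.Address): service not present, skipping"
    }
    elseif ($instance.Status -eq "Online")
    {
        Write-Host "$($server.Address): already online"
    }
    else
    {
        Write-Host "$($server.Address): starting $serviceName"
        Start-SPServiceInstance -Identity $instance | Out-Null
    }
}

# Global cmdlet for contrast: one call, written to the configuration database,
# effective on every server hosting the Web application. The URL and the
# time zone id (13 = Pacific) are assumed values.
Set-SPWebApplication -Identity http://intranet.contoso.com -DefaultTimeZone 13
```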
Additional Reading
Running Remote Commands at http://go.microsoft.com/fwlink/?LinkID=192745&clcid=0x409
Windows PowerShell scripts are text files saved with a .ps1 file name extension.
Some people overuse aliases, making it difficult for others to make sense of the script. This is particularly true for single- and double-character aliases such as % (ForEach-Object) and ? (Where-Object).
Executing Scripts
By default, Windows PowerShell scripts are not allowed to run. This is done to prevent malicious scripts from damaging your environment. The Windows PowerShell ExecutionPolicy determines which scripts are allowed to run. The default ExecutionPolicy is Restricted.
To Allow All Windows PowerShell Scripts to Execute
You can remove all restrictions by setting ExecutionPolicy to Unrestricted. Type Set-ExecutionPolicy Unrestricted, and then press ENTER.
There are, of course, significant security risks in doing so. However, in a test environment, you may decide that such risks are acceptable. You can also configure Windows PowerShell to allow the execution of scripts with specific characteristics, including scripts signed with a trusted digital signature. In a production environment, you should sign scripts. Code signing is beyond the scope of this course, but you can learn more in the resources listed in the Additional Reading section.
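The following is an added example, not part of the course, showing the restrictive alternative to Unrestricted: an AllSigned policy, a signature check on a script before it is trusted, and signing a script of your own. The script path and certificate location are assumptions.

```powershell
# Added example, not from the course: keep the execution policy restrictive
# and check a script's signature before trusting it. Paths are assumptions.

# Show the effective policy and the scope each value comes from
Get-ExecutionPolicy -List

# Production: only scripts with a valid signature from a trusted publisher run.
# Needs an elevated prompt, because the LocalMachine scope is stored under HKLM.
Set-ExecutionPolicy AllSigned -Scope LocalMachine

# Inspect a script's signature instead of running it to find out
$sig = Get-AuthenticodeSignature -FilePath C:\Scripts\Build-Farm.ps1
$sig | Format-List Status, StatusMessage, @{Name="Signer"; Expression={ $_.SignerCertificate.Subject }}
# Status values to act on:
#   Valid         signed by a trusted publisher and unchanged since signing
#   NotSigned     blocked under AllSigned (and under RemoteSigned if downloaded)
#   HashMismatch  contents changed after signing: do not run it
#   UnknownError  the signer's certificate chain is not trusted on this machine

# Sign your own scripts with a code-signing certificate from the user's store
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
Set-AuthenticodeSignature -FilePath C:\Scripts\Build-Farm.ps1 -Certificate $cert
```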
Additional Reading
Running Windows PowerShell Scripts at http://go.microsoft.com/fwlink/?LinkID=192746&clcid=0x409
Stop Malicious Code in Windows PowerShell with Execution Policies at http://go.microsoft.com/fwlink/?LinkID=192747&clcid=0x409
Using Windows PowerShell to Sign Scripts with Digital Certificates at http://go.microsoft.com/fwlink/?LinkID=192748&clcid=0x409
You are responsible for ensuring that the SharePoint farm can be built consistently in both lab and production environments, and that the farm can be rebuilt in the event of a catastrophic failure. Additionally, you are required to produce weekly reports showing the webs and storage utilization of each site collection in the production farm. To meet these goals, you must build Windows PowerShell scripts that can automate SharePoint management tasks.
Microsoft.SharePoint.dll is not in the list. To use the SharePoint object model, you must load the SharePoint .dll files. Type the following command and then press ENTER:
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
The output displays GAC, version, and location information for the assembly. Repeat the third bullet point in this task to display the loaded assemblies. Tip: You can press the UP key to scroll through previously executed commands. The listing includes the Microsoft.SharePoint.dll.
The output lists the snap-ins that have been added to the current session. The SharePoint snap-in is not listed. Type the following command and then press ENTER:
Get-PSSnapin -Registered
The output lists the snap-ins that are registered on the system, except for those that are installed with Windows PowerShell. Type the following command and then press ENTER:
Add-PSSnapin Microsoft.SharePoint.PowerShell
The output lists the snap-ins that have been added to the current session. The SharePoint snap-in is now added.
To identify the assemblies that are currently loaded, type the following command and then press ENTER:
[AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object { Split-Path $_.Location -Leaf } | Sort
The listing includes numerous SharePoint assemblies. Rather than loading each assembly one by one, use the Add-PSSnapin cmdlet to load them all at once. Close Windows PowerShell.
The output lists the snap-ins that have been added to the current session. The SharePoint snap-in is already added to the session. To identify the assemblies that are currently loaded, type the following command and press ENTER:
[AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object { Split-Path $_.Location -Leaf } | Sort
The listing demonstrates that SharePoint 2010 Management Shell preloads the SharePoint .dll files. Results: After this exercise, you will have learned how to run Windows PowerShell with the ability to administer SharePoint.
To enumerate all of the webs in the site collection, type the following command and press ENTER:
$spsite | Get-SPWeb
An error appears indicating that login failed. The SP_Admin user account does not have the permissions required to access the information about the intranet site collection with Windows PowerShell.
Task 2: Configure least privilege rights to manage SharePoint with Windows PowerShell.
Start SharePoint 2010 Management Shell using the Run as different user option. Enter the user name, CONTOSO\Administrator, and the password, Pa$$w0rd. Type the following commands each followed by ENTER:
$spcdb = Get-SPContentDatabase WSS_Content_Intranet
Add-SPShellAdmin -UserName CONTOSO\SP_Admin -Database $spcdb
Close Administrator SharePoint 2010 Management Shell. Results: After this exercise, you will have delegated SP_Admin the ability to manage SharePoint with Windows PowerShell.
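Delegations made with Add-SPShellAdmin should be reviewed periodically. The following added example (not part of the lab) lists who holds SPShellAdmin access at farm level and per content database, and shows the matching revocation; the output path and the revoked account name are constructed values.

```powershell
# Added example, not part of the lab: audit which accounts hold SPShellAdmin
# (the SharePoint_Shell_Access database role) on the farm and on each content
# database, so delegated PowerShell access can be reviewed in the weekly report.
# The output path and the account being revoked are constructed values.

function Get-ShellAdminReport
{
    # Farm-level shell admins (configuration database): Get-SPShellAdmin without -database
    ForEach ($admin in Get-SPShellAdmin)
    {
        New-Object PSObject -Property @{ Scope = "Farm (configuration database)"; UserName = $admin.UserName }
    }
    # Per content database, as delegated with Add-SPShellAdmin -database
    ForEach ($db in Get-SPContentDatabase)
    {
        ForEach ($admin in Get-SPShellAdmin -Database $db)
        {
            New-Object PSObject -Property @{ Scope = $db.Name; UserName = $admin.UserName }
        }
    }
}

Get-ShellAdminReport |
    Select-Object Scope, UserName |
    Sort-Object Scope, UserName |
    Export-Csv -Path C:\Reports\ShellAdmins.csv -NoTypeInformation

# Least privilege works in both directions: remove delegations that are no longer needed.
# CONTOSO\FormerAdmin is a constructed account name.
$spcdb = Get-SPContentDatabase WSS_Content_Intranet
Remove-SPShellAdmin -UserName CONTOSO\FormerAdmin -Database $spcdb -Confirm:$false
```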
The listing displays various properties of each site collection. Type the following command and then press ENTER:
Get-SPSite | Select URL, @{Name="Storage"; Expression={"{0:N2} MB" -f ($_.Usage.Storage/1000000)}}, @{Name="Quota"; Expression={"{0:N2} MB" -f ($_.Quota.StorageMaximumLevel/1000000)} } | Out-GridView -Title "Sites with Usage"
An error indicates that the Windows PowerShell Integrated Scripting Environment feature is not installed.
An error indicates that you must run the command with elevated permissions. Start Windows PowerShell using the Run as administrator option. Type the following two commands each followed by ENTER:
Import-Module ServerManager
Add-WindowsFeature PowerShell-ISE
An error indicates that the Windows PowerShell Integrated Scripting Environment feature is not installed. This occurs because you must close and reopen SharePoint 2010 Management Shell to load the component. Close SharePoint 2010 Management Shell. Open SharePoint 2010 Management Shell. Type the following command and then press ENTER, which is the same as the command you executed in the beginning of this task:
Get-SPSite | Select URL, @{Name="Storage"; Expression={"{0:N2} MB" -f ($_.Usage.Storage/1000000)}}, @{Name="Quota"; Expression={"{0:N2} MB" -f ($_.Quota.StorageMaximumLevel/1000000)} } | Out-GridView -Title "Sites with Usage"
A Grid-View window appears displaying the output of the command. Close the Sites With Usage window. Results: After this exercise, you will have used Windows PowerShell to produce reports of your SharePoint environment.
A site collection and top-level web for the Sales department is created using the Team Site site definition. Open the Sales site with Windows Internet Explorer.
To enumerate all of the site collections in the farm, except Central Administration, type the following command and then press ENTER:
Get-SPSite
The output lists the new site collections. Results: After this exercise, you will have used Windows PowerShell cmdlets and scripts to create new content databases, site collections, and sites.
The list item will be updated. Notice that you did not use a cmdlet to update a list item. There are things that will require direct access to the object model and, as such, you need to be careful to dispose of objects you create. Switch to Internet Explorer and then refresh the Announcements list, and then observe that the title of the list item has been updated. Close all Internet Explorer and Windows PowerShell windows. Results: After this exercise, you will have updated a list item using a Windows PowerShell script.
Review Questions
1. What are the advantages of using Windows PowerShell to manage SharePoint?
2. In what scenarios would it be preferable to use Stsadm instead of Windows PowerShell cmdlets to manage SharePoint?
3. By default, who can use Windows PowerShell to manage SharePoint?
Module 4
Configuring Content Management
Contents:
Lesson 1: Optimizing Content Storage and Access 4-3
Lab A: Configuring List Throttling and Remote BLOB Storage 4-23
Lesson 2: Managing Site Content Types and Site Columns 4-30
Lesson 3: Configuring the Managed Metadata Service 4-40
Lab B: Configuring Managed Metadata 4-72
Module Overview
As you learned in Module 1, Introducing SharePoint 2010, one of the six capabilities of Microsoft SharePoint 2010 is content. After you have built your SharePoint farm and the logical components of SharePoint (Web applications, site collections, sites, lists, and libraries), your users will begin to populate SharePoint with content. Although many content management features of SharePoint 2010 are considered end-user features, and are therefore out of scope for this course, several features warrant coverage because they require configuration by farm, service application, and site collection administrators: list throttling, remote binary large object (BLOB) storage (RBS), site content types and columns, and managed metadata service applications.
Objectives
After completing this module, you will be able to:
Configure SharePoint and SQL Server to ensure optimal content access deployment.
Create content types and site columns to describe your content.
Set up the managed metadata service application to tag and classify content.
Lesson 1
In this lesson, you explore the administrative tasks related to lists and libraries, the two most important containers for content in sites. You then learn about two important new features of SharePoint Server 2010 with which you can better manage and govern both the performance and storage of SharePoint content: list throttling and RBS.
After completing this lesson, you will be able to:
Describe the content structure in a site collection.
Configure and optimize the performance of large lists.
Configure and manage storage of document libraries.
In Module 2, Creating a SharePoint 2010 Intranet, you examined a diagram of the logical hierarchy of SharePoint. A piece of that diagram, shown in the slide, illustrates the hierarchical structure of content-related objects in a SharePoint farm:
In a site collection, content is collected into lists and document libraries, also called, simply, libraries.
Lists are collections of items, which can optionally be grouped in folders.
Libraries are a specialized form of list designed to hold files, called documents, which can also be grouped in folders.
2. When creating the list or library, configure the Name field to be the URL. When you create a list or library in the user interface, you are prompted to enter a value for the Name. Unfortunately, the value you enter in the Name box is used to create both the Title and the URL of the list or library. If you use bad practices (for example, if you include a space in the Name), the space becomes part of the URL. The URL is somewhat challenging to change after it has been created: you must use Windows PowerShell or SharePoint Designer to change it. The name can easily be changed. Therefore, follow these steps when creating a list or library:
   1. Configure the Name so that the result is a URL that follows the rules discussed previously.
   2. Do not add the list or library to the Quick Launch when creating the list or library.
3. After creating the list or library, change the Title. Immediately after creating the list or library, navigate to the List Settings or Library Settings page and click Title, Description And Navigation. Enter a value for the Name. In this interface, the name is used only for the list or library Title property, not for the URL. Therefore, you can use any name, including a long name with spaces, and thereby configure navigation controls such as the Quick Launch and navigation breadcrumb to display a more descriptive, viewer-friendly name.
4. Configure list and library settings. When you create a list or library, you should consider the following:
   Enforce check-out. For document libraries, it is highly recommended to enforce check-out if users have the ability to modify documents in the library. Click the Versioning link on the Library Settings page.
   Consider versioning and approval. Consider implementing versioning and approval based on the business requirements for the list or library. Click the Versioning link on the Library Settings page.
   Add columns. To modify the metadata of a list or library, add list columns. First, check to see whether an existing site column meets your needs and, if so, add the site column to the list. Otherwise, create a new column.
The configuration elements of the properties are the following:
Action: The Update action creates a Favorite if one does not exist and updates the Favorite if it has changed.
Name: The Name is the user-friendly name of the Favorite, as it will appear in the user's Favorites folder. Using the foldername\Favorites Name format creates a folder in the Favorites folder. In the preceding figure, a folder named SharePoint Sites is created or updated with a Favorite called Consulting Special Projects.
Target Type: This is URL.
Location: Explorer Favorites.
Target URL: The URL for the SharePoint content.
Additional Reading
Deploying Shortcuts and Favorites to SharePoint Sites at http://go.microsoft.com/fwlink/?LinkID=197205&clcid=0x409
Deploy Network Locations for Quick Access to SharePoint Sites Using Windows Explorer
Users don't always access SharePoint libraries by using Internet Explorer. They also navigate to libraries when opening and saving documents from Microsoft Office client applications and other SharePoint-aware applications. You should make it easier for users to navigate to commonly used libraries when they are using Windows Explorer interfaces, including Open and Save dialogs. The Windows Vista operating system and later clients provide such functionality using network locations. A network location is a node in the Windows Explorer interface that behaves like a mapped drive but that has a name rather than a drive letter. To create a network location, complete the following steps:
1. Open the Computer folder.
2. Right-click in a blank area of the window, and then click Add a Network Location.
3. Complete the wizard by providing a path to the library and a user-friendly name for the network location.
After you create a network location, you can navigate to the library from the Computer folder. The network location appears in the Network Locations folder. In the Open and Save dialogs, click Computer in the Favorite Links bar. It is easy to deploy network locations to users as long as you know that a network location is a collection of objects in a folder in the following path: %appdata%\Microsoft\Windows\Network Shortcuts, for example, c:\users\username\AppData\Roaming\Microsoft\Windows\Network Shortcuts. You can copy network locations that you have created to a shared folder on the network, and then copy the network locations to the Network Shortcuts folders of other users' profiles. You can use Robocopy.exe in a logon script, for example, to update users' Network Shortcuts folders. The Windows XP operating system provides identical functionality using network places. Network places are created in the Network Places folder, instead of the Computer folder. They are stored in %userprofile%\NetHood. You can copy network places created on one Windows XP system into the NetHood folder of other Windows XP user profiles. Unfortunately, you cannot copy Windows XP network places to a client running Windows Vista or a later operating system, and you cannot copy network locations from those clients to a Windows XP client.
SharePoint 2010 lists expose important functionality that was not available in previous versions of SharePoint:
Large lists. SharePoint 2010 lists are supported for up to 50 million items. This is possible because of performance enhancements and new features such as multicolumn lists.
Multicolumn indexes. You can create an index that contains more than one column.
List relationships. SharePoint 2010 lists support relationships. Related lists can enforce referential integrity, both cascade delete and prevent delete. For example, if you have a list of customers that is related to a list of orders, you can configure SharePoint so that you cannot delete a customer for whom orders exist (prevent delete) or so that when you delete a customer, related orders are deleted (cascade delete). Related lists also support projected fields. These are fields from the parent list that can be shown on the child list. For example, an order item that is related to a customer item can display the customer's name, address, email address, and telephone number.
Data validation. You can perform simple data validation in an out-of-the-box SharePoint list. A list column can have data validation, which ensures that a column's value meets specified rules. A list can also have unique columns, which ensure that no two items have the same value in the column. For example, you can set the email address column of a contacts list to be unique so that no two contacts are created with identical email addresses.
Document sets. A Document set is a collection of documents with its own metadata and versions. With Document sets, you can manage an entire collection of documents, worksheets, presentations, or other types of document content as an entire end-to-end work product. Metadata is applied to each document in a Document set, and additional metadata is applied to the Document set as a whole. For documents inside of a Document set, administrators can select columns that they want marked as read-only. The property can be edited only on the Document set. Any changes to the columns that are marked as read-only are applied to all of the documents inside.
A Document set includes a Welcome page that acts as a customizable home page for the Document set, displaying the properties of the Document set. Document sets support templates and versioning. You can create templates in Microsoft Visual Studio 2010. Versioning makes it possible to capture the state of the Document set at different points in its life cycle, view its history, and restore previous versions of the Document set.
Content organizer. The content organizer uses an advanced routing engine and administrator-defined routing rules to route documents from a drop library to a specific location, based on document metadata, and can apply metadata automatically to a document based on its location.
Digital asset management. SharePoint lists now provide capabilities for managing audio, video, and image content types.
Document IDs. The Document ID service is a new feature at the site-collection level that adds a unique identifier (ID) to all documents throughout the site collection. This feature enables retrieval of documents by document ID regardless of their current or future location.
Location-based metadata defaults. Library administrators can specify different default column values for each folder in a document library.
Metadata navigation and filtering. Metadata navigation creates a folder hierarchy based on metadata. Each folder is effectively a filter. This provides a dynamic and effective way for users to discover documents. Filtering produces a multiselect list of filters based on metadata values that allow users to filter a view further.
Additional Reading
What's New: List Enhancements at http://go.microsoft.com/fwlink/?LinkID=197206&clcid=0x409
Large Lists
SharePoint 2010 can handle tens of millions of items in a list or library. However, operations involving large numbers of items can reduce performance, limit access to data, and cause timeouts. Examples of such operations include the following:
Query with no item limit
Query with a filter or sort on a column that is not indexed
Deleting large lists or sites with large lists
Adding a column to a large list
SharePoint 2010 introduces large list throttling, which protects a SharePoint farm and users accessing the farm from the effects of large operations by other users.
List throttling is configured separately for what is done in the user interface versus what is done using the object model. List throttling is applied differently depending on whether the user is a typical user or a super user.
The most commonly configured settings are as follows:
List View Threshold. This value configures the maximum number of items that can be queried by standard users. The default is 5,000 items. It is strongly recommended that you do not change this default. If poor-performing queries are used on lists with more than 5,000 items, overall throughput may significantly decrease when you raise this limit.
Object Model Override. You can apply a second level of throttling to super users. The override allows a super user to retrieve a larger number of items. To configure super user override, you must configure both of the following:
List View Threshold For Auditors And Administrators. This value configures the maximum number of items that can be queried by super users. The default is 20,000 items.
Object Model Override. This option specifies that the list view threshold for auditors and administrators is in effect.
Super user override does not allow large list views; access must be through the object model. Developers can set the QueryThrottleMode property of SPQuery and SPSiteDataQuery objects to retrieve up to the number of items specified in the list view threshold for auditors and administrators.
Daily Time Window For Large Queries. You can specify a period of time during which large queries can be executed. You should ensure that the time window is configured to minimize the risk of affecting users, based on your usage patterns.
If the user is a member of the Administrators group on the Web front end (WFE) with Read permissions, all items are returned. If the EnableThrottling property of the SPList object is set to false, all items are returned. You can do this using the object model, including by using Windows PowerShell. Doing so allows you to set list throttling settings for a Web application, and then exempt specific large lists and libraries from throttling.
Several other list throttling settings are available on the Resource Throttling page.
Warning level for administrators. This value configures the warning level shown on the List Settings page. The default value is 3,000. You can configure the warning level by using Windows PowerShell, as in the following example:
$sitecol = Get-SPSite http://intranet.contoso.com/sites/IT
$sitecol.WebApplication.MaxItemsPerThrottledOperationWarningLevel = 2500
# Persist the change to the configuration database
$sitecol.WebApplication.Update()
List View Lookup Threshold. This value, 6 by default, specifies the number of Lookup, Person/Group, or Workflow Status fields that a database query can involve at one time.
List Unique Permissions. If a list contains too many unique permissions, the system can experience performance degradation. The default value for this setting is 50,000. As the number of unique permissions in a list increases, performance degrades. Reconsider any design in which all or most content in a large list must be uniquely secured. The throughput difference for operations on a list between 0 and 1,000 unique permissions is around 20 percent. There is a configurable default of 50,000 unique permissions per list; however, Microsoft recommends that you consider lowering this limit to 5,000, and for large lists consider using a design that uses as few unique permissions as possible. This aids not only performance but also manageability.
If you are upgrading to SharePoint 2010, and you have a list in SharePoint 2007 that has a default view with a number of items greater than 5,000, after upgrade the large list will not be available until a new default view is created that returns a number of items lower than the threshold. Another upgrade consideration is related to code that returns large numbers of items. Developers should update their code to account for list throttling. The EnableThrottling property on the list and the RequestThrottleOverride on the query must be specified. Developers can find more information about list throttling on MSDN.
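As an added example that is not from the course, the script below reports the Web application properties behind the Resource Throttling settings described in this topic, then exempts a single large list through EnableThrottling instead of raising the Web-application-wide threshold; the site URL and list title are assumptions.

```powershell
# Added example, not from the course: report the list throttling settings of
# every Web application, then exempt one known large list rather than raising
# the Web-application-wide List View Threshold. Site URL and list title are assumptions.

# SPWebApplication properties behind the Resource Throttling page
$throttleProps = @(
    "MaxItemsPerThrottledOperation",                  # List View Threshold (default 5,000)
    "MaxItemsPerThrottledOperationOverride",          # List View Threshold For Auditors And Administrators (20,000)
    "AllowOMCodeOverrideThrottleSettings",            # Object Model Override
    "MaxItemsPerThrottledOperationWarningLevel",      # warning level for administrators (3,000)
    "MaxQueryLookupFields",                           # List View Lookup Threshold (6)
    "MaxUniquePermScopesPerList",                     # List Unique Permissions (50,000)
    "UnthrottledPrivilegedOperationWindowEnabled",    # Daily Time Window For Large Queries
    "DailyStartUnthrottledPrivilegedOperationsHour",
    "DailyUnthrottledPrivilegedOperationsDuration"
)
Get-SPWebApplication | Select-Object (@("DisplayName") + $throttleProps) | Format-List

# Exempt a single list. EnableThrottling can only be set by a farm administrator,
# and an SPWeb obtained outside a pipeline is not disposed for you, so dispose it explicitly.
$web = Get-SPWeb http://intranet.contoso.com/sites/IT
try
{
    $list = $web.Lists["Asset Inventory"]
    if ($list -eq $null) { throw "List 'Asset Inventory' not found in $($web.Url)" }
    $list.EnableThrottling = $false
    $list.Update()
    "{0}: {1} items, EnableThrottling = {2}" -f $list.Title, $list.ItemCount, $list.EnableThrottling
}
finally
{
    $web.Dispose()
}
```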
Additional Reading
Designing Large Lists and Maximizing List Performance at http://go.microsoft.com/fwlink/?LinkID=197207&clcid=0x409
Binary large objects (BLOBs) are used to store large binary data such as documents and media. By default, BLOBs are stored in the Microsoft SQL Server content database. With Remote BLOB Storage, you can move storage of BLOBs to a different data store.
BLOBs
BLOBs are fields that contain binary data. Following are examples of BLOBs:
Unstructured data with no schema, such as encrypted data
Large amounts of binary data with simple schema, such as a document or digital asset
SQL Server stores BLOB data in databases by default. But as BLOB data expands, it consumes server storage. Additionally, BLOBs use server resources, for example, cache, that are optimized for database access patterns, not for storing large files. Therefore, performance can be degraded.
RBS is a library application programming interface (API) that is integrated into SQL Server 2008. RBS works on a provider model. An RBS provider connects SQL Server and the RBS APIs to the BLOB store. RBS ships with the RBS FILESTREAM provider. Therefore, you can immediately start to use the RBS FILESTREAM provider to move BLOBs from the database to a folder on a local NTFS volume.
Local hard disks only. SharePoint does not support RBS remote storage, such as network attached storage (NAS).
Content databases only. Other databases cannot use RBS.
No encryption. BLOBs are not encrypted by the RBS FILESTREAM provider, although you can use the Encrypting File System (EFS).
SQL Server versions. SharePoint 2010 supports RBS on SQL Server 2008 with Service Pack 1 (SP1) and Cumulative Update 2 or SQL Server 2008 R2.
RBS version. You must use the version of RBS that is included with the SQL Server Remote BLOB Store installation package from the Feature Pack for Microsoft SQL Server 2008 R2.
SharePoint also supports third-party RBS providers. You can add features such as storage on remote hard disks and encryption by implementing a third-party RBS provider. For full details of a provider's functionality, contact the provider's manufacturer before purchasing and installing their provider.
Additional Reading
Overview of RBS (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197208&clcid=0x409
FILESTREAM Storage in SQL Server 2008 at http://go.microsoft.com/fwlink/?LinkID=197209&clcid=0x409
Configuring RBS for SharePoint 2010 is a multistep process. In this topic, each step is detailed. To perform these procedures, you must log in with an account with the following characteristics:
The account must be a member of the Administrators group on the Web servers and application servers.
The account must be a member of the Farm Administrators group for the SharePoint Server 2010 farm.
The account must hold the dbcreator and securityadmin fixed server roles on the computer running SQL Server.
Enable FILESTREAM
First, you must enable FILESTREAM by using SQL Server Configuration Manager.
1. Start SQL Server Configuration Manager.
2. Click SQL Server Services.
3. Right-click SQL Server (MSSQLServer), and then click Properties.
4. Click the FILESTREAM tab.
5. Select the Enable FILESTREAM for Transact-SQL access check box.
6. Select the Enable FILESTREAM for file I/O streaming access check box.
7. Select the Allow remote clients to have streaming access to FILESTREAM data check box.
8. Click OK.
Alternately, you can execute the following query to set the FILESTREAM access level:
EXEC sp_configure 'filestream_access_level', 2
RECONFIGURE
Additional Reading
How to: Enable FILESTREAM at http://go.microsoft.com/fwlink/?LinkID=166110&clcid=0x409
Where:
ContentDBName is the name of the content database for which Remote BLOB Store will be provisioned.
EncryptionKeyPassword is a password used to generate an encryption key. It should be a unique, complex passphrase.
4. Click the Execute button in the toolbar.
5. Click the New Query button on the toolbar. The Query Editor opens a new query in the details pane.
4-17
6.
To enable a new filegroup for your RBS provider, type the following query into the Query Editor:
use [ContentDBName] if not exists (select groupname from sysfilegroups where groupname=N'RBSFilestreamProvider')alter database [ContentDBName] add filegroup RBSFilestreamProvider contains filestream
Where: 7. 8. ContentDBName is the name of the content database for which Remote BLOB Store will be provisioned.
Click the Execute button in the toolbar. Click the New Query button on the toolbar. The Query Editor opens a new query in the details pane.
9.
To add a file system mapping for your RBS provider, type the following query into the Query Editor:
use [ContentDBName] alter database [ContentDBName] add file (name = RBSFilestreamFile, filename = 'BlobStorePath') to filegroup RBSFilestreamProvider
Where: ContentDBName is the name of the content database for which Remote BLOB Store will be provisioned. BlobStorePath is the path to the BLOB store folder you want to create, for example, D:\Blobstore. For best performance, simplified troubleshooting, and as a general best practice, you should create the BLOB store on a volume that does not contain the operating system, paging files, database data, log files, or the Tempdb file.
10. Click the Execute button on the toolbar. Repeat the procedure for each content database for which RBS should be provisioned.
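The filegroup and file-mapping steps above, together with the FILESTREAM access-level check from the sp_configure query, as one scripted example. This is an added example, not course-provided code: it assumes Invoke-Sqlcmd is available (Import-Module SQLPS, or Add-PSSnapin SqlServerCmdletSnapin100 on SQL Server 2008 R2), and the instance name, database name and BLOB store path are constructed placeholders. It also checks the two conditions a practitioner usually trips over: the BLOB store folder must not exist yet (SQL Server creates it, so only its parent must exist), and it should not sit on the operating system volume.

```powershell
# Added example (not course-provided code): provisions the RBS FILESTREAM filegroup and
# file for one content database (steps 6 and 9 above) and verifies the result.
# Assumes Invoke-Sqlcmd is available and that the caller holds the dbcreator and
# securityadmin roles named in the text. Instance, database and path values are
# constructed placeholders; replace them with your own.
$DBInstance    = 'SQL01'                      # <DBInstanceName>
$ContentDBName = 'WSS_Content_Intranet_IT'    # <ContentDBName>
$BlobStorePath = 'D:\Blobstore'               # <BlobStorePath>

function Get-FilestreamAccessLevel {
    # 0 = disabled, 1 = Transact-SQL access only, 2 = Transact-SQL plus file I/O
    # streaming access, which is the level the sp_configure step above sets.
    $row = Invoke-Sqlcmd -ServerInstance $DBInstance -Query @"
SELECT CAST(value_in_use AS int) AS AccessLevel
FROM sys.configurations WHERE name = N'filestream access level';
"@
    return [int]$row.AccessLevel
}

function Test-BlobStorePath {
    # SQL Server creates the final folder itself: its parent must exist and the folder
    # must not. The text also recommends a volume separate from the OS, page file,
    # data, log and tempdb files; the OS-volume part of that is checked here.
    $parent = Split-Path -Parent $BlobStorePath
    if (-not (Test-Path -LiteralPath $parent)) { throw "Parent folder $parent does not exist." }
    if (Test-Path -LiteralPath $BlobStorePath)  { throw "$BlobStorePath already exists; SQL Server must create it." }
    $systemRoot = [System.IO.Path]::GetPathRoot($env:SystemRoot)
    if ([System.IO.Path]::GetPathRoot($BlobStorePath) -ieq $systemRoot) {
        Write-Warning "BLOB store $BlobStorePath is on the operating system volume."
    }
}

function Add-RbsFilestreamStorage {
    # Both statements are guarded so the script can be re-run without error.
    $query = @"
USE [$ContentDBName];
IF NOT EXISTS (SELECT name FROM sys.filegroups WHERE name = N'RBSFilestreamProvider')
    ALTER DATABASE [$ContentDBName] ADD FILEGROUP RBSFilestreamProvider CONTAINS FILESTREAM;
IF NOT EXISTS (SELECT name FROM sys.database_files WHERE name = N'RBSFilestreamFile')
    ALTER DATABASE [$ContentDBName]
        ADD FILE (NAME = RBSFilestreamFile, FILENAME = N'$BlobStorePath')
        TO FILEGROUP RBSFilestreamProvider;
"@
    Invoke-Sqlcmd -ServerInstance $DBInstance -Query $query
}

function Get-RbsFilestreamStatus {
    # Lists FILESTREAM filegroups (type FD) and the files mapped to them.
    Invoke-Sqlcmd -ServerInstance $DBInstance -Database $ContentDBName -Query @"
SELECT fg.name AS FileGroupName, df.name AS LogicalName, df.physical_name, df.type_desc
FROM sys.filegroups AS fg
JOIN sys.database_files AS df ON df.data_space_id = fg.data_space_id
WHERE fg.type = 'FD';
"@
}

if ((Get-FilestreamAccessLevel) -lt 2) {
    throw 'FILESTREAM access level is below 2; enable FILESTREAM first (Configuration Manager or sp_configure).'
}
Test-BlobStorePath
Add-RbsFilestreamStorage
Get-RbsFilestreamStatus | Format-Table -AutoSize
```

Run the script once per content database, changing the three placeholder values each time; the final query should return one row whose type_desc is FILESTREAM and whose physical_name is the BLOB store path.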
Where:
InstallLogFile is the name and optional path of a log file that will be generated by the installation, for example, rbs_install_log.txt.
ContentDBName is the name of the content database for which Remote BLOB Store has been provisioned.
DBInstanceName is the server and instance name of SQL Server.
Installation takes a few minutes. You can monitor installation by using Task Manager. You can also monitor the log file for the text Installation completed successfully. For example, use the following command:
type rbs_install_log.txt | find "successfully" /i
Install RBS on Other Servers in the Farm
After installing the first SharePoint front-end server, continue with all other servers in the farm. Use the following command to install RBS on the additional servers:
msiexec /qn /lvx* <InstallLogFile> /i RBS.msi DBNAME="<ContentDbName>" DBINSTANCE="<DBInstanceName>" ADDLOCAL="Client,Docs,Maintainer,ServerScript,FilestreamClient,FilestreamServer"
Where:
ContentDBName is the name of the content database for which Remote BLOB Store has been provisioned.
DBInstanceName is the server and instance name of SQL Server.
Where: ContentDBName is the name of the content database for which Remote BLOB Store has been provisioned.
Where: ContentDBName is the name of the content database for which Remote BLOB Store has been provisioned.
Additional Reading
Install and configure RBS (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197210&clcid=0x409
Set a content database to use Remote Blob Storage (RBS) (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197211&clcid=0x409
Migrate content into or out of Remote BLOB Storage (RBS) (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197212&clcid=0x409
BLOB objects stored with the FILESTREAM provider are stored on the file system with globally unique identifier (GUID)-based names that provide a unique link from the RBS tables. BLOB content is not encrypted. Transparent Data Encryption (TDE), which can encrypt the content of BLOBs in SQL Server, is not applied to the FILESTREAM provider. However, you can use NTFS Encrypting File System (EFS): configure the Blobstore folder to be encrypted after the folder has been created by SQL Server. NTFS EFS is transparent to components accessing the NTFS file system.
If you are using RBS, it is important that you consider how you will back up and restore the BLOB store. If you use the SharePoint built-in tools for backup, RBS BLOB stores are included in the backup. You can even restore such a backup to a computer running SQL Server without RBS; the BLOBs will be restored into the database itself. The SQL Server backup command does not necessarily back up BLOBs in RBS for all providers. However, the procedure for properly backing up both a database and the BLOB store is straightforward: first back up the database, and then back up the file store. To perform a restore, first restore the file store, and then restore the database.
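The two points above (the BLOB store is plain NTFS data that TDE does not cover, and database-then-file-store backup order) as a scripted example. This is an added example, not course-provided code; it assumes Invoke-Sqlcmd is available, and the instance, database and path values are constructed placeholders.

```powershell
# Added example (not course-provided code): reports the encryption posture of an RBS
# FILESTREAM BLOB store and performs the backup order given above (database first,
# then the file store). Assumes Invoke-Sqlcmd; instance, database and paths are
# constructed placeholders.
$DBInstance    = 'SQL01'
$ContentDBName = 'WSS_Content_Intranet_IT'
$BlobStorePath = 'D:\Blobstore'
$BackupRoot    = 'E:\Backups'

function Test-BlobStoreEfsEncrypted {
    # EFS marks an encrypted folder with the Encrypted attribute; files SQL Server
    # creates in it afterwards inherit the setting. The EFS certificate used must be
    # one the SQL Server service account holds, because that account reads the files.
    $attrs = (Get-Item -LiteralPath $BlobStorePath).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

function Test-TdeEnabled {
    # encryption_state 3 = encrypted. Even when true, TDE covers the data and log
    # files and the backups, not the FILESTREAM files on disk (the point made above).
    $row = Invoke-Sqlcmd -ServerInstance $DBInstance -Query @"
SELECT COUNT(*) AS Cnt FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID(N'$ContentDBName') AND encryption_state = 3;
"@
    return ([int]$row.Cnt -gt 0)
}

function Backup-RbsContentDatabase {
    # Order matters: back up the database, then the file store. A restore reverses it:
    # file store first, then the database.
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $bak   = Join-Path $BackupRoot ('{0}_{1}.bak' -f $ContentDBName, $stamp)
    Invoke-Sqlcmd -ServerInstance $DBInstance -QueryTimeout 3600 -Query `
        "BACKUP DATABASE [$ContentDBName] TO DISK = N'$bak' WITH INIT, CHECKSUM;"
    $blobBackup = Join-Path $BackupRoot "Blobstore_$stamp"
    # /E copies subfolders, /COPY:DAT keeps data, attributes and timestamps.
    # Add /EFSRAW to copy EFS-encrypted files in their encrypted form.
    & robocopy.exe $BlobStorePath $blobBackup /E /COPY:DAT /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    return @{ DatabaseBackup = $bak; BlobStoreBackup = $blobBackup }
}

"BLOB store EFS-encrypted: $(Test-BlobStoreEfsEncrypted)"
"Database TDE-encrypted:   $(Test-TdeEnabled)"
Backup-RbsContentDatabase
```

robocopy exit codes below 8 are informational (files copied, extras skipped), so only 8 and above are treated as failure. The EFS check only tells you the folder attribute is set; whether SQL Server can still open the files depends on which account's certificate was used to encrypt them.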
When you use RBS with SharePoint Server 2010 SP1 or later, you can use shallow copy when you move a SharePoint site collection from one content database to another.
Where:
<SiteUrl> is the URL of the site collection to be moved.
<DatabaseName> is the name of the content database to move the site collection to.
<SourceProvider> is the name of the RBS provider in the source database.
<TargetProvider> is the name of the RBS provider in the destination database.
Scenario
You have just installed a new SharePoint 2010 server farm at Contoso, Ltd. Your previous SharePoint 2007 environment included some very large lists that performed poorly for end users and large document libraries that increased the size of content databases and therefore the time required to perform backup and restore operations. Your revised governance policy for SharePoint 2010 requires that large lists have controls to manage performance and that the size of content databases be more carefully managed. To support these requirements, you have been tasked with implementing list throttling and Remote BLOB Storage.
$web.Dispose()
$site.Dispose()
You can watch the progress of the script by refreshing the Computer Inventory list page in the IT Web.
Switch back to the Computer Inventory list.
In the Computer Inventory list, point at the Title column header, and then click the drop-down arrow that appears. Verify that the Show Filter Choices command is now available.
In Central Administration, change the resource throttling settings for the SharePoint - intranet.contoso.com80 Web application. Configure the List View Threshold to 7000, with a daily time window for large queries from 11pm to 4am.
Open the List Settings of the Computer Inventory list, and then observe the List view threshold. Verify that the new list threshold of 7,000 items has been applied.
Results: After this exercise, you should have modified list throttling settings for a site collection.
Add a filegroup for the RBS provider by executing the following query:
if not exists (select groupname from sysfilegroups where groupname=N'RBSFilestreamProvider')
alter database [WSS_Content_Intranet_IT] add filegroup RBSFilestreamProvider contains filestream
Add a file system mapping for the RBS provider by executing the following query:
alter database [WSS_Content_Intranet_IT]
add file (name = RBSFilestreamFile, filename = 'c:\Blobstore')
to filegroup RBSFilestreamProvider
Results: After this exercise, you should have enabled FILESTREAM and configured RBS on the computer running SQL Server.
In SQL Server Management Studio, refresh the view of the Object Explorer tree, and then verify that several tables exist in the WSS_Content_Intranet_IT database that have names that begin with the letters mssqlrbs.
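The same verification, covering the installation log check, the SharePoint-side RBS settings of the content database, and the mssqlrbs tables the lab asks you to look for, as one script. This is an added example, not course-provided code; it assumes the SharePoint 2010 Management Shell and Invoke-Sqlcmd are available, and the database name and log path are constructed placeholders.

```powershell
# Added example (not course-provided code): verifies the state of RBS for a content
# database after RBS.msi has been run on the farm servers. Assumes the SharePoint 2010
# Management Shell snap-in and Invoke-Sqlcmd. Names and paths are constructed placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ContentDBName  = 'WSS_Content_Intranet_IT'
$InstallLogFile = 'C:\rbs_install_log.txt'

function Test-RbsInstallLog {
    # Equivalent of the course's "type ... | find "successfully" /i", as a boolean.
    if (-not (Test-Path -LiteralPath $InstallLogFile)) { return $false }
    return [bool](Select-String -Path $InstallLogFile -Pattern 'Installation completed successfully' -Quiet)
}

function Get-RbsStatus {
    $cdb  = Get-SPContentDatabase -Identity $ContentDBName
    $rbss = $cdb.RemoteBlobStorageSettings
    # RBS.msi creates its schema in the content database as tables named mssqlrbs_*.
    $tables = @(Invoke-Sqlcmd -ServerInstance $cdb.NormalizedDataSource -Database $cdb.Name -Query `
        "SELECT name FROM sys.tables WHERE name LIKE N'mssqlrbs%' ORDER BY name;")
    New-Object PSObject -Property @{
        Database        = $cdb.Name
        ClientInstalled = $rbss.Installed()          # RBS client library present on this server
        Enabled         = $rbss.Enabled              # RBS switched on for this content database
        ActiveProvider  = $rbss.ActiveProviderName   # empty until a provider has been set active
        Providers       = ($rbss.GetProviderNames() -join ', ')
        RbsTableCount   = $tables.Count
        InstallLogOk    = Test-RbsInstallLog
    }
}

Get-RbsStatus | Format-List
```

Run it on each front-end server: ClientInstalled is per server, whereas Enabled, ActiveProvider and RbsTableCount describe the content database and should agree everywhere.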
Lesson 2
In lists and libraries, users create content. SharePoint Server 2010 offers impressive content management functionality, which begins with the ability to describe content with metadata using columns and to define content types. In this lesson, you learn how to manage site content types and such columns. Although power users can perform these tasks in certain environments, IT professionals must know how to support these tasks. Furthermore, you must have a solid understanding of columns and content types at the site level before you can take advantage of the managed metadata service, the topic of the next lesson.
After completing this lesson, you will be able to:
Describe the purpose of content types and site columns.
Configure content types.
Configure templates for document libraries.
Configure site columns.
Content Types
Content types are definitions of types of content that can be stored in lists and libraries. They are, in effect, a schema for the types of objects that can exist in a site. Content types are an important component of your information architecture (IA), which typically refers to both the content type hierarchy and taxonomy. The site's content type gallery lists available content types and exposes content type management functionality. To open the site content type gallery, complete the following steps:
1. Click Site Actions, and then click Site Settings.
2. In the Galleries section, click Site Content Types.
Content types are scoped to the site in which they are created and all subsites. You can create content types in any site. However, it is a best practice, when possible, to create content types in the top-level site of a site collection so that the content types are available to all sites in the site collection. To deploy content types across multiple site collections, you can use Visual Studio to define and package the content type as a solutions package (.wsp file). This is possible in both SharePoint 2007 and SharePoint 2010. SharePoint 2010 introduces the managed metadata service application, which publishes content types and columns from one site collection across site collections, Web applications, and farms. You learn more about the managed metadata service application in the next lesson.
There are two basic steps to make use of content types in a Web site:
1. Create a site content type.
2. Use a content type in a list or library.
These two steps are covered in detail in the next two topics.
To work with content types in a site, you first create the content type, and then associate it with a list or library.
1. Click Site Actions, click Site Settings, and then click Site Content Types.
2. Click Create.
3. Configure the following:
Name. The content type name.
Description. A description of the content type.
Parent content type. A content type is derived from (is the child of) another content type. For example, when you create a custom document content type, you typically want to make it a child of the built-in Document content type. A content type inherits its properties from its parent content type. Content types are grouped for organizational purposes. The Document content type is in the Document Content Types group.
Group. When you create a content type, you can put it in a content type group to make it easier to locate the content type. The group has no technical impact whatsoever (it is purely organizational), but it is recommended to keep custom content types that you create separate from content types that are built-in or that are created by third-party tools.
Document template. If you create a document content type, you can associate a template with the content type. On the Site Content Type Information page for the content type, click Advanced Settings. Use the Upload option to upload the appropriate template. The template can be any file format.
By default, a list contains one type of item, and a library contains one content type: Document. To use content types in a list or library, you must first enable the management of content types in the list or library.
If you have more than one content type in a list or library, you can change the order in which the content types appear on the New menu of the ribbon. Click Change New Button Order And Default Content Type. The content type that is listed first is the default content type used if a user clicks the New button. Other content types appear if a user clicks the New button's drop-down arrow. If you are using custom content types and no longer require the default Document or item content type, you can delete it. In the Content Types list, click Document. Click Delete This Content Type, and then click OK when prompted to confirm.
When you save the document to the content library, you do not overwrite the template. In the case of Microsoft Office documents, the Office client application remembers the library from which the document was created so that when you save the document, the library is the default location automatically.
Content types expose many properties, in addition to the document template property for document content types. Content types define the following:
Workflows. You can associate workflows with content types.
Document Information Panel (DIP). The DIP is a form that appears above the document in some Microsoft Office client applications, such as Microsoft Office Word. The DIP displays the properties of the document, giving users a way to read and modify properties in the client application instead of or in addition to using the SharePoint Web user interface. The DIP can be customized by using InfoPath to include business logic, access to other data sources, and rich interaction.
Information management policy settings. You can configure document and record policies including retention, auditing, bar codes, and labels.
Columns. You can define columns, also called attributes, properties, or metadata, for a content type. For example, a content type for contracts might be given a date column that specifies the expiration date of the contract.
Content types are an important component of your enterprise information architecture (IA). IA, which also includes taxonomy (the subject of the next lesson), defines how users identify, locate, and search for content. You can implement IA by classifying content based on content types, for example, being able to identify contracts versus proposals, and then being able to bubble up properties such as contract expiration dates.
Columns
As you discovered in the previous topic, columns are used to define pieces of information that can be associated with a document or list item. Synonyms for columns include fields, attributes, properties, and metadata. Columns describe content and can thus be used to organize and manage content in views, reports, and alerts. Columns can also be used as search attributes, allowing users to locate content more efficiently. A column is scoped to the site in which it is created and to all subsites. As with content types, it is recommended you create site columns at the top-level site of a site collection whenever possible so that it is available to all sites in the site collection. To deploy a column across multiple site collections, you can use Visual Studio to define and package the column as a solutions package (.wsp file). This is possible in both SharePoint 2007 and SharePoint 2010. SharePoint 2010 introduces the managed metadata service application, which publishes content types and columns from one site collection across site collections, Web apps, and farms. You learn more about the managed metadata service application in the next lesson.
Site Columns
There are two basic steps to make use of site columns in a website:
1. Create a site column.
2. Use a column in a content type, list, or library.
2. Click the content type you want to modify.
3. Click Add from existing site columns.
Content types are a hierarchy, beginning with a limited number of top-level content types such as Item. When you create a site content type, you must specify the parent. When you add the site content type to a list or library, you are actually creating a child content type, called a list content type, which is a content type scoped only to the list. A child content type initially has the same properties as its parent, but because it is an independent object, you can modify and thus override the properties that it obtained from its parent. The same applies to columns. When you add a site column to a list or library, you create a list or library column that is a child of the site column, and it inherits its initial property set from the parent. You can then modify properties of the list or library column. When you update a content type or column at the site level, you have the option to propagate updates to child content types or columns. The change you have made is then copied to child objects, overwriting whatever was the previous state of the object. This is done on a property-by-property basis, so only properties that you change at the site level are propagated to child objects.
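The site column, site content type, list content type and propagation behaviour described in this lesson, as one scripted example against the SharePoint 2010 server object model. This is an added example, not course-provided code; it assumes the SharePoint 2010 Management Shell, and the site URL, library name, column and content type names are constructed placeholders.

```powershell
# Added example (not course-provided code): creates a site column and a site content
# type that is a child of Document, attaches the content type to a library, and then
# pushes a later change from the site content type down to the list content type.
# Assumes the SharePoint 2010 Management Shell; the site URL, library and names are
# constructed placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl     = 'http://intranet.contoso.com'
$LibraryName = 'Contracts'

function New-ContractContentType {
    $site = Get-SPSite -Identity $SiteUrl
    try {
        # Created at the top-level site so that every subsite in the collection can use them.
        $web = $site.RootWeb

        # Site column: the contract expiration date used as the example in the text.
        if (-not $web.Fields.ContainsField('ContractExpiration')) {
            $internalName = $web.Fields.Add('ContractExpiration', [Microsoft.SharePoint.SPFieldType]::DateTime, $false)
            $field = $web.Fields.GetFieldByInternalName($internalName)
            $field.Group = 'Contoso Columns'     # organizational only, as for content type groups
            $field.Update()
        }
        $field = $web.Fields.GetFieldByInternalName('ContractExpiration')

        # Site content type: a child of the built-in Document content type.
        $ct = $web.ContentTypes['Contract']
        if ($ct -eq $null) {
            $parent = $web.AvailableContentTypes['Document']
            $ct = New-Object Microsoft.SharePoint.SPContentType($parent, $web.ContentTypes, 'Contract')
            $ct.Group       = 'Contoso Content Types'
            $ct.Description = 'A signed contract'
            $ct = $web.ContentTypes.Add($ct)
            $ct.FieldLinks.Add((New-Object Microsoft.SharePoint.SPFieldLink($field)))
            $ct.Update()
        }

        # Use the content type in a library: adding it creates a list content type
        # that is a child of the site content type.
        $list = $web.Lists[$LibraryName]
        $list.ContentTypesEnabled = $true
        $list.Update()
        if ($list.ContentTypes[$ct.Name] -eq $null) { [void]$list.ContentTypes.Add($ct) }

        # Change a property at the site level and propagate it to child content types.
        $ct.Description = 'A signed contract with an expiration date'
        $ct.Update($true)    # $true = push the changed properties down to list content types

        $listCt = $web.Lists[$LibraryName].ContentTypes[$ct.Name]
        New-Object PSObject -Property @{
            SiteContentTypeId = $ct.Id.ToString()
            ListContentTypeId = $listCt.Id.ToString()       # site id plus a list-specific suffix
            ListDescription   = $listCt.Description          # now matches the site-level value
            ListHasColumn     = $listCt.Fields.ContainsField('ContractExpiration')
        }
    }
    finally {
        $site.Dispose()
    }
}

New-ContractContentType | Format-List
```

The returned ListContentTypeId shows the parent-child relationship directly: it begins with the site content type's ID and carries an extra suffix for the list copy. Calling Update() without $true would change only the site content type and leave the list content type's description as it was.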
Lesson 3
In the previous lessons, you learned how to define metadata and content types at the list and site levels. In this lesson, you learn how to configure an important new service application in SharePoint Server 2010, the managed metadata service, which makes terms and content types available across site collections, Web applications, and even farms.
After completing this lesson, you will be able to:
Describe the roles of the managed metadata service.
Configure taxonomy.
Configure managed content types.
The managed metadata service is an important new feature of SharePoint Server 2010. It plays a critical role in enterprise content management because it supports the two primary components of information architecture: enterprise metadata management (taxonomy), and content type syndication. In this lesson, you learn how to use the managed metadata service to manage enterprise taxonomy, and then you learn how to syndicate content types.
the term set group. The group manager would create term sets that relate to human resources, such as job titles and pay grades in the Human Resources term set group.
First, take a look at managing and using terms, from beginning to end, at a very high level. This topic focuses on the main tasks involved with creating and using terms.
Create a Term
To create a term, complete the following steps:
1. Open the Term Store Management Tool.
2. Expand the term store.
3. Expand the term group and the term set in which you want to create the term.
4. Point at the term set or term beneath which you want to create the term, and then click the drop-down arrow that appears.
5. Click Create Term.
6. Type the term, and then press ENTER.
Pick Terms
After adding a managed metadata column to a list, library, or content type, users can apply terms from the term set as values for the column. The new and edit forms of an item or document display the managed metadata control for a managed metadata column, and the user interacts with this control to enter the column's value. With the managed metadata control, the user can either type a value or select a value by hierarchically navigating the term set that is associated with the column. If the user begins typing a value, the AJAX-driven control displays all terms in the associated term set that begin with the characters the user has typed. The name of the term set and the term's position in the hierarchy are indicated along with the term itself. If the column's definition allows multiple values, the user can select more than one term. If both the term set and the column's definition allow new terms to be added, the user can also create a new term and insert it at the appropriate place in the term set's hierarchy.
It is important to note the following about the control:
The control consists of a text box, a browse button, and a term selection page.
You can type a term into the text box. As you type, the control provides suggestions. If the highlighted suggestion is appropriate, you can press ENTER. Alternately, you can select any suggestion by using the arrow keys to select the suggestion and then pressing ENTER or by clicking the suggestion.
If you type a term that does not exist in the term store, your entry is displayed in red with a red dashed underline. You cannot save the change until you correct the entry.
Click the Browse For A Valid Choice button. The term selection page opens. The term selection page shows all terms in the term set. To select a term, click the term, click Select, then click OK, as shown in the following graphic:
If the term set has an email address in the term set's Contact property, the term selection page displays a Send Feedback link. The link is a simple <mailto:> link that opens the user's email client with the To: address prepopulated with the term set contact's email address. If the term set is an open term set, the Add New Item link appears. Click the link, and a new, blank term appears. Type the label for the term, and then press ENTER.
Here is a review of some important points about terms:
Terms are stored in a term set in a term group.
A managed metadata service application can contain multiple term sets.
Typically, terms are tightly managed. Most term sets are usually closed, meaning that only term set managers and contributors can add, modify, or delete terms in the term set.
A managed metadata column can expose terms from only one term set.
Keywords
Often, enterprises want to allow folksonomy, the development of terms and metadata that is driven by users adding tags to content and people. Terms in a folksonomy are typically unmanaged: users can tag content or people with whichever words and phrases they want to apply. Folksonomy in SharePoint Server 2010 is supported by keywords. Keywords are terms that are stored in a single, nonhierarchical term set called the keyword set. When content is tagged and a term does not exist, it is added to the keyword set. There is very little difference, really, between keywords and terms. Both are terms that can be used to tag content. Both are stored in the term store. The primary differences are the following:
Terms are highly managed. They have numerous properties, about which you learn later in this lesson.
Terms are structured in term sets and term groups and can be reused across term sets and term groups.
Term sets are typically closed. The keyword set is typically open: users can add keywords to the keyword set when they tag content with words or phrases that do not already exist in the keyword set.
The EditForm.aspx page of an item or document displays the managed keyword control for enterprise keyword columns. It is important to note the following about the control:
The control consists of a text box, a browse button, and a term selection page.
As you type, the control provides suggestions. If the highlighted suggestion is appropriate, you can press ENTER. Alternately, you can select any suggestion by using the arrow keys to select the suggestion and then pressing ENTER or by clicking the suggestion.
You can type a word or phrase that does not already exist as a keyword, and it will be added to the keyword set. This is the default behavior of the enterprise keywords column; however, SharePoint can be configured to prevent adding new keywords to the keyword set.
Create a Keyword
Keywords are often created by users when they tag content with a word or phrase that is not already in the keyword set. However, if you want to add a keyword directly to the keyword set, you can do so by following this procedure:
1. Open the Term Store Management Tool.
2. Expand System, and then expand Keywords.
3. Point at the Keywords, and then click the drop-down arrow that appears.
4. Click New Keyword.
5. Type the term, and then press ENTER.
Manage Terms
Now that you understand the end result (how terms are incorporated into items and documents), you can learn how to administer managed metadata, from the bottom up, starting at the terms themselves.
Term Properties
Terms are more than simply words or phrases. They are objects with a variety of properties.
Modify a Term
To modify the properties of a term, follow this procedure:
1. Open Term Store Management Tool.
2. Select the term.
3. Modify one or more properties of the term.
4. Click Save.
The term properties that you can modify include the following:
Sort order. By default, terms are sorted alphabetically in the parent term set or term. However, you can manually specify the sort order by completing the following steps:
1. Click the Custom Sort tab.
2. Click Use custom sort order.
3. Modify the sort order.
Available for tagging. By default, terms are available to be used for tagging. Why would you create a term and then not make it available? Terms themselves are hierarchical in a term set. That is, a term can have one or more terms as child objects. For example, you might have terms for teams or departments in the IT group. If you have a term hierarchy in a term set, you might want nodes that have child terms to be unavailable for tagging.
Language. If you have a language pack installed, and the term store has the language specified as a working language, you can select each language and modify the Default Label and Other Labels.
Description. Use a description to help users understand when to use the term and to disambiguate among similar terms.
Default label. This is the default label for the term for the selected language. The default label is what is referred to as the term. However, as you are learning, the term is more than just the label. In fact, behind the scenes, everything is managed with unique identifiers.
Other labels. These are synonyms and abbreviations for the term for the selected language. When other labels are configured for a term, users can enter any of the synonyms or abbreviations in a managed metadata control, and their entry will be changed into the default label for the term. The other labels even appear as suggestions when a user begins to type in a managed metadata control.
Member of. A term can be reused in multiple locations. The Member Of list is a list of locations in which the term exists.
Source. When a term exists in more than one location, the term's properties can be edited in only one, its source. The permissions that apply to the source location affect who can modify the term's properties.
Term Tasks
Use the drop-down menus in the term store hierarchy of the Term Store Management Tool to perform actions. You can perform the following actions related to terms in a term store:
Create term. Create a new term in a selected term set or as a child of a selected term.
Copy term. Create a new term that is a copy of an existing term. The source term's properties are copied to the new term, and then the new term is a unique object with no relationship or linkage to its original source.
Move term. Move a term to another location in the term hierarchy.
Delete term. Remove a term from the term store.
Deprecate term. Disable the term so that it no longer can be used as a valid term but stays part of the system.
Merge term. To merge terms, select a source term, click Merge Term, and then select a target term. The result is that the source term and its synonyms are added as synonyms of the target term.
Reuse term. A term can be placed in more than one location in the taxonomic hierarchy. To use a term in a new location (in a term set or as a child of another term), select the target location, click Reuse Term, and then select the source term. The source term is added as a kind of link to the selected target location. Changes to a term's properties affect every instance of the term. The term's Source property defines the location in the hierarchy in which the term can be modified, and the permissions on that location determine which users can modify the term. The term's source can be changed to any of its locations by a user who currently has permission to modify the term.
Enterprise Keywords
As you learned in a previous topic, keywords are stored in a flat, nonhierarchical keyword set. Keywords have only one property: Available For Tagging. You can perform only three actions. The first two are New Keyword and Delete Keyword, which are self-explanatory. The third action is Move Keyword. With this option, you can move a keyword into a term set, where it becomes a managed term and acquires all of the additional properties associated with terms. This process is how an organization can organically grow a folksonomy and migrate resulting terms into a taxonomy.
A term group is a collection of one or more term sets. A term group has a Group Name and a Description. Most important, the term group defines two roles:
Contributors. Contributors have full permission to edit terms and term set hierarchies in the term group.
Group Managers. Group Managers have Contributor permissions plus the ability to import term sets. Group Managers can also add users to the Contributors role.
You can create a term group from the term store.
Create a Term Group
To create a term group, complete the following steps:
1. Point at the term store, click the drop-down menu, and then click New Term Group.
2. Type a name for the term group, and then press ENTER.
The following options appear on the term group's drop-down menu:
New Term Set. You can use this option to create a new term set in the term group.
Delete Term Group. You can use this option to delete the term group.
Import Term Set. You can use this option to import a term set using a comma-separated values (.csv) file. You can find a sample import file in the root of the term store. In Term Store Management, click the term store, and then click View A Sample Import File.
Additional Reading
Managed metadata input file format (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197214&clcid=0x409
Each managed metadata service application has one term store. Metadata service applications cannot share term stores. The term store properties define the following:
Term Store Administrators. Term Store Administrators have full control over the term store. Term Store Administrators can perform all actions of Group Managers, can create and delete term groups, and can assign users to the Group Managers role. Term store administrators can also modify the default and working languages of a term set.
Default Language. Each term store must have a default language specified, and every term must have a label defined in the default language.
Working Languages. After you have installed a language pack, you can add installed languages as a working language for a term set. Then, you can select a term and specify the default label and other labels for each working language. Unlike the default language, you are not required to have a label for every term in a working language.
Terms are not added to a term store by default when you add a language pack. There is no automatic translation service. You must manually configure the labels for terms in each language that you want a term set to expose. When a term has labels in multiple languages, the language of the site determines which labels are visible. For example, if the Department term set has terms defined in both French and English, an English-language team site allows users to use English terms from the term set in a managed metadata column, and a French team site allows users to use French terms from the term set.
To create a term store, you must create a managed metadata service application. The steps for this procedure are listed later in this lesson. To delete a term store, you must delete the managed metadata service application.
Assign Term Set Administrators
A farm administrator must assign term set administrators. In fact, when you create a new managed metadata service application, even though you created the application, you are not a term set administrator; you must give yourself permission.
1. Open the Term Store Management Tool.
2. In the Term Store Administrators box, type the names of term set administrators separated by semicolons.
3. Click Save.
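The administration tasks of this lesson (term store administrators, a term group with its two roles, a closed term set with a contact, a term hierarchy with the properties covered under Term Properties and Term Tasks, and a keyword in the keyword set) as one scripted example against Microsoft.SharePoint.Taxonomy. This is an added example, not course-provided code; it assumes the SharePoint 2010 Management Shell, and the site URL, group, set and term names, and the account names are constructed placeholders.

```powershell
# Added example (not course-provided code): builds a term group with its two roles, a
# closed term set with a contact, a two-level term hierarchy with the properties
# described in this lesson (tagging availability, description, other labels,
# deprecation, custom sort order), adds one keyword and commits. Assumes the
# SharePoint 2010 Management Shell; site URL, names and accounts are constructed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = 'http://intranet.contoso.com'

function Get-OrCreateTerm($parent, [string]$name, [int]$lcid) {
    # $parent is a TermSet or a Term; both expose Terms and CreateTerm(name, lcid).
    $term = $parent.Terms | Where-Object { $_.Name -eq $name }
    if ($term -eq $null) { $term = $parent.CreateTerm($name, $lcid) }
    return $term
}

function New-HrTaxonomy {
    $site = Get-SPSite -Identity $SiteUrl
    try {
        $session   = Get-SPTaxonomySession -Site $site
        $termStore = $session.DefaultSiteCollectionTermStore
        $lcid      = $termStore.DefaultLanguage   # every term needs a label in this language

        # Term store administrators are assigned explicitly, even by the farm
        # administrator who created the service application.
        $termStore.AddTermStoreAdministrator('CONTOSO\taxonomy-admin')

        # Term group: the security container. Group Managers can import term sets and
        # add Contributors; Contributors edit terms and term set hierarchies.
        $group = $termStore.Groups | Where-Object { $_.Name -eq 'Human Resources' }
        if ($group -eq $null) { $group = $termStore.CreateGroup('Human Resources') }
        $group.AddGroupManager('CONTOSO\hr-taxonomy-manager')
        $group.AddContributor('CONTOSO\hr-editor')

        # Closed term set: users cannot add terms from the managed metadata control.
        $termSet = $group.TermSets | Where-Object { $_.Name -eq 'Job Titles' }
        if ($termSet -eq $null) { $termSet = $group.CreateTermSet('Job Titles', $lcid) }
        $termSet.IsOpenForTermCreation = $false
        $termSet.Contact = 'taxonomy@contoso.com'   # makes the Send Feedback link appear

        # Hierarchy: a grouping node that is not taggable, with taggable child terms.
        $eng = Get-OrCreateTerm $termSet 'Engineering' $lcid
        $eng.IsAvailableForTagging = $false

        $dev = Get-OrCreateTerm $eng 'Software Developer' $lcid
        $dev.SetDescription('Designs, writes and maintains application code', $lcid)
        foreach ($synonym in 'SDE', 'Programmer') {
            # Other labels: typing a synonym in the control resolves to the default label.
            if (-not ($dev.Labels | Where-Object { $_.Value -eq $synonym })) {
                [void]$dev.CreateLabel($synonym, $lcid, $false)
            }
        }

        $legacy = Get-OrCreateTerm $eng 'Webmaster' $lcid
        $legacy.Deprecate($true)    # stays in the store but is no longer a valid tag

        # Custom sort order is a colon-separated list of term GUIDs.
        $eng.CustomSortOrder = '{0}:{1}' -f $dev.Id, $legacy.Id

        # Keywords live in the single, flat keyword set (open by default).
        [void](Get-OrCreateTerm $termStore.KeywordsTermSet 'onboarding' $lcid)

        $termStore.CommitAll()    # nothing above is persisted until this call

        New-Object PSObject -Property @{
            TermSet        = $termSet.Name
            OpenForCreate  = $termSet.IsOpenForTermCreation
            TermCount      = $termSet.GetAllTerms().Count
            DevLabels      = ($dev.Labels | ForEach-Object { $_.Value }) -join ', '
            WebmasterValid = -not $legacy.IsDeprecated
        }
    }
    finally {
        $site.Dispose()
    }
}

New-HrTaxonomy | Format-List
```

The script is safe to re-run because each object is looked up before it is created; the role assignments are idempotent as well. CommitAll() is the step people forget when working in the object model: until it runs, the Term Store Management Tool shows none of the changes.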
Note: When working with SharePoint Online deployments, the SharePoint Online term store can be managed via the Term Store Management Tool in the SharePoint Online Administration Center. This allows you to manage metadata within your site, and the same principles and procedures that are called out here for an on-premises environment are applicable.
Here is a review of the characteristics of each component from the perspective of term store design:
One or more terms are contained in a term set. Terms can also be created as child objects of other terms.
A term set is a group of related terms and is the scope of a managed metadata column. When you add a managed metadata column to a content type, list, or library that will use tags, you specify the term set that is used in the column. Each managed metadata column can use terms from only one term set, and all terms in the term set are available.
One or more term sets are contained in a term group. A term group is a security container that manages who can modify term sets and terms. You can specify, for a term group, who has permission to modify the term sets and terms in the term group.
One or more term groups are contained in a term store. A term store is the database that contains the terms for a managed metadata service application.
The scalability of a managed metadata service application is related to performance, but the following guidelines should be used:
1,000 term sets per term store
30,000 terms per term set
1 million terms per term store
The keyword set is a flat, nonhierarchical term set that is used to apply terms to enterprise keyword columns. The managed keyword control displayed by an enterprise keyword column exposes terms from the keyword set as well as all other term sets that are available to the Web application.
Term sets can be global or local. A global term set is what you have been examining thus far: a term set that is maintained using the Term Store Management Tool and available to all Web applications that connect to the service application. A local term set is maintained in the term store, but it is created and managed in a site collection, rather than in the Term Store Management Tool. The resulting term set is available to all sites in the site collection but not to other site collections. Using a local term set has advantages over legacy methods for tagging data (for example, choice and lookup fields) because the local term set is maintained by the managed metadata service, so you can define synonyms and manage terms just as you would a global term set. Users who are site collection administrators have permissions to create local term sets.
to enterprise keyword fields in the other farm, you should create a separate metadata application and term store to publish to both farms.
Additional Reading
Plan terms and term sets (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197215&clcid=0x409
Terms
You can use the managed metadata service to practice enterprise metadata management. As discussed in a previous topic, metadata (also known as attributes, properties, fields, columns, terms, tags, and keywords) is a critical component of taxonomy and therefore of information architecture.
Terminology About Terms
The term you hear most in relation to the managed metadata service is term. A term is a word or phrase that can be used as an attribute for content. When people refer to taxonomy, they are generally referring to structured, centralized, and managed terms. A closely related concept is folksonomy, which is used to refer to user-generated tags. Terms can be managed and controlled in a variety of ways so that an enterprise can expose a managed taxonomy while allowing user-generated tags (folksonomy). A taxonomy and folksonomy that are designed and managed to support the requirements of a business can allow information architecture to grow organically and change over time.
Applying Terms (Tagging)
Once you have tags, whether structured or user-driven, you must be ready to support tagging: the task of assigning descriptors (metadata) to content. SharePoint refers to tagging with several terms, each of which is somewhat ambiguous and is therefore used differently in different contexts. Content tagging or social tagging is the addition of terms to content to describe what it is, what it contains, and what it does. This is in contrast to expertise tagging, which is the association of terms with a person, to describe what the person does, what projects the person works on, and what skills the person has. Tags in SharePoint can be public or private. They can be assigned manually by a user or automatically.
Using Terms
Tags are everywhere in SharePoint Server 2010. You can tag items, documents, pages, and sites from the SharePoint Web interface or by using SharePoint-aware applications such as Microsoft Office 2010. One of the primary reasons to tag content is to make it easier to locate by browsing or by searching. SharePoint uses tags to provide metadata-driven navigation and filtering and to produce a tag cloud control. Tags can be used as search refiners, and tags can be used by the routing rules of the Content Organizer to route content to the appropriate location.
Extensibility
There is no out of the box feature that connects the managed metadata service to external data sources or term stores. However, the managed metadata service is extensible. You can expect numerous solutions to be developed by independent software vendors and by the community. Tools will be available to migrate enterprise taxonomy from other sources into the managed metadata service and to integrate the managed metadata service with other taxonomy management tools.
Additional Reading
Managed metadata overview (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197216&clcid=0x409
It is common that sites in different site collections require similar content types. For example, the Legal department at Contoso creates a template for nondisclosure agreements (NDAs) and a content type for NDAs that uses the template and declares all new NDAs as records. Each of Contoso's business units has SharePoint site collections with document libraries in which NDAs are maintained. The content type can be published, in a manner of speaking, from the Legal department to all Contoso business units.
Sharing content types across site collections, Web applications, and farms is quite challenging in SharePoint 2007. The managed metadata service makes it easy in SharePoint 2010. Each managed metadata service application has a Content Type Hub property that specifies the URL of a site collection from which to publish content types. All other Web applications that connect to the managed metadata service receive copies of the content type from the content type hub, and updates made at the hub can be propagated. You must complete several steps to publish content types. They are described in the sections that follow.
4. In the Content Type hub box, type the URL of the site collection from which the service application will consume content types.
5. Select the Report syndication import errors from Site Collections using this service application check box, and then click OK. When a Web application tries to import the content types from its managed metadata service applications and encounters an error, the error is always logged to that Web application. This option creates a second error associated with the content type hub site collection so that import errors from all subscriber sites are centralized and can be viewed in one place: the hub.
You can use the same Manage Publishing For This Content Type command to republish, or update, a content type and to unpublish a content type.
1. In Central Administration, click Monitoring.
2. Click Review job definitions.
3. Click Content Type Hub.
4. Click Run Now.
5. Wait a few moments for the job to complete. Optionally, you can click Content Type Hub to return to the job definition. Refresh the page and monitor the Last run time property. When it updates to the current time, the job is complete.
6. Click Content Type Subscriber on the row for the subscriber Web application.
7. Click Run Now.
8. Wait a few moments for the job to complete. Optionally, you can click Content Type Hub to return to the job definition. Refresh the page and monitor the Last run time property. When it updates to the current time, the job is complete.
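The same two-job sequence can be driven from Windows PowerShell. The script below is an added example, not part of the course; it selects the jobs by the display names shown in Central Administration, starts each one with Start-SPTimerJob, and waits for LastRunTime to advance, which is the same property the procedure tells you to monitor. The subscriber Web application URL is a placeholder.

```powershell
# Added example (not from the course): run the Content Type Hub job, then the
# Content Type Subscriber job of one Web application, waiting for each to finish.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Invoke-TimerJobAndWait {
    param(
        [Parameter(Mandatory = $true)] $Job,   # an SPJobDefinition returned by Get-SPTimerJob
        [int]$TimeoutSeconds = 300
    )
    $before = $Job.LastRunTime
    Start-SPTimerJob -Identity $Job
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        # Re-read the definition; LastRunTime moves forward when the run completes.
        $current = Get-SPTimerJob -Identity $Job.Id
        if ($current.LastRunTime -gt $before) {
            Write-Output ('{0} completed at {1}' -f $current.DisplayName, $current.LastRunTime)
            return $true
        }
    } while ((Get-Date) -lt $deadline)
    Write-Warning ('{0} did not report a new run within {1} seconds' -f $Job.DisplayName, $TimeoutSeconds)
    return $false
}

# The hub job is farm-wide; if several managed metadata service applications
# exist there is one hub job each, so filter further in that case.
$hubJob = Get-SPTimerJob | Where-Object { $_.DisplayName -eq 'Content Type Hub' } | Select-Object -First 1

# The subscriber job belongs to the subscribing Web application (placeholder URL).
$subscriberWebApp = Get-SPWebApplication -Identity 'http://intranet.contoso.com'
$subJob = Get-SPTimerJob -WebApplication $subscriberWebApp |
    Where-Object { $_.DisplayName -eq 'Content Type Subscriber' } | Select-Object -First 1

# Only pull content types into the subscriber once the hub has published them.
if (Invoke-TimerJobAndWait -Job $hubJob) {
    Invoke-TimerJobAndWait -Job $subJob | Out-Null
}
```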
6. Optionally, in the Content Type hub box, enter the URL to the site collection that will serve as the content type hub.
7. It is recommended that you select the Report syndication import errors from Site Collections using this service application check box. When a Web application tries to import the content types from its managed metadata service applications and encounters an error, the error is always logged to that Web application. This option creates a second error associated with the content type hub site collection so that import errors from all subscriber sites are centralized and can be viewed in one place: the hub.
8. When you create a new managed metadata service application, a connection to the newly created managed metadata service is automatically created in the same Web application as the service. If you want that connection to be added to the default application connection group, select the Add this service application to the farm's default list check box. Click OK.
Create a Managed Metadata Service Application Using Windows PowerShell
Use the New-SPMetadataServiceApplication cmdlet to create a managed metadata service application:
New-SPMetadataServiceApplication -ApplicationPool "<ApplicationPoolName>" -Name "<ServiceName>" -DatabaseName "<DatabaseName>" -DatabaseServer "<DatabaseServerName>" -HubUri "<HubURI>"
Where:
<ApplicationPoolName> is the name of an existing application pool in which the new managed metadata service should run.
<ServiceName> is the name of the new managed metadata service.
<DatabaseName> is the name of the database that will host the term store. Each managed metadata service must use a unique term store.
<DatabaseServerName> is the name of the database server that will host the term store.
<HubURI> is the URL of the site collection that contains the content type library that the new managed metadata service will provide access to.
A connection to the newly created managed metadata service is automatically created in the same Web application as the service.
Update a Managed Metadata Service Application Using Central Administration
1. In Central Administration, in the Application Management section, select Manage service applications.
2. Select the row that corresponds to the service to update.
Note: Do not select the row by clicking in the Name column. Clicking the name of the managed metadata service opens the Term Store Management Tool. Instead, click in another column in the same row.
3. On the ribbon, click Properties. You can then change any properties of the service application.
Update a Managed Metadata Service Application Using Windows PowerShell
Use the Set-SPMetadataServiceApplication cmdlet to update properties of a managed metadata service application:
Where:
<ServiceApplication> is the name of the managed metadata service application that you are modifying.
<HubURI> is the URL of the site collection that contains the content type library that the managed metadata service will provide access to.
Delete a Managed Metadata Service Application
You can delete a managed metadata service application by using the Manage Service Applications page. Click Delete on the ribbon.
Publish and Connect to Managed Metadata Service Applications Across Farms
SharePoint 2010 supports publishing some service applications across farms. The managed metadata service is one such application. See Module 8, Configuring and Securing SharePoint Services and Service Applications, for more details.
Additional Reading
Create, update, publish, and delete a managed metadata service application (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197217&clcid=0x409
IMPORTANT: For a given Web application, do not make more than one connection the default keyword location. If no connection is specified as the default keyword location, users cannot create new enterprise keywords.
Default term set location. Web applications using this connection store local term sets (custom term sets created for site columns in site collections in the Web application) in this managed metadata service's term store.
IMPORTANT: For a given Web application, do not define more than one connection as the default term set location. If no connection is specified as the default term set location, users can specify only an existing term set when they create a site column whose data type is managed metadata.
Use of content types. You can use this option to decide whether to make the content types that are associated with this managed metadata service (if any) available to users of sites in this Web application. This option is available only if the service has a hub defined to share content types.
Pushing down content type publishing updates from the content type gallery to subsites and lists using the content type. Use this option to update existing instances of the changed content types in subsites and libraries.
Update a Managed Metadata Service Application Connection Using Central Administration
1. In Central Administration, in the Application Management section, select Manage service applications.
2. Select the row that corresponds to the service application connection to update. Do not select the row by clicking in the Name column. Clicking the name of the managed metadata service opens the Term Store Management Tool. Instead, click in another column in the same row.
3. On the ribbon, click Properties. You can then change any properties of the service application connection.
Additional Reading
Create, update, and delete a managed metadata service connection (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197218&clcid=0x409
Plan to share terminology and content types (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197219&clcid=0x409
Additional Reading
Plan to share terminology and content types (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197219&clcid=0x409
Managed metadata service application overview (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkId=201254
A number of roles, capabilities, and permissions determine a user's ability to modify or use terms in a term store. A managed metadata service application and its term store can be modified directly, with Central Administration or the Term Store Management Tool, and by site administrators and end users on a site.
Modify the Term Store with the Term Store Management Tool
The following roles can perform tasks on the term store by using the Term Store Management Tool:
Contributors. A term group's Contributors have full permission to edit terms and term set hierarchies in the term group. Contributors can do the following within a term group:
Create, rename, copy, reuse, move, and delete term sets.
Modify all term set properties.
Create, rename, copy, reuse, merge, deprecate, move, and delete terms.
Modify all term properties.
Group Managers. A term group's Group Managers have Contributor permissions plus the ability to import term sets. Group Managers can also add users to the Contributors role.
Term Store Administrators. Term Store Administrators have full control over the term store. Term Store Administrators can perform all actions of Group Managers, can create and delete term groups, and can assign users to the Group Managers role. Term Store Administrators can also modify the default and working languages of a term set.
Modify the Term Store with the Managed Column Properties Page
A user with permission to add or modify columns can do the following:
Create a local term set. An administrator of a site can create a local term set that is available only to sites in the site collection. This local term set, also called a site collection term set or a column-specific term set, is stored in the managed metadata service term store specified by the Web application's connections as the default term set location. The default term set location must be specified, and the user must have permission to create or modify columns in the site.
Informational Roles
The term set Owner, Contact, and Stakeholders properties are informational only. They are used to document individuals and groups that have an interest in the term set. The properties do not convey any permission of any kind. However, the Contact email address is used to create a Submit Feedback link in the managed keyword control so that users can propose changes or request new terms by email.
Use Terms
Numerous tasks can be performed that use managed metadata. These tasks are performed in the user interface and security context of the task.
Create new managed metadata columns. Users with permission to create columns can create a managed metadata column that validates its terms against a local or global term set.
Add managed metadata columns to content types. Users with permission to create content types can create a content type that includes a managed metadata column or an enterprise keywords column.
Add managed metadata to SharePoint documents and items. Users with permission to create or modify content can use the managed metadata control and managed keyword control in managed metadata columns and enterprise keyword columns, respectively, to tag content.
Add enterprise keywords to non-SharePoint items. If social tagging is allowed, users can add tags from the keyword set to non-SharePoint items, such as external Web sites or blog posts.
Create and refine queries based on term sets. Users can use terms in term sets in search queries, and, when a list of search results is returned, they can use terms in term sets to create refiners (filters that narrow down search results).
Connection Permissions
A managed metadata service application, by default, allows all Web applications that connect to it to have full access to the term store. With this default, all Web applications connecting to the managed metadata service application can perform all of the activities listed previously. Some scenarios may require restricting the capabilities of specific Web applications. To support these scenarios, a managed metadata service application has connection permissions.
Configure Connection Permissions
Connection permissions are configured in Central Administration on the Manage Service Applications page.
1. In Central Administration, click Application Management.
2. Click the row of the managed metadata service application. Do not click the name of the service application. The name is a link that opens the Term Store Management Tool.
3. On the ribbon, click Permissions.
By default, the Local Farm group has Full Access To Term Store permission. The Local Farm group includes all app pools for all Web applications in the farm. To restrict permissions, you must first remove the permission assigned to Local Farm. You can then add individual Web application app pool accounts and assign permissions to the accounts. Connection permissions are as follows:
Read Access To Term Store. This permission grants read access to the term store and content types that are associated with the managed metadata service. A Web application with this permission to the managed metadata service can use terms and content types from the managed metadata service but cannot make any changes.
Read And Restricted Write Access To Term Store. This permission grants Read access to the term store and content types that are associated with the managed metadata service. Additionally, this permission grants the ability to create local term sets and to add terms to open term sets, and permission to create enterprise keywords. A Web application with this permission can allow users to create local term sets, to add keywords, and to add terms to open global term sets.
Full Access To Term Store. This permission grants Read and Write access to the term store and Read access to content types that are associated with the managed metadata service. A Web application with this permission can publish content types to the content type hub and can manage terms and term sets.
To reiterate, the default permission for all Web applications is Full Access To Term Store. With this permission in place, a user's capabilities are governed by permissions on the term store, on the site collection, and on content in the site. Any permission more restrictive than this limits the activities that were listed earlier in this topic. The following table summarizes connection permissions.

Action                                                                                 Read  Restricted  Full
View terms and term sets                                                               Yes   Yes         Yes
Add existing terms and existing enterprise keywords to documents and list items        Yes   Yes         Yes
Bind columns to existing term sets                                                     Yes   Yes         Yes
View and use content types from the content type hub (if the service provides a hub)   Yes   Yes         Yes
Add new terms to open term sets                                                        No    Yes         Yes
Create new enterprise keywords (if the connection is configured to enable this)        No    Yes         Yes
Create local term sets (if the connection is configured to enable this)                No    Yes         Yes
Add and modify content types in the content type hub (if the service provides a hub)   No    No          Yes
Manage terms and term sets (if the user is authorized to do this)                      No    No          Yes
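The Permissions dialog above has a scripted equivalent. The following is an added example, not part of the course: it audits every managed metadata service application for the default Local Farm rule that still grants full access, then grants one Web application's app pool account the Read Access To Term Store right. It assumes the SPObjectSecurity returned by Get-SPServiceApplicationSecurity exposes its rules as AccessRules with Name and AllowedRights properties; the service application name and account are placeholders.

```powershell
# Added example (not from the course). Audit managed metadata connection
# permissions and grant a single app pool account read-only access.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-MetadataConnectionPermissions {
    # One row per access rule on each managed metadata service application.
    foreach ($sa in Get-SPMetadataServiceApplication) {
        $security = Get-SPServiceApplicationSecurity -Identity $sa
        # Assumption: AccessRules items carry the principal's display name and its rights.
        foreach ($rule in @($security.AccessRules)) {
            New-Object PSObject -Property @{
                ServiceApplication = $sa.DisplayName
                Principal          = $rule.Name
                Rights             = [string]$rule.AllowedRights
            }
        }
    }
}

$rules = Get-MetadataConnectionPermissions
$rules | Format-Table ServiceApplication, Principal, Rights -AutoSize

# The farm default: Local Farm (every app pool in the farm) with full access.
# Restricting individual Web applications has no effect until this rule is removed
# in the Permissions dialog described in the procedure above.
$defaultOpen = $rules | Where-Object { $_.Principal -eq 'Local Farm' -and $_.Rights -match 'Full Access' }
foreach ($r in $defaultOpen) {
    Write-Warning ('{0}: Local Farm still has full access to the term store' -f $r.ServiceApplication)
}

# Grant one Web application's app pool account read-only access (placeholder values).
$serviceAppName = 'Managed Metadata Service'
$appPoolAccount = 'CONTOSO\sp_extranet_apppool'

$sa        = Get-SPMetadataServiceApplication -Identity $serviceAppName
$security  = Get-SPServiceApplicationSecurity -Identity $sa
$principal = New-SPClaimsPrincipal -Identity $appPoolAccount -IdentityType WindowsSamAccountName
# The right is named exactly as it appears in the Permissions dialog.
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights 'Read Access to Term Store'
Set-SPServiceApplicationSecurity -Identity $sa -ObjectSecurity $security
```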
Additional Reading
Plan to share terminology and content types (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197219&clcid=0x409 Managed metadata service application overview (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkId=201254
Scenario
The knowledge management team at Contoso is excited about the ability of SharePoint 2010 to support an enterprise taxonomy. They have asked you to prototype the functionality of the managed metadata service and of terms.
Tip: To add a new term you must add it to the term store by clicking the Browse For A Valid Choice icon, and then clicking the Add New Item link.
Tip: Use the Suggestions list to enter departments without having to type the entire department name.
Review Questions
1. Why does list throttling benefit the users of a SharePoint farm?
2. What are the advantages of using RBS with SharePoint?
3. What advantage does the managed metadata service provide to an enterprise that is implementing an information architecture?
4. What are the advantages of using metadata navigation?
Configuring Authentication
Module 5
Configuring Authentication
Contents:
Lesson 1: Understanding Classic SharePoint Authentication Providers  5-3
Lesson 2: Understanding Federated Authentication  5-19
Lab A: Configuring Custom Authentication  5-28
Lab B: Configuring Secure Store  5-33
Module Overview
Authentication is the process of verifying the identity of a user making a request to an application. The application must be assured that the user is authentic before the system performs authorization, which is the process of verifying that the user has permission to make the request, and personalization, which determines how the application interacts with the user.
Objectives
After completing this module, you will be able to:
Describe Microsoft SharePoint Server 2010 authentication.
Describe SharePoint Server 2010 federated authentication.
Lesson 1
Classic-mode authentication is one of two types of authentication supported by SharePoint 2010. Classic-mode authentication supports one authentication provider (Windows) and several methods of Windows authentication, each of which is described in this lesson. You can use classic-mode authentication in simple environments that do not require the benefits of claims-based authentication.
Objectives
After completing this lesson, you will be able to:
Describe identity and classic-mode authentication.
Configure classic-mode authentication.
Describe integrated Windows authentication.
Configure Kerberos authentication.
Describe additional Windows authentication methods.
Configure the Secure Store Service.
SharePoint Server 2010 is a distributed application that is logically divided into three tiers: the front-end Web server tier, the application server tier, and the back-end database tier. Each tier is a trusted subsystem, and authentication can be required, and by default is required, for access to each tier. Controlling access to each tier requires an authentication provider. Authentication providers are software components that support specific authentication methods. In SharePoint Server 2010, there are two types of authentication:
Classic-mode authentication. Classic-mode authentication is the same type of authentication that was used in Microsoft Office SharePoint Server 2007. Classic-mode authentication uses Microsoft Windows as the authentication provider.
Claims-based authentication. Claims-based authentication is a new authentication mode, built on the Windows Identity Framework (WIF). It supports Windows authentication (just as classic mode does) as well as forms-based authentication (FBA) and Security Assertion Markup Language (SAML) token-based authentication.
If you are upgrading from Microsoft Office SharePoint Server 2007, consider using classic-mode authentication if you have no plans to implement forms-based authentication or SAML token-based authentication in the future. If you ever plan to use forms-based authentication or SAML token-based authentication, claims-based authentication is a requirement because classic-mode authentication only supports the Windows authentication provider. FBA is not supported by classic-mode authentication, even though FBA was supported in SharePoint 2007. You must use claims-based authentication to use FBA.
The table below summarizes the authentication modes, providers, and methods. You will learn about each as this lesson progresses.

Type          Provider  Methods
Classic       Windows   Anonymous, Basic, Digest, Certificates, NTLM, Negotiate (Kerberos or NTLM)
Claims-based  Windows   Anonymous, Basic, Digest, Certificates, NTLM, Negotiate (Kerberos or NTLM)
              FBA       LDAP, SQL database, Other DB, Custom
              SAML      ADFS 2.0, Windows Live ID, Third Party
You can configure classic-mode authentication (CMA) when creating a new Web application or subsequently by editing the authentication option as listed below for both situations.
Edit Authentication
After a Web application is created, you can modify authentication settings on the Edit Authentication page. You will then be able to change the settings for Security Configuration, and review the settings under Authentication Type. You can access the Edit Authentication page from the Web Applications Management or the Authentication Providers page.
To configure authentication settings from the Web Applications Management page, follow these steps:
1. In the Central Administration Quick Launch, click Application Management.
2. In the Web Applications section, click Manage web applications.
3. Select the Web application that you want to modify.
4. On the ribbon, click Authentication Providers.
5. Click the link to the zone that you want to modify. By default, each new Web application has a single zone, called Default. You will learn more about zones later in this module. The Edit Authentication page appears.
6. Make your changes, and then click Save.
To configure authentication settings from the Authentication Providers page, follow these steps:
1. In the Central Administration Quick Launch, click Security.
2. In the Web Applications section, click Specify authentication providers.
3. Click the Web Application menu to select the Web application that you want to modify.
4. Click the link to the zone that you want to modify. The Edit Authentication page appears.
5. Make your changes, and then click Save.
Windows authentication is available in both classic-mode and claims-based authentication. However, when a Web application is using classic-mode authentication, only the Windows authentication provider is supported. Windows authentication supports the following authentication methods:
Integrated Windows authentication. Can use either NT LAN Manager (NTLM) or Negotiate (Kerberos or NTLM) authentication methods.
Basic. In the same fashion as Windows authentication, basic authentication relies on a set of credentials for the user in Active Directory. However, basic authentication enables a Web browser to submit credentials while making an HTTP request, and so the credentials are sent in plaintext, unencrypted, to the server.
Anonymous. Anonymous authentication enables users to connect to a Web application without providing credentials.
Digest. Digest authentication provides the same functionality as basic authentication, but with increased security. User credentials are encrypted instead of being sent over the network in plain text.
Client certificates. Client-certificate authentication supports the exchange of public key certificates using Secure Sockets Layer (SSL) encryption over HTTP.
NTLM
NTLM is the most established form of authentication in Microsoft products, as it was introduced more than a decade ago.
The Process Behind NTLM Authentication
When a user logs on to a computer, the user is prompted for a user name and password. The user name is sent to the domain controller, but the password is never sent over the network. Instead, the password is reduced to a hash, and both the client and the domain controller apply a one-way function to a challenge using that hash, as part of an encrypted challenge/response protocol. The client sends its result (the response) to the domain controller. If the response matches the result that the domain controller computed itself, then the password entered by the user must have been correct, and the user is authenticated.
It gets more complicated when a user connects to a server, such as a SharePoint server. If the SharePoint server is a member server (not a domain controller), then it has no way of knowing the user's password. Therefore, when the user connects to the server, the server has to pass the authentication request to a domain controller. If the domain controller responds to the server that the user is valid, then the authentication succeeds.
NTLM Summary
While NTLM is not the most efficient authentication method, and while it is slightly less secure than Kerberos, it is often chosen as the authentication method for SharePoint Web applications because it is easy to set up.
Kerberos
Kerberos is the default authentication method for Windows clients and servers in an Active Directory domain. The Process Behind Kerberos Authentication Kerberos uses a process that involves encrypted tickets to verify authenticity. When a user logs on and authenticates with the domain, the domain controllers Key Distribution Center (KDC) issues the user a ticket-granting-ticket (TGT) that effectively represents that the user has been authenticated. For the lifetime of the TGTten hours by defaultthe user no longer needs to be authenticated. When the user wants to connect to a service, such as a SharePoint Web application that uses Kerberos authentication, the client application returns to a domain controllers KDC, presents the TGT, which confirms that the client has already been authenticated, and requests from a domain controller a service ticket for the specific service to which the client will connect. The client then goes to the service and presents the service ticket. Because the entire process is encrypted with keys unique to each requestor (the client, the service, and the domain), the service is able to examine the service ticket and determine that it is being presented by an authenticated client. The service ticket contains the clients identity and roles; the session is established. Summary of Kerberos Authentication One of the benefits of Kerberos is that when the client connects to the service, the service does not have to send back to the server and back to the client for the authentication to happen to a domain controller, as in NTLM. Instead, the clients ticket for the service ensures the client has been authenticated. This results in improved authentication performance for Kerberos as compared with NTLM. Another benefit is that Kerberos tickets can be delegatedforwarded or proxiedbetween tiers. 
For example, a client connecting to a Web site provides a Kerberos ticket, and the Web site can pass the ticket to a back-end data source that can authenticate the user for data access. The Web tier does not need to know the user's password to achieve this double-hop authentication. The Web tier also does not need permissions to the back-end data source, since it is all done by using the authentication of the client. Kerberos is considered by many organizations to be a preferable authentication mechanism because of the following advantages:
- More secure than NTLM. Kerberos protocols ensure mutual authentication, which prevents what are called man-in-the-middle attacks, whereby a rogue service could pretend to be a domain controller and intercept authentication requests from clients. Kerberos tickets also contain timestamps that reduce the likelihood of replay attacks, in which an authentication token is intercepted and used later for malicious purposes.
5-10
- More scalable than NTLM. Kerberos supports authentication across trusted realms and, because it is an industry standard, is supported by platforms other than Windows.
- Supports delegation. Delegation was explained previously. It allows a service to impersonate a user without knowing the user's password. Windows Server 2003 and later support constrained delegation as well, which adds a further level of security to the implementation of Kerberos in a Windows enterprise.
- Reduced load on domain controllers. Kerberos requires fewer trips to a domain controller for authentication than NTLM.
The disadvantage of Kerberos is that it requires additional steps to configure, for example, setting the SPN entries for services.
Configuring Authentication
5-11
Negotiate cannot use the Kerberos protocol in either of the following cases:
- One of the systems involved in the authentication cannot use Kerberos authentication.
- The calling application does not provide enough information to use Kerberos authentication.
If the Negotiate process cannot use the Kerberos protocol, it selects the NTLM protocol.
Configuring Kerberos authentication requires that you create service principal names, or SPNs, for your SharePoint services, Web applications, and SQL Server. To summarize the process of Kerberos authentication, keep in mind that when a client wants to connect to a Web application that uses Kerberos authentication, the client requests a service ticket from a domain controller's KDC. The request indicates the service to which the client will connect by specifying the service's SPN. The SPN is made up of the following three components:
1. The service class for the request, which is always HTTP (the HTTP service class includes both the HTTP and HTTPS protocols).
2. The host name.
3. The port (if not port 80) of the Web application.
For example, a request to http://intranet.contoso.com on port 80 equates to an SPN of HTTP/intranet.contoso.com. Note that the SPN syntax uses a single forward slash between the service class and host name portions of the name. A request to http://sp2010-wfe1:9999 for Central Administration equates to an SPN of HTTP/sp2010-wfe1:9999. A security principal (a user or computer account in Active Directory) can have one or more associated SPNs. When a domain controller's KDC receives the service ticket request from a client, it looks up the requested SPN. The KDC then creates a session key for the service and encrypts the session key with the password of the account with which the SPN is associated. The KDC issues a service ticket containing the session key to the client. The client presents the service ticket to the service. The service, which knows its own password, decrypts the session key and authentication is complete. If a client submits a service ticket request for an SPN that does not exist in the identity store, no service ticket can be issued, and the client receives an access denied error.
For this reason, each component of a SharePoint infrastructure that uses Kerberos authentication requires at least one SPN. For example, the intranet Web application app pool account must have an SPN of HTTP/intranet.contoso.com. Note that it is the app pool (not the server) that is associated with the SPN, because the app pool is the security context within which the service (the Web application in this case) is running. It also makes sense if you consider that each SPN can be associated with only one security principal. Therefore, if a Web app is load balanced (running on several servers), it is the one app pool account that is constant across all servers and therefore must have the SPN. For each Web application, you should assign two SPNs: one with the fully qualified domain name for the service, and one with the NetBIOS name of the service. That's why the intranet Web application pool account should also be assigned an SPN of HTTP/intranet. In many environments, a single application pool may be used by multiple Web applications. The app pool account should be given a pair of SPNs for each of its Web applications that use Kerberos authentication.
Configure Service Principal Names for a Service or Application Pool Account Using ADSI Edit
To configure an SPN for a service or application pool account, you must have domain administrative permissions or a delegation to modify the servicePrincipalName property.
1. Start ADSI Edit.
2. In the console tree, right-click ADSI Edit, and then click Connect To. The Connection Settings dialog box appears.
3. Click OK.
4. In the console tree, expand Default naming context, expand the domain, and then expand the nodes representing the OU(s) in which the account exists. Click the OU in which the account exists.
5. In the details pane, right-click the service or application pool account, and then click Properties. The Properties dialog box appears.
6. In the Attributes list, double-click servicePrincipalName. The Multi-Valued String Editor dialog box appears.
7. In the Value to Add field, type the SPN, and then click Add. Repeat Step 7 for additional SPNs. Remember that an app pool account should have two SPNs, in the form HTTP/site.domain.com and HTTP/site, for each Web application that uses Kerberos authentication in the app pool. Remember also to add the port number if the site runs on a port other than port 80, for example, HTTP/site.contoso.com:9999 and HTTP/site:9999.
8. Click OK.
9. Click OK.
Configure Service Principal Names for a Service or Application Pool Account Using SetSPN
You can also use the command line tool Setspn.exe to add SPNs to an account. The syntax is setspn -A <SPN> <account>. The following example adds the SPNs for the intranet Web application to the app pool account:
setspn -A HTTP/intranet.contoso.com CONTOSO\SP_Service
setspn -A HTTP/intranet CONTOSO\SP_Service
Type Setspn.exe /? for more information. Be careful about using setspn.exe: many typing mistakes do not cause an error message, but result in configuration problems. On Windows Server 2008 and later, setspn -S adds an SPN only after checking that no other account in the domain already holds it, and setspn -L <account> lists the SPNs registered on an account so that you can verify what you typed.
Configure Service Principal Names for SQL Server
To configure Kerberos authentication for SQL Server, you will need to add SPNs to the SQL Server service account, for example, CONTOSO\SVC_SQL. By default, SQL Server communication is over port 1433, so the two SPNs for a SQL Server running on a server named SQLSERVER01 would be the following:
MSSQLSvc/sqlserver01:1433
MSSQLSvc/sqlserver01.contoso.com:1433
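The following Python script is an added illustration, not code from the course or from Microsoft. It models the SPN rules from this topic: the SPN a client requests for a URL, the FQDN and NetBIOS pair an app pool account needs, the SQL Server SPNs, the rule that an SPN belongs to only one security principal, the KDC's lookup for a service ticket (including the access denied case for a missing SPN), and an audit check for SPNs mistyped at the setspn prompt. The in-memory directory stands in for Active Directory; the account and host names are the course's sample names or are constructed for this example.

```python
"""SPN rules from this topic, modelled in Python (added example, not course
code).  An in-memory directory stands in for the servicePrincipalName
attributes in Active Directory; the names are the course's sample names
(CONTOSO\\SP_Service, intranet.contoso.com, sqlserver01) and nothing here
talks to a real domain controller."""
from urllib.parse import urlsplit


def requested_spn(url):
    """The SPN a client asks the KDC for when it opens url: service class
    HTTP (it covers HTTPS too), the host exactly as typed, and the port
    only when it is not 80."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError("URL has no host: %r" % url)
    port = "" if parts.port in (None, 80) else ":%d" % parts.port
    return "HTTP/%s%s" % (parts.hostname, port)


def http_spns(url):
    """The SPNs the app pool account needs for a Web application: the FQDN
    form and the NetBIOS (short-name) form.  When the host has no domain
    suffix the two coincide and only one SPN is returned."""
    fqdn_spn = requested_spn(url)
    service, _, rest = fqdn_spn.partition("/")
    host, _, port = rest.partition(":")
    suffix = ":" + port if port else ""
    short_spn = "%s/%s%s" % (service, host.split(".")[0], suffix)
    return [fqdn_spn] if short_spn == fqdn_spn else [fqdn_spn, short_spn]


def mssql_spns(fqdn, port=1433):
    """SPNs for the SQL Server service account; the port is always present."""
    return ["MSSQLSvc/%s:%d" % (fqdn.split(".")[0], port),
            "MSSQLSvc/%s:%d" % (fqdn, port)]


class SpnDirectory:
    """Stand-in for AD: account -> SPNs, with the rule that an SPN can be
    associated with only one security principal.  Comparisons are
    case-insensitive, as SPN lookups in AD are."""

    def __init__(self):
        self._by_account = {}
        self._owner = {}

    def add(self, account, spn):
        """Like 'setspn -A spn account', but refuses a duplicate SPN."""
        key = spn.lower()
        owner = self._owner.get(key)
        if owner is not None and owner.lower() != account.lower():
            raise ValueError("%s is already on %s" % (spn, owner))
        self._owner[key] = account
        spns = self._by_account.setdefault(account, [])
        if key not in [s.lower() for s in spns]:
            spns.append(spn)

    def spns_of(self, account):
        return list(self._by_account.get(account, []))

    def lookup(self, spn):
        """The KDC's lookup: which account's password will protect the
        session key in the service ticket, or None if the SPN is missing."""
        return self._owner.get(spn.lower())


def service_ticket_owner(directory, url):
    """Outcome of a client's service ticket request for url: the account
    the ticket is keyed to, or LookupError (the client sees access denied)."""
    spn = requested_spn(url)
    owner = directory.lookup(spn)
    if owner is None:
        raise LookupError("no account holds %s: client gets access denied" % spn)
    return owner


def missing_spns(directory, account, url):
    """Audit: which SPNs a Web application needs are absent from account.
    setspn reports no error for a mistyped SPN, so check after registering."""
    have = {s.lower() for s in directory.spns_of(account)}
    return [s for s in http_spns(url) if s.lower() not in have]


if __name__ == "__main__":
    ad = SpnDirectory()
    for spn in http_spns("http://intranet.contoso.com"):   # course's intranet app
        ad.add("CONTOSO\\SP_Service", spn)
    for spn in mssql_spns("sqlserver01.contoso.com"):     # course's SQL Server
        ad.add("CONTOSO\\SVC_SQL", spn)
    ad.add("CONTOSO\\SP_Service", "HTTP/intarnet.contoso.com:9999")  # constructed typo
    print(service_ticket_owner(ad, "http://intranet"))
    print(missing_spns(ad, "CONTOSO\\SP_Service", "http://intranet.contoso.com:9999"))
```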
Additional Reading
Plan for Kerberos Authentication (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197059&clcid=0x409
Kerberos (Windows Server 2008 and Windows Server 2008 R2 Technical Library) at http://go.microsoft.com/fwlink/?LinkID=197060&clcid=0x409
Kerberos Authentication Technical Reference (Windows Security Collection) at http://go.microsoft.com/fwlink/?LinkID=197061&clcid=0x409
Windows Authentication at http://go.microsoft.com/fwlink/?LinkID=197062&clcid=0x409
Kerberos Explained at http://go.microsoft.com/fwlink/?LinkID=197063&clcid=0x409
How to use SPNs when you configure Web applications that are hosted on Internet Information Services at http://go.microsoft.com/fwlink/?LinkID=197065&clcid=0x409
SETSPN at http://go.microsoft.com/fwlink/?LinkID=198479&clcid=0x409
Although NTLM and Negotiate (Kerberos or NTLM) are the most commonly used authentication methods, classic-mode and Windows authentication also support the anonymous, basic, digest, and client certificate authentication methods.
Anonymous
You can enable anonymous authentication on either the Create New Web Application or Edit Authentication pages. Anonymous authentication does not provide anonymous users with permission to view content within a Web application. Anonymous access must be granted at the securable object level. You can grant anonymous users permission to an entire site or to specific lists and libraries.
Basic
Because basic authentication relies on the exchange of plaintext, unencrypted credentials, if you choose to use basic authentication it is recommended that you enable Secure Sockets Layer (SSL) encryption to provide a secure implementation.
Digest
User credentials are sent as an MD5 message digest in which the original user name and password cannot be deciphered. Digest authentication uses a challenge/response protocol that requires the authentication requestor to present valid credentials in response to a challenge from the server. To authenticate against the server, the client has to supply an MD5 message digest in a response that contains a shared secret password string. Digest authentication for SharePoint is not particularly common. To implement digest authentication, you must:
1. Select Windows authentication in Central Administration.
2. Configure the IIS Web site for digest authentication.
Client Certificates
Client certificates are issued by a Certificate Authority (CA), and they must conform to the Public Key Infrastructure (PKI). To implement client certificate authentication, you must:
1. Select Windows authentication in Central Administration.
2. Configure the IIS Web site for certificate authentication.
3. Enable SSL.
4. Obtain and configure certificates from a CA.
Secure Store Service, or SSS, is the replacement for Microsoft Single Sign-On (SSO). An important point: SSO and SSS are enterprise single sign-on solutions, which means that they only store user names and passwords. It is not the responsibility of the SSS to perform any logon itself. An application must make a call to SSS, and based on the application or service that makes the call, a set of credentials is returned. The new SSS has improved APIs and more integration across the SharePoint farm through various service applications. BCS, Excel Services, and PerformancePoint are examples of this. They require credentials for users that execute reports when those users do not explicitly have access to the underlying data sources.
Do not store the backup media for the encryption key in the same location as the backup media for the Secure Store database. If a user obtains a copy of both the database and the key, the credentials stored in the database could be compromised.
Application IDs
Each Secure Store Service entry contains an application ID that is used to retrieve a set of credentials from the Secure Store database. Each application ID can have permissions applied so that only specific users or groups can access the credentials that are stored for the application ID. Applications use application IDs to retrieve credentials from the Secure Store database on behalf of a user. The application can then use the retrieved credentials to access a data source. Application IDs map your users' IDs to credential sets. Mappings are available for groups or individuals. In a group mapping, every user that is a member of a specific domain group is mapped to the same set of credentials. In an individual mapping, each individual user is mapped to a unique set of credentials.
Secure Store Service Mappings
The Secure Store Service supports individual mappings and group mappings. The Secure Store Service maintains a set of credentials for the application IDs of resources stored in the Secure Store database. The application ID retrieves individual credentials. Individual mappings are useful when you need logging information about individual user access to shared resources. For group mappings, a security layer checks group credentials for multiple domain users against a single set of credentials for a resource identified by an application ID that is stored in the Secure Store database. Group mappings are easier to maintain than individual mappings and can provide improved performance.
Secure Store Service and Claims Authentication
The Secure Store Service is a claims-aware service. It can accept security tokens and decrypt them to get the application ID, and then perform a lookup. When a SharePoint Server 2010 Security Token Service (STS) issues a security token in response to an authentication request, the Secure Store Service decrypts the token and reads the application ID value.
The Secure Store Service uses the application ID to retrieve credentials from the Secure Store database. The credentials are then used to authorize access to resources.
Lesson 2
Federated authentication provides a unified approach to combining credentials from a heterogeneous environment where multiple methods for authentication exist and different authentication databases play a role. While this lesson does not focus on setting a standard, it does cover the process of unifying an enterprise and giving access to the SharePoint Server resource.
Objectives
After completing this lesson, you will be able to:
- Describe federated identity.
- Describe Active Directory Federated Services (ADFS).
- Describe how claims authentication works.
- Understand the federated sign-in process.
- Describe SharePoint identity normalization.
- List the forms-based authentication changes.
- Compare claims with the Windows token service.
Key Points
Federated identity allows you to use credentials hosted in select external authentication systems. This results in lower costs from not having to manage your own authentication provider. In addition, usability increases because users have only one user name and password that they can use with any application. There are many large identity providers in the world; for example, the largest are Windows Live ID and OpenID. In most cases, your users are not located in a single authentication system, which means you must set up a gateway that maps each of those external users into a single integration point for your own applications to use. This is an alternative to implementing your own gateway in each of your applications. When we talk about federating these attributes, we call them claims. Since the authentication system is external, these claims are not known to contain valid facts about the users until further verified.
Claims Providers
Claims providers are the entities that do all the work. They implement the WS-* standards and provide the claims back to the calling clients (in this case, SharePoint). Keep in mind that a system can be a consumer and a provider at the same time. SharePoint implements its own claims provider for forms-based identity in 2010. Claims providers perform the following tasks:
- Augmentation of claims
- Add application-specific claims
- Authorize over the claims
- Search and resolve
- Enumerate and select claims
- Use the claims in SharePoint applications
Federated identity uses the following three industry standard specifications:
- WS-Federation 1.1. Provides the architecture for a clean separation between trust mechanisms, security token formats, and the protocols for obtaining tokens.
- WS-Trust 1.4. Requests and receives security tokens.
- SAML Token 1.1. An XML vocabulary that represents claims in an interoperable way.
Key Points
ADFS is a platform for integrating external authentication stores and trusting them with federated authentication. This means that instead of creating a user name and password database for external users or creating a new domain, you can simply point to an external authentication store and allow users to continue to use their own user name and password. As part of any authentication system, users have attributes. ADFS implements industry standards of the WS-* stack which means that it can integrate with any authentication system in the world that implements these global standards. ADFS has a simple to use interface that allows you to build rules around the target systems and the claims that will be trusted. You can build rules to use these claims and allow or disallow requests based on claims information.
Key Points
When authenticating to an external system, a token is generated that contains the information about the user. This token can be used by the target application to make decisions about what you will let the user do in the system. A key element of a claims-based system is trust. An external system can claim many things about a user, but you have to determine whether your systems trust what that external system claims about that user. Advanced claims-based authentication systems may pull claims from more than one system and aggregate them together to make an authorization decision. The following describes the federated sign-in process for a user to perform an action that requires authentication:
- As a user, you request access to the SharePoint site you are interested in visiting.
- You are then redirected to the Identity Provider (IP), and after that the external Secure Token Service (STS) generates the requested token.
- You are given a token, which is then forwarded to the application (in this case, SharePoint).
- SharePoint uses the token to authorize you for the actions requested.
For example, most Microsoft sites require you to have a Live ID to log in. When you click login on the Microsoft site, it redirects you to Live ID, where Live ID lets you log on. You are then redirected to the application with claims data in the form of a token. The site then uses that token to allow you to access its resources.
In SharePoint 2010, at logon, all identities are converted to ClaimsIdentities. These claims identities are then translated to the SPUser. That is what happens behind the scenes, but we see it represented by an identity (or user name claim) and it being translated to a valid and recognized (therefore validating the claim) SharePoint user.
Key Points
Forms-based authentication has changed in SharePoint Server 2010. It is no longer based on ASP.NET Generic Identities; instead, a claims identity is created. This is accomplished by the SecurityToken.svc service and a custom Microsoft Identity Framework Token Service Host Factory. You must also enable your forms membership and role providers in this SecurityToken service, or your Web application will not be able to use forms-based authentication.
Forms-based authentication is an identity management system that uses the ASP.NET membership and role provider authentication. In SharePoint Server 2010, FBA is only available when you use claims-based authentication. FBA is used for authentication purposes. The process accounts that connect to Microsoft SQL Server database software and run the farm must be Windows accounts, even when using alternative methods of authentication to authenticate users. SharePoint Server 2010 supports SQL Server authentication and local computer process accounts for farms that are not running Active Directory Domain Services. For example, you can implement local accounts by using identical user names and passwords across all servers within a farm.
To use FBA to authenticate users against an identity management system that is not based on Windows, or that is external, you must register the custom membership provider in the Web.config file. In addition to registering a membership provider, you can register a role manager. SharePoint Server 2010 uses the standard ASP.NET role manager interface to gather group information about the current user. Each ASP.NET role is treated as a domain group by the authorization process in SharePoint Server 2010. You register role managers in the Web.config file the same way you register membership providers for authentication.
When you want to manage membership users or roles from the Central Administration site, you can register the membership provider and the role manager in the Web.config file for the Central Administration site. You would do this in addition to registering those membership users in the Web.config file for the Web application that hosts the content. Ensure that the membership provider name and role manager name that you registered in the Web.config file are the same as the names that you entered in Central Administration. If you do not enter the role manager in the Web.config file, the default provider specified in the Machine.config file might be used instead. For example, the following string in a Web.config file specifies a SQL membership provider: <membership defaultProvider="AspNetSqlMembershipProvider">.
Integrating with FBA places additional requirements on the authentication provider. In addition to registering the various elements in the Web.config file, the membership provider, role manager, and HTTP module must be programmed to interact with SharePoint Server 2010 and ASP.NET methods.
Key Points
Since SharePoint uses claims identities, SharePoint must convert that identity to the corresponding NT token in order for a user to access Windows-only authenticated resources. In SharePoint 2010, the Claims to Windows Token Service (C2WTS) is responsible for converting the claims identity to the NT token. C2WTS is a Windows service that monitors requests and then creates the mappings and the NT token. If this service is not running, then calls to Windows authenticated resources will not succeed.
Scenario
The Client Services department at Contoso, Ltd. has asked you to establish a SharePoint site with which employees and clients can collaborate. Your organizational IT Policy states that only employees shall have an Active Directory account. Therefore, you must configure a custom authentication mechanism using forms based authentication, so that user accounts for clients can be maintained in a separate database.
Accept all of the defaults in the ASP.NET SQL Server Setup Wizard.
Ignore the error message that indicates the membership provider name specified is invalid. Type the following command.
$status
Ignore the error message that indicates the membership provider name specified is invalid. Type the following command.
$status
Verify that the last message you see is Success. Close SharePoint 2010 Management Shell.
Task 1: Create a Web application that uses both Windows and forms-based authentication.
In Central Administration, click the Manage web applications link and create a new Web application with the following settings:
Authentication: Claims Based Authentication
Port: 80
Host Header: clients.contoso.com
Claims Authentication Types: Integrated Windows Authentication (NTLM) and Forms Based Authentication
ASP.NET Membership provider name: AspNetSqlMembershipProvider
ASP.NET Role manager name: AspNetSqlRoleProvider
Application Pool: SharePoint 80 (CONTOSO\SP_ServiceApps)
Database name: WSS_Content_Clients
Create a site collection in the new Web application with the following settings:
Title: CONTOSO Client Portal
Template Selection: Publishing Portal
Primary Site Collection Administrator: CONTOSO\SP_Admin
Secondary Site Collection Administrator: SiteAdministrator
Task 2: Add a DNS host record for the new Web application.
Start DNS Manager using the Run as different user option. Enter the user name, CONTOSO\Administrator, and the password, Pa$$w0rd. In the contoso.com forward lookup zone, create a new host record named clients with the address 10.0.0.21. Close DNS Manager.
Results: After completing this exercise, you should have created a Web application that is accessible both by employees, using Windows authentication, and by clients, using forms-based authentication.
Scenario
Information workers at Contoso, Ltd. have started using the new intranet portal site and would like to start using SharePoint Designer 2010 to add Business Connectivity Services applications to pages. Organizational IT policy states that under no circumstances shall credentials be stored in an unencrypted manner in applications. Because of this policy, users will not be allowed to embed credentials in the ASP.NET pages. You have been tasked with configuring Secure Store Service to facilitate the authentication for these information workers.
Target Application ID: ExcelUnattendedSA
Display Name: Excel Unattended Service Account
Contact E-mail: sharepoint@contoso.com
Target Application Type: Group
Target Application Page URL: None
Target Application Administrators: CONTOSO\SP_Admin
Members: Domain Users

Target Application ID: VisioUnattendedSA
Display Name: Visio Unattended Service Account
Contact E-mail: sharepoint@contoso.com
Target Application Type: Group
Target Application Page URL: None
Target Application Administrators: CONTOSO\SP_Admin
Members: Domain Users
Enter the user name, CONTOSO\SP_Visio_USA, and the password, Pa$$w0rd.
Results: After completing this exercise, you should have fully configured the Secure Store Service and created two target applications.
Review Questions
1. What does SPN stand for, and which authentication provider uses SPNs?
2. How would you describe the role of the Secure Store Service?
Securing Content
6-1
Module 6
Securing Content
Contents:
Lesson 1: Administering SharePoint Groups  6-3
Lesson 2: Implementing SharePoint Roles and Role Assignments  6-14
Lesson 3: Securing and Auditing SharePoint Content  6-25
Lab: Configuring Security for SharePoint Content  6-29
Module Overview
Many organizations must store sensitive or confidential information. Microsoft SharePoint 2010 includes a complete set of security features. You can use these features to ensure that users can access the information they need and can modify the data they are responsible for, but cannot view or modify confidential information. The SharePoint 2010 security model is highly flexible and adaptable to your organization's needs. In this module, you explore the objects you can use to authorize users in SharePoint 2010, including users, groups, permissions, and roles. You also experience the integration with Active Directory Domain Services (AD DS) users and groups, and set up and test an authorization scheme.
Objectives
After completing this module, you will be able to:
- Describe how security principals assign permissions in SharePoint 2010 and administer group membership.
- Describe and assign SharePoint Roles to security principals.
- Assign permissions and configure auditing on SharePoint content.
Lesson 1
In SharePoint 2010, you can grant permissions and roles directly to user accounts in AD DS in addition to other identity providers. However, if you have more than a small number of users, or if you plan to have more users in the future, you should organize users into groups and grant those permissions and roles to the groups. By using groups, you can manage large numbers of users in single operations and help to ensure that permissions oversights do not occur. In this lesson, you learn about SharePoint groups and AD DS groups, how they integrate together, and how you should use them to organize your user accounts for authorization.
After completing this lesson, you will be able to:
- Describe the SharePoint 2010 security model.
- Implement security by using default groups.
- Administer SharePoint custom groups.
- Compare SharePoint groups with AD DS groups.
- Implement security with AD DS groups.
- Understand how to use SharePoint administrative groups.
In SharePoint 2010, there is a flexible model for organizing users and authorizing them to access content. This consists of security principals, permission levels, and securable objects such as lists or libraries.
Security Principals
A security principal is an object to which you can assign permissions. You can organize user accounts into groups to ease administration. For example, if you place all Sales staff into a single group, you can authorize them all to access the Sales Team Site in a single operation by assigning permissions to the group. Furthermore, when a new member of staff starts work you do not need to assign that user permission individually. By placing the new member in the Sales group, you implicitly grant the user permission to the Sales Team Site and all the other resources to which you have granted the Sales group permission. By grouping users in this way, you can significantly reduce administrative overhead. In SharePoint 2010, you can create SharePoint groups to assign permissions and permission levels. Alternatively, you may use AD DS groups that you already have to secure access to computers and Microsoft Windows resources.
A permission level is a combination of permissions that grants a range of operations that are commonly required. For example:
- The Read permission level includes the View Items and Open Items permissions but not the Edit Items permission.
- The Full Control permission level includes all the permissions.
You can use the five permission levels included with SharePoint 2010 or create your own by assembling a combination of permissions.
Securable Objects
A securable object is an object in the SharePoint hierarchy on which you can assign permission levels for a user account or group. These include the following:
- Sites
- Lists
- Libraries
- Folders
- Documents
- Items
You can assign permission levels at a very granular level, right down to single items, but consider that many permissions granted at low levels can make access confusing for users and difficult to administer and troubleshoot. Instead, place items with similar sensitivity in lists or libraries and assign permission levels on the list or library.
SharePoint 2010 creates some SharePoint groups by default whenever you create a new site. In many cases, these default groups may satisfy all your authorization requirements and render custom groups unnecessary. Before you plan to create extra groups, understand the membership and permission levels applied to the default groups.
- Restricted Readers. Members can read items in certain parts of the site and have limited access to specific lists.
- Style Resource Readers. Members can read only master pages and the style library.
When default groups are not sufficient for your needs, you can choose to create custom SharePoint groups. You should consider custom groups in the following situations:
- When you have more user roles in your site than you can model with the default groups.
- When you want to use names different from the default groups. For example, in your organization those people who design sites may be referred to as Interface Managers or some other name. In this case, rename the Designers group to Interface Managers.
- When you want to preserve a one-to-one relationship between SharePoint groups and AD DS groups.
AD DS has a rich and flexible set of features for grouping users, and in SharePoint, you can assign permissions and permission levels directly to AD DS groups. However, this approach limits some SharePoint capabilities. This topic compares AD DS and SharePoint groups to help you understand when to use each.
AD DS Groups
AD DS groups are managed outside SharePoint. Therefore:
- You must use Active Directory Users and Computers to set up membership; this tool is designed for technically able IT personnel, and other users may not find it easy.
- SharePoint cannot provision group membership. For example, the members of the Site Managers group cannot assign members to the Site Members group if it is stored in AD DS.
- You centrally manage AD DS groups. If you want only one set of groups for all systems in your organization, place them in AD DS.
SharePoint Groups
By contrast, the following points are true of SharePoint groups:
• SharePoint has a membership user interface for SharePoint groups that is easy for nontechnical authors to use and appears in the relevant site.
• SharePoint can provision group membership. For example, a workflow can add a member to a SharePoint group.
• You can view SharePoint groups and users for a site in a single Web page.
• You can use SharePoint groups only in SharePoint.
You can choose from several approaches for using groups in SharePoint.
Disadvantages
• SharePoint administrators cannot see the individual members of a group in the SharePoint user interface (UI). They must trust AD DS administrators to assign membership correctly.
• Sites to which you grant the group access do not automatically appear in My Sites. However, the user can manually add them.
• The User Information List does not show individual users until they have contributed to the site.
• AD DS groups with deep nesting or contacts as members can cause issues in SharePoint.
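The first disadvantage above is the one that bites during an access review: a site can look well controlled in the UI while an AD DS group hides the real membership. The following script, an added example that is not part of the course, lists every principal with a role assignment on a site and flags the AD DS groups whose members must be verified in Active Directory Users and Computers. It assumes the SharePoint 2010 Management Shell; the site URL http://intranet is hypothetical.

```powershell
# Added example (not course code). Report who has access to a site and flag AD DS groups,
# whose membership SharePoint cannot show. Assumes the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PrincipalKind($principal) {
    # SPUser.IsDomainGroup is true when the "user" is really an AD DS group.
    if ($principal.IsDomainGroup) { return "AD DS group (members not visible in SharePoint)" }
    return "user"
}

function Get-SiteAccessReport([string]$Url) {
    $web = Get-SPWeb $Url
    try {
        foreach ($ra in $web.RoleAssignments) {
            $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
            if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
                # SharePoint group: membership is visible and manageable in the site itself,
                # but a member of the group may itself be an AD DS group.
                foreach ($u in $ra.Member.Users) {
                    New-Object PSObject -Property @{
                        Principal = $u.LoginName; Kind = (Get-PrincipalKind $u)
                        Via = $ra.Member.Name; PermissionLevels = $levels }
                }
            } else {
                # Direct assignment to a user or an AD DS group.
                New-Object PSObject -Property @{
                    Principal = $ra.Member.LoginName; Kind = (Get-PrincipalKind $ra.Member)
                    Via = "(direct)"; PermissionLevels = $levels }
            }
        }
    } finally { $web.Dispose() }
}

# Anything reported as an AD DS group must be checked in Active Directory Users and Computers.
Get-SiteAccessReport "http://intranet" |
    Sort-Object Kind, Principal |
    Format-Table Principal, Kind, Via, PermissionLevels -AutoSize
```

The report includes the Limited Access level that SharePoint adds automatically when a principal holds permissions on a child object; rows that show only Limited Access are a hint that fine-grained permissions exist lower in the hierarchy.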
Administrative Groups
SharePoint 2010 also has built-in groups for system administration, and Windows administrators can configure SharePoint settings. Note: In a small or medium-sized company, or in a larger organization with a single administration team, a user may be a member of more than one of the following groups.
You can also add new users or groups to the Site Collection Administrators after the site collection has been created.
Windows Administrators
Members of the local Administrators group on the SharePoint server also take a role in SharePoint administration. A user account can be a direct member of this group, such as the local Administrator account, or inherit membership from an AD DS group, such as the Domain Admins group. Windows Administrators have the following characteristics:
• Can perform all the actions of a SharePoint Farm Administrator.
• Can install new products and applications on the server, such as antivirus packages.
• Can deploy Web Parts and other custom components to the global assembly cache (GAC).
• Can create Web sites, Web applications, and control other Internet Information Services (IIS) settings.
• Can stop and start Windows Services on the SharePoint server.
• Can run Stsadm.exe commands.
Because these rights include deploying code to the GAC and running Stsadm.exe, membership in the local Administrators group on a SharePoint server is equivalent to full control of the farm and should be restricted and audited accordingly.
Lesson 2
SharePoint permission levels are also referred to as roles. Now that you understand how SharePoint uses user accounts, AD DS groups, and SharePoint groups, you can study how to assign permissions and roles to those security principals. After completing this lesson, you will be able to: Plan for and enable anonymous access to SharePoint sites. Assign permissions to lists and libraries. Assign permissions to folders and items. Understand permission inheritance in the SharePoint hierarchy. Assign the Override Checkout permission to appropriate users.
In scenarios with sensitive data, anonymous access presents a security concern. Therefore, it is disabled in SharePoint 2010 by default. However, in many scenarios you need users to be able to access SharePoint Server anonymously. For example, if you host your organization's Internet-facing Web site in SharePoint, most users need anonymous access to the majority of the content. You can authenticate them for access to certain parts of the site if you wish. To enable anonymous access you must make two administrative changes: first allow anonymous authentication on the Web application zone in Central Administration, and then grant anonymous users access on the site (or on individual lists and libraries).
5. Select the level of access you want to grant to anonymous users, and then click OK.
Note: The Anonymous Access button on the ribbon is disabled until you have configured anonymous access in Central Administration.
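The same two changes can be scripted, which is useful when you stand up several front-end servers and want the configuration to be repeatable. The following is an added example, not course code; it assumes the SharePoint 2010 Management Shell, and the URL http://www.contoso.com is hypothetical. It ends with the check a practitioner wants on a public site: that anonymous users hold no write permission.

```powershell
# Added example (not course code). Enables anonymous access in the two steps the topic
# describes: the web application zone first, then the site. URL is hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url  = "http://www.contoso.com"
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

# Change 1 (Central Administration > Authentication Providers): allow anonymous on the zone.
$wa = Get-SPWebApplication $url
$wa.IisSettings[$zone].AllowAnonymous = $true
$wa.Update()
$wa.ProvisionGlobally()   # re-provisions the IIS site on every web front end

# Change 2 (Site Permissions > Anonymous Access): what anonymous users may reach.
# On = entire site; Enabled = only lists and libraries you open individually; Disabled = nothing.
$web = Get-SPWeb $url
$web.AnonymousState = [Microsoft.SharePoint.SPWeb+WebAnonymousState]::On
$web.Update()

# Check: anonymous users must never hold a write permission on a public site.
$write = [Microsoft.SharePoint.SPBasePermissions]::AddListItems -bor
         [Microsoft.SharePoint.SPBasePermissions]::EditListItems -bor
         [Microsoft.SharePoint.SPBasePermissions]::DeleteListItems
if (($web.AnonymousPermMask64 -band $write) -ne 0) {
    throw "Anonymous users have write rights on $url; tighten Site Permissions > Anonymous Access."
}
"Anonymous rights on {0}: {1}" -f $url, $web.AnonymousPermMask64
$web.Dispose()
```

For a list or library that must stay private on an otherwise public site, break inheritance on that list and leave its own anonymous access disabled; the site-level setting does not override a list that has unique permissions.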
In many cases, with careful planning and good use of permissions levels at the site collection level, you can avoid assigning permissions to users at the site, list, or library levels. Such a permissions scheme is easy for users to understand because the level of access they receive is consistent throughout a site collection. It also eases troubleshooting because administrators have a single location where all permissions are assigned. However, in other cases, you may have to assign more granular permissions at the site, list, or library levels.
Site-Level Permissions
When you create a new site, permissions are inherited by default from the parent site; while the site inherits, you cannot assign permissions on the site itself. If you do not wish to use this inheritance model, click More Options in the Create dialog. Then, under User Permissions, click Use Unique Permissions. You can also break inheritance at any subsequent time on the Site Permissions page for a subsite by clicking Stop Inheriting Permissions on the ribbon. When you break permissions inheritance in this way, the initial permissions for the site are a copy of those that would have been inherited from the parent. However, you can now remove these or configure additional permissions.
You can also control permissions at the level of individual items, documents, and folders.
Inheritance
Permissions on items, documents, and folders are inherited from the parent by default. You should maintain inheritance whenever possible as a best practice for the following reasons:
• Users can easily understand their level of access because it is consistent throughout the site.
• You can manage permissions more easily because they are set at a single level in the hierarchy.
• You can maximize performance because multiple levels of permissions need not be evaluated.
However, when required, you can break inheritance on folders and items. If you break inheritance, you can remove inherited permissions and configure additional permissions to create an entirely independent level of access. Subsequently, you can reestablish inheritance if your requirements change.
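The following added example (not course code) walks through the item-level case described above: break inheritance on one document, remove the copied assignments, grant a single group Read, list the result, and show the call that reinstates inheritance. It assumes the SharePoint 2010 Management Shell; the site URL, the document path and the HR Reviewers group are hypothetical.

```powershell
# Added example (not course code). Give one document its own permissions.
# URL, file and group name are hypothetical; the group must already exist.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web  = Get-SPWeb "http://intranet"
$item = $web.GetFile("Shared Documents/Salary Review.docx").Item

if (-not $item.HasUniqueRoleAssignments) {
    # $true copies the parent's assignments first, so nobody loses access mid-change.
    $item.BreakRoleInheritance($true)
}

# Remove every copied assignment. Enumerate a snapshot; removing while enumerating fails.
$copied = @($item.RoleAssignments)
foreach ($ra in $copied) { $item.RoleAssignments.Remove($ra.Member) }

# Grant the restricted group Read only.
$group = $web.SiteGroups["HR Reviewers"]
$ra = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
$ra.RoleDefinitionBindings.Add($web.RoleDefinitions["Read"])
$item.RoleAssignments.Add($ra)

# Check: who can reach the item now, and with which level.
foreach ($ra in $item.RoleAssignments) {
    "{0}: {1}" -f $ra.Member.Name, (($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", ")
}

# When the requirement goes away, one call restores inheritance from the parent:
# $item.ResetRoleInheritance()
$web.Dispose()
```

Note that a site collection administrator, and any Web application policy, still reaches the item; breaking inheritance limits ordinary permission levels only.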
A Web Part on an ASPX page can display content from lists that the viewing user is not permitted to open. For this reason, when a site uses fine-grained permissions, the Search service in SharePoint is configured by default not to index the Web Parts on its ASPX pages, so that search results do not reveal that content. If you wish to index them and have considered the security implications fully, you can do so by clicking Site Settings, Search And Offline Availability, and then configuring Indexing ASPX Page Content.
Permission Levels
SharePoint 2010 eases the administration of authorization by providing permission levels. You can define permission levels at the site collection level. Each permission level consists of a set of individual permissions that apply to items, sites, and other objects. These permissions are inherited by objects in the site collection. When users access SharePoint resources, the permissions they receive are determined by the permission level assigned to their user account or groups.
Some permission levels, such as Read and Full Control, exist by default in every site collection. Other default permission levels are added by certain site templates. For example, when you create a site using the publishing template, the Approve and Manage Hierarchy permission levels are added. The Read permission level, for example, consists of the following permissions:
List Permissions
• View Items
• Open Items
• View Versions
• Create Alerts
• View Application Pages
Site Permissions
• View Pages
• Browse User Information
• Use Remote Interfaces
• Use Client Integration Features
• Open
It is a recommended best practice to define permission levels and allow inheritance to determine access to resources instead of applying permissions at lower levels. By using permission levels in this way you ensure that the following occur:
• Administrators can troubleshoot permissions rapidly without having to investigate permissions at multiple levels.
• Users understand their level of access because it is consistent throughout sites.
• Performance is maximized because multiple levels of permissions need not be evaluated for every access.
In SharePoint sites that require check out, users must check out documents and other items before they can make changes. While the document is checked out, other users cannot make changes; this ensures that proper version control is maintained so that no two users can simultaneously make changes to the same document, thereby overriding one another's edits. Sometimes, however, a user forgets to check a document back in. If this happens, other users cannot be productive until the check-out is removed. To prevent productivity barriers like this, you should ensure that a small number of trusted users hold the Override Check Out permission.
content the team develops. Therefore, consider who has this permission carefully whenever version control is in place. You should ensure that you do the following:
• Grant the powerful Override Check Out permission to only a restricted set of users.
• Explain the implications of overriding check-out to those users and provide guidance on how to use this feature.
• Ensure that there is always at least one person available to override check-outs.
You should consider creating a new permission level that includes only the Override Check Out permission so that you can carefully manage the assignment separately from other permissions. A separate permission also reduces the chance that you accidentally grant Override Check Out to users who should not have it.
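The following added example (not course code) creates the separate permission level suggested above and then answers the question that matters for review: which existing levels already include Override Check Out, and who holds them. Override Check Out is the CancelCheckout flag of SPBasePermissions. It assumes the SharePoint 2010 Management Shell; the site URL and the level name are hypothetical.

```powershell
# Added example (not course code). A permission level that carries only Override Check Out
# plus the three permissions it depends on, and an audit of who already has the right.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$site = Get-SPSite "http://intranet"
$web  = $site.RootWeb        # permission levels live on the top-level site
$cancel = [Microsoft.SharePoint.SPBasePermissions]::CancelCheckout

if (-not ($web.RoleDefinitions | Where-Object { $_.Name -eq "Override Check Out Only" })) {
    $rd = New-Object Microsoft.SharePoint.SPRoleDefinition
    $rd.Name = "Override Check Out Only"
    $rd.Description = "Can discard another user's check-out. Assign sparingly."
    # CancelCheckout depends on View Items, View Pages and Open (the UI selects them for you).
    $rd.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]"CancelCheckout, ViewListItems, ViewPages, Open"
    $web.RoleDefinitions.Add($rd)
}

# Check 1: which permission levels include Override Check Out? (Full Control and Design do by default.)
$levels = $web.RoleDefinitions | Where-Object { ($_.BasePermissions -band $cancel) -eq $cancel }
"Levels granting Override Check Out: " + (($levels | ForEach-Object { $_.Name }) -join ", ")

# Check 2: which principals hold one of those levels on the site?
foreach ($ra in $web.RoleAssignments) {
    $hits = $ra.RoleDefinitionBindings | Where-Object { ($_.BasePermissions -band $cancel) -eq $cancel }
    if ($hits) { "{0} via {1}" -f $ra.Member.Name, (($hits | ForEach-Object { $_.Name }) -join ", ") }
}
$site.Dispose()
```

Run the second check against any library that has unique permissions as well, since a level granted there does not show up on the site's role assignments.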
Lesson 3
SharePoint also provides a range of settings at the Web application level; as a farm administrator, you can use these to impose restrictions on site collection administrators and set policies that govern users, anonymous access, and permissions. You can also set up auditing to record user actions and ensure that you can always determine who made a particular change. After completing this lesson, you will be able to: Set up user policies for a Web application. Manage permissions that are available in a Web application. Configure auditing for a site collection.
In the SharePoint Central Administration site, when you manage a web application, you can set a range of security options. These settings determine, for example, default permission levels that appear in every site collection in the Web application. Farm administrators can use web application security settings to restrict the capabilities of site collection administrators.
User Policy
With user policies, you can grant user accounts or groups permission levels that apply to all site collections in the Web application, including site collections created later. These policies apply regardless of the permissions set at lower levels by site collection administrators: a Full Read or Full Control policy cannot be removed at the site level, and a Deny Write or Deny All policy takes precedence over any permission granted in a site. To configure a user policy, first select the Web application you wish to administer, and then click User Policy. When you add a policy you can select the zone to which it applies. In this way, you can apply a different policy to a user depending on the authentication mechanism the user used to connect.
Anonymous Policy
The anonymous policy for a Web application restricts what anonymous users can do. You can use anonymous policies to deny users Write access or prevent any access at all. As for user policies, you can apply different anonymous policies to users depending on the zone through which they connect.
Permission Policy
In the permission policy for a Web application, you create permission policy levels (Full Control, Full Read, Deny Write, and Deny All exist by default) from the same individual permissions that site collection permission levels use. These policy levels are the ones selectable in the user policy. They are separate from the permission levels defined inside each site collection, which come from the site template and from site collection administrators. Note: Site templates may add extra default permission levels to sites as you create them.
You can also restrict the permissions that are available in all site collections in a Web application (the User Permissions setting). This is an unusual step, but you might find it useful when you need to place a hard boundary on user actions throughout a Web application: a permission removed here cannot be granted by any permission level in any of its site collections.
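The following added example (not course code) applies the three kinds of Web application policy described in this lesson and then removes one permission from the whole Web application. It assumes the SharePoint 2010 Management Shell; the URL and the account names are hypothetical. The Full Read policy is the usual way to meet a requirement like the lab scenario's, where an audit team must be able to read everything on the intranet without depending on site collection administrators.

```powershell
# Added example (not course code). User, anonymous and permission policies on one zone,
# then a Web-application-wide permission restriction. URL and accounts are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa   = Get-SPWebApplication "http://intranet"
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$policies = $wa.ZonePolicies($zone)      # $wa.Policies would apply to every zone

# User policy: Full Read for the auditors, even on site collections created later.
$fullRead = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
$auditors = $policies.Add("CONTOSO\ComplianceAuditors", "Compliance audit team")
$auditors.PolicyRoleBindings.Add($fullRead)

# A Deny policy wins over any permission granted inside a site collection.
$denyAll = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyAll)
$blocked = $policies.Add("CONTOSO\FormerContractors", "Blocked pending off-boarding")
$blocked.PolicyRoleBindings.Add($denyAll)

# Anonymous policy for this zone: read only, whatever individual sites allow.
$policies.AnonymousPolicy = [Microsoft.SharePoint.Administration.SPAnonymousPolicy]::DenyWrite

# Permission policy: a custom policy level that later user policies can select.
$custom = $wa.PolicyRoles.Add("Deny Delete", "Keeps whatever is granted elsewhere, but never delete")
$custom.DenyRightsMask = [Microsoft.SharePoint.SPBasePermissions]"DeleteListItems, DeleteVersions"

# User Permissions for the Web application: nobody can create subsites, in any site collection,
# whatever permission level they hold. Guarded so the bit is only ever cleared.
$sub = [Microsoft.SharePoint.SPBasePermissions]::ManageSubwebs
if (($wa.RightsMask -band $sub) -eq $sub) { $wa.RightsMask = $wa.RightsMask -bxor $sub }
$wa.Update()

# Check: effective policies on the zone.
foreach ($p in $policies) {
    "{0}: {1}" -f $p.UserName, (($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", ")
}
"Anonymous policy: " + $policies.AnonymousPolicy
```

Because a user policy bypasses everything a site collection administrator can see, keep the list short and review it with the same care as the Farm Administrators group.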
Configuring Auditing
You can use auditing to create a record of the actions of users. Use this record to examine who is doing what in your SharePoint farm. By examining audit reports regularly, you can be confident that permissions are appropriate, users are viewing information appropriate to their role, and sensitive documents are not being seen by unauthorized personnel. Auditing is thus essential for good security.
With the Audit Log Trimming settings, you can ensure that audit logs are stored for a limited time and so do not consume large amounts of disk space. Specify the number of days to keep audit logs and a location to store audit log reports.
A large range of audit reports is available to display different events in your site collection, and you can also create custom reports. Only site collection administrators can view audit reports.
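The following added example (not course code) turns on auditing for a site collection, queries the last seven days of View events so you can see who read what, and trims entries older than 90 days, which is what the Audit Log Trimming setting does on a schedule. It assumes the SharePoint 2010 Management Shell; the site URL is hypothetical.

```powershell
# Added example (not course code). Enable auditing, query recent View events, trim old entries.
# Site URL is hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$site  = Get-SPSite "http://intranet"
$audit = $site.Audit

# Record reads, changes, deletions, check-in/out and permission changes.
$audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]"View, Update, Delete, CheckIn, CheckOut, SecurityChange"
$audit.Update()

# Who viewed what in the last 7 days? Restricting the query keeps the result manageable.
$query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
$query.SetRangeStart([DateTime]::UtcNow.AddDays(-7))
$query.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]::View)

$web = $site.RootWeb
foreach ($e in $audit.GetEntries($query)) {
    $who = "user #" + $e.UserId
    try { $who = $web.SiteUsers.GetByID($e.UserId).LoginName } catch { }   # user may have been removed
    "{0:u} {1} {2} {3}" -f $e.Occurred, $e.Event, $who, $e.DocLocation
}

# Keep the log bounded: drop everything older than 90 days.
$audit.TrimAuditLog([DateTime]::UtcNow.AddDays(-90))
$site.Dispose()
```

View auditing is the most voluminous flag; enable it only on site collections that hold sensitive documents, and make sure trimming is configured before the audit table in the content database grows unbounded.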
Scenario
You have created an intranet on a new SharePoint 2010 farm at Contoso, Ltd. You have been tasked with helping set up users, groups, and permissions on the intranet until governance and training are in place, at which point permission management will be delegated to site collection administrators. Additionally, you must configure SharePoint to support the business requirement that the internal security and compliance audit team has the ability to access all information stored on the intranet.
Task 5: Create a new group and assign it the Design permission level.
Sign in to the site as CONTOSO\SP_Admin with the password Pa$$w0rd. Create a new group named Information Technology Dept Designers, and give it the Design permission level. Configure the group's description to read as follows: Use this group to grant people Design permissions to the SharePoint site: Information Technology Dept. Results: After this exercise, you should have added users to the Members and Visitors groups and created a new SharePoint group.
Task 1: Create a custom permission level to allow viewing Web analytics reports.
Create a custom permission level named View Usage with the description Can see only usage data about this site. Assign the View Web Analytics Data permission. Additional permissions will be selected automatically. Create a group named Usage Monitors with the description Use this group to grant people permission to view Web Analytics data for the SharePoint site: Information Technology Dept. Assign the group the View Usage permission level. Add the user, CONTOSO\LolaJ to the group.
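The two lab tasks above (the Designers group in Task 5 of the first exercise, and the View Usage level with its Usage Monitors group here) can be completed from the SharePoint 2010 Management Shell. The following is an added example, not course code; group names, descriptions and the user CONTOSO\LolaJ match the lab text, while the site URL http://intranet is hypothetical.

```powershell
# Added example (not course code). Groups, a custom permission level and a membership,
# as in the lab tasks. Site URL is hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$site  = Get-SPSite "http://intranet"
$web   = $site.RootWeb
$owner = $web.EnsureUser("CONTOSO\SP_Admin")

function New-GroupWithLevel([string]$Name, [string]$Description, [string]$LevelName) {
    $existing = $web.SiteGroups | Where-Object { $_.Name -eq $Name }
    if ($existing) { return $existing }
    $web.SiteGroups.Add($Name, $owner, $null, $Description)
    $group = $web.SiteGroups[$Name]
    # A group has no rights until a role assignment binds it to a permission level.
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $ra.RoleDefinitionBindings.Add($web.RoleDefinitions[$LevelName])
    $web.RoleAssignments.Add($ra)
    return $group
}

# Exercise 1, Task 5
New-GroupWithLevel "Information Technology Dept Designers" `
    "Use this group to grant people Design permissions to the SharePoint site: Information Technology Dept." `
    "Design" | Out-Null

# Exercise 2, Task 1: View Web Analytics Data is ViewUsageData; the UI also selects
# View Pages and Open for you, so add them explicitly here.
if (-not ($web.RoleDefinitions | Where-Object { $_.Name -eq "View Usage" })) {
    $rd = New-Object Microsoft.SharePoint.SPRoleDefinition
    $rd.Name = "View Usage"
    $rd.Description = "Can see only usage data about this site."
    $rd.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]"ViewUsageData, ViewPages, Open"
    $web.RoleDefinitions.Add($rd)
}
$monitors = New-GroupWithLevel "Usage Monitors" `
    "Use this group to grant people permission to view Web Analytics data for the SharePoint site: Information Technology Dept." `
    "View Usage"
$monitors.AddUser($web.EnsureUser("CONTOSO\LolaJ"))

# Check: the group holds exactly one level and LolaJ is a member.
"Usage Monitors members: " + (($monitors.Users | ForEach-Object { $_.LoginName }) -join ", ")
$site.Dispose()
```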
Review Questions
1. What differences exist between the available permissions and the behavior of inheritance in SharePoint in contrast to a folder on an NTFS volume?
2. Describe scenarios, other than auditing, in which a Web application policy would be useful.
Module 7
Managing SharePoint Customizations
Contents:
Lesson 1: Customizing Microsoft SharePoint 7-3
Lesson 2: Deploying and Managing Features and Solutions 7-11
Lesson 3: Configuring Sandboxed Solutions 7-20
Lab A: Administering Features and Solutions 7-26
Lab B: Administering Sandboxed Solutions 7-30
Module Overview
Microsoft SharePoint 2010 provides a number of facilities to support customization by a variety of users; these rich capabilities encompass both the simple and the complex. For example, a user can apply a new theme to her own My Site, or a developer can create a custom solution, built on SharePoint, that includes custom Web Parts, forms, workflows, timer jobs, and Microsoft Silverlight applications. This model makes SharePoint extremely flexible but, importantly, it also includes features to retain control of server resources and to ensure stability and flexibility. In this module, you learn how to make customizations and control customizations made by both users and developers.
Objectives
After completing this module, you will be able to: Customize SharePoint installations to suit your organizational needs. Deploy and manage SharePoint features and solutions. Configure sandboxed solutions.
Lesson 1
You can use several different tools to customize SharePoint to meet your requirements. For example, in the browser you can apply themes and add Web Parts to pages. To make more extensive changes, you may need to use Microsoft SharePoint Designer 2010. For advanced customization, developers commonly use Microsoft Visual Studio 2010, which includes advanced integration with the SharePoint platform. As a SharePoint administrator, you should understand the changes developers can make so you can ensure the SharePoint farm remains stable and secure when it runs custom code. After completing this lesson, you will be able to: Describe the different methods available for SharePoint 2010 customization. Customize SharePoint pages in the browser. Use SharePoint Designer 2010 to make custom changes to a SharePoint site. Describe customizations that developers can make with code.
Some SharePoint customizations are quick and easy to use and make simple changes; you can make these changes in the browser. Others require extensive expertise but are very powerful; you need specialist tools to make these changes. Note: The customizations that each user can complete are restricted by their permissions and permission levels. For example, contributors cannot, by default, choose or modify master pages.
requires no custom code or .NET Framework knowledge; in other words, you need not be a developer to use SharePoint Designer. In SharePoint Designer, you can complete all the customizations that are possible in the browser. In addition, you can:
• Create new master pages.
• Create new forms or customize default forms.
• Create new workflows to manage business processes.
• Make connections to external databases or systems to integrate them with SharePoint. These are Business Connectivity Services (BCS) connections.
You can begin customizing a SharePoint site in the browser user interface you already use to access SharePoint.
Browser Customizations
In the browser interface, the customizations you can make include the following:
• Change the site theme. A theme applies a set of colors and fonts to a site. In addition, you can upload a theme from a Microsoft Office PowerPoint slide deck and use it as a SharePoint theme. This is a simple way to apply corporate colors and fonts to a SharePoint site.
• Change the master page. A master page is an ASP.NET Web page with a set of common controls and other common features. For example, in SharePoint, the Quick Launch control is part of the master page. SharePoint includes several master pages and your organization can create more by using SharePoint Designer or Visual Studio. In the browser, you can choose the master page from the existing list but you cannot create new master pages.
• Add lists and libraries. You can choose from various types of lists and libraries, such as calendars and asset libraries.
• Add content types. A content type describes a new kind of item or document.
• Edit text. For example, users can edit the "Wake Up Call Service Control" text in the slide screenshot.
• Add images. You can insert images to illustrate a point or enliven the page.
• Add rich graphs. You can visualize data by using the Chart Web Part.
SharePoint Designer
Microsoft SharePoint Designer 2010 is designed to enable advanced customization in SharePoint sites and farms. Power users, administrators, and developers use SharePoint Designer to create and configure sites, modify their look-and-feel, create lists and libraries, assign permissions, and so forth. You can use all the features of SharePoint Designer without writing any .NET code.
Microsoft Visual Studio 2010 provides the greatest array of possibilities for customizing SharePoint 2010. In many cases, where a customization cannot be completed in SharePoint Designer, you may need to work with a developer who uses Visual Studio.
Use Visual Studio for any solution that requires custom compiled code.
When a custom code project is complete, you must deploy it to the production SharePoint farm that you administer. Developers should be encouraged to package their customizations into SharePoint features or solution packages for ease of deployment and management. Administrators must therefore install these features or solution packages into the production farm and activate them. At that point, the custom functionality becomes available for users. These administration tasks are described in Lesson 2.
Lesson 2
A SharePoint feature is a set of functionality that administrators can activate or deactivate at any time. SharePoint includes many features out of the box and developers can add more by creating them in Visual Studio. Multiple features can be packaged with other components, into a solution package. A solution package is a complete set of customizations to SharePoint that can be installed in a single operation, but may make changes across your SharePoint organization. Administrators commonly must install, activate, upgrade, deactivate, and remove features and solution packages, so it is essential to understand these SharePoint objects. After completing this lesson, you will be able to: Describe features and how administrators enable them. Explain the content of features created by developers and third parties. Deploy and activate features in a SharePoint farm. Describe farm solutions and contrast them with features. Add and install farm solutions in a SharePoint farm. Understand the Developer Dashboard and describe the information it presents. Enable the Developer Dashboard.
Features
A SharePoint feature is a set of functionality that an administrator can enable or disable. Features can include many types of objects, for example Web Parts, workflows, and forms. When an administrator enables a feature, all the functionality that is part of it is enabled and becomes available to users.
Feature Scope
A SharePoint feature is installed into one of four possible scopes depending on where its functionality is relevant and who should administer the feature. These include the following:
• Farm scope. These features can include customizations that apply throughout the SharePoint farm across multiple servers, site collections, and Web applications. Farm scope features are enabled and disabled by farm administrators.
• Web application scope. These features can include customizations to all servers that host a Web application. Web application scope features are enabled and disabled by farm administrators.
• Site collection scope. These features can include customizations to a single site collection and its subsites. Site collection scope features are enabled and disabled by site collection administrators.
• Web site scope. These features can include customizations to a single SharePoint site only. Web site scope features are enabled and disabled by site administrators, site collection administrators, and site owners.
Built-In Features
Much of the out of the box SharePoint functionality is encapsulated into features. These features allow you to enable the functionality that you need and disable the functionality that you consider unnecessary.
For example, in the slide, you can see the Content Organizer feature, which is currently enabled. If you don't use the Content Organizer to file content automatically, you can disable this feature in your site. Keep built-in features in mind when troubleshooting SharePoint: if users cannot find a tool or facility in SharePoint that they know is included in the product, it may be because a built-in feature must be enabled.
Custom Features
Custom functionality is usually encapsulated in features. Therefore, the features you see in your SharePoint system depend on the customizations you have installed. Custom features may be created by any of the following: Third parties. If you purchase and install a SharePoint customization, it is likely to add one or more features. These features may appear in different scopes. Your own developers. Developers in your organization usually build their customizations into features. You must install and activate these features to make the custom functionality available to users.
When a developer has created a SharePoint feature to encapsulate the customizations they have programmed, you must install and activate it to make the custom functionality available to users.
Deploying Features
A feature consists of a folder hierarchy. The top folder name is the name of the feature and it contains a file called Feature.xml and other files and folders. To begin deploying your feature, copy this folder to the following location:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\FEATURES
Now that the feature is in the right location, you must install it. To do this you can use Windows PowerShell:
Install-SPFeature -Path "ContosoProjects"
When you have installed the feature, it is visible in the list of features at the correct scope. The scope is determined by the developer when they create the feature.
Activating Features
Although you have installed your feature, its functionality is not available to users until you activate it. You can do this in the browser interface. For example, if the feature is site-scoped:
1. In the site where you want to use the feature, click Site Actions, and then click Site Settings.
2. Click Site Features.
When you have installed and activated a feature, users can begin to employ its custom functionality. Note: If you have multiple web front-end servers in your SharePoint farm, you must install each feature on every web front-end server to ensure its availability. In many cases, you do not install features manually but as part of solution packages, which are described later. To deactivate and remove features, use the corresponding Disable-SPFeature and Uninstall-SPFeature cmdlets, or the Stsadm.exe deactivatefeature and uninstallfeature operations. Note: If a feature is incorporated into a solution package, administrators need not deploy the feature to each web front-end server in the farm. For more information about deploying solution packages, see the topic that follows.
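The following added example (not course code) scripts the install-then-activate sequence above with the SharePoint 2010 cmdlets, reading the scope the developer fixed in Feature.xml before choosing where to activate, and verifying the result instead of assuming it. The feature folder name ContosoProjects comes from the topic; the site URL is hypothetical.

```powershell
# Added example (not course code). Install a feature from the FEATURES folder, activate it at
# the scope its developer chose, verify, and show the reverse steps. Site URL is hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$featureFolder = "ContosoProjects"   # folder under ...\14\TEMPLATE\FEATURES on every front end
$siteUrl = "http://intranet"

# Install registers Feature.xml with the farm; skip if it is already known.
$feature = Get-SPFeature -Identity $featureFolder -ErrorAction SilentlyContinue
if (-not $feature) { $feature = Install-SPFeature -Path $featureFolder }
"Installed {0} (id {1}) with scope {2}" -f $feature.DisplayName, $feature.Id, $feature.Scope

# Activate at the level that matches the scope. Farm-scoped features take no URL;
# the other three use -Url to name the Web application, site collection or site.
if ($feature.Scope -eq "Farm") {
    Enable-SPFeature -Identity $feature.Id
} else {
    Enable-SPFeature -Identity $feature.Id -Url $siteUrl
}

# Check: Get-SPFeature -Site / -Web list only the features active on that object.
$active = $null
if ($feature.Scope -eq "Site") {
    $active = Get-SPFeature -Site $siteUrl | Where-Object { $_.Id -eq $feature.Id }
} elseif ($feature.Scope -eq "Web") {
    $active = Get-SPFeature -Web $siteUrl | Where-Object { $_.Id -eq $feature.Id }
} else {
    $active = $feature
}
if ($active) { "Feature $featureFolder is active." } else { throw "Activation of $featureFolder failed." }

# Removal runs in the opposite order: deactivate, then uninstall the definition.
# Disable-SPFeature -Identity $feature.Id -Url $siteUrl -Confirm:$false
# Uninstall-SPFeature -Identity $feature.Id -Confirm:$false
```

A feature folder copied into the 14 hive is trusted code: anything in it runs with the rights of the application pool, so only deploy folders that came from a known build and keep the FEATURES directory writable by administrators only.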
Farm Solutions
As you have seen, a SharePoint feature is a set of functionality that administrators can enable or disable in a single operation. By contrast, a SharePoint solution package is a set of functionality that administrators can install in a single operation. Solution packages make administration and distribution of SharePoint customizations significantly easier than with features alone.
Package Content
A solution package can contain any number of the following: Features Site Definitions Assemblies Files Updates to Web.config files
Notice, for example, that you could include two features, one with site scope and one with Web application scope, in a single solution package for easy deployment.
Note: When you have multiple web front-end servers, you must install each feature on each one. However, this is not necessary with solution packages. SharePoint automatically installs the contents of your package on all front-end servers. Most third-party SharePoint customizations are distributed as solution packages, not individual features. You do not have to install these features manually, because they install with the solution package, but you might have to activate these features.
You must be a farm administrator to add a solution to a farm and deploy it. If you are a farm administrator, you can use PowerShell or Stsadm.exe for both these operations. You can also use the browser to deploy a solution you have previously added.
Adding Solutions
When you add a solution package, you upload the package to the SharePoint solution store so that it is ready for installation. Use the following command to add a solution in PowerShell.
Add-SPSolution -LiteralPath "c:\custom\contososolution.wsp"
Notice that you do not need to copy the solution package into the SharePoint Templates folder before you add it. Instead, you supply the path to the .wsp file. Use the following command to add a solution in the Stsadm.exe.
Stsadm -o addsolution -filename c:\custom\contososolution.wsp
Installing Solutions
When you deploy a solution, you install all the features and other objects it contains, and the functionality becomes available to users. Once a solution package has been added, you can view and deploy it in the browser. To do this, follow these steps:
1. Start Central Administration.
2. Click System Settings.
3. Click Manage Farm Solutions.
4. Click the solution you wish to deploy and then click Deploy.
Alternatively, you can also deploy a solution by running the following Stsadm.exe command.
Stsadm -o deploysolution -name contososolution.wsp -immediate
The -name value is the package file name as it appears in the solution store. Add -allowgacdeployment when the package contains assemblies for the global assembly cache, and -url when the solution is scoped to a Web application. Deployment runs as a timer job; if it does not complete, run Stsadm -o execadmsvcjobs.
To uninstall and remove a solution package by using Stsadm.exe, run the following commands.
Stsadm -o retractsolution -name contososolution.wsp -immediate
Stsadm -o deletesolution -name contososolution.wsp
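The same lifecycle with the Windows PowerShell cmdlets, as an added example that is not course code: add, deploy, wait for the deployment timer job, confirm the result, and the retract-then-delete pair for removal. The package path matches the topic; the Web application URL is hypothetical. The example reads the package's own properties to decide whether a GAC deployment is needed, because a package that ships assemblies for the GAC runs with full trust on every front end and deserves a look at its manifest before you allow it.

```powershell
# Added example (not course code). Farm solution lifecycle with the SharePoint 2010 cmdlets.
# Web application URL is hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wsp   = "C:\custom\contososolution.wsp"
$waUrl = "http://intranet"

$solution = Add-SPSolution -LiteralPath $wsp
"Added {0}; GAC assemblies: {1}; Web application scoped: {2}" -f `
    $solution.Name, $solution.ContainsGlobalAssembly, $solution.ContainsWebApplicationResource

# Deploy. -WebApplication is only valid for packages with Web application resources;
# -GACDeployment only when the package ships assemblies for the GAC.
$gac = $solution.ContainsGlobalAssembly
if ($solution.ContainsWebApplicationResource) {
    Install-SPSolution -Identity $solution.Name -WebApplication $waUrl -GACDeployment:$gac
} else {
    Install-SPSolution -Identity $solution.Name -GACDeployment:$gac
}

# Deployment is a timer job: poll until it finishes before trusting the Deployed flag.
do {
    Start-Sleep -Seconds 5
    $solution = Get-SPSolution -Identity $solution.Name
} while ($solution.JobExists)

if (-not $solution.Deployed) {
    throw "Deployment of $($solution.Name) failed; check Manage Farm Solutions for the error."
}
"Deployed to: " + (($solution.DeployedWebApplications | ForEach-Object { $_.Url }) -join ", ")

# Removal: retract first, wait for that job too, then delete from the solution store.
# Uninstall-SPSolution -Identity $solution.Name -WebApplication $waUrl -Confirm:$false
# Remove-SPSolution -Identity $solution.Name -Confirm:$false
```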
Lesson 3
Farm solutions, as created by developers in your own organization or by third parties, are powerful and can add rich functionality to your SharePoint farm. However, poorly written or untested solutions can cause problems. They can reduce stability and security and cause interruptions in service. They can consume server resources indiscriminately and reduce server responsiveness. SharePoint 2010 introduces the sandbox as an isolated and controlled environment in which you can run code. Solutions in the sandbox are still powerful but cannot take actions that compromise stability. Administrators can set quotas on sandboxed solutions to eliminate contention and ensure the farm responds quickly. SharePoint users can also create their own sandboxed solutions or install third-party solutions, while administrators remain in control of the farm. After completing this lesson, you will be able to: Describe how the sandbox ensures stability. Configure the user code service application. Configure quotas and points for controlling resource usage.
Sandboxed Solutions
The SharePoint 2010 sandbox is an isolated and restricted environment in which to run solution packages. Solutions in the sandbox cannot affect stability and administrators can set strict quotas on the resources they consume.
When a SharePoint composite is complete, a user can save it as a user solution. This packages the site as a .wsp file and stores it in the Solution Gallery. You can download the .wsp file from the gallery and use it to install the composite application in other site collections or SharePoint farms. This enables users and power users to distribute their custom applications to other parts of your organization.
The sandbox relies on the user code service to provide the restricted environment in which to run solutions. As an administrator, you must understand this service application and configure it in Central Administration.
A key feature of the sandbox is the way it restricts the server resources that each solution can consume in a day. When a solution runs, an algorithm calculates points that reflect the processor time, memory usage, database queries, and other server resources that it uses. Farm administrators set a maximum number of points that each sandboxed solution can consume in a day. Administrators can also tune the algorithm to adapt it more closely to the available resources on their servers.
Setting Quotas
To set quotas for a site collection, take the following steps:
1. In Central Administration, click Application Management, and then click Configure quotas and locks.
2. At the top of the window, select the Site Collection you wish to administer.
3. Under Site Quota Information, specify the Maximum usage per day in points.
4. You can also specify a warning level. Administrators receive an e-mail alert when a solution exceeds this limit.
Points Calculation
SharePoint uses 14 metrics to calculate points. These include the following values:
• CPU Cycles. When the processor uses a predefined number of cycles on the sandboxed solution, a point is logged.
• Percentage Processor Time. When the sandboxed solution uses more than a predefined percentage of the processing time, a point is logged.
• Critical Exception Count. When a predefined number of exceptions occur in a sandboxed solution, a point is logged.
• Thread Count. When the solution exceeds a predefined number of threads in the SPUCWorkerProcess process, a point is logged.
• SharePoint Database Queries. When a solution initiates more than a predefined number of queries to the SharePoint content database, a point is logged.
As you can see, there is a predefined number involved in each metric. The administrator can influence the algorithm by setting these numbers in PowerShell.
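The predefined numbers are the ResourcesPerPoint and AbsoluteLimit properties of the resource measures held by the local user code service. The following script is an added example for the SharePoint 2010 Management Shell, not part of the course material; the site URL and the measure values it sets are constructed for illustration.

```powershell
# Added example: inspect and tune sandboxed-solution resource measures and
# read a site collection's point quota. Requires the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The user code service (the sandbox host) owns the 14 resource measures.
$userCode = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local

# List every measure with its two tunable numbers:
#   ResourcesPerPoint - how much of the resource is charged as one point
#   AbsoluteLimit     - a per-request ceiling that terminates the solution outright
function Get-SandboxResourceMeasures {
    $userCode.ResourceMeasures |
        Select-Object Name, ResourcesPerPoint, AbsoluteLimit |
        Sort-Object Name
}

# Change one measure. Lowering ResourcesPerPoint makes each unit of the resource
# cost more points, so a solution reaches the daily quota sooner.
function Set-SandboxResourceMeasure {
    param(
        [Parameter(Mandatory = $true)][string] $Name,
        [double] $ResourcesPerPoint,
        [double] $AbsoluteLimit
    )
    $measure = $userCode.ResourceMeasures[$Name]
    if ($measure -eq $null) { throw "Unknown resource measure: $Name" }
    if ($PSBoundParameters.ContainsKey('ResourcesPerPoint')) {
        $measure.ResourcesPerPoint = $ResourcesPerPoint
    }
    if ($PSBoundParameters.ContainsKey('AbsoluteLimit')) {
        $measure.AbsoluteLimit = $AbsoluteLimit
    }
    $measure.Update()
}

# Read the daily point quota and warning level set on a site collection.
function Get-SandboxQuota {
    param([Parameter(Mandatory = $true)][string] $SiteUrl)
    $site = Get-SPSite -Identity $SiteUrl
    try {
        New-Object PSObject -Property @{
            Site           = $site.Url
            MaximumPoints  = $site.Quota.UserCodeMaximumLevel
            WarningPoints  = $site.Quota.UserCodeWarningLevel
        }
    } finally {
        $site.Dispose()
    }
}

# Constructed usage: record the current values, then make database queries expensive.
Get-SandboxResourceMeasures | Format-Table -AutoSize
Set-SandboxResourceMeasure -Name 'SharePointDatabaseQueryCount' -ResourcesPerPoint 1
Get-SandboxQuota -SiteUrl 'http://intranet.contoso.com' | Format-List
```

Changes to resource measures take effect for new sandbox worker processes, which is why the lab follows the script with an IIS reset.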
Scenario
You have just installed a new SharePoint 2010 farm at Contoso, Ltd. Several developers would like to test the functionality of features and solutions they created for SharePoint 2007. Corporate IT policy states that only administrators may modify the production environments, so it is your job to install these features and solutions.
Open SharePoint 2010 Central Administration, and then from System Settings open the Manage farm solutions page. Observe that the two solutions are installed, but are not deployed.
Scenario
Developers have started testing their solutions on your SharePoint farm, and some users have complained that the new solutions seem to be causing performance problems. Your manager has tasked you with examining the resource usage of the solutions and with changing the resource point settings of sandboxed solutions for the time being to prevent database queries made by custom solutions from causing problems.
Open the file C:\ResourceMeasures.txt. This file contains a listing of the resource measures that are monitored for sandboxed solutions.
Find the section for SharePointDatabaseQueryCount, and then record the current values of ResourcesPerPoint and AbsoluteLimit. Close the file.
This script sets the ResourcesPerPoint property for SharePointDatabaseQueryCount to 1 and will cause SharePoint database queries to increase the resource usage point count very quickly. Type the following command:
iisreset
IIS restarts and enables the new resource settings. Close Administrator: SharePoint 2010 Management Shell.
In the Web's Solutions Gallery, observe that the BadReceiver solution shows no resource usage. That is because the timer job has not yet calculated resource usage for the solution. If you see resource usage of 2.00, then you were lucky! The timer jobs executed just in time. Skip to Step 6.
Repeat Task 1 of Exercise 2 to run the sandboxed solutions timer jobs. Refresh the view of the IT intranet Web Solutions Gallery. Observe that the resource usage of the solution is increasing more rapidly. If you do not see the updated resource usage, then you may need to wait for up to 5 minutes for the timer jobs to execute.
Question: What was the value of ResourcesPerPoint for SharePointDatabaseQueryCount? Explain the relationship between this number and one resource usage point.
Review Questions
1. You want to create a workflow that models an authoring process in one of your SharePoint sites. The workflow will not contain any custom code. Would you use the browser, SharePoint Designer, or Visual Studio to create this workflow?
2. You want to connect your SharePoint farm to a SQL Server database and display external data in a SharePoint list. Would you use the browser, SharePoint Designer, or Visual Studio to make this connection?
3. A developer gives you a solution package to install on the production SharePoint server farm. The farm has 3 Web front-end servers and a dedicated database server. How many times must you install the solution?
4. A user contacts you and asks you to test a sandboxed solution that he has downloaded from a third party. He says he wants to ensure the solution does not over-consume resources on the SharePoint servers. What advice do you give him?
Module 8
Configuring and Securing SharePoint Services and Service Applications
Contents:
Lesson 1: Securing the Enterprise SharePoint Service 8-3
Lesson 2: Securing and Isolating Web Applications 8-14
Lesson 3: Services and Service Applications 8-18
Lab A: Administering SharePoint Services 8-31
Lab B: Configuring Application Security 8-36
Lab C: Configuring Service Applications 8-41
Module Overview
Configuring and securing Microsoft SharePoint and its service applications are important steps to isolate sensitive data in your organization and keep your environment free of unwanted SharePoint installations. Planning the deployment of SharePoint thoroughly is important to a successful SharePoint environment.
Objectives
After completing this module, you will be able to:
- Secure your enterprise-level SharePoint service.
- Secure Web applications.
- Configure SharePoint services and service applications.
Lesson 1
Awareness of where SharePoint is installed in your organization, and of who has permissions to perform those installations, is critical to maintaining security in your network infrastructure. This lesson teaches you how to track those installations and how to configure many of the services and accounts used to keep your SharePoint implementation secure.
Objectives
After completing this lesson, you will be able to:
- Track SharePoint installations in your organization.
- Block inappropriate SharePoint deployments.
- Approve relevant SharePoint deployments.
- Manage services on your SharePoint servers.
- Describe SharePoint services.
- Describe administrative accounts.
- Describe managed accounts.
Key Points
Service connection points (SCPs), also known as Active Directory markers, are data points in Active Directory Domain Services (AD DS) that represent the presence of a SharePoint server and farm. By putting several pieces together, you can both track and control SharePoint installations in your enterprise. You can use the following process to track your SharePoint installations.
1. Use ADSIEdit to create a container object, CN=Microsoft SharePoint Products,CN=System,DC=contoso,DC=com.
Note: You can use other container names. However, if you do, you must create a Group Policy for the domain computers to set a string value ContainerDistinguishedName under the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SharePoint. This makes it possible for the SharePoint Products Configuration Wizard to detect the new name.
2. Assign Create serviceConnectionPoint objects permission to the accounts that are used to install SharePoint.
You must follow these steps before you create the farm. The SharePoint Configuration Wizard, PSConfig.exe, checks whether the container has been created, and then creates the marker. The marker contains the URL for the Application Discovery and Load Balancer Service. You can also create markers manually by using Windows PowerShell cmdlets.
To retrieve service connection point information for a farm, use the following command.
Get-SPFarmConfig -ServiceConnectionPoint
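That cmdlet reports only the local farm's marker. To audit every farm that has registered itself in the container described above, you can query the serviceConnectionPoint objects directly from AD DS. The following script is an added example, not part of the course; the container DN, the domain and the approved-URL list are constructed assumptions.

```powershell
# Added example: inventory SharePoint markers in AD DS and flag any whose
# topology service URL is not on the approved list. Runs with Windows PowerShell 2.0
# on any domain-joined machine; no SharePoint snap-in is required.

function Get-SharePointMarkers {
    param(
        # Constructed assumption: the default container name in the contoso.com domain.
        [string] $ContainerDn = 'CN=Microsoft SharePoint Products,CN=System,DC=contoso,DC=com'
    )
    $root = [ADSI]"LDAP://$ContainerDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=serviceConnectionPoint)'
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('serviceBindingInformation')
    [void]$searcher.PropertiesToLoad.Add('whenCreated')

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties
        # serviceBindingInformation holds the URL that PSConfig (or Set-SPFarmConfig)
        # wrote for the Application Discovery and Load Balancer Service.
        New-Object PSObject -Property @{
            Dn      = [string]$props['distinguishedname'][0]
            Url     = [string]$props['servicebindinginformation'][0]
            Created = $props['whencreated'][0]
        }
    }
}

function Find-UnapprovedMarkers {
    param([Parameter(Mandatory = $true)][string[]] $ApprovedUrls)
    Get-SharePointMarkers | Where-Object { $ApprovedUrls -notcontains $_.Url }
}

# Constructed approved list: the topology service URL of the one sanctioned farm.
$approved = @('https://sp-app01.contoso.com:32844/Topology/topology.svc')
Find-UnapprovedMarkers -ApprovedUrls $approved |
    Sort-Object Created |
    Format-Table Created, Url, Dn -AutoSize
```

Any marker this reports is a farm that was installed by an account holding the Create serviceConnectionPoint objects permission but is not on your approved list, and is worth investigating.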
Additional Reading
Track SharePoint 2010 Installations by Service Connection Point at http://go.microsoft.com/fwlink/?LinkID=197124&clcid=0x409
Track or block SharePoint Server 2010 installations at http://go.microsoft.com/fwlink/?LinkID=197125&clcid=0x409
Key Points
You can block unwanted SharePoint installations in your domain by applying a group policy object (GPO). Use the following procedure to block unwanted SharePoint deployments:
1. Open the Group Policy Management tool in Administrative Tools.
2. Locate and edit the most appropriate GPO. For example, to prevent SharePoint installations on Domain Controllers, edit the Default Domain Controllers Policy GPO.
3. Under Computer Configuration, expand Preferences, expand Windows Settings, and then click Registry.
4. Create a new Registry Item.
5. Select the HKEY_LOCAL_MACHINE hive.
6. In the Key Path box, type Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint.
7. In the Value Name box, type DisableInstall.
8. In the Value Type box, select REG_DWORD.
9. In the Value Data box, type 1.
10. Click OK, and then close the Group Policy Editor and Group Policy Management tool.
After this GPO is in place in your domain, users who try to install SharePoint receive the message "SharePoint installation is blocked in your organization. Please contact your network administrator for more details."
Key Points
In an environment where you are using a GPO to block SharePoint installations, you must create a group of servers that are approved for installation. Use the following procedure to control where SharePoint can be installed.
1. Create a new group in AD DS that contains all computer objects on which SharePoint is allowed to be installed.
2. In Group Policy Management, apply a security filter to the Group Policy Object (GPO) that enables the DisableInstall registry setting, and grant the new group permissions.
3. Give the group DENY - APPLY GROUP POLICY permission. This overrides the installation block for this specific group.
4. Add approved servers to the new group that you created.
Key Points
The SharePoint installation process creates additional Windows Services. Most of these services start and stop themselves as needed by SharePoint. The one exception is the SharePoint Timer service; this service must be running at all times for SharePoint to send email messages and perform scheduled tasks. You can manually start this service if it is in the stopped state. Some of the other services created by the SharePoint installation process are the following:
- SharePoint Administration. Performs administrative tasks for SharePoint.
- SharePoint Tracing. Manages trace output.
- SharePoint User Code Host. Executes user code in a sandbox.
- SharePoint VSS Writer. Volume Shadow Copy Service.
- SharePoint Foundation/Server Search. Provides full-text indexing and searching.
Key Points
You can manage the services in SharePoint 2010 by navigating to Manage services on the server in Central Administration. Depending on the specific version of SharePoint that you have installed, the number of services that are available to you may differ. Other products, such as Microsoft Project Server, install new services in SharePoint. You can start or stop the available services and configure them with separate permissions from Central Administration. By configuring separate permissions, you can delegate administration on each service application instance. This model allows for flexible scaling and balancing of load. These are the SharePoint services:
- Access Database Service. View/edit/interact with Microsoft Office Access 2010 databases in the browser.
- Application Registry Service. Enables users to search and collaborate around business data.
- Business Data Connectivity Service. Access line-of-business data.
- Central Administration. Central Administration Website.
- Claims to Windows Token Service. Used for claims authentication.
- Document Conversions Launcher Service. Enables document conversion.
- Document Conversions Load Balancer Service. Load balancer for document conversion.
- Excel Calculation Services. View/edit/interact with Microsoft Office Excel 2010 files.
- Lotus Notes Connector. Enables SharePoint to connect directly with Lotus Notes and retrieve data.
- Managed Metadata Web Service. Access managed taxonomy hierarchies, keywords, and social tagging infrastructure as well as content type publishing across site collections.
- Microsoft SharePoint Foundation Incoming E-Mail. Simple Mail Transfer Protocol (SMTP) for SharePoint.
- Microsoft SharePoint Foundation Sandboxed Code Service. Allows for sandboxed development.
- Microsoft SharePoint Foundation Subscription Settings Service. Tracks subscription IDs used in multi-tenant configurations.
- Microsoft SharePoint Foundation Web Application. Allows for hosting Web content.
- Microsoft SharePoint Foundation Workflow Timer Service. Used for SharePoint workflow.
- PerformancePoint Service. Provides the capabilities of PerformancePoint Services.
- Search Query and Site Settings Service. Performs a query across built indexes.
- Secure Store Service. Replaces single sign-on (SSO) in SharePoint 2007. Used to store user names/passwords for external data systems.
- SharePoint Foundation Search. Provides full-text indexing and search to SharePoint users.
- SharePoint Server Search. Provides enhanced full-text indexing and search capabilities.
- User Profile Service. Allows for creation of My Sites.
- User Profile Synchronization Service. Synchronizes user profiles with Active Directory data.
- Visio Graphics Service. View/edit/interact with Microsoft Visio documents.
- Web Analytics Data Processing Service. Used for processing data for Web trending and site usage.
- Web Analytics Service. Used for Web trending and site usage statistics.
- Word Automation Services. View/edit/interact with Microsoft Office Word documents.
Administrative Accounts
Key Points
SharePoint 2010 needs a few domain accounts for setup and configuration. SharePoint uses these accounts for setup and/or administrative access to the farm. You can also use separate domain accounts for other service applications. The following summary provides information about the necessary administrative accounts.
You can manage this account by using Central Administration. This account has the following requirements:
- Domain user account permissions
- Local Administrator permissions on all SharePoint servers in the farm except Microsoft SQL Server and SMTP servers
- Access to SharePoint 2010 databases
- If you are running Windows PowerShell so that it affects databases: member of the db_owner role
- Assigned to the db_creator and security_admin SQL Server roles during setup and configuration
After you have run the configuration wizards, this account assumes the following characteristics:
- Becomes a member of the WSS_ADMIN_WPG security group
- Becomes a member of the IIS_WPG role
- Is granted db_owner permissions on the Config Database and CA Content Database
Managed Accounts
Key Points
A managed account is an AD DS user account whose credentials are managed by and contained in SharePoint. In addition to storing the credentials of the object, SharePoint Server 2010 can also use Active Directory domain policies to reset passwords automatically while meeting the requirements established by policy. You do not have to know the password for an account to assign it to service applications in SharePoint. You can manage these accounts from Central Administration, where you can view the existing managed accounts, register a new managed account, or change a password. Once you have established these accounts, you can assign them to a service application from Central Administration.
Lesson 2
By implementing isolation in your SharePoint environment, you can segment data into logical groups and give access only to those users who need it. Securing communication also helps keep unauthorized users from accessing sensitive data.
Objectives
After completing this lesson, you will be able to:
- Describe how to manage isolation with a new application pool.
- Configure an application isolation pool.
- Configure SharePoint to use Secure Sockets Layer (SSL) communication.
Key Points
SharePoint uses application pools to isolate certain Web and service applications. There are advantages and disadvantages to using separate application pools for each Web application in your SharePoint farm.
Advantages
- Different identities. Each application pool runs under a single domain account. The account has restricted permissions that allow it to do only what it needs to inside the specific Web application.
- Isolation of processes. Each application pool runs under a different process ID. This makes it easier to track events and logging corresponding to the process.
- Recycle/restart without affecting others. When an application pool is recycled, all Web sites using the pool are unavailable until the pool comes back online. Separate application pools limit this issue to a specific Web application.
- Throttling of resource usage. Application pools use many resources: CPU, RAM, and disk. You can limit the usage of these resources to certain values in an application pool.
Disadvantages
- Administration overhead. Managing one application pool versus managing multiple application pools.
- Idle worker process. When an application pool has been idle for a specific amount of time, the worker process associated with the application pool shuts down. When the site is accessed again, the worker process has to be recycled, which can take some time, and the user may experience a delay in accessing that page.
Key Points
This diagram shows a totally isolated environment. Each service application and Web application has been created with its own application pool. You should weigh the advantages and disadvantages previously discussed to determine whether this type of design is appropriate for your environment.
Key Points
Before you can enable SSL, you must have an SSL certificate. You can get one from a third party or create one using Active Directory Certificate Services (AD CS). When using AD CS, after installation you must create a certificate by using Internet Information Services (IIS). You can accomplish this by using the Server Certificates feature in IIS 7. Once you create the certificate, you must install it on all Web front-end (WFE) servers in your farm. To configure sites to use SSL in SharePoint, you must either configure the environment to use SSL every time a new Web application is created or add an alternate access mapping (AAM) to an existing Web application. By adding an internal URL, you can add a new Web application zoned for the intranet that uses Secure HTTP (HTTPS).
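The two halves of that procedure, the IIS binding on each WFE and the AAM in SharePoint, can be scripted. The following is an added example, not course material; the Web application URL, the IIS site name and the certificate subject are constructed assumptions.

```powershell
# Added example: attach an installed certificate to the intranet IIS site on 443
# and register the HTTPS URL as an Intranet-zone alternate access mapping.
# Run the IIS part on every WFE; the AAM part is farm-wide and runs once.
Import-Module WebAdministration
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$hostName = 'intranet.contoso.com'                 # constructed assumption
$siteName = 'SharePoint - intranet.contoso.com80'  # IIS site created for the Web application
$httpUrl  = "http://$hostName"
$httpsUrl = "https://$hostName"

function Get-HostCertificate {
    param([string] $Subject)
    # Newest certificate for the host that has a private key; expired ones are skipped.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Subject*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Enable-SiteHttps {
    param([string] $Site, [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    if (-not (Get-WebBinding -Name $Site -Protocol https)) {
        New-WebBinding -Name $Site -Protocol https -Port 443
    }
    # The SslBindings provider maps an IP:port pair to the certificate IIS presents.
    $sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
    if (-not (Test-Path $sslBinding)) {
        $Certificate | New-Item $sslBinding | Out-Null
    }
}

function Add-HttpsMapping {
    param([string] $WebAppUrl, [string] $SecureUrl)
    $webApp = Get-SPWebApplication -Identity $WebAppUrl
    $existing = Get-SPAlternateURL -WebApplication $webApp | Where-Object { $_.IncomingUrl -eq $SecureUrl }
    if (-not $existing) {
        New-SPAlternateURL -Url $SecureUrl -WebApplication $webApp -Zone Intranet | Out-Null
    }
}

$cert = Get-HostCertificate -Subject $hostName
if (-not $cert) { throw "No usable certificate for $hostName in LocalMachine\My; install it first." }
Enable-SiteHttps -Site $siteName -Certificate $cert
Add-HttpsMapping -WebAppUrl $httpUrl -SecureUrl $httpsUrl
Get-SPAlternateURL -WebApplication (Get-SPWebApplication $httpUrl) | Format-Table Zone, IncomingUrl, PublicUrl
```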
Additional Reading
How to enable Active Directory Certificate Service in Windows Server 2008 R2 at http://go.microsoft.com/fwlink/?LinkID=197126&clcid=0x409
How to enable SSL on a SharePoint 2010 web application at http://go.microsoft.com/fwlink/?LinkID=197127&clcid=0x409
Lesson 3
Services and service applications in SharePoint 2010 replace the Shared Service Provider (SSP) model in SharePoint 2007. There are many advantages to the service application model.
Objectives
After completing this lesson, you will be able to:
- Describe the SharePoint 2010 Service Application Framework service model.
- Describe service applications.
- Describe service application connections.
- Configure application connection groups.
- Plan service applications.
- Describe types of service applications.
- Implement service applications across farms.
Key Points
In SharePoint 2007, the Shared Service Provider (SSP) is a single point of failure that contains shared services, for example, search, profile, and Excel services. In many cases, there is a steep learning curve to understand how to use the SSP and how it interacts with the rest of SharePoint; consequently, it is difficult to deploy and manage. A Web application can be associated with only a single SSP, which means that the SSP in that farm has to contain every service that any Web application uses. Management is also inflexible because you either have access to the entire SSP or to none of it. The SSP is essentially a single database, so there is no way to scale to larger implementations. There is also limited documentation concerning larger implementations. The all-or-nothing approach of the SSP also leads to extraneous resource usage because a Web application has to use all services in the SSP, even if it needs only one.
Service applications (SAs) are the perfect alternative to the older Shared Service Provider architecture of SharePoint 2007. SAs are fundamental to the application and are included with the SharePoint Foundation Stock Keeping Unit (SKU). The SA model is much more flexible than the SSP model:
- You can create more than one instance of a service application in a single farm.
- Web applications can consume any or all of the available services.
- You can also share service applications across farms.
- You can install applications separately from one another.
All of this gives you finer-grained control of the service that you are deploying to your users.
Now, with the SA architecture, you can load balance the services in the farm on all front-end servers or just a subset of them, allowing for future scaling in the farm or even into the cloud. The SA architecture also allows for third-party development. Some other Microsoft products already have service applications that are installed to interact with SharePoint. You can manage all service applications in the SharePoint farm in Central Administration without having to navigate to an entirely different area to do so. You can also use Windows PowerShell to interact with service applications.
Note: When you upgrade from SharePoint 2007, your SSP is converted to service applications. Refer to Module 12, Installing and Upgrading to SharePoint 2010, for more details.
Key Points
Several components make up the service application architecture. These components combine with one another to ensure that Web applications can consume services.
- Service. In SharePoint, you can configure services to run on the same server, or you can spread them across multiple servers. You can also load balance services automatically when two or more servers are configured to run a service.
- Service applications. Service applications are instances of services that are created. An application pool is associated with each service application instance. For most service applications, you can deploy multiple instances in a farm. You can also share them across multiple farms.
- Service application connections. For a service application to talk to a specific Web application, it must use a service application connection (proxy). A proxy is created automatically when you create a new service application.
- Service application connection groups. You can group multiple proxies together, which is then referred to as a service application connection group (proxy group).
- Web applications. Web applications are the component that users see in their browsers. Web applications can consume any number of the services available.
Additional Reading
Services architecture planning at http://go.microsoft.com/fwlink/?LinkID=197128&clcid=0x409
Service Applications
Key Points
You can create a service application instance by navigating to Manage Service Applications in Central Administration. There, you can see all of the service application instances that you have created, as well as create a new instance of a service application.
Manual configuration of service groups is also possible through Central Administration or Windows PowerShell. Manual configuration is good for larger farms, where you must plan and design the service applications more thoroughly. You can assign different permissions to each instance of a service application so that you have distributed management of the SharePoint service application model.
Additional Reading
Services architecture planning at http://go.microsoft.com/fwlink/?LinkID=197128&clcid=0x409
Key Points
A service application connection, also known as a proxy, allows the user-driven Web applications to talk to service applications. Web Parts, the SharePoint object model, or internal code can use proxies to connect to service applications. Service application connections are created automatically when a service application is created. Example:
1. When a search query is performed by the user, the Search Web Part on the WFE talks to the service application proxy.
2. In turn, the service application proxy uses Windows Communication Foundation (WCF) to connect to the application server that is running the instance of the Search Service.
3. This application retrieves information from the database and returns the results to the WFE to be displayed in the Web Part.
Disadvantages
- You cannot isolate service application data. Any Web application can consume any service application and its data.
- Individual departments or teams cannot manage service applications on their own.
Recommendations
The architecture that includes a single farm and a single service application group is the recommended configuration for most organizations, at least initially. This configuration works well when you want to host many sites for a single company on the same farm. Use this configuration to meet the following goals:
- You want to optimize the resources required to run service applications in a farm.
- You are sharing content and profile data across sites that otherwise require process isolation for performance or security reasons.
Disadvantages
- This architecture is more taxing on farm resources because multiple instances of certain service applications have been created and run at the same time.
Recommendations
The architecture that includes a single farm and multiple service application groups is the recommended configuration for organizations that require that specific departments have their own isolated data and service application management. This configuration works well when you want to host many sites for a single company on the same farm, yet have some isolation. Use this configuration if you are sharing content and profile data across sites that otherwise require process isolation for performance or security reasons and you would like to isolate one department's data.
Disadvantages
- This architecture is the most taxing on farm resources because multiple instances of service applications have been created and run at the same time.
- This architecture requires more hardware to support the scaled-out infrastructure.
Recommendations
The architecture that includes multiple farms and multiple service application groups is the recommended configuration for large organizations that need distribution of data and/or management of service applications. This configuration works well when you want to isolate certain departments but share data across multiple farms. Use this configuration to meet the following goals:
- You are sharing content across farms.
- You are isolating certain department data from the rest of the farms.
Key Points
The biggest struggle when planning your service application infrastructure is striking a balance between performance and separation. The more proxy groups you define and use, the more you tax the servers in the farm. You should create new proxy groups only when you must isolate processes, data, or performance. Some typical services that are deployed for dedicated use are Excel Services, Managed Metadata, and Business Data Connectivity (BDC):
- Excel Services. To optimize performance for a targeted team or to isolate sensitive data.
- Managed Metadata. To allow a team or department to manage their own taxonomy, hierarchies, keywords, and so on. SharePoint Server 2010 combines the results of multiple Managed Metadata service applications so that taxonomies, content types, and other elements can be shared across an organization.
- Business Data Connectivity. Individual teams or departments can integrate with their own line-of-business data systems and keep the data isolated from the rest of the organization.
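Isolating Managed Metadata for one Web application, as described above, comes down to a dedicated service application instance, its own application pool, and a proxy group that replaces the default one for that Web application. The following is an added example for the SharePoint 2010 Management Shell, not course material; the Web application URL, pool, account and database names are constructed assumptions.

```powershell
# Added example: give a client-facing Web application its own Managed Metadata
# service application and a custom proxy group, so its managed metadata and
# keyword columns cannot see the internal term store.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$clientUrl   = 'http://clients.contoso.com'   # constructed: the client-facing Web application
$poolName    = 'ClientMetadataPool'           # constructed: dedicated pool = separate identity and process
$poolAccount = 'CONTOSO\SP_ClientMMS'         # constructed: must already be registered as a managed account
$mmsName     = 'Managed Metadata Service - Clients'
$groupName   = 'Clients'

# 1. A separate application pool so the client term store runs under its own account.
$pool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-SPServiceApplicationPool -Name $poolName -Account (Get-SPManagedAccount -Identity $poolAccount)
}

# 2. A second Managed Metadata instance with its own database. The proxy is created
#    without -DefaultProxyGroup, so the intranet Web application never sees it.
$mms = New-SPMetadataServiceApplication -Name $mmsName -ApplicationPool $pool -DatabaseName 'MMS_Clients'
$mmsProxy = New-SPMetadataServiceApplicationProxy -Name "$mmsName Proxy" -ServiceApplication $mms

# 3. A custom proxy group: copy the default group's connections except the internal
#    Managed Metadata connection, then add the client one.
$group = New-SPServiceApplicationProxyGroup -Name $groupName
$defaultGroup = Get-SPServiceApplicationProxyGroup -Default
foreach ($proxy in $defaultGroup.Proxies) {
    if ($proxy.TypeName -notlike 'Managed Metadata*') {
        Add-SPServiceApplicationProxyGroupMember -Identity $group -Member $proxy
    }
}
Add-SPServiceApplicationProxyGroupMember -Identity $group -Member $mmsProxy

# 4. Point only the client Web application at the custom group.
Set-SPWebApplication -Identity $clientUrl -ServiceApplicationProxyGroup $group

# Verify: the client Web application should list exactly one Managed Metadata connection.
(Get-SPWebApplication $clientUrl).ServiceApplicationProxyGroup.Proxies |
    Where-Object { $_.TypeName -like 'Managed Metadata*' } |
    Format-Table DisplayName, TypeName -AutoSize
```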
Key Points
You can publish certain service applications and use them across farms. Some large implementations create a separate farm that hosts all the service applications that can be shared, for all other farms to consume. This is most commonly done with Search and/or user profiles. Often, Managed Metadata is also shared so that an organization can share a single corporate taxonomy.
Question: How would you use the Search Service as a cross-farm service application?
Question: How would you use the User Profile Service as a cross-farm service application?
Key Points
You can publish certain service applications and make them available to other SharePoint farms to consume. To do so, servers exchange certificates across the farms. An administrator of the consuming farm must provide two trust certificates to the publishing farm: a root certificate and a security token service (STS) certificate. An administrator of the publishing farm must provide a root certificate to the consuming farm. You can export and copy certificates only by using Windows PowerShell 2.0. You must configure permissions on both the shared service application and the Application Discovery and Load Balancer Service Application. When everything is set up, you can publish the service for other farms to consume. Note: If the farms are in two different domains, you must set up a two-way trust for User Profile or BDC Services to be shared.
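The certificate exchange and the permission grants described above can be carried out in the SharePoint 2010 Management Shell. The following functions are an added example, not course material; the export directory, the trust names ConsumingFarm and PublishingFarm, and the service application name are assumptions, and each function is meant to run on the farm named in its comment.

```powershell
# Added example: trust setup for publishing a service application to another farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- CONSUMING farm: export its root and STS certificates and report its farm ID.
function Export-ConsumingFarmTrust {
    param([string] $OutDir = 'C:\FarmTrust')   # assumed path
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $root = (Get-SPCertificateAuthority).RootCertificate
    Set-Content -Path "$OutDir\ConsumingRoot.cer" -Value $root.Export('Cert') -Encoding Byte
    $sts = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    Set-Content -Path "$OutDir\ConsumingSTS.cer" -Value $sts.Export('Cert') -Encoding Byte
    # Only public certificates are written; no private key leaves the farm.
    (Get-SPFarm).Id.ToString()   # the publishing farm needs this GUID for the permission grant
}

# --- PUBLISHING farm: export its root certificate for the consuming farm.
function Export-PublishingFarmRoot {
    param([string] $OutDir = 'C:\FarmTrust')
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $root = (Get-SPCertificateAuthority).RootCertificate
    Set-Content -Path "$OutDir\PublishingRoot.cer" -Value $root.Export('Cert') -Encoding Byte
}

# --- PUBLISHING farm: trust the consuming farm, grant it access to the Application
# Discovery and Load Balancer (topology) service and to the shared service, then publish.
function Grant-ConsumingFarmAccess {
    param(
        [Parameter(Mandatory = $true)][string] $ConsumingFarmId,
        [Parameter(Mandatory = $true)][string] $ServiceApplicationName,
        [string] $CertDir = 'C:\FarmTrust'
    )
    New-SPTrustedRootAuthority -Name 'ConsumingFarm' `
        -Certificate (Get-PfxCertificate "$CertDir\ConsumingRoot.cer") | Out-Null
    New-SPTrustedServiceTokenIssuer -Name 'ConsumingFarm' `
        -Certificate (Get-PfxCertificate "$CertDir\ConsumingSTS.cer") | Out-Null

    # The consuming farm is identified by a farmid claim, not by a user account.
    $claimProvider = (Get-SPClaimProvider -Identity System).ClaimProvider
    $principal = New-SPClaimsPrincipal `
        -ClaimType 'http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid' `
        -ClaimProvider $claimProvider -ClaimValue $ConsumingFarmId

    $topology = Get-SPTopologyServiceApplication
    $security = Get-SPServiceApplicationSecurity -Identity $topology
    Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights 'Full Control'
    Set-SPServiceApplicationSecurity -Identity $topology -ObjectSecurity $security

    $sa = Get-SPServiceApplication -Name $ServiceApplicationName
    $saSecurity = Get-SPServiceApplicationSecurity -Identity $sa
    Grant-SPObjectSecurity -Identity $saSecurity -Principal $principal -Rights 'Full Control'
    Set-SPServiceApplicationSecurity -Identity $sa -ObjectSecurity $saSecurity

    Publish-SPServiceApplication -Identity $sa
}

# --- CONSUMING farm: trust the publishing farm's root certificate before connecting.
function Add-PublishingFarmTrust {
    param([string] $CertDir = 'C:\FarmTrust')
    New-SPTrustedRootAuthority -Name 'PublishingFarm' `
        -Certificate (Get-PfxCertificate "$CertDir\PublishingRoot.cer") | Out-Null
}
```

Granting the farmid principal Full Control on the topology service lets the consuming farm discover endpoints; the rights on the shared service application itself should be the narrowest named right that service offers for the consumer's needs.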
Scenario
The Communications team at Contoso wants to publish content to the intranet by using Microsoft Word. The team's manager discovered that SharePoint includes a feature that can convert Word documents to Web pages and is complaining that the intranet site does not expose the document conversion command. Additionally, developers are experiencing errors that suggest some SharePoint services may not be running correctly. You have been asked to troubleshoot the problems and to ensure that the SharePoint and Windows services that are required to support the SharePoint farm are running correctly.
Click SharePoint - intranet.contoso.com80. In the Enable Document Conversions section, click Yes, and then click OK. At the top of the page, a message appears that indicates you must choose a document conversion server.
Click the Load Balancer server drop-down arrow. Observe that you have no options. Click Cancel. You must enable the SharePoint service on front-end Web servers before you can enable document conversions.
Results: After this exercise, you should have enabled document conversions on the intranet Web and configured and started several SharePoint farm services.
When you attempt to create this application, Central Administration will pause indefinitely. Wait two minutes, and then click Cancel. Refresh the page, and then observe that the Managed Metadata Human Resources service application is listed as Stopped, and that there is no Managed Metadata Service Connection created for the service application. The Timer service must be running to process the jobs related to the creation of a service application.
Results: After this exercise, you should have experienced an effect of a stopped SharePoint 2010 Timer service and started the service.
Scenario
You recently inherited a SharePoint farm that was not set up using best practices. Your manager is a Certified Information Systems Security Professional (CISSP) and advocates security best practices. He would like you to explore the service account permissions and SSL settings of the SharePoint server and possibly change these settings to use specific service accounts. He would also like you to install SSL to secure the metadata that is traveling between the clients and servers.
Confirm that the Last password change column of the CONTOSO\SP_Farm row indicates that the password was changed.
Results: After completing this exercise, you should have changed the farm account, reset its password, and configured the password change policy.
Scenario
Your company, Contoso, has adopted SharePoint 2010 for many reasons. One is its new, more optimized service application environment, and another is its ability to manage metadata. You want to allow sites in the client-facing Web application to use managed metadata and keywords, but you do not want managed metadata and keyword columns in the client Web application to have visibility into terms used internally. Therefore, you must configure a separate Managed Metadata Service for the client Web application.
Observe that there is an application proxy group labeled custom assigned to the intranet Web application.
Results: After this exercise, you should have configured a new managed metadata service application, modified the default proxy group, and created a custom application proxy group.
Review Questions
1. How would you use Active Directory markers in your environment?
2. Which Active Directory accounts would you manage in SharePoint?
3. Explain the different components of the service application architecture.
Module 9
User Profiles and Social Networking
Contents:
Lesson 1: Configuring User Profiles 9-3
Lesson 2: Implementing SharePoint 2010 Social Networking Features 9-14
Lab A: Configuring User Profiles 9-26
Lab B: Administering My Sites 9-34
Module Overview
Social computing has proved to be a growing trend in Internet-related business. Its impact on the corporate world has turned information into a dynamic, rapidly changing form that communities of users can collaborate on and share with others in your organization. This is where social computing fits perfectly with the goals of Microsoft SharePoint: to capture and share information, to enable people to find information and other people, and to improve efficiency and productivity.
Objectives
After completing this module, you will be able to:
Configure user profiles.
Implement SharePoint 2010 social networking features.
Lesson 1
User profiles provide access to the people aspect of the social element of SharePoint. They provide the baseline for gathering and capturing information about the individuals you want to engage and interact with in your organization. In this lesson, you will see how that information can be gathered from different sources and the process for getting it into SharePoint.
Objectives
After completing this lesson, you will be able to:
Describe the User Profile Service Application.
Understand user profiles.
Describe each of the profile properties.
Understand data connections.
Edit profile data.
Describe the user profile synchronization process.
Implement Microsoft Forefront Identity Manager.
Key Points
The User Profile Service is a service application in Microsoft SharePoint Server 2010 that provides a central location for configuring and managing the key elements of personalization settings, and it is a key component of the social computing capabilities of the SharePoint platform. The Manage Profile Service page cannot be accessed until an instance of a User Profile Service Application exists. You can use the SharePoint Central Administration Web site, in addition to Windows PowerShell, to create and manage user profile service applications and other service applications for non-hosted environments. You can delegate management of a user profile service application to someone who does not have permissions to manage other services or settings contained in Central Administration.
Key Points
User profiles contain a set of key properties for each SharePoint user by default, and users can optionally provide additional information about themselves that enables them to communicate and share information effectively.
Additional reading
Enable SharePoint Server 2010 Colleague in Outlook 2010 at http://go.microsoft.com/fwlink/?LinkID=197040&clcid=0x409
ADSI Edit at http://go.microsoft.com/fwlink/?LinkID=197041&clcid=0x409
Profile Properties
Key Points
A profile property is a field that holds one piece of information about a user in your organization. An extensive set of properties is included by default; examples include skills, birthday, manager, and responsibilities. In many implementations the default properties are enough, but some scenarios require custom properties, for example to describe a training path, a certification, or a product specialty. Because each property holds a specific type of data and corresponds to a field, you must choose the data type carefully when customizing. You can provide centrally defined values from Managed Metadata Service term sets to standardize options and enforce organizational policies.
Additional reading
User profile properties at http://go.microsoft.com/fwlink/?LinkID=197042&clcid=0x409
Data Connections
Key Points
Data connections establish the relationship and connectivity to the source that provides the profile data. Primary sources can be defined on their own, with no additional data connections. Secondary sources require that a primary source is already configured. Primary sources are typically AD DS or LDAP stores. Secondary sources are typically connections to line-of-business (LOB) applications through the Business Connectivity Services functionality. A secondary source complements the information retrieved from a primary source: the connection is one-directional and cannot overwrite information synchronized from a primary source.
Key Points
Profile data is stored in a SharePoint profile database as a replica of the source data. Depending on the security settings of the profile properties, end users may be able to edit these properties by using their My Site or any custom profile editing page. Developers can write tools to update profile properties rather than using the import mechanisms in SharePoint. Each profile property can have security set on it. This allows you to make a profile property required or optional, or to disable it if needed. You can also restrict the visibility of a property that holds sensitive data, such as a social security number, a bank account number, or similar information.
Key Points
Profile synchronization in Microsoft SharePoint Server 2010 enables user profile service administrators to synchronize user and group profile information that is stored in the SharePoint Server 2010 profile store with profile information that is stored in directory services and business systems across the enterprise. When you define the user profile synchronization, you need to meet the following security and process requirements:
AD DS. At a minimum, the Replicate Directory Changes permission is needed on the AD DS domain(s) from which you wish to import data for SharePoint Server 2010. This account must be a member of the Farm Administrators group or must be an account that is designated as a user profile service administrator. If the NETBIOS name is different from the domain name, at least Replicate Directory Changes permission is also needed on the cn=configuration container. To export properties, such as profile pictures, from SharePoint Server 2010 to AD DS, at least Replicate Directory Changes permission is needed on the object and all child objects for the AD DS domains to which you want to export data from SharePoint Server 2010. Read/Write permission is also needed on the container that stores the user picture attribute, for example, the ThumbnailPhoto attribute. Authenticated users who have Replicate Directory Changes permissions will be granted read access to AD DS objects. Additional permissions can be granted using access control lists (ACLs) in AD DS. SharePoint Server 2010 will not write profile data back to AD DS unless Write permission is explicitly set on the account that has Replicate Directory Changes permissions.
Business Data Connectivity service. The Business Data Connectivity model must include Finder and Specific Finder methods in SharePoint Server 2010: http://go.microsoft.com/fwlink/?LinkId=179316
Novell eDirectory version 8.7.3 (LDAP). Only Full Sync for users is supported in SharePoint Server 2010.
SunOne version 5.2 (LDAP). Both full and incremental are supported. You must set up a change log to use Incremental Sync.
IBM Tivoli 6.2 (LDAP). Both full and incremental are supported.
Profile synchronization can occur when profile information has changed in the SharePoint Server 2010 profile store or when profile information has changed in the directory service. After you configure profile synchronization, changes to either store are detected. Import or export occurs depending on the import/export settings for a particular user profile property. Synchronization is defined within the user profile service application. It is configured between SharePoint and the directory service applications that provide the user profile data to be imported and consumed by SharePoint. The high-level process is:
Farm account must be a local administrator on all SharePoint servers.
A user profile service application must be created.
User profile service must be started.
User profile service synchronization service must be started.
A new connection must be created.
Map user profile properties (import/export).
Set up a synchronization schedule (full and/or incremental).
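As an added example that is not part of the course material, the following PowerShell script audits the AD DS requirements and the farm-account requirement listed above before you create the connection: it reports whether the synchronization account holds the Replicate Directory Changes right on the domain and configuration naming contexts, flags the broader Replicating Directory Changes All right (which the course does not call for), and checks that the farm account is in the local Administrators group. It assumes the Active Directory module from RSAT on a domain-joined SharePoint server; the synchronization account name is a placeholder.

```powershell
# Added example, not from the course: audit the profile synchronization prerequisites.
# Assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined server.
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\SP_UPS'    # placeholder: account used for the AD DS connection
$FarmAccount = 'CONTOSO\SP_Farm'   # farm account used in the course labs
$DomainDN    = (Get-ADDomain).DistinguishedName
$ConfigDN    = (Get-ADRootDSE).configurationNamingContext

# Well-known schema GUIDs of the directory replication extended rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}

function Get-ReplicationRightsHeldBy {
    # Returns the names of the replication rights granted DIRECTLY to $Account on
    # $ObjectDN. Rights obtained through group membership are not resolved here, so
    # a clean result does not prove that the account holds nothing broader.
    param([string]$Account, [string]$ObjectDN)
    $acl = Get-Acl -Path ("AD:\" + $ObjectDN)
    foreach ($ace in $acl.Access) {
        $isExtended = ($ace.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($ace.IdentityReference.Value -eq $Account -and
            $ace.AccessControlType -eq 'Allow' -and $isExtended -and
            $ReplicationRights.ContainsKey($ace.ObjectType.ToString())) {
            $ReplicationRights[$ace.ObjectType.ToString()]
        }
    }
}

foreach ($dn in @($DomainDN, $ConfigDN)) {
    $held = @(Get-ReplicationRightsHeldBy -Account $SyncAccount -ObjectDN $dn)
    Write-Host "`n$dn"
    if ($held -contains 'Replicating Directory Changes') {
        Write-Host '  OK      Replicating Directory Changes is granted (required for import)'
    } else {
        # On the configuration container this is only required when the NetBIOS
        # name differs from the domain name (see the AD DS requirement above).
        Write-Host '  MISSING Replicating Directory Changes'
    }
    if ($held -contains 'Replicating Directory Changes All') {
        Write-Host '  REVIEW  Replicating Directory Changes All is granted; the course requires only Replicating Directory Changes'
    }
}

# The farm account must be a local administrator on every SharePoint server,
# so run this part on each server in the farm.
$localAdmins = net localgroup Administrators
if ($localAdmins -contains $FarmAccount) {
    Write-Host "`nOK      $FarmAccount is in the local Administrators group"
} else {
    Write-Host "`nMISSING $FarmAccount is not in the local Administrators group"
}
```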
Key Points
Forefront Identity Manager (FIM) 2010 builds on the metadirectory, certificate and smart card management, and user provisioning available in ILM 2007, and adds a rich management environment including integrated user management, self-service for comprehensive credential management, group management, policy management, and expanded extensibility and connectivity. The benefit SharePoint 2010 gets from FIM 2010 is that FIM provides the core engine that drives two-way replication between the source and the associated user profile imports. FIM 2010 feature investments are categorized into four areas.
Policy Management
SharePoint-based console for policy authoring, enforcement and auditing
Extensible WS-* APIs and Windows Workflow Foundation workflows
Heterogeneous identity synchronization and consistency
Credential Management
Heterogeneous certificate management with third-party CA support
Management of multiple credential types
Self-service password reset integrated with Windows logon and web-based tool
Integrated provisioning of identities, credentials, and resources
User Management
Automated, codeless user provisioning and de-provisioning
Self-service user profile management
Group Management
Rich Microsoft Office-based self-service group management tools
Offline approvals through Office
Group and distribution list management, including dynamic membership calculation in these groups and DLs based on user attributes
Lesson 2
SharePoint 2010 brings social networking capabilities into the enterprise, where enormous value can be unlocked through information contained not in typical pages or files, but rather in social relationships, behavior, and expertise.
Objectives
After completing this lesson, you will be able to:
Implement My Sites.
Configure social networking features.
My Sites Overview
Key Points
My Site Web sites are personal sites in Microsoft SharePoint Server 2010 that provide users in an organization with a rich set of social networking and collaboration features. These features include:
My Newsfeed page for managing colleagues, interests, and newsfeed settings
My Content page for managing documents and other content such as lists, libraries, etc.
My Profile page for managing things like user profile information and social tags and notes
These features give users a way to discover areas of expertise, projects, and business relationships from one central location. Each user can view his or her My Site website by clicking the corresponding user name in the top, right corner of any page and then clicking My Site. In SharePoint Server 2010, My Site websites enable users to easily share information about themselves and their work. This sharing of information encourages collaboration, builds and promotes expertise, and targets relevant content to the people who want to see it. You can display profile properties to particular users in the organization, and enable administrators to set policies to protect privacy. My Site Web sites in SharePoint Server 2010 include the following:
A profile for each user where users can share their expertise, profile pictures, and so on
A newsfeed for tracking activities such as social tags, status updates, note board notes, and content ratings
A tag and note tool that helps you conveniently tag or post notes on sites directly from a web browser
A shared picture library, shared document library, and personal document library with the ability to create and manage additional content as standard on other SharePoint site types
The ability to add Web Parts such as a Really Simple Syndication (RSS) viewer, or My Links, to see a list of your saved libraries and links
An organizational browser that uses Microsoft Silverlight 3 to provide a dynamic organizational browsing experience
The ability to manage colleagues and memberships from one location
Key Points
The user profile service stores information about users in a central location. Information in a user's profile includes a profile picture, the organization to which the user belongs, colleagues, and properties such as skills. SharePoint Server uses this information to personalize the data presented on a user's My Site Web site. To provision My Site websites and enable social computing features such as social tagging and newsfeeds, you must create and enable the user profile service. The My Site Host is a special-purpose site collection used for hosting My Site websites. The content part of My Site websites is hosted in its own site collection. My Site Host site collections are not created automatically in SharePoint Server 2010. An administrator of the User Profile Service Application must first create a My Site Host site collection, in addition to the web application that serves as its host, before provisioning My Site websites. Trusted My Site Host locations are used in organizations where multiple server farms are deployed or where multiple user profile service applications are configured. In such environments, users can create multiple My Site websites. For example, in a geographic deployment with a central farm in Europe and a regional farm in Africa, a user can click the My Site link when browsing content hosted by either farm. Consequently, the user can create a My Site Web site on the Europe farm and a My Site website on the Africa farm. If your organization includes multiple farms or multiple User Profile Service Applications that host My Site websites, you can prevent users from creating multiple My Site websites by using the Trusted My Site Host Locations feature. This feature enables you to specify trusted My Site locations. When trusted My Site locations are specified, users are redirected to the My Site that is intended for their user accounts, regardless of where they are browsing when they click the link to create a My Site website.
This feature ensures that each user creates only one My Site website in the organization and relies on audience targeting. Pages support the three distinct views of My Sites:
My Newsfeed page that shows colleague activities
My Content site that lists shared documents, personal documents, pictures, libraries, lists, discussion boards, and surveys that a user owns
My Profile page that displays personal profile information
Users can navigate between these pages by clicking the links on the My Site link bar at the top of the page. My Site websites rely on the following related features:
Profile synchronization. Enables you to integrate profile information that you have stored in a directory service such as Active Directory Domain Services (AD DS) or a business system, such as SAP or Siebel, with SharePoint Server 2010.
Expertise tagging. Allows users to list the areas in which they have experience as part of their profile. This information can be used by other users in the organization to locate subject matter experts for a particular area.
People search. Allows users to find people by department, job title, knowledge, expertise, and common interests.
Deploy My Sites
Key Points
After a farm administrator has created a user profile service application, a designated administrator of the user profile service application can manage the following My Site website settings:
My Site websites setup
Trusted My Site host locations
Personalization site links
Links to Microsoft Office 2010 client applications
To perform the initial setup of My Sites, you must do the following:
1. Create a My Site Host web application, for example mysites.contoso.com. Don't forget to add a DNS host (A or AAAA) record. Use either the My Site Host site definition (template) or a blank site template.
2. Create a search center site collection, for example mysites.contoso.com/sites/Search, using a search center site definition such as Enterprise Search Center.
3. Give users permission to the search center. For example, add the Domain Users group to the search center Visitors group, or give Domain Users Read permission to the search center.
4. Add a managed path for My Sites, for example personal, with wildcard inclusion.
5. Enable self-service site creation for the web application.
6. On the Manage Service Applications page, click the link for the User Profile Service Application. You will be prompted to set up My Sites. Enter the URL of the My Site host, the search center, the managed path, etc.
You will perform these procedures in the lab for this module.
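The same initial setup, scripted in the SharePoint 2010 Management Shell as an added example (these are not the course's own lab steps): it creates the host web application and the My Site Host root site, the search center with Read-only access for Domain Users, the wildcard personal managed path, and self-service site creation. The host name, application pool name and managed account are placeholders; the final step, pointing the User Profile Service Application at the host, is done in Central Administration as described above.

```powershell
# Added example, not from the course: script the My Site initial setup.
# Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$HostName   = 'mysites.contoso.com'    # needs a DNS A/AAAA record (step 1)
$AppPoolAcc = 'CONTOSO\SP_WebApp'      # placeholder: registered managed account
$SiteAdmin  = 'CONTOSO\SP_Admin'       # site collection administrator used in the labs

# Step 1: web application that hosts My Sites, with its root site built from the
# My Site Host site definition (template id SPSMSITEHOST#0).
$wa = New-SPWebApplication -Name 'My Site Host' -HostHeader $HostName -Port 80 `
        -Url "http://$HostName" -ApplicationPool 'MySitesAppPool' `
        -ApplicationPoolAccount (Get-SPManagedAccount $AppPoolAcc)
$mySiteHost = New-SPSite -Url "http://$HostName" -Name 'My Site Host' `
        -Template 'SPSMSITEHOST#0' -OwnerAlias $SiteAdmin

# Step 2: Enterprise Search Center site collection (template id SRCHCEN#0) under the
# default /sites wildcard managed path.
$searchCenter = New-SPSite -Url "http://$HostName/sites/Search" -Name 'Search Center' `
        -Template 'SRCHCEN#0' -OwnerAlias $SiteAdmin

# Step 3: Domain Users get Read only on the search center (least privilege; users
# need to run searches, not to change the search center).
New-SPUser -UserAlias 'CONTOSO\Domain Users' -Web $searchCenter.Url `
        -PermissionLevel 'Read' | Out-Null

# Step 4: wildcard managed path for personal sites. Omitting -Explicit makes the
# path a wildcard inclusion, which is what My Sites require.
New-SPManagedPath -RelativeURL 'personal' -WebApplication $wa | Out-Null

# Step 5: let users provision their own My Site on this web application.
$wa.SelfServiceSiteCreationEnabled = $true
$wa.Update()

# Verify what was configured before continuing in Central Administration (step 6).
Write-Host "My Site Host:      $($mySiteHost.Url)"
Write-Host "Search center:     $($searchCenter.Url)"
Write-Host "Managed paths:     $((Get-SPManagedPath -WebApplication $wa | ForEach-Object { $_.Name }) -join ', ')"
Write-Host "Self-service sites: $($wa.SelfServiceSiteCreationEnabled)"
```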
Administrative Credentials
To use Central Administration to set up My Sites, you must be a member of the Farm Administrators group or a Service Application Administrator for the user profile service application.
Key Points
To configure social networking features, including My Sites, user profiles, organization profiles, and profile synchronization, open the Manage Profile Service page:
1. On the Central Administration page, under Application Management, click Manage Service Applications.
2. On the Manage Service Applications page, click the name of the user profile service that you want to manage. The Manage Profile Service page opens.
3. In the People section, you can configure user permissions. By default, Authenticated Users have permission to use all social features and to create My Sites. You can restrict the permissions of users in your enterprise by removing Authenticated Users and adding specific groups or users. Click Manage Policy to specify which social and My Site features are visible, and to control the visibility level of profile attributes.
4. You can enable or disable social tags and note boards for a user or group. See http://go.microsoft.com/fwlink/?LinkID=197047&clcid=0x409
On the Manage Farm Features page, you can disable the Social Tags and Note Board Ribbon Controls, which removes the I Like It and Tags and Notes commands from the ribbon. This is a user interface change only, but if you disable tagging, you should remove the social ribbon control so that users don't click it, only to discover that it doesn't work.
The Trusted Host Locations setting specifies other locations for My Sites that are trusted. This is not necessary in a typical farm that has only one User Profile Service Application. However, if you have multiple farms or multiple User Profile Service Applications, you should add the locations of their My Sites as trusted host locations.
If you want to push a link to a user's My Site, click Configure Personalization Site. Links created here can be targeted to audiences, and appear in the top navigation bar of a user's My Site.
You can also push links into Microsoft Office client applications. Click Publish Links to Office Client Applications.
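The permission change described in step 3 above, replacing the default Authenticated Users grant with a specific group, can also be made from the SharePoint 2010 Management Shell. This is an added example, not the course's own procedure; CONTOSO\SP_SocialUsers is a placeholder group, and the right names are assumed to match the strings shown in Central Administration.

```powershell
# Added example, not from the course: tighten the People permissions of the
# User Profile Service Application. Run in the SharePoint 2010 Management Shell
# as a farm administrator. CONTOSO\SP_SocialUsers is a placeholder AD group.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upa = Get-SPServiceApplication |
    Where-Object { $_.TypeName -like 'User Profile Service Application*' } |
    Select-Object -First 1
if (-not $upa) { throw 'No User Profile Service Application found in this farm.' }

# Without -Admin this returns the People (user) permissions, i.e. the grants
# shown under Permissions on the Manage Service Applications page.
$security = Get-SPServiceApplicationSecurity -Identity $upa

Write-Host 'Current grants:'
$security.AccessRules | ForEach-Object { '  {0}: {1}' -f $_.Name, $_.AllowedRights }

# "All Authenticated Users" is represented by this well-known encoded claim.
$allAuthUsers = New-SPClaimsPrincipal -Identity 'c:0(.s|true' -IdentityType EncodedClaim
$socialUsers  = New-SPClaimsPrincipal -Identity 'CONTOSO\SP_SocialUsers' `
                    -IdentityType WindowsSecurityGroupName

# Right names as displayed in Central Administration (assumption: exact strings).
$rights = @('Use Personal Features', 'Use Social Features', 'Create Personal Site')

# Grant the specific group first, then remove the broad default, so that there is
# no window in which nobody can use the features.
Grant-SPObjectSecurity -Identity $security -Principal $socialUsers -Rights $rights
Revoke-SPObjectSecurity -Identity $security -Principal $allAuthUsers
Set-SPServiceApplicationSecurity -Identity $upa -ObjectSecurity $security

Write-Host 'Grants after change:'
(Get-SPServiceApplicationSecurity -Identity $upa).AccessRules |
    ForEach-Object { '  {0}: {1}' -f $_.Name, $_.AllowedRights }
```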
Additional reading
Enable or disable personal and social features for users or groups at http://go.microsoft.com/fwlink/?LinkID=197043&clcid=0x409
Activate or deactivate the SocialRibbonControl farm-level feature at http://go.microsoft.com/fwlink/?LinkID=197044&clcid=0x409
Plan policies for user profiles at http://go.microsoft.com/fwlink/?LinkId=235053
Audiences
Key Points
Audiences group users in an organization so that you can personalize information to ensure that it is relevant to them. Audiences enable organizations to target content to specific users. Audiences are groupings of users determined by their memberships in Microsoft Exchange distribution lists (DLs) or SharePoint groups, or by rules configured by an administrator. In Microsoft SharePoint Server, the audience rules can be based on information in the user profile; on membership in an identity management system, for example, Active Directory Domain Services (AD DS) or Business Connectivity Services; or on the organization's reporting structure (if this information is stored in Active Directory). Audiences are defined and contained in the User Profile Service Application. When you configure an audience, you specify one or more rules to determine the membership of the audience. The rules are applied as All or Any. When you add a new audience, you also select an owner for the audience. This is an informational attribute only; it does not grant any permissions. The owner should be someone who understands why the audience was created and who can be contacted if there is a problem with the audience. The person who created the audience is often specified as the owner, but this is not a requirement. Having audience owners is helpful in enterprises that have a large number of audiences created by several different administrators. Each audience must be compiled before content can be targeted to that audience. Compilation identifies membership in an audience by crawling the data most recently reported from the identity management system. Note: You will not see the membership of a new audience until it is compiled.
Additional reading
Add, edit, or delete an audience (SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197046&clcid=0x409
Organization Profiles
Key Points
Organization profiles support the creation of communities of practice. Much like a user profile, an organization profile has attributes and relationships to other organizations and users. It is very important for an organization to be able to categorize and identify users based on organizational needs, or to identify specific levels of expertise within your community of work. It is important to gather and assess the value of networks of knowledge and expertise, for example, to identify specific resources with experience in a given product. This makes those networks stronger and better aligned with the needs of the organization. Finding communities of interest surfaces internal subject matter experts and may further the adoption of an environment such as SharePoint 2010. Insight into an organization's makeup gives you a better understanding of how to find the information that is essential to how a task is performed and whom to go to in case of questions. An organization's profile lets you know how and where to find information by better defining the teams, departments, and individuals that are part of it.
Scenario
Your corporation has never had an employee directory despite the multiple requests of the Human Resources department. Since implementing SharePoint 2010, the Human Resources department has again requested the directory be implemented using SharePoint user profiles. Previous IT policies prevented making changes to Active Directory and forced the creation of a separate Human Resources database of user information. You have been tasked to set up user profiles in the new farm using Active Directory as the primary data source and integration with profile properties that come from the secondary HR data source.
Monitor the page. Press F5 to refresh the page. Repeat this step until the ProfileSynchronizationSetupJob disappears. Note: It can take up to 15 minutes for the ProfileSynchronizationSetupJob to complete.
Navigate to the Job History page. Confirm that the Status of ProfileSynchronizationSetupJob is Succeeded. Click the System Settings link and then navigate to the Services on Server page. Confirm that the Status of the user profile synchronization service is Started. Close SharePoint 2010 Central Administration.
If a service is not started, then press F5 to refresh the view. Repeat this step until the services have started. Note: This can take several minutes. Close the Services console. Open the folder C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\MaData. Confirm that the ILMMA folder exists. Confirm that a folder named MOSS-GUID exists with today's date. If they do not exist, wait until the timer job has completed fully, at which point the folders will appear. Close the Windows Explorer window that is showing the MaData folder.
Tip: l (lowercase L) is the Lightweight Directory Access Protocol (LDAP) name for the locale, or city attribute.
Question: What group does the farm account have to be in for user profile synchronization to work?
Results: After completing this exercise, you should have configured and performed profile attribute synchronization from an external source.
Create a new site collection in the Web application with the following configuration:
Title: My Site Host
Template: My Site Host
Primary site collection administrator: CONTOSO\SP_Admin
Configure your birthday to display to My Colleagues. Save your changes. On the profile page, click More information. Observe that the newly populated profile properties are now visible.
Results: After completing this exercise, you should have created a My Site for Dan Jump, and modified his user profile.
Results: After this exercise, you should have configured various social networking features.
Review Questions
1. What group does the farm account have to be in for user profile synchronization to work?
2. Which three features must be present and activated for My Site websites to function?
Module 10
Administering and Configuring SharePoint Search
Contents:
Lesson 1: Configuring Search 10-3
Lab A: Configuring Search 10-16
Lesson 2: Refining Search 10-27
Lab B: Tuning SharePoint Search 10-33
Module Overview
Configuring and refining Microsoft SharePoint 2010 Search correctly are critical to finding content in your organization in a quick and relevant manner. Enterprise Search has been greatly enhanced to provide for a consistent and interactive environment for you to organize and find your content and/or external content.
Objectives
After completing this module, you will be able to:
Configure the search features of SharePoint Server 2010.
Refine searches in SharePoint 2010.
Lesson 1
Configuring Search
By configuring SharePoint Search in your environment, you can give users a better experience when searching for content. This lesson teaches you how to configure Search to match your organization's needs and how to monitor issues that may arise.
Objectives
After completing this lesson, you will be able to:
Describe SharePoint 2010 Search editions.
Describe the SharePoint 2010 Search architecture.
Understand how to scale searching.
Describe content distribution.
Administer searching.
Configure crawling.
Configure queries.
Report on searches.
Key Points
SharePoint 2010 Search has three different product editions:
Search Server 2010 Express. Search Server 2010 Express can only be used as a standalone system and has the following characteristics:
  Scales to 10 million items with subsecond response times. Search Server 2010 Express can meet the scale and performance needs of your organization.
  Searches 31 file types using the extensible IFilter platform, including Microsoft Office; Hypertext Markup Language (HTML); SharePoint 2003, SharePoint 2007, and SharePoint 2010 sites; Open Document format; and many others.
  Helps find information across your company in 51 languages. Improvements include compound handling, numbers, and dates in languages such as Thai, Russian, and Arabic.
SharePoint 2010 Search. SharePoint 2010 Search includes all the features of Search Server 2010 Express but can be scaled across several servers.
Microsoft FAST Search Server 2010 for SharePoint. FAST Search adds increased performance and relevancy tuning algorithms, along with several layers of extensible interfaces.
Each of these is a different product with different features. As you move down the list, each edition builds on the last, adding more features. This module concentrates on SharePoint 2010 Search.
Additional Reading
SharePoint 2010 Enterprise Search at http://go.microsoft.com/fwlink/?LinkID=192165&clcid=0x409
Key Points
In SharePoint 2007, the search architecture has several limitations:
Only one Search database is shared by the crawl and query components. In larger environments, this introduces latency in both crawling content and querying indexes. There is also a large impact on Microsoft SQL Server resources.
Often, crawling has to be done during nonbusiness hours so as not to interfere with searches during the business day. Consequently, the content is refreshed only once a day.
A single index file stored on the query servers is used, creating a single point of failure and no scalability. If the index file is corrupted or lost, a full crawl has to be completed.
In SharePoint 2010, there are four main components to the search architecture.

Component                 Description
------------------------  ---------------------------------------------------------------
Crawl components          Role of the index servers. Can be scaled out to include additional servers for balancing the index. The crawler is a stateless worker and does not store any of the index on the hard drive. When crawling is complete, it propagates the content to the query servers.
Crawl databases           Both stored in SQL Server, which can be scaled with additional databases and/or servers. The Crawl History database stores the history and logs of past crawls. The Metabase database stores the metadata of searched items.
Index partitions          Role of the query servers. Can be scaled out to include additional index partitions on additional servers.
Administration component  Search Admin database. There is only one, used for the Search Administration page in Central Administration; no need to scale.
During the indexing process, the crawler accesses and reads content items. The process of extracting the information from these files results in a content index that is propagated to the file system of the query server and the Search database in SQL Server. User search queries run against this content index and the Search database. Depending on how much content you have, you may need more than one crawling server. Similarly, depending on the number of users and queries they send, you may need more than one query server to service their requests.
Additional Reading
Whats new in enterprise search at http://go.microsoft.com/fwlink/?LinkID=197049&clcid=0x409
Scaling
Key Points
Using the built-in management tools, you can monitor the usage of your crawlers and query servers. When their performance starts to degrade, you should consider adding more of them. Because of the componentized architecture of SharePoint 2010 Search, you can scale very easily compared with SharePoint 2007 Search. Each crawl server in the farm can crawl different content so that a multithreaded approach can be used to create the index. Also, adding crawl databases relieves input/output (I/O) contention issues because all crawl servers won't be trying to write to the same database at the same time. Multiple query servers allow for load balancing of requests. Also, each query server has a smaller partition of the index. When a query comes in from a user, all query servers are notified and search their part of the index. The results are merged and then presented to the user.
Additional Reading
Search Architectures at http://go.microsoft.com/fwlink/?LinkID=167739
Content Distribution
Crawl Distribution
In SharePoint 2010, you can distribute the crawl role to multiple servers. This allows for built-in load balancing of crawls. You can also create more crawl databases to ease the burden on the hardware. You can override the default load balancing by using host distribution rules. With these rules, you can force certain crawlers to crawl certain content. You can also implement crawler impact rules to reduce the load on the content sources being crawled.
Query Distribution
You can distribute the query role to multiple servers so that users have a faster search experience as a result of load balancing. Crawlers partition the data, called an index partition, and propagate it to each query server. When a user searches, all query servers are notified to look for content. When the content is found, all results are consolidated and sent back to the user.
Administration
Search Administration
After planning and installing SharePoint, you must make sure that the services that make up Search are running on a server in the environment. The Search Administration page shows the following components:

- System status. Configure the default account used to access content, the contact e-mail address, the proxy server information, the scopes update schedule, and whether search alerts and query logging are enabled. Note: These settings must be configured before using the Enterprise Search service.
- Crawl history. Shows you, by content source, the past crawls and any errors that were encountered. It also shows the start time, end time, and duration of each crawl.
- Search application topology. Shows you the components that make up the search architecture. Any crawl, query, administration, or database components are shown here along with their status.
Farm-Level Administration
On the Farm Search Administration page, you can see the following farm-wide settings:

- Proxy server used for the entire farm. A proxy server is used in most organizations to access the Internet. This setting allows you to crawl content that is external to your network.
- Time-out settings for a search. Configure the number of seconds the search system waits when connecting to a content repository.
- Ability to turn Secure Sockets Layer (SSL) certificate warnings on or off. If SSL warnings are on, the crawler will not crawl a site whose host name does not match the name on its SSL certificate. Turning the warnings off makes the crawler accept any certificate name, so leave them on unless a specific internal site cannot be fixed. Note: These settings must be configured before using the Enterprise Search service.

This page also contains links to the Search service application and to the page where you can modify the topology.
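The farm-level settings above can be read and set from the SharePoint 2010 Management Shell. The following is an added example, not part of the course; the proxy address, contact address and time-out values are placeholders.

```powershell
# Added example (not from the course): inspect and set the farm-wide search service
# settings shown on the Farm Search Administration page.
# Assumptions (placeholders): proxy URL, contact e-mail and the 60-second time-outs.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Review the current values before changing anything.
Get-SPEnterpriseSearchService | Format-List

# Proxy for external crawls, contact address, connection/acknowledgement time-outs, and
# SSL warnings left ON ($false = do not ignore) so the crawler refuses a site whose
# certificate name does not match the host it is crawling.
Set-SPEnterpriseSearchService `
    -ProxyType Proxy `
    -ProxyUrl "http://proxy.contoso.com:8080" `
    -ContactEmail "search-admin@contoso.com" `
    -ConnectionTimeout 60 `
    -AcknowledgementTimeout 60 `
    -IgnoreSSLWarnings $false

# Confirm the change took effect.
Get-SPEnterpriseSearchService | Format-List ContactEmail, ConnectionTimeout, AcknowledgementTimeout, IgnoreSSLWarnings
```

The crawler uses the proxy for every content source that is not on the bypass list, so a proxy that logs requests will record every start address the crawler touches; that is useful for auditing what the default content access account reaches outside the network.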
Additional Reading
Post-installation steps for search at http://go.microsoft.com/fwlink/?LinkID=197050&clcid=0x409
Crawl Configuration
Content Sources
SharePoint 2010 enhances content sources and how they are indexed. It now supports more than 400 structured and unstructured content types. You can have up to 500 content sources, each supporting up to 500 start addresses. The content processing algorithms were enhanced to use stronger linguistics, and support for crawling 85 languages has been added. There are also ways to build custom content types for crawling external data through a common connector framework.

After you create an instance of the Search service application, a default content source is created: Local SharePoint sites. Crawls are not performed or scheduled automatically when a Search service application is created unless you perform a basic installation.

When creating a new content source, you select the type of content to be crawled: SharePoint sites, Web sites, file shares, Microsoft Exchange Server public folders, line-of-business data, or custom repositories. By selecting Line Of Business Data, you can choose a Business Data Connectivity (BDC) service application to crawl, either all data sources associated with that service application or just a subset. You can also create new content source types for crawling custom repositories; to do so, you must register a custom connector.

You can schedule full crawls or incremental crawls. You typically use a full crawl only for the first crawl, because it creates the index from scratch and takes a long time to complete. By setting the content source priority for crawls, you can prioritize certain content sources over others.
Crawl Rules
You can configure crawl rules to omit or include certain paths during a crawl. You can use them to keep sensitive data in the farm out of the index so that it is not searchable. Examples:

- Files whose names start with a certain phrase, such as SSN
- All files under a certain folder, such as the Payroll folder
- Certain Web sites or libraries, such as the Completed HR InfoPath forms library

Use Search Administration to create a crawl rule by providing the path that the rule should affect. You can use wildcards (*) to denote all folders or files under a path. You can choose to exclude all items in the path or only those with complex URLs, or to include all items in the path instead. You can also specify different authentication to use for the content source. Note that an exclusion rule only keeps content out of the index; it does not change who can open the content, and results that are indexed are still security-trimmed against item permissions at query time.
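The content source, crawl schedule and exclusion rule from the two topics above, scripted as an added example (not course material). It assumes a file server FS01 sharing C:\Data as \\FS01\Data, a Search service application named "Search Service Application", and an HR site plus crawl account that are placeholders for the "different authentication" case.

```powershell
# Added example (not from the course): file-share content source, hourly incremental crawl,
# an exclusion rule for the Temporary Drafts folder, and an inclusion rule with its own
# credentials. Assumptions (placeholders): FS01, hr.contoso.com, CONTOSO\svc-crawl-hr.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ssa = Get-SPEnterpriseSearchServiceApplication -Identity "Search Service Application"

# Content source of type File with one start address (file:// form of \\FS01\Data).
$cs = New-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa `
        -Name "Data share" -Type File -StartAddresses "file://FS01/Data"

# Incremental crawl every 60 minutes, repeating for the whole day (1440 minutes).
Set-SPEnterpriseSearchCrawlContentSource -Identity $cs -ScheduleType Incremental `
        -DailyCrawlSchedule -CrawlScheduleRepeatInterval 60 -CrawlScheduleRepeatDuration 1440

# Exclusion rule: everything under Temporary Drafts stays out of the index. The rule is
# matched before the crawler fetches an item, so excluded files are never read at all.
New-SPEnterpriseSearchCrawlRule -SearchApplication $ssa `
        -Path "file://FS01/Data/Temporary Drafts/*" -Type ExclusionRule | Out-Null

# Inclusion rule that crawls one site with a dedicated, least-privilege account instead of
# the default content access account. The password is prompted for, never stored in script.
$pw = Read-Host "Password for CONTOSO\svc-crawl-hr" -AsSecureString
New-SPEnterpriseSearchCrawlRule -SearchApplication $ssa `
        -Path "http://hr.contoso.com/*" -Type InclusionRule `
        -AuthenticationType NTLMAccountRuleAccess `
        -AccountName "CONTOSO\svc-crawl-hr" -AccountPassword $pw | Out-Null

# Rules are evaluated in order; list them to confirm the exclusion precedes broader rules.
Get-SPEnterpriseSearchCrawlRule -SearchApplication $ssa | Select-Object Path, Type, Priority

# First crawl of a new source is a full crawl; the schedule handles the incrementals.
$cs.StartFullCrawl()

# Crawl state and counters are exposed on the content source object (refresh it to watch
# progress); non-zero ErrorCount is the cue to open the crawl log.
Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa -Identity "Data share" |
    Select-Object Name, CrawlStatus, CrawlStarted, SuccessCount, WarningCount, ErrorCount
```

The default content access account reads everything the crawler indexes, so it should be a dedicated account with read-only access to the shares and sites being crawled; the per-rule credentials above are the way to give one path a different account without widening the default one.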
Crawl Logs
Crawl logs provide information about all content that was indexed for a particular content source. They can provide insight into why some content was not indexed and any errors that were encountered during the crawl. It is quite possible that after running a full or incremental crawl you lose some of your search results. This could indicate any number of errors, including the following:

- Permission error, such as a changed password on the content access account
- IFilter error, such as a file type for which no IFilter is installed
- Protocol error, such as a protocol that is blocked in the environment
You use a crawl log timer job to schedule how often the logs are refreshed. By default, this interval is set to five minutes, but you can change this in the settings. Using the crawl logs in Search Administration helps you troubleshoot issues with Search and resolve them in a timely manner.
Additional Reading
Manage crawl rules at http://go.microsoft.com/fwlink/?LinkID=197051&clcid=0x409 Best practices for using crawl logs at http://go.microsoft.com/fwlink/?LinkID=197052&clcid=0x409
Query Configuration
Authoritative Pages
You can use authoritative pages to influence the overall search rankings of items in a site. Sites can be added to the following areas:

- Most authoritative pages. Items on these pages show up first in the search results and are ranked higher than the rest. By default, the first Web application created in the farm is added to this field. This is a required field.
- Second-level authoritative pages. These items show up right under the most authoritative pages; their rankings are slightly lower.
- Third-level authoritative pages. Yet another level of authoritative pages that controls search rankings and placement on the results page.
- Sites to demote. Sites placed here are pushed to the bottom of the search results page and are the lowest in the search rankings.
You can also force a refresh after you make any changes to the rankings.
Federated Search
With Federated Search, you can use other search indexes to supplement your own, and vice versa. Use Federated Search when you already have other search systems in place: rather than have SharePoint replicate their indexing, you simply federate results from those repositories. Reasons you might set up Federated Search:

- You need a quick, powerful way to bring results together.
- Data is distributed across many repositories.
- Multiple search interfaces are complicating things for users.
- Size, security, or cost makes crawling infeasible.
- Search already exists on the repositories.

OpenSearch is the common name for a simple set of formats that let search engines and products interoperate. The interface is very simple: searches are sent as HTTP requests, and results come back as Really Simple Syndication (RSS) or Atom feeds. When you plug in other federated OpenSearch providers, you must supply an .osdx file describing each search system. Consider the following before doing so: How will security be implemented? The federated provider is responsible for security trimming its own results, not SharePoint, so whatever the provider returns is what the user sees.
Metadata Properties
When SharePoint Search crawls data, it automatically extracts metadata from the content. You can map these crawled properties to managed properties to drive a taxonomy that users can use to refine search results. The managed property types that you can configure are:

- Text
- Integer
- Decimal
- Date and time
- Yes/no
Also, you can use multiple values at the same time when mapping.
Example
A text type managed property (UserName) is configured and is mapped to the crawl property People:UserName(Text). During a crawl, when content with a UserName attribute is found, it is linked to the UserName managed property. When users search on this content, they can refine the results to only those that are owned by a specific UserName.
Search Scopes
Search scopes are subsets of content from the search index. Users can choose a specific search scope when searching by using the drop-down menu to the right of the search box. You can create search scopes for items such as:

- Project data that needs to be searched separately
- A specific content source that contains data from only one Web site
- An organizational group that needs to see only its own data

A search scope can encompass several other search scopes and can be set at either the service application level or the site administration level. You can also configure a search scope to send users to another search results page when they search on that scope.
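The managed-property example above (UserName mapped to People:UserName) and a search scope for the Data share, done with the search metadata and scope cmdlets. This is an added example, not part of the course; the service application name, the start address file://FS01/Data and the results URL are placeholders, and the crawled property must already exist from a previous crawl.

```powershell
# Added example (not from the course): create a managed property, map a crawled property to
# it, and define a URL-based search scope, then compile scopes so the new one is usable.
# Assumptions (placeholders): service application name, FS01 share, intranet URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ssa = Get-SPEnterpriseSearchServiceApplication -Identity "Search Service Application"

# Managed property types are passed as numbers: 1 Text, 2 Integer, 3 Decimal,
# 4 DateTime, 5 YesNo.
$mp = New-SPEnterpriseSearchMetadataManagedProperty -SearchApplication $ssa `
        -Name "UserName" -Type 1 -Description "Owner of the item"

# Locate the crawled property in the People category (the "People:UserName(Text)" entry
# shown in the UI) and map it. One managed property may map to several crawled properties.
$cp = Get-SPEnterpriseSearchMetadataCrawledProperty -SearchApplication $ssa -Name "UserName" |
        Where-Object { $_.CategoryName -eq "People" } | Select-Object -First 1
if ($cp -eq $null) { throw "Crawled property People:UserName not found; run a crawl first." }
New-SPEnterpriseSearchMetadataMapping -SearchApplication $ssa -ManagedProperty $mp -CrawledProperty $cp | Out-Null

# Retrievable lets the Refinement panel use it; EnabledForScoping lets scope rules use it.
Set-SPEnterpriseSearchMetadataManagedProperty -Identity $mp -SearchApplication $ssa `
        -Retrievable $true -EnabledForScoping $true

# Scope limited to the Data share: a Url/Folder rule includes everything under the path.
$scope = New-SPEnterpriseSearchQueryScope -SearchApplication $ssa -Name "Data share" `
        -Description "Files on the FS01 Data share" -DisplayInAdminUI $true
New-SPEnterpriseSearchQueryScopeRule -SearchApplication $ssa -Scope $scope `
        -RuleType Url -UrlScopeRuleType Folder -MatchingString "file://FS01/Data" `
        -FilterBehavior Include -Url "http://intranet.contoso.com" | Out-Null

# Scopes only take effect after compilation (normally on the scopes update schedule).
$ssa.StartScopesCompilation()

Get-SPEnterpriseSearchQueryScope -SearchApplication $ssa | Select-Object Name, CompilationState, ScopeRuleCount
```

A scope is a convenience filter over the index, not an access control: a user who picks the "Data share" scope sees only items under that path, but an item they cannot open is still removed by security trimming, and an item they can open is still reachable through the default scope.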
Additional Reading
Manage federated locations at http://go.microsoft.com/fwlink/?LinkID=197053&clcid=0x409 Manage metadata properties at http://go.microsoft.com/fwlink/?LinkID=197054&clcid=0x409 Manage search scopes at http://go.microsoft.com/fwlink/?LinkID=197055&clcid=0x409
Search Reporting
Key Points
SharePoint 2010 makes it easy for administrators and users to manage Search. Reports give them a view into their environment. The first step is to make sure that the Web Analytics service application is started in the farm. When users run search queries, Web analytics data is gathered, and every 24 hours the data is processed into reports. The gathering process allows the Web Analytics service to provide automatic Best Bet recommendations to administrators. The data also helps identify I/O issues and memory pressure from crawl and query statistics. The analytics data can be displayed at three different levels:

- Farm level (Central Administration, Monitoring, View Administrative Reports)
- Web application level (Monitoring, View Web Analytics Reports)
- Site collection level (Site Settings, Site Collection Web Analytics Reports)
Additional Reading
Use search administration reports at http://go.microsoft.com/fwlink/?LinkID=197056&clcid=0x409
Scenario
You have installed a new SharePoint 2010 farm to address the needs of employees at Contoso, Ltd., to search for information across both intranet sites and shared folders. You have been asked to prototype a SharePoint search capability on the Information Technology Department Web site and, based on your experience with the prototype, to configure SharePoint to support search requirements.
Create a file named C:\Data\Temporary Drafts\Crawl Rules.txt with the following text:
SharePoint crawl rules allow you to manage the content that is included and excluded.
Copy D:\LabFiles\Lab10\SharePoint Governance Checklist.pdf to C:\Data. Results: After this exercise, you should have created text files in a shared folder.
Perform a search for the keyword excluded. No results are returned. Results: After this exercise, you should have created a content source for the shared folder Data, a crawl schedule, and a crawl rule that excludes files from the Temporary Drafts folder.
Results: After this exercise, you should have created a file type for PDFs.
Add the following element inside the <PropertyDefs> element: <PropertyDef Name="ContosoSummary" DataType="text" DisplayName="Summary"/> Add the following element as the last element in the <ResultType DisplayName="All Results" Name="Default"> element: <PropertyRef Name="ContosoSummary"/> After making your changes, click Save & Close.
Lesson 2
Refining Search
When you refine SharePoint Search in your environment, users have better search results and a more interactive experience when searching for content. This lesson teaches you how to refine Search to improve how it works and how relevant the results are.
Objectives
After completing this lesson, you will be able to:

- Describe the concept of search relevance.
- Use the Refinement panel.
- Understand how to use keywords and Best Bets.
- Eliminate noise words.
- Use the thesaurus.
Relevance
Key Points
Relevance is about how closely the search results returned to the user match what the user wanted to find. Ideally, the results on the first page are the most relevant, so that the user does not have to look through several pages of results to find the best matches. Enterprise Search in SharePoint includes a revamped ranking engine developed in collaboration with Microsoft Research. It is specifically tuned for the requirements of searching enterprise content. The following factors affect search rankings:

- Static and dynamic rank. Dynamic rank depends on how well the query terms match the content and its properties. Static rank is independent of the query and reflects characteristics of the item itself, such as file type and language.
- Authoritative pages. Sites that are manually configured to rank higher than others.
- Social tagging and ratings. In SharePoint 2010, users can tag items or sites that they like so that they can find them more quickly next time, and they can rate items or sites. Both actions increase the relevance of the item.
- Click-through history. The more a search result is clicked, the higher that item's ranking.

Overall search results are also security trimmed: if a user does not have access to a document, that document does not show up in the user's search results.
Additional Reading
Relevance in SharePoint Search at http://go.microsoft.com/fwlink/?LinkID=197057&clcid=0x409
Refinement Panel
Key Points
The Refinement panel is a new feature of SharePoint 2010 Enterprise Search. It allows for faceted searching, so that users who get hundreds of results can narrow them down. Users can filter the results using metadata such as the following:

- File type. For example, Word files, Microsoft Office Excel files, PDFs
- Site. For example, the company intranet, microsoft.com
- Author. For example, Bill, Steve, Nancy
- Modified date
- Taxonomy. For example, specific keywords
You can link these properties to managed properties in Search Administration, but you must edit the Refinement panel Web Part as well to take advantage of any new properties. Because the Web Part is editable, it is extensible to third-party development.
Key Points
Keywords are words that are attached to content to make it easier for users to find specific content when searching. Best Bets are the items that you mark as most relevant for a keyword, and they raise the ranking of that content. When a portal user types a keyword into the search box, the Best Bets for that keyword are displayed prominently in the search results. After you add, edit, or delete a keyword or Best Bet, you must wait until the next scheduled update of the portal content before the change appears in the search results. Because Best Bet results are rendered in their own Web Part, you can move them anywhere on the search page. You can also change the Extensible Stylesheet Language Transformations (XSLT) that is used to display the Best Bet results.
Noise Words
Key Points
Noise words are words that are disregarded during a search. There is a list of predefined noise words out of the box, including words such as it, is, and a. You add noise words by editing the noise word files: there is one list per language plus a language-neutral list, with file names of the form noise*.txt (US English: noiseenu.txt). Adding noise words reduces the size of the index, because you are telling the indexer not to add those words to it. Once a word is on the list, it is also removed from any subsequent search query, so there is no need to re-index the content. The files are read when the search service starts, so restart the service on the query servers after editing them.
Thesaurus
Key Points
You must train SharePoint Search on how some words relate to each other. Out of the box, words such as run and jog are not considered the same. You must build thesaurus files to tell SharePoint how these words interact. This allows users to replace words in a query with other words that they specify or to extend the definition to include other words. A thesaurus file must be built for each language you support in your environment.
Scenario
During the testing of the prototype Search Center on the Information Technology Department Web site, users complained that the relevance of results did not account for the fact that the most important files, at this point, are the files stored in shared folders. Users also pointed out that searches with specific keywords should yield predefined results that are likely to be most useful, and that certain keywords should be treated as synonyms. Finally, the governance committee added a requirement that you prevent searches using keywords that are frowned on by Contoso's employee ethics policies. You are tasked with refining SharePoint Search to meet these expectations.
<br/> </div> </xsl:if> <xsl:if test="$DisplayUrl = 'True'" > <span class="srch-BB-URL"> <a href="{$url}" id="{concat('BBR_U_',$id)}" dir="ltr"> <xsl:value-of select="$url"/> </a> </span> <br/> <br/> </xsl:if> </xsl:if> </xsl:if> </xsl:template>
After making your changes to the Web Part, click Save & Close.
Perform a search for the keyword MOSS. Verify that the number of results is equal to the number of results returned when you searched for sharepoint. Search results appear because searching for MOSS now produces search results for SharePoint through replacement. Perform a search for the keyword WSS. Write down the number of results. More results appear than in Task 1 because searching for WSS also returns results for the term SharePoint Foundation because of expansion. Results: After this exercise, you should have modified the English thesaurus file.
Results: After this exercise, you should have added new noise words and validated the behavior of noise words.
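The thesaurus entries from the previous exercise (MOSS replaced by SharePoint; WSS expanded to SharePoint Foundation) and the noise word additions, written to the English files on disk and followed by the service restart that makes the search service re-read them. This is an added example, not the lab's own steps; it assumes the default install path under the 14 hive and that the service name is OSearch14, and the two noise words are placeholders.

```powershell
# Added example (not from the course): edit the English thesaurus (tsenu.xml) and noise
# word (noiseenu.txt) files and restart the search service. Run on every query server.
# Assumptions (placeholders): default 14-hive data path, service name OSearch14, the
# example noise words. The script backs up each file before changing it.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$configRoot = Join-Path ${env:ProgramFiles} "Microsoft Office Servers\14.0\Data\Office Server\Applications"

# Thesaurus: <replacement> swaps the query term for <sub>; <expansion> treats all <sub>
# values as equivalent, so a query for either term matches both.
$thesaurus = @"
<XML ID="Microsoft Search Thesaurus">
  <thesaurus xmlns="x-schema:tsSchema.xml">
    <diacritics_sensitive>0</diacritics_sensitive>
    <replacement>
      <pat>MOSS</pat>
      <sub>SharePoint</sub>
    </replacement>
    <expansion>
      <sub>WSS</sub>
      <sub>SharePoint Foundation</sub>
    </expansion>
  </thesaurus>
</XML>
"@

foreach ($f in Get-ChildItem -Path $configRoot -Recurse -Filter "tsenu.xml") {
    Copy-Item -Path $f.FullName -Destination "$($f.FullName).bak" -Force
    Set-Content -Path $f.FullName -Value $thesaurus -Encoding UTF8
    Write-Host "Updated thesaurus: $($f.FullName)"
}

# Noise words: one word per line; append only the ones not already listed.
$noiseWords = @("contoso", "intranet")
foreach ($f in Get-ChildItem -Path $configRoot -Recurse -Filter "noiseenu.txt") {
    Copy-Item -Path $f.FullName -Destination "$($f.FullName).bak" -Force
    $existing = Get-Content -Path $f.FullName
    $noiseWords | Where-Object { $existing -notcontains $_ } | Add-Content -Path $f.FullName
    Write-Host "Updated noise words: $($f.FullName)"
}

# Both files are loaded at service start, so restart SharePoint Server Search 14.
Restart-Service -Name OSearch14
Get-Service -Name OSearch14 | Select-Object Name, Status
```

Because these are per-server files, a farm with several query servers must get the same edit on each of them, or results will differ depending on which server answered the query. Keep the .bak copies: a malformed tsenu.xml silently disables the thesaurus rather than raising an error in the UI.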
Review Questions
1. How would you design the architecture for your environment?
2. How can reporting be used to better understand your environment and assess needs for changes to the infrastructure?
3. How can you use relevance tuning to give your users a better search experience?
Module 11
Implementing Productivity Service Applications
Contents:
Lesson 1: Implementing Business Connectivity Services
Lesson 2: Configuring Excel Services
Lesson 3: Understanding PerformancePoint Services
Lesson 4: Implementing InfoPath Forms Services
Lesson 5: Implementing Visio Services Features
Lesson 6: Implementing Access Services
Lesson 7: Implementing Office Web Apps
Lab: Implementing Office Web Apps
Module Overview
When discussing Microsoft SharePoint, it is important to understand that you are working with a business platform. SharePoint is an environment in which you enable different services that act as a gateway to applications and tools that bring business value to the user. SharePoint provides tools you already use and are familiar with in your day-to-day activities. You can configure and enable services that give access to data residing in line-of-business applications, such as ERP systems, or in database environments that host the information that is critical to your business. For example, SharePoint can work as a central repository connected to your organization's help desk environment to keep track of service tickets. Bringing information closer to the user in this way, and presenting it graphically rather than in a tabular format, makes the data more useful and more appealing to the user.
Objectives
After completing this module, you will be able to:

- Describe Business Connectivity Services.
- Configure Excel Services.
- Describe PerformancePoint Services.
- Configure InfoPath Forms Services.
- Implement Visio Services.
- Implement Access Services.
- Install Office Web Apps.
Lesson 1
Business Connectivity Services (BCS) is the gateway to an interconnected approach to data. You can configure data through a central location that allows you to use, reuse, and modify the data. The capability of using BCS as a means to access information that you can then integrate with the profile elements of SharePoint make it an important concept to understand.
Objectives
After completing this lesson, you will be able to:

- Describe BCS.
- Configure BCS.
- Describe Business Data Catalog indexing.
Key Points
BCS is the new name for what was previously called Business Data Catalog (BDC). BDC still exists and is very much a part of the new BCS functionality. BCS is a set of services and features that provide a way to connect SharePoint solutions to sources of external data and to define external content types that are based on that external data. External content types resemble content types in that they use columns to define the information they hold, and they allow external data to be presented and worked with in SharePoint lists (known as external lists) and in:

- Web Parts
- Microsoft Office Outlook
- Microsoft SharePoint Workspace 2010
- Microsoft Office Word 2010

The external systems that can be connected include:

- Microsoft SQL Server databases
- SAP applications
- Web services, including Windows Communication Foundation (WCF) services
- Custom applications
- Web sites based on SharePoint

By using BCS, you can design and build solutions that extend SharePoint collaboration capabilities and the Office user experience to include external business data and the processes that are associated with that data. The goals of BCS are to:

- Bring external data into SharePoint.
- Provide external data in a central location.
- Extend the reach of enterprise data.
- Enable you to easily create and customize solutions.

Custom Solutions

Using BCS, you can create, read, update, delete, and query (CRUDQ) external systems from a Microsoft Office application or a SharePoint site if the external system supports the operations and is appropriately modeled in the BDC service. The core function of BDC is to provide connectivity support to the following types of external systems:

- Databases
- Web/WCF services
- .NET connectivity assemblies
- Custom data sources
In addition to the connectors for the data sources listed above, BDC provides a pluggable framework with which developers can plug in connectors for new external system types, so that these new data source types can also be accessed through BDC. Other changes since Office SharePoint Server 2007:

- In Office SharePoint Server 2007, BDC supported only single-item operations, such as search. BDC now provides batch and bulk operation support, which lets you read multiple items in a single call and reduces round trips to the back end.
- BDC now supports reading blob data, which is useful for streaming blobs from the external system.
- BDC now supports dot notation in field names and therefore lets you read and write complex types.
- BCS provides a set of tools for creating models and Office 2010 application artifacts, declaratively and by writing code. Microsoft SharePoint Designer 2010 can rapidly create composite solutions that meet business unit needs without writing code. Microsoft Visual Studio can create or extend solutions with sophisticated workflows and data that spans structured line-of-business (LOB) systems, unstructured SharePoint or Microsoft Office applications, and Web 2.0 services.
- Developers can use the BDC Runtime object model to write generic applications by using the stereotyped APIs as building blocks. Such applications work against any external system, including those that already exist and those yet to be built. Developers can also write specific applications that make assumptions about the abstract entity model (the fields exposed and their types).
- With the .NET Assembly Connector, the Custom Connector, and the pluggable Secure Store provider, BCS offers a rich extensibility mechanism for software developers.
Key Points
The Business Data Connectivity service is a shared service in SharePoint 2010. It is available in both SharePoint Foundation and SharePoint Server. Important points to understand:

- For SharePoint Server 2010, services are not contained within a Shared Services Provider (SSP) as they were in Microsoft Office SharePoint Server 2007. The infrastructure for hosting services has been moved into SharePoint Foundation 2010.
- You can configure individual services independently, with different sets of administrators. This allows multiple instances of the same service, such as the Business Data Connectivity service.
You can share an instance of the Business Data Connectivity service across server farms. For example, a Business Data Connectivity service can run in a central farm and be accessed from regional locations, so that the same solution is available across these locales while the applied elements are specific to each culture. Within a server farm, you deploy service applications such as the Business Data Connectivity service by one of the following methods:

- Selecting the Business Data Connectivity service while running the Farm Configuration Wizard.
- Adding services individually on the Manage Service Applications page in the Central Administration Web site.
- Using Windows PowerShell.
You can administer shared services, such as the Business Data Connectivity service, in isolation. The administrators of a particular instance of a shared service may only have permissions to administer that service instance and are not necessarily able to administer other services or other features in the Central Administration Web site. This feature, called delegated administration, lets administration be handled by administrators who have expertise in the particular service but who are not members of the central IT organization. For example, an administrator of a Business Data Connectivity service application in an enterprise might be familiar with:

- The particular external content types being managed by that Business Data Connectivity service application
- The solutions supported by it
- The security implemented on the external data sources that provide the data

The administrator would have permissions to administer those objects but would not have permissions to administer other elements of the SharePoint deployment.
Windows PowerShell cmdlets for the Business Data Connectivity service:

Cmdlet: Description
Disable-SPBusinessDataCatalogEntity: Deactivates an external content type in the Business Data Connectivity Metadata Store.
Enable-SPBusinessDataCatalogEntity: Activates an external content type in the Business Data Connectivity Metadata Store.
Export-SPBusinessDataCatalogModel: Exports a Business Data Connectivity Model.
Export-SPSiteSubscriptionBusinessDataCatalogConfig: Exports all data from the Business Data Connectivity Metadata Store associated with a partition.
Get-SPBusinessDataCatalogMetadataObject: Returns a Business Data Connectivity Metadata Store metadata object.
Grant-SPBusinessDataCatalogMetadataObject: Grants a right to a principal for the specified Business Data Connectivity Metadata Store metadata object.
Import-SPBusinessDataCatalogDotNetAssembly: Imports a .NET connectivity assembly into the Business Data Connectivity Metadata Store.
Import-SPBusinessDataCatalogModel: Imports a Business Data Connectivity Model.
New-SPBusinessDataCatalogServiceApplication: Creates a new Business Data Connectivity service application in the farm.
New-SPBusinessDataCatalogServiceApplicationProxy: Creates a new Business Data Connectivity service application proxy in the farm.
Remove-SPBusinessDataCatalogModel: Deletes a Business Data Connectivity Model.
Revoke-SPBusinessDataCatalogMetadataObject: Revokes a right from a principal on the specified Business Data Connectivity Metadata Store metadata object.
Set-SPBusinessDataCatalogMetadataObject: Sets the value of a property or attribute of a Business Data Connectivity Metadata Store metadata object.
Set-SPBusinessDataCatalogServiceApplication: Sets global properties for a Business Data Connectivity service application in the farm.
Import-SPSiteSubscriptionBusinessDataCatalogConfig: Imports data from an exported file that contains all data associated with the Business Data Connectivity Metadata Store for a given partition.
Remove-SPSiteSubscriptionBusinessDataCatalogConfig: Removes the Business Data Connectivity Metadata Store for a partition.
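A typical use of the cmdlets above, as an added example (not course material): import a BDC model, then grant one group the rights it needs on a single external content type and activate it. The model path, the entity name and namespace, the site URL used for the service context and the CONTOSO\Sales group are placeholders; the model file itself is assumed to have been produced with SharePoint Designer or Visual Studio.

```powershell
# Added example (not from the course): import a BDC model and scope permissions on one
# external content type, using the cmdlets from the table above.
# Assumptions (placeholders): model path, Contoso.Crm/Customer entity, site URL, group name.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ctx = Get-SPServiceContext -Site "http://intranet.contoso.com"

# Import only the model. -PermissionsIncluded is deliberately omitted so that whatever
# ACLs were saved inside the .bdcm file are not applied; rights are assigned explicitly.
Import-SPBusinessDataCatalogModel -Path "C:\Models\Contoso.Crm.bdcm" -ServiceContext $ctx -ModelsIncluded

# Locate the external content type (entity) that the model defines.
$entity = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity `
            -Name "Customer" -Namespace "Contoso.Crm" -ServiceContext $ctx
if ($entity -eq $null) { throw "Entity Contoso.Crm/Customer not found after import." }

# Least privilege: Sales can execute the entity's operations and pick it in clients
# (external lists, Outlook), but cannot edit the model or change its permissions.
Grant-SPBusinessDataCatalogMetadataObject -Identity $entity -Principal "CONTOSO\Sales" -Right Execute
Grant-SPBusinessDataCatalogMetadataObject -Identity $entity -Principal "CONTOSO\Sales" -Right SelectableInClients

# Only the BDC administrators may edit the model or set permissions on it.
Grant-SPBusinessDataCatalogMetadataObject -Identity $entity -Principal "CONTOSO\bdc-admins" -Right Edit
Grant-SPBusinessDataCatalogMetadataObject -Identity $entity -Principal "CONTOSO\bdc-admins" -Right SetPermissions

# Entities can be switched off without removing the model; make sure this one is active.
Enable-SPBusinessDataCatalogEntity -Identity $entity

# Models now present in the Metadata Store.
Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Model -ServiceContext $ctx | Select-Object Name, Namespace
```

Granting Execute on the entity controls who may call its operations through SharePoint; it does not change what the back-end system allows, so the credentials the connector uses against the database or service should still be a read-only or otherwise minimal account unless write operations are required.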
Lesson 2
Microsoft Office Excel Services in Microsoft SharePoint Server 2010 is a shared service that you can use to publish Microsoft Office Excel workbooks to a SharePoint server. The published workbooks are available for your users to consume and collaborate on. You can manage and secure any published workbook according to your organizational needs and then share it within your organization. Excel Services extends the value that business intelligence can bring to your organization: you can store data that represents your organization's key business processes, organize that data in a useful manner, and present it as meaningful information. Knowledge workers can act on that information to increase productivity and to provide feedback that improves the underlying business processes.
Objectives
After completing this lesson, you will be able to:

- Describe Excel Services.
- Configure Excel Services.
Key Points
Excel Services in Microsoft SharePoint Server 2010 is designed to help you analyze business data and increase business intelligence. Excel Services is a Microsoft SharePoint Server 2010 shared service that you can use to publish Microsoft Excel client workbooks on SharePoint Server. The published workbooks are available throughout your organization for knowledge workers to use. You can secure and manage any published workbook according to your organizational needs and then share it throughout your organization. With business intelligence, you can store data that represents your organizations key business processes, organize that data in a useful manner, and present that data as meaningful information. Excel Services allows you to use compatible browsers to be able to work with Excel spreadsheets. It accomplishes this with a zero footprint client; you dont have to install any plug-ins in the browsers. This allows heterogeneous platforms to work with Excel workbooks, providing: Better symmetry across Excel and Excel Services. The paradigm changed from refusing to open files, which contain unsupported features to making a best effort to open any workbook. For features partially supported, either cached valuesfor example, query tablesare displayed or the user is notified to remove the feature prior to displaying the workbookfor example, Office Art shapes. More support for common features such as embedded images but also new Excel 2010 features like Sparklines, Slicers, PowerPivot, improved conditional formatting, and improved functions. Continued integration with SharePoint. Continued tight integration with SharePoint for security, content management, version control, document-level compliance, data connection management, service administration, as well as integration between Excel Services, PerformancePoint Services, and other BI-related capabilities shipped in SharePoint 2010. Improved user experience. 
Its an Ajax-based service, which means you can refresh elements of a page instead of having every change require a page refresh. New scrolling which lets you easily and smoothly navigate through your Excel content. Tools for application development. Improvements to the Excel Services Web services, and an introduction of a JavaScript Object Model and a REST API. With these new APIs, both professional
11-12
developers and end users can build business applications, mash-ups, or just provide an easy way to share Excel content beyond the workbook. Unattended service account. Excel Services provides a low privilege unattended service account for users to consume as a single retrieval of data account. Users then can use this as a privileged account in Microsoft Office 2010. Excel Services relies on the Secure Store Service to store the encrypted unattended account. The unattended account credentials are stored or cached as needed per session or connection so that when a workbook is loaded that contains a data connection for the unattended account, this account is called from the Secure Store and used. The Secure Store stores the Excel Services secured data and is present on all SharePoint Server farms. The Secure Store functions regardless of how authentication is configured in a farm. Manage Service Applications. The SharePoint Central Administration Web site contains a link to the Manage Service Applications page, which lists all of the services the user has rights to administer. Essentially, all available services for a particular user or role are collected on the Manage Service Applications page. This page will allow you to manage the specific service you are using. For example, managing Excel Services. Windows PowerShell. Windows PowerShell is capable of providing a complete Excel Services deployment, as well as the unattended installation and deployment of Microsoft SharePoint 2010 products. Administrators who need to look up trusted locations and user-defined functions are now able to do this by using a single Windows PowerShell key. All Stsadm.exe commands used against Excel Servicesspecific settings will fail; instead use the SPServiceApplication Windows PowerShell command. Trusted Locations. Trusted locations are now provided by default; no administrator action typically is needed. 
However, if Universal Naming Convention (UNC) types of trusted folders or locations are used with Excel Services, the administrator must create new trusted locations for these.
Multi-User Collaboration. The multi-user collaborative environment provides multiple users with the ability to edit any workbook simultaneously. (When a user is active, the polling rate is determined by an adaptive algorithm executed on Excel Calculation Services. All edits are processed in the order in which they are received by the ECS, so the last edit overwrites any previous edit to the same workbook cell.)
Delegate services permissions. SharePoint Server contains a new shared service infrastructure that allows the administrator to delegate permissions to manage other services to users.
Slicer feature. The Slicer feature is a new type of data filter in Microsoft Excel 2010 that is interactive, flexible in design and layout, and always conveys the current filtering state. With these data filters, more people benefit from the power of analyzing data using PivotTables and OLAP functions. The Slicer feature gives Excel 2010 authors the ability to easily write OLAP data models and build rich, interactive reports around them. The reports can then be published to Excel Services and will display and interact just as they do in the Excel client. The Slicer feature can also be parameterized by other Web Parts in BI dashboards. The Slicer feature does manual filtering only and does not provide advanced filtering such as label, date, value, and top-10 types of filtering. The Slicer feature can be connected to multiple PivotTables and act as a common, shared filter, so selections made in the Slicer are automatically propagated to all PivotTables that are connected to it. Additionally, the Slicer feature can be formatted by applying styles.
subset of Microsoft Office Excel Web Access functionality that lets an administrator or developer insert JavaScript code on a Web page to affect range navigation, cell values, and other grid operations. The ECMAScript mirrors the Excel Services Web Services API functionality; however, it is not a proxy for this API.
Additional Information
Browser compatibility details at http://go.microsoft.com/fwlink/?LinkID=197236&clcid=0x409
Key Points
Several different settings are configurable from the Service Application management page. Excel Services provides functionality that requires fine tuning depending on the scenario you will be running. Two examples of different scenarios are accounting data being centrally accessed, and high-performing scientific worksheets. While both scenarios are focused on providing numeric meaning to the application they support, their performance values and thresholds may differ based on your requirements. Several elements of Excel Services that can be adjusted and configured are:
Global settings. Defines load balancing, memory, and throttling thresholds to adjust performance. You can also set the unattended service account and data connection timeouts.
Trusted file locations. Defines the places or libraries where spreadsheets can be loaded from.
Trusted data providers. Defines the data providers that can be added or removed when refreshing data connections.
Trusted data connection libraries. Defines a SharePoint document library where data connections can be loaded and accessed from.
User-defined function assemblies. Defines custom-developed code assemblies that provide functionality and data to be used by spreadsheets.
Excel Services Windows PowerShell cmdlets and their descriptions:
Get-SPExcelDataConnectionLibrary. Returns a trusted data connection library or a list of trusted data connection libraries.
Get-SPExcelDataProvider. Returns a safe data provider or a list of safe data providers for Excel Services Application.
Get-SPExcelFileLocation. Returns a trusted file location or a list of trusted file locations for Excel Services Application.
Get-SPExcelUserDefinedFunction. Returns a user-defined function or a list of user-defined functions for Excel Services Application.
New-SPExcelBlockedFileType. Adds a file type to the list of file types that Excel Services Application prevents from being loaded.
New-SPExcelDataConnectionLibrary. Adds a new data connection library to Excel Services Application.
New-SPExcelDataProvider. Adds a new safe data provider to Excel Services Application.
New-SPExcelFileLocation. Adds a new trusted file location to Excel Services Application.
Remove-SPExcelBlockedFileType. Removes an entry from the list of file types that are prevented from being loaded on Excel Services Application.
Remove-SPExcelDataConnectionLibrary. Removes a data connection library from Excel Services Application.
Remove-SPExcelDataProvider. Removes a data provider from Excel Services Application.
Remove-SPExcelFileLocation. Removes a trusted file location from Excel Services Application.
Remove-SPExcelUserDefinedFunction. Removes a user-defined function from Excel Services Application.
Set-SPExcelDataConnectionLibrary. Sets properties of a data connection library for Excel Services Application.
Set-SPExcelDataProvider. Sets properties of a safe data provider for Excel Services Application.
Set-SPExcelFileLocation. Sets properties of a trusted file location for Excel Services Application.
Set-SPExcelUserDefinedFunction. Sets properties of a user-defined function for Excel Services Application.
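The following Windows PowerShell script is an added example, not part of the course text: it uses Get-SPExcelFileLocation and New-SPExcelFileLocation from the list above to audit the trusted file locations of an Excel Services application and to add a narrowly scoped UNC location (the case the Trusted Locations topic says requires administrator action). The parameter and property names Address, LocationType, IncludeChildren, ExternalDataAllowed and UdfsAllowed are assumed from the SharePoint 2010 cmdlet reference; the application name and share path are placeholders.

```powershell
# Added example (not from the course): audit Excel Services trusted file
# locations and add a least-privilege UNC location. Run in the SharePoint 2010
# Management Shell as a farm administrator. Parameter and property names are
# assumed from the SharePoint 2010 cmdlet reference; names and paths below are
# placeholders.

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Select the Excel Services application to audit by name (placeholder name).
$app = Get-SPExcelServiceApplication |
    Where-Object { $_.Name -eq "Excel Services Application" }
if (-not $app) { throw "Excel Services application not found" }

# --- Audit: list every trusted location and flag broad grants ---
# A location that trusts all child paths and also allows external data refresh
# or user-defined functions is the widest grant Excel Services can make, so it
# deserves review against a documented requirement.
$findings = foreach ($loc in Get-SPExcelFileLocation -ExcelServiceApplication $app) {
    $flags = @()
    if ($loc.IncludeChildren)                { $flags += "trusts all child paths" }
    if ($loc.ExternalDataAllowed -ne "None") { $flags += "external data: $($loc.ExternalDataAllowed)" }
    if ($loc.UdfsAllowed)                    { $flags += "UDFs allowed" }

    New-Object PSObject -Property @{
        Address      = $loc.Address
        LocationType = $loc.LocationType
        Flags        = ($flags -join "; ")
    }
}
$findings | Format-Table Address, LocationType, Flags -AutoSize

# --- Change: trust one UNC folder for workbooks that need no data refresh ---
# Only the named folder is trusted (IncludeChildren is left off), external data
# connections are disabled, and UDFs are not allowed. Widen these settings only
# for a documented requirement.
$share = "\\fileserver\workbooks"   # placeholder UNC path

$existing = Get-SPExcelFileLocation -ExcelServiceApplication $app |
    Where-Object { $_.Address -eq $share }

if (-not $existing) {
    New-SPExcelFileLocation -ExcelServiceApplication $app `
        -Address $share `
        -LocationType UNC `
        -ExternalDataAllowed None `
        -Description "Static reporting workbooks; no refresh, no UDFs" | Out-Null
    Write-Host "Added trusted UNC location $share"
} else {
    Write-Host "Trusted location $share already exists; no change made"
}
```

The audit output is what you would compare against the trusted-location change record before and after a modification; a location that appears with all three flags set should be traceable to an explicit business need.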
Lesson 3:
PerformancePoint Services is a business tool that enables you to measure the data complexities of day-to-day performance. By extending your capability to understand business performance, you can deliver better results and identify the points your organization needs metrics for by implementing dashboards, reports, and key performance indicators.
Objectives
After completing this lesson, you will be able to:
Describe PerformancePoint.
List PerformancePoint features.
PerformancePoint Overview
Key Points
PerformancePoint Services is a performance management service that you can use to monitor and analyze your business. It is an extension of the Business Intelligence process that provides tools your organization can use to determine the gains and losses a business needs to be aware of and informed about. Those tools include key performance indicators, easy-to-read charts, and a central repository in the form of a dashboard. PerformancePoint Services gives you the ability to focus on understanding information that's critical to your business in the form of a scorecard, which measures the importance of, for example, sales values and their critical elements when relevant to a geographical location or region. It provides something very similar to a house made of glass: every side you look at provides relevant information to the person who has access to that information. For example, a sales manager will likely see the same information a general manager does, but the meaning of that data will be interpreted differently. PerformancePoint Services allows you to set the level of detail behind the information that those relevant roles need to access. PerformancePoint Services assists organizations in enabling their users to make informed business decisions that match the objectives and strategies your organization has defined. Dashboards, scorecards, KPIs, and reports help drive accountability. Integrated analytics help workers quickly move from monitoring information to analyzing it and, where appropriate, sharing it throughout the organization. Before PerformancePoint Services became part of Microsoft SharePoint Server 2010, Microsoft Office PerformancePoint Server 2007 was a standalone server. Now the functionality of Microsoft Office PerformancePoint Server 2007 is available as an integrated part of the Office SharePoint Server Enterprise license.
PerformancePoint Services retains many of the same features and functions as its predecessor while including additional benefits, enhancements, and new functionality.
PerformancePoint Features
Key Points
PerformancePoint Services include many new and updated features and functionality.
Physical Architecture
For information about the physical architecture, see the diagram in Overview of PerformancePoint Services architecture, http://go.microsoft.com/fwlink/?LinkId=235058, which shows the PerformancePoint Services architecture for farm deployment that utilizes three servers.
PerformancePoint Services Windows PowerShell cmdlets and their descriptions:
Clear-SPPerformancePointServiceApplicationTrustedLocation. Clears all the trusted locations for a PerformancePoint Services application identity.
Get-SPPerformancePointSecureDataValues. Displays unattended service account settings.
Get-SPPerformancePointServiceApplication. Returns a PerformancePoint Services application object and properties.
Get-SPPerformancePointServiceApplicationTrustedLocation. Returns a trusted location object and properties for a PerformancePoint Services application.
New-SPPerformancePointServiceApplication. Creates a new service application for PerformancePoint Services.
New-SPPerformancePointServiceApplicationProxy. Creates a proxy for a PerformancePoint Services application.
New-SPPerformancePointServiceApplicationTrustedLocation. Creates a new trusted location for a PerformancePoint Services application.
Remove-SPPerformancePointServiceApplication. Deletes a PerformancePoint Services application from a farm.
Remove-SPPerformancePointServiceApplicationProxy. Deletes the proxy for a PerformancePoint Services application.
Remove-SPPerformancePointServiceApplicationTrustedLocation. Removes a single trusted location from a PerformancePoint Services application.
Set-SPPerformancePointSecureDataValues. Sets global settings for the unattended service account.
Set-SPPerformancePointServiceApplication. Sets global run-time properties for a PerformancePoint Services application.
Lesson 4:
InfoPath Forms Services supports the deployment and integration of InfoPath browser forms in SharePoint Server 2010. This enables employees, customers, and business partners of an organization to use forms to standardize, customize, and validate data collection. Forms are often deployed as one element in a business solution that uses the broad functionality of the services and features offered in SharePoint Server.
Objectives
After completing this lesson, you will be able to:
Describe InfoPath forms.
Configure the InfoPath forms service.
Key Points
InfoPath Forms Services in Microsoft SharePoint Server 2010 gives you the ability to deploy your organization's forms to Microsoft SharePoint Server and enable users to fill out these forms by using a Web browser. Users can publish form templates to a list or form library in a site collection with InfoPath Forms Services in SharePoint Server 2010, if the form template:
Contains no business logic.
Does not require full trust.
Does not use data connections that are managed by an administrator.
Site collection administrators can also publish user form templates that contain code by using sandboxed solutions. Since user form templates can be deployed by many users, a server can potentially host thousands of user form templates. Even form templates that contain no business logic can cumulatively put a heavy load on the server. Sandboxed solutions enable users to upload form templates with code or data connections in environments without full trust. Sandboxed solutions make connections and execute code in a limited environment, without needing individual approval by administrators, and they cannot include code that requires full trust, such as impersonating accounts by using administrator-level privileges. The level of trust for sandboxed solutions is configured in advance by the administrator. InfoPath Forms Services is an ASP.NET 2.0 Web application. It allows users to fill out business forms online and without InfoPath installed on their client machines. It allows control over your forms solutions by providing centralized management of electronic forms for the entire organization.
A form template designer can create browser-enabled forms in InfoPath and deploy them to IFS. When publishing InfoPath forms, the data validation can be set up as JavaScript and made such that the forms do not post back on validation on the Web pages. Browser-enabled forms can also be targeted at mobile devices. When modifying or upgrading your forms, IFS will help you to manage the versioning process.
Key Points
When configuring InfoPath Forms Services, you can apply many settings to control performance adjustments to the needs of your organization. This is achieved by limiting what the forms can do when being published to end users. Configuration options for user form templates include the following:
Browser-enabled user form templates settings. User form templates, which are form templates that are deployed by non-administrators, can be opened in a browser. Administrators can choose to disable this feature so that only administrator-approved form templates are browser-enabled. They can also configure whether form templates are rendered in the browser. The other option available to access those forms is the InfoPath Filler desktop application.
Authentication and connection settings. Form templates make data connections by using the default authentication methods and authorization settings for the user account in Windows. Administrators can decide to use data connection files with settings that are specific to InfoPath Forms Services. They can set the time-out and response size settings for connections to user form templates. They can also decide to use the Web Service Proxy to authenticate form template requests.
User sessions settings. Forms that are being filled out can generate a large amount of transient data. InfoPath Forms Services uses the Microsoft SharePoint Server State Service to store this data so that repeated round trips to and from the form do not repeatedly transfer this data. Administrators configure the precise settings that are used to fill out forms.
Form templates can use data connection (.udcx) files to specify data connection options for forms that are made from those form templates. The Configure InfoPath Forms Services page contains settings for allowing cross-domain data connections and using data connection files for user form templates. You can configure the following settings for authentication and data connections:
Data connection time-out length and maximum data connection response size.
Authentication settings for user form templates.
Cross-domain access for user form templates.
Designers can use custom code to modify the time-out for a data connection, but the maximum time-out value set by the farm administrator cannot be exceeded. When the custom time-out and maximum time-out values differ, the shorter time-out value is always used.
Data connection files that are used by form templates can be stored in a central data connection library in the Central Administration Web site, or in a data connection library on the same site collection as the form template. Data connection files that are stored in the central library are used by administrator-approved forms. Data connection files that are stored on individual site collections can only be used for forms that are based on form templates in that site collection. Data connection files can be packaged and deployed along with form templates as part of solution packages.
Lesson 5
Microsoft Visio Services in Microsoft SharePoint Server 2010 is a service application that lets users share and view Microsoft Visio Web drawings. The service also enables data-connected Microsoft Visio 2010 Web drawings to be refreshed and updated from various data sources.
Objectives
After completing this lesson, you will be able to:
Describe Visio Services.
Configure Visio Services.
Key Points
The Visio Services Web Part is a very powerful way to connect your Visio process shapes to other Web Parts on the page. There is also a new site definition called the Visio Process repository site that is a central location for storing your Visio diagrams.
OLE DB or ODBC connections
Custom Data Providers implemented as .NET Framework assemblies
Key Points
Visio Services provides you with a range of options to work with in order to provide the best performance possible. Performance is a key element that needs to be addressed when configuring Visio Services: its graphics elements provide great value to your deployment, but at the same time they can affect response time depending on the volume of users you have planned for. The settings can be modified by using Central Administration. The settings are:
Global settings. Manages settings for performance and security. Settings define the maximum size you can use for a Visio drawing to be rendered and also the maximum amount of time, in minutes, that a drawing will remain in cache.
Trusted Data Providers. This setting gives you the capability of adding or removing the data providers (ODBC, OLE DB, or SharePoint lists) that can be used when refreshing or accessing data connections.
Visio Services Windows PowerShell cmdlets and their descriptions:
Get-SPVisioExternalData. Returns the settings for external data connections for a Visio Services application.
Get-SPVisioPerformance. Returns the Visio Services settings for the performance of a Visio Services application.
Get-SPVisioSafeDataProvider. Returns the settings of a safe data provider for a Visio Services application.
Get-SPVisioServiceApplication. Returns properties of a Visio Services application or a collection of Visio Services applications.
Get-SPVisioServiceApplicationProxy. Returns properties of a Visio Services application proxy or a collection of Visio Services application proxies.
New-SPVisioSafeDataProvider. Adds a new safe data provider to a Visio Services application.
New-SPVisioServiceApplication. Creates a new Visio Services application in the farm.
Set-SPVisioExternalData. Configures settings related to external data connections for a Visio Services application.
Set-SPVisioPerformance. Sets the performance settings for a Visio Services application.
Set-SPVisioSafeDataProvider. Sets properties of a safe data provider for a Visio Services application.
Set-SPVisioServiceApplication. Sets the run-time properties of a Visio Services application.
Lesson 6:
Access Services is a service application available in SharePoint Server 2010 that allows users to edit, update, and create linked Access 2010 databases that can be viewed and manipulated by using an Internet browser, the Access client, or a linked HTML page.
Objectives
After completing this lesson, you will be able to:
Describe Access Services.
Publish Access content to SharePoint.
Key Points
Access Services is a service application of Microsoft SharePoint Server 2010 that allows users to edit, update, and create linked Microsoft Office Access 2010 databases that can be viewed and manipulated by using an Internet browser, the Access client, or a linked HTML page. IT professionals and end users can use Access Services to allow the use of Access applications inside a Web browser, to publish and share information across teams, and to create and modify applications where no Access client is available. Access Services allows you to create, edit, and save Access databases in the following ways:
By allowing access and configuration of a Microsoft SharePoint Server database on any computer that can connect to and has permission to use Access Services on a networked computer running SharePoint Server.
By allowing the creation, publishing, and sharing of a SharePoint Server Web database from any computer that can connect to and has permission to publish to a computer that is running SharePoint Server and that has Access 2010 installed.
By allowing the download, modification, and republishing of modified data in an Access Web application from any computer that has Access 2010 installed and can connect to a computer running SharePoint Server.
Key Points
Access 2010 provides templates that allow for quick creation of powerful applications that can address the needs that your users have for a system that allows interaction with data. The interaction with data can be for data retrieval purposes, or to modify data. While those solutions bring the power to their desktop applications, your users can now publish their Access solution to SharePoint and enable rich functionality that presents a solution in a Web-driven format. An Access Database is published as follows:
Access Database becomes a Site
Access Tables become Lists
Access Forms become ASPX Pages
UI Macros map to JavaScript
Data Macros map to SharePoint Workflows
SQL Server 2008 R2 is required for Access Reports to become RDL files
Additional Reading
For more information, read Improving the Reach and Manageability of Access 2010 Database Applications with Microsoft Access Services at http://go.microsoft.com/fwlink/?LinkID=197238&clcid=0x409
Windows PowerShell is a tool for you to manage Access Services and also to automate process management.
Access Services Windows PowerShell cmdlets and their descriptions:
New-SPAccessServiceApplication. Creates a new Access Services application.
Set-SPAccessServiceApplication. Sets properties of an existing Access Services application.
Lesson 7
Within a SharePoint 2010 environment where Microsoft Office Web Apps have been installed and configured, Office Web Apps give you browser-based viewing and editing of Office documents from anywhere you have a connection to your organization's SharePoint site. If you have Microsoft Office 2010, you can save Word, Excel, PowerPoint, and OneNote documents directly from your Office program to SharePoint. Even if you don't have Office 2010, you can store documents in a SharePoint library and start using Office Web Apps right away. There are two different modes to work with here: one is the capability of reading directly from the browser, and the other is editing directly from the browser; each is treated as a different mode. Office Web Apps are a separate download that you can add to the SharePoint Server Enterprise or Standard editions, or to SharePoint Foundation 2010.
Objectives
After completing this lesson, you will be able to:
Describe Office Web Apps.
Configure Office Web Apps.
Key Points
Office Web Apps extend the Microsoft Office programs you already know (Word, PowerPoint, Excel, and OneNote) with the added benefits of anywhere-access and easy sharing. When you click on an Office document that is stored in a SharePoint library, the document opens directly in your browser. The document looks similar in the browser to how it does in the Office program, and Office Web Apps allow you to edit documents in the browser, using the familiar look and feel of Office. Office Web Apps work in some of the most widely used browsers, and are officially supported in Windows Internet Explorer 7 and 8 and Firefox 3.5 for Windows, Mac, and Linux, as well as Safari 4 for the Mac. When you want to make changes beyond what is available in the browser, you can easily open the document in an Office program on your computer, and then save it back to the document library. Office Web Apps make it easier for you to:
Extend your Office experience on the Web. Use the Office tools you are familiar with, in a Web environment.
Work anywhere. A browser is all you need to access your documents.
Work together. Your teammates can work with you on projects regardless of which version of Microsoft Office they have.
To use Office Web Apps in SharePoint, you must have access to a SharePoint 2010 environment where Office Web Apps have been installed and configured. OneNote Web App gives you and your team a centralized place for collecting notes, brainstorming on a topic, or assembling the bits and pieces that will become a formal document. Microsoft PowerPoint Web App extends your Microsoft PowerPoint experience to the Web browser, where you can work with presentations directly on the Web site where the presentation is stored.
PowerPoint Web App is part of Office Web Apps, available in Windows Live SkyDrive and in organizations that have configured Office Web Apps on SharePoint 2010. Broadcast Slide Show is a new capability in Microsoft Office 2010 that enables presenters to broadcast a slide show from Microsoft PowerPoint 2010 to remote viewers who watch in a Web browser. Broadcast Slide Show provides companies with a low-infrastructure presentation broadcast capability that works through the Web. Two kinds of broadcast services are available:
PowerPoint Broadcast Service. By default, PowerPoint 2010 provides all presenters with a link to the public PowerPoint Broadcast Service hosted by Microsoft. This service requires presenters to sign in with a Windows Live ID. Presenters who use this service receive a public Internet link that they can share with anyone on the Internet they invite.
Internal Services. You can host your own broadcast service with Office Web Apps installed on SharePoint 2010 products. You create one or more broadcast services by creating site collections that use the PowerPoint Broadcast site template. You can set permissions for who can use the service through group membership on the site. Up to ten services can be specified.
Key Points
Office Web Apps can be installed in standalone or farm SharePoint 2010 deployments. For both standalone SharePoint servers and SharePoint server farms, deploying Office Web Apps involves three primary phases:
Running setup and PSConfig. Tasks include running Setup.exe and the SharePoint Products and Technologies Post Setup and Configuration Wizard (PSConfig) on a standalone SharePoint server or on each server in a SharePoint server farm. Running Setup.exe installs Office Web Apps files and components on a server. Running PSConfig is required as part of Office Web Apps setup in order to register the Office Web Apps services and, depending on the SharePoint installation type, start the service instances, create the service applications and service application proxies, and activate the Office Web Apps feature.
Activating the Office Web Apps services. Includes starting the service instances, and creating the service applications and service application proxies. Whether you must activate the services will depend on the state of SharePoint and whether PSConfig and the SharePoint Farm Configuration Wizard have previously been run.
Activating the Office Web Apps feature. Includes activating the Office Web Apps feature on all existing SharePoint site collections where the Office Web Apps should be available. If PSConfig or the SharePoint Farm Configuration Wizard has been run before installing Office Web Apps, at least one site collection will exist. The feature will be activated automatically for new site collections created after Office Web Apps is installed.
Scenario
Contoso's strategic objectives for the year set a target for improved employee productivity. SharePoint 2010's collaboration features are a pivotal component to achieving this objective. One initiative related to this project is to provide Microsoft Office client application functionality to users in a variety of scenarios, including remote users on personal computers that may not have Microsoft Office installed. You have been tasked with installing, configuring, and testing Office Web Apps to improve end user productivity.
Open Marketing Strategy. The presentation opens in the browser in view mode.
Click Edit in Browser. The presentation opens in edit mode.
Add a new slide after the existing title slide.
Apply the Title and Content layout.
Add the title, Market Demographics, to the slide.
View the slide show.
Close the presentation.
Results: After completing this exercise, you should have tested the functionality of Office Web Apps.
Review Questions
1. What software applications and SharePoint features are available for working with Office files?
2. What are some options to configure Service Applications?
Module 12
Installing and Upgrading to SharePoint 2010
Contents:
Lesson 1: Installing SharePoint Servers and Farms 12-3
Lesson 2: Upgrading to SharePoint 2010 12-13
Lesson 3: Evaluating Installations and Upgrades 12-25
Lesson 4: Configuring SharePoint Operational Settings 12-28
Lesson 5: Updating SharePoint 12-35
Lab A: Preparing SharePoint 2007 for Upgrade to SharePoint 2010 12-43
Lab B: Upgrading SharePoint 2007 to SharePoint 2010 12-51
Module Overview
This course introduces you to many of the fundamental concepts of Microsoft SharePoint 2010, as well as the basics of how to perform common activities such as installing SharePoint on a server. This module is designed to take that knowledge and apply it to what may seem to be more complex situations and implementations of SharePoint 2010, but which are also common ways that SharePoint 2010 is used by many organizations. This module covers a wide range of operational activities, such as building SharePoint farms consisting of multiple servers, upgrading SharePoint 2007 installations to SharePoint 2010, ensuring the operational stability and utility of your SharePoint farm, and the proper way to keep your environment stable and secure by applying regular updates effectively.
Objectives
After completing this module, you will be able to:
Install SharePoint servers and farms.
Upgrade SharePoint 2007 to SharePoint 2010.
Plan SharePoint installations and upgrades.
Configure operational settings in SharePoint 2010.
Update SharePoint.
Lesson 1
Building a SharePoint farm with multiple servers presents you with far more choices, as well as much more complexity, than does a single-server farm. This lesson introduces the various roles a server can play in a SharePoint farm, common models for deploying servers in a farm, and the actual processes involved in creating a farm with multiple servers.
Objectives
After completing this lesson, you will be able to:
Describe SharePoint server roles.
Describe SharePoint server topologies.
Build a SharePoint farm consisting of multiple servers.
Script the farm-building process.
Build a farm that supports multiple languages.
Slipstream updates into the SharePoint installation hierarchy.
Key Points
SharePoint 2010 can meet the needs and constraints of a broad range of use cases. It serves small teams of five or fewer users, and the largest of enterprises use it as well. It enables collaboration, makes information more discoverable, serves anonymous content to millions of users over the Internet, or does all three at once. To enable this flexibility and complexity, SharePoint assigns servers in a farm various roles that dictate the specific functions and features each server contributes to the overall environment. You can assign multiple roles to a single server, and multiple servers in a farm can have the same role assigned. The SharePoint 2010 server roles are the following:
SharePoint Foundation Web Application Server
Application Server
Query Server (Search)
Crawl Server (Search)
Service Application Server
SQL Server
Key Points
You can consolidate SharePoint server roles on a single server or spread the roles across multiple servers. When moving from one to two servers in a farm, you should always move Microsoft SQL Server to its own server first. Some topologies require additional configuration, such as the creation of a failover cluster for SQL Server, or additional hardware, such as a load-balancing device for Web servers. You typically separate farms with three or more servers into three tiers, according to server roles:
The Web Tier contains servers assigned the Microsoft SharePoint Foundation Web Application Server role. Servers with this role are also known as Web front ends (WFEs). These are the servers responsible for serving content to end users over SharePoint Web pages and Web services.
The Application Tier contains servers assigned the Search Crawl role, the Search Query role, and servers hosting the farm's service applications. The servers in this tier host services such as Search, PerformancePoint Services, Microsoft Office Excel Calculation Services, and other services consumed by the farm's users through SharePoint.
The SQL Server Tier contains servers hosting the farm's SQL Server instance or instances. The servers in this tier host the farm's databases in SQL Server.
Every server farm configuration is unique. You must consider your specific requirements, resources, and constraints when designing your SharePoint 2010 farm.
Key Points
Before building a multiple-server SharePoint farm, identify the server that should host the SharePoint Central Administration Web site; it should be the first server in the farm. Run the SharePoint 2010 installation application to begin installing the platform on the server hosting the Central Administration Web site. Run the SharePoint 2010 Prerequisite Installer on the server. When installing SharePoint, select the Complete Install option.
Create the farm using the SharePoint 2010 Products and Technologies Configuration Wizard before installing SharePoint 2010 on any other servers in the farm. Follow the steps listed previously to install SharePoint on each of the other servers in the farm, and then join each server to the new farm. Once they are joined to the farm, use the Central Administration site or the SharePoint 2010 Windows PowerShell cmdlets to provision the proper service applications on each new server and apply the desired server role (or roles) to it.
Key Points
By scripting the build process for a farm, you can automate both the installation of SharePoint on a server and the creation of the SharePoint farm itself. Scripting ensures that your deployment process is consistent and repeatable. You should script the Microsoft SharePoint Products Preparation Tool (PrerequisiteInstaller.exe) using its command-line switches, which can alternatively be placed in a file named PrerequisiteInstaller.Arguments.txt in the same folder. Note: Switches are documented in the command Help: type PrerequisiteInstaller.exe /?. You must also create an installation configuration file (Config.xml) so that the script installs SharePoint 2010 with the correct options. To extract an example Config.xml file from the installation media, complete the following steps:
1. Open a command prompt on a computer storing the SharePoint installation media and navigate to the directory containing it.
2. Run the following command:
Officeserver.exe /extract:C:\SPInstallation
3. In Windows Explorer, open the C:\SPInstallation\files\setup directory and make a copy of the Config.xml file.
4. Open the copied Config.xml file with Notepad.exe and make the following edits:
a. Provide your product key in the PIDKEY node.
b. Set the SERVERROLE setting to APPLICATION (WFE is the value for a Web front end).
5. Write the build script so that it performs the following steps:
a. Runs PrerequisiteInstaller.exe to automate the installation of the software required to install SharePoint 2010.
b. Calls the installer's Setup.exe with your custom Config.xml file to install SharePoint 2010 on the server.
c. Builds the farm using the SharePoint 2010 Windows PowerShell cmdlets.
d. Installs SharePoint on additional servers and joins them to the farm (this can be done by a separate script if desired).
Key Points
After you have installed SharePoint 2010 on the first server in your farm, your script must call several key SharePoint 2010 cmdlets to begin building the farm, the equivalent of running the SharePoint 2010 Products and Technologies Configuration Wizard during a manual build. To build a farm, your script must run the following cmdlets, in this order:
New-SPConfigurationDatabase. Creates the farm's configuration database and the Central Administration content database; it also sets the farm account and the farm passphrase.
Install-SPHelpCollection. Installs the SharePoint Help files on the server.
Initialize-SPResourceSecurity. Applies the access control lists that secure SharePoint files and registry entries on the server.
Install-SPService. Installs and provisions the SharePoint services in the farm.
Install-SPFeature. Installs the features on the server; use the -AllExistingFeatures switch.
New-SPCentralAdministration. Creates the Central Administration site.
Install-SPApplicationContent. Installs the application content files.
Note: Use the Windows PowerShell Get-Help cmdlet to review the functionality and requirements of each cmdlet before implementing it in your script.
To add a new SharePoint 2010 server to an existing farm, your script must run the following cmdlets:
Connect-SPConfigurationDatabase. Connects the server to the farm's configuration database. It requires the farm passphrase, so prompt for it rather than embedding it in the script.
Install-SPHelpCollection, Initialize-SPResourceSecurity, Install-SPService, Install-SPFeature, and Install-SPApplicationContent. Same usage as described previously.
When you have joined a server to a farm, the farm object returned by the Get-SPFarm cmdlet should list that server among the farm's servers if the process was successful. If it does not, review the SharePoint log files (the PSCDiagnostics and ULS logs in the 14\LOGS folder) to troubleshoot the problem.
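The scripted build described in the preceding pages, as one added example that is not part of the course text: it writes the Config.xml, runs the Preparation Tool and Setup.exe, then either builds the farm or joins an existing one with the cmdlets listed above, and ends with the Get-SPFarm check. The media path, SQL Server name, database names, product key placeholder and farm account are assumptions for illustration; the Config.xml elements are those of the sample file shipped on SharePoint Server 2010 media. Run it in an elevated Windows PowerShell session on the target server.

```powershell
# Added example, not part of the course: scripted install plus farm build or join.
# Assumed (not from the page): the extracted media path, SQL Server name, database
# names, product key placeholder and farm account; change them for your environment.
param(
    [string]$MediaRoot   = 'C:\SPInstallation',   # output of OfficeServer.exe /extract
    [string]$SqlServer   = 'SQL01',
    [string]$ConfigDb    = 'SP2010_Config',
    [string]$AdminDb     = 'SP2010_AdminContent',
    [string]$ProductKey  = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX',
    [string]$FarmAccount = 'CONTOSO\spfarm',
    [switch]$JoinExisting                          # use on every server after the first
)
$ErrorActionPreference = 'Stop'

# 1. Config.xml: the elements of the sample file in files\setup on SharePoint Server
#    media, with the two values the text says to edit (PIDKEY, SERVERROLE) filled in.
$configXml = @"
<Configuration>
  <Package Id="sts">
    <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes" />
  </Package>
  <Package Id="spswfe">
    <Setting Id="SETUPCALLED" Value="1" />
  </Package>
  <Logging Type="verbose" Path="%temp%" Template="SharePoint Server Setup(*).log" />
  <PIDKEY Value="$ProductKey" />
  <Display Level="none" CompletionNotice="no" />
  <Setting Id="SERVERROLE" Value="APPLICATION" />
  <Setting Id="USINGUIINSTALLMODE" Value="0" />
  <Setting Id="SETUP_REBOOT" Value="Never" />
  <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL" />
</Configuration>
"@
$configPath = Join-Path $MediaRoot 'Config.xml'
Set-Content -Path $configPath -Value $configXml

# 2. Prerequisites, unattended. 0 = done; 3010 and 1001 = a reboot is needed, after
#    which this script is simply run again; anything else is a failure to investigate.
$p = Start-Process -FilePath (Join-Path $MediaRoot 'PrerequisiteInstaller.exe') `
        -ArgumentList '/unattended' -Wait -PassThru
switch ($p.ExitCode) {
    0       { }
    3010    { 'Prerequisites installed; reboot and run this script again.'; return }
    1001    { 'Prerequisites need a reboot to continue; reboot and run this script again.'; return }
    default { throw "PrerequisiteInstaller.exe returned $($p.ExitCode); see its log in %TEMP%" }
}

# 3. Binaries, driven by the Config.xml above (no UI, no reboot, Complete install).
$p = Start-Process -FilePath (Join-Path $MediaRoot 'setup.exe') `
        -ArgumentList "/config `"$configPath`"" -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "setup.exe returned $($p.ExitCode); see the setup log in %TEMP%" }

# 4. Build or join the farm with the cmdlets PSConfig would otherwise run. The
#    passphrase and the farm account password are prompted for, never stored here.
Add-PSSnapin Microsoft.SharePoint.PowerShell
$passphrase = Read-Host -AsSecureString 'Farm passphrase'
if ($JoinExisting) {
    Connect-SPConfigurationDatabase -DatabaseName $ConfigDb -DatabaseServer $SqlServer `
        -Passphrase $passphrase
} else {
    $farmCred = Get-Credential $FarmAccount
    New-SPConfigurationDatabase -DatabaseName $ConfigDb -DatabaseServer $SqlServer `
        -AdministrationContentDatabaseName $AdminDb `
        -FarmCredentials $farmCred -Passphrase $passphrase
}
Install-SPHelpCollection -All
Initialize-SPResourceSecurity
Install-SPService
Install-SPFeature -AllExistingFeatures
if (-not $JoinExisting) {
    # One Central Administration site per farm. NTLM until Kerberos SPNs are in place.
    New-SPCentralAdministration -Port 9999 -WindowsAuthProvider 'NTLM'
}
Install-SPApplicationContent

# 5. The check from the text: this server must now appear in the farm's server list.
$farm = Get-SPFarm
$me = $farm.Servers | Where-Object { $_.Name -eq $env:COMPUTERNAME }
if (-not $me) { throw "$env:COMPUTERNAME is not listed in farm $($farm.Name); check the PSCDiagnostics and ULS logs" }
"$env:COMPUTERNAME is in farm $($farm.Name) as role $($me.Role)"
```

Run the script without -JoinExisting on the Central Administration server and with -JoinExisting on every other server. Because the farm passphrase and account password are read interactively, the script can be stored in source control without secrets; if the build has to be fully unattended, retrieve them from a protected store at run time rather than hard-coding them.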
Key Points
On every Web server in the farm running Windows Server 2008, install the system language files from Control Panel, Regional And Language Options. Install only the language files for the language packs you plan to implement in your SharePoint farm. East Asian languages include Chinese, Japanese, and Korean. Complex script and right-to-left languages include Arabic, Armenian, Georgian, Hebrew, the Indic languages, Thai, and Vietnamese.
Install the SharePoint 2010 language packs you plan to implement on every Web server in the farm. After each language pack is installed, run the SharePoint 2010 Products and Technologies Configuration Wizard on each server so that the pack's files are registered in the farm. Note: Do not run the wizard in parallel on multiple servers; it updates the shared configuration database, and concurrent runs can leave the farm in an inconsistent state.
Key Points
Microsoft publishes updates to the SharePoint 2010 software, and you should ensure that your farm is up to date. Updates are covered in full in Lesson 5, Updating SharePoint. However, to integrate updates into a new installation, consider slipstreaming. To slipstream an update means to incorporate it into your SharePoint installation media, on disk or in a shared network location, by placing its files in the Updates folder of the installation files. When you perform an installation from that location, the updates in that folder are applied automatically immediately after the SharePoint binaries are installed, so no separate update operation (as described in Lesson 5) is needed on that server. Slipstreaming affects new installations only; servers that are already installed must be updated with the update package itself. To slipstream an update, first copy the installation disk to a writable location, such as a shared network folder. Then use the /extract option of the update's executable file. For Service Pack 1, for example, use the following command, where the target is the Updates folder of the copied media:
sharepointfoundation2010sp1-kb2460058-x64-fullfile-en-us.exe /extract:D:\SP2010\installfolder\EN\UPDATES
Lesson 2
Many organizations with existing SharePoint 2007 environments plan to upgrade to SharePoint 2010; yours may be one of them. The upgrade process has flexibility built in to fit your organization's capabilities and resources, and it can give site owners control over the upgrade of their individual sites.
Objectives
After completing this lesson, you will be able to:
Determine the prerequisite steps to perform prior to upgrading.
Perform an in-place upgrade.
Perform a database attach upgrade.
Perform a visual upgrade.
Complete the upgrade process.
Upgrade a farm that supports multiple languages.
Preparing to Upgrade
Key Points
To upgrade to SharePoint 2010 successfully, your farm must meet Microsoft-defined prerequisites. Several tools are available to evaluate the current state of a SharePoint 2007 farm and its readiness for upgrade:
SharePoint 2007 Service Pack 2 introduced a new STSADM operation, preupgradecheck (stsadm -o preupgradecheck), which evaluates whether your farm meets those prerequisites and can be upgraded. It generates an HTML report and can be run repeatedly to track the progress of your preparations. Note: The October 2009 SharePoint Cumulative Update (CU) packages improved the preupgradecheck operation; apply that update before using the operation to test and upgrade the farm.
SharePoint 2007 Service Pack 2 and the October 2009 CU also added and enhanced another important STSADM operation, enumallwebs, which lists the sites stored in a content database. Use it to identify orphaned sites, which must be repaired or deleted before an upgrade.
The SharePoint 2010 Test-SPContentDatabase cmdlet can be run from a SharePoint 2010 farm against a copy of a SharePoint 2007 content database to evaluate its readiness for upgrade. It reports missing customizations and files, which is especially important for database attach upgrades (described later).
SPDiag version 2 (included in the SharePoint Administration Toolkit 4.0) gathers a great deal of useful data about your SharePoint 2007 farm. Run it before an upgrade as an additional way to identify issues or errors that may put a successful upgrade at risk.
Two types of upgrades are available to move a SharePoint 2007 farm to SharePoint 2010:
The in-place upgrade reuses the servers of your existing farm and upgrades its binaries and databases to SharePoint 2010 in place.
The database attach upgrade requires additional hardware on which to build a new SharePoint 2010 farm. Copies of your SharePoint 2007 content databases are attached to the new farm and upgraded there.
Test the upgrade process thoroughly before doing it in a production environment. Make a point to document in detail each step necessary to complete the process, identify required information and components, and determine how long the upgrade takes to complete.
Key Points
An in-place upgrade takes a SharePoint 2007 farm's binaries and databases and upgrades them to SharePoint 2010 functionality and settings. As long as your existing farm meets the SharePoint 2010 hardware and software requirements (64-bit Windows Server and 64-bit SQL Server, which many SharePoint 2007 farms do not have), it can be upgraded without purchasing new assets. Another benefit of the in-place upgrade is that it is designed to let a failed upgrade, or one that finished with errors, be restarted at the point of failure so that you do not repeat the successful steps on each attempt. It also offers detailed error reporting and logging to give you insight into the upgrade process.
However, the in-place upgrade is often not the best choice. For large SharePoint 2007 farms, the database attach upgrade offers a much better chance of success because it greatly reduces the complexity, scope, and delivery time of the upgrade. If your hardware is not up to date or is marginal for the SharePoint 2010 base requirements, you are most likely better off procuring new hardware and using the database attach upgrade to move your farm's content to a new SharePoint 2010 farm. Because it reuses the farm's existing servers and infrastructure, the in-place upgrade requires the farm to be unavailable to users during the upgrade, and it takes longer because it upgrades one server at a time. It is also all-or-nothing: once the upgrade starts, you cannot reverse it, and the farm cannot be returned to SharePoint 2007 without a complete rebuild from backups, so take and verify a full farm backup immediately before you begin. Before beginning an in-place upgrade, review the available disk space on each server in your farm; the upgrade process requires considerable storage for its files, logs, and output.
Key Points
Prior to executing the upgrade in a production environment, it is important to test the process in a staging or test environment set up to mirror the content and configuration of your production farm. Testing is an important part of the upgrade because it tells you which items in your farm need updating or fixing beforehand, identifies steps that may have been omitted during planning, and helps you estimate how long the upgrade takes. Understanding how your environment's configuration and content will be upgraded before you start greatly increases your chances of success. Consider using server virtualization for your test environment; it lowers costs and can be reset easily to a known starting point for repeated tests. To upgrade, complete the following steps:
1. Run the SharePoint 2010 installer on every server in the farm to update the installed SharePoint binaries to SharePoint 2010. Do not run the configuration wizard yet.
2. Run the SharePoint 2010 Products and Technologies Configuration Wizard on the server that hosts Central Administration. This upgrades the farm's databases and that server's records in the configuration database.
3. Run the configuration wizard on each of the remaining servers in the farm, one server at a time.
4. You can perform a visual upgrade to move the farm's site collections and sites to the SharePoint 2010 user experience, or postpone it if you find issues or errors when previewing the visual upgrade.
5. Do not allow users back in until the entire farm has been reviewed and validated as functional and properly upgraded.
Key Points
The database attach upgrade is designed to migrate the contents of a SharePoint 2007 farm and upgrade them to SharePoint 2010 by adding them to a new SharePoint 2010 farm. Database attach upgrades allow for content to be moved from SharePoint 2007 to SharePoint 2010 gradually (a content database at a time) as well as in parallel, which can also help to reduce or eliminate downtime required for the upgrade process. It does, on the other hand, require separate hardware and software because the existing SharePoint 2007 environment is not used for the SharePoint 2010 farm, and additional work is necessary to configure the new environment to meet the same specifications as the original. Because a new farm is used to host the content, you may need to update URLs in the SharePoint farm as well as URLs pointing to it to avoid broken links. Finally, it is important to remember that the database attach upgrade method only migrates the content of your SharePoint 2007 environment to SharePoint 2010; no configuration settings or customizations are included in the upgrade.
Key Points
Like the in-place upgrade, thorough testing plays an important role in a successful database attach upgrade. You can use two methods to test the upgrade, and both should be used for the best chance of success:
Using a test environment to verify that the content databases can be attached to the new farm and upgraded to SharePoint 2010.
Running the SharePoint 2010 Test-SPContentDatabase Windows PowerShell cmdlet against the targeted content database to identify potential issues, such as:
Orphaned sites
Missing customizations (including site definitions, features, templates, and assemblies)
To begin the upgrade, you must construct a new SharePoint 2010 farm. When the target farm is built, deploy to it any customizations used by the sites in the SharePoint 2007 content databases to be upgraded, as well as any applicable configuration settings from the SharePoint 2007 farm that are compatible. To perform a database attach upgrade, complete the following steps:
1. Back up the SharePoint 2007 content databases (set them to read-only first so that no content changes after the copy), copy the backups to the SharePoint 2010 farm's SQL Server instance, and restore them there.
2. Attach each restored content database to the SharePoint 2010 farm with the Mount-SPContentDatabase cmdlet; mounting performs the upgrade.
3. You can perform visual upgrades to move the farm's site collections and sites to the SharePoint 2010 user experience, or postpone this if you find issues or errors when previewing the visual upgrade.
4. If desired, migrate the SharePoint 2007 farm's user profiles by creating a new User Profile Service application in the SharePoint 2010 farm and specifying the SharePoint 2007 farm's shared services provider (SSP) database as its profile database; the profile data is upgraded when the service application is created. Mount-SPContentDatabase does not apply here, because the SSP database is not a content database. Note: User profiles are the only part of a SharePoint 2007 SSP database that can be migrated to SharePoint 2010 with the database attach upgrade method.
5.
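The test-then-mount part of the procedure above, as an added example that is not part of the course text: it runs Test-SPContentDatabase against a restored SharePoint 2007 database, refuses to continue while any finding is marked upgrade-blocking, and otherwise mounts the database and checks that the upgrade completed. The database, SQL Server and Web application names are assumptions for illustration.

```powershell
# Added example, not part of the course: test a restored SharePoint 2007 content
# database, stop on upgrade-blocking findings, otherwise mount (and so upgrade) it.
# Assumed (not from the page): database, SQL Server and Web application names. Run on
# a SharePoint 2010 server as a farm administrator with db_owner on the database.
param(
    [string]$Database  = 'WSS_Content_Portal',
    [string]$SqlServer = 'SQL01',
    [string]$WebApp    = 'http://portal.contoso.com',
    [switch]$Mount                               # without it, the script only reports
)
$ErrorActionPreference = 'Stop'
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Test-SPContentDatabase reads the 2007 database without attaching it and lists what
# the target farm lacks (site definitions, features, assemblies, Web Parts) plus
# orphans. UpgradeBlocking marks the findings that would make the mount fail.
$findings = @(Test-SPContentDatabase -Name $Database -DatabaseServer $SqlServer -WebApplication $WebApp)
$blocking = @($findings | Where-Object { $_.UpgradeBlocking })

$findings | Sort-Object UpgradeBlocking -Descending |
    Format-Table Category, Error, UpgradeBlocking, Message, Remedy -AutoSize -Wrap

"{0} finding(s), {1} upgrade-blocking" -f $findings.Count, $blocking.Count
if ($blocking.Count -gt 0) {
    throw "Deploy the missing customizations to the 2010 farm and test again before mounting"
}
if (-not $Mount) { return }

# Mount attaches the database to the Web application and runs the schema upgrade.
# -UpdateUserExperience is deliberately omitted so that the 2007 look is kept and
# site owners can preview the visual upgrade first.
$db = Mount-SPContentDatabase -Name $Database -DatabaseServer $SqlServer `
          -WebApplication $WebApp -Confirm:$false

# Post-check: the database must be attached and no longer flagged for upgrade.
if ($db.NeedsUpgrade) {
    throw "$Database mounted but still needs upgrade; run Upgrade-SPContentDatabase $Database and read the upgrade log"
}
"{0}: {1} site collection(s) attached to {2}" -f $db.Name, $db.CurrentSiteCount, $WebApp
```

Run it once without -Mount in the test farm and fix every blocking finding by deploying the missing solution, feature or site definition to the 2010 farm; findings that are not blocking (a missing Web Part on one page, for instance) can be left for the post-upgrade validation. Only then run it with -Mount, one database at a time, in production.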
Key Points
After completing an in-place or database attach upgrade, the SharePoint 2010 farm's site collections, and their webs (subsites), still have the SharePoint 2007 user interface (UI). The UI, the SharePoint master pages, and the Cascading Style Sheets (CSS) must be upgraded separately using a visual upgrade. Site administrators have the following visual upgrade options:
Keep the previous interface.
Preview the site with the SharePoint 2010 UI.
Update the site to the SharePoint 2010 UI.
Farm administrators can also update the UI of all site collections in the farm using the SharePoint 2010 object model and Windows PowerShell.
Key Points
By previewing the visual upgrade from the site's Site Actions menu, site administrators can spare their users from upgrade errors: if there are issues, they can be resolved before the upgrade is committed. Updating the user interface from the Site Actions menu finalizes the visual upgrade and cannot be rolled back, so site administrators should preview it at least once.
Farm administrators can batch visual upgrades of many site collections with Windows PowerShell and the SharePoint 2010 object model. This method allows a large number of site collections to be updated quickly and consistently. It does not offer preview or rollback options, but because the UI version is a property of each web, farm administrators can set the previous version back using the same process.
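The batch route just described, as an added example that is not part of the course text: it walks every site collection of one Web application through the object model, applies the visual upgrade to those still on the 2007 interface, and with -Revert sets the old interface back web by web. The Web application URL is an assumption for illustration.

```powershell
# Added example, not part of the course: batch visual upgrade for every site
# collection in one Web application through the object model, with a -Revert switch
# that sets the 2007 look back. Assumed (not from the page): the Web application URL.
param(
    [string]$WebApp = 'http://portal.contoso.com',
    [switch]$Revert
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication $WebApp
foreach ($site in $wa.Sites) {
    try {
        if ($Revert) {
            # The UI version is a property of each web (3 = SharePoint 2007 look,
            # 4 = SharePoint 2010), so the batch route can be undone even though the
            # Site Actions menu offers no rollback.
            foreach ($web in $site.AllWebs) {
                try {
                    if ($web.UIVersion -ne 3) {
                        $web.UIVersion = 3
                        $web.UIVersionConfigurationEnabled = $true  # keep the Site Actions option visible
                        $web.Update()
                    }
                } finally { $web.Dispose() }
            }
        } elseif ($site.RootWeb.UIVersion -eq 3) {
            # Same call the Site Actions "Update the user interface" command makes,
            # applied to every web of the site collection at once.
            $site.VisualUpgradeWebs()
        }
        "{0}: UIVersion {1}" -f $site.Url, $site.RootWeb.UIVersion
    } finally {
        $site.Dispose()   # SPSite and SPWeb hold unmanaged resources; always dispose
    }
}
```

Run it first against the Web application in the test farm and spot-check sites with custom master pages, which are the ones most likely to break under the new UI; the -Revert pass is the fallback if a department reports problems after the batch run.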
Key Points
When you have finished the selected type of upgrade, you may still have several tasks to do before the upgrade is complete. Do not consider your farm open for end users until these, or any similar steps you define for your environment, are completed, so that users are presented with a stable and feature-complete SharePoint environment. Depending on the upgrade type, the following may be required:
Configure new services and service applications (in-place upgrades only).
Update user profiles with new taxonomy and social data.
Set up the Secure Store Service and migrate single sign-on (SSO) data (database attach upgrades only).
Update Business Data Catalog components for compatibility with Business Connectivity Services (database attach upgrades only).
Review farm administrator permissions: the database attach upgrade grants farm administrators permissions to all services. If you follow the practice of assigning the least privilege required, restrict this after the upgrade.
Update InfoPath form template links (database attach upgrades only).
If the migrated Web applications use forms-based authentication (FBA), convert them to claims-based authentication (CBA): SharePoint 2010 supports FBA only on claims-based Web applications, and the conversion is one-way.
Validate the upgrade one last time to ensure that it is completely finished and the farm can be opened for use.
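The classic-to-claims conversion that the FBA item above requires, as an added example that is not part of the course text. It switches one Web application to claims-based authentication, keeps a named Windows account in a full-control policy so that nobody is locked out while existing user entries are rewritten, migrates the users and re-provisions the Web application. The Web application URL and the administrator account are assumptions for illustration; the FBA membership and role providers still have to be registered in the web.config files of the Web application, of Central Administration and of the Security Token Service before forms users can sign in.

```powershell
# Added example, not part of the course: convert a classic-mode Web application to
# claims-based authentication so that forms-based authentication can be enabled on
# it. One-way: there is no supported path back to classic mode, so do this in the
# test farm first. Assumed (not from the page): the Web application URL and the
# Windows account that keeps full control through the conversion.
param(
    [string]$WebApp       = 'http://portal.contoso.com',
    [string]$AdminAccount = 'CONTOSO\spadmin'
)
$ErrorActionPreference = 'Stop'
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication $WebApp
if ($wa.UseClaimsAuthentication) { "$WebApp already uses claims authentication"; return }

# 1. Switch the authentication mode on the Web application object.
$wa.UseClaimsAuthentication = $true
$wa.Update()

# 2. Add a full-control policy for one Windows account, written in its claims form
#    (i:0#.w|DOMAIN\user) so that it is valid after the switch.
$wa = Get-SPWebApplication $WebApp            # re-read; the old object is stale
$claim  = (New-SPClaimsPrincipal -Identity $AdminAccount -IdentityType WindowsSamAccountName).ToEncodedString()
$policy = $wa.Policies.Add($claim, 'Claims migration administrator')
$policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole('FullControl'))
$wa.Update()

# 3. Rewrite the existing user entries in every site collection from DOMAIN\user to
#    their claims encoding; $true also updates the user information lists.
$wa.MigrateUsers($true)

# 4. Re-provision so that the web.config on every Web server receives the claims
#    settings; only then can the FBA provider be selected for a zone.
$wa.ProvisionGlobally()
"$WebApp converted; UseClaimsAuthentication = $((Get-SPWebApplication $WebApp).UseClaimsAuthentication)"
```

After the conversion, add the forms provider to the zone in Central Administration (Manage Web Applications, Authentication Providers) and test a sign-in with both a Windows account and a forms account before opening the farm; the policy added in step 2 can be removed once an administrator has confirmed access in claims form.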
Key Points
If your SharePoint 2007 farm had a particular language pack deployed, you must deploy the SharePoint 2010 version of that language pack to your new farm. If you need to change a site's language, do not do it before the upgrade; wait until the site is safely in a SharePoint 2010 farm. It is better to move the site into SharePoint 2010 in a known and stable state than to attempt to update it with a new language first. That way, any changes needed to a site's UI or content for the new language are made only once, in SharePoint 2010, rather than in both SharePoint 2007 and SharePoint 2010. If you need to change the language used on a server in the farm, install the new language's system files and language pack on a new SharePoint 2010 farm, and then use the database attach upgrade to bring the content database into that farm, upgrading the database and its language at once.
Lesson 3
In information technology administration, just as in life, things rarely go exactly as planned. No matter how much you test your installation or upgrade processes (and test them you should), something unforeseen can always occur and cause problems. The goal is not to avoid every obstacle but to be prepared for them: to know how to identify them and to resolve them quickly and effectively. This lesson introduces some of the common ways you can assess the outcome of your operations and act on your findings. It focuses on the ways SharePoint itself can inform you of an error or an issue, but these are not the only tools available to you. Also analyze the stability of your entire environment after an install or upgrade, and never lose sight of your SharePoint farm's ultimate goal: to give your users tools and resources that help them be more productive and successful in their work.
Objectives
After completing this lesson, you will be able to: Review and describe result data. Troubleshoot upgrade errors and issues.
Key Points
Whether you are building a new SharePoint 2010 farm or upgrading from SharePoint 2007, always review the results documentation created by the process. The log files created during an installation or upgrade, and the tools associated with those activities, contain valuable information about the outcome of the activity and about the state of your environment when it completes. The log files generated by these processes include the following:
The SharePoint 2010 Setup.exe log file
The SharePoint 2010 Products and Technologies Configuration Wizard (PSConfig.exe) PSCDiagnostics log file
The SharePoint 2010 Upgrade log files
SharePoint 2010 creates a new log file each time one of these processes runs rather than appending to an old file. You can use tools such as Windows PowerShell and LogParser to improve data extraction and reporting. You can also review the Central Administration site's Check upgrade status page for additional information, and you should run stsadm -o localupgradestatus on every SharePoint server in the farm to review each server's individual status.
Key Points
SharePoint creates a new upgrade log, and a separate log listing only the errors encountered, for each iteration of the upgrade process. Review the contents of every log file associated with the installation or upgrade carefully to verify that the process did not encounter issues or errors. Search the log files for key terms such as Error, Warning, Failure, or Success, and for any items of significance to your situation or environment. If you find issues, resolve those with the broadest impact or scope first before focusing on small problems. The Test-SPContentDatabase cmdlet remains useful after an upgrade, or even an installation: it can be run against a SharePoint 2010 farm's content databases at any time to check their status and health. Do not forget to validate the end-user experience of your SharePoint 2010 farm after it is built or upgraded. Review the following items to ensure that they are fully functional and meet the requirements of your end users:
Verify themes, styles, and images.
Verify permissions.
Identify broken links.
Identify broken, missing, or hidden Web Parts.
Identify large lists that may be throttled by the default list view threshold (5,000 items).
Lesson 4
Even though you may have installed SharePoint 2010 successfully in a new environment, it is not automatically set up and ready for your users. In almost every SharePoint 2010 farm you still must perform several activities, whether you have 1 server or 10 and whether it is a fresh install or an upgrade from SharePoint 2007. This lesson identifies some of the most common activities you need to complete before you can open the farm for business: configuring some of its core components, using a new tool for assessing the health of your SharePoint 2010 farm, establishing additional paths of access to the farm, and setting up the farm to host multiple organizations in isolated site collections.
Objectives
After completing this lesson, you will be able to:
Use the farm configuration wizard tools.
Run the SharePoint Health Analyzer.
Configure alternate access mappings.
Configure email and Short Message Service (SMS) settings.
Enable multi-tenancy.
Set up timer jobs.
Key Points
The Farm Configuration Wizard is a tool new to SharePoint 2010 that helps you complete some of the common tasks needed to get your farm's first SharePoint site up and running, together with the services it needs to deliver content and functionality to end users. It is available to farm administrators on the SharePoint Central Administration Web site. Although administrators can carry out the same tasks manually, through the Central Administration site or with Windows PowerShell cmdlets, the Farm Configuration Wizard is a good way for administrators new to SharePoint 2010 to understand what information its tasks require and to complete them consistently.
What it does:
Configures the service applications you select for your farm, such as Excel Calculation Services or the Managed Metadata service application.
Sets up managed accounts for those service applications, allowing SharePoint to manage the account passwords directly without administrator intervention.
Creates your farm's first content Web application.
What it does not do:
It is not the SharePoint 2010 Products and Technologies Configuration Wizard: the Farm Configuration Wizard configures components and services in the farm, whereas the Products and Technologies Configuration Wizard creates and updates the farm itself.
It does not do fine-grained configuration. The service applications and the Web application it creates still require additional administration before they are fully functional, and it runs all of the selected service applications under a single managed account, which is convenient but coarser than a least-privilege design with separate accounts per service.
Key Points
Another valuable tool for measuring the well-being and stability of your SharePoint farm is the SharePoint Health Analyzer, located in the Monitoring section of the farm's Central Administration Web site. It helps you identify configuration issues in your farm and optimize availability and performance. The Health Analyzer is included with every edition of SharePoint 2010 and comes preconfigured with a full set of health rules.
What it does:
Checks its rules on a schedule (each rule runs as a timer job), and any rule can also be run on demand.
Lets administrators enable or disable rules, change their schedules, and set each rule's scope (all servers or a specific server).
Raises visual alerts in the Central Administration site and can send alerts by email.
Can be extended with custom-developed rules.
What it does not do:
The SharePoint Health Analyzer does not replace a comprehensive monitoring solution such as Microsoft System Center Operations Manager. The SharePoint 2010 Management Pack (MP) for Operations Manager includes the same default rule set as the Health Analyzer, plus additional event and monitoring rules, integration with SharePoint's Unified Logging Service (ULS) logs, and Microsoft Knowledge Base articles that give administrators contextual troubleshooting guidance.
Key Points
Alternate access mappings (AAMs) enable a single SharePoint 2010 Web application to be accessed through multiple URLs. Each Web application has five zones (Default, Intranet, Internet, Custom, and Extranet); each zone has one public URL, to which any number of internal (incoming) URLs can be mapped. The zone names do not dictate how a zone must be used or add any functionality; they are labels. What matters is that SharePoint builds the links it returns from the public URL of the zone on which a request arrived, so a missing or wrong mapping produces links to a host name users cannot reach. Usage scenarios for AAMs include the following:
Reverse proxy access
Load-balanced Web servers
Enabling multiple authentication providers for a site (each zone can use a different provider)
You can create AAMs in the Application Management section of your farm's Central Administration site or with the New-SPAlternateURL Windows PowerShell cmdlet.
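The reverse proxy scenario from the list above, as an added example that is not part of the course text: it gives the Internet zone a public https URL and maps the host name the proxy actually forwards to that zone, then lists the result. The Web application, external name and internal host name are assumptions for illustration.

```powershell
# Added example, not part of the course: alternate access mappings for a Web
# application published through a reverse proxy that terminates TLS. Assumed (not
# from the page): the Web application, the external name and the internal host name.
param(
    [string]$WebApp      = 'http://portal.contoso.com',      # Default zone URL
    [string]$ExternalUrl = 'https://portal.contoso.com',     # what users type and see in links
    [string]$ProxyUrl    = 'http://sp-wfe.corp.contoso.com'  # host header the proxy forwards
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Public URL for the Internet zone: the scheme and host SharePoint writes into links
# for requests that arrive on this zone, even though the Web server itself sees http.
New-SPAlternateURL -WebApplication $WebApp -Url $ExternalUrl -Zone Internet

# Internal URL mapped to that zone: the request as it actually reaches the Web server.
# Without this mapping SharePoint does not recognize the incoming host name, logs a
# warning, and builds links from the Default zone's public URL instead.
New-SPAlternateURL -WebApplication $WebApp -Url $ProxyUrl -Zone Internet -Internal

# Review: one public URL per zone, any number of incoming URLs mapped to it.
Get-SPAlternateURL -WebApplication $WebApp |
    Format-Table UrlZone, IncomingUrl, PublicUrl -AutoSize
```

Because the authentication provider is chosen per zone, placing the proxy on its own zone also lets the externally reachable URL use a different provider (forms or claims from a federation service, for example) from the Default zone used on the intranet.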
Key Points
In SharePoint 2010 you can configure your farm to communicate directly and automatically with its users and administrators by email and by SMS text message. Users receive important notifications quickly, and administrators can both receive and send messages through the farm. On the Central Administration site's System Settings page, you can configure the following:
Outgoing email from the farm to users for access notifications, alerts, task assignments, and so forth.
Incoming email, including messages to administrators from users requesting access or help with issues.
Text messages between your farm and mobile devices.
To configure outgoing email you need a Simple Mail Transfer Protocol (SMTP) server and the From and Reply-To addresses to use. SharePoint 2010 sends without authenticating, so the SMTP server must accept unauthenticated relay from the SharePoint servers' addresses, and it should accept it from nothing else. To configure incoming email you need the SMTP service on the SharePoint server that will receive mail (it can be the same server used for outgoing email) and a drop folder on that server's file system where messages are stored. To configure SMS messaging, you need the URL of your SMS service provider and the account credentials for that service.
Enabling Multitenancy
Key Points
SharePoint 2010's new multitenancy features allow site collections within a single Web application to be grouped, with each group's user experience, profile store, search index, and other resources isolated from the others while still using the shared resources of the farm. You can use multitenancy to deliver hosted SharePoint environments for multiple customers without configuring separate infrastructure for each customer account. Common use cases are the following:
Hosted SharePoint sites as a service for sale to the public, similar to the Microsoft SharePoint Online offerings.
Hosted SharePoint sites as a service provided by a large enterprise to its internal divisions, allowing rapid deployment of sites, segmentation of functionality and information, and shared infrastructure resources.
Delegation of common administrative tasks to tenant administrators.
Key Points
SharePoint 2010 gives administrators much more control over timer jobs: how they are scheduled, when they can run, and where they run. In previous versions, administrators could use the Central Administration site only to check the status of timer jobs and delete failed ones. The Central Administration site's Timer Job Definitions page now enables the following:
Code-free modification of an individual timer job's schedule.
A Run Now option for ad hoc execution of a specific timer job.
Rich information on the status and outcome of a timer job on the timer job status page.
The Timer Job Definitions page also shows what a timer job does, where it runs, and when it runs. To view more detail about the current status of timer jobs, visit the Timer Job Status page. It shows when each timer job is next scheduled to run, which jobs are currently running, any failed jobs, and the execution history of each of the farm's timer jobs.
Lesson 5
Updating SharePoint
When SharePoint is up and running the way you want it, your focus should turn to operational matters: maintaining the environment and ensuring its long-term health and stability. A key maintenance activity for any software platform, and for SharePoint in particular, is applying updates in the form of hotfixes, cumulative updates, and service packs. Whether an update introduces new functionality, enhances existing capabilities, or resolves important issues (including security vulnerabilities), applying it in an effective and timely manner keeps your SharePoint environment secure and robust. Microsoft has done a lot to make applying SharePoint updates more manageable, with specific attention to reducing the downtime required. SharePoint 2010 tolerates servers at different builds within a single farm, so administrators of multiple-server environments can distribute updates gradually through the farm without interrupting service to users.
Note: Microsoft published Service Pack 1 (SP1) in June 2011. New CUs are published every two months.
Objectives
After completing this lesson, you will be able to: Describe the SharePoint update process. Describe SharePoint update types. Update a single-server farm. Update a multiple-server farm.
Key Points
Updating most applications, even complex server-based ones, is usually a matter of running an installer, verifying the result, and declaring the update complete. Because SharePoint stores so much of its configuration in its databases, its update process requires additional planning and consideration. The SharePoint platform is updated in two distinct ways:
Binary updates
Database updates
Binary updates modify the installed SharePoint binaries on each SharePoint server in the farm through installation packages, much like most software updates. Database updates modify the configuration, schema, and content of the farm's SQL Server databases and can be scripted with Windows PowerShell cmdlets; this part of the process is what makes updating SharePoint different. In previous versions of SharePoint, the binaries on every server in a farm and its databases all had to be at the same version; if they were not, the farm could encounter errors, lose functionality, or become completely inoperable. In SharePoint 2010, a farm's binaries can be at a newer build than its databases, which allows updates to be rolled out gradually to meet tight uptime requirements while keeping the platform updated and secure.
The eventual goal of applying updates to SharePoint is still the same: to update the SharePoint environment to the latest and most stable version so that it has the best combination of security and functionality available from Microsoft. This is accomplished by finalizing the update process with the SharePoint Products and Technologies Wizard, bringing all of a farm's components to a consistent version.
Key Points
SharePoint follows Microsoft's standard convention for numbering versions of software products: MMMM.mmmm.BBBB.rrrr, where MMMM indicates the major version of the product, mmmm is the minor version, BBBB is the build number, and rrrr is the revision number, which indicates the type of update the version represents. The two important values to consider when reviewing the version number of a SharePoint installation are the major version number and the build number. The major version indicates the released version of the product; all versions and updates to SharePoint 2010 are marked with a major version value of 14. Because upgrading a farm from SharePoint 2007 to SharePoint 2010 changes the farm's major version from 12 to 14, that process is considered a version-to-version upgrade. The build number indicates the specific level within the major version that SharePoint has been updated to, such as the release to manufacturing (RTM) version or that of a later cumulative update (CU) or service pack (SP). Applying updates to SharePoint is considered a build-to-build upgrade.
Update compatibility ranges define the spectrum of version numbers that servers and databases in a farm can cover and still function cohesively. Service packs should delineate compatibility ranges, meaning that all updates to SharePoint between its RTM release and Service Pack 1 should be in the same compatibility range, while updates made between Service Pack 1 and Service Pack 2 are in a separate compatibility range.
Microsoft makes the following types of updates available:
• Individual updates to resolve specific issues or vulnerabilities as they arise.
• Cumulative updates (CU), which roll up all publicly released updates since the last major update and are released every two months.
• Service packs, which indicate a major update to the platform and include updates as well as new functionality.
Service packs are released very infrequently and should represent the boundary for compatibility ranges. SP1 for SharePoint 2010 was released in June 2011.
Additional Reading
Service Pack 1 for SharePoint Foundation 2010 and SharePoint Server 2010 at: http://go.microsoft.com/fwlink/?LinkId=234972
Service Pack 1 Tutorial at: http://go.microsoft.com/fwlink/?LinkId=234973
Key Points
In a single-server SharePoint 2010 environment, the important point to understand is that downtime or an outage is unavoidable. Because the farm does not include any redundancy, it must be unavailable during the upgrade process to prevent resource contention, data corruption, and fatal errors. Communicate that outage proactively to your farm's users, and also make the farm unavailable during the updates in case the message does not reach all users in time. Always take the time necessary to review the documentation completely for each update prior to installing it, and adjust the following steps according to the installation information included with the update. If at all possible, test the updates in a separate environment prior to deploying them in your production environment, and back up your production environment before updating it: the only way to roll back a SharePoint 2010 update is to rebuild your farm and restore your content to it.
To apply a build-to-build update to a single-server SharePoint farm, complete the following steps:
1. Back up the farm and test the restoration procedure.
2. Obtain the update from Microsoft and copy it to the server.
3. Schedule an outage window during off-peak hours and communicate it to your users.
4. Prior to the advertised outage window, run the update's installer to deploy the binary update to the server's file system.
5. When the outage window begins, make the farm unavailable by stopping its Web sites in Internet Information Services (IIS), and then update the farm's content databases using the Upgrade-SPContentDatabase cmdlet.
6. Finalize the update by running the SharePoint Products and Technology Configuration Wizard.
7. Review the update's log file to verify that the update completed without error.
8. Validate that the farm's sites are fully functional.
9. Back up the farm and test the restoration procedure.
10. Communicate to users that the outage window has ended.
Key Points
The steps to update a SharePoint 2010 farm with multiple servers are similar to those for updating a single-server farm. However, in addition to the obvious changes in scale, more detailed planning is necessary to reduce downtime and issues. Update servers assigned redundant roles in the farm in stages, so that you can shift traffic and workloads to some servers with a given role while the other servers with that role are updated. This allows your farm to continue to function without disrupting service, or at least keeps disruptions to a minimum. You should still alert users about the update activity, because they may experience degraded performance (resulting from a reduction in available resources in the farm), or unforeseen errors may force you to take an outage. As with a single-server farm, always take the time necessary to review the documentation completely for each update prior to installing it, and adjust the following steps according to the installation information included with the update. Make sure to review the documentation carefully for instructions specific to farms with multiple servers. It is still critical to test your update and protect your production environment with a backup prior to starting the update process.
To apply a build-to-build update to a multiple-server SharePoint farm, complete the following steps:
1. Obtain the update from Microsoft and copy it to each server in the farm.
2. Back up the farm and test the restoration procedure.
3. Schedule an outage window during off-peak hours and communicate it to your users.
4. Update the binaries on each SharePoint server in the farm prior to the advertised outage window.
   a. Review the farm's servers to identify each server's role(s) so that you can group together servers with the same roles for updating.
   b. If the farm has load-balanced WFEs, remove half of the cluster's nodes and update them, and then reverse the configuration to ensure optimal uptime.
5. Ensure that the binary update's installer has been run on every server in the farm prior to the outage window.
6. When the outage window begins, update the farm's content databases using the Upgrade-SPContentDatabase cmdlet.
7. Finalize the upgrade by running the SharePoint Products and Technology Configuration Wizard.
8. Review the upgrade's log file to verify that the upgrade completed without error.
9. Validate that the farm's sites are fully functional.
10. Back up the farm and test the restoration procedure.
11. Communicate to users that the outage window has ended.
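As an added example (not code from the course manual), the following script covers the pre-check and content database steps of the two procedures above in the SharePoint 2010 Management Shell: it reads the farm's build version in the MMMM.mmmm.BBBB.rrrr form, reports which servers and content databases still need the build-to-build upgrade, and upgrades the content databases only when every SharePoint server carries the new binaries. It assumes that a server reports NeedsUpgrade = True from the moment the binary installer has run until the configuration wizard has been run on it; the log path is an assumption as well.

```powershell
# Added example, not from the course manual. Assumes the SharePoint 2010
# Management Shell on a farm server, run as a member of SharePoint_Shell_Access
# and WSS_ADMIN_WPG; the log path is an assumption.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Render a MMMM.mmmm.BBBB.rrrr version with the two values that matter for
# build-to-build work: the major version (14 for SharePoint 2010) and the build.
function Format-SPVersion {
    param([Parameter(Mandatory = $true)][version]$Version)
    "{0} (major {1}, build {2})" -f $Version, $Version.Major, $Version.Build
}

# Where the farm stands right now: farm build, plus each server's and each content
# database's NeedsUpgrade flag. Assumption: a server reports NeedsUpgrade = True
# from the moment the binary installer has run until the configuration wizard has
# been run on it, so a False during the outage window means "not yet patched".
function Get-UpgradeReadiness {
    $farm = Get-SPFarm
    Write-Host ("Farm build version: " + (Format-SPVersion $farm.BuildVersion))

    # Role = Invalid is the entry for the SQL Server (and e-mail) hosts; no SharePoint binaries run there.
    $servers = @(Get-SPServer | Where-Object { $_.Role -ne "Invalid" })
    foreach ($s in $servers) {
        Write-Host ("  server {0,-20} role {1,-12} needs upgrade: {2}" -f $s.Address, $s.Role, $s.NeedsUpgrade)
    }
    $dbs = @(Get-SPContentDatabase)
    foreach ($db in $dbs) {
        Write-Host ("  content db {0,-32} needs upgrade: {1}" -f $db.Name, $db.NeedsUpgrade)
    }
    New-Object PSObject -Property @{
        BuildVersion     = $farm.BuildVersion
        UnpatchedServers = @($servers | Where-Object { -not $_.NeedsUpgrade })
        PendingDatabases = @($dbs | Where-Object { $_.NeedsUpgrade })
    }
}

# Outage-window step: upgrade the content databases that need it, but only once
# every SharePoint server carries the new binaries, so the farm never runs a
# database build that its servers cannot serve. Each result is appended to a log
# for the post-upgrade review step.
function Invoke-ContentDatabaseUpgrade {
    param([string]$LogPath = "C:\Upgrade\content-db-upgrade.log")   # assumed location
    $state = Get-UpgradeReadiness
    if ($state.UnpatchedServers.Count -gt 0) {
        $names = ($state.UnpatchedServers | ForEach-Object { $_.Address }) -join ", "
        throw "Binary update not installed on: $names. No database was touched."
    }
    if ($state.PendingDatabases.Count -eq 0) {
        Write-Host "No content database needs upgrading."
        return
    }
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    foreach ($db in $state.PendingDatabases) {
        $start = Get-Date
        try {
            Upgrade-SPContentDatabase -Identity $db -Confirm:$false
            $line = "{0:s} OK   {1} ({2:N0} s)" -f $start, $db.Name, ((Get-Date) - $start).TotalSeconds
        } catch {
            $line = "{0:s} FAIL {1}: {2}" -f $start, $db.Name, $_.Exception.Message
        }
        Write-Host $line
        Add-Content -Path $LogPath -Value $line
    }
}

# Usage: Get-UpgradeReadiness before the window, Invoke-ContentDatabaseUpgrade once it opens.
```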
3. To open the site listing in Notepad, type the following command and press ENTER:
notepad C:\SiteList.xml
4. Delete the following two elements (the entire line of XML):
Site Url="http://intranet.contoso.com"
Site Url="http://intranet.contoso.com/sites/IT"
5. Confirm that the only remaining Site element is for the Sales site collection.
6. Click File, and then click Save.
7. Close Notepad.
8. Switch to Administrator: Command Prompt. To move the Sales site collection from the WSS_Content_Intranet content database to the WSS_Content_Sales content database, type the following command, and then press Enter.
"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\Bin\stsadm.exe" -o mergecontentdbs -url http://intranet.contoso.com -sourcedatabasename WSS_Content_Intranet -destinationdatabasename WSS_Content_Intranet_Sales -operation 3 -filename C:\SiteList.xml
6. Click Format, and then click Word Wrap.
7. Observe the information that is reported for each site collection, including the owner (primary site collection administrator), content database, and storage utilization.
8. Close Notepad.
9. Close Administrator: Command Prompt.
8. Click the Execute button.
9. Confirm that at the bottom of the Results panel, the status indicates Query executed successfully.
10. Repeat steps 6 to 9 to back up and truncate the WSS_Content_Intranet_IT database. Use the following query.
use WSS_Content_Intranet_IT
dbcc shrinkfile ('WSS_Content_Intranet_IT')
dbcc shrinkfile ('WSS_Content_Intranet_IT_log')
go
backup database WSS_Content_Intranet_IT to disk = 'C:\Backups\WSS_Content_Intranet_IT.bak'
go
backup log WSS_Content_Intranet_IT to disk = 'C:\Backups\WSS_Content_Intranet_IT_log.bak'
go
dbcc shrinkfile ('WSS_Content_Intranet_IT')
dbcc shrinkfile ('WSS_Content_Intranet_IT_log')
go
11. Repeat steps 6 to 9 to back up and truncate the WSS_Content_Intranet_Sales database. Use the following query.
use WSS_Content_Intranet_Sales
dbcc shrinkfile ('WSS_Content_Intranet_Sales')
dbcc shrinkfile ('WSS_Content_Intranet_Sales_log')
go
backup database WSS_Content_Intranet_Sales to disk = 'C:\Backups\WSS_Content_Intranet_Sales.bak'
go
backup log WSS_Content_Intranet_Sales to disk = 'C:\Backups\WSS_Content_Intranet_Sales_log.bak'
go
dbcc shrinkfile ('WSS_Content_Intranet_Sales')
dbcc shrinkfile ('WSS_Content_Intranet_Sales_log')
go
12. Repeat steps 6 to 9 to back up and truncate the WSS_Content_MySites database. Use the following query.
use WSS_Content_MySites
dbcc shrinkfile ('WSS_Content_MySites')
dbcc shrinkfile ('WSS_Content_MySites_log')
go
backup database WSS_Content_MySites to disk = 'C:\Backups\WSS_Content_MySites.bak'
go
backup log WSS_Content_MySites to disk = 'C:\Backups\WSS_Content_MySites_log.bak'
go
dbcc shrinkfile ('WSS_Content_MySites')
dbcc shrinkfile ('WSS_Content_MySites_log')
go
Open the C:\Backups folder.
Confirm that the database and log backup files were created.
Close the C:\Backups folder.
Close SQL Server Management Studio. When prompted to save your changes, click No.
2. Select the check box next to Farm.
3. Click Continue to Backup Options.
4. In the Backup location box, type C:\Backups.
5. Do not perform a backup at this time. Click Cancel.
3. Switch to Command Prompt.
4. Review the output of the command.
5. Switch to Internet Explorer.
6. Review the report.
7. Close all open windows and applications.
Review Questions
1. What options are available to administrators when running visual upgrade?
2. Which are the application server roles available?
3. What advantages does scripting a build process offer?
Module 13
Implementing Business Continuity
Contents:
Lesson 1: Protecting and Recovering Content 13-3
Lesson 2: Working with Backup and Restore for Disaster Recovery 13-10
Lesson 3: Implementing High Availability Solutions 13-23
Lab A: Implementing a Backup Strategy 13-33
Lab B: Implementing a Restore Strategy 13-40
Module Overview
This module describes the principles and processes behind business continuity. It identifies possible solutions and which elements of Microsoft SharePoint can help you determine the plan that you implement. The cost that the loss of a system can represent is minimal in comparison to the impact the loss of information can have on an organization. Loss of information can result from many different types of failure; some have natural causes, and others are man-made. Business continuity is defined as the process and procedures that are implemented to outline a plan that sets the path to recovery from a disruption of service and restores access to information within a given time period.
Objectives
After completing this module, you will be able to:
• Describe how to protect and recover content.
• Perform backup and restore operations to mitigate against disasters.
• Implement high availability solutions with SharePoint Server.
Lesson 1
Protecting and Recovering Content
When working as an administrator, one essential task is determining how to protect the information that is part of the lifecycle of your organization. In order to achieve this, you must be able to use features that are an intrinsic part of SharePoint, including version control and the Recycle Bin.
Objectives
After completing this lesson, you will be able to:
• Configure version control.
• Configure and manage the Recycle Bin.
• Use the Site Recycle Bin to restore sites and site collections.
• Import and export content.
Key Points
Version control is a way to store multiple copies of a document. How many copies you store is defined by the historical changes you want to keep for an item. Version control has the following options:
• No versioning. Nothing is stored, and every change overwrites the previous version, leaving no trail.
• Major versions. This represents major changes in the document, and each change becomes a major version.
• Major and minor versions. Documents can exist in two forms: a major version, denoted by a .0, or a minor version, denoted by .1 to .9. This is the most granular setting possible, and it requires the most planning for space considerations.
Key Points
The Recycle Bin is a means of simple content recovery that users can perform in a SharePoint 2010 implementation. The default setting for the Recycle Bin is to be active and to provide a 30-day window within which a user can recover an item without administrator intervention. In order to provide this recovery window, it is important to understand the way the Recycle Bin operates. The Recycle Bin has two stages:
• Stage 1. This first stage of the Recycle Bin is a site-level protection that allows users with Contribute, Design, or Full Control permission to recover items intended for deletion.
• Stage 2. The second-stage Recycle Bin is a site collection-level protection. At this level, information needs to be recovered by the site collection administrator.
The process to go from Stage 1 to Stage 2 depends on the configuration of the Recycle Bin settings in Central Administration. These settings are specific to each Web application. The configurable settings include:
• Enable or disable the Recycle Bin protection
• Define the time in days to keep a given item through the stages
• Define the percentage of the live site quota allocated for Stage 2 items
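The versioning options and the three Recycle Bin settings described above can be audited from the SharePoint 2010 Management Shell; the following is an added example, not the course's or the product's own code. The web application and site URLs and the policy thresholds (30 days from the lesson, a 50 percent Stage 2 quota, which is SharePoint's default) are assumptions.

```powershell
# Added example, not from the course manual. Assumes the SharePoint 2010
# Management Shell; URLs and policy thresholds are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Compare one web application's Recycle Bin settings (the three settings the
# lesson lists) with a retention policy and return each deviation as a string.
function Test-RecycleBinPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$WebApplicationUrl,  # e.g. http://intranet.contoso.com
        [int]$MinRetentionDays = 30,
        [int]$MinSecondStageQuotaPercent = 50
    )
    $wa = Get-SPWebApplication $WebApplicationUrl
    $findings = @()
    if (-not $wa.RecycleBinEnabled) {
        $findings += "Recycle Bin is disabled: deleted items can only come back from a backup"
    }
    # RecycleBinCleanupEnabled = $false is the UI's "Never" option (no time-based deletion),
    # so the retention period only matters while cleanup is on.
    if ($wa.RecycleBinCleanupEnabled -and $wa.RecycleBinRetentionPeriod -lt $MinRetentionDays) {
        $findings += ("Retention is {0} days; policy requires at least {1}" -f $wa.RecycleBinRetentionPeriod, $MinRetentionDays)
    }
    if ($wa.SecondStageRecycleBinQuota -lt $MinSecondStageQuotaPercent) {
        $findings += ("Stage 2 quota is {0}% of the live site quota; policy requires at least {1}%" -f $wa.SecondStageRecycleBinQuota, $MinSecondStageQuotaPercent)
    }
    return ,$findings
}

# Bring a web application to the policy values (enabled, 30 days, Stage 2 quota 50%).
function Set-RecycleBinPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$WebApplicationUrl,
        [int]$RetentionDays = 30,
        [int]$SecondStageQuotaPercent = 50
    )
    $wa = Get-SPWebApplication $WebApplicationUrl
    $wa.RecycleBinEnabled = $true
    $wa.RecycleBinCleanupEnabled = $true
    $wa.RecycleBinRetentionPeriod = $RetentionDays
    $wa.SecondStageRecycleBinQuota = $SecondStageQuotaPercent
    $wa.Update()
}

# List document libraries in a site collection that use "No versioning", where an
# overwrite leaves no trail and the Recycle Bin is the only remaining safety net.
function Get-UnversionedLibraries {
    param([Parameter(Mandatory = $true)][string]$SiteUrl)   # e.g. http://intranet.contoso.com
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                foreach ($list in $web.Lists) {
                    if ($list.BaseType -eq "DocumentLibrary" -and -not $list.Hidden -and -not $list.EnableVersioning) {
                        New-Object PSObject -Property @{
                            Web     = $web.Url
                            Library = $list.Title
                            Mode    = "No versioning"
                        }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Usage (assumed URLs):
# Test-RecycleBinPolicy -WebApplicationUrl "http://intranet.contoso.com"
# Get-UnversionedLibraries -SiteUrl "http://intranet.contoso.com" | Format-Table -AutoSize
```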
Key Points
Before SharePoint 2010 Service Pack 1 was released, if a site or site collection was accidentally deleted, you could only recover it by restoring a previous backup. This operation takes significant administrative time and involves an interruption in service to users. SP1 adds the Site Recycle Bin to SharePoint 2010 so that you can avoid costly restoration operations. When a site or site collection is deleted, it remains in the Site Recycle Bin for the same time period as other content. At any time during this period, you can restore the site or site collection to its original location without resorting to a backup.
Restoring Sites
When a site administrator deletes a SharePoint site, it is automatically placed in the Stage 2 Recycle Bin at the site collection level. Site collection administrators can restore a deleted SharePoint site in exactly the same way as they restore deleted items and documents.
Note: If a site is deleted in Windows PowerShell with the Remove-SPWeb cmdlet, it is not sent to the Site Recycle Bin unless the Recycle parameter is specified. You can also restore sites by using the Restore-SPDeletedSite cmdlet as described below.
If there is only one site collection available to restore, you can restore it with the following command.
Get-SPDeletedSite | Restore-SPDeletedSite
If there is more than one deleted site or site collection, the restoration procedure is slightly more complex because you must pipe the right one to the Restore-SPDeletedSite cmdlet. Start by listing all the deleted site collections.
Get-SPDeletedSite
This command lists the available site collections with their Site IDs. Select the instance you want to restore and use its Site ID with the Restore-SPDeletedSite cmdlet:
Restore-SPDeletedSite -Identity <SiteID>
Where: <SiteID> is the Site ID of the site or site collection you want to restore.
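The selection step above (pick the right entry and pass its Site ID to Restore-SPDeletedSite) can be scripted so that the operator never types a GUID by hand; the following is an added example, not the course's code. It assumes SharePoint 2010 SP1 in the Management Shell, and the SPDeletedSite property names SiteId, Path, DeletionTime and WebApplicationId, as well as the sample path, are assumptions.

```powershell
# Added example, not from the course manual. Assumes SharePoint 2010 SP1 or later
# (Site Recycle Bin) in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Show what is waiting in the Site Recycle Bin: the Site ID the lesson passes to
# Restore-SPDeletedSite, the server-relative path, and when it was deleted.
# (Property names SiteId, Path, DeletionTime, WebApplicationId are assumptions.)
function Get-DeletedSiteReport {
    Get-SPDeletedSite -Limit All |
        Sort-Object DeletionTime -Descending |
        Select-Object SiteId, Path, DeletionTime, WebApplicationId
}

# Restore the deleted site collection at a given server-relative path. The same
# path can appear more than once (deleted, recreated, deleted again), each copy
# with its own Site ID, so refuse to guess unless the caller asks for the newest.
function Restore-DeletedSiteByPath {
    param(
        [Parameter(Mandatory = $true)][string]$Path,   # e.g. "/sites/IT" (assumed)
        [switch]$Latest
    )
    $candidates = @(Get-SPDeletedSite -Limit All | Where-Object { $_.Path -eq $Path })
    if ($candidates.Count -eq 0) {
        throw "No deleted site collection with path '$Path' is in the Site Recycle Bin."
    }
    if ($candidates.Count -gt 1 -and -not $Latest) {
        $candidates | Format-Table SiteId, DeletionTime -AutoSize | Out-String | Write-Host
        throw "Path '$Path' matches $($candidates.Count) deleted site collections; re-run with -Latest or use Restore-SPDeletedSite -Identity <SiteID>."
    }
    $target = $candidates | Sort-Object DeletionTime -Descending | Select-Object -First 1
    Write-Host ("Restoring {0} (Site ID {1}, deleted {2})" -f $target.Path, $target.SiteId, $target.DeletionTime)
    Restore-SPDeletedSite -Identity $target.SiteId -Confirm:$false

    # Verify: the site collection must resolve again at its original URL.
    $wa = Get-SPWebApplication | Where-Object { $_.Id -eq $target.WebApplicationId }
    $url = $wa.Url.TrimEnd('/') + $target.Path
    $site = Get-SPSite -Identity $url -ErrorAction Stop
    try {
        Write-Host ("Restored: {0} ({1} webs)" -f $site.Url, $site.AllWebs.Count)
    } finally {
        $site.Dispose()
    }
}

# Usage: Get-DeletedSiteReport | Format-Table -AutoSize; then Restore-DeletedSiteByPath -Path "/sites/IT"
```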
Key Points
The import and export feature provides a level of granularity that is useful when working with sites, lists, or libraries. It provides a quick and simple way of protecting selected content. Import and export operations can be centrally managed by using Central Administration or by taking advantage of Windows PowerShell.
Exporting Content
The export option in SharePoint gives you a very granular level of control over the content that you want to extract, such as sites, lists, and libraries. The export process creates a file that contains the information you select. To export content using Windows PowerShell:
1. On the Start menu, click All Programs.
2. Click Microsoft SharePoint 2010 Products.
3. Click SharePoint 2010 Management Shell.
4. At the Windows PowerShell command prompt (that is, PS C:\>), type the following command, and then press ENTER:
Export-SPWeb -Identity <Site URL> -Path <Path and file name> [-ItemUrl <URL of site, list, or library>] [-IncludeUserSecurity] [-IncludeVersions] [-NoFileCompression] [-GradualDelete] [-Verbose]
Importing Content
The import option in SharePoint lets you bring in content in a granular style. It allows you to select the items that are needed from an export that was performed previously from a backup or from read-only databases.
To import content using Windows PowerShell:
1. On the Start menu, click All Programs.
2. Click Microsoft SharePoint 2010 Products.
3. Click SharePoint 2010 Management Shell.
4. At the Windows PowerShell command prompt (that is, PS C:\>), type the following command, and then press Enter.
Import-SPWeb -Identity <Site URL> -Path <Export file name> [-Force] [-NoFileCompression] [-Verbose]
Note: It is important that you do not rely on import and export to replace backup and restore procedures.
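As an added example (not code from the course manual), the following functions wrap the Export-SPWeb and Import-SPWeb syntax shown above so that an export carries all versions and item permissions, is checked for errors in its export log, and is fingerprinted so the package can be verified before it is imported. The site, list and file paths are assumptions, as are the "<package>.export.log" file name and its "Completed with N errors." summary line.

```powershell
# Added example, not from the course manual. Assumes the SharePoint 2010
# Management Shell; site, list and file paths are assumptions, as is the
# "<package>.export.log" name and its "Completed with N errors." summary line.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# SHA-256 of a file, recorded at export time so the package can be checked for
# tampering or corruption before it is ever imported.
function Get-FileSha256 {
    param([Parameter(Mandatory = $true)][string]$FilePath)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($FilePath)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString("x2") }) -join ""
    } finally {
        $stream.Close()
    }
}

# Export one list or library with all versions and its item-level permissions,
# then read the export log and refuse to report success if it records errors.
function Export-ListPackage {
    param(
        [Parameter(Mandatory = $true)][string]$SiteUrl,      # e.g. http://intranet.contoso.com/sites/IT
        [Parameter(Mandatory = $true)][string]$ListUrl,      # server-relative, e.g. /sites/IT/Lists/Contracts
        [Parameter(Mandatory = $true)][string]$PackagePath   # e.g. C:\Exports\contracts.cmp
    )
    New-Item -ItemType Directory -Path (Split-Path $PackagePath) -Force | Out-Null
    Export-SPWeb -Identity $SiteUrl -ItemUrl $ListUrl -Path $PackagePath `
        -IncludeUserSecurity -IncludeVersions All -Force

    # Export-SPWeb writes its log beside the package unless -NoLogFile is given (assumed name).
    $log = "$PackagePath.export.log"
    $summary = Select-String -Path $log -Pattern "Completed with (\d+) errors" | Select-Object -Last 1
    if ($summary -eq $null) {
        throw "Export log $log has no completion summary; treat the export as failed."
    }
    $errorCount = [int]$summary.Matches[0].Groups[1].Value
    if ($errorCount -ne 0) {
        throw "Export of $ListUrl completed with $errorCount errors; see $log."
    }
    New-Object PSObject -Property @{
        Package = $PackagePath
        Log     = $log
        Sha256  = Get-FileSha256 -FilePath $PackagePath
    }
}

# Import the package only if its hash still matches the one recorded at export.
# -UpdateVersions Overwrite replaces what is on the target; Append would keep both.
function Import-ListPackage {
    param(
        [Parameter(Mandatory = $true)][string]$SiteUrl,
        [Parameter(Mandatory = $true)][string]$PackagePath,
        [Parameter(Mandatory = $true)][string]$ExpectedSha256
    )
    $actual = Get-FileSha256 -FilePath $PackagePath
    if ($actual -ne $ExpectedSha256.ToLower()) {
        throw "Package $PackagePath does not match the recorded hash; not importing."
    }
    Import-SPWeb -Identity $SiteUrl -Path $PackagePath -IncludeUserSecurity -UpdateVersions Overwrite -Force
}

# Usage: $pkg = Export-ListPackage -SiteUrl ... -ListUrl ... -PackagePath ...; keep $pkg.Sha256 with the package.
```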
Additional Reading
Export a site, list or document library at http://go.microsoft.com/fwlink/?LinkID=197239&clcid=0x409
Import a list or document library at http://go.microsoft.com/fwlink/?LinkID=197240&clcid=0x409
Lesson 2
Working with Backup and Restore for Disaster Recovery
You can recover from various disaster scenarios if you have a well-defined plan that describes the actions that you must take in a given situation and the processes you must complete after a system failure or instance of data loss.
Objectives
After completing this lesson, you will be able to:
• Define disaster recovery.
• Protect your content by using backup.
• Protect your farm deployments by using backup.
• Perform backup operations to protect your configuration.
• Protect customizations.
• Use restore to recover from disasters.
• Use Microsoft System Center Data Protection Manager (DPM) 2010.
Key Points
As a SharePoint administrator, you are responsible for implementing an effective disaster recovery solution that meets the needs of your users, takes your organization's goals into consideration, and, overall, delivers a platform that offers healthy and functional operations. Disaster recovery is the process of bringing the SharePoint solution back to a healthy and functional operational state after a failure or disaster. It is important to define and understand the metrics that dictate the effectiveness of the process: the Recovery Point Objective (RPO), the amount of data that may be lost and must be recovered, and the Recovery Time Objective (RTO), the time that will elapse before the solution is back online in a recovered, operational state. These values are not collected for their own sake: the plan you define must be part of the considerations that go into your Service Level Agreement (SLA) and your Operational Level Agreement (OLA). The SLA is the overall agreement between IS/IT and the business department. OLAs are agreements between different IS/IT departments and the Service Level Manager.
Key Points
When working with backups, you are creating a copy of data that is used to restore and recover that data in the event of a system failure. If your backup strategy is sound, you have a greater chance of recovering from many system failures, including the following:
• Media failure
• User errors (such as accidental content deletion)
• Hardware failures (for example, a failed hard disk or permanent loss of a server)
• Natural disasters
When considering SharePoint content, you should focus on working with items that are stored in a site collection; this is a common way to add a level of safety to protecting content beyond version control and the stages of the Recycle Bin. There are several features you can take advantage of when running backups of a site or site collection:
• Executing backups from Central Administration.
• Executing backups of content databases by using Microsoft SQL Server administration tools such as SQL Server Management Studio.
Granular Backups
In SharePoint 2007, granular backup and restore operations were only available by using STSADM. SharePoint 2010 has integrated granular backup and restore operations into both Central Administration and Windows PowerShell. Granular backup operations can be performed from Central Administration or Windows PowerShell; granular restore operations are only available using Windows PowerShell. SharePoint 2010 offers more flexible options in terms of what can be backed up and restored. It is possible to back up and restore site collections, sites, lists, document libraries, and items. The options for performing granular backups using Central Administration are:
• Perform a site collection backup.
• Export a site or list.
• Recover data from an unattached content database.
The granular backup and export architecture uses a Transact-SQL query and export calls. This process results in a more read-intensive and processing-intensive operation than farm backup. A farm backup will capture most of the information with regards to configuration and content in a SharePoint deployment. From the granular backup system, a user can back up a site collection, or export a site or list. If your database implementation is based on Microsoft SQL Server Enterprise Edition, the granular backup system can make use of SQL Server database snapshots to ensure that data remains consistent while the backup or export is in progress. When a snapshot is requested, the SQL Server database snapshot of the appropriate content database is taken. SharePoint Server uses it to create the backup or export package, and then the snapshot is deleted. Database snapshots and their originating database are linked. If for any reason the originating database were to become deleted or unavailable, this would affect the snapshot as well.
Additional Reading
To back up a site collection: http://go.microsoft.com/fwlink/?LinkID=197243&clcid=0x409
Back up a content database: http://go.microsoft.com/fwlink/?LinkID=197242&clcid=0x409
Key Points
It is recommended that your backup plan include backing up the complete farm, both the configuration and the content. Regular backups of the farm greatly reduce the possibility of data loss caused by hardware failures, power outages, or other elements that may impact your environment. Performing a backup does not affect the state of the farm. It does require resources, however, and has the potential to affect farm performance while the backup process is taking place.
Considerations
• To avoid performance issues, run backups of the farm during off hours.
• Backing up the farm backs up the configuration and Central Administration content databases, but these cannot be restored using Microsoft SharePoint Server 2010 tools.
• In order for SharePoint Server 2010 to back up remote Binary Large Objects (BLOBs), the FILESTREAM remote BLOB store provider must be used. This allows the BLOBs to be stored safely. If you are using another provider, you must manually back up the remote BLOB stores.
• The farm backup process does not back up any certificates that you used to form trust relationships. Ensure that you have copies of those certificates before you back up the farm. You must re-establish these trust relationships after restoring the farm.
• If you are using SQL Server with Transparent Data Encryption (TDE), and you are backing up your environment by using SharePoint tools or SQL Server tools, the TDE encryption key is not automatically backed up or restored. You must back up the key manually. When restoring, you must manually restore the key before restoring the data.
A farm backup includes all elements of the server farm. It is considered a full backup.
Considerations:
• Farm backups cannot be restored to other product versions.
• Downgrade and upgrade topologies with farm backup and restore are not possible.
• The destination farm must have the same topology as the original farm.
Additional Reading
To back up a farm: http://go.microsoft.com/fwlink/?LinkID=197244&clcid=0x409
Key Points
You should perform backups at the farm level; however, there are circumstances that may require you to perform certain types of backups that align more closely with business requirements, such as configuration or service application backups. When performing a farm backup, the configuration information is included, but you cannot recover the configuration data without performing a full farm restore. If the configuration changes and no other element within the farm is affected, it is good practice to back up the configuration settings. Service application backups allow you to be granular, backing up only the services you need. For example, Access Services is not critical, but the items for Excel Services are.
Considerations:
• You cannot use SQL Server tools or Data Protection Manager (DPM) to back up the farm configuration.
• Backing up the farm configuration will not back up the information you have to have to restore service applications. If you want to restore a service application, you must perform a configuration and content backup of the farm or service application.
When performing a service application backup for the first time, you need to use the Full option. This defines a marker so Differential backups can be used.
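The Full-then-Differential rule above can be enforced from the SharePoint 2010 Management Shell by consulting the backup catalog before each run; the following is an added example, not the course's or the product's own code. It assumes a backup directory readable by the Timer service and SQL Server service accounts, a service application item path as listed by Backup-SPFarm -ShowTree, and the element names of the spbrtoc.xml catalog (SPHistoryObject, SPTopComponent, SPBackupMethod, SPErrorCount and so on), all of which are assumptions.

```powershell
# Added example, not from the course manual. Assumes the SharePoint 2010
# Management Shell; the backup directory, the item path and the spbrtoc.xml
# element names are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Read the catalog (spbrtoc.xml) that Backup-SPFarm maintains in the backup
# directory and return the recorded backups of one component.
function Get-BackupCatalogEntries {
    param(
        [Parameter(Mandatory = $true)][string]$Directory,
        [Parameter(Mandatory = $true)][string]$Item
    )
    $toc = Join-Path $Directory "spbrtoc.xml"
    if (-not (Test-Path $toc)) { return @() }
    $xml = [xml](Get-Content $toc)
    @($xml.SPBackupRestoreHistory.SPHistoryObject | Where-Object {
        $_.SPIsBackup -eq "True" -and $_.SPTopComponent -eq $Item
    })
}

# The first backup of a component must be Full (it is the marker a Differential
# builds on); after a successful Full, a Differential is enough between scheduled
# Fulls. The result is verified from the catalog, not from the cmdlet returning.
function Backup-ServiceApplicationItem {
    param(
        [Parameter(Mandatory = $true)][string]$Directory,  # e.g. \\backup01\spbackup (assumed)
        [Parameter(Mandatory = $true)][string]$Item        # item path from Backup-SPFarm -ShowTree (assumed)
    )
    $fulls = @(Get-BackupCatalogEntries -Directory $Directory -Item $Item |
        Where-Object { $_.SPBackupMethod -eq "Full" -and [int]$_.SPErrorCount -eq 0 })
    $method = if ($fulls.Count -eq 0) { "Full" } else { "Differential" }
    Write-Host ("{0} backup of '{1}' ({2} prior successful full backups)" -f $method, $Item, $fulls.Count)

    Backup-SPFarm -Directory $Directory -BackupMethod $method -Item $Item

    # The newest catalog entry for this item must record zero errors.
    $latest = Get-BackupCatalogEntries -Directory $Directory -Item $Item |
        Sort-Object { [datetime]::Parse($_.SPStartTime) } -Descending |
        Select-Object -First 1
    if ($latest -eq $null) {
        throw "No catalog entry was written for '$Item'; treat the backup as failed."
    }
    if ([int]$latest.SPErrorCount -ne 0) {
        throw "Backup of '$Item' recorded $($latest.SPErrorCount) errors; review spbackup.log in $($latest.SPBackupDirectory)."
    }
    New-Object PSObject -Property @{
        Method    = $latest.SPBackupMethod
        Directory = $latest.SPBackupDirectory
        Warnings  = [int]$latest.SPWarningCount
        Errors    = [int]$latest.SPErrorCount
    }
}

# Usage: Backup-ServiceApplicationItem -Directory "\\backup01\spbackup" -Item "<item path from Backup-SPFarm -ShowTree>"
```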
Protecting Customizations
Key Points
Customizations to SharePoint sites can include the following:
• Custom DLLs, assemblies that have been deployed to the global assembly cache (GAC)
• XML files used to configure feature or site definition XML files
• Master pages, page layouts, and cascading style sheets
• Web Parts, site or list definitions, custom columns, new content types, custom fields, custom actions, coded workflows, and workflow activities and conditions
• Third-party solutions and their associated binary files and registry keys, such as IFilters
Key Points
Once you have a valid backup, you can restore it to the same farm or to new server hardware. There are manual steps that you must perform following your restore operation to get the farm back up and running. In SharePoint 2010, most of the previously missing items have been added into the backup process, so fewer items require manual setup after the restore. Before you restore a SharePoint 2010 farm, ensure that the following requirements are met:
• To restore a farm by using the SharePoint Central Administration Web site, you must be a member of the Farm Administrators group.
• To restore a farm by using Windows PowerShell, you must be a member of the SharePoint_Shell_Access role on the configuration database and a member of the WSS_ADMIN_WPG local group on the computer where SharePoint 2010 Products is installed.
• The database server's SQL Server account, the Timer service account, and the Central Administration application pool account must have Read permissions to the backup locations.
• The database server's SQL Server account must be a member of the sysadmin fixed server role.
• Your login account must have Read permissions to the backup locations.
• Ensure that the SharePoint Foundation Administration service is started on all farm servers. By default, this service is not started on stand-alone installations.
Consider the following before you restore a farm:
• Restoring from one version of SharePoint Products and Technologies to a different version is not supported.
• After recovery, search might take as long as 15 minutes to be available again. It can take longer than 15 minutes if the search system has to crawl all the content again. If you back up and restore the complete service, the system does not have to perform a full crawl.
Key Points
System Center Data Protection Manager delivers unified data protection for Microsoft Windows servers and clients as a backup and recovery solution for Windows environments. DPM 2010 provides protection and restore scenarios from disk, tape, and cloud, in a scalable, manageable, and cost-effective way. Benefits of implementing System Center Data Protection Manager:
• No need for a recovery farm
• Automatic protection of new content databases without the need for a consistency check
• Scheduling of the SharePoint catalog job, which enables item-level recovery
Example
1. DPM initiates a database recovery to a recovery database server. This could be on the passive node in a SharePoint server cluster.
2. The production WFE used to protect the farm connects to the recovered database and begins the extraction process.
3. The Content Migration API on the production WFE is used to export content from the unattached database.
4. The Content Migration API is used again to import the package back into the SharePoint object hierarchy and associated SQL Server database in the production farm.
Lesson 3
Implementing High Availability Solutions
A highly available solution considers many factors that allow the implementation to meet the expectations of your organization. Redundancy of services is essential to provide the best possible means of access for your users. The goal of a high availability solution is to provide continuous, long-term access to data. When analyzing such solutions, one must consider the needs of the business and the various technical and non-technical constraints that impact high availability solutions, including all factors that contribute to planned and unplanned downtime. In this lesson, you will learn and discuss how to implement solutions that mitigate those situations.
Objectives
After completing this lesson, you will be able to:
- Describe high availability.
- Describe SharePoint roles and services.
- Implement load balancing.
- Implement SQL Server clustering.
- Implement SQL Server database mirroring.
- Implement log shipping.
Key Points
Organizations have come to rely more and more on their Information Technology (IT) infrastructure to support their business needs. In many cases, an organization's server infrastructure provides applications or contains data that is critical to business operations. As a result, the availability of those applications and the retention and safety of that data must be managed to ensure business continuity through high availability and data recovery. High availability refers to the ability of a server infrastructure to remain available and operable in the event of hardware, application, or service outages within the server infrastructure itself. Organizations that are required to meet service level agreements (SLAs) or that run applications critical to an organization's daily business typically use high availability solutions to achieve required server uptimes. This uptime value is often expressed as the number of nines in the percentage of that server's total availability. It is not uncommon for companies to strive for five nines of uptime (99.999%), which equates to less than ten minutes per year of server downtime. High availability typically involves multiple servers configured to perform the same role or provide similar services. If one of the servers experiences a hardware or software failure, the remaining servers continue to provide the services. SharePoint Server 2010 contains several features that assist you in maintaining high availability in your server infrastructure.
Key Points
SharePoint is a distributed platform consisting of services that run on servers in specific roles. The roles are identified as:
- Web front-end. Connection points for users, configured by using load balancing.
- Application servers. Host service applications; can provide redundancy and load-balanced solutions.
- Database server. Hosts the content and configuration databases for a SharePoint environment.
There are several solutions for implementing high availability. For example, the list below describes some of the possible solutions that can be used individually or combined to extend the scope of protection:
- Failover clustering. Failover clustering allows a group of servers to work together to provide a set of applications or services. The level of protection provided is at the server level.
- Database mirroring. Microsoft SQL Server database mirroring is a software-based high availability solution that sends transactions directly from a principal database to a mirror database when the transaction log buffer for the principal database is written to disk. The level of protection provided here is at the database level and does not include system databases.
- Log shipping. Log shipping is a low-cost method of creating a standby server by using standard hardware. Log shipping works by initially restoring a full database backup of the database from the primary server to a secondary server, and then periodically applying transaction logs. The level of protection provided here is at the database level and does not include system databases.
- Database snapshots. Database snapshots are read-only, static views of a database. Each database snapshot is transactionally consistent with the source database as of the moment of the snapshot's creation. Snapshots can be used in the event of a user error on a source database, because an administrator can revert the source database to the state it was in when the snapshot was created. Data loss is confined to updates to the database since the snapshot's creation. The level of protection provided here is at the database level and does not include system databases.
Key Points
NLB provides high availability and scalability for TCP/IP-based services, including Web servers, File Transfer Protocol (FTP) servers, and other mission-critical servers and services. In an NLB configuration, multiple servers run independently and do not share any resources. This group of servers is referred to as a cluster. Client requests are distributed among the servers, and in the event of a server failure, NLB detects the problem and distributes the load to another server. NLB allows you to increase network service performance and availability. In terms of a SharePoint implementation, it is the structuring and distribution of the Web front-end roles to maximize the experience users have when accessing the SharePoint site. Using multiple components with load balancing, instead of a single component, increases reliability through redundancy. The load balancing service is usually provided by dedicated software or a hardware-based device (such as a multilayer switch or a DNS server). It is commonly used to mediate internal communications in computer clusters, especially high-availability clusters. If the load on one server rises, another server in the cluster takes on some of that load while the first continues to process requests. NLB typically provides the following features:
- High availability
- Performance
- Scalability
Key Points
Failover clustering allows a group of servers to work together to provide a set of applications or services. Together, these servers provide a fault-tolerant configuration that continues to provide its applications and services, even if one of the servers in the cluster fails or becomes unavailable. Failover clustering is another technology in Windows Server 2008 R2 that provides high availability. In a failover cluster, a group of servers, or cluster, works together to increase the availability of a set of applications and services. Physical cables and software connect the clustered servers, referred to as nodes. If any of the cluster nodes fails, other nodes begin to provide service to clients (a process known as failover). With this method, system downtime is minimized and a high level of availability is provided. Applications that are best suited for configuration in a failover cluster are applications that use a centralized set of data. Applications like Microsoft SQL Server and Microsoft Exchange Server, and services like Dynamic Host Configuration Protocol (DHCP), file and print, and Domain Name System (DNS), use centralized data sets and are therefore ideal for being configured as a failover cluster.
Applications or services that are added to a failover cluster must be cluster-aware in order to take advantage of the full benefits provided by failover clustering. Cluster-aware refers to the application's ability to register with the failover cluster in order to communicate with the cluster and take advantage of the cluster's features. SQL Server is a cluster-aware application.
SQL Server is a cluster-aware service that runs under Microsoft Windows Clustering; the functionality of the database engine is then controlled and monitored by the cluster, so that it can fail over to a partner node in the event of a failure. A failover cluster instance appears as a single server on the network, but has functionality that provides failover from one node to another if the current node becomes unavailable. For a SharePoint Server 2010 implementation, this is fully transparent and automatic.
Additional Reading
Getting Started with SQL Server 2008 R2 Failover Clustering at http://go.microsoft.com/fwlink/?LinkID=197245&clcid=0x409
Installing a SQL Server 2008 R2 Failover Cluster at http://go.microsoft.com/fwlink/?LinkID=197246&clcid=0x409
Key Points
Microsoft SQL Server database mirroring is defined as a software-based high availability solution that sends transactions directly from a principal database to a mirror database when the transaction log buffer for the principal database is written to disk. To implement SQL Server database mirroring on a Microsoft SharePoint Server 2010 farm, you implement the high availability database mirroring capability, also known as high-safety mode with automatic failover. In order to implement the high availability database mirroring configuration, you define three server instances: a principal, a mirror, and a witness. The witness server enables SQL Server to automatically fail over from the principal server to the mirror server. Although there is only one witness server in this configuration, if the witness fails, the remaining servers in the configuration establish quorum and continue operating. Failover from the principal database to the mirror database typically takes several seconds. In a SharePoint Server 2010 farm, SQL Server database mirroring provides redundancy for the content and configuration databases. It can also be configured for service databases.
Configuration
Central Administration in SharePoint 2010 provides an entry point that configures the failover partner for the database mirroring configuration.
Note: Configuration databases do not have an entry point to configure database mirroring. You can use Windows PowerShell to configure the failover partner.
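The following script is an added example, not part of the course manual or of the linked sample script: it registers the mirror server as the failover partner for every database in the farm, including the configuration database that has no Central Administration entry point. The instance name SQL-MIRROR is a placeholder, and the script assumes the SQL Server mirroring sessions have already been established on the database side.

```powershell
# Added example (not from the course manual): record the mirror server as the
# failover partner of every farm database so that SharePoint's connection
# strings carry "Failover Partner=<mirror>" and can follow an automatic failover.
# Assumption: "SQL-MIRROR" is a placeholder for the real mirror server instance,
# and mirroring is already configured in SQL Server for each database.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$MirrorInstance = "SQL-MIRROR"   # placeholder: replace with your mirror instance

foreach ($db in Get-SPDatabase) {
    # AddFailoverServiceInstance stores the partner in the farm configuration
    # database; Update() persists the change for this SPDatabase object.
    $db.AddFailoverServiceInstance($MirrorInstance)
    $db.Update()
    Write-Host ("{0}: failover partner set to {1}" -f $db.Name, $MirrorInstance)
}

# Verify: every database (content, configuration and service) should now show
# the mirror as its failover server.
Get-SPDatabase |
    Select-Object Name, @{ n = "FailoverServer"; e = { $_.FailoverServer } } |
    Format-Table -AutoSize
```

This sets only the SharePoint side of the pairing; the witness, principal and mirror roles themselves are configured in SQL Server.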
Additional Reading
Configure availability by using SQL Server database mirroring at http://go.microsoft.com/fwlink/?LinkID=197247&clcid=0x409
Sample script for configuring SQL Server database mirroring at http://go.microsoft.com/fwlink/?LinkID=197248&clcid=0x409
Overview
Log shipping is a low-cost method of creating a standby server by using standard hardware. Log shipping works by initially restoring a full database backup of the database on the primary server to a secondary server, and then periodically applying transaction logs from the primary server to the standby system. Log shipping is available for user databases but not system databases.
If you require more than one destination database, you need to use log shipping, either alone or with database mirroring. Combining these approaches gives you the benefits of database mirroring along with the support for multiple destinations provided by log shipping. If you need to delay restoring a log on the destination database (typically to protect against logical errors), use log shipping, alone or with database mirroring.
Additional Reading
Configure availability by using SQL Server database mirroring at http://go.microsoft.com/fwlink/?LinkID=197247&clcid=0x409
Sample script for configuring SQL Server database mirroring at http://go.microsoft.com/fwlink/?LinkID=197248&clcid=0x409
Scenario
The Contoso SharePoint governance plan requires that sites be backed up regularly. You have been asked to demonstrate the out of box backup functionality of SharePoint Server 2010, and to create an automated, nightly backup of the SharePoint farm.
Perform a full backup of the Web application, SharePoint - intranet.contoso.com80, to the backup share, \\SP2010-WFE1.contoso.com\SharePointBackup.
The Backup and Restore Job Status page opens. The page refreshes every few seconds. You can click Refresh to refresh the page manually. Wait until Phase shows as Completed. Note: The backup operation may complete with warnings. This is expected in this lab. You may continue to the next step.
Results: After this exercise, you should have backed up the intranet Web application using Central Administration.
Locate the SPHistoryObject element. This element describes the backup operation, and is used during a restore operation.
Locate the SPBackupDirectory element. This element is a reference to the folder in which the backup files are stored.
Locate the SPWarningCount and SPErrorCount elements. These elements report warnings and errors.
Close Notepad. Open the spbr0000 folder, and then observe the backup (*.bak) files in the folder. Open the file Spbackup.xml in Notepad and examine it. This file contains attributes related to the backup operation and to each of the components, and it is used during a restore operation. You should not modify, delete, or rename the Spbackup.xml file.
Close Notepad.
Examine the log. Observe that each of the backup operations is listed, including the T-SQL commands that were sent to SQL Server. Observe the last lines of the log, which indicate that the backup completed and summarize the number of warnings and errors. Navigate to the top of the log, and then use the Find command to find the text, Warning:. Tip: Include the colon. Write down the warning message.
Navigate to the top of the log, and then use the Find command to find the text, BACKUP DATABASE. Observe the command that was sent to SQL Server to back up one of the SharePoint databases. Answer the following questions: Which SharePoint database was backed up? Which database backup (.bak) file in the backup folder contains that SharePoint database?
Repeat step 5 to identify the database backup file that contains the backup of the WSS_Content_IT database. Close Notepad. Results: After this exercise, you should have investigated the files and logs in the SharePoint backup share. You should also have identified the database backup file that contains the backup of the SQL database WSS_Content_IT.
Refresh the page and examine the information that is presented on the page. Browse to the Backup and Restore History, and then examine the information that is presented. Return to the Backup and Restore Job Status page, and then wait for the Phase to be Completed before continuing to the next lab. Close all open applications and windows. Results: After this exercise, you should have created a backup script using Windows PowerShell and scheduled the script to run nightly.
Scenario
You have recently configured an automated, nightly backup of your SharePoint farm. The SharePoint governance policy requires you to test your backups every 60 days. You have been tasked with testing the most recent backup by restoring it to a staging environment. You must also verify that you can perform a partial restore of a site collection, site, and list.
Navigate to the top of the log, and then use the Find command to find the text, RESTORE DATABASE. Observe the command that was sent to SQL Server to restore one of the SharePoint databases. Answer the following questions: Which SharePoint database was restored? Which database backup (.bak) file in the backup folder contains that SharePoint database?
Close Notepad. Results: After this exercise, you should have investigated the restore logs in the SharePoint backup share.
After you start the export, monitor the Granular Backup Job Status page until the job is complete.
Module Review
Review Questions
1. What tools can be used to back up SharePoint 2010 out of the box?
2. Is there an advantage to combining multiple high availability technologies?
Module 14
Monitoring and Optimizing SharePoint Performance
Contents:
Lesson 1: Monitoring Logs 14-3
Lesson 2: Configuring SharePoint Health Analyzer 14-8
Lesson 3: Configuring Usage Reports and Web Analytics 14-12
Lesson 4: Monitoring and Optimizing SharePoint Performance 14-16
Lab A: Configuring SharePoint Monitoring 14-19
Lab B: Analyzing SharePoint Health 14-21
Lab C: Reporting SharePoint Usage 14-25
Module Overview
This module explores the activities you need to perform to have a well-tuned Microsoft SharePoint deployment. Using the monitoring capabilities SharePoint provides, and configuring them to get the most out of the information they gather, leads to a better understanding of what is happening in your environment. Lesson 1 describes the elements needed to establish a performance baseline by using the Unified Logging Service (ULS). Lesson 2 describes how SharePoint can keep track of its health, and how you can configure what to keep track of and any actions needed to recover from a potential error condition. Lesson 3 explores the out-of-the-box reports that identify usage in counters and values, enabling you to make informed decisions based on the situations users experience when using SharePoint Server. Lesson 4 provides the guidelines needed to determine the running values and establish a baseline for your environment, so that you fully understand the recommended practices and can determine how they fit into your deployment.
Objectives
After completing this module, you will be able to:
- Use monitoring logs to establish a baseline for performance monitoring.
- Configure SharePoint Health Analyzer.
- Configure both usage reports and Web Analytics.
- Monitor your SharePoint servers' performance and optimize them.
Lesson 1
Monitoring Logs
From time to time, situations arise with server performance or behavior that require you to log information to troubleshoot your SharePoint deployment. To gather useful information and have relevant data to interpret, it is important to understand the Unified Logging Service, or ULS. This service provides a unified approach to retrieving log data, and there are different areas and tools to work with to make the most out of logging information.
Objectives
After completing this lesson, you will be able to:
- Configure diagnostic logging.
- Administer ULS log files.
- View and interpret administrative reports.
Key Points
Following deployment, it might be necessary for you to configure the diagnostic logging settings of your SharePoint Server 2010 environment. The guidelines in the following list can help you form best practices for your specific environment.
- Change the drive that logging writes to. Diagnostic logging is configured by default to write to the same location where SharePoint is installed; this can have an adverse impact on performance because of the amount of data being written to the log.
- Restrict log disk space usage. By default, there is no limit on the amount of disk space logging can use; however, you can configure size-based restrictions so that when the disk allowance is used up, the oldest logs are removed and new logging data is recorded.
- Use the Verbose setting sparingly. You can configure diagnostic logging to record verbose-level events. This generates a large volume of data because it writes every possible action SharePoint performs. You can use verbose-level logging to record a greater level of detail when you are making critical changes, and then reconfigure logging to record only higher-level events after you make the change.
Note: When you configure values that differ from their defaults, SharePoint Central Administration shows the logging level in bold type.
- Back up logs. The diagnostic logs contain important data. Back them up regularly to make sure that this data is preserved. Enabling restrictions causes the logs to be overwritten and possibly deleted. The true value of logs, however, is in the information you can access during critical events. This option is for organizations where log archival is required.
- Enable event log flood protection. Enabling event log flood protection configures the system to detect repeating events in the Microsoft Windows event log. This set of values is configurable through Windows PowerShell.
Key Points
The concept of a unified logging service is not new to SharePoint Server 2010; however, the level of control and information you can gather is. The trace logs hold valuable information about the activity that occurs in a SharePoint deployment. By default, the logs are stored in the path C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14 under the LOGS directory. A recommended best practice is to change this path to one that is meaningful to your deployment. It is also a good idea to move the logs off the C drive to save space there; SharePoint gets very fussy if the C drive becomes full. Note that if you do move the logs off your C drive, all members of your farm must have the alternate location: if you move them to D:\Logs, every farm member has to have a D drive.
When working with users and trace logs to troubleshoot errors, remember to introduce users to the value of correlation IDs. Correlation IDs are globally unique identifiers (GUIDs) that appear when an error occurs on attempting to access a resource through a browser. The correlation ID is useful for tracking the event in the trace logs. Correlation IDs can appear even if there isn't an error, such as in the Developer Dashboard. They can also be used in Microsoft SQL Server Profiler traces, not just the browser. Correlation IDs are also farm-wide, so a conversation that hits multiple servers has the same correlation ID in each server's logs.
Here are recommended practices for logging:
- Use non-system drives that are write-optimized to store the ULS logs.
- Rely on correlation IDs to isolate problems as they occur.
- Implement a logging policy that defines retention periods.
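The following script is an added example (not from the course manual) that applies the diagnostic logging guidelines from the previous topic and then uses a correlation ID to isolate one request's trace entries across the farm, as described above. It assumes that D:\ULSLogs exists on every farm member, and the correlation GUID is a placeholder standing in for the one copied from a user's error page.

```powershell
# Added example (not from the course manual): configure ULS logging per the
# lesson's guidelines, then triage one failed request by its correlation ID.
# Assumptions: D:\ULSLogs exists on every server in the farm (the setting is
# farm-wide), and $CorrelationId is a placeholder for a real GUID.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Move the trace logs off the system drive, cap their disk usage, and keep
#    two weeks of history. With the cap enabled, the oldest logs are removed
#    once the allowance is used up, so archive them if you need them longer.
Set-SPDiagnosticConfig -LogLocation "D:\ULSLogs" `
                       -LogMaxDiskSpaceUsageEnabled:$true `
                       -LogDiskSpaceUsageGB 10 `
                       -DaysToKeepLogs 14

# 2. Event log flood protection: after 5 identical events within a 2-minute
#    trigger period, further repeats are suppressed and summarised.
Set-SPDiagnosticConfig -EventLogFloodProtectionEnabled:$true `
                       -EventLogFloodProtectionThreshold 5 `
                       -EventLogFloodProtectionTriggerPeriod 2 `
                       -EventLogFloodProtectionQuietPeriod 2

# 3. Use Verbose sparingly: raise a single category while making a change,
#    then reset every category to its defaults afterwards.
Set-SPLogLevel -Identity "SharePoint Foundation:Database" `
               -TraceSeverity Verbose -EventSeverity Verbose
# ... perform and test the critical change here ...
Clear-SPLogLevel

# 4. Correlation-ID triage. Merge-SPLogFile gathers the matching entries from
#    every server, because the same correlation ID is written on each one.
$CorrelationId = "00000000-0000-0000-0000-000000000000"   # placeholder GUID
Merge-SPLogFile -Path "D:\ULSLogs\$CorrelationId.log" `
                -Correlation $CorrelationId -Overwrite

# Show this server's entries for the same request, oldest first.
Get-SPLogEvent -Directory "D:\ULSLogs" |
    Where-Object { $_.Correlation -eq $CorrelationId } |
    Select-Object Timestamp, Area, Category, Level, Message |
    Format-Table -AutoSize
```

The log-level change in step 3 applies farm-wide, so run Clear-SPLogLevel as soon as the troubleshooting window closes.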
Additional Reading
Logging and events cmdlets at http://go.microsoft.com/fwlink/?LinkID=197197
Key Points
Administrative reports give you access to information on the performance and execution of components such as search crawls and query performance. The administrative reports you can access are provided in the form of standard reports and advanced reports; in SharePoint, you can also add custom reports. As you view reports, you have the option to apply filters to focus on a given application and time frame. You can access reports in the Monitoring section in Central Administration.
Additional Reading
View administrative reports at http://go.microsoft.com/fwlink/?LinkID=197198
Lesson 2
Key Points
The SharePoint Health Analyzer is a new configurable option that enables SharePoint Server to report on potential issues and in some situations take action to mitigate those issues. You can configure the SharePoint Health Analyzer to identify conditions that fit your specific deployment needs. Some conditions are active on completing installation of SharePoint Server 2010.
Objectives
After completing this lesson, you will be able to:
- Configure health rules.
- Define health schedules.
- View health reports.
Key Points
Health rules give you the ability to monitor SharePoint Server and be proactive in understanding any potential issues that may arise. This information is presented to you as a list, just like other list items in a SharePoint deployment. For example, health rules can identify issues such as search crawls not running and a content database reporting an error or offline status. You can also receive proactive information about configuration or security issues, such as when accounts are given more access than is necessary. For example, the databases used by SharePoint have a fragmented indices rule that checks for a very specific condition by verifying status from SQL Server. If that rule is triggered, a preconfigured action takes place if the rule is set to repair automatically. Not all rules are configured to repair automatically. Whether or not a rule repairs automatically depends on how the rule is created and whether it includes the necessary implementation to execute a repair. The same applies to health rules that require your intervention as an administrator. The default rules that are in place monitor some conditions; however, you can define your own conditions and provide actions that execute to mitigate the errors. To configure a health rule, you must have access to Central Administration and be a member of the Farm Administrators group. To learn how to create your own health rules, see http://go.microsoft.com/fwlink/?LinkID=197199
Key Points
A health rule checks for specific conditions that affect performance, configuration, and security in your SharePoint Server deployment, and a health schedule defines the execution or timer definition for running that health rule. You can configure schedules by using either Central Administration or Windows PowerShell. The following table lists the Windows PowerShell cmdlets that are useful for health scheduling.
Windows PowerShell Cmdlet   Description
Get-SPTimerJob              Retrieves the timer job
Set-SPTimerJob              Sets the schedule for a timer job
Start-SPTimerJob            Starts a specific timer job
You can configure a schedule by the second, minute, hour, day, week, or month. Specific date conditions are also an option, for example: First Monday of every month. Rules can be executed immediately in the rule definition. This is a great way to verify that a problem has been fixed without waiting for the job to run again: Resolve the issue, run the rule manually, and see whether the condition is resolved.
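The following script is an added example (not from the course manual) showing the three cmdlets in the table above used together: list the health analysis timer jobs, move the daily one to a quiet hour, and run it immediately to confirm a fix. The display-name filter is an assumption about how the health analysis jobs are named on the farm; check Get-SPTimerJob output first if it returns nothing.

```powershell
# Added example (not from the course manual): manage the health analysis timer
# jobs with Get-SPTimerJob, Set-SPTimerJob and Start-SPTimerJob.
# Assumption: the health jobs' display names start with "Health Analysis Job".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Retrieve the health analysis jobs and show their current schedules.
$healthJobs = Get-SPTimerJob |
    Where-Object { $_.DisplayName -like "Health Analysis Job*" }
$healthJobs |
    Select-Object DisplayName, Status, LastRunTime,
                  @{ n = "Schedule"; e = { $_.Schedule.ToString() } } |
    Format-Table -AutoSize

# 2. Move the daily health job to 03:00 so it runs outside business hours.
#    The schedule string uses the SPSchedule text format (second, minute,
#    hourly, daily, weekly or monthly); "daily at 03:00:00" is a daily schedule.
$dailyJob = $healthJobs | Where-Object { $_.DisplayName -like "*Daily*" } |
    Select-Object -First 1
if ($dailyJob) {
    Set-SPTimerJob -Identity $dailyJob -Schedule "daily at 03:00:00"
    Write-Host ("{0}: schedule is now {1}" -f $dailyJob.DisplayName,
                (Get-SPTimerJob -Identity $dailyJob.Id).Schedule)

    # 3. After fixing a reported condition, run the job now instead of waiting
    #    for the next scheduled pass, then re-check the Health Analyzer list.
    Start-SPTimerJob -Identity $dailyJob
}
```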
Key Points
Health reports return data collected on performance characteristics of your farm. Out of the box, the two reports included list the slowest-loading pages in your farm and the most active users in your farm. In both of these reports, you can refine the results based on a specific criterion such as server or Web application to better determine where problems may be.
Lesson 3
As the system or farm administrator, your purpose is to guarantee the well-being of your organization's SharePoint environment. This, of course, includes being able to monitor the health and performance of the different components that enable users to access your SharePoint environment. At some point, you must learn about your users' patterns of usage. The frequency with which users view a specific page, or the department a user comes from, becomes part of the information you consume, and you can also identify latency in displaying specific content for a network segment that is geographically remote. This is the information you can gather when you configure and view usage reports and gather details in the form of Web Analytics.
Objectives
After completing this lesson, you will be able to:
- Configure usage data collection.
- View and interpret the collected data.
Key Points
The usage and health data settings are farm-wide; you cannot set them for individual servers in the farm. Logging uses system resources and can affect performance and disk usage. Only log those events for which you want regular reports. For ad hoc reports or investigations, enable logging for specific events, and then disable logging for the events after the report or investigation is complete. Usage and health data collection is the collection of binary large objects (BLOBs) that are processed into a logging database. You can configure the logging database retention period. For processing both BLOBs and databases, you need to consider disk performance and capacity in addition to network considerations. The usage database collects information from health rules, the event viewer, diagnostics, and so forth. You can use this database to build custom reports. The Usage and Health Data Collection service application is a prerequisite to Web Analytics and other service applications such as Search, and is provisioned by default if you run the Farm Configuration Wizard. These settings are applied to all events. To set event collection settings for individual event types, use the following Windows PowerShell cmdlets. To change the Database Server and Database Name values, you must use Windows PowerShell.
Windows PowerShell Cmdlet   Description
Set-SPUsageService          Sets parameters for the usage data to be gathered. Settings such as log location and maximum space to be used are configured here. See http://go.microsoft.com/fwlink/?LinkID=199509
                            Configures the retention period for the usage logs. See http://go.microsoft.com/fwlink/?LinkID=199510
Set-SPUsageApplication      Configures the settings for the Usage database, such as database server and credentials to be used. See http://go.microsoft.com/fwlink/?LinkID=199511
Key Points
Web Analytics reports are based on the information that is gathered by configuring the usage logs. The reports presented include prebuilt reports in Central Administration. Reports are assigned to logical elements in a SharePoint environment, such as farm, site collection, and site level; each provides different yet pertinent information for that level. You can access the reports by clicking the link, View Web Analytics Reports. This presents the usage data gathered. Samples of the reports available include Summary Report, Number of PageViews, Unique Daily Visitors, Top Pages, and Top Destinations. A key element provided as well is automatic Best Bets recommendations for Search configuration. You can define reports to be viewed based on a date range. Here, it is important to consider the value you set for the retention policy because this limits the range of data available to report on. You can also export the reports to Excel and conduct further analysis on the information.
Additional Reading
View Web Analytics reports at http://go.microsoft.com/fwlink/?LinkID=197200
Lesson 4
SharePoint is a very complex product that is composed of several different elements, including SQL Server, which defines the storage location for configuration, logs, and content; and Windows Server services such as Internet Information Services (IIS), which hosts ASP.NET and the Microsoft .NET Framework, which provide functionality and the user interface for SharePoint Web sites. Because of this, you have a wide range of checkpoints for validation and monitoring of your SharePoint environment. It is very important to use the monitoring and performance analysis tools provided by the components of SharePoint, such as SQL Server. Counters and dynamic management views are very useful in determining proper parameters for the databases. An understanding of the proper rendering of content coming from the Web functionality is key to knowing whether a page is loading efficiently.
Objectives
After completing this lesson, you will be able to:
- Determine how to collect performance monitoring statistics.
- Use those statistics to improve the performance of your SharePoint servers.
Performance Monitoring
Key Points
You can add to the usage database the performance counters that assist you in monitoring and evaluating your farm's performance, so that they are logged automatically at a specific interval. Then, you can query the usage database to retrieve these counters and graph the results over time. The following is an example of using the Add-SPDiagnosticsPerformanceCounter Windows PowerShell cmdlet to add the % Processor Time counter to the usage database. Note: You need to run this on only one of the Web servers.
Add-SPDiagnosticsPerformanceCounter -Category "Processor" -Counter "% Processor Time" -Instance "_Total" -WebFrontEnd
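The query step that the paragraph above mentions, as an added example that is not part of the course manual: it reads the % Processor Time samples collected by the cmdlet from the usage database and averages them per hour and per server. It resolves the database from the farm's Usage application; the view name dbo.PerformanceCounters and its columns (LogTime, MachineName, Category, Counter, Instance, Value) are assumptions, as is the 80% threshold, so check the view definition on your own farm.

```powershell
# Added example (not from the course manual): summarise the "% Processor Time"
# samples written to the usage database by Add-SPDiagnosticsPerformanceCounter.
# Assumptions: the usage database exposes a dbo.PerformanceCounters view with
# LogTime, MachineName, Category, Counter, Instance and Value columns, and the
# account running this script can read that database.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Resolve the usage database from the farm instead of hard-coding its name.
$usageDb    = (Get-SPUsageApplication).UsageDatabase
$connString = $usageDb.DatabaseConnectionString

# Hourly average and peak CPU per server over the last 24 hours (log times are UTC).
$query = @"
SELECT  MachineName,
        DATEADD(hour, DATEDIFF(hour, 0, LogTime), 0) AS HourStart,
        AVG(Value) AS AvgProcessorPct,
        MAX(Value) AS PeakProcessorPct
FROM    dbo.PerformanceCounters
WHERE   Category = 'Processor'
  AND   Counter  = '% Processor Time'
  AND   Instance = '_Total'
  AND   LogTime >= DATEADD(day, -1, GETUTCDATE())
GROUP BY MachineName, DATEADD(hour, DATEDIFF(hour, 0, LogTime), 0)
ORDER BY MachineName, HourStart
"@

$table = New-Object System.Data.DataTable
$conn  = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $table.Load($cmd.ExecuteReader())
} finally {
    $conn.Close()
}

$table | Format-Table MachineName, HourStart, AvgProcessorPct, PeakProcessorPct -AutoSize

# Flag sustained high CPU; the 80% line is an arbitrary threshold (assumption).
$table | Where-Object { $_.AvgProcessorPct -gt 80 } | ForEach-Object {
    Write-Warning ("{0} averaged {1:N1}% CPU in the hour starting {2}" -f `
        $_.MachineName, $_.AvgProcessorPct, $_.HourStart)
}
```

Pipe $table to Export-Csv to chart the series in Excel, which is the graphing step the paragraph describes.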
Additional Reading
System Center Operations Manager at http://go.microsoft.com/fwlink/?LinkID=197201
Planning for Virtualized deployments at http://go.microsoft.com/fwlink/?LinkID=197202
Performance Optimization
Scenario
The Contoso SharePoint governance plan specifies levels of monitoring for the development and production environments that differ from the out of box settings. You have been tasked with configuring monitoring and with demonstrating how developers can use monitoring to troubleshoot errors generated by their code.
Scenario
You have just installed a SharePoint 2010 farm. When you open Central Administration, an error message appears at the top of the page that indicates an error in configuration. The SharePoint governance plan mandates that SharePoint farms at Contoso should be deployed using Microsoft-recommended best practices. You have been tasked with determining the cause of the error message and correcting the configuration of the farm.
Tip: The list of rules is paged. Click the Next Page button, displayed as a right-pointing arrow below the list, to see additional rules.
2. Open the Some content databases are growing too large rule. Observe that you can change the following attributes of the rule, but do not make any changes at this time:
- Title
- Scope
- Schedule
- Enabled
- Repair Automatically
- Version
Note: You cannot change the actions that the rule uses to perform its health analysis task. The rule's actions are determined by the code used to develop the rule.
3. Edit the rule and change the Schedule to Daily.
Results: After this exercise, you should have configured rule definitions and run two rules.
Scenario
Contoso recently implemented a systems management report center. You are required to submit reports related to performance and usage. You have been tasked with creating a SharePoint performance and usage report that uses the SharePoint logging database as its data source.
4. Create a PivotTable report. In the PivotTable Field List panel, in the Choose fields to add to report list, select the following options:
MachineName
WebApplicationName
JobTitle
5. Drag the Duration field from the field list to the Values box. You now have a report of timer job durations presented by server, by web application, and by timer job.
Results: After this exercise, you should have created a usage report based on data from the SharePoint logging database.
Review Questions
1. How can you minimize the impact of logging in your environment?
2. What is event log flood protection?
3. What value do Correlation IDs bring to troubleshooting?
Tools
Tool: ULS Log Viewer
Use for: A Windows application for viewing SharePoint ULS log files more easily. Supports filtering and easy viewing of data.
Where to find it: http://go.microsoft.com/fwlink/?LinkID=199513
Module 15
SharePoint Online and Office 365
Contents:
Lesson 1: Introducing Office 365 and SharePoint Online
Lesson 2: Setting Up Office 365
Lesson 3: Administering SharePoint Online
Module Overview
This module introduces Microsoft's cloud services and Microsoft SharePoint Online. When you subscribe to SharePoint Online, you get a hosted SharePoint system that your users can access whenever they have an Internet connection. You do not need to install SharePoint servers or concern yourself with scalability: SharePoint Online automatically scales to respond to your users as you add them, and as they add content, to the system. SharePoint Online is one of the key components of Microsoft Office 365, Microsoft's suite of collaboration and productivity tools delivered through the cloud. Office 365 also includes Microsoft Exchange Online for email services and Microsoft Lync Online for instant messaging and conferencing, as well as the Microsoft Office Professional Plus suite of desktop applications for enterprise subscribers.
Objectives
After completing this module, you will be able to: Describe the components of Office 365 and compare the functionality of SharePoint Online to that of a SharePoint on-premise farm. Create and configure an Office 365 subscription to host a Web site, team collaboration sites, and connections to desktop software. Enable users, in and outside your organization, to access SharePoint Online and perform other administrative tasks.
Lesson 1
Office 365 is Microsoft's cloud-based productivity solution. By taking the functions traditionally provided by back-office server software and hosting them in the cloud, Office 365 provides high availability, simple scalability, and access from a wide range of client computers and devices. The Office 365 suite includes SharePoint Online, which provides content creation and management functions within Office 365. The suite is completed by Exchange Online, Lync Online, and the Office Professional Plus suite.
Objectives
After completing this lesson, you will be able to: List all the components of Office 365 and describe how they enable productivity in a modern, distributed organization. Describe the advantages and disadvantages of using SharePoint Online as compared to a SharePoint on-premise farm. Describe typical situations in which you can use SharePoint Online and select an architecture for each of those situations.
Key Points
Office 365 is designed to provide a complete, cloud-based productivity suite for modern businesses that scales from the smallest to the largest organizations. It has five components.
SharePoint Online. This is the cloud implementation of SharePoint Server 2010, hosted in Microsoft data centers worldwide. SharePoint Online supports most of the functionality that you have seen from SharePoint Server 2010 in this course. For example, it includes a Team Site that you can use for content creation and management, including workflows, approvals, versioning, checkout, and so on. Full enterprise search features are included and each user is given a user profile, just as in an on-premise farm. However, there are some restrictions; for example, although customizations can be deployed in the form of SharePoint solution packages (.wsp files), these can only be deployed in the sandbox. InfoPath and Access Services are not available in all editions. You'll see more of the differences between SharePoint Server 2010 and SharePoint Online later in this module.
Exchange Online. Each Office 365 user has an Exchange mailbox, which they can access using Microsoft Office Outlook 2010 or in the browser with Microsoft Outlook Web Access (OWA). Rich functionality is supported in a wide range of popular browsers. A calendar and task list are available in each mailbox, and meeting requests can be used to organize co-workers.
Lync Online. Lync 2010 is Microsoft's messaging software. In Office 365 you can use Lync to exchange instant messages and presence information with contacts within and outside your organization. You can also use Lync's extensive conferencing facilities for audio and video calls and to share applications. For example, you can deliver a Microsoft Office PowerPoint presentation by sharing the application in a conference.
Office Professional Plus. Office 365 for midsize businesses and enterprises includes the Office Professional Plus 2010 suite of desktop applications. All the familiar Microsoft Office applications, such as Word and Excel, give users the richest range of document editing features, and InfoPath supports rapid development of forms that can be used in SharePoint for items, document libraries and workflows. In addition, you can use Microsoft SharePoint Workspace 2010 to synchronize SharePoint Online with local folders automatically. This means you can continue to work on documents when you do not have an Internet connection; your local changes are synchronized with SharePoint Online the next time you connect.
Office Web Apps. Office Web Apps are implementations of the Office desktop applications that work in the browser. You can use Office Web Apps to read and edit Word documents, Excel spreadsheets, and PowerPoint presentations from any location with an Internet connection. A wide range of popular browsers are supported, including Google Chrome and Mozilla Firefox. Although Office Web Apps do not have the complete features of their equivalent desktop applications, the majority of basic editing features are available.
Three different Office 365 subscription plans are available:
Office 365 for Professionals and Small Businesses. This subscription plan includes all of the above components except Office Professional Plus, although subscribers can purchase Office desktop software separately. Subscription is on a monthly basis and includes access to online community support forums. This is also known as Plan P1.
Office 365 for Midsize Businesses and Enterprises. This plan is the premium Office 365 subscription and adds Office Professional Plus to the previous plan. Extra administration and control features are also included and subscribers get 24x7 support from Microsoft support personnel. This is also known as Plan E3.
Office 365 for Education. This special plan is designed for educational establishments that want to provide productivity tools to their staff and students. Global 24x7 support is included and custom rates are available.
Additional Reading
Office 365 Subscription Plans: http://go.microsoft.com/fwlink/?LinkId=239823 SharePoint Online Homepage: http://go.microsoft.com/fwlink/?LinkId=239824 Features Available by License: http://go.microsoft.com/fwlink/?LinkId=239825
Key Points
A SharePoint Online subscription provides users with an environment very similar to a SharePoint on-premise farm, but there are differences that you must be aware of before you decide which to use. To assist you in choosing the most appropriate implementation for an organization, use the following comparison of a SharePoint Server 2010 on-premise farm and a SharePoint Online subscription.

Area: Server Hardware
SharePoint On-Premise: You must purchase and install server hardware on which to install SharePoint. At least one server is required for all implementations. Scalable and highly available farms can require many more servers.
SharePoint Online: You do not have to purchase any server hardware because SharePoint Server runs in Microsoft data centers.

Area: Scaling
SharePoint On-Premise: When you plan a SharePoint farm it is your responsibility to ensure that it scales to the number of users and volume of content your organization needs. If the organization grows you may need to add new hardware, move service applications, or purchase load-balancing solutions.
SharePoint Online: SharePoint Online automatically scales as you add new users and more content. You do not have to reconfigure SharePoint Online to support extra capacity, although your subscription charges may rise.

Area: High Availability
SharePoint On-Premise: To ensure high availability and meet your department's service level agreement (SLA) you may have to create a farm with no single point of failure. This requires fault-tolerant disk arrays, multiple servers for each server role, advanced load balancing, and other redundant components such as network cards.
SharePoint Online: SharePoint Online includes 99.9% availability as part of all subscriptions. It is not your responsibility to ensure that SharePoint is online. However, you should bear in mind that users must have a functioning Internet connection in order to access

Area: Office Web Apps
SharePoint On-Premise: Office Web Apps are not included with SharePoint Server 2010 Standard but are available with SharePoint Server 2010 Enterprise. You must deploy and configure the appropriate service application before Office Web Apps are available to users.
SharePoint Online: Office Web Apps are included with most Office 365 subscriptions and do not require any configuration by administrators.

Area: Available Features
SharePoint On-Premise: All features are available in on-premise farms, depending on the edition of SharePoint you have purchased.
SharePoint Online: Business Connectivity Services (BCS) is only available through the client object model. Custom SharePoint solutions are supported in SharePoint Online, but they must run in the sandbox. For example, a solution that accesses data outside SharePoint cannot be successfully deployed to SharePoint Online. You can also make customizations by using the browser, such as adding a new page, and by using SharePoint Designer, such as editing a master page.
Additional Reading
Comparison of SharePoint Online Features and SharePoint Server Features: http://go.microsoft.com/fwlink/?LinkId=235463
Subscription Cost Estimator: http://go.microsoft.com/fwlink/?LinkId=225285
Usage Scenarios
SharePoint Online can be used to solve a wide variety of business problems and is particularly suited to companies with distributed or mobile users. It can also assist companies with small IT departments because the infrastructure is built and maintained by Microsoft. The following sections describe some typical scenarios in which SharePoint Online can help.
Hybrid Environments
Whether to install SharePoint Server 2010 on-premise or subscribe to SharePoint Online is not an either/or decision. You can choose to implement both SharePoint Online and SharePoint Server 2010, either on a temporary or permanent basis. In the following scenarios, both systems are used:
Travelling User Support: In some regions, travelling users may have difficulty connecting to SharePoint at your premises from client sites and other locations. By placing SharePoint in the cloud, you can ensure they can connect whenever an Internet connection is available. By implementing SharePoint on-premise as well, you ensure that office-based users have maximum connectivity to SharePoint.
External Projects: You can support collaboration with your partner organizations by implementing an extranet and granting access to your on-premise SharePoint farm. However, an extra level of separation and security can be achieved by placing such external and partner projects in SharePoint Online. In this way you avoid granting partner access to your internal SharePoint farm, which may store highly sensitive data: a partner account that is compromised can reach only the content you chose to place in the cloud.
Migrations to SharePoint Online: Organizations already using SharePoint Server 2010 on-premise may wish to migrate fully to SharePoint Online but must ensure this process does not affect users. To mitigate the risks of this migration a staged approach is usually adopted, in which data and users are migrated to SharePoint Online team by team or project by project over several months. This interim stage is an example of a hybrid solution and is the most common of the examples in this section.
Farm Solutions: Although you can customize SharePoint Online in many ways, you cannot implement farm-level SharePoint solutions in the cloud. If you have a custom SharePoint solution that cannot be run in the sandbox, you could consider maintaining an on-premise farm where farm solutions can run outside the sandbox.
Additional Reading
Hybrid SharePoint Environments with Office 365: http://go.microsoft.com/fwlink/?LinkId=239933
Lesson 2
Many of the administrative tasks you have seen in this course are not necessary if you choose to subscribe to Office 365 and SharePoint Online. For example, you need not install SharePoint on server hardware or run the SharePoint configuration wizard because these tasks are completed for you on Microsoft servers at data centers. However, some administrative tasks are required and some, such as setting up a vanity domain, are unique to SharePoint Online. In this lesson, you will learn how to complete these tasks and make the right design decisions for your organization.
Objectives
After completing this lesson, you will be able to: Create a new subscription to Office 365 for an organization. Configure Office 365 to use a vanity domain for email, web sites and team sites. Configure the SharePoint Online default team site and enable sub-site creation. Configure and style the Internet-facing website included in the SharePoint Online subscription. Set up desktop Office applications to connect to SharePoint Online.
Key Points
Creating a new Office 365 subscription is a simple process that requires only a normal range of contact information. To create a new subscription visit: http://go.microsoft.com/fwlink/?LinkId=239822
Before you create your subscription, consider the following issues carefully:
Evaluation Period. Most organizations choose to take advantage of the free 30-day trial that is available on small business or enterprise subscriptions. However, if you prefer you can buy a subscription immediately. A Plan P1 evaluation includes 10 user licenses and a Plan E3 evaluation includes 25 user licenses. Note: There is currently no free trial period for Office 365 for Education. Educational establishments that want to evaluate Office 365 should choose the Plan E3 trial, which provides a similar level of service.
Switching Plans. You cannot change your subscription plan after it has been created. In order to move from Plan P1 to E3 you would have to back up data, cancel your subscription, create a new subscription, and restore data. Be careful to select the most appropriate plan at the beginning.
Choosing Domain Name. When you create a new subscription, you must choose a unique subdomain within the onmicrosoft.com parent domain. This cannot be changed later; however, you can add a so-called vanity domain to your subscription. For example, Contoso Inc. might have registered the contoso.com Internet domain. They could add this to their subscription so that the included web site is at http://www.contoso.com instead of http://contoso.onmicrosoft.com. The same domain name can also be used for email and messaging. See the Setting Up a Vanity Domain topic for more details on vanity domains.
Choosing Country or Region. The Country or Region you choose is important because it determines taxes and billing details and the data center that hosts your subscription. It cannot be changed later. Usually the best choice is obvious because the company operates in a single country or has the majority of users based in a single country. However, international organizations should think carefully about billing, any data-residency obligations, and the location of the majority of their users before specifying this value.
Additional Reading
Getting Started with Office 365: http://go.microsoft.com/fwlink/?LinkId=235464
This demonstration illustrates how to create and configure a new Enterprise trial subscription for Office 365. It also shows how to create and configure a new public Web site. The instructor will perform this demonstration by creating a new Office 365 subscription, unless an Internet connection is not available in the classroom. A recording of this demonstration is also available for student download as part of the course companion content which can be obtained via the companion moc site. http://www.microsoft.com/learning/en/us/training/companionmoc.aspx You can use this to review the steps after the course.
Key Points
When you subscribe to Office 365, all services are provided through the domain you selected when you created your subscription. This domain is always within the parent domain onmicrosoft.com. For example, if you select the domain contoso.onmicrosoft.com: The included Web site is at http://contoso.onmicrosoft.com. Emails and instant messages are sent to and from addresses like administrator@contoso.onmicrosoft.com.
Most organizations have registered one or more Internet domain names and would like to use them for all public communications. You can add these domains to Office 365 and configure the system to use them instead of the onmicrosoft.com domain. These are called vanity domains. For example, if you added the vanity domain contoso.com to your subscription: The included Web site could be at http://www.contoso.com. Emails and instant messages are sent to and from addresses like administrator@contoso.com.
The Office 365 service includes DNS servers, but Microsoft does not register domain names or host name server records. Therefore, you must maintain a relationship with an ISP or registrar, even if you no longer host a Web site or other services on their servers. The registrar registers domain names and maintains the NS records for the domain. These NS records should point to the Office 365 DNS servers; an NS record holds a name server's host name, not an IP address, and you obtain the correct host names when you configure the vanity domain in Office 365. All other DNS records, including A, CNAME, and MX records, are hosted on Microsoft DNS servers. These records enable clients to locate Office 365 SharePoint, Exchange, and Lync servers in Microsoft data centers. Because delegation moves the whole zone, any other records the domain currently depends on (for example, records for a third-party mail filter or a subdomain hosted elsewhere) must be recreated on the Office 365 DNS servers, or they will stop resolving once the NS records change.
1. Add the domain to Office 365. On the Admin page, click Domains and then click Add a Domain.
2. Verify that the domain belongs to your organization. To complete this step you must first add a specific TXT or MX record to the DNS zone file at your ISP. In Office 365, you click Verify. Office 365 queries for the TXT or MX record you just created. If the record is found, the domain is verified. At this point, a zone file is created for your new domain on the Office 365 DNS servers. This includes A, MX, CNAME and other records.
3. At your ISP, configure NS records to point to the Office 365 DNS servers. Office 365 displays the correct addresses to configure, but you must update the ISP records yourself.
Changes to DNS records can take up to 24 hours to propagate through the system. You can add multiple vanity domains to Office 365 but you cannot add the same domain to two separate Office 365 subscriptions.
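The following script is an added example, not part of the course manual. It checks, from a public resolver, that the ownership TXT record is visible before you click Verify (step 2), and after step 3 that the NS delegation matches exactly what Office 365 displayed, flagging any leftover name server that would keep answering with a stale copy of the zone. It assumes Resolve-DnsName (Windows 8 or Windows Server 2012 and later); the domain, the verification token, the name server names and the resolver address are placeholders, and the two function names are the example's own.

```powershell
# Added example (not from the course manual). Assumptions: Resolve-DnsName is
# available; every value below is a placeholder, copy the real token and name
# servers from the Office 365 Domains page.
$Domain         = "contoso.com"
$ExpectedTxt    = "MS=ms12345678"                          # placeholder verification token
$ExpectedNs     = @("ns1.example.net", "ns2.example.net")   # placeholder Office 365 name servers
$PublicResolver = "8.8.8.8"                                 # a public resolver, not your internal DNS

function Test-DomainVerificationRecord {
    param([string]$Domain, [string]$ExpectedTxt, [string]$Resolver)
    $records = Resolve-DnsName -Name $Domain -Type TXT -Server $Resolver -ErrorAction SilentlyContinue
    # Resolve-DnsName exposes TXT content through the Strings property.
    $match = $records | Where-Object { $_.Type -eq "TXT" -and $_.Strings -contains $ExpectedTxt }
    return [bool]$match
}

function Test-NsDelegation {
    param([string]$Domain, [string[]]$ExpectedNs, [string]$Resolver)
    $current  = @(Resolve-DnsName -Name $Domain -Type NS -Server $Resolver -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq "NS" } |
                  ForEach-Object { $_.NameHost.TrimEnd(".").ToLower() })
    $expected = @($ExpectedNs | ForEach-Object { $_.ToLower() })
    $missing  = @($expected | Where-Object { $current  -notcontains $_ })
    $extra    = @($current  | Where-Object { $expected -notcontains $_ })
    # "Extra" is the dangerous case: an old host still listed as authoritative will
    # serve some resolvers a zone without the Office 365 MX and CNAME records.
    return [pscustomobject]@{
        Delegated = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        Current   = $current
        Missing   = $missing
        Extra     = $extra
    }
}

if (Test-DomainVerificationRecord -Domain $Domain -ExpectedTxt $ExpectedTxt -Resolver $PublicResolver) {
    "TXT verification record for $Domain is visible on the public DNS: safe to click Verify."
} else {
    "TXT verification record for $Domain is not visible yet: wait for propagation before clicking Verify."
}

Test-NsDelegation -Domain $Domain -ExpectedNs $ExpectedNs -Resolver $PublicResolver | Format-List
```

Query a public resolver rather than your internal DNS server, because an internal server may hold a cached or split-horizon copy of the zone and report success that the rest of the Internet does not see. Keep the verification TXT record in place after verification; removing it does not revoke anything, but leaving it avoids a failed re-verification if the domain is ever re-added.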
Key Points
SharePoint Online includes a private team site by default. The team site is intended to be the document management hub for your organization and looks very similar to an on-premise team site. This familiarity helps users who are already skilled in SharePoint. In this topic, you will see how to configure the team site and other collaboration sites. You can also add a range of other collaborative sites. Many of the configuration tasks are the same as the equivalent tasks in SharePoint Server 2010 and can be accomplished with the same tools. After you create a subscription, the default configuration includes one site collection and two sites. The top-level site is the public-facing Web site and includes predefined styles and themes. You will see more about this site in the Setting Up the Public Web Site topic. The first sub-site is the team site. Subscribers to the P1 plan are restricted to a single site collection but can create sub-sites. Enterprise subscribers can create extra site collections if they are required for more flexible administrative hierarchies. Note: If you view Site Settings for the default team site, you will see the administrative tools for a SharePoint site. Site collection tools, such as the Web Part Gallery and Solutions Gallery, will not be visible. To access these tools, click Go to top level site settings, or open Site Settings for the default Web site.
Creating Sub-Sites
As in SharePoint on-premise farms, you can create sites for each team, each project, each product, or on whatever other basis is most appropriate for your organization and its processes. The user interface is similar to the on-premise tool but includes a Silverlight application that presents site templates and helps you choose the best site template for your requirements. To create a sub-site:
1. In the default Team Site, click Site Actions, and then click New Site.
2. The Silverlight application presents six Featured Items, each of which is a site template. Click on each for more details.
3. To see a list of all the installed site templates, click Browse All at the top left of the application.
4. When you have chosen a site template, type a Title and URL and click Create. The new site is created and displayed.
Note: Many custom site templates created in a SharePoint on-premise farm may not work in SharePoint Online. This is because not all the features present on-premise are available in SharePoint Online. All the active features present when you created the user solution file are listed as required for that solution. If you come across this issue, determine which feature is not present in SharePoint Online. Deactivate this feature in the on-premise farm and then re-create your user solution file.
Key Points
The SharePoint Online subscription includes a public-facing Web site with rich Web content management features. You may choose to continue using an existing Web site host, but many subscribers use their SharePoint Online Web site as their principal Internet presence because of the built-in flexibility and the simple WYSIWYG editing tools available in the browser. In this topic, you will see some of the features you can use to build this Web site. To edit the Web site:
1. Log into Office 365. From the Office 365 Home page, click Admin.
2. Under Website, click Edit website.
SharePoint displays the Web Pages list. In the Quick Launch on the left, you can see links to the Images, Documents, and Templates lists as well as links to any sub-sites you have created.
Important: In the Page Properties dialog you can set keyword and description metatags. These are vital for search engine optimization. They should be different for each page in your site. Make sure they accurately reflect the content of the page.
Header: You can use this section to select a style, theme, and text for the header shown at the top of all Web site pages.
Navigation: You can use this section to position site navigation links and set their order. A simple, understandable navigation hierarchy is essential to help visitors locate the content they need.
Zone: Each page contains one or more zones in which text, images, links and other content can be placed. You can use the Zone section of the Design tab to select the number and layout of zones on the current page. You can also set a background image for a zone.
Advanced: If you have Cascading Style Sheet (CSS) skills, you can use the Advanced section to apply custom CSS code to style text, colors, links and all other aspects of the site.
Adding Content
To create a new page in the Web site, follow these steps:
1. Go to the Web Pages list, and then on the Pages tab, click New Page.
2. Choose the most appropriate page template from the list and then click Next.
3. On the Choose Page Properties page, in the Page Title textbox, type an appropriate title.
4. In the Web Address textbox, type the URL where the page will be found.
5. Under Navigation, specify the navigation title and choose a parent page.
6. Select whether to include standard page elements such as the Header and Footer.
7. Click Finish. The new page is created and shown in the Editor.
When you edit a page, the Home ribbon tab includes common editing tools such as font and paragraph formatting tools. To add richer content to the page, use the Insert ribbon tab. This includes the following sections: Objects: You can use this section to insert Images, horizontal lines, and tables in the page at the cursor. You can choose images from the sites Images library or upload them from your computer. Links: You can use this section to insert a new hyperlink to internal content or an external address. Gadgets: You can use this section to add various types of rich content to your page. For example, you can rapidly create a slide show that cycles through images from your Images gallery, a Bing map to display a location and driving directions, a stock ticker, or Contact Us form. Manage: You can use this section to reconfigure gadgets already added to the page and to reformat tables.
As for the default Team Site, you can also add sub-sites to the SharePoint Online Web site. For example, you may want to add a blog for each of your users.
This demonstration illustrates the user-friendly tools available in SharePoint Online for editing Web content. The instructor will perform this demonstration in the new Office 365 subscription created in the previous demonstration, unless an Internet connection is not available in the classroom. A recording of this demonstration is also available for student download as part of the course companion content which can be obtained via the companion moc site. http://www.microsoft.com/learning/en/us/training/companionmoc.aspx You can use this to review the steps after the course.
Key Points
The browser is the primary way to access Office 365 and SharePoint Online. However, by installing Office desktop software and integrating it with Office 365, maximum productivity can be achieved for users. A user can perform a variety of tasks once you complete this integration, including: Send and receive email and organize tasks and appointments in Outlook 2010. Although Outlook Web Access provides a rich experience in the browser, the highest functionality is only available in the Outlook desktop application. Arrange online meetings in Outlook and partake in them using Lync 2010. Audio, video, and data conferencing facilities are available. Save documents directly to SharePoint libraries from within Office applications. Synchronize SharePoint documents and items with the local hard drive so that documents can be edited when there is no Internet connection available.
The following sections describe how to integrate each users desktop software with Office 365.
Small business subscribers do not receive the Office suite as part of their subscription. However, they can purchase any edition of the Office suite separately. The configuration steps in the next section will work in the same way.
Note: In some browsers you might be prompted to save the setup_en.exe file, and the option to execute it might not appear. If this happens, you can save the file to a local folder and execute it there.
3. The desktop setup tool scans your system for compatibility. When the scan is complete, select the applications you want to integrate with Office 365 and accept the service agreements.
4. The desktop setup adds shortcuts to your Start menu, configures Outlook to send and receive email through Exchange Online, and configures Office applications to save to SharePoint Online.
Additional Reading
Set Up Your Desktop for Office 365: http://go.microsoft.com/fwlink/?LinkId=219644 Software Requirements for Office 365: http://go.microsoft.com/fwlink/?LinkId=218052
Lesson 3
SharePoint Online is the cloud-based version of SharePoint Server 2010, so anyone who administers an on-premise farm will find many administration tasks familiar. For example, the procedures for creating sites, applying customizations, and enabling features are similar or the same as those in previous modules. By contrast, many of the tasks that were outlined in this course are unnecessary in SharePoint Online because the SharePoint farm is configured for you. For example, installing SharePoint updates, creating Web applications, installing service applications, and monitoring SharePoint performance are all tasks carried out by Microsoft staff at data centers and not the responsibility of the subscriber. This lesson identifies the administration tasks that are important, different, or exclusive to SharePoint Online.
Objectives
After completing this lesson, you will be able to: Configure SharePoint Online users and authorize them to access content. Enable people outside your organization to access SharePoint content. Configure SharePoint Online for single-sign on authentication so that users are asked for credentials a minimum number of times.
User Administration
Key Points
In an on-premise SharePoint farm, Active Directory usually stores user accounts and credentials, and Active Directory Users and Computers is used to create and configure accounts. You authorize these user accounts to access SharePoint by configuring the membership of SharePoint groups. In SharePoint Online, user accounts are also stored in Active Directory (the directory that Microsoft operates for your subscription), but instead of Active Directory Users and Computers there is a Web-based tool to create and configure accounts. The following sections describe how to administer Office 365 accounts and authorize them to access SharePoint content.
Note: Office 365 licensing is calculated on a per-user basis. Every user account you add increases licensing costs. Therefore, plan carefully which employees to create accounts for.
To create a new user account:
1. Click New, and then click User.
2. Under Name, enter identity details. If you have added a vanity domain, you can choose it for the username domain, or use the .onmicrosoft.com domain. The username cannot be changed after the account is created.
3. Under Additional Details, enter extra contact information, and then click Next.
4. On the Settings page, choose the user's location and whether the new user should be an administrator for Office 365. Grant the administrator role only to the few accounts that need it; an administrator can manage every user, domain and service in the subscription.
5. On the Licenses page, choose which products the user can access. If you have used all your licenses, you must use the Purchase tool on the Admin page to add new licenses before you can add a user account.
6. On the Email page, select an email address for the new user account. Click Finish to create the account.
During the bulk import process, the wizard requests some properties that will apply to all the users in the file. For example, you select the user location and the licenses to apply. If for example, you have some users in the United States and others in the United Kingdom, create two .CSV files and perform two bulk imports.
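The following script is an added example, not part of the course manual. It prepares the per-location CSV files the bulk import asks for: it reads a (constructed) HR export, rejects any user name whose domain is not one you have verified in the subscription, and writes one import file per Country or Region so that each import can be given its own user location and licenses. The HR export, its column names, the verified-domain list and the function names are this example's own assumptions; the output header is the one the Office 365 bulk-add wizard used at the time of writing, so copy the header from the wizard's sample file if yours differs.

```powershell
# Added example (not from the course manual). Assumptions: the HR export and its
# column names are constructed for this example; the verified-domain list and the
# output header are placeholders to check against your own subscription.
$VerifiedDomains = @("contoso.com", "contoso.onmicrosoft.com")

# Constructed sample HR export (no real people).
$hrExport = @"
upn,first,last,title,dept,country
alice@contoso.com,Alice,Adams,Engineer,R&D,United States
bob@contoso.com,Bob,Brown,Analyst,Finance,United Kingdom
carol@contoso.co.uk,Carol,Clark,Manager,Sales,United Kingdom
dave@contoso.onmicrosoft.com,Dave,Davis,Intern,R&D,United States
"@ | ConvertFrom-Csv

function Test-UserNameDomain {
    param([string]$UserName, [string[]]$AllowedDomains)
    # A user name must be a single local part at a domain the subscription owns.
    $parts = $UserName.Split("@")
    if ($parts.Count -ne 2 -or [string]::IsNullOrWhiteSpace($parts[0])) { return $false }
    return $AllowedDomains -contains $parts[1].ToLower()
}

function ConvertTo-BulkImportRows {
    param($Rows, [string[]]$AllowedDomains)
    $accepted = @(); $rejected = @()
    foreach ($r in $Rows) {
        if (-not (Test-UserNameDomain -UserName $r.upn -AllowedDomains $AllowedDomains)) {
            $rejected += $r.upn
            continue
        }
        # Column order matches the wizard's sample header (assumed, see lead-in).
        $accepted += [pscustomobject]@{
            "User Name"          = $r.upn
            "First Name"         = $r.first
            "Last Name"          = $r.last
            "Display Name"       = "$($r.first) $($r.last)"
            "Job Title"          = $r.title
            "Department"         = $r.dept
            "Office Number"      = ""
            "Office Phone"       = ""
            "Mobile Phone"       = ""
            "Fax"                = ""
            "Address"            = ""
            "City"               = ""
            "State or Province"  = ""
            "ZIP or Postal Code" = ""
            "Country or Region"  = $r.country
        }
    }
    return @{ Rows = $accepted; Rejected = $rejected }
}

$result = ConvertTo-BulkImportRows -Rows $hrExport -AllowedDomains $VerifiedDomains
$result.Rejected | ForEach-Object { Write-Warning "Skipped $($_): domain is not verified in this subscription" }

# One file per location: the wizard applies user location and licenses per file.
$result.Rows | Group-Object "Country or Region" | ForEach-Object {
    $file = "users-" + ($_.Name -replace "[^A-Za-z0-9]", "") + ".csv"
    $_.Group | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
    "$($file): $($_.Count) user(s)"
}
```

With the constructed input this produces users-UnitedStates.csv (Alice, Dave) and users-UnitedKingdom.csv (Bob) and warns about carol@contoso.co.uk, because contoso.co.uk has not been added and verified as a vanity domain. The files contain personal data, so store them where only the administrators who run the import can read them and delete them once the accounts exist.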
4. In the Quick Launch on the left, under Groups, click Members.
5. Click New.
6. Type the name of the account in the Users/Groups box, and then click the Check Names button. If the name is resolved, SharePoint underlines it. Under Send E-Mail, compose the subject and body of a welcome email. This should explain the purpose of the site and the reason for the invitation. A link to the site will be added by SharePoint. Click OK.
Key Points
SharePoint Online is an excellent location from which to share content with people outside of your organization, such as partners or customers. For example, if your company has been hired to develop some documents and the customer wants close involvement with the authoring process, you could grant them membership of the Visitors group for the site. The customer could log into the site and see documents as they progress but make no changes. Keep external users in a read-only group such as Visitors unless they genuinely need to edit content; they receive exactly the permissions of the groups you place them in. External users can only be used to access SharePoint content. They cannot use Lync conferences or Exchange Online. You do not need to purchase an extra Office 365 license for each external user. Currently, however, each subscription is restricted to 50 external users. Note: Do not confuse a SharePoint Online External User with an Exchange External Contact. External User accounts grant access to SharePoint Online content; External Contacts are entries in the Exchange Global Address List that are used to email contacts.
Enterprise subscribers must also complete the following procedure to enable invitations:
1. Log into Office 365 and click the Admin link.
2. Under SharePoint Online, click Manage.
3. In the SharePoint Online Administration Center, click Manage site collections.
4. Ensure you do not select a site collection. On the ribbon, click Settings and then click Manage External Users.
5. In the External Users dialog, click Allow and then click Save.
Note: To ensure security, Microsoft only permits users with Microsoft Online Services accounts or Windows Live accounts to access SharePoint Online as external users. Create a Live account for any users who do not already have one at: http://go.microsoft.com/fwlink/?LinkId=133221
4. Enter a subject and a message that will be sent to the addresses you configure. The message includes links to accept the invitation and add the SharePoint site to favorites.
Key Points
Users dislike having to remember credentials and grumble when passwords expire, even though these measures are vital for security. If you use Active Directory to store user accounts on-premises, you can enable those user accounts to be used to access Office 365 services. This has the following advantages: each user must remember only a single username and password; users are less likely to forget their passwords and require an administrator to reset them; they are also less likely to write down their passwords, which would compromise security; and users are prompted for credentials less often.
Active Directory Federation Services 2.0 (AD FS) is required for single sign-on between Active Directory and Office 365. A relying party trust relationship is established between AD FS and Office 365: Office 365 is configured to accept security tokens signed by your AD FS token-signing certificate, so users authenticate against your own Active Directory and present the resulting token to Office 365 rather than a separate password. AD FS does not copy accounts to Office 365; that is the separate job of Active Directory synchronization. The following sections describe how to set up single sign-on for Office 365. Single sign-on and Active Directory synchronization are only available to Office 365 Enterprise subscribers. Note: Setting up single sign-on is an advanced task that requires Active Directory and AD FS skills. It is too involved to cover in detail in this SharePoint course. Here you will see the main stages and find links to sources of the full step-by-step procedures.
Use Windows Update to ensure that client operating systems are up-to-date. Windows 7, Vista, and XP are supported. User accounts must have full User Principal Names (UPNs) such as administrator@contoso.com, and the UPN suffix must be a domain you have verified in Office 365. UPNs in a .local domain cannot be used, because .local is not a publicly registrable domain and so can never be verified.
You can use the Office 365 Deployment Readiness Tool to test your Active Directory. You can find this tool at: http://go.microsoft.com/fwlink/?LinkId=219173.
Deploy AD FS 2.0
You should plan, deploy and configure AD FS on your premises. This service authenticates users against Active Directory and issues the security tokens that Office 365 trusts; account changes are synchronized separately by directory synchronization. Because every federated sign-in to Office 365 depends on AD FS, plan for its availability: if the AD FS service is unreachable, federated users cannot sign in to any Office 365 service. Read more about planning and deploying AD FS at: http://go.microsoft.com/fwlink/?LinkId=212852
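The UPN requirement above and the trust established with the Microsoft Online Services Module can both be checked from PowerShell. The following is an added example for this edition, not code from the original course or from Microsoft's documentation; the domain contoso.com, the AD FS host name adfs.contoso.com and the rule that every enabled user's UPN suffix must equal the federated domain are assumptions for illustration (adjust the suffix check if you have several verified domains). It audits UPN suffixes with the built-in ADSI searcher, converts the domain to federated, and then reads the federation properties back so the Office 365 and AD FS settings can be compared.

```powershell
# Added example (not from the original course): audit UPN suffixes before federation,
# then establish and verify the relying party trust with the MSOnline module.
# Assumptions: contoso.com is the verified vanity domain, adfs.contoso.com is the
# AD FS 2.0 server, and this runs on a domain-joined machine with the module installed.

$Domain   = 'contoso.com'
$AdfsHost = 'adfs.contoso.com'

# 1. Audit UPN suffixes of enabled user accounts. The LDAP filter excludes disabled
#    accounts (userAccountControl bit 2) with the bitwise-AND matching rule.
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('userPrincipalName')

$bad = foreach ($r in $searcher.FindAll()) {
    $upn    = [string]$r.Properties['userprincipalname']
    $suffix = if ($upn -match '@(.+)$') { $Matches[1] } else { '' }
    # Empty UPN, a .local suffix, or any suffix other than the federated domain
    # will not sign in through AD FS.
    if ($suffix -ne $Domain) {
        [pscustomobject]@{ Account = [string]$r.Properties['samaccountname']; UPN = $upn }
    }
}
if ($bad) {
    Write-Warning "Accounts with no UPN or a UPN outside $Domain (for example .local); fix these first:"
    $bad | Format-Table -AutoSize
}

# 2. Establish the relying party trust between AD FS and Office 365.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)
Set-MsolADFSContext -Computer $AdfsHost        # AD FS server, reached by PowerShell remoting
Convert-MsolDomainToFederated -DomainName $Domain

# 3. Read the federation settings back. Compare the token-signing certificate and the
#    issuer URI reported for Office 365 with those reported for the local AD FS server;
#    a mismatch means sign-in will fail even though the conversion succeeded.
Get-MsolFederationProperty -DomainName $Domain
```

Run the audit first and fix the reported accounts, because Convert-MsolDomainToFederated changes how every user in the domain signs in. Converting back with Convert-MsolDomainToStandard is possible, but it resets users to managed passwords and is disruptive, so the check is worth doing before rather than after.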
Additional Reading
Single Sign-On Roadmap: http://go.microsoft.com/fwlink/?LinkId=239821
Review Questions
1. You are evaluating SharePoint Online and comparing it to a SharePoint on-premises farm you have already implemented. When you designed your on-premises farm, you included Redundant Array of Inexpensive Disks (RAID) arrays, load balanced front-end servers, and clustered database servers for high availability. Your manager is concerned that availability from SharePoint Online might not be as good. What do you tell him?
2. You have moved your Web site, email services and instant messaging facilities to Office 365, including a vanity domain. Should you cancel all services from your old ISP?
3. You have used all the Office 365 licenses you purchased for office staff. You are starting a new project with a new customer. How can you grant them access to a SharePoint Team site without buying extra licenses?
Tools
Tool: Office 365 Deployment Readiness Tool
Use for: This tool checks your Active Directory to ensure that servers are at the correct version level and user accounts have suitable UPNs.
Where to find it: http://go.microsoft.com/fwlink/?LinkId=219173

Tool: Microsoft Online Services Module
Use for: This tool adds a range of commands to PowerShell that can be used to establish a trust relationship for single sign-on.
Where to find it: http://go.microsoft.com/fwlink/?LinkId=235468
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential, and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.