Building the Perfect SharePoint Farm
Michael Noel, Convergent Computing (michael @ cco.com)
UK SharePoint User Group, London, UK, 26 February 2009
Michael Noel
• Author of SAMS Publishing titles “SharePoint 2007 Unleashed,” the upcoming “Teach Yourself SharePoint 2007 in 10 Minutes,” “SharePoint 2003 Unleashed,” “Teach Yourself SharePoint 2003 in 10 Minutes,” “Windows Server 2008 Unleashed,” “Exchange Server 2007 Unleashed,” “ISA Server 2006 Unleashed,” and many other titles.
• Partner at Convergent Computing (www.cco.com / +1 (510) 444-5700), San Francisco, U.S.A. based infrastructure/security specialists for SharePoint, AD, Exchange, and security
Session Objectives and Agenda
• Walk through the farm build process from a best-practices perspective
• Examine each stage in the build process
• Dive into the specific details for each step:
  • Server Architecture
  • Hardware
  • Operating System
  • SharePoint Binaries Installation
  • Farm Installation / Adding to the Farm
  • Shared Services Provider Configuration
  • Farm Configuration
Architecting the Farm: Best Practice Designs
Farm Architecture: All-in-One Farm
• All SharePoint roles and SQL Server on the same box
• For very small environments without a lot of load
• SQL contends with SharePoint for the same resources
• Easy to deploy, but highest potential for contention
• NOTE: Only the smallest environments should use SQL Server Express or SQL Embedded
Farm Architecture: Dedicated SQL Database Server
• Dedicated SQL Server
• All SharePoint roles on a single box
• Disk I/O contention lessened by moving SQL off the SP server
• Greater performance can be gained by breaking SharePoint roles out onto separate servers
Farm Architecture: Smallest Highly-Available Farm
• 2 Web/Query/Application servers
• 1 dedicated Index server (with the Web role enabled to allow it to crawl content)
• 2 SQL Standard Edition cluster nodes (Active/Passive)
• Smallest fully redundant farm (loss of any one server will not affect functionality)
Farm Architecture: Scalable Farm
• Multiple dedicated Web role servers
• Multiple dedicated Query servers
• Multiple dedicated Application servers
• Dedicated SharePoint Central Admin server(s)
• Single Index server (per Shared Services Provider)
• Multiple-node or multiple-instance SQL Server Enterprise Edition cluster(s)
Virtualized Farm Architecture: Single Host Virtual Environment
• Allows organizations that wouldn’t normally be able to have a test environment to run one
• Allows for separation of the database role onto a dedicated server
• Can be more easily scaled out in the future
Virtualized Farm Architecture: Dual Host Virtual Environment
• High availability across hosts
• All components virtualized
• Uses only two Windows Enterprise Edition licenses
Virtualized Farm Architecture: Mixed Virtual/Physical Environment
• The highest-transaction servers are physical
• Multiple farm support, with DBs for all farms on the SQL cluster
• Only five physical servers total, but high performance
Hardware: Planning for the Farm
Hardware Planning Considerations: Disk, Memory, and Processor
• The SQL database role requires a great deal of space, especially if versioning is turned on in document libraries. Don’t underestimate it!
• Index and Query servers also need hard drive space
• The more memory and processor cores that can be given to SharePoint the better, in the following priority:
  • Database role
  • Index role
  • Web/Query role
Hardware Planning Considerations: Virtualization
• Windows Server 2008 Hyper-V is an excellent option, and can save money.
• Microsoft supports third-party hypervisors whose vendors are members of the SVVP (KB 897615); this includes VMware and Citrix XenServer. There are some limitations, so consult the KB article.
• Not all roles should be virtualized, depending on the level of disk I/O that is expected. The best candidate for virtualization is the Web front-end, followed by Query, then Index, and finally SQL.
Operating System: Laying the Foundation
Operating System Best Practices: Versions
• Highly recommended: Windows Server 2008, for security, performance (client/server traffic improvements), and ease of setup
• x64 also very highly recommended (the next version of SharePoint is x64 only)
• Enterprise Edition of Windows is only required for very large SQL instances (more than two cluster nodes, high transaction volume, etc.). Standard Edition of Windows is adequate in all other cases.
Operating System Best Practices: SQL Server
• SQL Server 2008 recommended, particularly if you have high security requirements, as it allows for transparent encryption of databases
• SQL Server 2005 is also fully supported
• Enterprise Edition of SQL is only required for more than two nodes in a cluster, asynchronous database mirror replication, and/or more than 32 GB of RAM
• Use a SQL alias to make it easier to move the SharePoint config database to a new server in the future
• A separate Reporting Services server may be required for intensive reporting
Operating System Best Practices: Installation on SQL Server
• Install the defaults for Windows Server 2008
• SQL Server:
  • Install SQL Server 2005/2008
  • Install any service packs and updates (e.g. SQL 2005 SP2)
  • Open port 1433 on the Windows Firewall.
Operating System Best Practices: Installation on SharePoint Servers
• Install the defaults for Windows Server 2008
• SharePoint servers:
  • Add the ‘.NET Framework 3.0 Features’ from the Add Features wizard
  • Default Windows Firewall settings will work for front-ends
SharePoint Installation: Adding the SharePoint Binaries
SharePoint Installation: Versions
• Windows SharePoint Services 3.0 has a similar installation process to MOSS 2007.
• MOSS 2007 Enterprise Edition is recommended if using advanced functionality such as Excel Services, InfoPath Forms Services, etc.
• MOSS 2007 Standard Edition can be used to start; the farm can be upgraded later.
• Once upgraded to Enterprise Edition, the farm cannot be downgraded.
SharePoint Installation: Service Accounts
• Never use a single account for all services unless it’s a test farm.
• At a minimum, create the following accounts:
  • SQL Admin account
  • Installation account (local admin rights on SP servers)
  • SharePoint Farm Admin (requires local admin rights on SP servers, SQL DBCreator and SQL Security Admin on the SQL box)
  • Search Admin (requires local admin rights on any Query or Index servers)
  • Default Content Access account (read-only access to all indexed locations)
  • Application Pool Identity account (at least one; can use a separate one for each app pool). It is critical for security that this isn’t the farm admin account.
SharePoint Installation: Installation Process
• For the most flexibility, choose the ‘Complete’ installation, even if not installing all of the roles on the server. This will allow for the addition of roles in the future as needed.
• Be sure not to select ‘Stand-Alone’, unless you plan on having a very small farm with a limited database (SQL Server Express)
SharePoint Installation: Installation Process (continued)
• Highly recommended to choose the final destination for the Index/Query data to live during installation (i.e. if it’s on a different drive, enter that then). It’s difficult to change the index location later.
• Remember, after installing the binaries, the server is not a farm member yet; it can be added to any farm. This is a good concept to use to pre-stage servers.
SharePoint Installation: Command-line Installation of SharePoint
• It is good to understand how to install SharePoint from the command line, especially if setting up multiple servers.
• Allows for options not available in the GUI, such as the option to rename the Central Admin database to something easier to understand.
• Use SETUP, PSCONFIG and STSADM to script the install process; check online blogs for details.
Creating a Farm (or Adding New Servers to It)
Creating the Farm: Running the Config Wizard to Install the Initial Farm Server
• Consider using an easy-to-remember port for the Central Admin service (e.g. 8888)
• You are welcome to change the Config Database name to match a common naming convention
• Your database access account is the SP service account, which only needs DBCreator and Security Admin rights on SQL. Don’t give it more!
Creating the Farm: Using a SQL Alias
• Do yourself a HUGE favor and don’t forget to use a SQL alias when creating the SQL Config Database. For example, if your SQL server name is ‘SQLSERVER1’, use something like ‘SPSQL’ to connect, and have DNS point to the proper server location. This makes it MUCH more flexible.
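The alias and command-line farm creation described on the last three slides, as an added example script that is not from the presentation: it creates the ‘SPSQL’ client alias for ‘SQLSERVER1’ (the slide’s names) in the registry, confirms TCP 1433 is reachable, and then builds the config database through the alias with psconfig.exe so the farm never stores the physical server name. It assumes the MOSS 2007 binaries (12 hive) are already installed on this server; the database names and the ‘DOMAIN\spfarm’ account are placeholders.

```powershell
# Added example (not from the slides). Run in an elevated PowerShell on the first farm server.
$SqlServer = 'SQLSERVER1'   # physical SQL server from the slide
$Alias     = 'SPSQL'        # alias the farm will connect to
$Port      = 1433           # the port opened on the SQL server's Windows Firewall

# SQL client aliases live under the "ConnectTo" key. On x64 Windows, write both the
# 64-bit and the 32-bit (Wow6432Node) views so 64-bit services and 32-bit tools agree.
$aliasKeys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
)
foreach ($key in $aliasKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # DBMSSOCN selects the TCP/IP network library; format is "DBMSSOCN,<server>,<port>"
    Set-ItemProperty -Path $key -Name $Alias -Value "DBMSSOCN,$SqlServer,$Port"
}

# Fail early if the SQL server is not reachable on the port the alias points at.
$socket = New-Object System.Net.Sockets.TcpClient
try   { $socket.Connect($SqlServer, $Port) }
catch { throw "Cannot reach $SqlServer on TCP $Port; check the SQL server's Windows Firewall first." }
finally { $socket.Close() }

# Create the farm through the alias. The farm account needs only DBCreator and
# SecurityAdmin on SQL; Central Admin is provisioned on the memorable port 8888.
$psconfig     = "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\12\BIN\psconfig.exe"
$farmAccount  = 'DOMAIN\spfarm'                           # placeholder farm admin account
$farmPassword = Read-Host "Password for $farmAccount"     # prompt; never hard-code it
& $psconfig -cmd configdb -create -server $Alias -database 'SharePoint_Config' `
    -user $farmAccount -password $farmPassword -admincontentdatabase 'SharePoint_AdminContent'
& $psconfig -cmd helpcollections -installall
& $psconfig -cmd secureresources
& $psconfig -cmd services -install
& $psconfig -cmd installfeatures
& $psconfig -cmd adminvs -provision -port 8888 -windowsauthprovider onlyusentlm
& $psconfig -cmd applicationcontent -install
```

Moving the config database later then only requires repointing the alias (and DNS), not re-creating the farm.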
Creating the Farm: Installing Additional Farm Members
• Run the Config Wizard on all remaining servers to add them to the farm.
• Consider running SharePoint Central Admin on your web front-ends for redundancy (Advanced button).
• After adding each server to the farm, configure its roles.
Creating the Shared Services Provider: It Doesn’t Have to Be Difficult
Reviewing SharePoint Architecture: Understanding the Shared Services Provider
• A Shared Services Provider coordinates services that are used by multiple servers in a farm, including:
  • AD Profile Import
  • Enterprise Search (including Index)
  • Business Data Catalog
  • Audiences
  • Excel Services
  • My Sites
  • Usage Reporting
• There can only be one Index per SSP
• It’s not common, but reasons to create multiple SSPs include the following:
  • Needing to separate indexes from multiple content sources (security reasons)
  • A unique search experience required for different branches of the organization
  • Needing to separate My Sites content, including custom settings
Creating the SSP: SSP Best Practices
• After creating Web Applications for the SSP and for My Sites, you can administer the SSP:
  • Configure Index settings
  • Configure the connection to Active Directory and profile imports
  • Turn on Site Collection Reporting from the SSP
Creating the SSP: Web Application Best Practices
• Highly, highly recommended to create multiple Web Applications, even for smaller farms, e.g.:
  • SP Central Admin Web App
  • ssp1.companyabc.com
  • mysite.companyabc.com
  • home.companyabc.com
• Using dedicated web applications is a much more flexible approach. My Site and the root SP site can be combined in certain circumstances, but this is not as flexible.
Creating the SSP: Web Application Best Practices (continued)
• Consider using unique host headers when creating the web applications, even if you will separate them by IP later. This helps when provisioning new web front-ends.
• For the SSP and Central Admin Web Apps you can use NTLM for convenience, but strongly consider Kerberos for My Sites and content-related Web Apps.
Kerberos: Best Practices
• When creating any Web Applications for content, USE KERBEROS. It is much more secure and also much faster, as the SP server doesn’t have to keep sending auth requests to AD.
• Kerberos auth does require extra steps, which makes people shy away from it, but once configured it improves performance and security considerably.
Kerberos: Best Practices (continued)
• Use the setspn utility to create Service Principal Names in AD, using the following syntax, for example:
  • Setspn.exe -A HTTP/mysite.companyabc.com DOMAINNAME\MYSiteAppAccount
  • Setspn.exe -A HTTP/mysite DOMAINNAME\MYSITEAppAccount
  • Setspn.exe -A HTTP/home.companyabc.com DOMAINNAME\HOMEAppAccount
  • Setspn.exe -A HTTP/sp DOMAINNAME\HOMEAppAccount
Kerberos: Best Practices (continued)
• On all SP computer accounts and on the Application Identity accounts, check the box in ADUC to allow delegation.
• Windows Server 2008 front-ends require the ApplicationHost.config file to be modified so that the windowsAuthentication element carries the following attributes:
  • <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
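The SPN registration and the IIS 7 kernel-mode authentication setting from the two Kerberos slides above, as an added example script that is not from the presentation. It registers the slide’s four SPNs with the Windows Server 2008 version of setspn (which refuses to create a duplicate), reports any SPN already held by another object (a duplicate makes Kerberos silently fall back to NTLM), and sets useKernelMode/useAppPoolCredentials on the IIS sites with appcmd. The account names are the slide’s placeholders, and the IIS site names in $iisSites are assumed to be whatever names SharePoint gave the web applications.

```powershell
# Added example (not from the slides). Run as a domain admin on a Server 2008 front-end.
$spns = @(
    @{ Spn = 'HTTP/mysite.companyabc.com'; Account = 'DOMAINNAME\MYSiteAppAccount' },
    @{ Spn = 'HTTP/mysite';                Account = 'DOMAINNAME\MYSiteAppAccount' },
    @{ Spn = 'HTTP/home.companyabc.com';   Account = 'DOMAINNAME\HOMEAppAccount' },
    @{ Spn = 'HTTP/sp';                    Account = 'DOMAINNAME\HOMEAppAccount' }
)

foreach ($entry in $spns) {
    # -S (Server 2008 setspn) registers the SPN only if no object in the forest has it yet.
    $out = & setspn.exe -S $entry.Spn $entry.Account
    if ($out -match 'Duplicate SPN found') {
        # Show which object holds it so the conflict can be resolved before going live.
        Write-Warning "$($entry.Spn) is already registered; current holder(s):"
        & setspn.exe -Q $entry.Spn
    }
}

# -X scans the domain for duplicate SPNs; anything listed here must be cleaned up,
# because a duplicate means the KDC cannot tell which account should decrypt the ticket.
& setspn.exe -X

# IIS 7 kernel-mode authentication decrypts tickets with the machine account unless
# useAppPoolCredentials is set, so an SPN registered to the app-pool identity would
# never match. This is the ApplicationHost.config change from the slide, via appcmd.
$appcmd   = "$env:windir\system32\inetsrv\appcmd.exe"
$iisSites = @('SharePoint - mysite.companyabc.com80', 'SharePoint - home.companyabc.com80')  # assumed names
foreach ($site in $iisSites) {
    & $appcmd set config $site -section:system.webServer/security/authentication/windowsAuthentication `
        /enabled:true /useKernelMode:true /useAppPoolCredentials:true /commit:apphost
}
```

Run `appcmd list config <site> -section:windowsAuthentication` afterwards to confirm the three attributes were written to ApplicationHost.config.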
Configuring the Farm: A Smattering of Best Practices
Configuring the Farm: Best Practices
• For email-enabled content, create a dedicated OU for email-enabled contacts and distribution lists, and give the SP Admin account rights to create and modify contacts and groups in that OU only.
• Use the Index server (if a separate role) as a dedicated server for crawling content; to do this you have to turn on the Web role on it, however.
• Don’t forget to configure an NLB VIP for inbound mail using the SMTP service in a multi-server environment.
• You can use multiple ‘extended’ web applications if you need to provide multiple access mechanisms to the same content.
Configuring the Farm: Best Practices (continued)
• Don’t forget Alternate Access Mappings if connecting to the content in more than one way (e.g. https://home.companyabc.com vs. just http://home)
• If using SSL on a web app, it must have a dedicated IP address, not just a host header
• Don’t forget to install antivirus (MS Forefront Security for SharePoint recommended)
• Don’t forget a comprehensive backup solution (MS System Center Data Protection Manager (DPM) 2007 recommended)
Configuring the Farm: Third Party Add-Ons
• For indexing of PDFs on 64-bit servers, consider installing the Foxit iFilter on the Index server
• For advanced search, consider a third-party tool such as Ontolica
• For advanced reporting, consider a third party such as Quest or Nintex
• For replication, consider Syntergy or AvePoint
• Look at other SharePoint companies for additional offerings; there are many
Key Takeaways
• There is no ONE way to configure SharePoint, but there are many best practices.
• Use multiple service accounts
• Use Kerberos for any user-facing web application
• A five-server farm is the smallest that is fully redundant
• Separate the DB role from the SP server if you can
• Refer to the upcoming SAMS “Teach Yourself SharePoint 2007 in 10 Minutes” for step-by-step instructions
For More Information
• SharePoint 2007 Unleashed (SAMS Publishing) (http://www.samspublishing.com)
• SAMS Teach Yourself SharePoint 2007 in 10 Minutes (http://www.samspublishing.com)
• Microsoft ‘Virtualizing SharePoint Infrastructure’ whitepaper (http://tinyurl.com/virtualsp)
Thanks for having me at your User Group in the UK! Questions?
Michael Noel, michael @cco.com, www.cco.com