Category Archives: SharePoint

An email about what goes into a corporate SharePoint farm

A short while back my friend Nik asked me if I could outline some details about how the corporate IT farm was structured.

He commented that the email I sent him was pretty handy, so I thought it might make a good blog post for others as well.

——
Nik

Our Portal environment consisted of the following:
(Sharepoint 2010 – adjust OS/Software versions as needed for 2013)

Database Layer:
2 physical machines, with Windows Server 2008 R2 and SQL Server 2008 R2, in a clustered configuration – with storage for the Cluster being provided by a SAN

Sharepoint Layer:
4 Virtual Machines, with Windows Server 2008 R2 and SharePoint 2010 with SP1 and the latest CU
2 of these servers were designated as "App" servers and 2 as "Web Front Ends" (WFEs)

IP addresses:
Each Server needs 1 IP address for general network connectivity.
For our web front ends, we chose to allocate an additional IP per DNS name (it is possible to share the general machine IP address with multiple non-SSL websites, but when SSL gets involved on IIS 7.x you need 1 IP per DNS name, because the certificate is chosen by IP:port before the host name is known)
When there is more than one IP per server, you add them on the network adapter on the advanced button where you would normally specify the IP address.
From an IP perspective all IP addresses generally need to be in the same subnet.
At the Sharepoint Machine layer, these are all internal IP addresses, not publicly accessible.

Load Balancing:
If a hardware load balancer is used, it typically gets a dedicated IP for each DNS name it is load balancing, in addition to any management IP used to administer the load balancer itself. Here we use an F5 load balancer. There is also a certificate requirement, which I'll talk about below.

Another LB option is Microsoft's Network Load Balancing (NLB). This requires a slightly different config on the servers. I think the WFEs end up sharing the same IP address per DNS name, but the addition of NLB then needs a second IP on each node and a second network interface so the nodes can communicate through the "back channel".

SSL Certificates:
The rules for SSL: you need one cert per DNS name (unless you use what's known as a wildcard certificate). So, for example, a.yourcompany.com and b.yourcompany.com would each need a separate certificate; another option is to obtain a wildcard certificate that covers *.yourcompany.com, which then works with all subdomains of yourcompany.com (a.yourcompany.com, b.yourcompany.com, c.yourcompany.com, etc.). I am not a certificate expert, but I have heard there are pros and cons to using a wildcard cert.

SSL certs are requested from within IIS: you fill out a few fields and it creates a text file with the request. This text file goes to the certificate authority, they send back the certificate file, and you go back into IIS and "Complete Certificate Request". Note that you do all of this on only one of the two WFEs, and you complete the request on the same box it originated from, because that box holds the private key the request was generated with.
If you are load balancing, your next step is to "Export" the certificate from IIS on the box that has the cert. You will need to give the exported file a password (if you are not asked for one, you are not exporting the private key). Copy the exported file (it will have a .pfx extension) to the other node and "Import" it into IIS; you'll be prompted for the password you used. Delete the .pfx from any share you staged it on once the import is done.
As far as where the certificate requests go, we had someone on staff here that handled that. On other projects, I've used GoDaddy and also VeriSign to get SSL certs. Both have websites where you upload the request file, make a payment, validate your identity and your right to request certificates for the domain in question, and then receive the certificate.

SSL and IIS: once the certificate is in IIS you need to tell IIS which website to assign it to. Right-click the site, choose "Bindings", add an https binding, and you'll see a drop-down of installed SSL certificates.

SSL and a hardware load balancer: depending on the load balancer used, it might be necessary to provide the certificate (and its private key) to the load balancer so that it can decrypt traffic to inspect it before sending it forward. In our case I think our team wanted a .pem file; I have instructions somewhere on how to convert that if you need it.
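The export/import/bind steps above, as an added PowerShell example that is not part of the original e-mail. It uses the .NET X509 classes rather than Export-PfxCertificate so it also runs on Server 2008 R2, and the IIS WebAdministration module for the binding. Host name, IP address, site name and the staging path are placeholders. One caveat the e-mail hints at: whatever you copy this way (and a wildcard cert in particular) ends up with its private key on every WFE, the load balancer and the UAG box, so the cert is only as safe as the least protected of those hosts.

```powershell
# Added example (not from the original e-mail). Run Export-SiteCert on the WFE that completed the
# request, copy the .pfx, then run Import-SiteCert and Add-HttpsBinding on the second WFE.
Import-Module WebAdministration
Add-Type -AssemblyName System.Security

$siteDnsName = 'portal.example.com'              # placeholder DNS name of the site
$pfxPath     = '\\wfe02\d$\Certs\portal.pfx'     # placeholder staging path (admin-only share)
$bindingIp   = '10.0.0.21'                       # placeholder: the extra IP given to this DNS name on WFE02
$iisSiteName = 'SharePoint - portal443'          # placeholder IIS site name

function Export-SiteCert {
    param([string]$Subject, [string]$Path, [securestring]$Password)
    # Pick the newest cert for this subject that actually has a private key on this box.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Subject*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for $Subject in LocalMachine\My" }
    # Export throws unless the key was marked exportable when the request was created in IIS.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $cert.Thumbprint
}

function Import-SiteCert {
    param([string]$Path, [securestring]$Password)
    # MachineKeySet + PersistKeySet: the key is stored in the machine store, where IIS can use it.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    return $cert
}

function Add-HttpsBinding {
    param([string]$SiteName, [string]$IpAddress, [string]$HostHeader, $Cert)
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress $IpAddress -HostHeader $HostHeader
    # IIS 7.x stores the certificate-to-endpoint mapping under IIS:\SslBindings, keyed "ip!port".
    New-Item -Path "IIS:\SslBindings\$IpAddress!443" -Value $Cert | Out-Null
}

# Usage (each line on the box named in the comment):
$pfxPassword = Read-Host -AsSecureString 'PFX password'
# WFE01:  Export-SiteCert -Subject $siteDnsName -Path $pfxPath -Password $pfxPassword
# WFE02:  $c = Import-SiteCert -Path $pfxPath -Password $pfxPassword
#         Add-HttpsBinding -SiteName $iisSiteName -IpAddress $bindingIp -HostHeader $siteDnsName -Cert $c
#         Remove-Item $pfxPath    # do not leave a private key sitting on a share
```

The password is read as a SecureString and never appears on a command line or in a transcript; the .pfx is the only artifact that carries the private key, which is why the last step deletes it.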

SharePoint installation and Service accounts –
I used the AutoSPInstaller from CodePlex http://autospinstaller.codeplex.com/
In the installer package is a configuration file that you will need to modify to supply different accounts.
This is a great place to get a list of all the accounts you could ever possibly need. It is of course possible to re-use the same account, but the installer script spells out all the different places you could want a separate account; it's up to you whether you type in the same thing in several places.
The installation of SP allows for "slip-streaming" updates, so that the installation can be done all in one step including Service Packs and CUs (probably not an issue right now with 2013 since it's new).

Admin rights – this area is tricky and I can’t say I’m an expert here.
In general, what I've found is that there are a LOT of operations during setup and maintenance that require an account to be in the local Administrators group.
The AutoSPInstaller documentation actually does a decent job of discussing a few accounts that need admin on a temporary basis and can later be removed from the Administrators group. One thing to watch out for is that they would then need to be added back in for things like applying service packs and CUs.

Inbound access to SharePoint from the internet:
UAG –
I know a little bit here. I'm not the UAG guy per se, but here's how it works:
Internally you still have all the same private IP addresses – if you’re using a load balancer then it has an IP for the site you want to “publish” on the internet – this is an internal IP.
UAG is installed on a box somewhere – I would expect to see this in a DMZ, between two firewalls – one on the outside and one between UAG and the internal network.
UAG will need an external, public IP and an internal one. UAG will need the SSL certificate if SSL is being used. Here is one area where the wildcard seems to help: you can only have one SSL certificate per IP address, so without a wildcard each published site would need its own public IP. Our UAG box has a wildcard cert for *.mycompany.com and the public DNS of all our sites points to the same public IP address, the address of the UAG box. (Note that the DNS we use inside the private network is different: internally, DNS for each website points to the load balancer for that site, not to the UAG box.)

Siteminder –
Just say no…

A note about the number of servers and their roles –
This is all documented by MS. I think it's pretty typical to do a 2 App, 2 WFE farm as a starting point, as it gives some redundancy; you could also do 1 App, 2 WFE, or 1 and 1.
Search in 2013 is pretty awesome, so it might be good to dedicate a box or two to that. I still need to read up on the infrastructure there; typically you have one or more crawlers and then one back end for the crawlers to talk to. Here we've used the WFEs as crawlers.

A note about installing in the DMZ –
Some might find it desirable to install some or all of SharePoint in the DMZ. There really shouldn't be a problem with this so long as all the needed ports are opened up. For example, if SQL is on the internal network and SP is in the DMZ, you'd need SP to be able to talk to SQL (I think that's port 1433). You'd also need to open ports internally so that internal clients can hit the site and use WebDAV for opening files with Explorer. If you decided to split SharePoint with some boxes in the DMZ and some on the internal network, you'd need to open the ports SharePoint uses for internal communication (I think port 38??? is used for services).
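A reachability check for the split-DMZ case, as an added example that is not part of the original e-mail. It opens a TCP connection with a timeout using System.Net.Sockets so it runs on Server 2008 R2 without Test-NetConnection. The host names are placeholders; the port numbers are the product defaults (1433 for a default SQL instance; 32843, 32844 and 32845 for SharePoint's service-application http, https and net.tcp endpoints; 389 for LDAP to a domain controller), so adjust them if your SQL instance or service endpoints were given fixed non-default ports.

```powershell
# Added example (not from the original e-mail): run from a DMZ SharePoint box to confirm the
# inside ports it depends on are open before the first deployment. Host names are placeholders.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # WaitOne returns $false when the timeout elapses first (typical of a silently dropped packet)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws on an active refusal (RST), i.e. reachable but closed
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$checks = @(
    @{ Host = 'sql-cluster.corp.example.com'; Port = 1433;  Why = 'SQL default instance (named instances use SQL Browser, UDP 1434, or a fixed port)' }
    @{ Host = 'app01.corp.example.com';       Port = 32843; Why = 'service application http endpoint' }
    @{ Host = 'app01.corp.example.com';       Port = 32844; Why = 'service application https endpoint' }
    @{ Host = 'app01.corp.example.com';       Port = 32845; Why = 'service application net.tcp endpoint' }
    @{ Host = 'dc01.corp.example.com';        Port = 389;   Why = 'LDAP to a domain controller (domain members also need 53, 88, 135, 445 and the RPC range)' }
)

foreach ($c in $checks) {
    $ok = Test-TcpPort -ComputerName $c.Host -Port $c.Port
    $state = if ($ok) { 'OPEN' } else { 'BLOCKED' }
    '{0,-8} {1}:{2,-6} {3}' -f $state, $c.Host, $c.Port, $c.Why
}
```

BLOCKED covers both a firewall drop (timeout) and a refused connection; if you need to tell them apart, the refusal surfaces as an exception in EndConnect, so catch it separately there.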

A note about the “WFE” role –
There really aren't roles in SP. There is a service in 2010 called something like the "SharePoint Foundation Web Site" or something like that. You can sometimes get away with disabling that (from CA) on the boxes that are "App" server boxes, but there are times when this causes deployments or 3rd party installations to fail. There is no harm in leaving it on, but you will then see the websites in IIS on the "App" boxes. So long as you don't route any traffic to those boxes (from the load balancer, for example) those sites will never spin up and really shouldn't be a problem.

A note about memory – sizing, etc…
Follow the Microsoft “best practices” where possible – I think they currently recommend 8-16 gb minimum per machine.

A note about log files –
I store these on the D drive – the AutoSPInstaller makes it easy to specify these in advance.

I hope this helps!

It’s funny – I’ve never actually thought about all this at once – It might make a good blog post!

– Jack

As a follow up to this email – Server 2012/IIS 8 supports Server Name Indication which may allow you to share an IP address amongst multiple SSL sites (Browser support varies so it’s not a given)
http://en.wikipedia.org/wiki/Server_Name_Indication

Simple batch file to run a directory of powershell .ps1 files

A few times our support team has given me a zip file full of .ps1 files they want me to run. Today I got two zip files with about 20 PowerShell scripts.

Not wanting to run them one at a time by hand, I wrote this small batch file called run.bat and put it in the directory with the .ps1 files.

@echo off
rem Runs each .ps1 in this folder in its own PowerShell process.
rem -ExecutionPolicy Bypass applies to that process only, so there is no need to change the
rem machine-wide policy with Set-ExecutionPolicy (which would also require an elevated prompt).
rem Each child exits when its script finishes; output stays on screen until the final pause.
for %%f in (*.ps1) do (
    echo === Running %%f ===
    powershell -NoProfile -ExecutionPolicy Bypass -File "%%~ff"
    if errorlevel 1 echo *** %%f reported an error
)
pause
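The same job done from PowerShell itself, as an added example that is not the batch file from the post. It adds what you would want before running twenty scripts someone else zipped up: each script's Authenticode signature is checked (and unsigned or tampered scripts are skipped when -RequireSignature is set), the zip's "mark of the web" is cleared explicitly, every script runs in a child process with a per-process execution policy, and each script's output lands in its own log file. The folder and log paths are placeholders; Unblock-File and [pscustomobject] need PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): run-all.ps1, run from the folder of extracted scripts.
param(
    [string]$ScriptFolder = (Get-Location).Path,
    [string]$LogFolder = (Join-Path $env:TEMP 'ps1-run-logs'),
    [switch]$RequireSignature      # set this when the scripts are supposed to be signed
)

New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null
$results = @()

foreach ($script in Get-ChildItem -Path $ScriptFolder -Filter *.ps1 | Sort-Object Name) {
    # Files extracted from a downloaded zip carry the "mark of the web" and are refused under
    # RemoteSigned; clearing it here makes that an explicit, logged decision rather than a surprise.
    Unblock-File -Path $script.FullName

    $sig = Get-AuthenticodeSignature -FilePath $script.FullName
    if ($RequireSignature -and $sig.Status -ne 'Valid') {
        Write-Warning "Skipping $($script.Name): signature status is $($sig.Status)"
        $results += [pscustomobject]@{ Script = $script.Name; ExitCode = $null; Signature = $sig.Status; Skipped = $true }
        continue
    }

    $log = Join-Path $LogFolder ($script.BaseName + '.log')
    # Child process: the execution policy applies to it alone; -NonInteractive stops a script that
    # prompts from hanging the whole run. Output is mirrored to the console and the log file.
    & powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $script.FullName 2>&1 |
        Tee-Object -FilePath $log
    $results += [pscustomobject]@{ Script = $script.Name; ExitCode = $LASTEXITCODE; Signature = $sig.Status; Skipped = $false }
}

$results | Format-Table -AutoSize
```

Run it as `.\run-all.ps1 -RequireSignature` when the support team signs their scripts; without the switch it still records each script's signature status in the summary so you can see what you just executed.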

Map a drive letter to SharePoint in a way that can survive a reboot.

If you've tried to map a network drive to SharePoint and found it didn't survive a reboot, here's a trick a fellow SharePoint person shared with me:

  \\domain@ssl\davwwwroot\subsite\library

In other words, if your site is https://www.mycompany.com/RootSite/Subsite/Library,
to get to that in windows, without opening a browser first, you’d go to \\www.mycompany.com@ssl\davwwwroot\RootSite\subsite\library

Update 6-2014 — renamed article to make it easier to find.

Also, please note that there is the "net use" command, which can map a drive from the command prompt.

For example:

net use z: \\sharepoint.yourcompany.com@ssl\davwwwroot\subsite\library /user:domain\user yourpassword  /Persistent:yes

(You can leave off the password and type it in when prompted; that way it isn't left in the console history or in any script you save the command in.)
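The URL-to-UNC conversion described above, written out as an added PowerShell example that is not part of the original post. It derives the \\host@SSL\DavWWWRoot\... path from the site URL (handling http, https and a non-default port, which the WebDAV redirector expects as @SSL@port), checks that the WebClient service the redirector depends on is running, and maps the drive while prompting for credentials instead of taking a password on the command line. The URL and drive letter are placeholders.

```powershell
# Added example (not from the original post).
function ConvertTo-SharePointUncPath {
    param([Parameter(Mandatory)][uri]$Url)
    $server = $Url.Host
    if ($Url.Scheme -eq 'https') {
        # @SSL tells the WebDAV redirector to use https; a non-default port goes after it as @SSL@port
        $server += '@SSL'
        if (-not $Url.IsDefaultPort) { $server += "@$($Url.Port)" }
    } elseif (-not $Url.IsDefaultPort) {
        $server += "@$($Url.Port)"
    }
    # /RootSite/Subsite/Library -> \RootSite\Subsite\Library (percent-encoding removed, trailing slash dropped)
    $sitePath = ([uri]::UnescapeDataString($Url.AbsolutePath)).TrimEnd('/') -replace '/', '\'
    return "\\$server\DavWWWRoot$sitePath"
}

function Mount-SharePointDrive {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter,
        [Parameter(Mandatory)][uri]$Url
    )
    if ((Get-Service -Name WebClient).Status -ne 'Running') {
        throw 'The WebClient service is not running; the \\server@SSL\DavWWWRoot form depends on it.'
    }
    $root = ConvertTo-SharePointUncPath -Url $Url
    # Prompt rather than accept a password parameter: nothing secret ends up in the command history.
    $cred = Get-Credential -Message "Credentials for $($Url.Host)"
    # -Persist creates a Windows mapped network drive (remembered by Windows, not just this session);
    # -Scope Global keeps it visible after the function returns.
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $root -Persist -Credential $cred -Scope Global
}

# Usage:
#   ConvertTo-SharePointUncPath 'https://www.mycompany.com/RootSite/Subsite/Library'
#   -> \\www.mycompany.com@SSL\DavWWWRoot\RootSite\Subsite\Library
#   Mount-SharePointDrive -DriveLetter Z -Url 'https://www.mycompany.com/RootSite/Subsite/Library'
```

If the mapping fails with a "network path not found" error even though the URL opens in a browser, the WebClient check above is the first thing to look at; on servers that service is installed with the Desktop Experience feature and is not running by default.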

Does your organization do SharePoint Training?

This is more of a twitter question, but with 140 characters, I can’t really explain what I am looking for…

This is not a call for trainers (sorry trainers!)

I’m looking for feedback from people who’ve seen organizations tackle training.

What did that organization do well?
What was received well from users?
Did the training help push the SharePoint platform forward?
Did it increase productivity?
Did it work with Executives?
What format was used?
Was there anything that did not work?

Moving the Managed Metadata service to a new SharePoint (2010) Farm

We’re rebuilding an environment at work so I moved the managed metadata service over.

Doing so should be fairly easy:

  • Find the name of the database behind your old MMS.
  • Copy / move that DB so it's available on the new farm's DB server.
  • Set permissions on the SQL server so the new farm's accounts can get to the DB.
  • Create a new Managed Metadata service application on the new farm; when you get to the point where you specify a database name, specify the name of your newly restored/moved DB.

That should be it – the system should use your existing metadata and you get to go to lunch on time.

Or do you?

I did this today after following some advice online only to be greeted with:

The Managed Metadata Service or Connection is currently not available. The Application Pool or Managed Metadata Web Service may not have been started. Please Contact your Administrator.
 
Hmm, what's going on here? I did a quick Google search and was told to look at the ULS logs, confirm permissions, etc.
However, for me the answer was much simpler; it was actually in the error message!
Creating a new managed metadata service application hadn't actually started the service on any node in my farm. I went to CA -> System Settings -> Services on Server and my Managed Metadata Web Service was in the "stopped" state. I started it and went back for another look at the MMS console.
Still no luck:
The Managed Metadata Service or Connection is currently not available. The Application Pool or Managed Metadata Web Service may not have been started. Please Contact your Administrator.
 
Now what? I remembered reading in the logs earlier a line that talked about the application load balancer not being able to find an endpoint for this app.
I know from experience that the internal load balancer in SharePoint updates via a timer job that only runs every so often (15 minutes is the default).
 
I went to CA -> Monitoring -> Timer Jobs -> Job Definitions and manually kicked off the "Application Addresses Refresh Job".
 
Then went back to look at the Managed Metadata Service and BINGO – It worked.
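The whole move scripted, as an added PowerShell example that is not from the original post. It creates the new Managed Metadata service application on top of the database copied from the old farm, then does the two things the post had to discover by hand: starting the service instance on the intended app servers and running the address-refresh timer job instead of waiting for it. Server names, database name, application pool and account are placeholders; the farm account needs db_owner on the copied database before this runs, and the script is meant to be run as a farm administrator on a server in the new farm.

```powershell
# Added example (not from the original post).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$dbServer       = 'sql-cluster.corp.example.com'      # placeholder
$dbName         = 'SP2010_ManagedMetadata'            # placeholder: the DB copied from the old farm
$appPoolName    = 'SharePoint Service Applications'   # placeholder
$appPoolAccount = 'CORP\svc_spservices'               # placeholder managed account
$mmsServers     = @('APP01', 'APP02')                 # placeholder: app servers that should host the service

# Re-use the service application pool if it already exists, otherwise create it.
$pool = Get-SPServiceApplicationPool -Identity $appPoolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-SPServiceApplicationPool -Name $appPoolName -Account (Get-SPManagedAccount $appPoolAccount)
}

# Point the new service application at the existing database (the same thing as typing its name in CA).
$mms = New-SPMetadataServiceApplication -Name 'Managed Metadata Service' -ApplicationPool $pool `
           -DatabaseServer $dbServer -DatabaseName $dbName
New-SPMetadataServiceApplicationProxy -Name 'Managed Metadata Service Proxy' `
    -ServiceApplication $mms -DefaultProxyGroup | Out-Null

# Step the post had to discover: creating the application does not start the service instance.
Get-SPServiceInstance |
    Where-Object { $_.TypeName -eq 'Managed Metadata Web Service' -and
                   ($mmsServers -contains $_.Server.Address) -and $_.Status -ne 'Online' } |
    ForEach-Object { Start-SPServiceInstance -Identity $_ | Out-Null }

# The in-farm load balancer only learns about the new endpoint when this timer job runs (default: every 15 min).
Get-SPTimerJob | Where-Object { $_.DisplayName -eq 'Application Addresses Refresh Job' } | Start-SPTimerJob

# Wait for the instances to report Online before declaring victory.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $pending = Get-SPServiceInstance |
        Where-Object { $_.TypeName -eq 'Managed Metadata Web Service' -and
                       ($mmsServers -contains $_.Server.Address) -and $_.Status -ne 'Online' }
} while ($pending -and (Get-Date) -lt $deadline)

if ($pending) {
    $names = ($pending | ForEach-Object { $_.Server.Address }) -join ', '
    Write-Warning "Managed Metadata Web Service still not Online on: $names"
}
```

Starting the service only on the servers listed in $mmsServers matters in a 2 App / 2 WFE farm: the unfiltered Start-SPServiceInstance would also light it up on the web front ends.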
 

Sharing service apps between farms.

See http://technet.microsoft.com/en-us/magazine/hh528474.aspx Section 8

Run this PowerShell on both farms and exchange the resulting .cer files (the file names below are for the consuming farm; name them PublishingFarm... when you run it on the publishing farm). The files contain public keys only:

$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content D:\Certs\ConsumingFarmRoot.cer -Encoding byte
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsCert.Export("Cert") | Set-Content D:\Certs\ConsumingFarmSTS.cer -Encoding byte

Then you can use Central Admin (Security -> Manage Trusts) to enter these in: the publishing farm needs the consuming farm's root and STS certificates, and the consuming farm needs the publishing farm's root certificate.

From the consuming farm, run Get-SPFarm | Select Id to get the ID of the consuming farm. Then, on the publishing farm, grant that farm ID access to the topology service so it can discover the published service applications:

$farmID = "<consuming farm ID from Get-SPFarm>"
$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue $farmID
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
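The trust half of the procedure done entirely in PowerShell, as an added example that is not part of the original post (the post uses Central Admin's Manage Trusts page for this). Export-FarmCerts is the post's export wrapped in a function that also returns the farm ID; Register-FarmTrust registers the other farm's certificates with New-SPTrustedRootAuthority and, on the publishing farm only, New-SPTrustedServiceTokenIssuer. Folder paths and trust names are placeholders.

```powershell
# Added example (not from the original post). Run on each farm as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Export-FarmCerts {
    param([Parameter(Mandatory)][string]$Folder, [Parameter(Mandatory)][string]$FarmLabel)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $root = (Get-SPCertificateAuthority).RootCertificate
    $sts  = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    # "Cert" exports the public certificate only (DER, no private key), so the files are safe to copy around.
    $root.Export('Cert') | Set-Content (Join-Path $Folder "$FarmLabel-Root.cer") -Encoding Byte
    $sts.Export('Cert')  | Set-Content (Join-Path $Folder "$FarmLabel-STS.cer")  -Encoding Byte
    # The farm ID is what the publishing farm grants topology-service rights to.
    return (Get-SPFarm).Id
}

function Register-FarmTrust {
    param(
        [Parameter(Mandatory)][string]$RootCerPath,
        [string]$StsCerPath,                    # only needed on the publishing farm
        [Parameter(Mandatory)][string]$TrustName
    )
    $rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCerPath
    # Each farm trusts the other farm's root certificate.
    New-SPTrustedRootAuthority -Name "$TrustName Root" -Certificate $rootCert | Out-Null
    if ($StsCerPath) {
        # The publishing farm must also trust the consuming farm's STS signing certificate,
        # because the consuming farm's tokens are signed with it.
        $stsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $StsCerPath
        New-SPTrustedServiceTokenIssuer -Name "$TrustName STS" -Certificate $stsCert | Out-Null
    }
}

# Usage, in order:
#   consuming farm:  $consumingId = Export-FarmCerts -Folder 'D:\Certs' -FarmLabel 'ConsumingFarm'
#   publishing farm: Export-FarmCerts -Folder 'D:\Certs' -FarmLabel 'PublishingFarm' | Out-Null
#   (copy the .cer files between the farms)
#   publishing farm: Register-FarmTrust -RootCerPath 'D:\Certs\ConsumingFarm-Root.cer' `
#                        -StsCerPath 'D:\Certs\ConsumingFarm-STS.cer' -TrustName 'ConsumingFarm'
#   consuming farm:  Register-FarmTrust -RootCerPath 'D:\Certs\PublishingFarm-Root.cer' -TrustName 'PublishingFarm'
```

After this the publishing farm still needs the topology-service grant shown above for $consumingId; the trust only lets the farms validate each other's signatures, it does not by itself expose any service application.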

SideNote: Pear Note

I’m using a nifty program called Pear Note.

Pear Note is a note taking program, with a twist.
You can import a video (for example, I am using it now with a recorded session from the SharePoint Conference)
While the video plays, you type in your notes.

The magic happens when you select any word in your notes and the video immediately jumps to the position in time that it was playing at when you took your notes.

I’ve used it before and it’s super handy for taking notes and then knowing exactly where you were in the video when you found it.

http://www.usefulfruit.com

Using MaintenanceWindows in SharePoint 2013

[Screenshot: SharePoint 2013 Maintenance Window banner]

At the SharePoint Conference this week, Session SP210 on upgrading to SP2013 mentioned a brand new feature that didn't exist in the preview edition: MaintenanceWindows.

As you can see from the screenshot above, this feature puts up a simple banner alerting users of the upcoming work.

The message is localized in the user's language so long as language packs are installed.

The “More Information” link can point to any page you specify.

I was pretty excited about this, and couldn’t wait to try it out!

The PowerShell to do this wasn’t as easy as I expected.

I’ve pasted below what worked for me.
 

 #1st get a content database
 Get-SPContentDatabase   #this will list them all
                         #copy and paste a database ID and use it to assign a specific DB to a variable
 $ContentDB = Get-SPContentDatabase -Identity "<ID goes here>"

 #now we're going to add a maintenance window to the SPContentDatabase with $ContentDB.MaintenanceWindows.Add()
 #before we can do that we need to create a MaintenanceWindow object and populate it.

 #Parameters, in order: "MaintenanceWarning" or "MaintenancePlanned", maintenance start, maintenance end, notification start, notification end, duration, URL for more info
 $MaintWindow = New-Object Microsoft.SharePoint.Administration.SPMaintenanceWindow "MaintenancePlanned", "1/1/2013", "1/2/2013", "11/16/2012", "1/3/2013", "1:00:00", "http://www.mydomain.com/outageinfo.html"
    #Parameter List for above:
      #1: MaintenanceWarning or MaintenancePlanned
      #2: Maintenance Start Date
      #3: Maintenance End Date
      #4: Notification Start Date
      #5: Notification End Date
      #6: Duration, a TimeSpan in the format d:hh:mm:ss - "1:00:00" = 1 hour, "1:00:00:00" = 1 day
      #7: URL for more info
      # Parameters 2-5 all take a date/time in this format: "1/20/2012" or "1/20/2012 5:00:00 PM"

  #Now we can see the properties of the MaintenanceWindow by just typing $MaintWindow and hitting enter:
  $MaintWindow

  #for me this looked like this:
  # MaintenanceStartDate        : 1/1/2013 6:00:00 AM
  # MaintenanceEndDate          : 1/2/2013 6:00:00 AM
  # Duration                    : 01:00:00
  # NotificationStartDate       : 11/16/2012 6:00:00 AM
  # NotificationEndDate         : 1/3/2013 6:00:00 AM
  # MaintenanceType             : MaintenancePlanned
  # MaintenanceLink             : http://www.mydomain.com/outageinfo.html
  # UpgradedPersistedProperties :

  #ok with that out of the way, we just need to add it to the content database and save the change
  $ContentDB.MaintenanceWindows.Add($MaintWindow)
  $ContentDB.Update()

Ok so that’s it – refresh your website and you should see the pink banner on the screenshot above!

Note, I originally tried to do this by just setting up a blank object without parameters and then setting the properties one by one, but I found that MaintenanceStartDate and NotificationStartDate could not be changed after the object was created.
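The same procedure wrapped up for a whole web application, as an added PowerShell example that is not from the original post. Since the start dates cannot be changed after construction, the helper builds the SPMaintenanceWindow in one go from a start time and a duration (notification window derived from those), applies it to every content database behind a web application, and provides the clean-up the post doesn't cover: removing the windows again once the work is done. The web application URL, info URL and dates are placeholders; it assumes MaintenanceWindows behaves as a list (Add and Clear), which matches the Add call the post uses.

```powershell
# Added example (not from the original post). Run in the SharePoint 2013 Management Shell as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-MaintenanceWindow {
    param(
        [ValidateSet('MaintenanceWarning', 'MaintenancePlanned')][string]$Type = 'MaintenancePlanned',
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][timespan]$Duration,
        [Parameter(Mandatory)][string]$InfoUrl,
        [int]$NotifyDaysBefore = 7
    )
    $end = $Start.Add($Duration)
    # Constructor argument order as the post documents it:
    # type, maintenance start, maintenance end, notification start, notification end, duration, link.
    # The notification keeps showing for an hour past the end so users see it until the work is really over.
    New-Object Microsoft.SharePoint.Administration.SPMaintenanceWindow -ArgumentList @(
        $Type, $Start, $end, $Start.AddDays(-$NotifyDaysBefore), $end.AddHours(1), $Duration, $InfoUrl)
}

function Set-WebAppMaintenanceWindow {
    param([Parameter(Mandatory)][string]$WebAppUrl, [Parameter(Mandatory)]$Window)
    # One banner per content database: every site collection in the web app gets it.
    foreach ($db in Get-SPContentDatabase -WebApplication $WebAppUrl) {
        $db.MaintenanceWindows.Add($Window)
        $db.Update()
        Write-Host "Maintenance window added to $($db.Name)"
    }
}

function Clear-WebAppMaintenanceWindows {
    param([Parameter(Mandatory)][string]$WebAppUrl)
    # Remove every window; without this the banner keeps showing until NotificationEndDate passes.
    foreach ($db in Get-SPContentDatabase -WebApplication $WebAppUrl) {
        $db.MaintenanceWindows.Clear()
        $db.Update()
        Write-Host "Maintenance windows cleared from $($db.Name)"
    }
}

# Usage (placeholders):
$window = New-MaintenanceWindow -Start (Get-Date '2013-01-01 22:00') -Duration (New-TimeSpan -Hours 2) `
              -InfoUrl 'https://intranet.example.com/outageinfo.html'
Set-WebAppMaintenanceWindow -WebAppUrl 'https://portal.example.com' -Window $window
# ... after the work:
# Clear-WebAppMaintenanceWindows -WebAppUrl 'https://portal.example.com'
```

Keep the "More Information" link on an https page you control: it is rendered to every user of the site, so it is not a place for an arbitrary external URL.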

– Jack