Managed Accounts vs unmanaged accounts in SharePoint 2010

04/10/2010

A Managed Account is effectively an Active Directory user account whose credentials are managed by and contained within SharePoint. This is what enables farm administrators to join machines to the farm without specifying the credentials, as had to be done in previous versions of the product: http://blogs.technet.com/b/wbaer/archive/2010/04/11/managed-accounts.aspx

Attention: some SharePoint 2010 services will break, because they are configured by default with managed accounts (Search, User Profile Synchronization). Unfortunately, the SharePoint 2010 default behaviour mixes managed accounts (Search Service application) with unmanaged accounts (the default crawler account).
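An added example (my own script, not from the original post or from Microsoft) that lists the farm's managed accounts and then flags every application pool identity that is not backed by one, which is the mix the warning above describes. It assumes the SharePoint 2010 Management Shell snap-in (Microsoft.SharePoint.PowerShell) and farm administrator rights:

```powershell
# Added example: audit managed vs. unmanaged process accounts in a SharePoint 2010 farm.
# Assumes the Microsoft.SharePoint.PowerShell snap-in and farm administrator rights.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# 1. Managed accounts: credentials stored by SharePoint; AutomaticChange shows whether
#    SharePoint rotates the password itself (PasswordExpiration tells you when).
$managed = Get-SPManagedAccount
$managed | Select-Object UserName, AutomaticChange, PasswordExpiration | Format-Table -AutoSize

# 2. Collect every process identity the farm actually runs under
$identities = @()
foreach ($pool in Get-SPServiceApplicationPool) {
    $identities += New-Object PSObject -Property @{
        Type = 'ServiceAppPool'; Name = $pool.Name; Account = $pool.ProcessAccountName }
}
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    $identities += New-Object PSObject -Property @{
        Type = 'WebAppPool'; Name = $wa.DisplayName; Account = $wa.ApplicationPool.Username }
}

# 3. Flag anything not backed by a managed account: these are the identities whose
#    password SharePoint cannot rotate and that will break if changed elsewhere
$managedNames = $managed | ForEach-Object { $_.UserName.ToLowerInvariant() }
$identities | ForEach-Object {
    New-Object PSObject -Property @{
        Type = $_.Type; Name = $_.Name; Account = $_.Account
        Managed = ($managedNames -contains $_.Account.ToLowerInvariant()) }
} | Sort-Object Managed, Type | Format-Table Type, Name, Account, Managed -AutoSize
```

Rows with Managed = False are the ones to convert with New-SPManagedAccount before you let SharePoint change any passwords.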

Architecting and Managing Virtualized SharePoint 2010 Farms (MIT09) – my notes

30/09/2010

SharePoint Connections 2010, Den Haag, 29 September 2010

Session: Architecting and Managing Virtualized SharePoint 2010 Farms (MIT09)

Speaker: MICHAEL NOEL (http://www.cco.com )

  • Dynamically expandable disks penalize performance, so for PROD try to define the disk size up front
  • Recommendations for database roles
    • If possible, try not to virtualize the database servers
    • Mirroring and clustering are now supported in virtualization (KB 956893)
    • Use best practices for tempDB (put it on fast disk, resize it – there is guidance on how to configure tempDB for SharePoint)
  • Sample specifications presented for various farm types (check slides)
    • Cost-effective farm would be 1 host with 2 quad-core CPUs supporting:
      • 1 VM (10Gb, 4 proc) for SQL
      • 1 VM (10GB, 4 proc) for web applications
    • Highly available farm with only two server hosts
    • Best practice virtual/physical with high availability
      • High-transaction servers are physical (DB). Multiple farm support with DBs for all farms on the SQL cluster
      • 2 quad-core server hosts, each supporting:
        • 4 vm: 2 vm for web applications for PROD environment, 1 vm for web applications for TEST environment & 1 vm for web applications for DEV environment
        • VMs are load balanced for PROD, TEST and DEV environments
    • Large virtual Farms:
      • 3 server hosts quad core supporting each:
        • 1 vm for DB
        • 1 vm for web applications
        • 1 vm for search server
        • 1 vm for central admin
        • 1 vm for service applications
    • NUMA (non-uniform memory access) memory limitations and guidelines
      • It exists at the hardware level
      • You can end up with swapping if you allocate more memory to sessions than the NUMA boundary -> instead of increasing performance you end up decreasing it
      • Don’t get cheap on memory if you bought a server with many CPUs
    • Monitoring:
      • Configure counters and thresholds on hosts & on guests. Very interesting slide (check photo)
        • Monitoring the processor on guests is useless… you have to measure this on the host
        • Memory… over 50% free is good
    • Support from Microsoft is conditional on:
      • The hardware used for virtualization (Intel VT or AMD-V)
      • Hardware-enforced Data Execution Prevention (DEP) is available and enabled
      • Deployed on Microsoft Hyper-V (RTM or R2) or on a validated third-party hypervisor (SVVP program –> ok for VMware ESX/ESXi)
    • Tooling: System Center Virtual Machine Manager (VMM 2008 R2)
      • SCOM 2007 is aware of SharePoint features
      • Quick provisioning: allows creation of SharePoint template servers which can be quickly provisioned on TEST or DEV environments
    • Licensing:
      • Very important to know that the licensing rules for virtual guests apply to all SVVP program vendors: e.g. you can run VMware ESX/ESXi on a 1-processor host and have only one Windows Datacenter license for all guests (the Windows Datacenter license is per host processor: 4 processors on the host = 4 Windows Datacenter licenses; it might nevertheless be more interesting to use the Windows Enterprise virtual licensing facilities)

Windows PowerShell Crash Course for SharePoint Administrators (MIT07) – my notes

30/09/2010

SharePoint Connections 2010, Den Haag, 28 September 2010

Session: Windows PowerShell Crash Course for SharePoint Administrators  (MIT07)

Speaker: DON JONES (http://concentratedtech.com/)

  • Most of the well-known DOS and UNIX commands work in PowerShell (PS), including the good old TAB completion of partially typed commands
  • PowerShell drives: all forms of storage are adapted into a PowerShell drive (get-psdrive)
  • Extending the commands available in PowerShell by default (400 commands out of the box): PSSnapin (old way) vs. Modules (new way)
  • IMPORTANT: there is only one PowerShell environment. Modules and snap-ins are not different PowerShell environments, just predefined command-set extensions.
  • Almost every Microsoft product will come with its own predefined PowerShell module (or snap-in) (e.g. even Active Directory has its own PS module)
  • PSSnapin adds snap-ins to PS so you can use the commands of a particular environment (e.g. a PowerShell snap-in for SQL Server lets you type SQL commands in PowerShell)
  • PS is built around the idea of piping, like DIR | more
  • Each time a command is run, an invisible table is generated in memory. Using an XML configuration file, PS knows how to choose what to show on the screen (obviously not all the information would fit on the screen and a choice has to be made)
  • ALL PS commands start with a verb: get, set, new, move, remove (-service, -process, -command, etc.)
  • For SharePoint, PS command nouns start with ‘SP’. For SQL, they start with ‘SQL’; the exception is Exchange, as it was the first product out on PS… well done Exchange guys 🙂
  • HELP on PowerShell
    • ‘-full’ provides full help including usage examples for all commands.
    • ‘help *event*’ lists all PowerShell commands or help files containing ‘event’
    • If there is a space in a parameter value you can use either ‘ or “ to enclose the value. Both work.
    • The ‘-whatif’ parameter simulates the command and shows you the result without actually doing it
    • The ‘-confirm’ parameter asks you for confirmation for each action needed for the command to complete
    • Unlike in UNIX, the PowerShell user does not have to process the output text of the command. Instead you can ‘tell’ PowerShell how and what you want it to look like (e.g. sorting on a column: you only have to know the name of the column and PS will display the results sorted on that column)
    • Pipeline input parameters (fastest way to make things happen): get-service -name bits | stop-service (this returns the service, which is fed as the parameter of the stop-service command)
      • Another example: import-csv ./users.csv | new-user (given the CSV has column names matching the command’s parameter names)
  • Remote control
    • Requires PSH v2
    • ‘enter-pssession -computername server-r2’ will get us onto the remote server-r2 (given we have access); ‘exit-pssession’ to get out of it
    • You can import a remote set of commands not available in the local session (what happens is not a real import of the commands but rather a shortcut to them: when such an ‘imported’ command is used it actually runs on the remote computer)
    • 1:1 or 1:N remoting:
      • Enter-PSSession -ComputerName X
      • Exit-PSSession
      • Invoke-Command -ScriptBlock {commands}
      • For SharePoint make sure you have granted shell administrator rights!
  • Tooling & resources:
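As an added example (my own, not the speaker's material), the three ideas from the notes above in one script: pipeline binding by property name from a CSV, -WhatIf/-Confirm support through ShouldProcess, and a 1:N remote check with Invoke-Command. It assumes the SharePoint 2010 snap-in, a hypothetical sites.csv with columns Url, OwnerAlias and Name, a hypothetical server named server-r2, and that the running user has been granted shell administrator rights (Add-SPShellAdmin) on the farm:

```powershell
# Added example: a pipeline-aware wrapper around New-SPSite that honours -WhatIf and -Confirm.
# Assumes the Microsoft.SharePoint.PowerShell snap-in and shell administrator rights on the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-FarmSite {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # ValueFromPipelineByPropertyName: a CSV column named Url feeds this parameter, as with import-csv | new-user
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] [string]$Url,
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] [string]$OwnerAlias,
        [Parameter(ValueFromPipelineByPropertyName = $true)] [string]$Name = 'Team Site',
        [string]$Template = 'STS#0'   # Team Site template
    )
    process {
        # ShouldProcess is what makes -WhatIf print the action and -Confirm prompt before each row
        if ($PSCmdlet.ShouldProcess($Url, "Create site collection owned by $OwnerAlias")) {
            New-SPSite -Url $Url -OwnerAlias $OwnerAlias -Name $Name -Template $Template
        }
    }
}

# Dry run: every CSV row is bound by property name, nothing is created yet (hypothetical file sites.csv)
Import-Csv .\sites.csv | New-FarmSite -WhatIf

# Real run, prompting once per site because ConfirmImpact is High
# Import-Csv .\sites.csv | New-FarmSite

# 1:N remoting: verify the result on the farm server itself (hypothetical name server-r2).
# The script block runs remotely, so the snap-in has to be loaded inside it.
Invoke-Command -ComputerName server-r2 -ScriptBlock {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    Get-SPSite -Limit All | Select-Object Url, Owner
}
```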

Cleaning up SharePoint My Sites – Users deleted or disabled in Active Directory

28/07/2010

Recently my managers received notifications about the My Site of people who left the organization. The notifications are standard and cannot be changed:

Subject: The My Site of LASTNAME Firstname is scheduled for deletion

The My Site of LASTNAME Firstname is scheduled for deletion. As their manager you are now the temporary owner of their site. This temporary ownership gives you access to the site to copy any business-related information you might need. To access the site use this URL: http://portalMySiteURL/personal/<username>

Explanation: when a user is deleted or disabled in Active Directory, SharePoint automatically notifies their manager (provided they have one in the AD; fortunately we had planned this configuration from the start). The manager can recover the content they want and possibly delete the site (the manager automatically becomes site collection secondary owner). This mechanism therefore ensures that the information stored on the My Site is not lost when a user leaves our organization.

The problem:

If the user is deleted in the AD, the home page of their My Site actually becomes inaccessible. The site itself, however, continues to exist. (The home page becomes inaccessible because it displays metadata from the user profile, a profile that no longer exists in SharePoint once the user profile crawl has run after the user's deletion in the AD.) So when the manager clicks on the link in the notification email they get an error of the type "User not found". To access the lists of the My Site and any sub-sites, you need to know and type the exact URL (View All Site Content): http://portalMySiteURL/personal/<username>/_layouts/viewlsts.aspx. This requires very specific knowledge that managers do not have, and on top of that the site will still only be deleted by a manual operation on the part of the manager or of the Infra department.

Possible solutions in the real life of an organization:

Alternative 1: tick the option Confirmation and Automatic deletion settings for the My Site web application in Central Admin. Enabling this option has the big disadvantage that all users immediately receive a message asking them to confirm that they use their site!! Then, when a user is deleted in the AD, since the user no longer exists they cannot receive the email, so the system will automatically delete their My Site, but then all the (possibly important) data is removed and the manager is informed too late.

Alternative 2 (which I suggest, but to be checked with the Infra department): instead of deleting the user, only disable them in the AD for X days. Following this operation, the manager receives the automatic email, can access the site as secondary site owner and can then decide what to do with it. X days later, delete the user in the AD and delete the My Site at the same time.

Alternative 3: change nothing compared to now, but schedule a check X times a year on the Infra department side for the clean-up of My Sites, or write an automatic script to run every X days.
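An added example (my own script, not from the post) of the report such a periodic check could produce: it walks the personal sites under the My Site host and flags those whose owner is disabled in, or missing from, Active Directory. It only reports and deletes nothing, so the manager or Infra still takes the decision. It assumes SharePoint 2010 (Get-SPSite), the ActiveDirectory RSAT module, and the placeholder host URL http://portalMySiteURL from the post:

```powershell
# Added example: report My Sites whose owner is no longer an enabled AD account. Read-only.
# Assumes the SharePoint 2010 snap-in, the ActiveDirectory module and the post's placeholder host URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$mySiteHost = 'http://portalMySiteURL'   # placeholder from the post
$report = @()

# -Limit All: without it Get-SPSite stops after the first 20 site collections
foreach ($site in Get-SPSite -WebApplication $mySiteHost -Limit All) {
    if ($site.Url -notlike "$mySiteHost/personal/*") { $site.Dispose(); continue }

    # Owner login looks like DOMAIN\jdoe, or i:0#.w|DOMAIN\jdoe with claims; keep only the sAMAccountName
    $login = $site.Owner.LoginName
    $sam = ($login -replace '^.*\|', '') -replace '^.*\\', ''

    $status = 'Enabled'
    try {
        $user = Get-ADUser -Identity $sam -Properties Enabled -ErrorAction Stop
        if (-not $user.Enabled) { $status = 'Disabled' }       # Alternative 2: manager has been notified
    } catch {
        $status = 'Not found in AD'   # deleted user: the home page now fails with "User not found"
    }

    $report += New-Object PSObject -Property @{
        Url = $site.Url; Owner = $login; Status = $status
        LastModified = $site.LastContentModifiedDate
    }
    $site.Dispose()
}

# Only the sites that still need a decision from the manager or Infra
$report | Where-Object { $_.Status -ne 'Enabled' } |
    Sort-Object Status, LastModified | Format-Table Url, Owner, Status, LastModified -AutoSize
```

Run it from a scheduled task every X days and hand the list to Infra; the LastModified column shows whether anyone has touched the site since the owner left.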

These two articles describe all the possible scenarios perfectly:

http://philwicklund.com/whitepapers/Documents/My%20Site%20Concerning%20Scenarios%20Study%20and%20Strategy.pdf

http://blogs.technet.com/b/seanearp/archive/2009/03/04/sharepoint-profile-cleanup.aspx


Configuring crawl on a SBS 2008 – Default Content Access error

03/04/2010

I installed Microsoft Office SharePoint Server 2007 (MOSS) on a Small Business Server 2008. I configured the SSP and the search, but the crawling did not start. Each time I started a Full Crawl, it ended with the following error in the crawl log:

Access is denied. Verify that either the Default Content Access Account has access to this repository, or add a crawl rule to crawl this repository. If the repository being crawled is a SharePoint repository, verify that the account you are using has “Full Read” permissions on the SharePoint Web Application being crawled. (The item was deleted because it was either not found or the crawler was denied access to it.)

At the same time, the problem was that I could not browse to my SharePoint portal from within IE on my server, but I could do so without any problems from any other computer or from the Internet. This behaviour started immediately after modifying the default Alternate Access Mapping for my default web application: instead of the name of the server (e.g. http://companyweb) I had put the Internet address (e.g. http://www.mycompany.com). (As a detail, I had also mapped my Internet address to 127.0.0.1 in the local hosts file.)

After some research I found that this error occurs when you use the fully qualified domain name (FQDN) or a custom host header to browse a local web site hosted on the same computer. It seems that this security protection has been in place since IIS 5.1. So if I cannot browse to my own portal from the server, neither can the search service (running as the same admin user).

Cause and resolution are fully described here: http://support.microsoft.com/kb/896861

Method 1: Disable the loopback check

Follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.

This worked fine for me, but be aware that the Microsoft article proposes an alternative solution: Method 2: Specify host names.
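The host-name method is the narrower of the two: instead of switching the loopback check off for every name, it whitelists only the names the server needs to reach itself by. As an added example (my own script, not from the post or the KB), this applies it from an elevated PowerShell on the SharePoint server and reports whether the broader DisableLoopbackCheck=1 workaround from the steps above is also still set; www.mycompany.com and companyweb are the post's sample names:

```powershell
# Added example: the "specify host names" alternative to DisableLoopbackCheck, applied idempotently.
# Assumes an elevated PowerShell on the SharePoint server. Host names are the post's sample names.
function Add-BackConnectionHostName {
    param([Parameter(Mandatory = $true)] [string[]]$HostName)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

    # Read the current REG_MULTI_SZ list, if any, so re-running does not lose or duplicate entries
    $existing = @()
    $item = Get-ItemProperty -Path $key -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    if ($item) { $existing = @($item.BackConnectionHostNames) }

    $merged = @($existing)
    foreach ($h in $HostName) {
        if (-not ($merged -contains $h)) { $merged += $h }   # -contains is case-insensitive
    }
    # BackConnectionHostNames is documented in KB 896861 as a multi-string value
    Set-ItemProperty -Path $key -Name BackConnectionHostNames -Value $merged -Type MultiString
    return $merged
}

function Test-LoopbackCheckDisabled {
    # $true when the broader DisableLoopbackCheck=1 workaround (the registry steps above) is in place
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    return ($lsa -ne $null -and $lsa.DisableLoopbackCheck -eq 1)
}

Add-BackConnectionHostName -HostName 'www.mycompany.com', 'companyweb'
if (Test-LoopbackCheckDisabled) {
    Write-Warning 'DisableLoopbackCheck=1 is also set; once the host names are listed it can be removed.'
}
# Restart IIS (iisreset) or reboot for the change to take effect.
```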

The solutions are there, but nevertheless I cannot stop myself from saying that these solutions make the SharePoint server just a bit less secure, at least in the eyes of a security audit trail.

This blog post definitely helped me find the right solution: http://svengillis.blogspot.com/2008/10/access-denied-when-crawling-moss.html