spca2013 - sharepoint insanity demystified


Upload: nccomms

Post on 09-May-2015


DESCRIPTION

SharePoint Insanity Demystified

TRANSCRIPT

Page 1: SPCA2013 - SharePoint Insanity Demystified
Page 2: SPCA2013 - SharePoint Insanity Demystified

SharePoint Insanity Demystified
Dan Holme
Microsoft Technologies Analyst & Evangelist
MVP, SharePoint Server

danholme http://tiny.cc/[email protected]

Page 3: SPCA2013 - SharePoint Insanity Demystified

Dan Holme
Consultant
INTELLIEM
Author
MAUI, HAWAII
AvePoint

danholme http://tiny.cc/[email protected]

Page 4: SPCA2013 - SharePoint Insanity Demystified

Service Accounts

Page 5: SPCA2013 - SharePoint Insanity Demystified

Directory Services Prerequisites
Resources:
- Initial deployment administrative and service accounts in SharePoint 2013
  http://technet.microsoft.com/en-us/library/ee662513.aspx
- Account permissions and security settings in SharePoint 2013
  http://technet.microsoft.com/en-us/library/cc678863.aspx

Page 6: SPCA2013 - SharePoint Insanity Demystified

Service Accounts
- SQL Server service: SQL_Service, *
- SQL administrator: SQL_Admin
- SharePoint Administrator and Setup User: SP_Admin
- SharePoint Farm Service: SP_Farm
- Application pool accounts
  - User-facing web application app pool: SP_WebApps, SP_MySiteApp, *
  - Service application app pool: SP_ServiceApps, *
- Default content access (crawl) account: SP_Crawl, *
- User Profile Synchronization account: SP_UserSync
- Object cache accounts: SP_CacheSR, SP_CacheSU

Page 7: SPCA2013 - SharePoint Insanity Demystified

SQL_Service, SQL_Admin, *
- SQL Database Engine service account: SQL_Service
- SQL service ownership account: SQL_Admin
- SQL Agent service account: SQL_Agent
Resources:
- Security Considerations for a SQL Server Installation
  http://technet.microsoft.com/en-us/library/ms144228.aspx
- SQL Server 2012 Security Best Practice Whitepaper
  http://download.microsoft.com/download/8/F/A/8FABACD7-803E-40FC-ADF8-355E7D218F4C/SQL_Server_2012_Security_Best_Practice_Whitepaper_Apr2012.docx

Page 8: SPCA2013 - SharePoint Insanity Demystified

SP_Admin
SharePoint Administrator and Setup User
- Used by a service admin to perform bit-level changes
  - Install SharePoint prerequisites
  - Install SharePoint products
  - Configure SharePoint (SharePoint Products Configuration Wizard)
  - Update, patch, add/remove servers, etc.
- Unique, “generic” SharePoint administrative account
  - Not your “normal” user or admin account
  - Represents enterprise service administration
  - Can be locked down (password, disabled) after installation, until needed
- Delegate service to administrators
  - After setup, add your admin user accounts to Farm Administrators

Page 9: SPCA2013 - SharePoint Insanity Demystified

SP_Admin
- Domain user account
- Administrator: add to the local Administrators group of each SharePoint server in the farm
- SQL privileges
  - Create a SQL Server login for the SP_Admin account, e.g. CONTOSO\SP_Admin
  - Assign the securityadmin and dbcreator server roles to the login
- PowerShell privileges
  - Assign the SharePoint_Shell_Access database role for any database against which Windows PowerShell will be used (Add-SPShellAdmin)
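The three SP_Admin grants above (local Administrators, the two SQL server roles, and SharePoint_Shell_Access) as one script. This is an added example, not code from the deck; it assumes the account CONTOSO\SP_Admin, a SQL instance reachable as SQLSPCONTENT, the SqlServer module (Invoke-Sqlcmd) and the SharePoint snap-in. The point of the role list is that securityadmin plus dbcreator is enough for setup without handing the account sysadmin, and the verification queries at the end show exactly what was granted.

```powershell
# Added example (not from the deck): grant the three SP_Admin privileges the
# slide lists on one SharePoint server and one SQL instance.
# Assumptions: CONTOSO\SP_Admin, SQL instance SQLSPCONTENT, SqlServer module
# (Invoke-Sqlcmd) and the SharePoint snap-in are installed on this server.
param(
    [string]$Account     = 'CONTOSO\SP_Admin',
    [string]$SqlInstance = 'SQLSPCONTENT'
)

# 1. Local Administrators on this SharePoint server.
#    Add-LocalGroupMember needs PowerShell 5.1; older hosts use
#    'net localgroup Administrators $Account /add'.
$already = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -eq $Account }
if (-not $already) {
    Add-LocalGroupMember -Group 'Administrators' -Member $Account
}

# 2. SQL login with only the two server roles the slide names
#    (securityadmin + dbcreator, deliberately not sysadmin).
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;
ALTER SERVER ROLE [securityadmin] ADD MEMBER [$Account];
ALTER SERVER ROLE [dbcreator]     ADD MEMBER [$Account];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $tsql

# 3. SharePoint_Shell_Access on every content database (run once the farm
#    exists). Without -database, Add-SPShellAdmin covers only the config DB.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Get-SPContentDatabase | ForEach-Object {
    Add-SPShellAdmin -UserName $Account -database $_
}

# Verify: which server roles the login actually holds, and the shell admins.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
SELECT r.name AS role_name
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$Account';
"@
Get-SPShellAdmin
```

Run it once per SharePoint server for step 1 and once against each SQL instance for step 2; step 3 only needs to run once because the role is written into the databases themselves.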

Page 10: SPCA2013 - SharePoint Insanity Demystified

SP_Farm
SharePoint Farm Service
- Used for highly privileged SharePoint services
  - Central Administration application pool
  - STS & Topology service application pool
  - Windows services including Timer, Workflow Timer
  - SharePoint services including User Profile Synchronization
- Domain user account
- SharePoint assigns permissions automatically

Page 11: SPCA2013 - SharePoint Insanity Demystified

SP_Farm
Extra privileges: UPS
Before provisioning User Profile Synchronization Service:
1. Add SP_Farm to the local Administrators group of the server running UPS
2. Reboot
3. Provision User Profile Synchronization
4. After UPS has started, remove SP_Farm from the Administrators group
5. Reboot
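Step 4 is the one that gets forgotten, and a farm account left in local Administrators is a standing privilege escalation path. The following added check (not part of the deck) walks every SharePoint server in the farm and reports whether SP_Farm is still a local administrator. It assumes the account CONTOSO\SP_Farm, WinRM enabled on the servers, and PowerShell 5.1 on the targets for Get-LocalGroupMember.

```powershell
# Added example (not from the deck): after the UPS provisioning steps, confirm
# that SP_Farm really was removed from local Administrators on every server.
# Assumptions: account CONTOSO\SP_Farm, WinRM enabled, PowerShell 5.1 on targets.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-ServiceAccountNotLocalAdmin {
    param(
        [string[]]$ComputerName,
        [string[]]$Account = @('CONTOSO\SP_Farm')
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$Account) -ScriptBlock {
        param([string[]]$Account)
        $members = Get-LocalGroupMember -Group 'Administrators' |
                   Select-Object -ExpandProperty Name
        foreach ($a in $Account) {
            [pscustomobject]@{
                Server       = $env:COMPUTERNAME
                Account      = $a
                IsLocalAdmin = ($members -contains $a)
            }
        }
    } | Select-Object Server, Account, IsLocalAdmin
}

# SharePoint servers only: SQL servers appear in the farm topology with Role 'Invalid'.
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } |
           Select-Object -ExpandProperty Address
$report  = Test-ServiceAccountNotLocalAdmin -ComputerName $servers
$report | Format-Table -AutoSize

# Anything still elevated is a finding: the elevation was meant to be temporary.
$report | Where-Object IsLocalAdmin | ForEach-Object {
    Write-Warning "$($_.Account) is still in local Administrators on $($_.Server)"
}
```

The same function takes any list of accounts, so it can also confirm that SP_Admin was removed from servers where it was only needed for setup.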

Page 12: SPCA2013 - SharePoint Insanity Demystified

Application Pool Accounts - Whiteboard
(Whiteboard diagram; only the labels are recoverable)
- Groups and roles on the board: WSS_WPG group, SP_DATA_ACCESS role, WSS_CONTENT_APPLICATION_POOLS role
- SharePoint Web Apps (Intranet, Collab): application pool identity SP_WebApps; content databases SharePoint_Content_Intranet and SharePoint_Content_Collab
- SharePoint Extranet Apps (Extranet): application pool identity SP_ExtranetApps; content database SharePoint_Content_Extranet

Page 13: SPCA2013 - SharePoint Insanity Demystified

SP_ServiceApps, SP_WebApps
Web and service application pool accounts
- Keeping it simple for this discussion… two accounts
- Domain user accounts
  - Register as managed accounts in the SharePoint farm
  - Assigned as the application pool identity
- First web application app pool: SP_WebApps
  - Additional web applications are added to the same, shared pool
- First service application app pool: SP_ServiceApps
  - Additional service applications are added to the same, shared pool
- Permissions required depend on the web app or service application
  - Generally assigned automatically by SharePoint

Page 14: SPCA2013 - SharePoint Insanity Demystified

SP_MySiteApp, *
My Site web application
- Often isolated in its own application pool to address security concerns
  - Each user is the site collection administrator of his/her My Site
  - Determine security risk: perception vs. reality?
- SP_MySiteApp: an account for each application pool, to isolate access

Page 15: SPCA2013 - SharePoint Insanity Demystified

SP_Crawl, *
SharePoint Search default content access account
- Crawler account used when no specific crawl account is specified
- Domain user account
- Requires read permission to indexed content sources
- Automatically given Read permission to all SharePoint content
  - Web application READ user policy applied to each new web app
  - Configure SP_Crawl before creating web apps, or manually grant it the Read user policy
- Assign Read permission to all other indexed content sources
  - Do not give the account the ability to modify any content
- Create additional content access accounts for security isolation or access to disparate systems

Page 16: SPCA2013 - SharePoint Insanity Demystified

SP_UserSync
SharePoint User Profile Synchronization
- Synchronizes user profile data between Active Directory and SharePoint
- Domain user account
- Requires the Replicating Directory Changes permission on the domain
  - If a Windows Server 2003 domain: add the account to the Pre-Windows 2000 Compatible Access group
- This is not a “big deal”!
  - This permission is really “Detect changes to Domain NC”
  - Does not give access to “secrets” (e.g. passwords)
  - An educated Active Directory team should not have an issue with this
- See TechNet user profile synchronization documentation for steps and details

Page 17: SPCA2013 - SharePoint Insanity Demystified

SP_CacheSR, SP_CacheSU
Object cache accounts
- Super User
- Super Reader
- See http://technet.microsoft.com/en-us/library/ff758656.aspx
- Note: this is not the same as BLOB cache or remote BLOB store. This has to do with versions & drafts

Page 18: SPCA2013 - SharePoint Insanity Demystified

Other accounts
- Office Web Apps (2013)
- Secure Store

Page 19: SPCA2013 - SharePoint Insanity Demystified

Automation Account
SharePoint Automation: SP_Automation
Rights required to perform automated tasks:
- PowerShell (Add-SPShellAdmin)
- Local Administrators group
- Farm Administrators group
- Site Collection Administrator (of each site collection)
- User right to log on as a batch service

Page 20: SPCA2013 - SharePoint Insanity Demystified

Über Admin Account
SharePoint Enterprise Administrator: SP_EnterpriseAdmin
- Least privilege not always possible
  - Delegate to administrators the privilege to use PowerShell
  - Patch/update
  - Upgrade
- SQL Administrator or db_owner of all SharePoint databases
- Local Administrators group of all SharePoint servers
- Farm Administrators group
- Disabled until needed

Page 21: SPCA2013 - SharePoint Insanity Demystified

Accounts for Multiple Farms
- Each farm… dev, test, QA, production
- … needs its own “set” of accounts
- Consider multiple farms in your naming convention
  - SP_Farm (Production)
  - SP_Farm_Dev
  - SP_Farm_Test
- Note: Managed service accounts DOMAIN\username limit is 20 characters!
- Why?
  - Least privilege
  - Monitoring & auditing
  - Automatic password management

Page 22: SPCA2013 - SharePoint Insanity Demystified

Resources
- Account permissions and security settings in SharePoint 2013
  http://technet.microsoft.com/en-us/library/cc678863.aspx
- Configure object cache user accounts in SharePoint Server 2013
  http://technet.microsoft.com/en-us/library/ff758656.aspx

Page 23: SPCA2013 - SharePoint Insanity Demystified

Automate Creation of Service Accounts

    # $filename (CSV of accounts), $ou (target OU) and $password are set before this pipeline (not shown on the slide)
    Import-Csv $filename |
        New-ADUser -Path $ou -PassThru |
        Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $password -Force) -PassThru |
        Enable-ADAccount
    Write-Host "Complete"
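The slide's pipeline gives every account the same $password. The added script below (not from the deck) keeps the same Import-Csv to New-ADUser shape but generates a distinct random password per account from the system RNG, enforces the 20-character sAMAccountName limit mentioned on the "Accounts for Multiple Farms" slide before New-ADUser runs, and leaves the account able to change its own password, which the managed-account mechanism later relies on. The CSV is constructed sample input and the OU is a placeholder.

```powershell
# Added example (not from the deck): create service accounts from a CSV with a
# unique random password each, checking the 20-character sAMAccountName limit.
# Assumptions: the CSV below is constructed sample input; $ou is a placeholder.
Import-Module ActiveDirectory

$ou = 'OU=SharePoint Service Accounts,DC=contoso,DC=com'   # placeholder OU

# Constructed sample input (in practice: Import-Csv $filename)
$accounts = @'
Name,SamAccountName,Description
SP_Farm,SP_Farm,SharePoint farm service (production)
SP_WebApps,SP_WebApps,Web application pool identity
SP_Crawl_Development,SP_Crawl_Development,Search content access (dev)
'@ | ConvertFrom-Csv

function New-RandomPassword {
    param([int]$Length = 24)
    # 64 symbols exactly, so "byte mod 64" is uniform; ambiguous glyphs (I, O, l, 0, 1) left out.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$created = @()
foreach ($a in $accounts) {
    if ($a.SamAccountName.Length -gt 20) {
        Write-Warning "$($a.SamAccountName) exceeds 20 characters; skipped (shorten the name)"
        continue
    }
    $secure = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    New-ADUser -Name $a.Name -SamAccountName $a.SamAccountName `
               -Description $a.Description -Path $ou `
               -AccountPassword $secure -Enabled $true `
               -PasswordNeverExpires $false -CannotChangePassword $false
    # Keep the credential only in this session: registering the account as a
    # managed account (New-SPManagedAccount -Credential) needs the current
    # password once, after which SharePoint sets its own.
    $created += New-Object System.Management.Automation.PSCredential(
        "CONTOSO\$($a.SamAccountName)", $secure)
}
Write-Host "Complete: $($created.Count) account(s) created"
$created   # pipe into the managed-account registration step; never write to disk
```

SP_Crawl_Development is 20 characters and passes; a name one character longer would be skipped with a warning rather than silently truncated by the directory.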

Page 24: SPCA2013 - SharePoint Insanity Demystified

Managed Accounts

Page 25: SPCA2013 - SharePoint Insanity Demystified

Service Accounts
- What is a service account?
  - A domain user account
  - Used as the identity of a service like SQL or SharePoint
- The #1 problem with service accounts is… PASSWORD CHANGES
  - Service account password is changed
  - Update each location in which the service account is used
  - Painful!
- Result… admins set “Password never expires”
  - Terrible for security
  - Service accounts are typically highly privileged

Page 26: SPCA2013 - SharePoint Insanity Demystified

Managed Accounts
- In a nutshell
  - An Active Directory account that has been registered with SharePoint
  - SharePoint can then manage the password changes for the account
- Register a managed account
  - Central Administration > Security > Configure managed accounts > Register a managed account
  - Enter the user name and current password
  - Enter the user name as DOMAIN\name, not the user principal name ([email protected])
- Use a managed account
  - When creating or configuring an application pool for service or web apps
  - When managing Windows services related to SharePoint: Timer, Search, Document Conversion

Page 27: SPCA2013 - SharePoint Insanity Demystified

Password Changes
- Manual password change for a managed account
  - Central Administration > Security > Configure managed accounts > Edit
- Benefits
  - SharePoint changes the password in Active Directory
  - Does not require any delegation in Active Directory because the process uses the CHANGE PASSWORD right, not the Reset Password right
  - SharePoint updates the logon information of components: services, app pools
  - Password can be random: reduces the risk of an administrator leveraging the privileges of the account

Page 28: SPCA2013 - SharePoint Insanity Demystified

Automatic Password Changes
- Automatic password change for an individual managed account
  - Central Administration > Security > Configure managed accounts > Edit > Schedule
  - Based on scheduled date or domain password policy expiration (whichever comes first)
  - Notify administrators by email
  - The service will be “down” while it recycles with the new password
- Benefits
  - Removes the management burden of service accounts
  - Improves security and compliance
  - SharePoint admins don’t know the passwords to highly privileged accounts, e.g. SP_Farm (full control access to all SharePoint content)

Page 29: SPCA2013 - SharePoint Insanity Demystified

Managed Accounts
- Use them
- Configure automatic password management
- Know the limitations
  - Each farm must have separate accounts
  - Some components use “standard” service accounts, not managed accounts: search crawl, profile sync, secure store
    - These must be managed using traditional methods (change password in AD and in SharePoint)
    - Automate with PowerShell
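The three managed-account slides above (register, change the password, schedule automatic changes) and the limitation just listed (crawl account managed the traditional way) as one PowerShell script. This is an added example, not code from the deck; it assumes the accounts CONTOSO\SP_WebApps and CONTOSO\SP_Crawl, that the schedule string follows SharePoint's SPSchedule syntax as shown in the TechNet examples for Set-SPManagedAccount, and that the SharePoint snap-in is loaded.

```powershell
# Added example (not from the deck): register a managed account, switch it to
# automatic random password changes, and handle the crawl account (which
# SharePoint does not manage) the traditional way: reset in AD, update SharePoint.
# Assumptions: CONTOSO\SP_WebApps, CONTOSO\SP_Crawl, SPSchedule string syntax.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Register: DOMAIN\name (never the UPN) plus the account's *current* password.
$cred = Get-Credential -UserName 'CONTOSO\SP_WebApps' -Message 'Current password of the service account'
if (-not (Get-SPManagedAccount -Identity $cred.UserName -ErrorAction SilentlyContinue)) {
    New-SPManagedAccount -Credential $cred | Out-Null
}

# 2. Automatic change: SharePoint uses the account's own Change Password right
#    (no AD delegation), generates a random value, and updates app pools and
#    services itself, so no administrator ever learns the new password.
Set-SPManagedAccount -Identity $cred.UserName `
    -AutoGeneratePassword `
    -Schedule 'monthly between 15 02:00:00 and 15 03:00:00' `
    -PreExpireDays 2 `
    -EmailNotification 7 `
    -Confirm:$false

# 3. Crawl account: not a managed account, so change it in AD and then in the
#    search service application. Done here in one session, so the two stay in sync.
$crawlCred = Get-Credential -UserName 'CONTOSO\SP_Crawl' -Message 'New crawl account password'
Set-ADAccountPassword -Identity 'SP_Crawl' -Reset -NewPassword $crawlCred.Password
Get-SPEnterpriseSearchServiceApplication | ForEach-Object {
    Set-SPEnterpriseSearchServiceApplication -Identity $_ `
        -DefaultContentAccessAccountName $crawlCred.UserName `
        -DefaultContentAccessAccountPassword $crawlCred.Password
}

# Verify: which accounts are on automatic change and when they next rotate.
Get-SPManagedAccount |
    Select-Object UserName, AutomaticChange, PasswordExpiration, ChangeSchedule |
    Format-Table -AutoSize
```

Because the change in step 2 recycles the application pool, schedule it inside a maintenance window; PreExpireDays keeps SharePoint ahead of the domain policy so the account never expires under the service.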

Page 30: SPCA2013 - SharePoint Insanity Demystified

SQL & Storage

Page 31: SPCA2013 - SharePoint Insanity Demystified

SQL Alias
- SQLSERVER01.contoso.com = NYSQL05.contoso.com today
  = NYSQLCLUSTER.contoso.com tomorrow
  = NYSQLCLUSTER.newcompany.com next year
- Configure a SQL alias: CLICONFG.exe on each SharePoint server in the farm
- Do not “fake it out” with a DNS record (Kerberos)
- Consider “tiers” of aliases to support SQL scaling
  - Content databases: SQLSPCONTENT
  - Search databases: SQLSPSEARCH
  - Service application databases: SQLSPSERVICES
  - All point to a single SQL instance today…
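CLICONFG.exe writes its aliases to the registry, which is what makes the slide's "on each SharePoint server" step scriptable. The added example below (not from the deck) creates the three tiered aliases on one server, for both the 64-bit and the 32-bit client stacks, and then proves each alias resolves by asking the instance for its name. It assumes all three point at NYSQL05.contoso.com on port 1433 today, as the slide says, and that it is run on each SharePoint server (for example through Invoke-Command against the Get-SPServer list).

```powershell
# Added example (not from the deck): create the tiered SQL aliases from the
# slide by writing the registry values CLICONFG.exe writes, on this server.
# Assumptions: all three aliases target NYSQL05.contoso.com,1433 today.
$aliases = @{
    'SQLSPCONTENT'  = 'NYSQL05.contoso.com,1433'
    'SQLSPSEARCH'   = 'NYSQL05.contoso.com,1433'
    'SQLSPSERVICES' = 'NYSQL05.contoso.com,1433'
}

# 64-bit and 32-bit (Wow6432Node) client stacks both need the alias.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($alias in $aliases.Keys) {
        # DBMSSOCN = TCP/IP; CLICONFG stores the value as "DBMSSOCN,<host>,<port>"
        Set-ItemProperty -Path $key -Name $alias -Value "DBMSSOCN,$($aliases[$alias])" -Type String
    }
}

# Verify: connect through each alias and ask the instance who it is.
# The alias is resolved by the client library, not by DNS, which is why it
# does not interfere with the Kerberos SPN of the real host the way a DNS record would.
function Test-SqlAlias {
    param([string]$Alias)
    $conn = New-Object System.Data.SqlClient.SqlConnection `
        "Server=$Alias;Integrated Security=SSPI;Connection Timeout=5"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT @@SERVERNAME'
        [pscustomobject]@{ Alias = $Alias; Resolves = $true; Instance = $cmd.ExecuteScalar() }
    } catch {
        [pscustomobject]@{ Alias = $Alias; Resolves = $false; Instance = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

$aliases.Keys | ForEach-Object { Test-SqlAlias -Alias $_ } | Format-Table -AutoSize
```

When the content tier later moves to its own instance, only the SQLSPCONTENT value changes on each server; the farm's connection strings, which name the alias, stay untouched.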

Page 32: SPCA2013 - SharePoint Insanity Demystified

Documents stored in content database
(Diagram: a “Document” is stored in the SQL content database as a Binary Large Object (BLOB), alongside its workflows, security and metadata)

Page 33: SPCA2013 - SharePoint Insanity Demystified

Database Sizing
- Content databases: initial size, growth rate
- TempDB: initial size, growth rate
- Model – Monitor – Measure – Modify

Page 34: SPCA2013 - SharePoint Insanity Demystified

Content scaling support & guidance
- Content database: 200 GB (out-of-box); 4 TB (collaboration)*; unlimited (archive)*
- Site collection: 200 GB (out-of-box, only site collection in the CDB); 100 GB (out-of-box, multiple site collections in the CDB); up to the size of the CDB*
- Items per CDB: 60 million

*Conditions apply: performance, DR, HA

Page 35: SPCA2013 - SharePoint Insanity Demystified

Quotas

Page 36: SPCA2013 - SharePoint Insanity Demystified

Quotas
- Configured per site collection (SPSite)
- Can be applied with a quota template
  - Configured for the web application
  - Applied to one or more site collections
- Quota template update
  - Applies new settings to new sites
  - Does not modify existing sites that were based on the template
  - Use PowerShell (scripts can be found on TechNet) to update existing sites
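The "update existing sites" step in PowerShell, as an added example rather than the TechNet script the slide refers to. Site collections remember the template they were created from through the QuotaID on their quota, so the script finds the sites tied to the edited template, skips the ones already at the new limits, and re-applies the template to the rest. The template name and web application URL are placeholders; the SharePoint snap-in is assumed.

```powershell
# Added example (not from the deck): push an edited quota template's limits to
# the existing site collections that were created from it.
# Assumptions: template 'Team Sites' and the web application URL are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Update-SitesFromQuotaTemplate {
    param(
        [string]$TemplateName,
        [string]$WebApplicationUrl,
        [switch]$ReportOnly
    )
    $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $template = $contentService.QuotaTemplates[$TemplateName]
    if (-not $template) { throw "Quota template '$TemplateName' not found" }

    $touched = @()
    Get-SPSite -WebApplication $WebApplicationUrl -Limit All | ForEach-Object {
        $site = $_
        # QuotaID ties the site's quota to the template it was created from;
        # the two level checks skip sites already carrying the new values.
        $fromTemplate = $site.Quota.QuotaID -eq $template.QuotaID
        $stale = ($site.Quota.StorageMaximumLevel -ne $template.StorageMaximumLevel) -or
                 ($site.Quota.StorageWarningLevel -ne $template.StorageWarningLevel)
        if ($fromTemplate -and $stale) {
            if (-not $ReportOnly) {
                Set-SPSite -Identity $site -QuotaTemplate $template.Name
            }
            $touched += $site.Url
        }
        $site.Dispose()
    }
    return $touched
}

# Dry run first: list the sites that would change, then run without -ReportOnly.
Update-SitesFromQuotaTemplate -TemplateName 'Team Sites' `
    -WebApplicationUrl 'http://intranet.contoso.com' -ReportOnly
```

Sites whose quota was set by hand (no matching QuotaID) are deliberately left alone, since the template was never their source of truth.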

Page 37: SPCA2013 - SharePoint Insanity Demystified

BLOBs
Binary Large Objects

Page 38: SPCA2013 - SharePoint Insanity Demystified

Default: BLOBs stored in content database
(Diagram: the “Document” BLOBs live in the SQL content database together with workflows, security and metadata)

Page 39: SPCA2013 - SharePoint Insanity Demystified

BLOB externalization
(Diagram: workflows, security and metadata stay in the SQL content database; the “Document” BLOBs move to external storage: SAN, NAS, share or cloud)

Page 40: SPCA2013 - SharePoint Insanity Demystified

BLOB externalization alphabet soup
- BLOB: Binary large object, the representation of the content of a document
- EBS: External BLOB Storage
  - SharePoint feature
  - Supported: SharePoint 2007 – SharePoint 2010
- RBS: Remote BLOB Storage
  - SQL feature; SharePoint is an RBS “client”
  - Supported: SharePoint 2010 – SharePoint 2013

Page 41: SPCA2013 - SharePoint Insanity Demystified

Advantages of BLOB externalization
- Reduced storage cost
- Increased performance
  - In a real-world workload, externalizing all BLOBs boosts performance
  - Microsoft white paper: 25% performance improvement
    http://www.microsoft.com/en-us/download/details.aspx?id=14726
  - My experience: significant improvement
  - The noise about performance: the trajectory of guidance is to externalize collaborative content at 1 MB
- Access to features of the underlying storage platform
- Business rules to determine what gets externalized

Page 42: SPCA2013 - SharePoint Insanity Demystified

Shredded Storage

Page 43: SPCA2013 - SharePoint Insanity Demystified

Shredded Storage
- Office documents
  - Client sends updates > SharePoint > SQL
  - SQL shreds the updated version
  - Update of document library metadata does not generate additional shreds
- Non-Office documents
  - Client sends full file > SharePoint > SQL
  - SQL shreds the full file
  - Update of document library metadata might generate additional shreds

Page 44: SPCA2013 - SharePoint Insanity Demystified

Shredded Storage Reality
- Reduces I/O between web server and SQL server for Office document formats
- Potential reduction in storage of Office document versions
  - Achieves something like “de-duplication” or “differential versioning” of document versions
  - Updated document versions show a reduced storage footprint
  - Updating document library metadata only (and not the document) does not generate new shreds
- Non-Office document formats don’t benefit as much/at all
  - Total storage suggests that de-duplication is inefficient or ineffective
  - Updating document library metadata might generate additional shreds
- Does not reduce storage in multiple-location scenarios (same document stored in more than one location)

Page 45: SPCA2013 - SharePoint Insanity Demystified

Shredded Storage Considerations
- Shreds on new/modified document, not on upgrade
- Cannot currently be turned off
- FileWriteChunkSize and FileReadChunkSize are farm-wide settings
- Overall system performance may be degraded
  - Default shred size probably not ideal
  - Guidance is vectoring towards 1 MB for both FileReadChunkSize and FileWriteChunkSize
  - DO NOT exceed 4 MB!!
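Because both chunk sizes are farm-wide and the slide puts a hard 4 MB ceiling on them, it is worth wrapping the change in a function that refuses out-of-range values and reports before/after. This is an added example, not the deck's code; it assumes FileReadChunkSize and FileWriteChunkSize are exposed as byte-valued properties on SPWebService.ContentService, and that the SharePoint snap-in is loaded.

```powershell
# Added example (not from the deck): set the farm-wide shred chunk sizes to
# 1 MB, refusing anything above the 4 MB maximum the slide warns about.
# Assumption: both properties live on SPWebService.ContentService (bytes).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-ShredChunkSize {
    param([int]$Bytes = 1MB)
    if ($Bytes -gt 4MB) { throw "Chunk size $Bytes exceeds the 4 MB maximum" }
    if ($Bytes -lt 1)   { throw 'Chunk size must be positive' }

    $service = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $readBefore  = $service.FileReadChunkSize
    $writeBefore = $service.FileWriteChunkSize

    # Farm-wide: this affects every web application at once.
    $service.FileReadChunkSize  = $Bytes
    $service.FileWriteChunkSize = $Bytes
    $service.Update()

    [pscustomobject]@{
        ReadBefore  = $readBefore
        WriteBefore = $writeBefore
        ReadAfter   = $service.FileReadChunkSize
        WriteAfter  = $service.FileWriteChunkSize
    }
}

Set-ShredChunkSize -Bytes 1MB | Format-List
```

Record the "before" values from the output; since shredding cannot be turned off, they are the only way back if the new size hurts overall performance.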

Page 46: SPCA2013 - SharePoint Insanity Demystified

Storage Optimization

Page 47: SPCA2013 - SharePoint Insanity Demystified

Storage Guidance*
- Shredded storage means no RBS in collab scenarios
  - Or set FileReadChunkSize & FileWriteChunkSize to 1 MB, and use a size > 1 MB externalization rule
- Use RBS for tiered storage management for archives
- Acquire a third-party solution that manages storage: both RBS and backup/restore and archiving
  - Requires an RBS “provider”: FILESTREAM or, better yet, third parties
  - Performance
  - Business rules
  - Manageability: integration with backup, recovery, high-availability solutions
- Watch for the Microsoft/Dell white paper

* Fresh if used by [today]

Page 48: SPCA2013 - SharePoint Insanity Demystified

Archiving – Scenarios and Solutions
- Move to a different location, keep in SharePoint
  - Records management features
  - UI: Send To Another Location
  - Workflow
  - PowerShell
  - Third-party content management tools
- Move to a different storage tier, keep in SharePoint
  - Third-party RBS tools
- Move out of SharePoint entirely
  - PowerShell
  - Third-party tools

Page 49: SPCA2013 - SharePoint Insanity Demystified

Shout Outs
Randy Williams, Jeremy Thake, Gary Lapointe, Chris Givens, Andrew Connell, Spence Harbar, Jason Himmelstein, Todd Baginski, Scot Hillier, Susan Hanley, Matt McDermott, Eric Shupps, Paul Swider, Shane Young, Todd Klindt, Wictor Wilén, Asif Rehmani, Rob Bogue, Agnes Molnar, Steve Fox, Mirjam van Olst, Jasper Oosterveld, Michael Noel

Page 50: SPCA2013 - SharePoint Insanity Demystified

MAHALO! (thank you!)
http://tiny.cc/danholmepresentations
http://tiny.cc/danholmearticles
http://tiny.cc/danholmebooks

A HUI HO! (‘til next time!)
[email protected]
@danholme