Sample 1: Single Server Environment
• Allows organizations that would not normally be able to have a test environment to run one
• Allows for separation of the database role onto a dedicated server
• Can be more easily scaled out in the future

Sample 2: Two Server Highly Available Farm
• High availability across hosts
• All components virtualized
• Uses only two Windows Server Enterprise Edition licenses

Sample 3: Mix of Physical and Virtual Servers
• Highest-transaction servers are physical
• Multiple farm support, with DBs for all farms on the SQL cluster
Multiple Files for SharePoint Databases
• Break content databases and TempDB into multiple files (one MDF plus NDFs); the total file count should equal the number of physical processors (sockets, not cores) on the SQL Server.
• Pre-size content DBs and TempDB to avoid autogrowth events and file fragmentation.
• Place the files on different drive spindles for the best I/O performance.
• Keep every file the same size with the same growth setting: SQL Server fills the files of a filegroup in proportion to their free space, so unequal files concentrate I/O on the largest one and defeat the purpose.
• Example: a 50 GB content DB on a two-way SQL Server would have two database files distributed across two sets of drive spindles, each pre-sized to 25 GB.
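The layout rule above as a script. This is an added example, not code from the original deck: it counts the physical processors on the SQL host, splits a content database into that many equally pre-sized files spread round-robin over the spindle paths, and then reads back sys.database_files to confirm. The database name, the two data paths and the logical name of the primary file are assumptions; run it on the SQL Server with the SqlServer PowerShell module installed.

```powershell
# Added example: split a SharePoint content DB into N equal, pre-sized data files,
# N = physical processors (sockets) on this SQL host. Names and paths are assumptions.
Import-Module SqlServer          # supplies Invoke-Sqlcmd

$Instance    = '.'                               # run on the SQL Server itself
$Database    = 'WSS_Content_Portal'              # assumed content database
$TotalSizeGB = 50
$Spindles    = @('E:\SQLData', 'F:\SQLData')     # assumed: one path per set of drive spindles

# One Win32_Processor instance per socket, so this counts physical processors, not cores.
$FileCount  = @(Get-CimInstance -ClassName Win32_Processor).Count
$FileSizeMB = [int](($TotalSizeGB * 1024) / $FileCount)

$sql = "USE [master];`n"
for ($i = 0; $i -lt $FileCount; $i++) {
    $dir = $Spindles[$i % $Spindles.Count]       # round-robin across spindle sets
    if ($i -eq 0) {
        # The primary .mdf already exists (SharePoint gives it the database's name,
        # an assumption here) and stays where it was created; just pre-size it.
        $sql += "ALTER DATABASE [$Database] MODIFY FILE (NAME = N'$Database', SIZE = ${FileSizeMB}MB, FILEGROWTH = 1024MB);`n"
    } else {
        # Same size and growth on every file: SQL Server fills files proportionally to free space.
        $sql += "ALTER DATABASE [$Database] ADD FILE (NAME = N'${Database}_$i', FILENAME = N'$dir\${Database}_$i.ndf', SIZE = ${FileSizeMB}MB, FILEGROWTH = 1024MB);`n"
    }
}
Invoke-Sqlcmd -ServerInstance $Instance -Query $sql

# Check: every data file should report the same size and growth and sit on its own spindle set.
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query @"
SELECT name, physical_name, size * 8 / 1024 AS size_mb, growth * 8 / 1024 AS growth_mb
FROM sys.database_files WHERE type_desc = 'ROWS';
"@
```

On a two-socket host this produces the deck's example, two 25 GB files. MODIFY FILE can only grow a file, so run this against a freshly created database rather than one that has already outgrown the target size. For TempDB the same loop applies, except that the primary file's logical name is tempdev rather than the database name.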
SQL Database Optimization: SQL Maintenance Plans
• Implement SQL Maintenance Plans!
• Include DBCC CHECKDB (consistency check) and either Reorganize Indexes or Rebuild Indexes, but not both; a rebuild already leaves the index defragmented, so running both doubles the I/O for nothing.
• Add backups into the maintenance plan if they don't exist already.
• Keep the transaction logs from growing without bound once the full backups have run. Note that BACKUP LOG ... WITH TRUNCATE_ONLY was removed in SQL Server 2008, and truncating a log without backing it up breaks the log chain and with it point-in-time recovery. Either schedule transaction log backups for databases in the FULL recovery model, or switch databases that do not need point-in-time restore to SIMPLE, where the log truncates itself at each checkpoint.
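The maintenance-plan steps above as T-SQL driven from PowerShell. This is an added example rather than the deck's own script: it runs DBCC CHECKDB, then chooses exactly one operation per index from its measured fragmentation (rebuild at 30 % and above, reorganize between 5 % and 30 %, nothing below that or for small indexes), then takes a full backup followed by a log backup, which is what actually lets the log truncate in the FULL recovery model. The instance name, database name, thresholds and backup share are assumptions.

```powershell
# Added example: CHECKDB, per-index reorganize OR rebuild (never both), full + log backup.
# Instance, database, thresholds and backup path are assumptions.
Import-Module SqlServer

$Instance  = 'SQL01'
$Database  = 'WSS_Content_Portal'
$BackupDir = '\\backup01\sql'                  # assumed backup share
$Stamp     = Get-Date -Format 'yyyyMMdd_HHmm'

$maintenance = @'
DBCC CHECKDB WITH NO_INFOMSGS;   -- consistency check of the current database

-- Pick ONE operation per index from its fragmentation: rebuild at >= 30 %,
-- reorganize between 5 % and 30 %, skip anything below 5 % or under 1000 pages.
DECLARE @sql NVARCHAR(MAX) = N'';
SELECT @sql += N'ALTER INDEX ' + QUOTENAME(i.name) + N' ON '
             + QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.' + QUOTENAME(o.name)
             + CASE WHEN s.avg_fragmentation_in_percent >= 30 THEN N' REBUILD;' ELSE N' REORGANIZE;' END
             + CHAR(10)
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS s
JOIN sys.indexes AS i ON i.object_id = s.object_id AND i.index_id = s.index_id
JOIN sys.objects AS o ON o.object_id = s.object_id
WHERE s.avg_fragmentation_in_percent > 5 AND s.page_count > 1000 AND i.name IS NOT NULL;
EXEC sp_executesql @sql;
'@

# Index maintenance runs in the context of the target database; no timeout for CHECKDB.
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $maintenance -QueryTimeout 0

# Full backup, then a log backup. In FULL recovery the log only truncates after a log
# backup; TRUNCATE_ONLY no longer exists and would have broken the log chain anyway.
Invoke-Sqlcmd -ServerInstance $Instance -QueryTimeout 0 -Query @"
BACKUP DATABASE [$Database] TO DISK = N'$BackupDir\${Database}_$Stamp.bak' WITH CHECKSUM, COMPRESSION;
BACKUP LOG      [$Database] TO DISK = N'$BackupDir\${Database}_$Stamp.trn' WITH CHECKSUM;
"@
```

Drop the BACKUP LOG line for databases you have deliberately put in the SIMPLE recovery model; there it would fail, and the log is already truncating on its own.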
Comparison of High Availability and Disaster Recovery Options

| SQL Server Solution | Potential Data Loss (RPO) | Potential Recovery Time (RTO) | Automatic Failover | Additional Readable Copies |
|---|---|---|---|---|
| AlwaysOn Availability Groups – Synchronous (synchronous commit, no data loss, not suited to WAN links) | None | 5-7 seconds | Yes | 0-2 |
| AlwaysOn Availability Groups – Asynchronous (latency tolerant, cross-WAN option, potential for data loss) | Seconds | Minutes | No | 0-4 |
| AlwaysOn Failover Cluster Instance (FCI) – traditional shared-storage clustering | N/A (single copy on shared storage) | 30 seconds to several minutes (depending on disk failover) | Yes | N/A |
| Database Mirroring – High-safety (synchronous) | Zero | 5-10 seconds | Yes | N/A |
| Database Mirroring – High-performance (asynchronous) | Seconds | Manually initiated; can be a few minutes if automated | No | N/A |
| SQL Log Shipping | Minutes | Manually initiated; can be a few minutes if automated, but typically hours | No | Not during a restore |
| Traditional Backup and Restore | Hours to days | Typically multiple hours, days, or weeks | No | Not during a restore |
Five Layers of SharePoint Security
• Infrastructure security and best practices
• Data security
• Transport security
• Edge security
• Rights management
Sample List of Service Accounts

| Service Account Name | Role of Service Account | Special Permissions |
|---|---|---|
| COMPANYABC\SRV-SP-Setup | SharePoint installation account | Local Admin on all SP servers (for installs) |
| COMPANYABC\SRV-SP-SQL | SQL service account(s); should be separate accounts from the SP accounts | Local Admin on database server(s) (generally; some exceptions apply) |
| COMPANYABC\SRV-SP-Farm | SharePoint farm account(s); can also be standard admin accounts. RBAC principles apply ideally. | N/A |
| COMPANYABC\SRV-SP-Search | Search account | N/A |
| COMPANYABC\SRV-SP-Content | Default content access account | Read rights to any external data sources to be crawled |
| COMPANYABC\SRV-SP-Prof | Default profiles access account | Member of Domain Users (to read attributes of users in the domain) and the 'Replicate Directory Changes' right in AD |
| COMPANYABC\SRV-SP-AP-SPCA | Application pool identity account for SharePoint Central Admin | DBCreator and Security Admin on SQL; Create and Modify Contacts rights in the OU used for mail |
| COMPANYABC\SRV-SP-AP-Data | Application pool identity account for the content-related app pool (Portal, MySites, etc.); additional accounts as needed for security | N/A |

Note on the SQL service account: SQL Server setup grants its service account the file-system and registry rights it needs, so local administrator on the database server is a convenience rather than a requirement, and a dedicated low-privilege account is the safer default.
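Provisioning the accounts in the table with only the rights it lists. This is an added example, not a script from the deck: it creates the AD user objects, grants the profile account 'Replicating Directory Changes' on the domain naming context with dsacls, puts the Central Admin app pool identity into dbcreator and securityadmin (and nothing more) on the SQL instance, and finally checks that no SharePoint account has ended up in sysadmin. The OU, the SQL instance name and the prompting for passwords are assumptions.

```powershell
# Added example: create the service accounts above and grant only what the table lists.
# OU, SQL instance and password prompting are assumptions.
Import-Module ActiveDirectory
Import-Module SqlServer

$Domain      = 'COMPANYABC'
$DomainDN    = 'DC=companyabc,DC=com'
$OU          = "OU=Service Accounts,$DomainDN"      # assumed OU
$SqlInstance = 'SQL01'                               # assumed SQL instance

$Accounts = 'SRV-SP-Setup','SRV-SP-SQL','SRV-SP-Farm','SRV-SP-Search',
            'SRV-SP-Content','SRV-SP-Prof','SRV-SP-AP-SPCA','SRV-SP-AP-Data'

foreach ($name in $Accounts) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        $pw = Read-Host -AsSecureString -Prompt "Password for $name"
        New-ADUser -Name $name -SamAccountName $name -Path $OU -AccountPassword $pw `
                   -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
    }
}

# Profile import needs 'Replicating Directory Changes' on the domain naming context.
# This is the read-only change-notification right, not 'Replicating Directory Changes All'.
dsacls $DomainDN /G "${Domain}\SRV-SP-Prof:CA;Replicating Directory Changes"

# Central Admin app pool identity: dbcreator + securityadmin is all SharePoint needs to
# create and secure its databases. sp_addsrvrolemember works on 2008 through 2012.
$login = "$Domain\SRV-SP-AP-SPCA"
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'$login', @rolename = N'dbcreator';
EXEC sp_addsrvrolemember @loginame = N'$login', @rolename = N'securityadmin';
"@

# Check: no SharePoint account should be a sysadmin on the instance. Empty result = good.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
SELECT m.name AS sysadmin_member
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin' AND m.name LIKE N'$Domain\SRV-SP-%';
"@
```

The local administrator memberships in the table (setup account on the SharePoint servers) are granted on each server, not in AD, and are the first thing to remove again once installation is done.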
Enable Kerberos
When creating any web application, USE KERBEROS. It is more secure than NTLM and also faster under heavy load, because the SharePoint server does not have to round-trip every authentication request to a domain controller: the client presents a service ticket that the server validates locally. Kerberos does require extra steps (an HTTP service principal name for each web application host name, registered on the application pool identity, and constrained delegation if the farm must pass user identity on to back-end services), which makes people shy away from it, but once configured it improves security considerably and can improve performance on high-load sites. It should also be configured on the SPCA site. Best practice: configure SPCA for NLB, SSL and Kerberos (i.e. https://spca.companyabc.com).
Role Based Access Control (RBAC)
• Role groups are defined within Active Directory as universal groups, e.g. 'Marketing', 'Sales', 'IT'.
• Role groups are added directly into SharePoint access groups such as 'Contributors', 'Authors', etc.
• Simply by adding a user account into the associated role group, the user gains whatever rights the role requires; removing the account from the AD group revokes them, with no change in SharePoint.
• Caveat: group SIDs travel in the user's Kerberos ticket, so a membership change only takes effect once the user has a new ticket (log off and on), and SharePoint additionally caches the user's token for 24 hours by default (the web service TokenTimeout setting).
(Diagram: User1, User2 → AD Role Group → SharePoint Group)
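The role-group pattern above scripted end to end. This is an added example, not code from the deck: it creates universal AD groups, places each group (never individual users) into a SharePoint group with New-SPUser, manages access afterwards purely through AD membership, and audits the SharePoint groups for direct user entries that bypass the pattern. The group names, the OU, the site URL and the SharePoint group names are assumptions.

```powershell
# Added example: AD role group -> SharePoint access group; grant and revoke via AD only.
# Group names, OU, site URL and SharePoint group names are assumptions.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$Domain  = 'COMPANYABC'
$RolesOU = 'OU=Roles,DC=companyabc,DC=com'            # assumed OU for role groups
$SiteUrl = 'https://portal.companyabc.com'            # assumed site collection
$Roles   = @{ 'Marketing' = 'Portal Members'; 'IT' = 'Portal Owners' }   # AD group -> SharePoint group

foreach ($role in $Roles.Keys) {
    # Universal scope so the group resolves in every domain of the forest.
    if (-not (Get-ADGroup -Filter "Name -eq '$role'")) {
        New-ADGroup -Name $role -GroupScope Universal -GroupCategory Security -Path $RolesOU
    }
    # Put the AD group itself into the SharePoint group; EnsureUser resolves it to a
    # group claim (c:0+.w|<SID>) on a Windows-claims web application.
    $web = Get-SPWeb $SiteUrl
    New-SPUser -UserAlias "$Domain\$role" -Web $web -Group $Roles[$role] | Out-Null
    $web.Dispose()
}

# From here on, access is managed in AD only; SharePoint is never touched.
Add-ADGroupMember    -Identity 'Marketing' -Members 'user1','user2'
Remove-ADGroupMember -Identity 'Marketing' -Members 'user2' -Confirm:$false

# Check: the SharePoint groups should contain only AD groups, no direct user entries.
$web = Get-SPWeb $SiteUrl
foreach ($g in $Roles.Values) {
    $direct = $web.SiteGroups[$g].Users | Where-Object { -not $_.IsDomainGroup }
    if ($direct) { Write-Warning "$g has direct user entries: $($direct.LoginName -join ', ')" }
}
$web.Dispose()
```

Run the audit on a schedule: direct user grants are how role-based access erodes over time, and they are invisible from the AD side.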
SQL Transparent Data Encryption (TDE)
• SQL Server 2008, 2008 R2 and 2012 Enterprise Edition feature
• Encrypts SQL databases transparently at rest (data and log files); SharePoint is unaware of the encryption and does not need a key
• Encrypts the backups of the database as well, so a backup file copied off-site cannot be restored without the server certificate
• Caveats: back up the certificate (with its private key) that protects the database encryption key and keep it somewhere other than the SQL host and the backup media, because without it neither the database nor any of its backups can be restored; once any user database on an instance is encrypted, tempdb is encrypted too; and TDE protects only data at rest, not data on the wire and not against anyone who already holds SQL access.
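Enabling TDE on a content database, including the certificate backup that the bullets above call out as the step people forget. This is an added example, not the deck's own script; the instance, database, certificate name, the share the certificate is exported to and the prompted passwords are assumptions.

```powershell
# Added example: enable TDE on a content database and back up the certificate that
# protects it. Instance, database, paths, certificate name and passwords are assumptions.
Import-Module SqlServer

$Instance = 'SQL01'
$Database = 'WSS_Content_Portal'
$CertPath = '\\keyvault01\tde'     # assumed: a share that is NOT on the SQL host or the backup media
$MasterKeyPw  = Read-Host -Prompt 'Password for the database master key'    # prompted, not stored in the script
$CertBackupPw = Read-Host -Prompt 'Password for the certificate backup file'

Invoke-Sqlcmd -ServerInstance $Instance -Query @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'$MasterKeyPw';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = N'TDE_SharePoint')
    CREATE CERTIFICATE TDE_SharePoint WITH SUBJECT = N'SharePoint TDE certificate';

-- Without this file pair no backup of the database can ever be restored on another instance.
BACKUP CERTIFICATE TDE_SharePoint
    TO FILE = N'$CertPath\TDE_SharePoint.cer'
    WITH PRIVATE KEY (FILE = N'$CertPath\TDE_SharePoint.pvk', ENCRYPTION BY PASSWORD = N'$CertBackupPw');

USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE TDE_SharePoint;
ALTER DATABASE [$Database] SET ENCRYPTION ON;
"@

# Check: encryption_state 3 = encrypted (2 = still in progress, see percent_complete).
# tempdb appears in this list too once any user database on the instance is encrypted.
Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
"@
```

The SQL Server service account needs write access to the certificate share for BACKUP CERTIFICATE, and the background encryption scan reads every page once, so enable TDE outside business hours on large content databases.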
Client to Server: Using Secure Sockets Layer (SSL) Encryption
• External or internal certificates highly recommended
• Protects the transport of content between the browser and the web front end
• Roughly 20% overhead on the web servers; can be offloaded to SSL offloaders (load balancers) if needed
• If SSL is terminated on an offloader, register the public https:// URL as an alternate access mapping so SharePoint does not generate http:// links and redirects
• Don't forget SPCA as well!
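The Kerberos and SSL steps from the two sections above, for both a content web application and Central Admin, in one script. This is an added example and not code from the deck: it registers HTTP SPNs on the application pool identities from the service account table, creates a content web application on port 443 with Windows claims and Kerberos, binds the certificate in IIS, and moves Central Admin to an https host name with Kerberos. The host names, certificate subject, application pool name and managed accounts are assumptions.

```powershell
# Added example: SSL + Kerberos for a content web application and for Central Admin.
# Host names, certificate subject, pool name and managed accounts are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$Domain     = 'COMPANYABC'
$PortalHost = 'portal.companyabc.com'
$SpcaHost   = 'spca.companyabc.com'
$DataAcct   = "$Domain\SRV-SP-AP-Data"      # content app pool identity
$SpcaAcct   = "$Domain\SRV-SP-AP-SPCA"      # Central Admin app pool identity

# 1. SPNs: one HTTP/<host> per URL users type, on the identity of the pool serving it.
#    -S refuses to create a duplicate; a duplicate SPN silently downgrades clients to NTLM.
setspn -S "HTTP/$PortalHost" $DataAcct
setspn -S "HTTP/$SpcaHost"   $SpcaAcct
setspn -X     # report any duplicate SPNs already present in the forest

# 2. Content web app on 443. Windows claims without -DisableKerberos means Negotiate (Kerberos).
$auth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
New-SPWebApplication -Name 'Portal' -Url "https://$PortalHost" -HostHeader $PortalHost `
    -Port 443 -SecureSocketsLayer -ApplicationPool 'Portal-AppPool' `
    -ApplicationPoolAccount (Get-SPManagedAccount $DataAcct) -AuthenticationProvider $auth | Out-Null

# 3. Bind the certificate in IIS on every web front end (SharePoint does not do this for you).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$PortalHost*" } | Select-Object -First 1
New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# 4. Central Admin: public https URL in front of the NLB VIP, and Kerberos on its web app.
$ca = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
New-SPAlternateURL -WebApplication $ca -Url "https://$SpcaHost" -Zone Default | Out-Null
Set-SPWebApplication -Identity $ca -Zone Default -AuthenticationProvider (New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication)

# Check: DisableKerberos must be False on both. On a client that has just opened the site,
# 'klist' should then list a ticket for HTTP/portal.companyabc.com rather than an NTLM logon.
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
(Get-SPWebApplication "https://$PortalHost").IisSettings[$zone].DisableKerberos
$ca.IisSettings[$zone].DisableKerberos
```

If a second https site (here Central Admin) has to share port 443 on the same front ends, give it its own IP address or an SNI binding; a single 0.0.0.0!443 binding serves one certificate.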
Server to Server: Using IPsec to Encrypt Traffic
• By default, traffic between SharePoint servers (i.e. web front ends and SQL) is unencrypted
• IPsec encrypts all packets sent between servers in a farm (SQL, search and service application traffic alike) at the IP layer, so no application setting has to change
• For very high security scenarios where every possible exposure of data on the network must be addressed
• Caveat: a Windows connection security rule that only "requires authentication" gives integrity, not confidentiality; the rule must require encryption, and rolling out a Require rule on one side before the other side is configured cuts that server off
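A connection security rule that does what the bullets above describe: authenticated and encrypted IPsec in transport mode for every packet between farm members. This is an added example, not configuration from the deck; the farm subnet is an assumption, the cmdlets are the Windows Server 2012 and later NetSecurity module, and the script is run on each farm server.

```powershell
# Added example: require authenticated AND encrypted IPsec (ESP/AES-256) for every
# packet between farm members. Subnet is an assumption; run on each farm server.
$FarmSubnet = '10.0.1.0/24'          # assumed: web, app and SQL servers all live here

# Quick-mode proposal with encryption. Windows' default quick-mode set offers integrity
# only, so a rule that merely requires authentication leaves SQL traffic readable.
$proposal  = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$cryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'Farm ESP AES-256' -Proposal $proposal

# Transport-mode rule for all traffic between farm addresses. Phase-1 authentication is
# left at the default (machine Kerberos), so domain membership is the only prerequisite.
# Deploy with -InboundSecurity Request first, confirm SAs form on every server, then
# switch to Require; a one-sided Require rule isolates that server from SQL.
New-NetIPsecRule -DisplayName 'Farm: encrypt server-to-server traffic' -Mode Transport `
    -LocalAddress $FarmSubnet -RemoteAddress $FarmSubnet `
    -InboundSecurity Require -OutboundSecurity Require `
    -QuickModeCryptoSet $cryptoSet.Name

# Check once traffic has flowed (e.g. a front end has connected to SQL on 1433): every
# quick-mode SA to a farm address must show AES-256 ESP encryption, none integrity-only.
Get-NetIPsecQuickModeSA | Format-List *
```

Leave the default quick-mode set untouched for other rules; the encrypted set is attached only to this farm rule, so traffic to hosts outside the subnet is not affected.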
Forefront UAG (SSL/VPN) vs. Forefront TMG

| Capability | TMG 2010 | UAG 2010 |
|---|---|---|
| Publish web applications using HTTPS | X | X |
| Publish internal mobile applications to roaming mobile devices | X | X |
| Layer 3 firewall | X | X* |
| Outbound scenarios support | X | X* |
| Array support | X | X |
| Globalization and administration console localization | X | X |
| Wizards and predefined settings to publish SharePoint sites and Exchange | X | X |
| Wizards and predefined settings to publish various applications | | X |
| Active Directory Federation Services (ADFS) support | | X |
| Rich authentication (for example, one-time password, forms-based, smart card) | X | X |
| Application protection (web application firewall) | Basic | Full |
| Endpoint health detection | | X |
| Information leakage prevention | | X |
| Granular access policy | | X |
| Unified portal | | X |
Active Directory Rights Management Services (AD RMS)
• AD RMS is a form of Digital Rights Management (DRM) technology, used in various forms to protect content
• Used to restrict activities on files AFTER they have been accessed: cut/paste, print, Save As...
• Directly integrates with SharePoint document libraries: with IRM enabled on a library, SharePoint applies the RMS policy to each document as it is downloaded and strips it again on upload, so the copy in the content database stays unprotected (TDE and access control still have to cover it there)
• Caveat: the restrictions are enforced by the client application that opens the file, so RMS deters casual leakage; it cannot stop a screenshot or a photograph of the screen
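Switching IRM on for a document library and auditing a site collection for libraries that still serve unprotected files. This is an added example rather than the deck's own script; the site URL, library name and the use of the SharePoint 2013 Set-SPIRMSettings cmdlet for the farm-level step are assumptions (on SharePoint 2010 the farm-level RMS setting is made in Central Administration instead).

```powershell
# Added example: enable IRM on one library, then list every library in the site collection
# without it. Site URL and library name are assumptions; Set-SPIRMSettings is 2013+.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = 'https://portal.companyabc.com'
$LibName = 'Contracts'

# Farm level: point SharePoint at the AD RMS cluster published in AD (SCP discovery).
Set-SPIRMSettings -RmsEnabled -UseActiveDirectoryDiscovery

$site = Get-SPSite $SiteUrl
$list = $site.RootWeb.Lists[$LibName]
$list.IrmEnabled = $true      # apply the RMS policy to every download from this library
$list.IrmReject  = $true      # refuse uploads in formats SharePoint cannot protect
$list.IrmExpire  = $false     # no fixed expiry on the issued use licences
$list.Update()

# Audit: every visible document library in the site collection that has IRM off.
foreach ($web in $site.AllWebs) {
    $web.Lists |
        Where-Object { $_.BaseType -eq 'DocumentLibrary' -and -not $_.Hidden -and -not $_.IrmEnabled } |
        ForEach-Object { '{0} - {1}: IRM off' -f $web.Url, $_.Title }
    $web.Dispose()
}
$site.Dispose()
```

Run the audit across all site collections from a scheduled job; a new library is created with IRM off, so protection otherwise drifts as sites grow.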