SPCA2013 - SharePoint Insanity Demystified
  • Secure store accounts
  • Confirm perms assigned in 2013
    During farm setup: dbcreator and securityadmin fixed server roles
    Creating databases: db_owner fixed db role for all SharePoint databases
    Adding servers to farm: Given permissions a new server automatically
  • http://get-sharepoint.com/2013/05/the-super-reader-account-utilized-by-the-cache-does-not-have-sufficient-permissions-to-sharepoint-database/
    http://absolute-sharepoint.com/2012/12/sharepoint-2013-service-accounts-best-practices-is-there-a-golden-solution-for-all-farms.html
    http://blogs.technet.com/b/rhartskeerl/archive/2011/08/22/sql-server-code-name-denali-adds-support-for-managed-service-accounts.aspx
  • TCP/IP v Named Pipes
  • Discuss the challenges of RTM guidance: what was “guidance” and what was “support”?
    CONDITIONS APPLY
    Content databases of up to 4 TB are supported when the following requirements are met:
    Disk sub-system performance:
    0.25 IOPs per GB minimum
    2.00 IOPs per GB recommended for optimal performance
    TTFB of 20ms
    Architecture and tools must support performance expectations, future capacity, backup, restore, high availability, disaster recovery
    Discussion: Does anyone have more than a terabyte of data in their farm? Does anyone have a database larger than 200GB? Are there any negative performance impacts? Does anyone have 2GB / 1GB / 500MB files stored in SharePoint? How do they perform? How fast is your SharePoint farm growing? If you haven’t deployed SharePoint, how do you know how much storage you’ll need?
  • Transcript of "SPCA2013 - SharePoint Insanity Demystified"

    1. Resources http://technet.microsoft.com/en-us/library/ee662513.aspx http://technet.microsoft.com/en-us/library/cc678863.aspx
    2. SQL Server service: SQL_Service, * SQL administrator: SQL_Admin SharePoint Administrator and Setup User: SP_Admin SharePoint Farm Service: SP_Farm Application pool accounts SP_WebApps SP_MySiteApp * SP_ServiceApps * Default content access (crawl) account: SP_Crawl, * User Profile Synchronization account: SP_UserSync Object cache accounts: SP_CacheSR, SP_CacheSU
    3. SQL Database Engine service account: SQL_Service SQL service ownership account: SQL_Admin Resources http://technet.microsoft.com/en-us/library/ms144228.aspx http://download.microsoft.com/download/8/F/A/8FABACD7-803E-40FC-ADF8355E7D218F4C/SQL_Server_2012_Security_Best_Practice_Whitepaper_Apr2012.docx SQL Agent service account: SQL_Agent
    4. SharePoint Administrator and Setup User Used by a service admin to perform bit-level changes Unique, “generic” SharePoint administrative account Not your “normal” user or admin account
    5. Domain user account Administrator SQL privileges PowerShell privileges
    6. SharePoint Farm Service Used for highly privileged SharePoint services Domain user account SharePoint assigns permissions automatically
    7. Extra privileges: UPS Before provisioning User Profile Synchronization Service 1. Add SP_Farm to local Administrators
    8. Collab Intranet WSS_CONTENT_APPLICATION_POOLS role Extranet
    9. Web and service application pool accounts Domain user accounts Register as managed accounts in the SharePoint farm Assigned as the application pool identity Permissions required depend on the web app or service application
    10. My Site web application SP_MySiteApp Account for each application pool to isolate access
    11. SharePoint Search default content access account Domain user account Requires read permission to indexed content sources Configure SP_Crawl before creating web apps Assign Read permission to all other indexed content sources Create additional content access accounts
    12. SharePoint User Profile Synchronization Domain user account Requires Replicating Directory Changes permission on domain
    13. Object cache accounts See http://technet.microsoft.com/en-us/library/ff758656.aspx Note: this is not the same as BLOB cache or remote BLOB store. This has to do with versions & drafts
    14. Office Web Apps (2013) Secure Store
    15. SharePoint Automation: SP_Automation Rights required to perform automated tasks
    16. SharePoint Enterprise Administrator: SP_EnterpriseAdmin Least privilege not always possible SQL Administrator Local Administrators Farm Administrators Disabled until needed
    17. Each farm… … needs its own “set” of accounts naming convention SP_Farm SP_Farm_Dev SP_Farm_Test Why?
    18. Account permissions and security settings in SharePoint 2013 http://technet.microsoft.com/en-us/library/cc678863.aspx Configure object cache user accounts in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/ff758656.aspx
    19. # Create the accounts listed in the CSV under $ou, set their initial password, then enable them
        Import-CSV $filename |
            New-ADUser -Path $ou -PassThru |
            Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $password -Force) -PassThru |
            Enable-ADAccount
        Write-Host "Complete"
    20. What is a service account? The #1 problem with service accounts is…. PASSWORD CHANGES Service account password is changed Painful! Result… Admins set Password never expires
    21. In a nutshell Register a managed account Use a managed account
    22. Manual Password Change for a managed account Benefits Does not require any delegation in Active Directory CHANGE PASSWORD
    23. Automatic Password Change for an individual managed account Benefits
    24. Use them Configure automatic password management Know the limitations
    25. SQL alias SQL Alias SQLSERVER01.contoso.com = NYSQL05.contoso.com today = NYSQLCLUSTER.contoso.com tomorrow = NYSQLCLUSTER.newcompany.com next year Configure a SQL alias CLICONFG.exe on each SharePoint server in the farm Do not “Fake it out” with a DNS record Kerberos Consider “tiers” of aliases to support SQL scaling Content Databases: SQLSPCONTENT Search Databases: SQLSPSEARCH Service Application Databases: SQLSPSERVICES
    26. workflows security SQL Content Database metadata “Document” BLOB Binary Large Object (BLOB)
    27. Content Databases TempDB Model – Monitor – Measure – Modify
    28. Content Database Site Collection Items per CDB *Conditions apply: Performance, DR, HA
    29. workflows security SQL Content Database metadata “Document” BLOBs
    30. workflows SQL Content Database security metadata “Document” BLOBs Cloud Share NAS SAN
    31. BLOB EBS RBS
    32. Reduced storage cost Increased performance real world workload http://www.microsoft.com/en-us/download/details.aspx?id=14726 significant improvement noise about performance externalize collaborative content at 1MB Access to features of the underlying storage platform Business rules to determine what gets
    33. Office documents Non-Office documents
    34. Reduces I/O between web server and SQL server Potential reduction in storage of Office document versions Non-Office document formats don’t benefit as much/at all Does not reduce storage in multiple-location scenarios
    35. Shreds on new/modified document, not on upgrade Cannot currently be turned off Overall system performance may be degraded
    36. Shredded storage means no RBS in collab scenarios Use RBS for tiered storage management for archives Requires an RBS “Provider”
    37. Move to different location, keep in SharePoint Move to different storage tier, keep in SharePoint Move out of SharePoint entirely
    38. Randy Williams Jeremy Thake Gary Lapointe Chris Givens Andrew Connell Spence Harbar Jason Himmelstein Todd Baginski Scot Hillier Susan Hanley Matt McDermott Eric Shupps Paul Swider Shane Young Todd Klindt Wictor Wilén Asif Rehmani Rob Bogue Agnes Molnar Steve Fox Mirjam van Olst Jasper Oosterveld Michael Noel
    39. http://tiny.cc/danholmepresentations http://tiny.cc/danholmearticles http://tiny.cc/danholmebooks dan.holme@intelliem.com @danholme
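
Slides 16 and 20 name two account-hygiene conditions that are easy to check: a highly privileged account that should stay "Disabled until needed", and service accounts left with "Password never expires". The following audit is an added example, not code from the deck; the function name `Test-ServiceAccountHygiene`, the 90-day threshold and the sample records are assumptions made for illustration.

```powershell
# Added example: flag service accounts that drift from the guidance above.
# Input objects need SamAccountName, Enabled, PasswordNeverExpires and
# PasswordLastSet (the property names Get-ADUser uses).
function Test-ServiceAccountHygiene {   # hypothetical name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [int] $MaxPasswordAgeDays = 90,   # assumed policy value
        [string[]] $DisabledUntilNeeded = @('SP_EnterpriseAdmin')
    )
    process {
        $findings = @()
        if ($Account.PasswordNeverExpires) {
            $findings += 'Password never expires is set'
        }
        if ($Account.PasswordLastSet -and
            ((Get-Date) - $Account.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays) {
            $findings += "Password is older than $MaxPasswordAgeDays days"
        }
        if ($Account.Enabled -and $DisabledUntilNeeded -contains $Account.SamAccountName) {
            $findings += 'Highly privileged account is enabled; keep it disabled until needed'
        }
        # Emit one row per finding so the output can be sorted, filtered or exported
        foreach ($finding in $findings) {
            [pscustomobject]@{ Account = $Account.SamAccountName; Finding = $finding }
        }
    }
}

# Constructed sample records, not taken from a real directory.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'SP_Farm'; Enabled = $true; PasswordNeverExpires = $true; PasswordLastSet = $now.AddDays(-400) }
    [pscustomobject]@{ SamAccountName = 'SP_Crawl'; Enabled = $true; PasswordNeverExpires = $false; PasswordLastSet = $now.AddDays(-10) }
    [pscustomobject]@{ SamAccountName = 'SP_EnterpriseAdmin'; Enabled = $true; PasswordNeverExpires = $false; PasswordLastSet = $now.AddDays(-30) }
)
$sample | Test-ServiceAccountHygiene | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module):
# Get-ADUser -Filter "SamAccountName -like 'SP_*' -or SamAccountName -like 'SQL_*'" `
#     -Properties PasswordNeverExpires, PasswordLastSet | Test-ServiceAccountHygiene
```

With the sample data, SP_Farm produces two findings, SP_EnterpriseAdmin one, and SP_Crawl none.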