2. Author of SAMS Publishing titles “SharePoint 2013 Unleashed,” “SharePoint
2010 Unleashed”, “Windows Server 2012 Unleashed,” “Exchange Server 2013
Unleashed”, “ISA Server 2006 Unleashed”, and a total of 19 titles that have
sold over 300,000 copies.
Partner at Convergent Computing (www.cco.com) – San Francisco, U.S.A.
based Infrastructure/Security specialists for SharePoint, AD, Exchange, System
Center, Security, etc.
3.
4. Windows Server 2008 R2 SP1 or Windows Server 2012
(Preferred)
SQL Server 2008 R2 w/SP1 or SQL Server 2012
(Preferred)
Type Memory Processor
Dev/Stage/Test server 8GB RAM 4 CPU
„All-in-one‟ DB/Web/SA 24GB RAM 4 CPU
Web/SA Server 12GB RAM 4 CPU
DB Server (medium environments) 16GB RAM 8 CPU
DB Server (small environments) 8GB RAM 4 CPU
Software/Hardware Requirements
5. Office Web Apps is no longer a service application
Web Analytics is no longer service application, it‟s part of
search
New service applications available and improvements on
existing ones
App Management Service – Used to manage the new SharePoint
app store from the Office Marketplace or the Application Catalog
SharePoint Translation Services – provides for language
translation of Word, XLIFF, and PPT files to HTML
Work Management Service – manages tasks across
SharePoint, MS Exchange and Project.
Access Services App (2013) – Replaces 2010 version of Access
Services
Changes in Service Applications and New Service Applications
6. A new Windows service – the Distributed
Cache Service – is installed on each server in
the farm when SharePoint is installed
It is managed via the Services on Server page
in central admin as the Distributed Cache
service
The config DB keeps track of
which machines in the farm
are running the cache service
Distributed Cache Service
7. The purpose of the Request Management feature is to
give SharePoint knowledge of and more control over
incoming requests
Having knowledge over the nature of incoming requests
– for example, the user agent, requested URL, or source
IP – allows SharePoint to customize the response to
each request
RM is applied per web app, just like throttling is done in
SharePoint 2010
Request Management (RM)
8. Option 1 (AD Import): Simple one-way Sync (a la
SharePoint 2007)
Option 2 (SharePoint Profile Sync): Two-
way, possible write-back to AD options using small
FIM service on UPA server (a la 2010)
Option 3: (Enable External Identity Manager): Full
Forefront Identity Manager (FIM)
Synchronisation, allows for complex scenarios –
Larger clients will appreciate this
User Profile Sync – Three Options for Deployment
9. SharePoint 2013 continues to offer support for
both claims and classic authentication modes
However claims authentication is THE default
authentication option now
Classic authentication mode is still there, but can only
be managed in PowerShell – it‟s gone from the UI
Support for classic mode is deprecated and will go
away in a future release
There also a new process to migrate accounts
from Windows classic to Windows claims – the
Convert-SPWebApplication cmdlet
Claims-based Authentication - Default
10. Stores new versions of documents as „shredded
BLOBs that are deltas of the changes
Promises to reduce storage size significantly
Shredded Storage
11. New Search
architecture (FAST
based) with one
unified search
Personalised search
results based on
search history
Rich contextual
previews
Search – FAST Search now included
15. 2 SharePoint Servers running
Web and Service Apps
2 Database Servers
(AlwaysOn FCI or AlwaysOn
Availability Groups)
1 or 2 Index Partitions with
equivalent query components
Smallest farm size that is fully
highly available
Smallest Highly Available Farm
16. 2 Dedicated Web
Servers (NLB)
2 Service Application
Servers
2 Database Servers
(Clustered or
Mirrored)
1 or 2 Index Partitions
with equivalent query
components
Best Practice ‘Six Server Farm’
17. • Separate farm for
Service Applications
• One or more farms
dedicated to content
• Service Apps are
consumed cross-
farm
• Isolates „difficult‟
service apps like
User Profile Sync and
allows for patching
in isolation
Ideal – Separate Service App Farm + Content Farm(s)
18. • Multiple Dedicated
Web Servers
• Multiple Dedicated
Service App Servers
• Multiple Dedicated
Query Servers
• Multiple Dedicated
Crawl Servers, with
multiple Crawl DBs to
increase parallelisation
of the crawl process
• Multiple distributed
Index partitions (max
of 10 million items per
index partition)
• Two query components
for each Index
partition, spread
among servers
Large SharePoint Farms
19.
20. Allows organisations that wouldn‟t normally be able to have a test
environment to run one
Allows for separation of the database role onto a dedicated server
Can be more easily scaled out in the future
Sample 1: Single Server Environment
27. Can reduce dramatically the size of Content DBs, as upwards of
80%-90% of space in content DBs is composed of BLOBs
Can move BLOB storage to more efficient/cheaper storage
Improve performance and scalability of your SharePoint
deployment – But highly recommended to use third party
Remote BLOB Storage (RBS)
30. • Break Content Databases and TempDB into multiple files (MDF, NDF), total
should equal number of physical processors (not cores) on SQL server.
• Pre-size Content DBs and TempDB to avoid fragmentation
• Separate files onto different drive spindles for best IO perf.
• Example: 50GB total Content DB on Two-way SQL Server would have two
database files distributed across two sets of drive spindles = 25GB pre-sized
for each file.
Multiple Files for SharePoint Databases
31. • Implement SQL Maintenance Plans!
• Include DBCC (Check Consistency) and either Reorganize
Indexes or Rebuild Indexes, but not both!
SQL Database Optimisation
SQL Maintenance Plans
• Add backups into the
maintenance plan if they
don’t exist already
• Make sure you are doing
transaction log backups as
well to clean up the logs.
Also, note that only DBCC
SHRINKFILE recovers
whitespace
32.
33. High Availability and Disaster Recovery
SQL Server Solution
Potential
Data Loss
(RPO)
Potential
Recovery Time
(RTO)
Automatic
Failover
Additional
Readable Copies
AlwaysOn Availability Groups – Synchronous (Dual-phase
commit, no data loss, can’t operate across WAN)
None 5-7 Seconds Yes 0 - 2
AlwaysOn Availability Groups – Asynchronous (Latency
tolerant, cross WAN option, potential for data loss)
Seconds Minutes No 0 - 4
AlwaysOn Failover Cluster Instance (FCI) – Traditional
shared storage clustering
NA 30 Seconds to
several minutes
(depending on
disk failover)
Yes N/A
Database Mirroring - High-safety (Synchronous) Zero 5-10 seconds Yes N/A
Database Mirroring - High-performance (Asynchronous) Seconds Manually
initiated, can be
a few minutes if
automated
No N/A
SQL Log Shipping Minutes Manually
initated, can be
a few minutes if
automated, by
typically hours
No Not during
a restore
Traditional Backup and Restore Hours to
Days
Typically
multiple hours,
days, or weeks
No Not during
a restore
Comparison of High Availability and
Disaster Recovery Options
36. Hardware Based Load Balancing
(F5, Cisco, Citrix NetScaler – Best
performance and scalability
Software Windows Network Load
Balancing fully supported by MS, but
requires Layer 2 VLAN (all packets
must reach all hosts.) Layer 3 Switches
must be configured to allow Layer 2 to
the specific VLAN.
If using Unicast, use two NICs on the
server, one for communications
between nodes.
If using Multicast, be sure to configure
routers appropriately
Set Affinity to Single (Sticky Sessions)
If using VMware, note fix to NLB RARP
issue (http://tinyurl.com/vmwarenlbfix)
Network Load Balancing
37.
38. • Infrastructure Security and Best practices
Physical Security
Best Practice Service Account Setup
Kerberos Authentication
• Data Security
Role Based Access Control (RBAC)
Transparent Data Encryption (TDE) of SQL Databases
• Transport Security
Secure Sockets Layer (SSL) from Server to Client
IPSec from Server to Server
• Edge Security
Inbound Internet Security (Forefront UAG/TMG)
• Rights Management
Five Layers of SharePoint Security
39. Service Account Name Role of Service Account Special Permissions
COMPANYABCSRV-SP-Setup SharePoint Installation Account Local Admin on all SP Servers (for installs)
COMPANYABCSRV-SP-SQL SQL Service Account(s) – Should be separate
admin accounts from SP accounts.
Local Admin on Database Server(s)
(Generally, some exceptions apply)
COMPANYABCSRV-SP-Farm SharePoint Farm Account(s) – Can also be
standard admin accounts. RBAC principles
apply ideally.
N/A
COMPANYABCSRV-SP-Search Search Account N/A
COMPANYABCSRV-SP-Content Default Content Access Account Read rights to any external data sources to
be crawled
COMPANYABCSRV-SP-Prof Default Profiles Access Account Member of Domain Users (to be able to
read attributes from users in domain) and
„Replicate Directory Changes‟ rights in AD.
COMPANYABCSRV-SP-AP-SPCA Application Pool Identity account for SharePoint
Central Admin.
DBCreator and Security Admin on SQL. Create
and Modify contacts rights in OU used for mail.
COMPANYABCSRV-SP-AP-Data Application Pool Identity account for the
Content related App Pool (Portal, MySites, etc.)
Additional as needed for security.
N/A
40. When creating any Web Applications, USE KERBEROS. It is
much more secure and also faster with heavy loads as the SP
server doesn‟t have to keep asking for auth requests from AD.
Kerberos auth does require extra steps, which makes people
shy away from it, but once configured, it improves security
considerably and can improve performance on high-load sites.
Should also be configured on SPCA Site! (Best Practice =
Configure SPCA for NLB, SSL, and Kerberos (i.e.
https://spca.companyabc.com)
41. Role Groups defined within Active Directory (Universal
Groups) – i.e. „Marketing,‟ „Sales,‟ „IT,‟ etc.
Role Groups added directly into SharePoint „Access
Groups‟ such as „Contributors,‟ „Authors,‟ etc.
Simply by adding a user account into the associated
Role Group, they gain access to whatever rights their
role requires.
User1
User2
AD
and/or
SP Group
SharePoint
Permissions
42. SQL Server 2008, 2008
R2, 2012 Enterprise
Edition Feature
Encrypts SQL
Databases
Transparently,
SharePoint is unaware
of the encryption and
does not need a key
Encrypts the backups
of the database as well
43. External or Internal Certs
highly recommended
Protects Transport of
content
Low overhead on Web
Servers
Can be offloaded via SSL
offloaders if needed
Don‟t forget for SPCA as
well!
44. By default, traffic between
SharePoint Servers (i.e. Web
and SQL) is unencrypted
IPSec encrypts all packets
sent between servers in a
farm
For very high security
scenarios when all possible
data breaches must be
addressed
45.
46. AD RMS is a form of Digital Rights Management (DRM)
technology, used in various forms to protect content
Directly integrates with SharePoint DocLibs
Used to restrict activities on files AFTER they have been
accessed:
Cut/Paste
Print
Save As…
47. • Document all key settings in IIS, SharePoint, after
installation
• Consider monitoring for changes after installation
for Config Mgmt.
• Fantastic tool for this is the SPDocKit - can be found
at http://tinyurl.com/spdockit
SPDocKit