4. Software/Hardware Requirements
Type                              | Memory   | Processor
Dev/Stage/Test server             | 8GB RAM  | 4 CPU
‘All-in-one’ DB/Web/SA            | 24GB RAM | 4 CPU
Web/SA Server                     | 12GB RAM | 4 CPU
DB Server (medium environments)   | 16GB RAM | 8 CPU
DB Server (small environments)    | 8GB RAM  | 4 CPU
23. Sample 1: Single Server Environment
Allows organizations that wouldn’t normally be able to have a test environment to run one
Allows for separation of the database role onto a dedicated server
Can be more easily scaled out in the future
24. Sample 2: Two Server Highly Available Farm
High Availability across hosts
All components virtualized
Uses only two Windows Enterprise Edition licenses
25. Sample 3: Mix of Physical and Virtual Servers
Highest-transaction servers are physical
Multiple farm support, with DBs for all farms on the SQL cluster
33. Multiple Files for SharePoint Databases
• Break Content Databases and TempDB into multiple files (MDF, NDF); the total number of files should equal the number of physical processors (not cores) on the SQL server.
• Pre-size Content DBs and TempDB to avoid fragmentation.
• Separate files onto different drive spindles for best I/O performance.
• Example: a 50GB total Content DB on a two-way SQL Server would have two database files distributed across two sets of drive spindles, i.e. 25GB pre-sized for each file.
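The 50GB, two-file layout above written out as T-SQL. This is an added example, not code from the original slides; the database name WSS_Content_Portal, the drive letters and paths, and the TempDB sizes are assumptions. Run it on the SQL server before the database is attached to the farm.

```sql
-- Added example (not from the original slides): a 50 GB SharePoint content
-- database created as two 25 GB files on two separate sets of spindles,
-- plus a TempDB resized and given a second data file to match the two
-- physical processors. Names, paths and sizes are assumptions.
USE master;
GO
CREATE DATABASE WSS_Content_Portal
ON PRIMARY
(
    NAME = N'WSS_Content_Portal_Data1',
    FILENAME = N'E:\SQLData1\WSS_Content_Portal_Data1.mdf',
    SIZE = 25600MB,          -- 25 GB pre-sized, so the file is not grown in small steps
    FILEGROWTH = 1024MB
),
(
    NAME = N'WSS_Content_Portal_Data2',
    FILENAME = N'F:\SQLData2\WSS_Content_Portal_Data2.ndf',   -- second spindle set
    SIZE = 25600MB,
    FILEGROWTH = 1024MB
)
LOG ON
(
    NAME = N'WSS_Content_Portal_Log',
    FILENAME = N'G:\SQLLogs\WSS_Content_Portal_Log.ldf',      -- log on its own spindles
    SIZE = 5120MB,
    FILEGROWTH = 512MB
);
GO

-- TempDB already exists, so its first file is pre-sized and a second file
-- is added on the other spindle set instead of creating it from scratch.
ALTER DATABASE tempdb
    MODIFY FILE (NAME = N'tempdev', SIZE = 4096MB, FILEGROWTH = 512MB);
ALTER DATABASE tempdb
    ADD FILE (NAME = N'tempdev2', FILENAME = N'F:\SQLData2\tempdev2.ndf',
              SIZE = 4096MB, FILEGROWTH = 512MB);
GO

-- Check: one row per file with its location and pre-sized size in MB
-- (size is stored in 8 KB pages, hence * 8 / 1024).
SELECT DB_NAME(database_id) AS db, name, physical_name, size * 8 / 1024 AS size_mb
FROM sys.master_files
WHERE DB_NAME(database_id) IN (N'WSS_Content_Portal', N'tempdb')
ORDER BY db, file_id;
```

A content database pre-created this way is then attached to the web application from Central Administration (or with the New-SPContentDatabase cmdlet) rather than letting SharePoint create it with a single auto-growing file.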
34. SQL Database Optimization
SQL Maintenance Plans
• Implement SQL Maintenance Plans!
• Include DBCC (Check Consistency) and either Reorganize Indexes or Rebuild Indexes, but not both!
• Add backups into the maintenance plan if they don’t exist already
• Be sure to truncate transaction logs with a T-SQL script (after full backups have run…)
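The four steps of that maintenance plan as one T-SQL script, so that the "reorganize or rebuild, not both" rule is enforced per index from its measured fragmentation. This is an added example, not a script from the original slides; the database name WSS_Content_Portal, the backup paths and the log size are assumptions.

```sql
-- Added example (not from the original slides): consistency check, index
-- maintenance, full backup and log handling for one SharePoint database.
-- Database name, paths and sizes are assumptions; schedule it in a SQL
-- Agent job or as the T-SQL task of a maintenance plan.
USE WSS_Content_Portal;
GO

-- 1. Consistency check (the "Check Database Integrity" task).
--    NO_INFOMSGS limits the output to actual problems.
DBCC CHECKDB (N'WSS_Content_Portal') WITH NO_INFOMSGS;

-- 2. Reorganize OR rebuild, decided per index from its fragmentation,
--    so no index is processed twice in one run.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'ALTER INDEX ' + QUOTENAME(i.name)
    + N' ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
    + CASE WHEN ps.avg_fragmentation_in_percent >= 30 THEN N' REBUILD;'
           ELSE N' REORGANIZE;' END + CHAR(10)
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN sys.indexes AS i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
JOIN sys.objects AS o ON o.object_id = i.object_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE ps.avg_fragmentation_in_percent > 5   -- below 5 % is not worth touching
  AND ps.page_count > 1000                  -- tiny indexes fragment harmlessly
  AND i.name IS NOT NULL;                    -- skip heaps (index_id 0)
EXEC sys.sp_executesql @sql;

-- 3. Full backup first ...
BACKUP DATABASE WSS_Content_Portal
    TO DISK = N'H:\SQLBackup\WSS_Content_Portal_Full.bak'
    WITH INIT, CHECKSUM;

-- 4. ... then the log. In the FULL recovery model a log backup is what
--    truncates the log (marks the inactive portion reusable); the old
--    BACKUP LOG ... WITH TRUNCATE_ONLY option no longer exists in SQL Server 2008+.
BACKUP LOG WSS_Content_Portal
    TO DISK = N'H:\SQLBackup\WSS_Content_Portal_Log.trn'
    WITH CHECKSUM;

-- Only if the log file has physically grown far past its working size:
-- shrink it back to 5 GB (an assumed value). Do not shrink on every run,
-- because the file just regrows and fragments the disk.
DBCC SHRINKFILE (N'WSS_Content_Portal_Log', 5120);
GO
```

The 5% / 30% thresholds are the usual starting points for reorganize versus rebuild; the point of computing them per index is that the two operations are never both applied to the same index in one pass.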
36. Comparison of High Availability and
Disaster Recovery Options
SQL Server Solution | Potential Data Loss (RPO) | Potential Recovery Time (RTO) | Automatic Failover | Additional Readable Copies
AlwaysOn Availability Groups – Synchronous (dual-phase commit, no data loss, can’t operate across WAN) | None | 5-7 seconds | Yes | 0-2
AlwaysOn Availability Groups – Asynchronous (latency tolerant, cross-WAN option, potential for data loss) | Seconds | Minutes | No | 0-4
AlwaysOn Failover Cluster Instance (FCI) – Traditional shared storage clustering | NA | 30 seconds to several minutes (depending on disk failover) | Yes | N/A
Database Mirroring – High-safety (Synchronous) | Zero | 5-10 seconds | Yes | N/A
Database Mirroring – High-performance (Asynchronous) | Seconds | Manually initiated, can be a few minutes if automated | No | N/A
SQL Log Shipping | Minutes | Manually initiated, can be a few minutes if automated, but typically hours | No | Not during a restore
Traditional Backup and Restore | Hours to days | Typically multiple hours, days, or weeks | No | Not during a restore
41. Five Layers of SharePoint Security
• Infrastructure Security and Best practices
• Data Security
• Transport Security
• Edge Security
• Rights Management
42. Sample List of Service Accounts
Service Account Name | Role of Service Account | Special Permissions
COMPANYABC\SRV-SP-Setup | SharePoint Installation Account | Local Admin on all SP Servers (for installs)
COMPANYABC\SRV-SP-SQL | SQL Service Account(s) – Should be separate admin accounts from SP accounts. | Local Admin on Database Server(s) (Generally; some exceptions apply)
COMPANYABC\SRV-SP-Farm | SharePoint Farm Account(s) – Can also be standard admin accounts. RBAC principles apply ideally. | N/A
COMPANYABC\SRV-SP-Search | Search Account | N/A
COMPANYABC\SRV-SP-Content | Default Content Access Account | Read rights to any external data sources to be crawled
COMPANYABC\SRV-SP-Prof | Default Profiles Access Account | Member of Domain Users (to be able to read attributes from users in the domain) and ‘Replicate Directory Changes’ rights in AD.
COMPANYABC\SRV-SP-AP-SPCA | Application Pool Identity account for SharePoint Central Admin. | DBCreator and Security Admin on SQL. Create and Modify contacts rights in the OU used for mail.
COMPANYABC\SRV-SP-AP-Data | Application Pool Identity account for the content-related App Pool (Portal, MySites, etc.) | N/A
Additional accounts as needed for security.
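The SQL side of the table above as T-SQL: the Central Admin application pool identity gets exactly the two server roles listed (dbcreator and securityadmin) and nothing more, followed by an audit query a reviewer can run to confirm that no service account has crept into sysadmin. This is an added example, not part of the original slides; the COMPANYABC domain and account names are taken from the table, everything else is an assumption.

```sql
-- Added example (not from the original slides): least-privilege SQL login
-- for the SharePoint Central Admin app pool identity from the table above,
-- plus an audit of the powerful server roles. Account names follow the
-- table's naming convention; no other values are from the slides.
USE master;
GO

-- Windows login for the app pool identity; SharePoint uses Windows auth,
-- so no SQL-authenticated login (and no stored password) is needed.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'COMPANYABC\SRV-SP-AP-SPCA')
    CREATE LOGIN [COMPANYABC\SRV-SP-AP-SPCA] FROM WINDOWS;
GO

-- Exactly the two roles the table assigns. sp_addsrvrolemember works on
-- SQL Server 2008 through 2012 (ALTER SERVER ROLE ... ADD MEMBER is 2012+ only).
EXEC sys.sp_addsrvrolemember @loginame = N'COMPANYABC\SRV-SP-AP-SPCA', @rolename = N'dbcreator';
EXEC sys.sp_addsrvrolemember @loginame = N'COMPANYABC\SRV-SP-AP-SPCA', @rolename = N'securityadmin';
GO

-- Audit: who holds sysadmin, securityadmin or dbcreator? Service accounts
-- should appear only with the roles the table gives them, and the SharePoint
-- accounts should never appear under sysadmin.
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin', N'dbcreator')
ORDER BY r.name, m.name;
```

securityadmin is itself a sensitive role (it can grant server-level permissions), so the audit query is worth scheduling rather than running once.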
43. Enable Kerberos
When creating any Web Applications, USE KERBEROS. It is much more secure and also faster under heavy load, as the SP server doesn’t have to keep sending authentication requests to AD.
Kerberos auth does require extra steps, which makes people shy away from it, but once configured, it improves security considerably and can improve performance on high-load sites.
Should also be configured on the SPCA Site! (Best Practice = Configure SPCA for NLB, SSL, and Kerberos, i.e. https://spca.companyabc.com)
44. Role Based Access Control (RBAC)
Role Groups defined within Active Directory (Universal Groups) – i.e. ‘Marketing,’ ‘Sales,’ ‘IT,’ etc.
Role Groups added directly into SharePoint ‘Access Groups’ such as ‘Contributors,’ ‘Authors,’ etc.
Simply by adding a user account into the associated Role Group, they gain access to whatever rights their role requires.
[Diagram: User1 and User2 → Role Group (AD) → SharePoint Group]
45. SQL Transparent Data Encryption (TDE)
SQL Server 2008, 2008 R2, 2012 Enterprise Edition feature
Encrypts SQL Databases transparently; SharePoint is unaware of the encryption and does not need a key
Encrypts the backups of the database as well
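Turning TDE on for one content database, as an added example that is not from the original slides. The database name WSS_Content_Portal, the certificate name, the passwords (placeholders) and the backup paths are assumptions. The step a practitioner most often gets wrong is backing up the certificate: because TDE encrypts the database backups too, a backup restored on a server that does not hold the certificate is unreadable.

```sql
-- Added example (not from the original slides): enable Transparent Data
-- Encryption on one SharePoint content database. Names, paths and the
-- password placeholders are assumptions.
USE master;
GO
-- 1. Database master key in master, protected by a password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong-password-placeholder>';

-- 2. Server certificate that will protect the database encryption key.
CREATE CERTIFICATE TDE_SharePoint_Cert WITH SUBJECT = N'SharePoint content DB TDE';

-- 3. Back up the certificate and its private key NOW and keep them apart
--    from the database backups: without this file no backup can be restored
--    on another server, which is exactly what a DR scenario needs.
BACKUP CERTIFICATE TDE_SharePoint_Cert
    TO FILE = N'H:\SQLKeys\TDE_SharePoint_Cert.cer'
    WITH PRIVATE KEY (FILE = N'H:\SQLKeys\TDE_SharePoint_Cert.pvk',
                      ENCRYPTION BY PASSWORD = N'<private-key-password-placeholder>');
GO

-- 4. Per-database encryption key, then switch encryption on. SharePoint
--    needs no change: pages are decrypted and encrypted in the engine.
USE WSS_Content_Portal;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_SharePoint_Cert;
ALTER DATABASE WSS_Content_Portal SET ENCRYPTION ON;
GO

-- 5. Check: encryption_state 2 = encryption in progress, 3 = encrypted.
--    tempdb appears as well, because enabling TDE on any user database
--    also encrypts tempdb for the whole instance.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

The background encryption scan (state 2) reads every page of the database, so enable TDE on a content database outside peak hours.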
46. Client to Server: Using Secure Sockets Layer (SSL) Encryption
External or Internal Certs highly recommended
Protects transport of content
20% overhead on Web Servers
Can be offloaded via SSL offloaders if needed
Don’t forget SPCA as well!
47. Server to Server: Using IPSec to encrypt traffic
By default, traffic between SharePoint Servers (i.e. Web and SQL) is unencrypted
IPSec encrypts all packets sent between servers in a farm
For very high security scenarios when all possible data breaches must be addressed
48. Forefront UAG (SSL/VPN) vs. Forefront TMG
Capability | TMG 2010 | UAG 2010
Publish Web applications using HTTPS | X | X
Publish internal mobile applications to roaming mobile devices | X | X
Layer 3 firewall | X | X*
Outbound scenarios support | X | X*
Array support | X | X
Globalization and administration console localization | X | X
Wizards and predefined settings to publish SharePoint sites and Exchange | X | X
Wizards and predefined settings to publish various applications | | X
Active Directory Federation Services (ADFS) support | | X
Rich authentication (for example, one-time password, forms-based, smart card) | X | X
Application protection (Web application firewall) | Basic | Full
Endpoint health detection | | X
Information leakage prevention | | X
Granular access policy | | X
Unified Portal | | X
49. Active Directory Rights Management Services (AD RMS)
AD RMS is a form of Digital Rights Management (DRM) technology, used in various forms to protect content
Used to restrict activities on files AFTER they have been accessed:
• Cut/Paste
• Print
• Save As…
Directly integrates with SharePoint DocLibs