
OFFICIAL MICROSOFT LEARNING PRODUCT

10174A
Configuring and Administering
Microsoft SharePoint 2010
Volume 1

Be sure to access the extended learning content on your Course Companion CD enclosed on the back
cover of the book.


Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2010 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at
http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx
are trademarks of the Microsoft group of companies.
All other marks are property of their respective owners.

Product Number: 10174A


Part Number: X17-12422
Released: 09/2010

MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION
Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the Licensed Content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft

• updates,
• supplements,
• Internet-based services, and
• support services

for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use
the Licensed Content.
If you comply with these license terms, you have the rights below.

1. DEFINITIONS.
a. "Academic Materials" means the printed or electronic documentation such as manuals,
workbooks, white papers, press releases, datasheets, and FAQs which may be included in the
Licensed Content.

b. "Authorized Learning Center(s)" means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.

c. "Authorized Training Session(s)" means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
"MOC") and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one
(1) Course.

d. "Course" means one of the courses using Licensed Content offered by an Authorized Learning
Center during an Authorized Training Session, each of which provides training on a particular
Microsoft technology subject matter.

e. "Device(s)" means a single computer, device, workstation, terminal, or other digital electronic or
analog device.

f. "Licensed Content" means the materials accompanying these license terms. The Licensed
Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student
Content, (iii) classroom setup guide, and (iv) Software. There are different and separate
components of the Licensed Content for each Course.

g. "Software" means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.

h. "Student(s)" means a student duly enrolled for an Authorized Training Session at your location.

i. "Student Content" means the learning materials accompanying these license terms that are for
use by Students and Trainers during an Authorized Training Session. Student Content may include
labs, simulations, and courseware files for a Course.

j. "Trainer(s)" means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer
and b) such other individual as authorized in writing by Microsoft and has been engaged by an
Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its
behalf.

k. "Trainer Content" means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.

l. "Virtual Hard Disks" means Microsoft Software that is comprised of virtualized hard disks (such as
a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered "Trainer Content".

m. "Virtual Machine" means a virtualized computing experience, created and accessed using
Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered "Trainer Content".

n. "you" means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.

2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and
electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center
location or per Trainer basis.

3. INSTALLATION AND USE RIGHTS.

a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:

i. either install individual copies of the relevant Licensed Content on classroom Devices only for
use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided
that the number of copies in use does not exceed the number of Students enrolled in and the
Trainer delivering the Authorized Training Session, OR

ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed
Content on such server does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session.

iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (ii) or (ii) above during such
Authorized Training Session in accordance with these license terms.

i. Separation of Components. The components of the Licensed Content are licensed as a single
unit. You may not separate the components and install them on different Devices.

ii. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.

b. Trainers:

i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.

ii. Trainers may also Use a copy of the Licensed Content as follows:

A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.

B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.

4. PRE-RELEASE VERSIONS. If this is a pre-release ("beta") version, in addition to the other provisions
in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not
contain the same information and/or work the way a final version of the Licensed Content will. We
may change it for the final, commercial version. We also may not release a commercial version.
You will clearly and conspicuously inform any Students who participate in each Authorized Training
Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with
any further content, including but not limited to the final released version of the Licensed Content
for the Course.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and
for any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft
software, Licensed Content, or service that includes the feedback. You will not give feedback that is
subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.

c. Confidential Information. The Licensed Content, including any viewer, user interface, features
and documentation that may be included with the Licensed Content, is confidential and proprietary
to Microsoft and its suppliers.

i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.

ii. Survival. Your duty to protect confidential information survives this agreement.

iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a
protective order or otherwise protect the information. Confidential information does not
include information that

• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to
Microsoft or its suppliers; or
• you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs
you is the end date for using the beta version, or (ii) the commercial release of the final release
version of the Licensed Content, whichever is first ("beta term").

e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released
version.

f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.

5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.

a. Authorized Learning Centers and Trainers:

i. Software.

ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.

A. If the Virtual Hard Disks and the labs are launched through the Microsoft
Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the
time indicated on the install of the Virtual Machines (between 30 and 500 days after you
install it). You will not receive notice before it stops running. You may not be able to
access data used or information saved with the Virtual Machines when it stops running and
may be forced to reset these Virtual Machines to their original state. You must remove the
Software from the Devices at the end of each Authorized Training Session and reinstall and
launch it prior to the beginning of the next Authorized Training Session.

B. If the Virtual Hard Disks require a product key to launch, then these terms
apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk.
Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized
Training Session, you will obtain from Microsoft a product key for the operating system
software for the Virtual Hard Disks and will activate such Software with Microsoft using such
product key.

C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:

• You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
• You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
• You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
• You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
• You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
• You may not modify the Virtual Machines and Virtual Hard Disks or any contents
thereof.
• You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.

ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.

iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip
art, animations, sounds, music, shapes, video clips and templates provided with the Licensed
Content solely in an Authorized Training Session. If Trainers have their own copy of the
Licensed Content, they may use Media Elements for their personal training use.

iv. Evaluation Software. Any Software that is included in the Student Content designated as
"Evaluation Software" may be used by Students solely for their personal training outside of the
Authorized Training Session.

b. Trainers Only:

i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree
or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.

ii. Use of Instructional Components in Trainer Content. For each Authorized Training
Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those
portions of the Licensed Content that are logically associated with instruction of the Authorized
Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer
agrees: (a) that any of these customizations or reproductions will only be used for providing an
Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.

iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials
and you may not print any book (either electronic or print version) in its entirety. If you
reproduce any Academic Materials, you agree that:

• The use of the Academic Materials will be only for your personal reference or training use
• You will not republish or post the Academic Materials on any network computer or
broadcast in any media;
• You will include the Academic Material's original copyright notice, or a copyright notice to
Microsoft's benefit in the format provided below:

Form of Notice:
© 2010 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.

6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else's use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.

7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allow you to use it in certain ways. You may not

• install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsoft's prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent
that applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
• publish the Licensed Content for others to copy;
• transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.

Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.

8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply
to the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.

9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed
Content marked as NFR or Not for Resale.

10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as
Academic Edition or AE. If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.

11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of these license terms. In the event your status as an
Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is
terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this
agreement, you must destroy all copies of the Licensed Content and all of its component parts.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based
services and support services that you use, are the entire agreement for the Licensed
Content and support services.

13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.

16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to

• anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.
Note: As this licensed content is distributed in Quebec, Canada, some of the clauses
in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered "as is". Any
use of this licensed content is at your sole risk. Microsoft gives no other
express warranty. You may have additional rights under local consumer protection
law, which this agreement cannot change. Where permitted by local law, the implied
warranties of merchantability, fitness for a particular purpose and non-infringement are
excluded.
LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR
DAMAGES. You can obtain from Microsoft and its suppliers compensation for
direct damages only, up to US $5.00. You cannot claim any compensation
for other damages, including special, indirect or incidental damages and lost
profits.
This limitation applies to:

• anything related to the licensed content, services or content (including code)
on third-party Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability,
negligence or other fault, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of such
damage. If your country does not allow the exclusion or limitation of liability for indirect,
incidental or other damages of any kind, the above limitation or exclusion may not
apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights
under the laws of your country. This agreement does not change your rights under the laws of
your country if those laws do not permit it to do so.

Welcome!
Thank you for taking our training! We've worked together with our Microsoft Certified Partners
for Learning Solutions and our Microsoft IT Academies to bring you a world-class learning
experience, whether you're a professional looking to advance your skills or a
student preparing for a career in IT.

• Microsoft Certified Trainers and Instructors: Your instructor is a technical and
instructional expert who meets ongoing certification requirements. And, if instructors
are delivering training at one of our Certified Partners for Learning Solutions, they are
also evaluated throughout the year by students and by Microsoft.

• Certification Exam Benefits: After training, consider taking a Microsoft Certification
exam. Microsoft Certifications validate your skills on Microsoft technologies and can help
differentiate you when finding a job or boosting your career. In fact, independent
research by IDC concluded that 75% of managers believe certifications are important to
team performance [1]. Ask your instructor about Microsoft Certification exam promotions
and discounts that may be available to you.

• Customer Satisfaction Guarantee: Our Certified Partners for Learning Solutions offer
a satisfaction guarantee and we hold them accountable for it. At the end of class, please
complete an evaluation of today's experience. We value your feedback!

We wish you a great learning experience and ongoing success in your career!

Sincerely,
Microsoft Learning
www.microsoft.com/learning

[1] IDC, Value of Certification: Team Certification and Organizational Performance, November 2006


Acknowledgment
Microsoft Learning would like to acknowledge and thank the following persons for
their contributions towards developing this title. Their efforts at various stages in
the development have ensured that you have a good classroom experience.

Dan Holmes - Subject Matter Expert

A graduate of Yale University and Thunderbird, Dan has spent 15 years as a
consultant and trainer, delivering solutions to tens of thousands of IT professionals
from the most prestigious organizations and corporations around the world. Dan's
company, Intelliem, is a boutique consulting and training firm with a Fortune-caliber
clientele. He has deep expertise and experience in Microsoft Windows,
Active Directory, and SharePoint. From his base in beautiful Maui, Dan travels
around the globe supporting customers and delivering Microsoft technologies
training. Dan is also a contributing editor for Windows IT Pro and SharePoint Pro
Connections magazines, a Microsoft MVP (Windows Server Directory Services,
2007, and SharePoint Server, 2008-2010), and the community lead of
SharePointProConnections.com. Dan's most recent two books with Microsoft, the
Windows Administration Resource Kit and the training kit for the 70-640 MCTS
exam, are at the top of the bestseller list of Windows books. He recently returned
from Vancouver where he built SharePoint solutions to support the broadcast of
the 2010 winter Olympics as the Microsoft Technologies Consultant for NBC
Olympics, a role he played last year in Beijing and previously in Torino.

Chris Givens - Subject Matter Expert

Chris Givens is the CEO of Architecting Connected Systems (ACS), a courseware
development company focused on advanced development topics. ACS's credits
include the top selling worldwide development course in SharePoint 2007. Chris'
past experiences include Microsoft, Avanade, several technology startups in the
Seattle area and a 5-year career at IBM. Chris grew up in Oklahoma and is a
computer science graduate of the University of Tulsa in Tulsa, Oklahoma.


Enrique Lima - Subject Matter Expert

Enrique Lima, a proud member of the MCT Community, has over 18 years of
experience in training, application development, database development and
management, IT solutions architecture, and project management. In his role as a
solutions architect at Apparatus, Enrique focuses on providing quality, informative,
and engaging solutions and service to clients. As a speaker and presenter, he brings
in the lessons learned from the field to provide guidance in how to best leverage
the tools clients will be using and exploring as they move forward with their
Microsoft SharePoint technologies and supporting tools. Enrique has been
involved in architecting and developing solutions that leverage the integration of
SharePoint technologies, BizTalk, Commerce Server, and Content Management
Server with other Microsoft and non-Microsoft platforms.

John Ferringer - Subject Matter Expert

John Ferringer is a solutions architect with Apparatus, Inc. He has more than six
years of experience administering and supporting SharePoint technologies and
more than twelve years working in the technology consulting industry. John is
certified as an MCTS on several platforms, including Windows Server 2008,
SharePoint 2007, System Center Operations Manager 2007, and Project Server
2007. He has co-authored the SharePoint 2007 Disaster Recovery Guide and is hard
at work on the forthcoming SharePoint 2010 Disaster Recovery Guide
(http://tinyurl.com/spdr2010book). You can find him at his blog at
MyCentralAdmin.com (http://www.MyCentralAdmin.com) and on Twitter at
@Ferringer (http://twitter.com/ferringer).

Ryan Powell, Subject Matter Expert


Ryan Powell is an infrastructure specialist with Apparatus, Inc. He has been
administering SharePoint technologies since the very first release in 2001 and has
more than eight years' experience in technology consulting. Ryan is certified as an
MCITP/MCTS in both SharePoint 2010 and SharePoint 2007. You can find him on
Twitter at @ryanpowell20 (http://twitter.com/ryanpowell20).

Jason Medero, Technical Reviewer


Jason Medero, MCP, MCT, MCTS, MVP (WSS) is a systems architect with a
concentration in SharePoint Products and Technologies and its related Microsoft
technologies. Jason has been working with SharePoint Products and Technologies
exclusively since 2003 and has presented at major conferences across the United
States. His concentration within SharePoint is mainly on the infrastructure and
architecture side. He also has in-depth experience performing large scale
upgrade/migration efforts. He is currently co-authoring his third SharePoint book
in which he will be writing about upgrading from SharePoint 2007 to SharePoint
2010. He is an active member of the SharePoint Users Group in New Jersey/New
York City where he sits on the speaker selection committee. He speaks frequently
at SharePoint events across the country. He also contributes his SharePoint
knowledge as a mentor for several popular forums, such as TechNet and Yahoo
groups.

Contents

Module 1: Introducing SharePoint 2010
Lesson 1: Evaluating the Features of SharePoint 2010
Lesson 2: Preparing for SharePoint 2010
Lesson 3: Installing SharePoint 2010
Lesson 4: Advanced Installation of SharePoint 2010
Lab: Installing SharePoint 2010

Module 2: Creating a SharePoint 2010 Intranet
Lesson 1: Perform Initial Farm Configuration
Lesson 2: Configuring the SharePoint Logical Structure
Lesson 3: Exploring the SharePoint Web Application and Physical Architecture
Lab: Creating a SharePoint 2010 Intranet

Module 3: Administering and Automating SharePoint
Lesson 1: Configuring Central Administration
Lesson 2: Administering SharePoint from the Command Line
Lesson 3: Automating SharePoint Operations with Windows PowerShell
Lab A: Automating SharePoint with Windows PowerShell
Lab B: Administering SharePoint with Stsadm

Module 4: Configuring Content Management
Lesson 1: Optimizing Content Storage and Access
Lab A: Configuring List Throttling and Remote BLOB Storage
Lesson 2: Managing Site Content Types and Site Columns
Lesson 3: Configuring the Managed Metadata Service
Lab B: Configuring Managed Metadata

Module 5: Configuring Authentication
Lesson 1: Understanding Classic SharePoint Authentication Providers
Lesson 2: Understanding Federated Authentication
Lab A: Configuring Custom Authentication
Lab B: Configuring Secure Store

Module 6: Securing Content
Lesson 1: Administering SharePoint Groups
Lesson 2: Implementing SharePoint Roles and Role Assignments
Lesson 3: Securing and Auditing SharePoint Content
Lab: Configuring Security for SharePoint Content

Module 7: Managing SharePoint Customizations
Lesson 1: Customizing Microsoft SharePoint
Lesson 2: Deploying and Managing Features and Solutions
Lesson 3: Configuring Sandboxed Solutions
Lab A: Administering Features and Solutions
Lab B: Administering Sandboxed Solutions
Lab C: Administering the Developer Dashboard

Appendix: Lab Answer Keys
Module 1 Lab: Installing SharePoint 2010
Module 2 Lab: Creating a SharePoint 2010 Intranet
Module 3 Lab A: Automating SharePoint with Windows PowerShell
Module 3 Lab B: Administering SharePoint with Stsadm
Module 4 Lab A: Configuring List Throttling and Remote BLOB Storage
Module 4 Lab B: Configuring Managed Metadata
Module 5 Lab A: Configuring Custom Authentication
Module 5 Lab B: Configuring Secure Store
Module 6 Lab: Configuring Security for SharePoint Content
Module 7 Lab A: Administering Features and Solutions
Module 7 Lab B: Administering Sandboxed Solutions
Module 7 Lab C: Administering the Developer Dashboard

About This Course

This section provides you with a brief description of the course, audience,
suggested prerequisites, and course objectives.

Course Description
This five-day instructor-led course teaches students how to install, configure, and
administer Microsoft SharePoint and also how to manage and monitor sites and
users by using Microsoft SharePoint 2010.

Audience
This course is intended for IT professionals who are experienced Windows Server
2003 or 2008 administrators and are interested in learning how to administer
SharePoint 2010. The course is also intended for part-time Business Application
Administrators (BAAs) who are engaged in administering Line of Business (LOB)
applications in conjunction with internal business customers.

Student Prerequisites
In addition to their professional experience, students who attend this training
should have experience:

Administering Active Directory by creating and managing user and group
accounts, delegation of administration, and configuring Group Policy

Administering network infrastructure: DNS and TCP/IP connectivity

General conceptual awareness of Microsoft .NET Framework as it relates to
SharePoint 2010

Administering Microsoft SQL Server 2005 or 2008 through creating logons,
assigning roles and using Microsoft SQL Server Management Studio

One year's experience using Windows PowerShell cmdlets

General security and authentication practices

Course Objectives
After completing this course, students will be able to:

Prepare for and install SharePoint 2010.

Configure the fundamental service and logical components of a SharePoint
implementation.

Administer SharePoint using the user interface, the command line, and
Windows PowerShell.

Manage content in Lists and Libraries.

Administer identities and authentication.

Secure content in SharePoint sites.

Manage customizations to a SharePoint implementation.

Configure SharePoint services and applications.

Configure SharePoint social networking features.

Manage SharePoint Search.

Configure farms, servers, service applications, and Web applications.

Install, upgrade, configure, and operate a SharePoint farm.

Configure high availability and recoverability.

Monitor and optimize SharePoint performance.

Course Outline
This section provides an outline of the course:
Module 1, "Introducing SharePoint 2010," enables students to prepare for and
install the first server in a SharePoint 2010 farm.
Module 2, "Creating a SharePoint 2010 Intranet," shows students how to
configure and administer the fundamental components of a SharePoint farm,
including its configuration, logical structure, user-facing features, and underlying
engine.
Module 3, "Administering and Automating SharePoint," covers how to apply the
full range of options for administering and automating SharePoint: Central
Administration, STSADM, and PowerShell. The module also introduces students to
the logs.
Module 4, "Configuring Content Management," explains to students how to
manage content (lists, libraries, items and documents).
Module 5, "Configuring Authentication," describes the process of how to
administer authentication to SharePoint Web applications.
Module 6, "Securing Content," details how to manage security of SharePoint
content within a Web application.
Module 7, "Managing SharePoint Customizations," enables students to manage
customizations to the SharePoint environment.
Module 8, "Configuring and Securing SharePoint Services and Applications,"
shows students how to manage the SharePoint service as a whole, as well as
individual services and service applications.
Module 9, "User Profiles and Social Networking," describes how to manage user
profiles, My Sites, and social content.
Module 10, "Administering and Configuring SharePoint Search," discusses how to
administer and configure SharePoint Search.
Module 11, "Implementing Office Web Apps," enables students to configure
specific service applications.
Module 12, "Installing and Upgrading to SharePoint 2010," teaches students how
to install and upgrade to SharePoint 2010 in a variety of scenarios, and to keep
SharePoint 2010 current.
Module 13, "Implementing Business Continuity," enables students to configure
business continuity for SharePoint.
Module 14, "Monitoring and Optimizing SharePoint Performance," shows
students how to monitor SharePoint performance, health, and usage, and to
identify and remediate performance and health problems.

Course Materials
The following materials are included with your kit:

Course Handbook. A succinct classroom learning guide that provides all the
critical technical information in a crisp, tightly-focused format, which is just
right for an effective in-class learning experience.

Lessons. Guides you through the learning objectives, and provides the key
points that are critical to the success of the in-class learning experience.

Labs. Provides a real-world, hands-on platform for you to apply the knowledge
and skills learned in the module.

Lab Answer Keys. Provides step-by-step lab solution guidance at your
fingertips, when it is needed.

Course CD. Provides additional resources pertaining to this course.

Resources. Includes well-categorized additional resources that give you
immediate access to the most up-to-date premium content on Microsoft
TechNet, MSDN, and Microsoft Press.

Lab Answer Keys. Includes answer keys in digital form to use during lab time.

Virtual Machine Build Guide. Provides the step-by-step information needed
to recreate the Virtual Machine/Server images with appropriate configuration.

Send Us Your Feedback Instructions. Provides you with an opportunity to
send feedback on all aspects of the course.

Student Course Files. Includes the Allfiles.exe, a self-extracting executable file
that contains all the files required for the labs and demonstrations.

Note: To open the Web page, insert the Course CD into the CD-ROM drive, and
then in the root directory of the CD, double-click StartCD.exe.

Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.

To provide additional comments or feedback on the course, send email to
support@mscourseware.com. To inquire about the Microsoft Certification
Program, send email to mcphelp@microsoft.com.

Virtual Machine Environment


This section provides the information for setting up the classroom environment to
support the business scenario of the course.

Virtual Machine Configuration


In this course, you will use Microsoft Hyper-V to perform the labs.
The following table shows the role of each virtual machine used in this course.

Virtual Machine             Role
10174A-CONTOSO-DC-A         Domain controller in the Contoso domain
10174A-CONTOSO-DC-B         Domain controller in the Contoso domain
10174A-CONTOSO-DC-C         Domain controller in the Contoso domain
10174A-CONTOSO-DC-D         Domain controller in the Contoso domain
10174A-CONTOSO-DC-E         Domain controller in the Contoso domain
10174A-CONTOSO-DC-F         Domain controller in the Contoso domain
10174A-CONTOSO-DC-FINAL     Domain controller in the Contoso domain
10174A-SP2007-WFE1-F        SharePoint 2007 Server
10174A-SP2007-WFE1-G        SharePoint 2007 Server
10174A-SP2010-WFE1-A        SharePoint 2010 Server
10174A-SP2010-WFE1-B        SharePoint 2010 Server
10174A-SP2010-WFE1-C        SharePoint 2010 Server
10174A-SP2010-WFE1-D        SharePoint 2010 Server
10174A-SP2010-WFE1-E        SharePoint 2010 Server
10174A-SP2010-WFE1-FINAL    SharePoint 2010 Server

Software Configuration
The following software is installed on the virtual machines:

Windows Server 2008 R2

Microsoft SharePoint 2010

Microsoft Office SharePoint Server 2007

Microsoft Office 2010

Microsoft SQL Server 2008 R2

Course Files
There are files associated with the labs in this course. The lab files are located on
the student computers.

Classroom Setup
Each classroom computer will have the same virtual machine configured in the
same way.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a
minimum equipment configuration for trainer and student computers in all
Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which
Official Microsoft Learning Product courseware is taught.

Module 1
Introducing SharePoint 2010
Contents:
Lesson 1: Evaluating the Features of SharePoint 2010
Lesson 2: Preparing for SharePoint 2010
Lesson 3: Installing SharePoint 2010
Lesson 4: Advanced Installation of SharePoint 2010
Lab: Installing SharePoint 2010

Module Overview

Microsoft SharePoint 2010, the collection of products and technologies that
includes SharePoint Server 2010 and SharePoint Foundation 2010, offers a broad
range of functionality that addresses a vast number of business collaboration
scenarios. The SharePoint platform sits on, and depends on, a number of other
Microsoft products and technologies.
In this module, you explore the role of SharePoint 2010 in delivering business
collaboration solutions in the enterprise and on the Internet. You then learn what
it takes to get SharePoint up and running, from preparing your infrastructure, to
configuring related technologies and products, to deploying SharePoint servers
and farms using both out of box installation wizards and scripts.

Lesson 1

Evaluating the Features of SharePoint 2010

SharePoint 2010 is the business collaboration platform for the enterprise and the
Internet. Behind this simple value proposition is a complex and powerful platform
that delivers rich functionality to address a vast range of business needs. In this
lesson, you learn just how much technology is wrapped up by those 13 words, and
you dissect the technical capabilities and features that are driving enterprises
around the world to adopt SharePoint 2010.
After completing this lesson, you will be able to:

Describe the value proposition of SharePoint 2010.

Describe the SharePoint 2010 platform.

Describe the key SharePoint products and technologies.

Describe the key SharePoint capabilities, such as sites, communities, content,
search, insights, and composites.

The Value Proposition of SharePoint 2010

The value proposition for SharePoint is, "SharePoint is the business collaboration
platform for the enterprise and the Internet." Microsoft invested heavily in the
development of SharePoint Server 2010 to deliver features that enable an
enterprise to do the following:

Deliver the best productivity experience. The end-user experience of
SharePoint Server 2010 builds on familiar user interfaces and tools.

Cut costs with a unified infrastructure. SharePoint 2010 performs roles that
have been, in many enterprises, provided by other disparate systems. Now
those roles can be consolidated on to SharePoint 2010.

Rapidly respond to business needs. SharePoint 2010 provides a diverse
feature set addressing many business collaboration scenarios, with out of box
functionality, a rich collection of community-generated solutions, and
extensibility to support custom solutions.

Microsoft describes SharePoint 2010 as a series of benefits and features that
support those benefits. Features are grouped into categories called capabilities that
deliver solutions to related business scenarios.

The SharePoint Platform

SharePoint is a platform that itself extends and depends on many components of
the broader Microsoft technologies suite.
This visualization of the platform shows the dependencies, both required and
available, between components of the technology stack. Each component of the
platform contributes specific features and functionality.

Windows Server 2008 or Windows Server 2008 R2 provides the core
operating system functionality, including the security subsystem.

The Microsoft .NET Framework provides the framework for SharePoint, which
is a .NET application running within Internet Information Services (IIS).

SharePoint Foundation 2010 delivers fundamental SharePoint functionality
including service management, security, integration with Microsoft Office
client applications, and core collaborative features such as lists and libraries.

SharePoint Server 2010 builds on SharePoint Foundation, adding social
networking, enterprise search, business intelligence, and other features.
The features provided by SharePoint Foundation 2010 and SharePoint Server
2010 are detailed later in this module.

SharePoint uses identity services that can include the Active Directory
directory service or other Claims-based authentication providers. Some of
these identity services, such as forms-based authentication, rely on the .NET
Framework.

SharePoint content is stored in Microsoft SQL Server.

SharePoint is a highly extensible platform. Independent software vendors
(ISVs), the community, customers, and Microsoft itself deliver solutions that
depend on SharePoint Foundation or SharePoint Server.

SharePoint Products and Technologies

There is a wide array of products and technologies that make up SharePoint.
SharePoint products and technologies include the following:

SharePoint Foundation 2010.

SharePoint Server 2010 for Intranet Scenarios, which is licensed with Standard
or Enterprise features. The features provided by SharePoint Foundation 2010
and SharePoint Server 2010 are detailed later in this module.

SharePoint Server 2010 for Internet Sites, which is licensed for access by large
numbers of users and by nonauthenticated users.

Office Web Apps, which are discussed in Module 11, "Implementing Office
Web Apps."

FAST Search for SharePoint 2010.

FAST Search for SharePoint 2010 for Internet Sites, which is licensed for
access by large numbers of users and by nonauthenticated users.

Search Server 2010 and Search Server Express 2010, which provide the search
functionality of SharePoint Server.

Additionally, a vast selection of community-generated solutions and applications
by ISVs extends the capabilities and feature set of SharePoint 2010.
It is important that you understand your business requirements so that you can
choose the best mix of products and technologies.

Sites

The sites capability includes functionality that delivers and personalizes content to
users, provides manageability and scalability to administrators, enables developers
to customize and extend SharePoint, and allows an enterprise to implement
SharePoint along with other solutions or to consolidate the functionality provided
by disparate collaboration solutions into SharePoint.

Content Delivery
The sites capability offers the following components, features, and functionality to
deliver content to users:

Core content structures

Web applications, site collections, sites, lists, libraries

Services to render content

Multiple browsers

Mobile browsers

Accessibility standards (WCAG 2.0)

Rich Web experience

Ribbon user interface (UI): Familiar Office UI

Web Edit: Rich content editing

Interfaces for rich and offline client experiences

Office client applications

SharePoint Workspace

Office Web Applications

Following are some important points related to content delivery:

SharePoint Foundation 2010 delivers the core functionality of SharePoint and
provides most of the features in the sites capability.

Content structures such as Web applications, site collections, and sites are
discussed in Module 2, "Creating a SharePoint 2010 Intranet."

SharePoint 2010 features significantly expanded browser support, which is
detailed in Lesson 2 of this module. Additionally, you can access content
using mobile browsers.

SharePoint is compliant with WCAG 2.0 accessibility standards out of the box.

A number of components, services, features, and interfaces of SharePoint are
designed to deliver a unified, efficient, and familiar experience to end users.

SharePoint 2010 offers a variety of modalities through which users can interact
with content, including Office client integration, SharePoint Workspace and
other applications that provide offline access to SharePoint, and Office Web
Apps, which enable browser-based viewing, editing, and coauthoring of
documents.

Question: What important business objectives do the content delivery capabilities
in the sites capability (its components, features, and the many ways it gives you to
interact with content) support?

Content Personalization
The sites capability offers the following components, features, and functionality to
support personalizing the delivery of content:

Features that personalize the user's experience with content

My Sites

User tagging

Content targeting

Multilingual support

Following are some important points related to content personalization:

One user may not need, want, or be allowed to see the same content that
another user sees. The SharePoint sites capability delivers functionality to
individualize, that is, to personalize, the user experience.

My Site is a user's individual Web page, exposing that user's profile, shared
information and documents, expertise, organizational relationships, and social
activities to other users. Additionally, a user's My Site can provide a
personalized navigation and view of enterprise resources.

User tagging is an important new functionality of SharePoint 2010.
Documents, lists, libraries, sites, and users can be tagged. These tags can then
be used to associate a user with content that is of interest to that person.

Content targeting is the ability of an administrator to push content to one or
more users based on those users' shared characteristics, including their group
membership.

SharePoint provides multilingual support. SharePoint can support content,
services, and tags in a wide range of languages. A site can be rendered in a
particular language to a user in that user's language and can be switched to
another language on the fly.

Manageability and Scalability


The sites capability offers the following components, features, and functionality to
ensure scalable, manageable deployment in an enterprise:

Central management

Governance, security, and compliance at multiple levels of every feature

Operations management

Deploy, secure, configure, backup, monitor, audit, and update.

Central Administration (UI) and Windows PowerShell support

Tools and guidance

Enterprise scalability, manageability, and availability

Capacity

Topology

Performance

High availability

SharePoint is centrally managed using the Central Administration site and
Windows PowerShell. It supports governance, security, and compliance at multiple
levels, for almost every feature.
SharePoint Server 2010 provides greater scalability, manageability, and availability.

Customization and Extensibility


The sites capability offers the following components, features, and functionality to
enable an organization to customize and extend SharePoint:

Theming and branding

Out of the box solutions, templates, and Web Parts

Custom solutions: From no-code to Microsoft Visual Studio

Workflow, SharePoint Designer, InfoPath Services, Microsoft Visio Services,
Microsoft Excel Services, Microsoft Access Services

Microsoft .NET, Microsoft Silverlight

Business Connectivity Services: Interact with line-of-business data

SharePoint and client object models

Web services, application programming interfaces (APIs; SharePoint and client
object models), REST

ISV and community solutions

Codeplex: http://www.codeplex.com

Manageability: Constrain, debug, manage application life cycle

Following are some important points related to customization and extensibility:

Themes and branding features support customizing the look and feel of
SharePoint sites.

You can deliver rich functional solutions using out of the box solutions,
templates, and Web Parts.

SharePoint is a platform on which you can easily create and deploy solutions
from simple, no-code solutions to more complex solutions developed with
Visual Studio.

SharePoint provides ways to interact with line-of-business applications and
data sources. One of the most important data connection and interoperability
features is Business Connectivity Services.

There is a vast ecosystem of community and ISVs who support and extend
SharePoint.

With SharePoint, an enterprise can govern and manage code customizations
and extensions.

Interoperability and Platform Consolidation


The sites capability offers the following components, features, and functionality to
support a variety of relationships with other systems in an enterprise:

Interoperability

Platform consolidation

Replace point solutions

Integrated capabilities: One platform for intranet, extranet, and Internet

SharePoint provides a unified infrastructure that delivers a broad range of
functionality that might take several tools from other vendors to deliver, at which
point you have to know how to integrate them. This infrastructure gives you a way
to deploy, secure, manage, maintain, back up, and monitor operations.
Question: What are the business outcomes supported by interoperability?
Question: What are the business outcomes supported by platform consolidation?

Additional Reading

Microsoft SharePoint 2010 Sites (SP2010_Sites_Datasheet.pdf) at
http://go.microsoft.com/fwlink/?LinkID=197249&clcid=0x409.

Communities

The communities capability encompasses much of what people think of as business
collaboration.

Enterprise Collaboration
The communities capability offers the following components, features, and
functionality to enable collaboration between users:

Lists

Fundamental construct in which content is stored

Out of box lists: Calendar, contacts, tasks, announcements, surveys

Libraries

Fundamental construct in which documents are stored

Version control, check in, check out, document workflows

Alerts and Really Simple Syndication (RSS)

Business process automation: Workflows

Out of box workflows

Document routing

SharePoint Designer 2010

SharePoint Foundation delivers much of the out of box enterprise collaboration
functionality that makes up the communities capability.

Identity and Profile


The communities capability offers the following components, features, and
functionality to define a user and the user profile:

My Sites

User profiles

Active Directory and other sources

Attributes: Biography, job title, location, contact information, previous projects,
interests, skills

Photos, presence, and contact card

Organizational relationships

Manager, teams, colleagues (Add a Colleague)

Expertise: Assigned or professed (Ask Me About)

Social data mining

SharePoint teams

Office Communicator contacts

E-mail communication patterns and content

Colleague and keyword suggestion


Following are some important points related to identity and profiles:

My Sites are the social networking hub for interacting with individuals in an
organization, designed to help build relationships between users and to
connect people in an organization.

User profiles are a collection of attributes that can be synchronized with Active
Directory and other sources. Users can also define their own attributes. A
user's My Site exposes the user's profile, and SharePoint enables the
organization and the individual to manage the visibility of profile attributes to
various audiences.

User photos, presence, and contact information are displayed throughout the
SharePoint UI.

Relationships are defined by authoritative sources, such as Active Directory, by
user membership in teams, and by users who can add their own colleagues.

Expertise can be defined centrally and by the user through the Ask Me About
section of their profile.

SharePoint can discover and suggest areas of expertise by mining the user's
memberships, contacts, e-mail communication patterns, and e-mail content.

Through such mining activities, SharePoint can suggest keywords and
colleagues to help users refine their profile.

User-Generated Content and User Feedback


The communities capability offers the following components, features, and
functionality so that users can generate unstructured content and provide feedback
regarding content of any type:

User-generated content

Blogs, wikis (with rich media), discussions, podcasting, videos

Status update My Network feed

Activity Recent Activities feed

User feedback

Share & Track tab on the ribbon

Tags

Social/content tagging and expertise tagging

Tag cloud control

Tag profiles: Communities of interest around a tag

Ratings

Note board: Comments and questions

Social bookmarking

Following are some important points related to user-generated content and user
feedback:

User-generated content typically refers to less-structured forms of content,
including blogs, wikis, and discussion forums. It also refers to microblogging
activities such as when users update their status or even simply author a
document.

User feedback encompasses activities and channels through which users give
input on content. User feedback information can help users discover and
make use of content based on what others think of the content.

The note board is similar to the wall in Facebook. A user's My Site has a note
board, but any site, library, list, or document can also have a note board.

Social bookmarking is a way to share favorite sites with a community of users
and to discover new sites and resources from colleagues with similar interests.
It replaces the My Links feature in SharePoint 2007.

Business Communities
By combining the power of collaborative capabilities with social computing
technologies, SharePoint enables an organization to achieve the goals of both the
customer (user base) and manager (IT) of the technology.

Manageability and Extensibility


The communities capability offers the following components, features, and
functionality to enable an organization to manage and extend SharePoint:

Security, privacy, and compliance

Centralized configuration and management of business policies

Monitoring, auditing, and reporting

Balance governance with empowerment

Extensibility
Enterprise social networking with SharePoint is manageable, secure, and
compliant.


Content

A fundamental output of users and business collaboration activities is content. The
content capability delivers functionality that supports the management of content
throughout its life cycle. SharePoint interoperates with or replaces other content
management systems.

Support for Content and Interaction with Content


The content capability offers the following components, features, and functionality
to support a tremendous range of content and a diverse set of modalities with
which to interact with content.

Support for a tremendous range of content

Documents

Records


Web content

Rich media: Audio, video

Interaction with content

Viewing

Editing

Coauthoring

Output (Word Automation)

Following are some important points related to support for content and interaction
with content:

Users can store just about any type of content in SharePoint, including content
that has been traditionally stored in distinct systems.

SharePoint provides numerous modalities in which users can interact with
content, including viewing (in the browser or in client applications), output,
editing, and even concurrent coauthoring, with the Office Web Apps.

Question: What business outcomes does SharePoint's support for a variety of
content types and modalities of interaction with the content facilitate?

Document and Records Management


The content capability offers the following components, features, and functionality
to enable an enterprise to manage documents and records:

Content Organizer: Document routing

Unique document IDs and permalinks

Document sets

In-place records management

Cross-farm content policy and rules

Access, information rights

Retention, legal holds, disposition

Location-based policy

Automatic application of metadata

Following are some important points related to document and records
management:

Document and records management features are integrated into every site.

You can specify document routing rules that allow documents to be dropped
into a library and then automatically moved to the appropriate library based
on metadata and business logic.

You can create document sets, which are collections of documents that can be
treated as a unit, with a collective version history and metadata that applies to
the collection.

You can specify metadata, retention schedules, record declarations, and legal
holds and apply them consistently. SharePoint provides for multistage
disposition of documents. Policies can be location-based.

SharePoint can automatically apply metadata based on a document's location
and other business logic.

Question: What are the business outcomes supported by SharePoint's support for
a variety of content types and modalities of interaction with the content?

Definition of Content and Metadata


The content capability offers the following components, features, and functionality
to define content and metadata, and thereby to create and manage content:

Structured and unstructured content

Blogs, wikis, discussion forums

Defined content types with metadata, workflows, templates, and rights
management


Managed Metadata Service

Tags: Taxonomy & folksonomy

Multilingual metadata

Enterprise content types

Use of metadata

Tagging content: Manual and automatic

Visibility of tags: Item, site, client

Metadata-driven navigation

Search refiners

Following are some important points related to definition of content and metadata:

SharePoint supports content that is unstructured and free-form, such as blogs,
wikis, and discussion forums, as well as highly structured content and
everything in between.

The Managed Metadata Service (MMS), new in SharePoint 2010, provides a
central repository and management capability for what are generally called
tags. Tags are arranged in a hierarchical structure that can be delegated to
appropriate business owners. Tags can be centrally driven (taxonomy) or user
submitted (folksonomy) or both, and tags are enabled for multiple languages.

The MMS also deploys content types across sites, site collections, Web
applications, and farms so that an enterprise can maintain better control over
the definition of and metadata associated with content, as well as information
management policies for that content.

You can use metadata (tags) in numerous ways, and SharePoint 2010 provides
a variety of methods with which to tag content and view tags. You can even
have tags applied to content automatically, based on the item's location or
other rules. Additionally, you can use metadata to create dynamic navigation
and to provide search refiners.


Manageability and Extensibility


The content capability offers the following components, features, and functionality
to enable an organization to manage and extend SharePoint:

Manageability

Deploy across sites, site collections, Web applications, and farms

Secure, configure, and audit use of metadata

Remote binary large object (BLOB) storage

Integrate with other systems and legacy repositories

Open, highly documented, extensible platform

Support for interoperability standards

XML, SOAP, RSS, REST, WebDAV, and WSRP

Some important points related to manageability and extensibility of the content
capability are as follows:

The MMS and other services related to the content capability are manageable
and governable across your entire enterprise.

SharePoint can store content in remote systems, including the file system,
using remote BLOB storage.

SharePoint is a platform that you can extend in numerous ways, and it
supports many interoperability standards.

Question: What are the business outcomes supported by extensibility and
interoperability in the content capability?

Additional Reading

Microsoft SharePoint Server Content (SP2010_Content_Datasheet.pdf) at
http://go.microsoft.com/fwlink/?LinkID=197250&clcid=0x409.


Search

Users can browse SharePoint's content structures (sites, lists, and libraries) for
content, but of course searching is often a more effective means of locating content.
The search capability is self-explanatory and is detailed in Module 11.

People and Expertise Search


The search capability offers the following components, features, and functionality
to search for people and expertise:

Unlock knowledge not found in documents

Communications

Behaviors

Relationships

Organization chart browser


Search

Nickname and phonetic matching

Recently authored content

People- and expertise-specific refinement

Responsibilities, memberships, past projects, interests

Following are some important points related to people and expertise search:

You can connect with people and expertise by using search skills, tools, and
experiences that you typically apply to searching for content.

With people and expertise search, you can unlock the knowledge that is not
stored in traditional content and the value that is found in people-to-people
connections and social behavior.

SharePoint 2010 features an organization browser that exposes a visual,
navigable view of organizational relationships.

In addition to looking for people and expertise, you can use people and
expertise metadata to improve the relevance and refine the results of
traditional content searches.

Content Sources, Indexing, and Query


The search capability offers the following components, features, and functionality
to make content available for effective and efficient searching:

Content sources and indexing

Support for 400+ structured and unstructured content types

Advanced content processing with strong linguistics

Eighty-five languages

Ability to build and manage connections to external content repositories

Common connector framework

Query

Search scopes

Enhanced query syntax


Thesaurus and noise words

Phonetic and nickname people search

Query suggestions (Did you mean?)

Following are some important points related to content sources, indexing, and
query:

SharePoint is able to connect to and index a staggering range of content
sources and content, and with the common connector framework, a developer
can build connections to other content sources that can then be managed and
queried like out of box content sources.

The query experience is rich and is supported with features that significantly
improve your ability to find the information you are looking for.

Results and Relevance


The search capability offers the following components, features, and functionality
to produce accurate and helpful results:

Results are security trimmed.

Results are federated.

Results have improved relevance based on usage and history.

Results are presented in context to the user and the user's profile.

Results have social relevance.

Click-through behavior of results from related queries

Social distance

Related searches.

Following are some important points related to results and relevance:

Users see only results for content to which they have access.

SharePoint search results are federated, meaning that you see a unified list of
results from all query services.


Search results are relevant, presented using algorithms that include click-through
behavior, usage, history, the user's own profile, and social distance.

SharePoint even lists related searches along with search results, thereby
pointing you toward search queries that may help you find the information
you need.

User Search Experience


The search capability offers the following components, features, and functionality
to provide users with a rich search experience:

Results

Hit highlighting

Results summaries

Visual search

Thumbnails

Previews

View in browser

Refinement panel and sorting driven by metadata

Includes social distance, other people, and expertise metadata

Exact result counts with refiners (FAST)

Search from the desktop, browser, or Windows mobile device

Following are some important points related to user search experience:

Search results are rich, with hit highlighting, summaries, and visual search
features including thumbnails, previews, and view-in-browser.

Metadata-driven refinement including social metadata provides navigation,
sorting, filtering, and narrowing down your results. Adding FAST provides
exact result counts.

Users can search SharePoint from the desktop using Windows 7 federated
search, from one of several browsers on several platforms, or from a Windows
mobile device.


Manageability and Extensibility


The search capability offers the following components, features, and functionality
to enable an organization to manage and extend SharePoint:

Infrastructure

Scalability: Improved topology, algorithms, and performance

FAST integration

Manageability

Tune index and query behavior: Relevance, best bets

Monitor user search behavior

Extensibility

Leverage the query object model and Web Parts

Create search-driven applications to enrich platform

Integrate with and aggregate other systems and information

Following are some important points related to manageability and extensibility of
the search capability:

SharePoint search is highly scalable.

FAST enhances the out of box SharePoint search experience with numerous
performance-enhancing and value-added features.

SharePoint provides a unified administrative and management experience.

SharePoint is extensible to support federation, aggregation, integration, and
custom search applications.

Additional Reading

SharePoint Search Datasheet (SP2010_Search_Datasheet.pdf) at
http://go.microsoft.com/fwlink/?LinkID=197251&clcid=0x409.


Insights

The insights capability encompasses functionality that you can use to connect to
data sources and present the data in meaningful ways that support decision
making. It is the capability that most closely aligns with what the industry refers to
as business intelligence.

Information Sources
The insights capability offers the following components, features, and functionality
to connect with information from a broad range of data sources:

SharePoint

Business Connectivity Services: External data and systems

PerformancePoint Services: Interactive scorecards and dashboards

Visio Services: Browser-based rendering of Visio diagrams, including filtering,
interaction with objects, and connections to data


Excel Services

Secure, manage, and share Excel workbooks

Rendered in the browser

Embed workbooks in apps, desktop, blogs, and wikis

Programmability: JavaScript object model and REST API

PowerPivot, SQL Analysis Services

Following are some important points related to information sources:

With self-service access to information, users can discover and manage their
aspect of the business with access to the right information.

Business Connectivity Services connects you with external data and systems.

PerformancePoint Services provide interactive scorecards and dashboards.

Visio Services provides browser-based rendering of Visio diagrams and
includes filtering, interaction with objects, and connections to data sources.

With Excel Services, you can secure, manage, and use Excel workbooks as
interactive reports rendered in the browser. You can embed workbooks in
applications, blogs, and wikis and on the desktop. New programmability
features include JavaScript object model and REST API.

PowerPivot and SQL Analysis Services provide powerful reporting and analysis
of very large data sets.

Presentation and Visualization of Information


The insights capability offers the following components, features, and functionality
to aggregate information and present it in meaningful and productive ways:

Presentation of information

Dashboards

Scorecards

Chart Web Part

Generate charts from Excel workbooks, Business Connectivity Services, or
SharePoint lists

Status Indicator Lists

Key Performance Indicator (KPI) details highlighting ownership, date
stamps, and thresholds

Analytics and visualizations

Drill-down for deeper analysis and to understand issues and causality

Root cause analysis

Decomposition tree

Simplified navigation and interaction with information

Following are some important points related to presentation and visualization of
information:

Dashboards and scorecards are collections of information created from
reusable components and data from SharePoint, PerformancePoint Services,
Business Connectivity Services, Excel Services, Visio Services, PowerPivot, SQL
Server Analysis Services, chart Web Parts, status indicators, and other Web
Parts.

Chart Web Part generates charts from Excel workbooks, Business Connectivity
Services, or SharePoint lists.

Status Indicator Lists show Key Performance Indicator (KPI) details
highlighting ownership, date stamps, and thresholds.

Rich analytics and visualizations provide root cause analysis and the
decomposition tree.

You can drill down on scorecards to understand issues and causality and to
perform deeper analysis.

Additional Reading

Microsoft SharePoint Server 2010 Insights (SP2010_Insights_Datasheet.pdf)
at http://go.microsoft.com/fwlink/?LinkID=197252&clcid=0x409.


Composites

The composites capability offers the following components, features, and
functionality to empower users to create no-code solutions that target specific
needs and to enable an enterprise to manage ad hoc solutions:

Access Services: Publish Access databases as Web apps

Business Connectivity Services

Read-write access to back-end data

Disconnected experience: Microsoft Office Outlook, Microsoft Office
Word, SharePoint Workspace

Customizations: Browser, SharePoint Designer

Workflows: Out of box, SharePoint Designer, Visio

Forms: Customized Web forms or forms-based applications

Visio: Publish diagrams, interact with objects and data


Manageability

Governance over all no-code solutions features

Control over infrastructure, data, and applications

Following are some important points related to the composites capability:

SharePoint gives you a plethora of ways to create a custom application without
writing a single line of code.

The enterprise gains control over such custom applications and can apply
governance and security measures that are not possible when applications are ad
hoc and not centrally managed.

Additional Reading

Microsoft SharePoint Composites (SP2010_Composites_Datasheet.pdf) at
http://go.microsoft.com/fwlink/?LinkID=197253&clcid=0x409.


Lesson 2

Preparing for SharePoint 2010

As you learned in the previous lesson, SharePoint 2010 is a platform that itself
relies on a wide range of other Microsoft technology platforms. Before you can
install SharePoint 2010, you must prepare your hardware and software
environment to support the dependencies and interactions with SharePoint
products and technologies.
After completing this lesson, you will be able to:

Identify the roles and topologies in SharePoint farms.

Describe the infrastructure requirements for installing SharePoint 2010.

Describe the prerequisites for installing SharePoint 2010.

Install the software prerequisites for SharePoint.

Describe the interaction between SharePoint services, Active Directory, and
SQL Server.

Create the various user accounts required to install SharePoint.

Assign permissions and rights required to install SharePoint.

Describe the client browser and application requirements for installing
SharePoint 2010.


Roles and Topologies in SharePoint Farms

A SharePoint farm consists of one or more servers playing one or more roles.
The Web front-end (WFE) role renders content to users, and therefore hosts the
Web applications (Web sites) with which users interact.
The content of those Web sites is stored in a SQL Server database, which is
therefore another role, the database role.
A number of services and applications provide functionality, such as search, and
administrative and management capabilities, such as Central Administration. Each
of these is a distinct role, and a server hosting one of these back-end services or
administrative sites is referred to as playing an application server role.
The roles can be consolidated on a single server or spread across multiple servers
in a variety of topologies. These topologies are summarized on the slide and are
detailed in Module 12, Installing and Upgrading to SharePoint 2010.


Infrastructure Requirements

SharePoint Server 2010 is a powerful platform that can scale to meet the most
demanding enterprise scenarios. As such, the hardware requirements for
SharePoint begin with a minimum hardware base with at least four processor cores
running 2.5 GHz and 8 GB of RAM.
SharePoint 2010 is a 64-bit platform, and therefore you must use 64-bit versions of
the operating system on each SharePoint server and for SQL Server. Windows
Server 2008 with Service Pack 2 (64-bit) or Windows Server 2008 R2 (which is
only 64-bit) is required.
SQL Server is the required database platform. SharePoint Server 2010 requires one
of the following:

SQL Server 2005 Service Pack 3 (SP3) with Cumulative Update 3 (64-bit)

SQL Server 2008 SP1 with Cumulative Update 2 or Cumulative Update 5 or
later (64-bit)

SQL Server 2008 R2 (which is only 64-bit)


It is highly recommended that you use the latest versions of the operating system
and SQL Server to take advantage of the maximum number of features. For
example, you need SQL Server 2008 R2 to take advantage of failover, Power Pivot,
and Access Services reporting features.
If you are investing in infrastructure for Microsoft Office SharePoint Server 2007,
invest in 64-bit to reduce the number of steps required to migrate to SharePoint
Server 2010. Migration from 32-bit to 64-bit platforms is detailed in Module 12.

Additional Reading

Hardware and software requirements (SharePoint Server 2010) at
http://go.microsoft.com/fwlink/?LinkID=196879&clcid=0x409.


Infrastructure Options

Microsoft allows you to install SharePoint on a client operating system to support
development. The following are supported, with at least 4 GB of RAM:

The Windows Vista operating system with Service Pack 2 or later (64-bit).

The Windows 7 operating system (64-bit) client to support development. Such
a model should not be used for production purposes.

You can also access SharePoint through a hosted service such as one of several
offerings from Microsoft and its partners, including the following:

Microsoft Online, which offers the Business Productivity Online Suite (BPOS),
a per-user subscription to SharePoint as well as to Microsoft Exchange and
Microsoft Office LiveMeeting. Microsoft Online also offers dedicated
SharePoint hosting to large customers.

Microsoft will offer customers the ability to host their public-facing Web sites
on SharePoint Server 2010. Details are not available at the time of publication.


Microsoft's consumer and small business services, Windows Live and Office
Live, provide some SharePoint functionality. For example, at the time of
publication Windows Live SkyDrive allows users to edit Excel and PowerPoint
documents in the browser, which is functionality provided by Office Web
Apps.

You can mix and match internally hosted farms with externally hosted services to
meet varied business requirements.

Additional Reading

Setting Up the Development Environment for SharePoint Server, at
http://go.microsoft.com/fwlink/?LinkID=164557.

Microsoft Online, at http://www.microsoft.com/online.


Overview of SharePoint Licensing

SharePoint licensing is complex because of the number of products that are
involved. It is important that you consult with your licensing representative to
ensure compliance for your SharePoint implementation.
The most typical implementation involves purchasing licenses for Windows Server
2008 or Windows Server 2008 R2 for each SharePoint server and a quantity of
per-user client access licenses (CALs) for each SharePoint user. SQL Server is typically
installed with a per-processor license, which does not require CALs for users.
If you are using SharePoint Foundation 2010, no additional license is required. If
you are using SharePoint Server 2010, however, you need a server product license
for each SharePoint server and CALs for each user. SharePoint Standard CAL
provides access to the basic level of SharePoint Server 2010 functionality including
My Sites and search. With the Enterprise CAL, which is an add-on to the Standard
CAL, you can deploy features such as Excel Services and Office Web Applications.


Enterprise Client Access License


The Enterprise CAL is for organizations looking to enable advanced scenarios for
end users to locate, create, and act on data and documents in disparate sources
from within a familiar and unified infrastructure. Use the Enterprise CAL
capabilities of SharePoint to interoperate fully with external line-of-business
applications, Web services, and Microsoft Office client applications; make better
decisions with rich data visualization, dashboards, and advanced analytics; and
build robust forms and workflow-based solutions.

Standard Client Access License


The Standard CAL is for organizations looking to deploy a business collaboration
platform across all types of content. Use the core capabilities of SharePoint to
manage content and business processes, find and share information and expertise,
and simplify how people work together across organizational boundaries.

Additional Reading

SharePoint editions at
http://go.microsoft.com/fwlink/?LinkID=196255&clcid=0x409.

Role, Software, and Configuration Prerequisites

There is a long list of software and configuration prerequisites:

The following server roles: Web Server (IIS), Application Server

Hotfix for Microsoft Windows (KB976394 for Windows Server 2008 /
KB976462 for Windows Server 2008 R2)

Windows Identity Foundation (KB974405)

Microsoft Sync Framework Runtime v1.0 (x64)

Microsoft Chart Controls for Microsoft .NET Framework 3.5

Microsoft Filter Pack 2.0

Microsoft SQL Server 2008 Analysis Services ADOMD.NET

Microsoft Server Speech Platform Runtime (x64)

Windows PowerShell 2.0 (for Windows Server 2008)


Optional: Microsoft Server Speech Recognition Language

Optional: Microsoft SQL Server 2008 R2 Reporting Services Add-in for
SharePoint Technologies (SSRS)

Additional Reading

Details and links to all prerequisites can be found at "Hardware and software
requirements (SharePoint Server 2010)" at
http://go.microsoft.com/fwlink/?LinkID=196879&clcid=0x409.


Installing Prerequisites

You must install SQL Server prior to installing other SharePoint prerequisites.

Microsoft SharePoint 2010 Products Preparation Tool


Microsoft SharePoint 2010 Products Preparation Tool, also known as the
prerequisite installer, can download and install all of the prerequisites for you,
automatically.
To run the Preparation Tool, log on as the setup user account, for example,
SP_Admin. The setup user account is further described in a later topic. Then,
launch the tool from the Install software prerequisites link on the SharePoint
Server 2010 Start page (Default.hta), shown in the following graphic, or directly by
using PrerequisiteInstaller.exe.


The Preparation Tool scans for each prerequisite. If a prerequisite is not found, the
tool downloads, installs, and configures the prerequisite.
If there is an error, for example, if downloading the prerequisite fails, the tool stops
and produces an error message that indicates which prerequisite failed. You can
find details of the failure in the error log, which is located in the %TEMP% folder.
The tool displays a link to the log. After you have remediated the problem, rerun
the tool.
Repeat the process until all prerequisites have been installed and configured
successfully.


Optional Prerequisites
Two prerequisites are optional: Microsoft Server Speech Recognition Language and
Microsoft SQL Server 2008 R2 Reporting Services Add-in for SharePoint
Technologies (SSRS). If the Preparation Tool cannot find or install these
prerequisites, it generates an error, but you can continue to the next step in
installing SharePoint Server 2010.
Question: Does your organization allow servers to access the Internet directly? If
not, why not?


Additional Prerequisites

You must install and configure several prerequisites manually. Use the information
on this slide as a checklist of prerequisites to evaluate in the context of your
enterprise and your SharePoint implementation. After class, read about these items
and determine whether they are necessary in your environment.
The ADO.NET Data Service Update is used by services like REST Web services.
If you use Claims-based authentication, you need to apply KB979917
(http://go.microsoft.com/fwlink/?LinkID=196882&clcid=0x409) for ASP.NET.
The third prerequisite is to disable loopback checking. Windows Server 2008 (and
Windows Server 2008 R2) blocks access to a Web site if the request for the Web
site originates on the server itself. This prevents you from using a browser on a
SharePoint server to browse to a site on the same server farm. Of course, it is not
recommended that you log on to a SharePoint server and use a browser in the
production environment, but this scenario may be more common in a
development, testing, or training environment.


However, the loopback checking also prevents SharePoint services (most notably
the search crawler that indexes SharePoint content) from accessing sites on the
same server farm. The crawl process will generate Access Denied events, and no
content will be indexed.
The problem is solved by removing or controlling the loopback checking.
Microsoft Knowledge Base article 896861 has the details. The article discusses two
options. Method 1 involves specifying all sites hosted on the server so that the
server allows requests to those sites to originate on the same server. Method 2
entails disabling loopback checking altogether, for all sites. Method 2 reduces the
security of the server much more than Method 1. Therefore, Method 2 is
recommended only for development and test environments.
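
The two KB 896861 options described above leave different traces in the registry, so a server can be audited for which one is in effect. The following PowerShell is an added example, not part of the courseware; the registry value names are the ones KB 896861 documents, while the function names, severity labels, and host names are constructed for illustration.

```powershell
# Added example: audit (and optionally remediate) loopback-check settings.
# Registry locations are those documented in KB 896861.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LoopbackCheckState {
    # Method 2 marker: DisableLoopbackCheck (DWORD) = 1 turns the check off for all sites.
    $lsa = Get-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    # Method 1 marker: BackConnectionHostNames (multi-string) lists exempted host names.
    $msv = Get-ItemProperty -Path $Msv10Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue

    $names = @()
    if ($msv) { $names = @($msv.BackConnectionHostNames | Where-Object { $_ }) }

    New-Object PSObject -Property @{
        Computer             = $env:COMPUTERNAME
        LoopbackCheckEnabled = -not ($lsa -and ($lsa.DisableLoopbackCheck -eq 1))
        AllowedHostNames     = $names
    }
}

function Test-LoopbackPolicy {
    param(
        [string[]]$RequiredHostName = @(),  # host names of the web applications on this server
        [switch]$Production                 # treat Method 2 as a high-severity finding
    )
    $state    = Get-LoopbackCheckState
    $findings = @()

    if (-not $state.LoopbackCheckEnabled) {
        $severity = 'Info'
        if ($Production) { $severity = 'High' }
        $findings += New-Object PSObject -Property @{
            Severity = $severity
            Finding  = 'Loopback checking is disabled for all sites (Method 2).'
        }
    }
    foreach ($h in $RequiredHostName) {
        # With the check on, a host name that is not exempted produces the
        # Access Denied crawl errors the text describes.
        if ($state.LoopbackCheckEnabled -and ($state.AllowedHostNames -notcontains $h)) {
            $findings += New-Object PSObject -Property @{
                Severity = 'Medium'
                Finding  = "Host name '$h' is not exempted; requests from this server will be denied."
            }
        }
    }
    foreach ($h in $state.AllowedHostNames) {
        # Exemptions for sites that no longer exist widen the exception for no benefit.
        if ($RequiredHostName -notcontains $h) {
            $findings += New-Object PSObject -Property @{
                Severity = 'Low'
                Finding  = "Host name '$h' is exempted but is not in the expected list."
            }
        }
    }
    $findings
}

function Set-LoopbackMethod1 {
    # Applies Method 1 and removes the Method 2 override. Run elevated; the
    # change needs a restart to take effect (see KB 896861 for specifics).
    param([Parameter(Mandatory = $true)][string[]]$HostName)
    $current = (Get-LoopbackCheckState).AllowedHostNames
    $merged  = [string[]]@(($current + $HostName) | Sort-Object -Unique)
    New-ItemProperty -Path $Msv10Key -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    Remove-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
}

# Constructed sample host names for the farm's web applications.
$sites = 'intranet.contoso.example', 'mysites.contoso.example'
Test-LoopbackPolicy -RequiredHostName $sites -Production |
    Format-Table Severity, Finding -AutoSize

# To move a production server from Method 2 to Method 1:
# Set-LoopbackMethod1 -HostName $sites
```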

Additional Reading

An update is available that provides additional features and improvements for
ADO.NET Data Services in the .NET Framework 3.5 SP1 on a computer that is
running Windows 7 or Windows Server 2008 R2, at
http://go.microsoft.com/fwlink/?LinkID=200826&clcid=0x409.

Two issues occur when you deploy an ASP.NET 2.0-based application on a
server that is running IIS 7.0 or IIS 7.5 in Integrated mode, at
http://go.microsoft.com/fwlink/?LinkID=196882&clcid=0x409.

You receive error 401.1 when you browse a Web site that uses Integrated
Authentication and is hosted on IIS 5.1 or a later version, at
http://go.microsoft.com/fwlink/?LinkID=196884&clcid=0x409.


SharePoint, SQL Server, and Active Directory

SharePoint has close relationships with and dependencies on SQL Server and
Active Directory.
Active Directory provides identity and authentication services. In other words, it
stores user accounts (user names and passwords) and validates account logons.
These services support users logging on to SharePoint sites. They also support the
accounts used by SharePoint and SQL services themselves.
SQL Server stores almost all of the configuration and content of a SharePoint farm.
SQL Server services, like all Windows services, run using an identity.
SharePoint services also run with Active Directory credentials. The credentials are
used by SharePoint to access data in SQL Server. These accounts must have SQL
logins so that SQL can authorize the access. These SQL logins are created
automatically by SharePoint during setup and the creation of Web applications.


Service Accounts

Before installing SharePoint, you must ensure that there are appropriate accounts,
logins, and permissions to support the interdependencies between SharePoint,
SQL Server, Active Directory, and the SharePoint server itself.

SQL Server Service Account: SVC_SQL


SQL Server services use identities, or accounts. Like most Windows services, you
can use a special identity such as System, Network Service, or Local Service, but it
is a highly recommended best practice to use a domain user account. If the SQL
Server is on a different computer than SharePoint is, it is required to use a domain
account.

Setup User Account (Human Being): SP_Admin


The setup user account, SP_Admin, is used by a human being to install and
configure SharePoint.


During setup and configuration, SharePoint creates SQL databases and logins, and
modifies the server itself (for example, creating local groups). SharePoint setup and
configuration uses the credentials of SP_Admin to perform such tasks, so
SP_Admin must be a securityadmin and dbcreator on the SQL server, and must be
a member of the local Administrators group.
The only SQL login that you must manually create is the login for the setup user,
SP_Admin, who actually performs the initial setup of the farm.

Server Farm Account: SP_Farm


During installation and configuration, the setup user, SP_Admin, assigns an
account to the SharePoint farm (SP_Farm), which is the service account
representing the SharePoint farm.
The SP_Farm account is used by SharePoint to configure and manage the server
farm. It is the identity used by the Central Administration site's application pool
and the identity used by the Timer service.
It is critical that the SP_Farm account be added to the local Administrators group
on each server on which SharePoint will be installed.
The SharePoint Products Configuration Wizard automatically assigns the account
the permissions it needs.

Web and Service Application Pool Account(s): SP_Service


Each Web application runs in an application pool. The application pool identity is
a domain user account that is functionally equivalent to a service account, with
permissions to access the content database for the Web application on the SQL
Server.
Service applications, such as Search or the Office Web Applications, are also Web
applications. Therefore, they also run in an application pool with a domain user
identity.
Web and service application pool accounts are granted the permissions they need
automatically during the provisioning of the application.

Search Crawler (Indexer) Account: SP_Crawl


The search crawler account is used to index content. It is automatically granted
permissions to read all SharePoint content. It should be a unique account that
cannot access content at any higher level. You must manually grant it permission
to read any other content source that you configure it to index, for example, shared
folders on servers.


User Profile Synchronization Account: SP_Sync


SharePoint user profile synchronization uses an account to synchronize profile
attributes between Active Directory and SharePoint. This account is detailed in
Module 9, User Profiles and Social Networking.


Client Browser and Application Requirements

SharePoint 2010 generates most of its content using Web-standard XHTML that
renders well across most browsers. Microsoft categorizes browsers into two
categories, Level 1 and Level 2, to help customers align browser choice with the
desired level of functionality.


Level 1 browsers support ActiveX and all SharePoint functionality on user and
administrative pages.
Operating System              Browser

Windows XP                    Internet Explorer 8 (32-bit)
Windows Vista                 Internet Explorer 7 (32-bit)
Windows Server 2003           Mozilla Firefox 3.5*
Windows Server 2008

Windows 7                     Internet Explorer 8 (32-bit)
Windows Server 2008 R2        Mozilla Firefox 3.5*

* Note: Features provided by ActiveX controls, such as list Datasheet view and
the control that displays user presence information, do not work in Mozilla
Firefox 3.5, which does not support ActiveX.

Level 2 browsers support basic read, write, and administrative activities.


Operating System              Browser

Apple Mac OS X Snow Leopard   Apple Safari 4.x
                              Mozilla Firefox 3.5

Windows XP                    Internet Explorer 7 (64-bit)
Windows Vista                 Internet Explorer 8 (64-bit)
Windows Server 2003
Windows Server 2008

Windows 7                     Internet Explorer 8 (64-bit)
Windows Server 2008 R2

UNIX/Linux 8.1                Mozilla Firefox 3.5


Other standards-based browsers work with SharePoint with the same limitations as
Level 2 browsers. However, Microsoft has not done extensive testing on browsers
other than those listed and does not support use of other browsers. If you want to
use a browser other than one listed in the preceding tables, you should perform
testing to ensure that the browser delivers an acceptable user experience.
For published sites, page designers can apply Web Content Management features
to control markup and styling so that published sites are compatible with
additional browsers, including Microsoft Internet Explorer 6. However, it is the
page designer's responsibility to create pages that target the browsers that are
designated for support. Page designers and content authors must use a
standards-based browser, such as Internet Explorer 8 or Firefox 3.5, to author content.
SharePoint-compatible applications can provide a rich, client-side interaction with
SharePoint. Microsoft Office 2003 and later are compatible with SharePoint.

Additional Reading

Plan Browser Support, at
http://go.microsoft.com/fwlink/?LinkID=196887&clcid=0x409.


Lesson 3

Installing SharePoint 2010

You can use several methods to install and upgrade a SharePoint 2010 farm. In this
lesson, you learn how to install SharePoint by using the wizard-driven setup and
configuration tools, which make it easy to create a simple farm. In the next lesson,
you learn about methods to automate installation, and in Module 12, you learn
about ways to upgrade an existing farm to SharePoint 2010.
After completing this lesson, you will be able to:

Describe the process for installing and configuring SharePoint 2010.

Identify the configuration parameters required to install SharePoint.

Install SharePoint to create a single-server farm.

Configure SharePoint on a single-server farm.


Process for Installing and Configuring SharePoint 2010

Installing SharePoint is a multiphase process. The four high-level steps for
installing and configuring SharePoint are the following:

Install the prerequisites.

Install the SharePoint binaries.

Configure the SharePoint server and farm.

Configure services and applications on the farm.

You can perform each phase using user interface tools or commands or scripts. In
the following topics and lesson, you learn how to perform each of these steps.


Configuration Parameters Checklist

Before you install SharePoint Server 2010, you must collect information that is
required during the installation. Use the following items as a preinstallation
checklist:

You must know the user name and passwords for the accounts discussed in
the previous lesson.

You must know the SQL Server server name and instance name.

You will be prompted for a configuration database name, for example,
SharePoint_Config. Determine a naming strategy for SharePoint databases.

You will be prompted for a port on which to host Central Administration. You
must determine this.


You will be prompted for a farm passphrase. You must determine this.
You use the farm passphrase when making certain changes to the farm, for
example, when adding a new server to the farm. With the farm passphrase, an
administrator can perform farm-level changes without needing to know the
password for the SharePoint farm account (SP_Farm). The farm passphrase
should be long, complex, unique and should not be the same as the password
used by any of the SharePoint administrative or service accounts. Be sure to
document the password and store it in a physically secure location.

You must know the product key or trial key. You must enter the product key
during setup, but you can change it later in Central Administration.


Walkthrough: Install SharePoint to Create a Single-Server Farm

The following steps walk you through the manual installation of SharePoint Server
2010 binaries. During this step, program files are installed, components are
registered, security settings are applied, and services are configured but not
enabled.
Installation with the user interface is wizard-driven. As long as you know the
configuration information presented earlier in this lesson, installation is very
straightforward.
1. Log on as the setup user account (SP_Admin).

2. Run the SharePoint Server 2010 Start Page (default.hta).


SharePoint Server 2010 installation now features a splash screen.


3. Click Install SharePoint Server.

Installation requires administrative credentials, so a User Account Control
dialog box appears.


4. Click Yes.

5. Enter your product key or a trial key. You can change it later.


6. Click I accept the terms of the agreement.

7. Click Server Farm.

Important: It is recommended that you use the Server Farm installation.

The Standalone installation fully installs and configures SharePoint Server
2010 with all defaults, including the installation of SQL Server 2008 Express
as the database server on the same server. The result is a standalone,
single-server farm with all roles on one server. Standalone installation is not
supported on a server that is a domain controller because SQL Server Express
cannot be installed on a domain controller.
It is not possible to add servers to a farm that was installed with the
Standalone installation. Therefore, it is recommended that you use
Standalone only for the most simple testing or development environments.
In all other scenarios, you should use the Server Farm installation option. You
must have already installed SQL Server on the same server or on another
server. However, with a Server Farm installation, you have the option of, later,
moving roles to other servers in the farm.


If you select a Server Farm installation, you can specify the location of the
SharePoint binaries and the SharePoint Root (formerly known as the 12 Hive,
now the 14 Hive) in the File Location tab.


8. Select Complete.
The Stand-alone option presented on this page of the installation wizard
creates a single-server farm with all components and roles. It is not possible to
add another server to a farm that was installed with the Stand-alone option.
This option is identical to the Standalone installation option discussed in an
earlier step.

Installation proceeds.


At the end of the installation phase, the Setup application offers you the
chance to proceed to the Configuration phase.
9. Clear the Run the SharePoint Products Configuration Wizard now check
box.

10. Click Close.


The result is a SharePoint server that is ready to add to a farm. Until you add the
server to a farm, no SharePoint functionality is available on the server.


Walkthrough: Configure SharePoint on a Single-Server Farm

After installing the SharePoint binaries, you can configure the server and, in the
process, create a SharePoint farm or add the server to an existing farm.
Configuration with the user interface is wizard-driven. As long as you know the
configuration information presented earlier in this lesson, installation is very
straightforward.
1. Log on as the setup user account (SP_Admin).

2. Run the SharePoint Products Configuration Wizard, which you can find in the
Microsoft SharePoint 2010 Products program group on the Start menu.


3. Click Next.

You are warned that IIS and SharePoint services will be restarted.


4. Click Yes.

5. Select Create a new server farm.


6. Enter the configuration for the SQL Server: the name of the Database server
(SERVER\instance if you are connecting to a specific instance of SQL Server)
and the Database name.

7. Enter the farm account (SP_Farm) user name and password.


8. Enter the farm passphrase.

9. Enter the port number on which Central Administration will be hosted.

10. Choose an authentication provider.


NTLM allows Central Administration to use Active Directory as the
authentication provider. This is typically the best option for Central
Administration.


11. Review the configuration, and then click Next.


Configuration takes several minutes.

12. Click Finish.


The SharePoint 2010 Central Administration site opens.


Lesson 4

Advanced Installation of SharePoint 2010

Manual installation and configuration, as presented in the previous lesson, is
time-consuming and prone to inconsistent implementation. In this lesson, you learn
how to script the installation and configuration of SharePoint. You also learn how
to install a language pack.
After completing this lesson, you will be able to:

Perform a scripted installation of SharePoint prerequisites.

Perform a scripted installation of SharePoint Server 2010.

Execute a scripted configuration of SharePoint and a SharePoint farm.

Install SharePoint language packs.


Overview of Scripted Installation

By scripting installation, an organization can reduce the time required to deploy a
SharePoint server. Scripting also ensures that configuration is applied consistently,
and therefore reduces the chance for errors and failure. Scripting is also required to
automate the provisioning of SharePoint.
There are three different mechanisms for scripting SharePoint installation and
configuration, one mechanism for each of the phases of installation.


Scripted Installation of Prerequisites

Many organizations do not allow servers to have direct access to the Internet. The
Preparation Tool can be directed to install prerequisites from a specific location,
rather than downloading prerequisites from the Downloads Center at
Microsoft.com.
First, you must download all prerequisites. You can find links to prerequisites by
using one of the following two options:

Links to prerequisites are listed at
http://go.microsoft.com/fwlink/?LinkID=196879&clcid=0x409.

Run the Preparation Tool and examine the log for error messages that are
generated when the tool attempts to download each prerequisite. The URL to
the attempted download is listed.


PrerequisiteInstaller.exe supports parameters that specify the location of each
prerequisite. The syntax of each parameter is
/PrerequisiteName:PathToInstallationFile. The PrerequisiteName parameters are
listed on the slide. The path can be a local or Universal Naming Convention
(UNC) path to which the setup user (SP_Admin) account used to run the
prerequisite installer has Read permission.
The /unattended parameter causes the Preparation Tool to run in silent,
unattended mode. No prompts or messages are displayed. Use this mode only
when you are confident that prerequisite installation will be successful.
You can type PrerequisiteInstaller.exe /? to display the help documentation for
the switches.
Now that you know the parameters of PrerequisiteInstaller.exe, you can script
prerequisite installation by using one of two methods:

Open the command prompt and type a command line with
PrerequisiteInstaller.exe and all of the switches on a single command line.

Open Notepad and enter all switches on a single line. Save the file as
PrerequisiteInstaller.Arguments.txt in the same folder as
PrerequisiteInstaller.exe. Then, run PrerequisiteInstaller.exe. It automatically
looks for the arguments file, called PrerequisiteInstaller.Arguments.txt, in the
working directory.

You create a PrerequisiteInstaller.Arguments.txt file in the lab for this module.
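Because /unattended suppresses every prompt and the installers come from a local or UNC folder rather than from Microsoft.com, it is worth checking the arguments file before running it. The following is an added example, not part of the course materials: the function name Test-PrerequisiteArguments is hypothetical, and the sample call uses the lab paths that appear later in this module.

```powershell
# Added example (not from the course): pre-flight check of an offline
# PrerequisiteInstaller arguments file before it is run with /unattended.
function Test-PrerequisiteArguments {
    param(
        # Folder that holds PrerequisiteInstaller.exe. Relative paths in the
        # arguments file are resolved against it (the working directory).
        [Parameter(Mandatory = $true)] [string] $InstallerFolder,
        # Full path of the arguments file to check.
        [Parameter(Mandatory = $true)] [string] $ArgumentsFile
    )

    # All switches are expected on a single line.
    $lines = @(Get-Content -Path $ArgumentsFile | Where-Object { $_.Trim() })
    if ($lines.Count -ne 1) {
        Write-Warning "Expected all switches on one line; found $($lines.Count) non-empty lines."
    }
    $text = $lines -join ' '

    if ($text -match '(?i)(^|\s)/unattended(\s|$)') {
        Write-Warning '/unattended is set: no prompts or messages will be displayed.'
    }

    # Each switch has the form /PrerequisiteName:PathToInstallationFile.
    $pattern = '(?<!\S)/(?<name>[A-Za-z0-9]+):(?<path>"[^"]+"|\S+)'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        $path = $m.Groups['path'].Value.Trim('"')
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path -Path $InstallerFolder -ChildPath $path
        }

        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $status = 'n/a'
        $signer = ''
        if ($exists) {
            # The status is reported as returned. Anything other than Valid,
            # including formats the cmdlet cannot parse, needs manual review.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        New-Object PSObject -Property @{
            Name            = $m.Groups['name'].Value
            Path            = $path
            Exists          = $exists
            SignatureStatus = $status
            Signer          = $signer
        }
    }
}

# Sample call with the lab paths; lists only the entries that need attention.
Test-PrerequisiteArguments `
    -InstallerFolder 'D:\Software\SharePointServer2010' `
    -ArgumentsFile 'D:\Software\SharePointServer2010\PrerequisiteInstaller.Arguments.txt' |
    Where-Object { -not $_.Exists -or $_.SignatureStatus -ne 'Valid' }
```

An empty result means every referenced file exists and carries a signature that Windows reports as valid; run the check as the setup user so that Read permission on the share is tested at the same time.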


Scripted Installation of SharePoint Server

You can script the installation of SharePoint binaries by specifying installation
parameters in an Extensible Markup Language (XML) file named Config.xml by
default.
Microsoft provides sample Config.xml files in the SharePoint distribution. You can
simply modify these files to match your environment. In most cases, you need only
to remove the comment tags (<!-- and -->) and enter a valid product ID.
The following Config.xml file installs a SharePoint server using the Server Farm
installation option and the Complete server type.


<Configuration>
    <Package Id="sts">
        <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
    </Package>
    <Package Id="spswfe">
        <Setting Id="SETUPCALLED" Value="1"/>
    </Package>
    <!-- Verbose setup log, written to the %temp% folder -->
    <Logging Type="verbose" Path="%temp%" Template="SharePoint Server Setup(*).log"/>
    <PIDKEY Value="36BY2-DVVJY-6426X-PXWVQ-BM342" />
    <!-- Level="none" runs setup without a user interface -->
    <Display Level="none" CompletionNotice="no" />
    <!-- APPLICATION is the Complete server type -->
    <Setting Id="SERVERROLE" Value="APPLICATION"/>
    <Setting Id="USINGUIINSTALLMODE" Value="0"/>
    <Setting Id="SETUP_REBOOT" Value="Never" />
    <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
</Configuration>

The following sample Config.xml files are available in the Files folder in the
SharePoint distribution:
Configuration File               Description

Setup\Config.xml                 Stand-alone server installation using Microsoft SQL
                                 Server 2005 Express Edition

SetupFarm\Config.xml             Server farm installation

SetupFarmSilent\Config.xml       Server farm installation in silent mode

SetupFarmUpgrade\Config.xml      In-place upgrade of an existing farm

SetupSilent\Config.xml           Stand-alone server installation using SQL Server
                                 2005 Express Edition in silent mode

SetupSingleUpgrade\Config.xml    In-place upgrade of an existing single-server
                                 installation


Scripted Configuration of SharePoint and the Farm

You can automate the Microsoft SharePoint 2010 Products Configuration Wizard
using a Windows PowerShell script. Windows PowerShell is discussed in Module
3, Administering and Automating SharePoint, so it is beyond the scope of this
topic to explain Windows PowerShell. The cmdlets (pronounced command-lets)
listed on this slide are for reference purposes.
However, in the lab for this module, you have the option of using a preexisting
Windows PowerShell script to automate the configuration of the farm.
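The wizard steps from the Lesson 3 walkthrough (create a new farm, database server and name, farm account, passphrase, Central Administration port, NTLM) can be expressed with the SharePoint 2010 configuration cmdlets. The following is an added example, not the lab's preexisting script and not the slide's list; the administration content database name and the port are assumed values, and ConvertTo-PlainText is a hypothetical helper.

```powershell
# Added example (not the course's lab script): scripted equivalent of the
# SharePoint Products Configuration Wizard for a new farm.
# Run as the setup user (SP_Admin) in an elevated PowerShell session.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$DatabaseServer   = 'SP2010-WFE1'              # lab server name from this module
$ConfigDatabase   = 'SharePoint_Config'        # example name from the checklist
$AdminContentDb   = 'SharePoint_AdminContent'  # assumed name
$CentralAdminPort = 9999                       # assumed port

# Hypothetical helper: decode a SecureString only long enough to compare it.
function ConvertTo-PlainText([System.Security.SecureString] $Secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Stop if this server already belongs to a farm.
$farm = $null
try { $farm = Get-SPFarm -ErrorAction SilentlyContinue } catch { }
if ($farm) { throw 'This server is already joined to a farm.' }

$ErrorActionPreference = 'Stop'

# Secrets are prompted for, never stored in the script.
$farmCredential = Get-Credential 'CONTOSO\SP_Farm'
$passphrase     = Read-Host -Prompt 'Farm passphrase' -AsSecureString

# The checklist says the passphrase must not match an account password.
# Only the farm account is checked here; the other accounts are not known
# to the script.
$farmPassword = $farmCredential.GetNetworkCredential().Password
if ((ConvertTo-PlainText $passphrase) -ceq $farmPassword) {
    throw 'The farm passphrase must differ from the SP_Farm password.'
}
$farmPassword = $null

# Create the configuration database and the farm (wizard steps 5 to 8).
New-SPConfigurationDatabase `
    -DatabaseServer $DatabaseServer `
    -DatabaseName $ConfigDatabase `
    -AdministrationContentDatabaseName $AdminContentDb `
    -Passphrase $passphrase `
    -FarmCredentials $farmCredential

# Apply what the wizard does after the farm exists: help files, file system
# and registry security, services, and features.
Install-SPHelpCollection -All
Initialize-SPResourceSecurity
Install-SPService
Install-SPFeature -AllExistingFeatures

# Host Central Administration on the chosen port with NTLM (steps 9 and 10).
New-SPCentralAdministration -Port $CentralAdminPort -WindowsAuthProvider 'NTLM'
Install-SPApplicationContent
```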

Additional Reading

Quick start: Deploy single server in an isolated Hyper-V environment
(SharePoint Server 2010), at
http://go.microsoft.com/fwlink/?LinkID=196892&clcid=0x409.

Install SharePoint Server 2010 by using Windows PowerShell, at
http://go.microsoft.com/fwlink/?LinkID=196893&clcid=0x409.


Language Packs

If you are working in an environment that needs to support multiple languages,
you must also install language packs for SharePoint Server 2010.

Installation Process
The process by which you install language packs is described in the following
sections.

1. Install Windows operating system language files


Before installing SharePoint language packs, you must ensure that the language
files for the Windows operating system have been installed. Windows includes
language files for many languages in its default configuration. However, if the
languages you are supporting include any of the following, you must install the
Windows language files manually:

East Asian languages, including Chinese, Japanese, and Korean

Complex script and right-to-left-oriented languages, including Arabic,
Armenian, Georgian, Hebrew, the Indic languages, Thai, and Vietnamese


You can install Windows language files by using the Regional And Language
Settings application in Control Panel.

2. Install SharePoint
You must install SharePoint before installing a SharePoint language pack. The
language of the SharePoint installation becomes the default language for the farm
and the language of administrative interfaces such as Central Administration.
As you learned in the previous lesson, to install SharePoint you must first install
the SharePoint binaries.

3. Run the SharePoint Products Configuration Wizard


Next, run the SharePoint Products Configuration Wizard to configure the farm
with the default language.

4. Download the language pack


You can download language packs from the Microsoft Downloads Center. At the
time of publication, the following language packs are available: Chinese
(Simplified), English, French, German, Japanese, Russian, Spanish.
You must download a language pack for each language you want to support with
SharePoint.
There is no single package of all languages. It is possible that the downloads for
different languages may have the same file name. Watch out for this situation, and
if it occurs, rename the downloads or save them to separate folders so that you do
not overwrite a previously downloaded language pack.

5. Install on all Web servers so that content can be rendered


Install the language pack on all SharePoint servers that host user-facing Web
applications so that content can be rendered in the required languages. Be
prepared for the fact that the installation routine for a language pack is in the
language of the pack, so the setup wizard's text and buttons will not be in the
default language of the farm.

6. Run the SharePoint 2010 Products Configuration Wizard


Run the SharePoint 2010 Products Configuration Wizard on all servers on which
language packs have been installed. This completes the installation and
configuration of the language pack.


Uninstalling SharePoint when language packs have been installed


Uninstall all language packs before uninstalling SharePoint.

What Changes Are Made by Language Packs


When you install a language pack, language-specific site definitions are added to
the language templates folder of the server,
%COMMONPROGRAMFILES%\Microsoft Shared\Web server extensions\14\template\LocaleID.
Afterward, when you create a web site, you can select the language of the new site.
The default language is the language of the SharePoint installation. The new site
uses the language for site toolbars, navigation bars, list names, and column
headings. Left-to-right orientation is also rendered according to the language. You
cannot change the language of a site after the site has been created.
Additionally, with the Managed Metadata Service, you can assign terms to term
stores in the languages that you have installed. The Managed Metadata Service is
detailed in Module 4, Configuring Content Management.

What Does Not Change


Some UI elements such as error messages, notifications, and dialog boxes do not
change, specifically those that are generated by supporting technologies, for
example, the .NET Framework, Windows Workflow Foundation, or SQL Server.
The File Not Found error page does not change. However, you can use Windows
PowerShell to modify the SPWebApplication.FileNotFoundPage property to direct
users to a single page for File Not Found errors, and you can create the custom
page to present the error in any language.

Upgrade Alert
The following issue applies in only rare and specific situations, but it is important
to raise the issue to the attention of administrators it affects.


If you are upgrading from SharePoint 2007 and you are using Group Approval
(eApproval) features with Chinese (Simplified), Chinese (Traditional), Japanese, or
Korean languages, you must do the following before running the SharePoint
Products Configuration Wizard:
1. Install the language pack.

2. Run psconfig.exe -cmd upgrade -inplace v2v.

3. Then, run the SharePoint Products Configuration Wizard.

Additional Reading

Deploy language packs (SharePoint Server 2010) at
http://go.microsoft.com/fwlink/?LinkID=199614&clcid=0x409.


Lab: Installing SharePoint 2010

Scenario
You have been asked to deploy a SharePoint farm to support Contoso's strategic
initiatives related to enterprise collaboration. This single-server farm will act as a
prototype, and executives, developers, and end users will use it to evaluate the new
features of SharePoint Server 2010.

 Start the virtual machines


1. Start 10174A-CONTOSO-DC-A.

2. After CONTOSO-DC-A has completed startup, start 10174A-SP2010-WFE1-A.


Exercise 1: Creating Active Directory Accounts for SharePoint
Although you are creating a prototype environment, you must adhere to security
best practices, including least privilege. In this exercise, you create accounts for
SharePoint administration, services, and access to SQL Server.
The main tasks for this exercise are as follows:
1. Create Active Directory accounts.

2. Create a SQL login for the SharePoint administrator.

3. Delegate administration of the SharePoint server.

 Task 1: Create Active Directory accounts


1. Log on to SP2010-WFE1 as CONTOSO\Administrator with the password
Pa$$w0rd.

2. Open Active Directory Users and Computers.

3. Expand the contoso.com domain and then in the SharePoint OU, create the
following user accounts. For each account, set the password to Pa$$w0rd,
clear the User must change password at next logon check box, and select the
Password never expires check box.

Full Name                        User Logon Name  Description                              E-mail

SharePoint Administrator         SP_Admin         SharePoint Administrator and Setup User  SP_Admin@contoso.com

SharePoint Farm Service          SP_Farm          SharePoint Farm Service                  SP_Farm@contoso.com

SharePoint Service Applications  SP_ServiceApps   SharePoint Service Applications          SP_ServiceApps@contoso.com

4. Close Active Directory Users and Computers.


 Task 2: Create a SQL Server login for the SharePoint administrator


1. Open SQL Server Management Studio and connect to SP2010-WFE1 as
CONTOSO\SQL_Admin with the password of Pa$$w0rd.

2. Create a login for CONTOSO\SP_Admin.

3. Assign the login the dbcreator and securityadmin server roles.

4. Close the Microsoft SQL Server Management Studio.

 Task 3: Delegate administration of the SharePoint server


1. Add CONTOSO\SP_Admin to the local Administrators group of SP2010-WFE1.

2. Log off of SP2010-WFE1.

Results: After this exercise, you should have accounts for SharePoint administration,
services, and database access, each of which has been delegated the least privilege
permissions required to install and configure SharePoint.
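The result of Exercise 1, and the requirements for the setup user given under Service Accounts, can be checked with a read-only script. The following is an added example, not part of the lab; the function names are hypothetical, and the expectation that SP_Admin is not a sysadmin is an assumption made here as a least-privilege check rather than a step in the exercise.

```powershell
# Added example (not part of the lab): read-only audit of the setup user's
# SQL Server roles and local Administrators membership.

function Get-SqlServerRoleMembership {
    param([string] $SqlInstance, [string] $Login, [string[]] $Roles)

    # Connects with the caller's Windows identity, which needs enough rights
    # on the instance to query another login's role membership.
    $connectionString = "Server=$SqlInstance;Database=master;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
    $conn.Open()
    try {
        foreach ($role in $Roles) {
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = 'SELECT IS_SRVROLEMEMBER(@role, @login)'
            [void] $cmd.Parameters.AddWithValue('@role', $role)
            [void] $cmd.Parameters.AddWithValue('@login', $Login)
            # Returns 1 (member), 0 (not a member) or NULL (role or login
            # not valid, or not visible to the caller).
            $value = $cmd.ExecuteScalar()
            New-Object PSObject -Property @{
                Role     = $role
                IsMember = ($value -eq 1)
            }
        }
    }
    finally { $conn.Close() }
}

function Test-LocalAdministrator {
    param([string] $Account)   # DOMAIN\user

    # Direct members only; membership through a nested group is not resolved.
    $adsPath = 'WinNT://' + $Account.Replace('\', '/')
    $group   = [ADSI] "WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    $members -contains $adsPath
}

# Values from the lab. Run this on SP2010-WFE1.
$login       = 'CONTOSO\SP_Admin'
$sqlInstance = 'SP2010-WFE1'

# dbcreator and securityadmin are required by the exercise. sysadmin is
# expected to be absent (assumption made for this check).
$expected = @{ dbcreator = $true; securityadmin = $true; sysadmin = $false }

$roles = Get-SqlServerRoleMembership -SqlInstance $sqlInstance -Login $login `
    -Roles 'dbcreator', 'securityadmin', 'sysadmin'

foreach ($r in $roles) {
    $state = 'OK'
    if ($r.IsMember -ne $expected[$r.Role]) { $state = 'REVIEW' }
    '{0,-7} SQL role {1,-14} member={2}' -f $state, $r.Role, $r.IsMember
}

$isLocalAdmin = Test-LocalAdministrator -Account $login
$state = 'OK'
if (-not $isLocalAdmin) { $state = 'REVIEW' }
'{0,-7} local Administrators member={1}' -f $state, $isLocalAdmin
```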


Exercise 2: Installing SharePoint Server Prerequisites


Scenario
You must install certain software components and perform specific configuration
prior to installing SharePoint 2010. You use the Prerequisites Installer to ensure
that the required elements are in place.
The main tasks for this exercise are as follows:
1. Attempt to install SharePoint Server prerequisites.

2. Identify prerequisite installation errors.

3. Copy SharePoint prerequisite installation files.

4. Script the installation of SharePoint Server prerequisites.

 Task 1: Attempt to install SharePoint Server prerequisites


1. Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password
Pa$$w0rd.

2. Run D:\Software\SharePointServer2010\default.hta.

3. Click Install software prerequisites.

4. Step through the Microsoft SharePoint 2010 Products Preparation Tool.

The prerequisite installer prepares the server.
The Microsoft SharePoint 2010 Products Preparation Tool displays the
message, "There was an error during installation." A summary of prerequisite
installation status is also displayed.

 Task 2: Identify prerequisite installation errors


1. Click Review the log file.

2. Find the first instance of the text 976462. Observe the lines in the log file that
indicate that the prerequisite installer checked for the existence of Hotfix for
Microsoft Windows (KB976462).

3. Find the next instance of the text 976462. Observe the lines in the log file that
indicate that the prerequisite installer attempted to download Hotfix for
Microsoft Windows (KB976462) from microsoft.com. Observe the URL that
was used.
You can use this URL to download the prerequisite manually. Click Cancel
and then close the log file.

4. Close the Microsoft SharePoint 2010 Products Preparation Tool and the
SharePoint Server 2010 Start page.

 Task 3: Copy SharePoint prerequisite installation files

Copy and paste all of the files from D:\Software\SharePoint Prerequisites to
D:\Software\SharePointServer2010\PrerequisiteInstallerFiles.

 Task 4: Script the installation of SharePoint Server prerequisites


1. Open Notepad. Type the following, on one line, with spaces between each
switch:

/SQLNCli:PrerequisiteInstallerFiles\sqlncli.msi
/ChartControl:PrerequisiteInstallerFiles\MSChart.exe
/KB976462:PrerequisiteInstallerFiles\Windows6.1-KB976462-v2-x64.msu
/IDFXR2:PrerequisiteInstallerFiles\Windows6.1-KB974405-x64.msu
/Sync:PrerequisiteInstallerFiles\Synchronization.msi
/FilterPack:PrerequisiteInstallerFiles\FilterPack.msi
/ADOMD:PrerequisiteInstallerFiles\SQLSERVER2008_ASADOMD10.msi
/ReportingServices:PrerequisiteInstallerFiles\rsSharePoint.msi
/Speech:PrerequisiteInstallerFiles\SpeechPlatformRuntime.msi
/SpeechLPK:PrerequisiteInstallerFiles\MSSpeech_SR_en-US_TELE.msi

Alternately, you can copy the contents of the file
D:\Labfiles\Lab01\PrerequisiteInstaller.Arguments.txt and paste it into your
Notepad document.

2. Save the file as
D:\Software\SharePointServer2010\PrerequisiteInstaller.Arguments.txt.

3. Close Notepad.

4. Start the Command Prompt using the Run as administrator option.


5. Type the following commands, each followed by ENTER:

D:
CD Software\SharePointServer2010
PrerequisiteInstaller.exe

The Microsoft SharePoint 2010 Products Preparation Tool appears.

In a production environment, you would also add the /unattended switch to
the PrerequisiteInstaller.Arguments.txt file to specify a silent, unattended
installation of SharePoint prerequisites. An unattended installation skips the
Welcome page and the license agreement.
For this lab, however, you did not use the /unattended switch so that you may
observe the progress of the prerequisite installer and ensure that there are no
errors in your script.

6. Step through the Microsoft SharePoint 2010 Products Preparation Tool. When
installation has completed successfully, click Finish to close the tool.

Results: After this exercise, you should have installed and configured all SharePoint
Server 2010 prerequisites.


Exercise 3: Installing SharePoint Server


Scenario
You are ready to install SharePoint Server 2010. In this exercise, you install the
SharePoint binaries. In the next exercise, you finish the initial configuration of the
SharePoint installation.
You may choose to perform installation manually or to script the installation of
SharePoint Server.
The main tasks for this exercise are as follows:
1A. Install SharePoint Server.
or
1B. Script the installation of SharePoint Server.

 Task 1A: Install SharePoint Server


1.

In the SharePointServer2010 folder, double-click default.hta. On the


SharePoint Server installation splash screen, click Install SharePoint Server.

2.

Complete the installation wizard using the following configuration


information:

For the Product Key, type 36BY2-DVVJY-6426X-PXWVQ-BM342.

On the Permissions page, select the I accept the terms of this agreement
check box, and then click Continue.

On the Choose the installation you want page, click Server Farm.

On the Server Type page, select the Complete option, and then click
Install Now.
Installation proceeds for approximately 7-10 minutes.

3. When installation completes, clear the Run the SharePoint Products
Configuration Wizard now check box, and then click Close.

4. On the SharePoint installation splash screen, click Exit, and then close the
Windows Explorer window that displays the contents of the
SharePointServer2010 folder.

 Task 1B: Script the installation of SharePoint Server


1. Edit D:\Software\SharePointServer2010\Files\SetupFarmSilent\config.xml.

2. Replace line 11 with the following line:


<PIDKEY Value="36BY2-DVVJY-6426X-PXWVQ-BM342" />

Remove the comment tags, <!-- and -->.


3. Replace the Display element with the following:


<Display AcceptEULA="yes"
Level="basic"
CompletionNotice="yes" />

Alternately, copy D:\Labfiles\Lab01\config.xml to the
D:\Software\SharePointServer2010\Files\SetupFarmSilent folder, overwriting the
existing file.

4. Save the file and close Notepad.

5. Start Command Prompt using the Run as administrator option.

6. Type the following command on one line, and then press ENTER:

"D:\Software\SharePointServer2010\setup.exe" /config "D:\Software\SharePointServer2010\Files\SetupFarmSilent\config.xml"

Installation takes approximately 7-10 minutes.


7. You can monitor the progress of the SharePoint installation using any of these
methods:

Click Start, type %temp%, and then press ENTER. Open the log named
SharePoint Server Setup*.log.

Open Task Manager, and then monitor processes including Msiexec.exe,
Setup.exe, Mscorsvw.exe, and Psconfigui.exe.

8. Clear the Run the SharePoint Products Configuration Wizard now check
box and then close the Run Configuration Wizard page.

Results: After this exercise, you should have installed SharePoint Server 2010.

Exercise 4: Configuring the SharePoint Installation


Scenario
You are ready to complete the configuration of the SharePoint installation. In this
exercise, you use the SharePoint Products Configuration Wizard to configure the
server and the farm.
You may choose to perform configuration manually or to script the configuration
of SharePoint Server and of the new farm.
The main tasks for this exercise are as follows:
1A. Run the SharePoint Products Configuration Wizard.
or
1B. Perform a scripted configuration of SharePoint Server.

 Task 1A: Run the SharePoint Products Configuration Wizard


1. Open the SharePoint 2010 Products Configuration Wizard.

2. Complete the wizard using the following configuration information:

Connect to a server farm: Create a new server farm

Database server: SP2010-WFE1

Database access username: CONTOSO\SP_Farm

Database access password: Pa$$w0rd

Farm passphrase: 10174_SharePoint_2010

Central Administration port number: 9999

The Configuring SharePoint Products page indicates the progress of
configuration, which takes approximately five minutes.

3. When configuration has completed successfully, click Finish.

Windows Internet Explorer appears and opens the Help Make SharePoint
Better page. This is the Customer Experience Improvement survey page of the
SharePoint 2010 Central Administration Web site.

4. Select Yes, I am willing to participate (Recommended), and then click OK.

5. Close Internet Explorer.

You configure SharePoint in a later lab.

 Task 1B: Perform a scripted configuration of SharePoint Server


1. Start Windows PowerShell 2.0 using the Run as administrator option.

2. Type the following command, and then press ENTER:

D:\Labfiles\Lab01\ConfigureSharePoint.ps1

The Windows PowerShell Credential Request dialog box appears.

3. In the Password box, type Pa$$w0rd, and then press ENTER.

A prompt appears to enter the farm passphrase.

4. Type 10174_SharePoint_2010, and then press ENTER.

Configuration proceeds for 7-10 minutes.

5. When the prompt Press Enter to exit appears, press ENTER.

Results: After this exercise, you should have configured SharePoint Server 2010 as a
single-server farm with the Central Administration application on port 9999.
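
The lab does not show the contents of ConfigureSharePoint.ps1. The following script is an added example, not the lab's script: it shows a farm-creation sequence built from the SharePoint 2010 cmdlets that prompts for the farm account password and the farm passphrase instead of storing them in the file. The server name, farm account, and port come from this lab; the two database names are assumptions.

```powershell
# Added example; not the lab's ConfigureSharePoint.ps1.
# Run in an elevated Windows PowerShell session on the SharePoint server.
$ErrorActionPreference = 'Stop'
Add-PSSnapin Microsoft.SharePoint.PowerShell

# Values taken from the lab.
$databaseServer   = 'SP2010-WFE1'
$farmAccountName  = 'CONTOSO\SP_Farm'
$centralAdminPort = 9999

# Assumed database names (not given in the lab text).
$configDatabase = 'SharePoint_Config'
$adminContentDb = 'SharePoint_AdminContent'

# Prompt for both secrets so that neither is written into the script,
# the command line, or a transcript.
$farmCredential = Get-Credential -Credential $farmAccountName
$passphrase     = Read-Host -Prompt 'Farm passphrase' -AsSecureString

# Create the configuration database and the farm. The passphrase is the
# value that later protects the farm's stored credentials, so it is
# passed only as a SecureString.
New-SPConfigurationDatabase `
    -DatabaseServer $databaseServer `
    -DatabaseName $configDatabase `
    -AdministrationContentDatabaseName $adminContentDb `
    -FarmCredentials $farmCredential `
    -Passphrase $passphrase

# Stop here if the farm object cannot be read back.
$farm = Get-SPFarm
Write-Host "Farm created: $($farm.Name)"

# Apply file system and registry permissions, then register services
# and features on this server.
Initialize-SPResourceSecurity
Install-SPService
Install-SPFeature -AllExistingFeatures

# Provision Central Administration on the lab's port with NTLM.
New-SPCentralAdministration -Port $centralAdminPort -WindowsAuthProvider 'NTLM'

# Install help content and shared application content.
Install-SPHelpCollection -All
Install-SPApplicationContent

Write-Host "Central Administration: http://$($env:COMPUTERNAME):$centralAdminPort"
```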

Exercise 5: Configuring the Farm with the Farm Configuration Wizard
In this exercise, you use the Farm Setup Wizard to configure the SharePoint farm
and service applications with default settings.
The main tasks for this exercise are as follows:
1. Run the Farm Configuration Wizard.

 Task 1: Run the Farm Configuration Wizard


1. Open SharePoint 2010 Central Administration and start the Farm
Configuration Wizard. For the service account, create a new managed account
using the SP_ServiceApps account with the user name
CONTOSO\SP_ServiceApps, and the password Pa$$w0rd.

2. Observe the list of service applications that will be created by the Farm
Configuration Wizard. Clear the check box next to User Profile Service
Application and then proceed with the wizard by clicking Next.
Farm service applications are created and started. This takes several minutes.
Optionally, you can open SQL Server Management Studio to follow the
progress of the service application database creation.
When the configuration is complete, the Create Site Collection page opens.

3. Click Skip.
You create an intranet in the following exercises.

4. On the Initial Farm Configuration Wizard page, click Finish.

Results: After this exercise, you should have a SharePoint farm and service
applications configured with default settings.

Exercise 6 (Optional): Install a Language Pack


In this exercise, you install the French language pack.
The main tasks for this exercise are as follows:
1. Install the French language pack.

2. Complete the configuration of the language pack.

3. Validate the installation of the language pack.

 Task 1: Install the French language pack


1. Run D:\Software\SharePointLanguagePackFR\ServerLanguagePack.exe.

2. Select the J'accepte les termes de ce contrat check box.

3. Click Continuer.
The language pack installs.

4. On the Exécuter l'Assistant Configuration page, clear the Exécuter
l'Assistant Configuration des produits SharePoint check box.

5. Click Fermer.

 Task 2: Complete the configuration of the language pack

Run the SharePoint 2010 Products Configuration Wizard.


After configuration is complete, SharePoint 2010 Central Administration
opens.

 Task 3: Validate the installation of the language pack


1. In SharePoint 2010 Central Administration, in the Quick Launch, click System
Settings.

2. In the Servers section, click Manage servers in this farm.

3. Confirm that SP2010-WFE1 has the Language Pack for SharePoint, Project
Server, and Office Web Apps 2010 - French/Français installed.

 To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To
do this, complete the following steps:
1. On the host computer, start Microsoft Hyper-V Manager.

2. Right-click the virtual machine name in the Virtual Machines list, and then
click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

Module Review and Takeaways

Review Questions
1. What are the most salient benefits of SharePoint 2010 to your enterprise and
to you as an IT professional?

2. How can you automate the installation of SharePoint prerequisites?

3. In which scenarios would you consider a standalone installation of SharePoint
2010?

4. What prerequisites are required to install SharePoint Server 2010?

5. What new configuration setting has been added to the setup of a SharePoint
Farm?

Common Issues and Troubleshooting Tips


Identify the causes of the following common issues related to SharePoint
installation and fill in the troubleshooting tips. For answers, refer to relevant
lessons in the module.
Issue: The server cannot download a prerequisite from the Microsoft Web site.
Troubleshooting Tip: Download the prerequisite and install it manually, or direct
the prerequisite installer to an available copy of the prerequisite by using a
switch with the PrerequisiteInstaller.exe command or in the
PrerequisiteInstaller.Arguments.txt file.

Issue: The prerequisite installer reports an error.
Troubleshooting Tip: Examine the log in the %TEMP% folder.

Issue: While running the SharePoint Products Configuration Wizard, you are
unable to connect to the SQL database.
Troubleshooting Tip: Ensure that you are logged on as the setup user account and
that the account has been given a login on the SQL server with the dbcreator and
securityadmin server roles.

Real-World Scenarios
1. The training department wants to conduct a course in which site collection
administrators will learn skills required to manage their site collections. Each
site collection administrator in the course requires a test SharePoint farm. You
do not want the test farms to connect to the production SQL Server
environment. What type of installation will you prepare for each site collection
administrator?

2. IT security policy dictates that servers shall have no direct connectivity to the
Internet. However, you need to be able to install SharePoint prerequisites.
What can you do to achieve your goals while maintaining compliance with
security policy?

3. A remote office requires team sites to support its collaboration. The remote
office is connected to the datacenter with a slow connection that will not
provide adequate performance against a team site hosted on the farm at the
datacenter. How would you propose addressing the remote office
requirements while minimizing additional software costs?

Best Practices
Supplement or modify the following best practices for your own work situations:

Follow least-privilege best practices in your planning and
implementation of the user accounts required for SharePoint.

Download all SharePoint prerequisites and configure the
PrerequisiteInstaller.Arguments.txt file to automate the installation of
prerequisites.

Create a Config.xml file to script the installation of SharePoint.

Document the farm passphrase and store it in a secure location.

Tools
Tool: SharePoint Server 2010 Start page
Use for: Starting prerequisite installation and SharePoint installation
Where to Find It: Default.hta

Tool: Prerequisite installer
Use for: Installing and configuring SharePoint prerequisites
Where to Find It: PrerequisiteInstaller.exe

Tool: SharePoint Installation Wizard
Use for: Installing SharePoint binaries
Where to Find It: Setup.exe

Tool: SharePoint Products Configuration Wizard
Use for: Configuring SharePoint services and features
Where to Find It: On the Start menu or Psconfig.exe

Module 2
Creating a SharePoint 2010 Intranet
Contents:
Lesson 1: Performing Initial Farm Configuration
Lesson 2: Configuring the SharePoint Logical Structure
Lesson 3: Exploring the SharePoint Web Application and Physical Architecture
Lab: Creating a SharePoint 2010 Intranet

Start the Virtual Machines

Before starting this module, start and log on to the virtual machines.
1. Start 10174A-CONTOSO-DC-B.

2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-B.

3. Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password,
Pa$$w0rd.

Module Overview

After installing your Microsoft SharePoint farm, you are ready to begin
establishing content, such as an organizational intranet site. In this module, you
will create a SharePoint-based intranet and, as you do so, you will learn key
concepts and skills related to the logical architecture of SharePoint including Web
applications, site collections, sites, and content databases.

Lesson 1

Performing Initial Farm Configuration

After you have installed Microsoft SharePoint 2010 on your first server in the farm,
and after you have run the SharePoint Products Configuration Wizard, you still
must configure services, accounts, and settings on the farm itself. In this lesson,
you'll use the Configure Your Farm Wizard to automate the process of initial farm
configuration, and you'll begin the exploration of SharePoint's components,
technologies, and features by examining the high-level tasks that the wizard
performs.
After completing this lesson, you will be able to understand the high-level
structure, components, and functioning of the farm.

Walkthrough: Farm Configuration Wizard

Run the Farm Configuration Wizard


1. Open SharePoint 2010 Central Administration. At the User Account
Control dialog box, click Yes.

2. In the Central Administration Quick Launch, click Configuration Wizards.

3. In the Farm Configuration section, click Launch the Farm Configuration
Wizard.
If the Help Make SharePoint Better page opens, click Yes, I am willing to
participate (Recommended), and then click OK.

4. On the Configure your SharePoint farm page, click Start the Wizard.

5. In the Service Account section, take note of the existing managed account.

6. Observe the list of service applications that are selected or can be selected.

7. Click Next.
Farm service applications are created and started. This takes several minutes.
Optionally, you can open SQL Server Management Studio to follow the
progress of the service application database creation.
When the configuration is complete, the Create Site Collection page opens.

8. On the Create Site Collection page, click Skip.

9. On the Initial Farm Configuration Wizard page, click Finish.

Farm Configuration Wizard

The Farm Configuration Wizard applies the default settings for services, proxies,
proxy groups, and accounts.
The wizard makes it easy to get a farm up-and-running using out of the box
defaults. It is particularly well suited to configuring a SharePoint farm for testing,
training, or development when there are no requirements for farm or service
customization.
In most production environments, however, business requirements lead to farm
topology designs and configurations that differ from SharePoint's out-of-box
defaults. Therefore, it is generally recommended to configure the farm manually in
a production environment.
You will learn, through the modules in this course, how to configure services,
service applications, proxies, application proxy groups, managed accounts, and
other farm components.

Service Applications: An Overview

Service applications are a very important concept to understand in SharePoint
2010. Although they perform a role similar to Shared Service Providers (SSPs) in
SharePoint 2007, there are significant differences between service applications and
SSPs.

Service Application
A service application provides specific functionality, such as search, that may be
required by a Web application. In the end, Web applications connect to and
consume the service provided by a service application.
Examples of service applications are:

The Search Service Application, which supports crawling, indexing, and
querying.

The Business Connectivity Service, which enables SharePoint to connect to
external data sources.

The Managed Metadata Service, which provides taxonomy and managed
content types.

The User Profile Service, which synchronizes user profile attributes from
Active Directory and other sources.

Application Connection (Proxy)

A service application's application connection, also called a proxy, creates the
connection point for the Web application.

Application Connection Group (Proxy Group)


Typically, a Web application requires more than one service application, and
several Web applications require the same service applications. To make it easier
for you to manage the connection between Web applications and service
applications, application connection groups, also called proxy groups, create a logical
grouping of service application connections (proxies). A Web application connects
to an application connection group and, thereby, connects to all of the connections
that are members of that connection group.
The Farm Configuration Wizard sets up all service applications and creates a single
application connection group, default, that is available and can be used by any Web
app in the farm.

Architecture
Service applications are part of SharePoint Foundation 2010. This means that the
architecture is part of the platform, in contrast to SharePoint 2007 in which SSPs
were introduced by Microsoft Office SharePoint Server 2007 and not by Windows
SharePoint Services v3.
In SharePoint 2010, most new services are built on the Windows Communications
Framework (WCF), which means they have optimization built into their protocol,
using binary streams instead of XML to transfer data.

Setup and Administration


Service apps are administered in Central Administration like all Web applications.
In MOSS 2007, the SSP had a separate administrative application. Service apps can
be remotely managed and monitored. Service apps can be administered by using
Windows PowerShell.

Flexible Topology
A service application provides a single set of functionality. A Web application can,
through application connection groups, connect to one or more service
applications based on the needs of the Web app. This is in contrast to the SSP in
SharePoint 2007, which contained a bundle of services and a Web application that
was connected to the SSP and incurred the overhead of all services in the SSP.
A service app can also be published so that it can be consumed by applications on
another farm.

Whiteboard Diagram

Label the following components in the preceding diagram:

SharePoint server

Service instance, for example, the instance of the Search service

Service application, for example, the instance of the Search Service application

Application connection (proxy)

Application connection group (proxy group)

Web application

Association of the Web application to the application connection group

Additional Reading

Module 8, "Configuring and Securing SharePoint Services and Service
Applications," details managed accounts.

Managed Accounts: An Overview

Service accounts are user accounts used by a service to log on to Windows. When
you configure a service, you associate an identity (a user name and password) with
the service. When the service starts, it authenticates using that account just as a
user authenticates when logging onto a system. The service account must have
sufficient permissions for the service to perform its tasks.
Traditionally, service accounts have been difficult for enterprises to manage,
because when you change the password of the service account in Active Directory,
you must then reconfigure the service with the new password, otherwise it will be
denied logon. Because of this challenge, enterprises have typically sacrificed
security best practices and have configured service accounts with passwords that
never expire.
SharePoint 2010 introduces the concept of managed accounts. Managed accounts
are service accounts with which SharePoint services run. Unlike traditional service
accounts, however, SharePoint is able to perform password resets on the accounts
in Active Directory, and it can update the service with a new password. All of this
can be done automatically, without administrative intervention.

A managed account starts like any service account: a domain user account is
created in Active Directory.
You then register the account as a managed account using SharePoint 2010
Central Administration. At that time, you enter both the username and password of
the account.
When you configure a service application, application pool, or any other
component that requires an identity, you can specify which managed account
should be used. In this way, SharePoint is able to maintain a database of
associations between managed accounts and services.
Additionally, and in contrast to SharePoint 2007, when you assign an identity to a
service application, SharePoint 2010 configures any permissions or rights required
for the identity.
When it comes time to change the password of a managed account, you do so with
SharePoint Central Administration, rather than with Active Directory Users and
Computers. SharePoint is able to change the password of the account in the
domain, and it can reconfigure the services associated with that identity to allow
the use of a new password.
You can also configure SharePoint to change passwords automatically based on the
domain password expiration and complexity policies. In this way, the managed
account passwords are known only to the farm, and cannot be used by an
administrator, accidentally or intentionally, to cause damage to the farm.
The managed account credentials are encrypted. The encryption process begins
with the farm passphrase that is specified during SharePoint configuration. The
farm passphrase is stored in a secure key of the Registry. The farm passphrase
encrypts a private key that is stored in the SharePoint Config database. Private keys
are used to encrypt account credentials.
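
The registration and automatic password change described above can also be done from Windows PowerShell. The following is an added example, not part of the course materials: it registers CONTOSO\SP_ServiceApps as a managed account if it is not registered yet, then lets SharePoint generate and rotate the password. The five-day lead time and the monthly schedule string are assumed values.

```powershell
# Added example; not part of the course materials.
# Run in an elevated SharePoint 2010 Management Shell session.
$ErrorActionPreference = 'Stop'
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accountName = 'CONTOSO\SP_ServiceApps'   # account name used in this course

# Look the account up without raising an error when it is not registered.
$managed = Get-SPManagedAccount | Where-Object { $_.Username -eq $accountName }

if (-not $managed) {
    # Prompt for the current password; it is needed once, at registration.
    $credential = Get-Credential -Credential $accountName
    $managed = New-SPManagedAccount -Credential $credential
    Write-Host "Registered $accountName as a managed account."
}

# Hand password management to SharePoint: generate a new password,
# change it in Active Directory, and update every service that runs
# under this identity.
# Assumed values: change 5 days before expiry, in a monthly window.
Set-SPManagedAccount -Identity $managed `
    -AutoGeneratePassword `
    -PreExpireDays 5 `
    -Schedule 'monthly between 7 02:00:00 and 7 03:00:00' `
    -Confirm:$false

# Review which managed accounts still rely on a manually set password.
Get-SPManagedAccount |
    Select-Object Username, AutomaticChange, PasswordExpiration, ChangeSchedule |
    Format-Table -AutoSize
```

Accounts that show AutomaticChange as False in the final table still depend on an administrator knowing and changing the password by hand.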

Additional Reading

Module 8, "Configuring and Securing SharePoint Services and Service
Applications," details managed accounts.

Lesson 2

Configuring the SharePoint Logical Structure

Now that the SharePoint farm is installed and configured, you can turn your
attention to the creation of Web applications, site collections, sites, and content
databases. These are the primary components of the SharePoint logical structure.
In this lesson, you will learn how to create the architecture for a simple SharePoint
intranet and, along the way, come to understand the characteristics of and issues
related to each of these logical components.
After this lesson, you will be able to:

Identify components of a logical architecture

Manage Web applications

Manage Site collections

Delegate site collection administration

Configure quotas

Manage sites

Configure managed paths

Manage content databases

SharePoint Logical Structure

The diagram shown on the slide above represents the logical structure of
SharePoint.

A Web application is the highest level component of the logical structure within
a farm. A farm can have one or more Web applications.

Within a Web application are one or more site collections. Site collections have
a URL that is a managed path.

A site collection contains one or more sites. When you create a site collection,
you also create the top-level site in that site collection. Below that top-level site
can be one or more additional sites, often referred to as subsites or subwebs.

Within a site are pages, lists, and libraries.

Lists and libraries can contain folders.

Within lists and libraries, possibly organized into folders, are items and
documents, respectively.

A site collection and all of its content is hosted in a content database. There
can be one or more content databases associated with a Web application.

An important element of the diagram shown above is that when you create a site
collection, you also create a top-level site. They are two separate components, but
they always go hand-in-hand. You can't have a site collection without a top-level
site, and you can't have a top-level site without also having a site collection.

Request a Page from a SharePoint Site

The top-level logical component within a farm is the Web application. A Web
application in SharePoint corresponds to a site in Internet Information Services
(IIS).
To understand the configuration parameters you must provide when you create a
Web application, it is helpful to understand how a client (a Web browser, for
example) connects to a site.
This slide illustrates the process with which a browser retrieves a page from a
SharePoint site.

With a browser opened, a user enters a URI (Universal Resource Identifier),
also called a URL (Uniform Resource Locator). This is the request that the user
makes.

The URI includes a protocol, such as http: and an address, typically specified
as a domain name system (DNS) name, such as intranet.contoso.com. Often,
the URI also includes a path or page that specifies a resource within the target
site, such as /default.aspx.

The request must be sent to the server hosting the Web site. Therefore, the
DNS name of the server must be resolved to its IP address. The client sends a
query to its DNS server requesting a lookup of the Web server's DNS name,
intranet.contoso.com.

The DNS server resolves the query and returns the IP address of the server, for
example, 10.0.0.11.

The client can now send the request to the Web server using the server's IP
address. The request is sent to a specific port on the server based on the
protocol or a port specified in the URI. For Web requests, port 80 is used
unless otherwise specified.

IIS on the server receives the request and must hand the request to the correct
site. The server knows which site should get the request based on the site's
bindings. A site can be bound to a specific IP address or port. Typically,
however, a Web server hosts multiple sites and it is not efficient or sometimes
even possible to assign a unique IP address or port to each site. Therefore, it is
typical to see a Web server hosting multiple sites all bound to the same IP
address and port.
How then can the server know which site should handle the inbound request?
While the inbound request targets a specific IP address and port, the request
itself contains the DNS name of the Web site in a field called the host header.
Sites on the server can be bound to the host headers that correspond to the
DNS name of the site. Therefore, while requests for different sites may be
coming into the same IP address and port, IIS is able to forward requests to
the correct sites based on the host header.

If a site happens to be a SharePoint site, SharePoint takes the request,
examines the URI, and retrieves the content from the appropriate content
database on the SQL Server.

At each point in the process, security controls can be applied to ensure that
users can get only to the content they need.

Create a Web Application

A Web application is a logical unit that contains one or more site collections. A
Web application is associated with an IIS Web site, but can have up to five IIS Web
sites with which it is associated. Each Web application's IIS Web site runs in the
context of an application pool.
You use Web applications to isolate content, processes, features, and users.

You can separate content that is accessible by anonymous users from content
that is accessed by authenticated users, or content that is accessible by
partners from content that is accessible by employees, by hosting the content
in separate Web applications.

Each Web application has a unique domain name, which helps to prevent
cross-site scripting attacks.

You can assign a unique application pool to a Web application, which isolates
its processes.

When you create a new Web application, you also create a new content
database that defines the authentication method used by the application pool
to connect to the database.

When you create a new Web application, you specify the authentication
method used to connect to the IIS Web site.

SharePoint Server 2010 provides a set of service applications that are available
for each Web application. You can select which service applications you want
to use for each Web application that you create by associating the Web
application with a proxy group or by specifying a custom set of service
applications for the Web application. For more information, see Module 8,
"Configuring and Securing SharePoint Services and Service Applications."
Service applications are associated with Web applications.

Policy can be specified uniquely for each Web application. For more
information, see Module 6, "Securing Content."

Create a Web Application


The following procedures create a Web application that uses Windows-classic
authentication, and NTLM as the authentication provider. In other words, the Web
application will use your Active Directory domain for authentication.

Create a Web Application by Using Central Administration


1. In the Central Administration Quick Launch, click Application
Management.

2. In the Web Applications section, click Manage web applications.

3. On the Web Applications tab of the ribbon, click New.
The Create New Web Application page appears.

4. In the Authentication section, select the authentication method, for example,
Classic Mode Authentication.
For more information, see Module 5, "Configuring Authentication."

5. In the IIS Web Site section, in the Port box, type 80.

Note: The default port number for HTTP access is 80, and the default port number
for HTTPS access is 443. If you want users to access the Web application without
typing in a port number, they should use the appropriate default port number.

6.

In the Host Header box, type the unique DNS name for the Web application,
for example, intranet.contoso.com.
This field is used so that a server can host more than one Web application on
the same port. If the server is hosting only one Web application on the
specified port, this field can be left blank.

7.

In the Name box, type a descriptive name for the Web application, for
example, Intranet intranet.contoso.com.
SharePoint populates the Name box automatically, based on the port and host
header. You should always use a meaningful, descriptive name for the Web
site.
Use the naming standards of your organization to determine the name.

8.

In the Application Pool section, ensure that Create new application pool is
selected.
Microsoft supports up to ten application pools per Web server, however the
limit is dependent largely upon the amount of RAM allocated to front-end
servers and the workload that the farm is serving: the user base and its usage
characteristics.

9.

In the Application Pool Name box, type SharePoint Web Applications.


You should use a meaningful, descriptive name for each application pool that
you create.
Use the naming standards of your organization to determine the name.

10. Under Select a security account for this application pool, in the
Configurable list, select the managed account that will be used as the identity
for the application pool, for example, CONTOSO\SP_ServiceApps.
11. In the Database Name and Authentication section, in the Database Name
box, type a name for the database, for example, WSS_Content_Intranet.
You should always use a meaningful name for your content databases.
Use the naming standards of your organization to determine the name.
12. Click OK.
The Web application and content database will be created. When this process
is complete, the Application Created page appears.

13. Click OK.
The new Web Application is displayed on the Web Applications Management
page.

Tip: Be sure that you have created a host record (A or AAAA) in DNS for the Web
application.

Create a Web Application by Using Windows PowerShell


The following example shows the use of the New-SPWebApplication cmdlet to
create a new Web application:
New-SPWebApplication -Name <Name> -ApplicationPool <ApplicationPool> -ApplicationPoolAccount <ApplicationPoolAccount> -Port <Port> -URL <URL>

Where:

<Name> is the name of the new Web application.

<ApplicationPool> is the name of the application pool.

<ApplicationPoolAccount> is the user account that this application pool will run
as.

<Port> is the port on which the Web application will be created in IIS.

<URL> is the public URL for the Web application.

Additional Reading

Create a Web Application (SharePoint Server 2010) at
http://go.microsoft.com/fwlink/?LinkID=192703&clcid=0x409.

Load Balancing

When you create a Web application, you specify the load balanced URL, for
example, intranet.contoso.com:80.
Load-balancing is a technology that allows the distribution of requests across more
than one Web front end.
Windows Server 2008 can provide load-balancing, but it is common for
organizations with more than one Web front end to utilize hardware-based load
balancers.
A load balancer is assigned the IP address associated with the DNS name of the
Web site. Each Web front end has a unique IP address that is known to the load
balancer. The load balancer receives the client's request, then forwards the request
to one of the Web front ends based on the logic applied by the load balancer.

Create a Site Collection

A site collection is a group of SharePoint Web sites that share common ownership
and administrators, as well as common settings, such as quotas, locks, site use
confirmation and deletion, and self-service site creation.
When you create a site collection, you also create a top-level site in the site
collection. The top-level site can be configured to use a template, also called a site
definition.

Create a Site Collection by Using Central Administration


1. In the Central Administration Quick Launch, click Application Management.

2. In the Site Collections section, click Create site collections.

3. In the Web Application section, ensure that you are focused on the Web
application in which you want to create a site collection.
If necessary, click the Web application picker, and then click Change Web
Application. Click the correct Web application.

4. In the Title box, type a title for the site collection.

5. In the Template Selection section, select the site definition you want to apply
to the top-level site of the new site collection.

6. In the Primary Site Collection Administrator section, in the User name box,
type the user name of the site collection administrator.

7. Click OK.
The site collection is created, and the Top-Level Site Successfully Created page
appears.

8. Click OK.

When you create a site collection, you also create a top-level site within that site
collection. The top-level site is typically created using a site definition, for example,
Team Site or Publishing Site, but it is also possible to create a blank top-level site
that can then be customized later.

Create a Site Collection by Using Windows PowerShell


The following example shows the use of the New-SPSite cmdlet to create a new site
collection.
Get-SPWebTemplate
$template = Get-SPWebTemplate "STS#0"
New-SPSite -Url "<URL for the new site collection>" -OwnerAlias "<domain\user>" -Template $template

Where:

<URL> is the URL of the site collection you want to create.

The -OwnerAlias parameter's <domain\user> value defines the primary site
collection administrator. The -SecondaryOwnerAlias parameter defines the
secondary site collection administrator.

The -Template parameter's value specifies the site definition for the top-level
site; in this example, STS#0, the Team Site template.

Delete a Site Collection


When you delete a site collection, you permanently destroy all content and user
information in the site collection, which includes the top-level site and all subsites.

Delete a Site Collection by Using Central Administration


1. In the Central Administration Web site, in the Quick Launch, click
Application Management.

2. On the Application Management page, in the Site Collections section, click
Delete a site collection.
The Delete Site Collection page opens.

3. On the Delete Site Collection page, expand the Site Collection list, and then
click Change Site Collection.
Use the Select Site Collection page to select a site collection:

   1. In the Web Application drop-down list, click the down arrow, and then
   click Change Web Application.
   The Select Web Application dialog box appears.

   2. Click the name of the Web application that contains the site collection that
   you want to delete.
   Relative URLs of sites in the site collections of the Web application that
   you have selected appear on the Select Site Collection dialog box.

   3. Click the relative URL of the site collection that you want to delete, and
   then click OK.

4. Read the Warning section and verify that the site collection information is
correct.

5. On the Delete Site Collection page, click Delete.
The site collection that you select is deleted.

Delete a Site Collection by Using Windows PowerShell


The following example shows the use of the Remove-SPSite cmdlet to delete a site
collection:
Remove-SPSite -Identity "<URL>" -GradualDelete

Where:

<URL> is the URL of the site collection you want to delete.

The -GradualDelete parameter specifies that you use gradual deletion, which
reduces the load on the system during the deletion process.

Additional Reading

Create a site collection (SharePoint Server 2010) at
http://go.microsoft.com/fwlink/?LinkID=192705&clcid=0x409.

Delete a site collection (SharePoint Server 2010) at
http://go.microsoft.com/fwlink/?LinkID=192706&clcid=0x409.

Site Collection Settings

After creating the site collection, you should configure site collection settings. In
Central Administration, this is done on the Application Management page.

In SharePoint 2010 Central Administration Quick Launch, click Application
Management.

Ownership, Administration, and Access


Site collection owners (the primary and secondary site collection administrators of
a site collection) receive quota and auto-deletion notices. In addition, they have all
the rights associated with site collection administrators.

Assign Site Collection Owners by Using Central Administration


1. In SharePoint 2010 Central Administration Quick Launch, click Application
Management.

2. On the Site Collection Administrators page, in the Site Collection section,
confirm that the site collection for which you want to assign ownership is
selected.
If not, expand the Site Collection drop-down list, and then click Change Site
Collection. Use the Select Site Collection page to select the site collection:

   1. Confirm that the Web Application list displays the Web application that
   contains the site collection for which you want to assign ownership.
   If not, expand the Web Application list, and then click Change Web
   Application. On the Select Web Application page, click the Web
   application.

   2. In the URL list, click the site collection.

   3. Click OK.

3. In the Primary site collection administrator box, type the name of the
primary owner, using the format, DOMAIN\username.

4. In the Secondary site collection administrator box, type the name of the
secondary owner, using the format, DOMAIN\username.

5. Click OK.

Assign Site Collection Owners by Using Windows PowerShell


The following example shows the use of the Set-SPSite cmdlet to assign the site
collection owners:
Set-SPSite -Identity "<SiteCollection>" -OwnerAlias "<DOMAIN\User>" -SecondaryOwnerAlias "<DOMAIN\User>"

Where:

<SiteCollection> is the URL of the site collection to which you want to add a site
collection administrator.

<DOMAIN\User> is the name of the user whom you want to add as a site
collection owner.

The -OwnerAlias parameter defines the primary site collection administrator.

The -SecondaryOwnerAlias parameter defines the secondary site collection
administrator.

Assign Site Collection Administrators


Site collection administrators are owners of the site collection. They are given full
control of the site collection and always have the ability to change permissions on
objects within the site collection. They also have permission to perform a wide
range of administrative tasks within the site collection.
1. In the top-level site of a site collection, click Site Actions, and then click Site
Settings.

2. Click Site Collection Administrators.

3. In the Site Collection Administrators box, type the names of the site
collection administrators, separated by semicolons.

4. Click OK.

Whereas you can assign two site collection owners in Central Administration, you
can assign more than two site collection administrators within the site collection.

Two Sets of Site Collection Administrators


Site collection owners assigned in Central Administration receive e-mail
notifications related to site usage and quotas. Otherwise, the permissions and
capabilities of the two types of site collection administrators are identical.
A farm administrator can assign the primary and secondary site collection
administrators in Central Administration. A site collection administrator can add or
remove site collection administrators in the site collection settings.

Assign Permissions to the Top-Level Site


Each SharePoint site has at least three default groups: Owners, Members, and
Visitors. These three groups have full control, contribute, and read permission
respectively.
1. Click Site Actions, and then click Site Permissions.

2. Click the name of a group to which you want to add members, for example,
Contoso Intranet Visitors.

3. Click New.
The Grant Permissions page opens.

4. In the Users/Groups box, type the name of users or groups that you want to
add to the selected SharePoint group, and then click OK.

To give all authenticated users the ability to browse a site, add the Domain Users
group to the Visitors group of the site.

Additional Reading

Add or remove site collection administrators (SharePoint Server 2010) at
http://go.microsoft.com/fwlink/?LinkID=192707&clcid=0x409.

Quotas
One of the important site collection settings is the quota template associated with
the site collection.
A quota template specifies the maximum storage permitted for each site in a site
collection. Quotas also define the resource utilization limits for Sandboxed
Solutions. Sandboxed Solutions are discussed in Module 7, Managing SharePoint
Customizations.
Quotas define the following:

Storage limit (in MB)

The storage warning level at which site collection owners (primary and
secondary site collection administrators) are notified that the site is
approaching its storage limit. This value must be lower than the storage limit.

Resource usage limit for Sandboxed Solutions (per day).

Resource usage warning level at which site collection owners (primary and
secondary site collection administrators) are notified that the site is
approaching its resource usage limit. This value must be lower than the
resource usage limit.

Create or Modify a Quota Template


Quota templates are defined at the farm level. When you create a quota template,
you simplify the management of storage limits on new site collections.
1. In the Central Administration Quick Launch, click Application Management.

2. On the Application Management page, in the Site Collections section, click
Specify quota templates.
The Quota Templates page opens.
You can create, modify, or delete a quota template from the Quota Templates
page.

3. On the Quota Templates page, in the Template Name section, in the
Template to modify list, select the template that you want to change.
Alternately, to create a new quota template, click Create a new quota template
and then, in the New template name box, type a name for a new quota
template.

4. In the Storage Limit Values section, specify the values that you want to apply
to the template.

   If you want to modify the amount of data that can be stored in the
   database, select the Limit site storage to a maximum of check box, and
   type the new storage limit, in megabytes, in the text box.

   If you want an e-mail message to be sent to the site collection
   administrator when a storage threshold is reached, select the Send
   warning E-mail when Site Collection storage reaches check box, and
   then type the threshold, in megabytes, in the box.

5. In the Sandboxed Solutions With Code Limits section, set the values for a
template for Sandboxed Solutions.

   If you want to limit the resource usage of Sandboxed Solutions in the site
   collection, select the Limit maximum usage per day to check box, and
   then type the daily resource usage limit, in points, in the text box.

   If you want an e-mail message to be sent to the site collection
   administrator when a resource usage threshold is reached, select the Send
   warning e-mail when usage per day reaches check box, and then type
   the daily resource usage warning limit, in points, in the box.
   A point is a relative measurement of resource usage, for example, CPU
   cycles, memory, or page faults. Points enable comparisons between
   measurements of resource usage that could not be compared otherwise.
   See Module 7, Managing SharePoint Customizations, for more detail
   about Sandboxed Solutions.

6. Click OK.

Apply a Quota Template to a Site Collection


A site collection can be associated with one of the farm's quota templates. When a
new site is created in the site collection section, the properties of the quota
templates are applied to the site.
1. In the Central Administration Quick Launch, click Application Management.

2. On the Application Management page, in the Site Collections section, click
Configure quotas and locks.
The Site Collection Quotas and Locks page opens.

3. If you want to change the selected site collection, in the Site Collection
section, expand the Site Collection list, and then click Change Site
Collection. Use the Select Site Collection page to select a site collection.

4. On the Site Collection Quotas and Locks page, in the Site Quota
Information section, expand the Current quota template list, and then select
the new quota template to apply.

5. Click OK.

Updating Quotas
If you update a quota template, or update the site collection quota, the change does
not apply to existing sites. To update quotas on existing sites, you can use
Windows PowerShell's Set-SPSite cmdlet with the -MaxSize parameter.

Site Collection Locks


You can apply locks to prevent users from accessing or modifying content in a site
collection.

The following table describes the locking options that are available in Microsoft
SharePoint Server 2010.
Option                                                  Description
Not locked                                              Unlocks the site collection and makes it available to users.
Adding content prevented                                Prevents users from adding new content to the site collection. Updates and deletions are still allowed.
Read-only (blocks additions, updates, and deletions)    Prevents users from adding, updating, or deleting content.
No access                                               Prevents access to content completely. Users who attempt to access the site receive an access-denied message.

To Lock or Unlock a Site Collection by Using Central Administration


1. In Central Administration, click Application Management.

2. On the Application Management page, in the Site Collections section, click
Configure quotas and locks.
The Site Collection Quotas and Locks page opens.

3. If you want to change the selected site collection, in the Site Collection
section, on the Site Collection menu, click Change Site Collection. Use the
Select Site Collection page to select a site collection.

4. On the Site Collection Quotas and Locks page, in the Site Lock Information
section, select one of the following options:

   Not locked. To unlock the site collection and make it available to users.

   Adding content prevented. To prevent users from adding new content to
   the site collection. Updates and deletions are still allowed.

   Read-only (blocks additions, updates, and deletions). To prevent users
   from adding, updating, or deleting content.

   No access. To prevent access to content completely. Users who attempt to
   access the site receive an access-denied message.

5. If you select Adding content prevented, Read-only (blocks additions,
updates, and deletions), or No access, type a reason for the lock in the
Additional lock information box.

6. Click OK.

Lock or Unlock a Site Collection by Using Windows PowerShell


The following example shows the use of the Set-SPSite cmdlet with the -LockState
parameter to lock or unlock a site.
Set-SPSite -Identity "<SiteCollection>" -LockState "<State>"

Where:

<SiteCollection> is the URL of the site collection that you want to lock or
unlock.

<State> is one of the following values:

Unlock. To unlock the site collection and make it available to users.

NoAdditions. To prevent users from adding new content to the site
collection. Updates and deletions are still allowed.

ReadOnly. To prevent users from adding, updating, or deleting content.

NoAccess. To prevent access to content completely. Users who attempt to
access the site receive an access-denied message.

Additional Reading

Manage site collection storage limits (SharePoint Server 2010) at
http://go.microsoft.com/fwlink/?LinkID=192708&clcid=0x409.

Subsites, Site Collections, and Content Databases

Subsites
A site collection can contain one or more sites. Below the top-level site, you can
create additional sites, also called subsites or subwebs.
The preceding diagram shows subsites for HR and Engineering. The URL for HR
would be http://intranet.contoso.com/HR. The site hierarchy can be even deeper,
but be aware of the 260-character URL length limit.

Multiple Site Collections


A number of governance controls, including content ownership and quota
configuration, are configured at the site collection level. Governance objectives
often drive organizations to create multiple site collections that configure unique
properties for each site collection.

Multiple Content Databases


The content from all sites in a site collection is stored in the content database. A
site collection cannot span more than one content database. The content database
is the core component of storage management, including backup and restore.

Because of this relationship between content databases and storage management,
governance and service level agreements often drive an organization to create
multiple site collections so that site collections can be distributed across content
databases.
The only way to store sites in separate content databases is to put sites in separate
site collections.

Managed Paths

To create a new site collection within a Web application, there must be a managed
path at which to create the site collection.
A managed path is a portion of the URI namespace where the site collections exist.
A managed path is not directly mapped to content within the Web application.
Instead, it is used by SharePoint as a namespace (path) node where site collections
can be created.
An explicit managed path is useful for creating only a single site collection, at the
exact URL specified. For example, the default (root) managed path for our intranet
site is http://intranet.contoso.com/ and a single site collection can be created at
that exact URL.
A wildcard managed path, for example, http://intranet.contoso.com/sites/,
indicates that child URLs of the path are site collections. A wildcard managed path
such as sites/ allows an unlimited number of site collections to be created directly
under the provided path. It is important to note that a site collection (and
therefore, a Web site) cannot be created at the URL of the wildcard path itself.

The default managed path, created when you create any new Web application, is
sites/. However, you can define managed paths with other descriptive names such
as depts (for departments), teams, clients, or projects.
Managed paths allow a SharePoint server to receive a request in the form of a URI
and to determine which part of the URI corresponds to a site collection, by looking
at the list of managed paths for a given Web Application. SharePoint can then go to
the correct content database of the site collection to retrieve the content based on
the remaining portion of the URI.
This means that SharePoint has to look at every managed path for each request, so
Microsoft supports only up to 20 managed paths per Web application.
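
The URL resolution described above, as an added example that is not part of the course material and is a simplified model rather than SharePoint's own implementation. The function names, the managed path table, and the hr/handbook explicit path are constructed for illustration; the code is plain Windows PowerShell and does not need the SharePoint snap-in.

```powershell
# Added example. Constructed managed-path table for the Web application
# http://intranet.contoso.com; 'hr/handbook' is a hypothetical explicit path.
function New-ManagedPathEntry([string] $Path, [string] $Type) {
    New-Object PSObject -Property @{ Path = $Path; Type = $Type }
}

$managedPaths = @(
    (New-ManagedPathEntry ''            'Explicit'),   # root: one site collection at "/"
    (New-ManagedPathEntry 'sites'       'Wildcard'),   # default wildcard path
    (New-ManagedPathEntry 'depts'       'Wildcard'),
    (New-ManagedPathEntry 'hr/handbook' 'Explicit')
)

function Get-PathSegments([string] $Path) {
    # Split on '/', dropping the empty pieces left by leading or trailing slashes.
    $segments = @($Path.Split('/') | Where-Object { $_ -ne '' })
    return ,$segments
}

function Resolve-SiteCollectionUrl {
    param(
        [Parameter(Mandatory = $true)] [uri] $RequestUrl,
        [Parameter(Mandatory = $true)] [object[]] $ManagedPaths
    )

    $webAppUrl       = $RequestUrl.GetLeftPart([System.UriPartial]::Authority)
    $requestSegments = Get-PathSegments $RequestUrl.AbsolutePath

    # Evaluate the longest managed path first so a specific path wins over the root.
    $ordered = $ManagedPaths | Sort-Object { (Get-PathSegments $_.Path).Count } -Descending

    foreach ($managedPath in $ordered) {
        $pathSegments = Get-PathSegments $managedPath.Path

        # A wildcard path needs one more segment: the site collection name.
        # A request for the wildcard path itself therefore never matches it.
        $siteSegmentCount = $pathSegments.Count
        if ($managedPath.Type -eq 'Wildcard') { $siteSegmentCount++ }
        if ($requestSegments.Count -lt $siteSegmentCount) { continue }

        # Case-insensitive, segment-by-segment comparison with the managed path.
        $isMatch = $true
        for ($i = 0; $i -lt $pathSegments.Count; $i++) {
            if ($requestSegments[$i] -ine $pathSegments[$i]) { $isMatch = $false; break }
        }
        if (-not $isMatch) { continue }

        $sitePath = ''
        if ($siteSegmentCount -gt 0) {
            $sitePath = '/' + ($requestSegments[0..($siteSegmentCount - 1)] -join '/')
        }
        $remainder = ''
        if ($requestSegments.Count -gt $siteSegmentCount) {
            $remainder = $requestSegments[$siteSegmentCount..($requestSegments.Count - 1)] -join '/'
        }

        return New-Object PSObject -Property @{
            Request           = $RequestUrl.AbsoluteUri
            ManagedPath       = "$($managedPath.Path)/ ($($managedPath.Type))"
            SiteCollectionUrl = $webAppUrl + $sitePath
            RemainingPath     = $remainder   # looked up inside the site collection
        }
    }
    return $null   # no managed path matched, for example when no root path is defined
}

# Constructed requests: a wildcard child, the wildcard path itself,
# an explicit path, and a page in the root site collection.
$requests = @(
    'http://intranet.contoso.com/depts/HR/Lists/Tasks/AllItems.aspx',
    'http://intranet.contoso.com/sites/',
    'http://intranet.contoso.com/hr/handbook/Pages/default.aspx',
    'http://intranet.contoso.com/Pages/default.aspx'
)
$requests |
    ForEach-Object { Resolve-SiteCollectionUrl -RequestUrl $_ -ManagedPaths $managedPaths } |
    Format-List Request, ManagedPath, SiteCollectionUrl, RemainingPath
```

Every managed path in the table is examined for each request, which is the per-request cost behind the supported limit of 20 managed paths per Web application.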

Add Managed Paths for a Web Application by Using Central Administration


1. On the SharePoint 2010 Central Administration Web site, in the Quick
Launch, click Application Management.

2. On the Application Management page, click Manage web applications.

3. Click the Web application for which you want to manage paths. The ribbon
becomes active.

4. On the ribbon, click Managed Paths.

5. On the Define Managed Paths page, in the Add a New Path section, type the
path you want to include.

6. Click Check URL to confirm the path name.

7. Use the Type drop-down menu to identify the path as either Wildcard
inclusion or Explicit inclusion.

   The Wildcard inclusion type includes all URLs that are immediately
   subordinate to the specified URL.

   The Explicit inclusion type includes only the URL that is indicated by the
   specified path.

8. Click Add Path.

9. When you have finished adding paths, click OK.

Remove Managed Paths for a Web Application by Using Central Administration

1. On the SharePoint 2010 Central Administration Web site, in the Quick
Launch, click Application Management.

2. On the Application Management page, click Manage Web Applications.

3. Click the Web application for which you want to manage paths.
The ribbon becomes active.

4. On the ribbon, click Managed Paths.

5. On the Define Managed Paths page, in the Included Paths section, click the
check box next to the path that you want to remove.

6. Click Delete selected paths.

Warning: Deletion is immediate. You will have no additional opportunity to
confirm.

7. When you have finished removing paths, click OK.

Add a Managed Path by Using Windows PowerShell


The following example shows the use of the New-SPManagedPath cmdlet to add a
managed path to a Web application:
New-SPManagedPath [-RelativeURL] "</RelativeURL>" -WebApplication <WebApplication>

Where:

</RelativeURL> is the relative URL for the new managed path. The type must
be a valid partial URL, such as site or sites/teams/.

<WebApplication> is the URL of the Web application to which the managed
path will be added.

Remove a Managed Path by Using Windows PowerShell


The following example shows the use of the Remove-SPManagedPath cmdlet to remove a
managed path from a Web application:
Remove-SPManagedPath [-Identity] <ManagedPathName> -WebApplication <WebApplication>

Where:

<ManagedPathName> is the name of the managed path to delete.

<WebApplication> is the URL of the Web application that hosts the managed
path to delete.

Additional Reading

SharePoint 101: Managed Paths, at
http://go.microsoft.com/fwlink/?LinkID=192710&clcid=0x409.

Define managed paths (SharePoint Server 2010) at
http://go.microsoft.com/fwlink/?LinkID=192709&clcid=0x409.

Content Databases

Site Collections and Content Databases


A site collection is hosted in one content database. A site collection cannot span
across content databases.
Out-of-box recovery tools require the restoration of a content database. The time
required to restore a content database should be within the service level defined by
your SharePoint governance plan. A large content database may take so long to
restore that you might fail to achieve your service level objective.

Scalability
From a logical storage management perspective, it would make sense for each site
to be a separate site collection in a separate content database. However, for
performance reasons, such an approach is often not feasible. In fact, several
scalability guidelines apply to SharePoint Server 2010.

Become aware of scalability boundaries:

300 content databases per Web application are supported.
Additionally, the RAM and performance of your SQL Server limits the total
number of content databases that should be hosted on that server.

200 GB per content database is supported.
Content database sizes up to 1 terabyte are supported only for large, single-site
repositories and archives with non-collaborative I/O and usage patterns, such
as Records Centers. Larger database sizes are supported for these scenarios
because their I/O patterns and typical data structure formats have been
designed for, and tested at, larger scales.

100 GB per site collection are supported. If a content database contains only
one site collection, then the site collection can be up to 200 GB.

250,000 Web sites per site collection are supported. Up to 2,000 subsites of a
given Web site are supported.

When designing a strategy for content databases, consider your service level
objectives. Include the recovery time objective (how quickly your deleted or
corrupted content is brought back online) and your recovery point objective (how
far back in time your historical backups are maintained). You must also consider
performance, such as the scalability guidelines mentioned above.

Additional Reading

SharePoint Server 2010 Capacity Management: Software Boundaries and
Limits at http://go.microsoft.com/fwlink/?LinkID=192711&clcid=0x409.

Create a Content Database


When you create a Web application, you specify the name of the initial content
database. You can later create additional content databases for the Web
application.

Add a Content Database by Using Central Administration


1. In the Central Administration Quick Launch, click Application Management.

2. In the Databases section, click Manage content databases.

3. On the Manage Content Databases page, in the Web Application section,
ensure that you are focused on the Web application in which you want to
create a site collection.
If necessary, click the Web application picker, and then click Change Web
Application. Click the correct Web application.

4. Click Add a content database.

5. In the Database Name box, type a name for the database, for example,
WSS_Content_Intranet_IT.
Use the naming standards of your organization to determine the name.

6. Click OK.

Add a Content Database by Using Windows PowerShell


The following example shows the use of the New-SPContentDatabase cmdlet to
create a new content database:
New-SPContentDatabase -Name <ContentDbName> -WebApplication <WebApplicationName>

Where:

<ContentDbName> is the name of the content database that you want to create.

<WebApplicationName> is the name of the Web application to which the new
database is attached.

Additional Reading

Add a content database (SharePoint Server 2010) at
http://go.microsoft.com/fwlink/?LinkID=192712&clcid=0x409.

Add a Site Collection to a Content Database


After you create a content database, you can create site collections in that content
database.
When you use Central Administration to create a site collection, Central
Administration automatically determines which content database will contain the
site collection. You cannot specify a content database in Central Administration.

Instead, each content database is evaluated to determine which content database
has the most available sites, based on the content database's maximum sites
property and the current number of sites in the content database. The content
database with the most available sites is used to host a new site collection.
It's important to mention that the size of the content database is not taken into
consideration.
In the event that more than one content database has the same number of available
sites, the content database with the lowest GUID is selected as a tie-breaker.
As you can see, the lack of fine-grained control in Central Administration can be
problematic when you are trying to manage the association of site collections to
content databases.
The -ContentDatabase parameter of the New-SPSite cmdlet can be used to create a
site collection in a specific content database.
You can move site collections between content databases by using Windows
PowerShell.
The following example shows the use of the Move-SPSite cmdlet to move a site
collection between content databases:
Move-SPSite <http://ServerName/Sites/SiteName> -DestinationDatabase <DestinationContentDb>

Where:

<http://ServerName/Sites/SiteName> is the name of the site collection.

<DestinationContentDb> is the name of the destination content database.
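
The automatic placement rule described in this section, modelled as an added example that is not part of the course material or of SharePoint itself. The GUIDs, site counts, the WSS_Content_Intranet_HR name and the SizeGB column are constructed; the MaximumSiteCount, CurrentSiteCount and Id property names are assumed to match the objects that Get-SPContentDatabase returns, and "lowest GUID" is assumed to mean .NET Guid comparison order.

```powershell
# Added example. Constructed inventory; SizeGB is illustrative only and is
# deliberately never read by the selection logic, mirroring the rule above.
function New-DatabaseRecord([string] $Name, [string] $Id, [int] $Max, [int] $Current, [int] $SizeGB) {
    New-Object PSObject -Property @{
        Name             = $Name
        Id               = [guid] $Id
        MaximumSiteCount = $Max
        CurrentSiteCount = $Current
        SizeGB           = $SizeGB
    }
}

$databases = @(
    (New-DatabaseRecord 'WSS_Content_Intranet'    '9f000000-0000-0000-0000-000000000003' 15000 14200  12),
    (New-DatabaseRecord 'WSS_Content_Intranet_IT' '2a000000-0000-0000-0000-000000000001'  5000   150 185),
    (New-DatabaseRecord 'WSS_Content_Intranet_HR' '5c000000-0000-0000-0000-000000000002'  5000   150   3)
)

function Get-NewSiteTargetDatabase {
    param([Parameter(Mandatory = $true)] [object[]] $ContentDatabase)

    $ranked = $ContentDatabase |
        Select-Object Name, Id, SizeGB,
            @{ Name = 'AvailableSites'; Expression = { $_.MaximumSiteCount - $_.CurrentSiteCount } } |
        # Assumption: a database with no available sites is not a candidate.
        Where-Object { $_.AvailableSites -gt 0 } |
        # Most available sites first; the lowest GUID breaks a tie.
        Sort-Object @{ Expression = 'AvailableSites'; Descending = $true },
                    @{ Expression = 'Id';             Descending = $false }

    return @($ranked)[0]
}

$target = Get-NewSiteTargetDatabase -ContentDatabase $databases
"Central Administration would place the next site collection in $($target.Name) " +
    "($($target.AvailableSites) available sites, $($target.SizeGB) GB)"

# To choose the database yourself, use the -ContentDatabase parameter named above:
# New-SPSite -Url "<URL for the new site collection>" -OwnerAlias "<domain\user>" -Template $template -ContentDatabase <ContentDbName>
```

In the constructed inventory two databases tie on available sites, so the GUID decides and the result can be the database closest to the 200 GB supported size.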

Example Logical Architecture

The preceding slide presents a simple view of the logical infrastructure of a typical
intranet or collaboration Web application.
At the root of the Web application is a site collection with a top-level site that
serves as the home page, and may contain general content that applies across
divisions.
Under a managed path, each division, department, or team gets a unique site
collection. The URL to a divisional site is Web application \ [managed path \] site,
for example, http://intranet.contoso.com/depts/HR.
The division's site collection scopes the ownership, user and group definitions,
quotas, and other configuration for the site. Site collections also impose functional
boundaries. Features can be activated or deactivated at the site collection level.
You will typically need far more site collections than you would anticipate, because
governance designs typically require more than one set of configuration at the site
collection level.

Optionally, you can put each division's site collection in a dedicated content
database to manage storage, backup and restore. Keep in mind, however, that there
are performance-related scalability guidelines that might prevent you from putting
every division in a separate site collection in particularly large or complex
implementations.

Lesson 3

Exploring the SharePoint Web Application and Physical Architecture

In the previous lesson, you examined the process where a browser requests and
receives content from a SharePoint site. In this lesson, you will explore in detail the
components of SharePoint, IIS, and Microsoft SQL Server that are responsible for
handling the request on the Web front end.
After this lesson, you will be able to:

Understand the SharePoint engine: the components of the Web application
and service itself.

Among the components you will explore are:

SharePoint and IIS 7.0

SharePoint Web Applications Components

web.config

SharePoint Root

SharePoint Databases

Customized vs. Uncustomized Pages


SharePoint and Internet Information Services (IIS) 7.0 and 7.5

As you learned in Module 1, "Introducing SharePoint 2010," SharePoint 2010 sits
on top of IIS 7.0 and relies on Internet Information Services to process requests.
IIS 7.0 has several features that will make managing your SharePoint 2010
environment easier and increase performance:

HttpModules and HttpHandlers participate in all requests to the server
without having to be associated with the ASP.NET ISAPI filter, which improves
the performance of request processing.

ASP.NET configuration was managed directly in XML files in previous versions
of IIS. The new IIS Manager allows you to visualize configuration values and
make changes in the user interface.

Traditionally, it has been difficult to troubleshoot and debug 500 errors. Now,
with failed request tracing, you can trace the events that lead to such errors.

You can make changes to IIS configuration settings using a .NET API, which
makes it possible to configure IIS using Windows PowerShell.


IIS configuration used to be stored in the metabase. Now, configuration is
stored in the applicationHost.config file.

IIS supports more granular delegation of administration, which makes it
possible to assign roles to administrators without giving them the keys to the
entire Web server.


SharePoint Web Application Components

Key Points
When you create a new SharePoint Web application, several things happen.

A new site is created in IIS. The site is bound to the port and host header
specified by SharePoint.

An application pool is associated with the site.

As you learned in the previous lesson, an existing application pool can be
used by more than one site, which allows the sites to share a single
process and to share the overhead associated with the application pool,
which yields certain efficiencies. Alternately, you can create a new application
pool for the site, which will isolate the site in a separate process and will
incur its own app pool overhead.

Microsoft supports up to ten application pools per SharePoint server. This
number may be reduced depending primarily on the RAM of the server.

A root directory for the Web application is created as a subfolder of
c:\inetpub\wwwroot\wss\virtualdirectories.

Inside the root directory is a .NET configuration file, web.config. The
web.config file defines the application as a SharePoint application.

Virtual directories within the site point to other folders, each with its own
.NET configuration (web.config).

HttpModules add the SharePoint object model properties to the memory
space.


web.config

The web.config file is the key component that makes an IIS Web site a SharePoint
Web application. The web.config file is a typical XML-based .NET config file with
several configuration sections added to it.
Several common configuration sections are:

SafeControls. Defines what controls can be used on a SharePoint page

SafeMode. Determines whether pages are allowed to execute inline .NET code

MergedActions. Allows changes to web.config without actually modifying the
file: it merges the actions specified in selected and other files

BlobCache. Enables caching various file types in a location on the Web front
end, rather than pulling files from the database for each request

For more information, see Module 4, Configuring Content Management.
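
The SafeMode and SafeControls sections described above can be checked mechanically. The following PowerShell is an added example, not part of the course material: it parses a web.config and lists settings worth a security review. The sample XML, the Contoso assemblies, the function names and the review criteria are assumptions made for illustration.

```powershell
# Added example (not from the course): list web.config settings worth a security review.
# The XML is constructed sample data; the Contoso assemblies and the token are made up.
$sampleConfig = @'
<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="true" DirectFileDependencies="10"
              TotalFileDependencies="50" AllowPageLevelTrace="false">
      <PageParserPaths>
        <PageParserPath VirtualPath="/sites/IT/*" CompilationMode="Always"
                        AllowServerSideScript="true" IncludeSubFolders="true" />
      </PageParserPaths>
    </SafeMode>
    <SafeControls>
      <SafeControl Assembly="Contoso.Signed, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef"
                   Namespace="Contoso.Signed" TypeName="*" Safe="True" />
      <SafeControl Assembly="Contoso.WebParts" Namespace="Contoso.WebParts" TypeName="*" Safe="True" />
    </SafeControls>
  </SharePoint>
</configuration>
'@

function New-ReviewItem {
    param([string]$Section, [string]$Item, [string]$Reason)
    # Select-Object fixes the column order (hashtable order is not preserved in PowerShell 2.0).
    New-Object PSObject -Property @{ Section = $Section; Item = $Item; Reason = $Reason } |
        Select-Object Section, Item, Reason
}

function Get-SPWebConfigReviewItem {
    param([Parameter(Mandatory = $true)][xml]$Config)

    $base = '/configuration/SharePoint'

    # SafeMode attributes that turn on diagnostic output for pages.
    $safeMode = $Config.SelectSingleNode("$base/SafeMode")
    if ($null -ne $safeMode) {
        foreach ($name in 'CallStack', 'AllowPageLevelTrace') {
            if ($safeMode.GetAttribute($name) -eq 'true') {
                New-ReviewItem -Section 'SafeMode' -Item $name `
                    -Reason 'Detailed error or trace output is enabled for pages.'
            }
        }
    }

    # PageParserPath entries name the paths where pages may run inline server-side code.
    foreach ($entry in $Config.SelectNodes("$base/SafeMode/PageParserPaths/PageParserPath")) {
        if ($entry.GetAttribute('AllowServerSideScript') -eq 'true') {
            New-ReviewItem -Section 'SafeMode' -Item ($entry.GetAttribute('VirtualPath')) `
                -Reason 'Inline server-side code is allowed under this path.'
        }
    }

    # SafeControl entries that mark every type in an assembly without a strong name as safe.
    foreach ($control in $Config.SelectNodes("$base/SafeControls/SafeControl")) {
        $assembly    = $control.GetAttribute('Assembly')
        $wildcard    = $control.GetAttribute('TypeName') -eq '*'
        $markedSafe  = $control.GetAttribute('Safe') -eq 'True'
        $strongNamed = $assembly -match 'PublicKeyToken=[0-9a-f]{16}'
        if ($wildcard -and $markedSafe -and -not $strongNamed) {
            New-ReviewItem -Section 'SafeControls' -Item $assembly `
                -Reason 'All types are marked safe for an assembly without a strong name.'
        }
    }
}

$items = @(Get-SPWebConfigReviewItem -Config ([xml]$sampleConfig))
$items | Format-Table -AutoSize -Wrap

# For a live Web application, load its file instead (<folder> is a placeholder):
# Get-SPWebConfigReviewItem -Config ([xml](Get-Content 'c:\inetpub\wwwroot\wss\virtualdirectories\<folder>\web.config'))
```

Each row is a prompt for review rather than a verdict: an entry may be legitimate if it was deployed by an approved solution.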


SharePoint Root

If you open the folder that acts as the root directory of a SharePoint Web
application (the Physical Path of the IIS Web site), you will discover that there are
no .aspx files in the folder. Where, exactly, do SharePoint files and pages reside?
Content that is specific to the individual Web application is stored in the Web
app's content database(s) in SQL Server.
However, a significant amount of content is shared across sites and Web
applications in a SharePoint farm. These files are stored in the folder:
C:\Program Files\Common Files\Microsoft Shared\web server extensions\14

This folder is called the SharePoint root. You'll also hear it referred to as the 14 hive,
because in SharePoint 2007, the folder was named 12 and was called the 12 hive.
However, the proper name for the folder in SharePoint 2010 is the SharePoint root.
The folder has many subfolders that drive the core functionality of the SharePoint
farm and Web applications.


Top-level folders
The top-level folders in the SharePoint root include:

ADMISAPI. Web services that manage content deployment.

BIN. Executables that manage search, timer jobs, upgrade, configuration, and
administration.

CONFIG. Configuration files that control code security, Web application
security, and extensions to stsadm.exe and Windows PowerShell.

HCCab. .cab-based help files.

Help. .chm-based Help files.

ISAPI. SharePoint .NET object model .dlls, administration application pages,
SharePoint Web services, and the SharePoint RPC .dll.

LOGS. Usage analysis processing logs and SharePoint log files.

Policy. .dll and .config files.

Resources. .resx files used to create SharePoint objects using an installed
language pack.

TEMPLATE. Site definitions, workflow settings, feature additions, and user
controls.

UserCode. Files that support sandboxed solutions.

WebClients. Configuration files used for the client object model.

WebServices. Files that support service applications.

TEMPLATE folder
The TEMPLATE folder in the SharePoint root contains files that support content
and functionality across SharePoint sites in a farm.
The TEMPLATE folder includes the following subfolders:

1033. English-language SharePoint configuration files. Other folders with
names that correspond to a specific language will exist for other installed
languages.

ADMIN. The site applications for Central Administration.

CONTROLTEMPLATES. User controls that are used across sites.

DocumentTemplates. Document templates that are used across sites.


FEATURES. Features that have been added to extend the SharePoint
functionality.

GLOBAL. A site definition that is inherited by all other site definitions.

IMAGES. Common graphic elements.

LAYOUTS. Pages that implement functionality that is available to all
SharePoint sites.

SITETEMPLATES. Site definitions.

SQL. Scripts that create configuration, search, and content databases, and
upgrade older versions of databases.

THEMES. Styles that can be applied to change the look and feel of a
SharePoint site.

XML. XML configuration files.

Synchronization of the SharePoint Root


When the farm has more than one server, it is critical that the SharePoint root is
the same on each server in the farm. Numerous activities make changes to the
SharePoint root, including:

Adding user controls

Adding site definitions

Adding global images

Adding application pages

Adding themes

It is best to deploy files and functionality to a SharePoint farm using SharePoint
solutions. Solutions are packages, similar to Windows Installer (.MSI) files, which
deploy files and functionality. When you use a solution, the farm does the job of
ensuring that the solution is deployed to all servers.
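
Whether the SharePoint root really is the same on every server can be verified by comparing file hashes. The following PowerShell is an added example, not part of the course material: it builds a hash manifest of a folder tree and reports files that are missing, extra or different between two copies. The function names and the demo folders and files are assumptions; the demo uses temporary folders in place of real servers.

```powershell
# Added example (not from the course): detect drift between two copies of a folder tree,
# such as the TEMPLATE folder of the SharePoint root on two servers in the farm.
function Get-TreeManifest {
    param([Parameter(Mandatory = $true)][string]$Root)

    $rootPath = (Resolve-Path -Path $Root).ProviderPath
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $manifest = @{}
    Get-ChildItem -Path $rootPath -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $stream = [System.IO.File]::OpenRead($_.FullName)
        try { $hash = [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
        finally { $stream.Close() }
        # Key by lower-cased path relative to the root so manifests from two servers line up.
        $relative = $_.FullName.Substring($rootPath.Length) -replace '^[\\/]+', ''
        $manifest[$relative.ToLowerInvariant()] = $hash
    }
    $sha.Clear()
    $manifest
}

function Compare-TreeManifest {
    param(
        [Parameter(Mandatory = $true)][hashtable]$Reference,
        [Parameter(Mandatory = $true)][hashtable]$Difference
    )

    $paths = @($Reference.Keys) + @($Difference.Keys) | Sort-Object -Unique
    foreach ($path in $paths) {
        if (-not $Difference.ContainsKey($path)) { $state = 'OnlyInReference' }
        elseif (-not $Reference.ContainsKey($path)) { $state = 'OnlyInDifference' }
        elseif ($Reference[$path] -ne $Difference[$path]) { $state = 'ContentDiffers' }
        else { continue }   # identical on both sides
        New-Object PSObject -Property @{ Path = $path; State = $state } | Select-Object Path, State
    }
}

# Constructed demo: two temporary folders stand in for the same folder on two servers.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('sproot-demo-' + [guid]::NewGuid())
$wfe1 = Join-Path $demo 'WFE1\TEMPLATE'
$wfe2 = Join-Path $demo 'WFE2\TEMPLATE'
try {
    foreach ($dir in $wfe1, $wfe2) {
        New-Item -ItemType Directory -Path (Join-Path $dir 'LAYOUTS') -Force | Out-Null
        Set-Content -Path (Join-Path $dir 'LAYOUTS\contoso-a.aspx') -Value 'page A'
        Set-Content -Path (Join-Path $dir 'LAYOUTS\contoso-b.aspx') -Value 'page B'
    }
    # Simulate changes made by hand on the second server only.
    Add-Content -Path (Join-Path $wfe2 'LAYOUTS\contoso-a.aspx') -Value 'edited in place'
    Remove-Item -Path (Join-Path $wfe2 'LAYOUTS\contoso-b.aspx')
    Set-Content -Path (Join-Path $wfe2 'LAYOUTS\contoso-c.aspx') -Value 'copied by hand'

    $drift = @(Compare-TreeManifest -Reference (Get-TreeManifest -Root $wfe1) `
                                    -Difference (Get-TreeManifest -Root $wfe2))
    $drift | Format-Table -AutoSize
}
finally {
    Remove-Item -Path $demo -Recurse -Force -ErrorAction SilentlyContinue
}
```

In a farm, build each manifest on its own server and compare them after every solution deployment; entries that differ point to files changed outside a solution package.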


SharePoint Databases

A SharePoint implementation consists of numerous databases stored in SQL
Server:

Each farm has a configuration, or config database. The configuration database
contains data about SharePoint databases, Internet Information Services (IIS)
Web sites, Web applications, trusted solutions, Web Part packages, site
templates, and Web application and farm settings specific to SharePoint 2010
products, such as default quota settings and blocked file types.

Each service application can have one or more databases.

Each Web application stores its content in one or more content databases, in
addition to using shared content in the SharePoint root. Content databases
include content from list and document libraries, document versions,
workflow instances, Web Part properties, audit logs, and sandboxed solutions,
in addition to user names and rights.

As you learned earlier in this module, all the data for a specific site collection
resides in one content database on only one server. A content database can be
associated with more than one site collection.


Content Database Tables


Content database tables include:

AllDocs. Stores data for all documents in the SharePoint Store.

AllDocStreams. Stores the document stream and related data for unghosted
pages and documents with content streams stored in the content database.

AllDocVersions. Stores streams for previous versions of files.

AllUserData. Stores data for all list and document libraries. The table provides
a fixed number of generic columns in various data types, affording storage for
application-defined variable schemas. A list item may be represented by more
than one row in this table, if its list's schema requires more entries of a
particular data type than are available in a single row. Application-defined
metadata for documents in document libraries also resides in AllUserData, and
it is accessed via joins with the Docs View.

RecycleBin. Deleted items from all sites in the site collection.

WebParts. Provides available Web Parts.

Webs. Provides configuration of each site (Web) in the site collection.

Additional Reading

Database types and descriptions (SharePoint Server 2010) at
http://go.microsoft.com/fwlink/?LinkID=192713&clcid=0x409.

Storage and SQL Server capacity planning and configuration (SharePoint
Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192714&clcid=0x409.

MSDN, Tables and Views at http://go.microsoft.com/fwlink/?LinkID=192715&clcid=0x409.


Customized vs. Uncustomized Pages

Key Points
When you create a site, a special collection of files called the site definition
generates the initial, default content for the site. A subset of this content is the
pages that make up the site, for example, default.aspx, the home page.
The default.aspx page does not reside in the content database itself. Instead, it
resides in the SharePoint root on the file system of the Web front-end servers. All
sites in a SharePoint farm, by default, use the same default.aspx page. Of course,
the home page of each site is typically different. This is supported because the
default.aspx page defines content areas and Web Part zones, but the actual content
and the properties of each Web Part are specific to each site, and are stored in the
site's content database.


When a page such as default.aspx is pulled from the SharePoint root, it is said to
be uncustomized. In previous versions of SharePoint, this was called ghosted. Using
a tool such as SharePoint Designer, you can customize the page itself. When you
do so, the customized page is saved to the content database. At this point, the
uncustomized version in the SharePoint root is no longer used for that site. Thus,
your customized page is said to be customized. In previous versions of SharePoint,
this was called unghosted.
It is possible to reset a site or page to the site definition, which removes the
customized page.
It is not recommended to modify files directly in the SharePoint root. Among other
problems that could arise, SharePoint updates and service packs may overwrite
your changes.


Lab: Creating a SharePoint 2010 Intranet

Scenario
You have been asked to build an intranet to support communication and
collaboration requirements at Contoso, Ltd. You have recently completed the
installation of SharePoint 2010. You must now configure the farm using the Farm
Configuration Wizard, and create the logical topology to support the initial
business requirements. You are tasked with establishing a SharePoint 2010
intranet site so that business users can review the new features of the publishing
site definition. Additionally, you have been asked to configure sites to meet the
collaboration requirements of several divisions within the organization. You will
begin by creating a site for the Information Technology (IT) department.

 Start the virtual machines


1. Start 10174A-CONTOSO-DC-B.

2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-B.


Exercise 1: Creating a Web Application


Scenario
In this exercise, you will create a new SharePoint Web application for the intranet.
The main tasks for this exercise are as follows:
1. Create a new Web Application.

 Task 1: Create a new Web application


1. Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password,
Pa$$w0rd.

2. In SharePoint 2010 Central Administration, navigate to the Web
Applications Management page.

3. Create a new Web application with the following configuration:

Authentication: Classic Mode Authentication

Port: 80

Host header: intranet.contoso.com

Application pool name: SharePoint Web Applications

Application pool identity: CONTOSO\SP_ServiceApps

Database name: WSS_Content_Intranet

Results: After this exercise, you should have created a new Web application,
intranet.contoso.com.


Exercise 2: Creating a Site Collection


Scenario
In this exercise, you will create a site collection for the Intranet, and you will solve
problems accessing the new Web application.
The main tasks for this exercise are as follows:
1. Create a New Site Collection.

2. Attempt to Open the New Site.

3. Add a DNS Host Record for the New Web Application.

4. Open the New Site.

5. Create a Publishing Site Page.

6. Configure Permissions.

 Task 1: Create a new site collection

In SharePoint 2010 Central Administration, create a new site collection with
the following configuration:

Web application: http://intranet.contoso.com

Title: Contoso Intranet

Web site address: http://intranet.contoso.com/

Site definition: Publishing Portal

Primary site collection administrator: CONTOSO\SP_Admin

 Task 2: Attempt to open the new site

In Microsoft Internet Explorer, in the address bar, type
http://intranet.contoso.com, and then press ENTER.
An "Internet Explorer cannot display the webpage" error page is displayed.
Question: What is the cause of this error?


 Task 3: Add a DNS host record for the new Web application

Start DNS Manager using the Run as different user option. Enter the user
name, CONTOSO\Administrator, and the password, Pa$$w0rd.

Connect to the DNS server running on CONTOSO-DC.

Create a new host record in the contoso.com zone with the name, intranet,
and the IP address, 10.0.0.21.

Close DNS Manager.

 Task 4: Open the new site


1. In Internet Explorer, in the address bar, type http://intranet.contoso.com,
and then press ENTER.
An "Internet Explorer cannot display the webpage" error is displayed. If this
error does not appear on your system, continue to the next task.
Question: What is the cause of this error?

2. Open Command Prompt, and then execute the command, ipconfig
/flushdns. Then close Command Prompt.

3. In Internet Explorer, in the address bar, type http://intranet.contoso.com,
and then press ENTER.
The Web site begins to load. Because this is the first time that the site has been
requested from the server, it must be compiled. This takes several seconds.
The intranet Web application opens.

 Task 5: Create a publishing site page

Create a new page on the site with the name, Important Phone Numbers and
with the following page content:
In case of emergency, call 911


 Task 6: Configure permissions

Add the CONTOSO\Domain Users group to the Contoso Intranet Visitors
group.

Results: Upon completing this exercise, you should have been able to successfully
create a Contoso intranet Web site.


Exercise 3: Creating a Site Collection in a New Content Database

Scenario
In this exercise, you will create a Web site for the Information Technology (IT)
department on the Contoso intranet. To support backup and restore operations
according to Contoso's SharePoint governance plan, you will create the IT intranet
Web site in its own content database. This will allow you to back up or restore the
Web site independently of the corporate intranet Web site you created in the
previous exercise.
The main tasks for this exercise are as follows:
1. Create a Content Database.

2. Create a Site Collection in a Specific Content Database.

3. Examine the Information Technology Web site

 Task 1: Create a content database

In SharePoint 2010 Central Administration, create a new content database
with the following configuration in the Web application,
http://intranet.contoso.com:

Database name: WSS_Content_Intranet_IT

 Task 2: Create a site collection in a specific content database

In SharePoint 2010 Central Administration, create a new site collection with
the following configuration:

Web application: http://intranet.contoso.com

Title: Information Technology

Web site address: http://intranet.contoso.com/sites/IT

Site definition: Team Site

Primary site collection administrator: CONTOSO\SP_Admin


 Task 3: Examine the information technology Web site

Navigate to http://intranet.contoso.com/sites/IT. Spend some time
reviewing and experimenting with the new site. You can make changes to the
site, but those changes will not persist after this Lab.

Results: After this exercise, you should have created the intranet Web site for
Contoso's Information Technology department.

 To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To
do this, complete the following steps:

On the host computer, start Microsoft Hyper-V Manager.

Right-click the virtual machine name in the Virtual Machines list, and then
click Revert.

In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. Why would you create more than one content database in a Web application?

2. If you were to create another site collection in the intranet Web application, in
which content database would it be created?


Module 3
Administering and Automating SharePoint
Contents:
Lesson 1: Configuring Central Administration
Lesson 2: Administering SharePoint from the Command Line
Lesson 3: Automating SharePoint Operations with Windows PowerShell
Lab A: Automating SharePoint with Windows PowerShell
Lab B: Administering SharePoint with Stsadm


Module Overview

In previous modules, you used Central Administration to perform common
administrative tasks related to the installation and configuration of Microsoft
SharePoint.
In this module, you learn more about what it means to be an administrator of a
SharePoint farm and what it takes to administer SharePoint using both Central
Administration and command-line options.
Among the most powerful tools at your disposal as a SharePoint administrator is
Windows PowerShell. SharePoint 2010 offers rich support for Windows
PowerShell as the primary command-line interface for administering and
automating SharePoint, and in this module you learn the fundamentals of
Windows PowerShell for SharePoint.


Lesson 1

Configuring Central Administration

In this lesson, you take a high-level look at the available options for administering
SharePoint: Central Administration, Stsadm, and Windows PowerShell. You learn
to configure Central Administration and to identify the various administrative roles
in a SharePoint environment. Later lessons explore Stsadm and Windows
PowerShell in detail.
After completing this lesson, you will be able to:

Describe the options for administering SharePoint farms.

Configure and manage the Central Administration Web application.

Describe the administrative roles that you can use to manage SharePoint farms.


Administrative Options

In addition to SharePoint 2010 Central Administration, you have at least two other
options with which to administer a SharePoint farm: Stsadm and Windows
PowerShell.
Stsadm is a command (Stsadm.exe) located in the folder
C:\Program Files\Common Files\Microsoft Shared\web server extensions\14\BIN.
Windows PowerShell is the administrative framework for SharePoint 2010 and
other Microsoft technology platforms.
SharePoint 2010 Management Shell is the preferred interface for performing
task-based commands and for running scripts. The SharePoint 2010 Management Shell
supports both Stsadm and Windows PowerShell.
In this module, you learn about all three of these administrative options.


Central Administration

Remember that Central Administration is a Web application. Every action you
perform in Central Administration is being executed using the application pool
identity for the Central Administration Web application and the timer service, for
example, SP_Farm. Actions performed in Central Administration are not executed
in the context of your administrative account's identity.
If something is not working, be sure that the SP_Farm identity has the permissions
it requires. For example, some tasks performed in Central Administration require
that the account have the following attributes:

Local Administrators group membership on each SharePoint server

Microsoft SQL Server permissions

These permissions are assigned automatically if you follow the procedures outlined
earlier in this course. However, if something happens that removes or denies a
required permission, administrative tasks may fail.


Change the Port for Central Administration


When you run the SharePoint Products Configuration Wizard (Psconfigui.exe),
you specify the port to which the Central Administration Web site is bound.
You can change the port using one of these two methods:

Windows PowerShell. You can use the Set-SPCentralAdministration cmdlet's
-Port parameter to modify the port to which Central Administration is bound.
Set-SPCentralAdministration -Port <PortNumber>

Where:

<PortNumber> is an available port, greater than 1023 and less than 32767.

Stsadm. You can use the setadminport operation to modify the port to which
Central Administration is bound.
stsadm -o setadminport -port <PortNumber>

Where:

<PortNumber> is an available port.

Additional Reading

Change the Central Administration Web site port number (SharePoint Server
2010) at http://go.microsoft.com/fwlink/?LinkID=192720&clcid=0x409.

Setadminport: Stsadm operation (Office SharePoint Server) at
http://go.microsoft.com/fwlink/?LinkID=192721&clcid=0x409.


Administrative Roles

Farm Administrators
The Farm Administrators group represents the accounts that can use the Central
Administration application to perform administrative tasks.

Manage the Farm Administrators Group

In SharePoint 2010 Central Administration Quick Launch, click Security, and
then, in the Users section, click Manage The Farm Administrators Group.

Members of the Farm Administrators group have permissions to and responsibility
for all servers in the server farm. Members can perform all administrative tasks in
Central Administration for the server or server farm. Members of this group can
also use Windows PowerShell to create and manage configuration database objects
and can perform command-line operations, for example, Stsadm.exe. They can
assign administrators to manage service applications, which are instances of shared
services.


The Farm Administrators group does not have permissions to access individual
sites or their content, by default. However, members can take ownership of a site
collection by assigning themselves as a site collection owner in Central
Administration. For example, if a site collection administrator leaves the
organization and a new administrator must be added, a member of the Farm
Administrators group can take ownership of the site collection to make the change.

Local Administrators
Members of the Administrators group on the local server are members of the Farm
Administrators group by default. Therefore, members of the Administrators group
on the local server can perform all farm administrator actions and more, including
installing new products or applications, deploying Web Parts and new features to
the global assembly cache, creating new Web applications and new Internet
Information Services (IIS) Web sites, and starting services. Like Farm
Administrators, members of this group on the local server have no access to site
content, by default, but can take ownership of a site collection.

Service Application Administrators


Many service applications also have administrators, and the administration of these
service applications can therefore be delegated.
Farm administrators always have rights to manage all service applications. Those
rights cannot be removed.
Service application administrators are delegated by members of the Farm
Administrators group. The administrators of a service application can configure
settings for a specific service application in a farm. However, these administrators
cannot create service applications, access any other service applications in the farm,
or perform any farm-level operations, including topology changes. For example,
the service application administrator for a Search service application in a farm can
configure settings for that Search service application only.

Delegate Administration of a Service Application


1. In Central Administration Quick Launch, click Application Management,
and then, in the Service Applications section, click Manage Service
Applications.

2. Click the row of a service application.
Do not click the name of a service application. Most service application names
are links to the service application's management application.

3. In the ribbon, click Administrators.


Service Application Feature Administrators


A feature administrator is associated with a specific feature or features of a service
application. These administrators can manage a subset of service application
settings but not the entire service application. For example, a feature administrator
might manage the Audiences feature of the User Profile service application.

Site-Level Administrators
The following two roles are administrative roles, but they do not have any
capability to perform tasks in Central Administration:

Site collection administrators

The Owners group of a site

The scope of their permissions is the site collection or site.

Site collection administrators have the Full Control permission level on all Web
sites in a site collection. They have access to content in all sites in that site
collection, even if they do not have explicit permissions on that site. For more
information, see Module 2, "Creating a SharePoint 2010 Intranet."
By default, members of a site's Owners group have the Full Control permission
level on that site. They can perform administration tasks for the site and for any list
or library in that site. They receive e-mail notifications for events, such as the
pending automatic deletion of inactive sites and requests for site access.

Additional Reading

Choose administrators and owners for the administration hierarchy
(SharePoint Server 2010) at http://go.microsoft.com/fwlink/?LinkID=192722&clcid=0x409.


Lesson 2

Administering SharePoint from the Command Line

In this lesson, you move away from the user interface of the Central Administration
Web application and turn to command-line options for administering SharePoint.
You explore Stsadm (Stsadm.exe), which is included with SharePoint 2010 to
support mixed environments, and Windows PowerShell, which is the
recommended tool for administering and automating SharePoint 2010.
After completing this lesson, you will be able to:

Administer SharePoint from the command prompt with Stsadm.

Identify the role of Windows PowerShell for administering SharePoint.


SharePoint and Command-Line Administration

SharePoint has introduced new command-line administration interfaces with each
successive version of the product. In SharePoint 2007, Microsoft introduced
Stsadm (Stsadm.exe), which exposed 182 commands.
SharePoint 2010 aligns with other Microsoft technologies around the use of
Windows PowerShell as the primary command-line interface for administration.
SharePoint 2010 provides more than 600 Windows PowerShell cmdlets to support
administration of a SharePoint farm. PowerShell provides a superset of capabilities
found in Central Administration. Windows PowerShell 2.0 is required to install
SharePoint and is installed by the Microsoft SharePoint Products Preparation Tool
(PrerequisiteInstaller).
As you learn in the next topic, Stsadm has been deprecated but is still supported in
SharePoint 2010.


Stsadm

Stsadm is deprecated but is included to support compatibility with previous
product versions. There are, however, a small number of rarely used Stsadm
operations for which no Windows PowerShell equivalent exists.
Some Stsadm operations are no longer supported because of feature or
architectural changes in SharePoint 2010. For example, commands used to create,
enumerate, and manage Shared Service Providers (SSPs) are not supported
because SSPs have been replaced by service applications.
To use Stsadm, you must start Command Prompt on a SharePoint server with the
Run As Administrator option, and then navigate to the folder that contains
Stsadm.exe:

C:\Program Files\Common Files\Microsoft Shared\web server extensions\14\BIN


You can avoid having to navigate to this deeply nested folder by adding the path to
the folder to the %PATH% environment variable. For example, type the following
command:
set path=%path%;C:\Program Files\Common Files\Microsoft Shared\web server extensions\14\BIN

Alternately, use the SharePoint 2010 Management Shell, which includes the path to
the \BIN folder in its path variable.
Stsadm exposes functionality through operations. Each operation is invoked with
this syntax:
stsadm -o <OperationName> [-parameter <Value> ...]

Where:

<OperationName> is the name of an Stsadm operation.

<Value> is the value for a parameter used by the operation.

To discover the operations that are supported, type the following command:
stsadm -?

To read documentation about a specific operation and the parameters it supports,
type the following command:
stsadm -help <OperationName>


Introducing Windows PowerShell

Windows PowerShell is a task-based command-line shell and scripting language
designed especially for system administration. Built on the Microsoft .NET
Framework, Windows PowerShell helps IT professionals control and automate the
administration of several Microsoft technologies, including the Windows operating
system, SharePoint 2010, the Active Directory directory service, and Microsoft
Exchange Server.
With Windows PowerShell commands, called cmdlets, you can perform
management tasks from the command line. With Windows PowerShell providers,
you can access data stores, such as the registry and certificate store, as easily as you
access the file system. In addition, Windows PowerShell has a rich expression
parser and a fully developed scripting language.
Windows PowerShell includes the following features:

Cmdlets for performing common system administration tasks.

A task-based scripting language.

Support for existing scripts and command-line tools. For example, you can
perform most Cmd.exe commands with Windows PowerShell.


Consistent design. Because cmdlets and system data stores use common
syntax and naming conventions, data can be shared easily and the output from
one cmdlet can be used as the input to another cmdlet without reformatting or
manipulation.

Providers that expose system resources such as the registry, certificate store,
and directory service for simplified navigation by using the same techniques
that users employ to navigate the file system.

Powerful object manipulation capabilities. You can manipulate objects directly
or send them to other tools or databases.

Extensible interface. Independent software vendors and enterprise developers
can build custom tools and utilities to administer their software.

There is significant overlap between Stsadm and Windows PowerShell in support
for operations that are common to both SharePoint 2007 and SharePoint 2010.
However, Windows PowerShell provides unique capabilities related to the
management of all new features, including support for the following tasks:

Installation and configuration of SharePoint 2010

Management of service applications

Granular control of backup and restore

Additional Reading

About Windows PowerShell at http://go.microsoft.com/fwlink/?LinkID=192723&clcid=0x409.


Demonstration: Windows PowerShell Basics

Open the SharePoint 2010 Management Shell


To open the SharePoint 2010 Management Shell:

Click Start, click All Programs, click Microsoft SharePoint 2010 Products,
and then click SharePoint 2010 Management Shell.

Cmdlets
Windows PowerShell commands are called cmdlets, pronounced command-lets.

List Available Cmdlets


The Get-Command cmdlet lists cmdlets.

Type Get-Command.


Cmdlets are not case sensitive. The following cmdlets are equivalent:

Get-Command

get-command

GET-COMMAND

Cmdlets always follow the Verb-Noun format, also called the Action-Object format. The
Noun is always singular.
For example, the cmdlet to list all processes running on a machine is Get-Process.
To list all processes running on a machine:

Type Get-Process.

There are a limited number of verbs, which can be listed with the Get-Verb cmdlet.
Nouns follow naming standards managed by the Windows PowerShell team. For
example, all SharePoint nouns begin with SP.

List All SharePoint cmdlets


To list all SharePoint cmdlets:

Type Get-Command -noun SP* | more.

Additional Reading

Understanding Important Windows PowerShell Concepts at
http://go.microsoft.com/fwlink/?LinkID=192724&clcid=0x409.

Learning Windows PowerShell Names at
http://go.microsoft.com/fwlink/?LinkID=192725&clcid=0x409.

Tab Completion
Windows PowerShell supports tab completion, so you can type a few letters and
then press TAB to complete your typing. This applies not only to paths, which is
possible in Command Prompt as well, but also to cmdlets and their parameters.


To experience tab completion, perform the following steps in SharePoint 2010
Management Shell, which build a command that creates a new content database for a
Web application:

1. Type New-SPCont, and then press TAB.
   Windows PowerShell completes the name of the cmdlet, New-SPContentDatabase.
   The first parameter of the New-SPContentDatabase cmdlet is the name of the
   database you want to create.

2. Press SPACEBAR, type TestContentDB, and then press SPACEBAR.
   The next parameter is the name of the database server on which to create the
   content database.

3. Type -Da, and then press TAB.
   Windows PowerShell completes the name of the parameter, -DatabaseServer.

4. Press SPACEBAR, type SP2010-WFE1, and then press SPACEBAR.
   The other required parameter is the name of the Web application with which
   the content database is associated.

5. Type -W, and then press TAB.
   Windows PowerShell completes the name of the parameter, -WebApplication.

6. Press SPACEBAR, and then type http://intranet.contoso.com.

7. Press CTRL+C to cancel the command without executing it.

Additional Reading

Using Tab Expansion at http://go.microsoft.com/fwlink/?LinkID=192729&clcid=0x409.

Get-Help
Windows PowerShell cmdlets are well documented with a standard
documentation format.

Get Help About a Cmdlet


To get help about a cmdlet, use the Get-Help cmdlet.

Type Get-Help <cmdlet>, where cmdlet is the name of the cmdlet about which
you want help.


The Get-Help cmdlet has the following syntax:


Get-Help cmdlet [-examples | -detailed | -full ]

Where optional parameters produce various types and levels of detail.

-examples. Shows examples of the cmdlet.

-detailed. Shows detailed information about the cmdlet and each of its
parameters. Also shows examples.

-full. Shows all documentation of the cmdlet.

Without a parameter, the Get-Help cmdlet shows a synopsis, a more detailed
description, and the syntax of the cmdlet.
For example, to get help, including examples, about the New-SPContentDatabase
cmdlet, type the following:
Get-Help New-SPContentDatabase -detailed

Additional Reading

Getting Information About Commands at
http://go.microsoft.com/fwlink/?LinkID=192730&clcid=0x409.

Getting Detailed Help Information at
http://go.microsoft.com/fwlink/?LinkID=192731&clcid=0x409.

Objects
Unlike Command Prompt, in which commands return text that then must be
parsed and processed as text, Windows PowerShell returns objects: representations
of the component itself.
For example, the Get-Process cmdlet returns objects representing processes on a
computer. Type the following to retrieve all processes on a computer:
Get-Process

To limit the processes, use a parameter of the Get-Process cmdlet. For example, the
-Name parameter limits processes returned based on their name. The following
command retrieves all processes named iexplore on a computer:
Get-Process -Name iexplore


The -Name parameter is the default parameter for the Get-Process cmdlet, so it can
be omitted:
Get-Process iexplore

In these examples, Windows PowerShell outputs several properties of each process
it returns. You are not doing anything with the objects other than showing
properties.
However, objects returned by a cmdlet can be stored in variables for later use or
piped to a subsequent cmdlet as input for the cmdlet.

Pipeline
Windows PowerShell features a pipeline, a channel through which the output of a
cmdlet can be passed to the following cmdlet. The pipeline is represented by the
pipe character (|).
For example, type the following to stop all processes named iexplore on a
computer:
Get-Process iexplore | Stop-Process

The Get-Process cmdlet gets running processes on a machine. The Stop-Process
cmdlet stops processes. In this example, the Get-Process cmdlet gets processes
named iexplore, and then passes the processes through the pipeline to the
Stop-Process cmdlet.
As you learn later in this lesson, one of the most important differences between
Windows PowerShell and Command Prompt is that cmdlets return objects, not
text. In Command Prompt, commands return text, and the text can be piped to
another command. In Windows PowerShell, cmdlets return objects, which can be
manipulated in much more powerful ways further down the pipeline. For example,
the Get-Process cmdlet returns objects representing processes named iexplore. The
next command in the pipeline stops those processes, but it could just as easily be a
cmdlet that changes the priority of the processes or that returns specific
information about the processes, such as their memory and processor utilization.

Additional Reading

Understanding the Windows PowerShell Pipeline at
http://go.microsoft.com/fwlink/?LinkID=192732&clcid=0x409.


Aliases
Windows PowerShell allows a cmdlet to have aliases, which are alternate names for
the cmdlet. For example, gps and ps are aliases for Get-Process. Also, kill is an alias
for Stop-Process.

List Available Aliases


The Get-Alias cmdlet lists aliases.

Type Get-Alias.

List Aliases for a Specific Cmdlet


To list aliases for a specific cmdlet:

Type Get-Alias -definition <cmdlet>, where cmdlet is the cmdlet for which you
want to list aliases.

For example, type the following to list aliases for Stop-Process:


Get-Alias -definition Stop-Process

If you see a cmdlet that is not following the Verb-Noun syntax, it is certain that the
cmdlet is using an alias. Sometimes it can be difficult to interpret what a command
is doing when an alias is used.

List the Cmdlet Associated with an Alias


To list the cmdlet for a specific alias:

Type Get-Alias <Alias>, where Alias is the alias you want to define.

For example, type the following to list the cmdlet for the alias kill:
Get-Alias kill

Additional Reading

Using Familiar Command Names at http://go.microsoft.com/fwlink/?LinkID=192733&clcid=0x409.


Variables
As you begin to find and create Windows PowerShell scripts, there's one more
concept you must understand: variables. Variables are memory locations that store
a value or object and are represented in Windows PowerShell by a name that starts
with a dollar sign ($).
To assign a variable (that is, to create and define a variable), simply use the
following syntax:
$variable = value

For example, the following script stops all processes named iexplore:
$process = "iexplore"
Get-Process $process | Stop-Process

The result is the same as the one-liner shown earlier. However, by separating the
name of the process from the line that performs the action of finding and stopping
the process, you can more easily modify the script. Or you could use the Read-Host
cmdlet to prompt a user for the name of a process, instead of hard-wiring the name
of the process into the script.
To assign a string value to a variable, enclose the value in single or double
quotation marks, as shown earlier.
Variables can also store one or more objects. Examine the following script:
$process = Get-Process "iexplore"
$process | Select ID, name, description
$process | Stop-Process

In this example, the variable $process is set to the collection of processes named
iexplore. The variable is then used in two following commands. The first reports
the ID, name, and description of each process in $process. The second stops each
process.

$_
The special variable $_ represents the current object in the pipeline. You see
examples of this later in the module.


For now, simply imagine that you are looping through a collection of objects (for
example, each site collection in a Web application) and you want to do something
to each object (for example, list the site collection administrators). As you loop
through the collection, you can use the $_ variable to represent the current site
collection.
Again, you learn more about $_ and put it to use later in the module.

Additional Reading

Using Variables to Store Objects at
http://go.microsoft.com/fwlink/?LinkID=192734&clcid=0x409.

Windows PowerShell on Microsoft TechNet at
http://go.microsoft.com/fwlink/?LinkID=192735&clcid=0x409.

Windows PowerShell Scripting Center at
http://go.microsoft.com/fwlink/?LinkID=192736&clcid=0x409.


Lesson 3

Automating SharePoint Operations with Windows PowerShell

Now that you have learned some of the fundamental concepts of Windows
PowerShell, you can turn your attention to how you can use Windows PowerShell
to administer and automate SharePoint 2010.
After completing this lesson, you will be able to:

Describe the SharePoint 2010 management shell.

Delegate permissions to use Windows PowerShell.

Examine the SharePoint logical structure.

Create a SharePoint intranet by using Windows PowerShell.

Describe objects, members, properties, and methods in Windows PowerShell.

Describe how to select, sort, and format output in Windows PowerShell.

Describe how to filter objects.

Describe iteration and iteration in scripts.

Automate SharePoint operations with Windows PowerShell.


SharePoint 2010 Management Shell

SharePoint 2010 Management Shell vs. Windows PowerShell


There are two ways to manage SharePoint with Windows PowerShell: the
Windows PowerShell console and SharePoint 2010 Management Shell.
SharePoint 2010 Management Shell loads a Windows PowerShell profile located in
the SharePoint root: SharePointRoot\CONFIG\POWERSHELL\Registration\SharePoint.ps1.
A Windows PowerShell profile is a script that configures the
initial user environment for Windows PowerShell. In the case of SharePoint 2010
Management Shell, the profile does three important things:

Loads the SharePoint snap-ins. The SharePoint 2010 Management Shell
profile loads the SharePoint snap-ins.
If you run Windows PowerShell, you cannot actually perform any SharePoint
tasks because the snap-ins are not loaded. To load snap-ins, you must run the
following command:
Add-PSSnapin Microsoft.SharePoint.PowerShell


Another way to add SharePoint functionality to Windows PowerShell is to use
a process called reflection, through which you load the SharePoint .dll files
directly. This was required in SharePoint 2007 but is not recommended in
SharePoint 2010 now that the SharePoint snap-in is available.

Sets the PSThread option to ReuseThread. This is a setting that improves the
utilization of memory in Windows PowerShell and reduces the likelihood of
memory leaks. In Windows PowerShell, each line (each command) is started
in its own thread, or process. When ThreadOptions is set to ReuseThread,
each command is run in the same thread. If you use Windows PowerShell, you
must run the following command:
$Host.Runspace.ThreadOptions = "ReuseThread"

Adds the Stsadm folder (SharePoint Root\BIN) to the path. SharePoint
Management Shell adds the path to the Stsadm.exe command to its path. This
allows you to use Stsadm to perform tasks, in addition to Windows
PowerShell.

Additional Reading

PS Thread Options at http://go.microsoft.com/fwlink/?LinkId=183145.

3-28

Configuring and Administering Microsoft SharePoint 2010

Delegate Permissions to Use Windows PowerShell

Requirements to Use Windows PowerShell to Administer SharePoint


To use Windows PowerShell to administer SharePoint 2010, an administrator
must be assigned the SharePoint_Shell_Access role on any databases against which
Windows PowerShell will be used. For example, to perform tasks that read or
manipulate data in the configuration database, an administrator must have the
SharePoint_Shell_Access role for the configuration database. Likewise, to work
with a specific site collection, the administrator must have the
SharePoint_Shell_Access role for the appropriate content database.
Additionally, the administrator's account must be a member of the
WSS_ADMIN_WPG local group on all servers in the farm.
To assign these two roles, and thereby to delegate permission to use Windows
PowerShell, you can and should use the Add-SPShellAdmin cmdlet. The process is
straightforward.


Delegate Permissions with Add-SPShellAdmin


1. Open SharePoint 2010 Management Shell.

2. Use the Add-SPShellAdmin cmdlet to grant a user the ability to use Windows
   PowerShell against a content database. Use the following example:
Add-SPShellAdmin -username <DOMAIN\user> -database (Get-SPContentDatabase <Content Database Name>)

So, with just one command, you've given the user the SharePoint_Shell_Access role
on the database and added the user to the WSS_ADMIN_WPG local group on each
server in the farm. If the user is currently logged on, the user will of course have to
log off and log back on for the new local group membership to take effect.
To perform this delegation, your account must have the Security_Admin server role
for the SQL Server instance and the db_owner role for the database, and you must
be in the Administrators group of each server in the farm. In other words, you
must be a high-level administrator to delegate to another user the ability to use
Windows PowerShell. Practically speaking, you'll likely be administrator of the
SQL Server and of each server in the farm, though technically speaking you don't
need quite that much power.

Site Collection Ownership


You must also be a site collection owner, as defined in Central Administration, to
use Windows PowerShell against a site collection in the content database.
To assign a site collection owner by using Windows PowerShell, follow this
example:
Set-SPSiteAdministration <SiteCollectionURL> -OwnerAlias <DOMAIN\user> -SecondaryOwnerAlias <DOMAIN\user>

Where:

<SiteCollectionURL> is the URL of the site collection.

The -OwnerAlias parameter's <DOMAIN\User> value is the primary site collection
administrator.

The -SecondaryOwnerAlias parameter's <DOMAIN\User> value is the secondary site
collection administrator.


Run SharePoint 2010 Management Shell with the Run As Administrator Option
Finally, many cmdlets require that you are an administrator of the computer on
which the cmdlet is being executed. These cmdlets fail unless you use the Run As
Administrator option when opening SharePoint 2010 Management Shell.
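
The three requirements described in this topic (the SharePoint_Shell_Access role, WSS_ADMIN_WPG membership, and site collection ownership) can be reviewed in one pass. The following script is an added example, not part of the course material; the $approved list and the function names are assumptions, and CONTOSO\SP_Admin is reused from the course's sample accounts.

```powershell
# Added example: report who can administer SharePoint from Windows PowerShell.
# Run in SharePoint 2010 Management Shell, opened with Run As Administrator,
# on a server in the farm. Written for Windows PowerShell 2.0.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Assumption: the accounts that your change records approve for shell access.
$approved = @('CONTOSO\SP_Admin')

function New-Finding($Scope, $Target, $Account) {
    New-Object PSObject -Property @{
        Scope    = $Scope
        Target   = $Target
        Account  = $Account
        Approved = ($approved -contains $Account)   # -contains ignores case
    }
}

# 1. Holders of the SharePoint_Shell_Access role, database by database.
function Get-ShellRoleFinding {
    # Without -database, Get-SPShellAdmin reports on the configuration database.
    Get-SPShellAdmin | ForEach-Object {
        New-Finding 'SharePoint_Shell_Access' 'Configuration database' $_.UserName
    }
    foreach ($db in Get-SPContentDatabase) {
        Get-SPShellAdmin -database $db | ForEach-Object {
            New-Finding 'SharePoint_Shell_Access' $db.Name $_.UserName
        }
    }
}

# 2. Members of the WSS_ADMIN_WPG local group on each SharePoint server.
#    Servers whose Role is 'Invalid' do not run SharePoint (for example, the
#    database server) and have no such group.
function Get-LocalGroupFinding {
    $servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
    foreach ($server in $servers) {
        $group = [ADSI]"WinNT://$($server.Address)/WSS_ADMIN_WPG,group"
        foreach ($member in @($group.psbase.Invoke('Members'))) {
            $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
            # WinNT://CONTOSO/SP_Admin becomes CONTOSO\SP_Admin
            $account = ($path -replace '^WinNT://', '') -replace '/', '\'
            New-Finding 'WSS_ADMIN_WPG' $server.Address $account
        }
    }
}

# 3. Primary and secondary site collection owners, Central Administration included.
#    -Limit All lifts the default cap of 20 site collections.
function Get-SiteOwnerFinding {
    Get-SPWebApplication -IncludeCentralAdministration | Get-SPSite -Limit All | ForEach-Object {
        New-Finding 'Site collection owner' $_.Url $_.Owner.LoginName
        if ($_.SecondaryContact) {
            New-Finding 'Site collection secondary owner' $_.Url $_.SecondaryContact.LoginName
        }
    }
}

Start-SPAssignment -Global     # let the shell dispose of the SPSite objects afterwards
$report = @(Get-ShellRoleFinding) + @(Get-LocalGroupFinding) + @(Get-SiteOwnerFinding)
Stop-SPAssignment -Global

# Unapproved entries sort first ($false before $true).
$report | Sort-Object Approved, Scope, Target |
    Format-Table Approved, Scope, Target, Account -AutoSize
```

Entries that are not approved can be withdrawn with the Remove-SPShellAdmin cmdlet once they have been reviewed.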

Additional Reading

SharePoint 2010 Products administration by using Windows PowerShell at
http://go.microsoft.com/fwlink/?LinkID=192737&clcid=0x409.


Examine the SharePoint Logical Structure Using Windows PowerShell

Examine the SharePoint Logical Structure with Get


You can use the Get verb to retrieve objects from the SharePoint object model.

Retrieve a Reference to the Farm


To retrieve a reference to the farm:

Type Get-SPFarm.

Retrieve a Collection of Web Applications in the Farm


To retrieve a collection representing the Web applications:

Type Get-SPWebApplication.


The Get-SPWebApplication cmdlet leaves out Central Administration by default as
a measure of protection against scripts that are designed to perform actions against
every Web application in a farm. To include the Central Administration Web
application, include the parameter -IncludeCentralAdministration.

Retrieve a Collection of All Site Collections in the Farm


To retrieve a collection of site collections in the farm:

Type Get-SPSite.

To prevent runaway memory and processing, the Get-SPSite cmdlet limits the
number of site collections it returns to 20, by default. Add the -limit parameter to
increase this limit, or add -limit all to return all site collections. The Get-SPSite
cmdlet always excludes the Central Administration site collection.

Retrieve a Collection of Web Sites


The Get-SPWeb cmdlet retrieves a collection of Web sites in a scope specified by
the cmdlet's parameters. The -Site parameter specifies a site collection as the scope,
and the -Filter parameter specifies a filter as the scope.
For example, the following command retrieves the Web sites in the intranet site
collection:
Get-SPWeb -Site http://intranet.contoso.com

The Get-SPWeb cmdlet limits the number of objects it returns to 200 by default.
As with the Get-SPSite cmdlet, use the -limit parameter to increase this limit, or use -limit all to return all Web sites in a site collection.

User Interface Terminology vs. Object Model Terminology


As you've no doubt noticed in this discussion, terminology used to describe the
logical hierarchy of SharePoint is different in Windows PowerShell from
terminology in the user interface. That's because the SharePoint object model,
which drives terminology used by developers and by the .NET Framework, has a
legacy that dates back to the beginning of SharePoint time.


The terminology is particularly tricky around the word "site." Notice the different
ways in which the word "site" is used both in describing the components of
SharePoint as shown in the user interface and in the object model.

User Interface and Documentation         Object Model
Farm                                     SPFarm
Web application                          SPWebApplication
Site collection                          SPSite
Site, Web site, Web, subweb, subsite     SPWeb

It gets even more tricky when users say something like, "I can't access my site." Is
that a site collection (SPSite), Web site (SPWeb), or are they really saying that
they're typing http://intranet.contoso.com and getting an error, in which case it
may even be the Web application (SPWebApplication) that needs to be examined?
It's recommended that when you discuss SharePoint, and particularly when you are
gathering information for troubleshooting, you avoid the word "site" by itself.
Clarify: Web application, site collection, or subweb.

Using the Pipeline


As you learned earlier, the Get-SPWeb cmdlet uses a -Site parameter to specify the
site collection in which Web sites should be returned:
Get-SPWeb -Site "http://intranet.contoso.com"

The Get-SPSite cmdlet, also presented earlier, retrieves all site collections. If you
use an Identity parameter, it retrieves only matching site collections.
For example, the following command retrieves only one site collection:
Get-SPSite "http://intranet.contoso.com"

You can use the site collection returned by Get-SPSite instead of the -Site parameter
of Get-SPWeb:
Get-SPSite "http://intranet.contoso.com"| Get-SPWeb -limit all


Question: How can you get a list of all site collections in the farm, including
Central Administration, when the Get-SPSite cmdlet always excludes Central
Administration?
Question: How can you get a list of all Web sites in the farm, including Central
Administration, when the Get-SPSite cmdlet always excludes Central
Administration?

Additional Reading

Understanding the Windows PowerShell Pipeline at
http://go.microsoft.com/fwlink/?LinkID=192732&clcid=0x409.


Create a SharePoint Intranet Using Windows PowerShell

You can use Windows PowerShell to create logical components of SharePoint, just
as you did by using Central Administration in Module 2.

Delete a Web Application


To delete a Web application, use the Remove-SPWebApplication cmdlet. For
example, the following command deletes the intranet Web application, including
the IIS Web site and the content databases:
Remove-SPWebApplication http://intranet.contoso.com -DeleteIISSite -RemoveContentDatabase -Confirm:$false

Note the use of the -Confirm:$false parameter. The -Confirm parameter is common
to all Windows PowerShell commands that have potentially detrimental effects. By
default (-Confirm:$true), the cmdlet will prompt for confirmation. Specifying
-Confirm:$false suppresses such prompts.


You can also use the -WhatIf parameter to simulate a command and report its
effects. The -WhatIf parameter is particularly helpful when you are performing a
command on a variable or collection of objects so that you know exactly what is
being done to which objects.
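
A preview-then-delete pattern built on -WhatIf and -Confirm, shown here for a collection of site collections. This is an added example, not part of the course material; the function name, its parameters, the record file path, and the expected-count guard are assumptions, and the URLs reuse the course's sample intranet.

```powershell
# Added example: simulate a bulk deletion with -WhatIf, keep a record of the
# targets, and delete only when explicitly asked, with prompts left on.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Remove-SiteCollectionSafely {
    param(
        [string]$WebApplication,   # Web application that holds the site collections
        [string]$UrlPrefix,        # only site collections whose URL starts with this
        [int]$ExpectedCount,       # how many site collections you intend to remove
        [string]$RecordPath,       # CSV written before anything is removed
        [switch]$Execute           # without this switch the function only simulates
    )

    Start-SPAssignment -Global
    try {
        # -Limit All matters here: with the default limit of 20, some targets
        # could be silently left out of both the preview and the deletion.
        $targets = @(Get-SPWebApplication $WebApplication | Get-SPSite -Limit All |
            Where-Object { $_.Url -like "$UrlPrefix*" })

        # Record exactly which objects are in scope.
        $targets |
            Select-Object Url,
                @{ Name = 'Owner'; Expression = { $_.Owner.LoginName } },
                @{ Name = 'ContentDatabase'; Expression = { $_.ContentDatabase.Name } } |
            Export-Csv -Path $RecordPath -NoTypeInformation

        # Stop if the filter matched more or fewer objects than intended.
        if ($targets.Count -ne $ExpectedCount) {
            Write-Warning ("Matched {0} site collections, expected {1}. Nothing was removed." -f
                $targets.Count, $ExpectedCount)
            return
        }

        if ($Execute) {
            # -Confirm:$true keeps the per-object prompt even in a script.
            $targets | Remove-SPSite -Confirm:$true
        }
        else {
            # Prints one "What if:" line per site collection and changes nothing.
            $targets | Remove-SPSite -WhatIf
        }
    }
    finally {
        Stop-SPAssignment -Global
    }
}

# Simulation only (constructed values): writes the record file and previews.
Remove-SiteCollectionSafely -WebApplication 'http://intranet.contoso.com' `
    -UrlPrefix 'http://intranet.contoso.com/sites/' -ExpectedCount 1 `
    -RecordPath "$env:TEMP\site-removal-targets.csv"
```

Add -Execute to the call only after the preview and the record file list exactly the site collections you mean to remove.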

Create a Web Application


The following example shows the use of the New-SPWebApplication cmdlet to
create a new Web application:
New-SPWebApplication -Name <Name> -Port <Port> -HostHeader <HostHeader> -URL <URL> -ApplicationPool <ApplicationPool> -ApplicationPoolAccount <ApplicationPoolAccount> -DatabaseName <DatabaseName>

Where:

<Name> is the name of the new Web application.

<Port> is the port on which the Web application will be created in IIS.

<HostHeader> is the host header, in the format server.domain.com.

Note that the Get-Help documentation for the cmdlet states that the format for
<HostHeader> is http://server.domain.com. The documentation is incorrect.

<URL> is the public (load-balanced) URL for the Web application.

<ApplicationPool> is the name of the application pool.

<ApplicationPoolAccount> is the managed account that the application pool will
use. This is required if you are specifying an <ApplicationPool> that does not
already exist. Use the Get-SPManagedAccount cmdlet as shown in the
following example.

<DatabaseName> is the name for the first content database for the Web
application.

For example, the following command creates the intranet Web application with
configuration similar to the intranet that was created by using Central
Administration in Module 2.
New-SPWebApplication -Name "Contoso Intranet" -Port 80 -HostHeader "intranet.contoso.com" -URL "http://intranet.contoso.com:80" -ApplicationPool "SharePoint Web Applications" -ApplicationPoolAccount (Get-SPManagedAccount "CONTOSO\SP_Service") -DatabaseName "WSS_Content_Intranet"


Create a Site Collection


The following example shows the use of the New-SPSite cmdlet to create a new site
collection.
New-SPSite -Url "<URL for the new site collection>" -ContentDatabase <Content Database Name> -OwnerAlias "<domain\user>" -Template <Template>

Where:

<URL> is the URL of the site collection you want to create.

<Content Database Name> is the name of the content database within which the
site collection should be created. This parameter is optional.

The -OwnerAlias parameter's <domain\user> value defines the primary site
collection administrator. The -SecondaryOwnerAlias parameter is used to
define the secondary site collection administrator.

<Template> specifies the site definition for the top-level site, for example,
BLANKINTERNET#1, the Publishing Site, or STS#0, the Team Site.

For example, the following command creates a site collection at the root of the
intranet Web application and creates a top-level site with the Publishing site
definition.

Create a Content Database


The following example shows the use of the New-SPContentDatabase cmdlet to
create a new content database:
New-SPContentDatabase -Name <ContentDbName> -WebApplication <WebApplicationName>

Where:

<ContentDbName> is the name of the content database to create.

<WebApplicationName> is the name of the Web application to which the new
database is attached.


For example, the following command creates a content database for the Sales
department's intranet site collection:
New-SPContentDatabase -Name WSS_Content_Intranet_Sales -WebApplication http://intranet.contoso.com

Create a Site Collection in a Specific Content Database


Use the -ContentDatabase parameter of the New-SPSite cmdlet to create a new site
collection in a specific content database. For example, the following command
creates a site collection for the Sales department's intranet site in the content
database created in the previous example:
New-SPSite -Url "http://intranet.contoso.com/sites/Sales" -ContentDatabase WSS_Content_Intranet_Sales -Name "Sales" -OwnerAlias "CONTOSO\SP_Admin" -Template "STS#0"

The command also creates a top-level site in the site collection based on the Team
Site site definition.

List Available Site Definitions


Type the following command for a list of available site definitions:
Get-SPWebTemplate

Create a Web Site


The following example shows the use of the New-SPWeb cmdlet to
create a new Web site:
New-SPWeb <Identity> -Name <Name> -Template <Template>

Where:

<Identity> is the URL of the new Web site.

<Name> is the name of the Web site.

<Template> specifies the site definition for the Web site, for example,
BLANKINTERNET#1, the Publishing Site, BLOG#0, the Blog Site, or STS#0,
the Team Site.


For example, the following command creates a subweb for blogs beneath the Sales
Web site:
New-SPWeb "http://intranet.contoso.com/sites/Sales/Blogs" -Name "Sales Blogs" -Template "BLOG#0"


Objects, Members, Properties, and Methods

As you learned in the previous lesson, Windows PowerShell returns objects:
representations of the component itself. You can store objects returned by a cmdlet
in variables for later use or pipe them to a subsequent cmdlet as input for the
cmdlet.
Objects have members: properties and methods. Methods are actions: things you
can do with or to the object. Properties are attributes. A special kind of property is
a collection, which can contain zero, one, or more items.

Discover Members (Methods and Properties)


The Get-Member cmdlet exposes the members of an object. Get-Member takes an
object as input. The following commands list the methods and properties,
respectively, of an object:
object | Get-Member -MemberType Methods
object | Get-Member -MemberType Properties


For example, the following command lists the properties of the Sales site
collection:
Get-SPSite "http://intranet.contoso.com/sites/sales" | Get-Member -MemberType Properties

Additional Reading

Viewing Object Structure (Get-Member) at
http://go.microsoft.com/fwlink/?LinkID=192738&clcid=0x409.


Select, Sort, and Format Output

Write-Output
If you type the following command:
Get-SPWeb "http://intranet.contoso.com/sites/sales"

the URL of the Web site is returned. As you know, Windows PowerShell works
with objects, but when a command completes (at the end of the pipeline), an
implicit Write-Output cmdlet displays the default properties of the object(s) at the
end of the pipeline. In the example shown, the default property is a URL, and the
default display format is a table.

Select-Object (Alias: Select)


You can change what is displayed at the end of the pipeline. For example, you can
use the Select-Object cmdlet, the alias of which is Select, to display specific
properties.


Display All Properties of Pipeline Objects

Add Select * to the end of the pipeline.

For example, the following command displays all properties of the sales Web site:
Get-SPWeb "http://intranet.contoso.com/sites/sales"| Select *

Display Specific Properties


You can limit the properties that are displayed by adding property names to the
Select cmdlet.
For example, the following command displays the URL and template of the sales
Web site:
Get-SPWeb "http://intranet.contoso.com/sites/sales" | Select-Object URL,WebTemplate

Additional Reading

Selecting Parts of Objects (Select-Object) at
http://go.microsoft.com/fwlink/?LinkID=192739&clcid=0x409.aspx.

Sort-Object (Alias: Sort)


If you type the following command:
Get-SPWebApplication "http://intranet.contoso.com" |
Get-SPSite -limit all | Get-SPWeb -limit all |
Select-Object URL,WebTemplate

the URL and template of all Web sites in the intranet Web application are
displayed. If you want to sort the results by template, you can use the Sort-Object
cmdlet, the alias of which is Sort.
For example, the following command displays the URL and template of all the
Web sites in the intranet Web application, sorted by template name:
Get-SPWebApplication "http://intranet.contoso.com" |
Get-SPSite -limit all | Get-SPWeb -limit all |
Select-Object URL,WebTemplate | Sort WebTemplate

You can add the -Descending parameter to the Sort cmdlet to sort in descending
order. The default is ascending order, and there is no -Ascending parameter.


Additional Reading

Sorting Objects at http://go.microsoft.com/fwlink/?LinkID=192740&clcid=0x409.

Format-Table and Format-List (Aliases: ft and fl)


The format of the output of cmdlets depends somewhat on how many properties
of how many objects are returned. Some of the examples shown earlier return
properties as lists, and others return properties as tables.
You can specify a particular display format using the Format-List (alias fl) and
Format-Table (alias ft) cmdlets.
For example, the following command displays the URL and template of all the
Web sites in the intranet Web application, sorted by template name and formatted
as a list:
Get-SPWebApplication "http://intranet.contoso.com" |
Get-SPSite -limit all | Get-SPWeb -limit all |
Select-Object URL,WebTemplate | Sort WebTemplate | Format-List

Note: Using Format-List (or fl) at the end of the pipeline adds an implicit Select *. All
properties are returned. If you want to limit properties returned, add the properties
to the Select cmdlet.

Additional Reading

Using Format Commands to Change Output View at http://go.microsoft.com/fwlink/?LinkID=192741&clcid=0x409.

Other Output Formats


Windows PowerShell can save, export, and convert objects to a wide variety of
formats. Some of the most useful include the following:

Comma-separated value (CSV) files

Extensible Markup Language (XML) files

The GridView


Export-CSV
To save output to a CSV file, add | Export-CSV <filename> to the end of the
pipeline.

ConvertTo-XML
Add | ConvertTo-XML to the end of the pipeline to convert output to an XML
object. An XML object is not immediately viewable because it is an object, not the
text output of an XML file. Therefore, you must save the pipeline, and thereby save
the XML file.
Follow this example:
( command | ConvertTo-XML ).Save("filename")

For example, the following command creates an XML file consisting of the URL
and template of all the Web sites in the intranet Web application, sorted by
template name:
(Get-SPWebApplication "http://intranet.contoso.com" | Get-SPSite -limit all |
Get-SPWeb -limit all | Select-Object URL,WebTemplate | Sort WebTemplate |
ConvertTo-XML).Save("C:\Users\SP_Admin\Desktop\SharePointWebSiteTemplates.xml")

Out-GridView
Windows PowerShell 2.0 includes an Integrated Scripting Environment (ISE),
which provides a datagrid view application. You must make sure that the ISE
feature is installed.
The following example outputs to the datagrid view application:
Get-SPWebApplication "http://intranet.contoso.com" |
Get-SPSite -limit all | Get-SPWeb -limit all |
Select-Object URL,WebTemplate | Sort WebTemplate |
Out-GridView -Title "Web Site Templates Report"

Additional Reading

Redirecting Data with Out-* Cmdlets at http://go.microsoft.com/fwlink/?LinkID=192742&clcid=0x409.


Filtering Objects

Where-Object (Aliases: Where, ?)


Sometimes, you need to work with a subset of objects. In the previous topic, for
example, the Get-SPWeb cmdlet returned all Web sites. What if you wanted to
return only Web sites that were based on the Blog site definition?
The Where-Object cmdlet filters objects in the pipeline. Subsequent cmdlets in the
pipeline operate on only the objects that made it through the filter.
For example, the following retrieves the Web sites that are based on the Blog site
definition, by using the WebTemplate property of the Web object:
Get-SPWebApplication "http://intranet.contoso.com" |
Get-SPSite -Limit ALL | Get-SPWeb -Limit ALL |
Where-Object { $_.WebTemplate -eq "BLOG"}


Notice the use of the $_ variable, which you learned in Lesson 2 represents the
current object in the pipeline. The Where-Object cmdlet operates on each object in
the pipeline, checking each against the filter defined by the expression, which itself
is surrounded by braces. As each object in the pipeline is examined, it is
represented by the $_ variable, and the object's WebTemplate property must be
equal to BLOG for the object to successfully continue down the pipeline.
A limited number of cmdlets support a -Filter parameter, which uses server-side
filtering. In the example shown previously, all objects are retrieved by the
Get-SPWeb cmdlet, and then the Windows PowerShell client must filter the objects.
You can reduce the burden on the server by using server-side filtering whenever
possible.
The SPWeb object can be filtered server-side for the Title and Template properties.
The SPSite and SPSiteAdministration objects can be filtered server-side for Owner,
SecondaryContact, and LockState.
Because, in this example, you have the option of using server-side filtering, it is
recommended you do so.
For example, the following retrieves the Web sites that are based on the Blog site
definition by using server-side filtering of the SPWeb object:
Get-SPSite -Limit All | Get-SPWeb -Limit All -Filter {$_.Template -eq "BLOG#0"}

Operators
In the filter expressions shown earlier, you might have noticed the -eq comparison
operator, which means equals. The following operators are commonly used in
expressions:

Comparison Operators

-lt. Less than

-le. Less than or equal to

-gt. Greater than

-ge. Greater than or equal to

-eq. Equal to

-ne. Not equal to

-like. Like; uses wildcards for pattern matching


Logical Operators

-and

-or

Additional Reading

Removing Objects from the Pipeline (Where-Object) at http://go.microsoft.com/fwlink/?LinkID=192743&clcid=0x409.


Typical Pipeline

As objects are passed through the pipeline of a Windows PowerShell command or
script, there is a common approach and order to working with those objects:

Get. Use the Get verb to retrieve objects.

Filter. Use the Where cmdlet to filter objects so that the only objects
remaining in the pipeline are those with which you want to work.

Manipulate. Do something to the objects by using cmdlets appropriate to the
type of objects in the pipeline.

Select. Use the Select cmdlet to select the properties of objects that you want
to output.

Sort. Use the Sort cmdlet to sort the results, before output.

Output. Use the Format, Export, or Out cmdlets to produce output in the desired format.
If you want to convert the pipeline object(s) to a specific format, you can use
the Convert cmdlet to do so, and then use the Save method of the pipeline to
save an object to a file. An example is shown earlier in which pipeline output is
converted to an XML object, and then saved to an XML file.


Examine the following example:


Get-SPWebApplication "http://intranet.contoso.com" |
Get-SPSite -Limit ALL | Get-SPWeb -Limit ALL |
Where-Object { $_.WebTemplate -eq "BLOG"} |
Select URL,Title,WebTemplate,LastItemModifiedDate,Created |
Sort LastItemModifiedDate |
Export-CSV desktop\StaleBlogs.csv

This command does the following:

Gets Web sites in the intranet Web application

Filters the pipeline so that only Web sites with the Blog site definition remain

Selects properties of the Web sites

Sorts the results by the date at which the last item in the Web site was
modified

Exports the results to a CSV file


Variables

As you work toward reading and writing more complex scripts, you undoubtedly
begin working with variables.
As you learned already, all variable names are prefixed with the dollar sign ($).
To assign a variable, use this syntax:
$variable = value

To return the current value of a variable, simply type the variable name and press
ENTER.
For example, the following command assigns the value CONTOSO\SP_Admin to
the variable $username:
$username = "CONTOSO\SP_Admin"

The following command prompts you to enter the password for the account:
$password = Read-Host "Enter the password: " -AsSecureString


Windows PowerShell cmdlets that require a password do not accept plain text.
Passwords must be contained in a secure string, the contents of which cannot be
displayed.
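
Added example, not part of the course text: the $username and $password variables from above combined into a credential object, and the secure string stored for an unattended script without writing the password in clear text. The function names and the file location are assumptions made for illustration.

```powershell
# Added example. Save-ProtectedPassword, Get-SavedCredential and the file
# location are hypothetical names chosen for this illustration.

$username = "CONTOSO\SP_Admin"
$password = Read-Host "Enter the password" -AsSecureString

# $password is a System.Security.SecureString. Echoing it prints only the
# type name, never the characters that were typed.
$password

# Cmdlets with a -Credential parameter take the account name and the secure
# string together as a PSCredential object.
$credential = New-Object System.Management.Automation.PSCredential($username, $password)

# Avoid building the secure string from a literal with
# ConvertTo-SecureString -AsPlainText -Force: the password then sits in the
# script file and in the command history in clear text.

function Save-ProtectedPassword {
    param(
        [Parameter(Mandatory=$true)][System.Security.SecureString]$SecureString,
        [Parameter(Mandatory=$true)][string]$Path
    )
    # Without -Key, ConvertFrom-SecureString encrypts with Windows DPAPI.
    # Only the same user account on the same computer can decrypt the result.
    $SecureString | ConvertFrom-SecureString | Set-Content -Path $Path
}

function Get-SavedCredential {
    param(
        [Parameter(Mandatory=$true)][string]$UserName,
        [Parameter(Mandatory=$true)][string]$Path
    )
    # Reverses Save-ProtectedPassword; fails for any other user or computer.
    $secure = Get-Content -Path $Path | ConvertTo-SecureString
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

$credFile = Join-Path $env:USERPROFILE "sp_admin.cred"   # hypothetical location
Save-ProtectedPassword -SecureString $password -Path $credFile

# In a later session, as the same user on the same computer:
$restored = Get-SavedCredential -UserName $username -Path $credFile
$restored.UserName   # the account name; the password remains a SecureString
```
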
Windows PowerShell also has built-in variables, including the following:

$true. Boolean true

$false. Boolean false

$error. Contains the error object of the last error

Additional Reading

Using Variables to Store Objects at http://go.microsoft.com/fwlink/?LinkID=192734&clcid=0x409.


Iteration (Looping)

ForEach-Object (%, ForEach)


One of the strengths of Windows PowerShell is the ease with which you can
perform an operation on multiple objects. One of the most important cmdlets for
working on multiple objects is the ForEach-Object cmdlet, commonly used by its
alias, ForEach, or its superabbreviated alias, %.
The ForEach-Object cmdlet iterates through each object in the pipeline, performing
one or more actions that are contained in a script block. The script block is enclosed
in braces.
For example, the following command enables the Ratings feature for all sites in the
intranet Web application:
Get-SPWebApplication "http://intranet.contoso.com" | Get-SPSite |
ForEach-Object { Enable-SPFeature "Ratings" -url $_.url }


Sometimes, iteration is done implicitly by a cmdlet on the receiving side of the
pipeline. Earlier, you learned that the Where-Object cmdlet applies a filter to all
objects in the pipeline. You also saw that each object in a collection of site
collection objects retrieved by Get-SPSite was processed by Get-SPWeb, resulting in
a list of all Web sites in all site collections.
ForEach is helpful where a cmdlet does not do its own iteration. In the previous
example, the Enable-SPFeature cmdlet does not do its own iteration.

Additional Reading

Repeating a Task for Multiple Objects (ForEach-Object) at http://go.microsoft.com/fwlink/?LinkID=192744&clcid=0x409.


Iteration in Scripts

Examine the following script, which creates intranet sites for HR and Marketing in
their own site collections and content databases:
$i = ("HR", "Marketing")
ForEach($url in $i)
{
New-SPContentDatabase -Name WSS_Content_Intranet_$url -WebApplication http://intranet.contoso.com
New-SPSite -Url http://intranet.contoso.com/sites/$url -ContentDatabase WSS_Content_Intranet_$url -OwnerAlias CONTOSO\SP_Admin -Template "STS#0"
}

This topic examines this script line by line.


$i = ("HR", "Marketing")


This line creates an array, a collection of multiple items. In this case, the items are
string values. The array items are separated by commas. The parentheses around
the items are optional, but make it easier to read.
ForEach($url in $i)

This line starts the iteration. For each item in the array variable $i the script block
that follows, enclosed in braces, is executed. The current object in the array during
each iteration is assigned to the variable $url. During each iteration, $url contains
the current item.
{

The left brace begins the script block.


New-SPContentDatabase -Name WSS_Content_Intranet_$url -WebApplication http://intranet.contoso.com

The $url variable is used to create a unique content database name for each
department; it is the last component of the content database name.
New-SPSite -Url http://intranet.contoso.com/sites/$url -ContentDatabase WSS_Content_Intranet_$url -OwnerAlias CONTOSO\SP_Admin -Template "STS#0"

The $url variable is used to create a unique URL for the site collection and to
assign the site collection to the content database created by the previous
command.
}

The right brace ends the script block.


There is a blank line at the end of the script. If you are entering the script directly
in the Windows PowerShell console, you must enter a blank line to begin the
execution of the script.


Local, Global, and Remote Commands

There are two categories of SharePoint cmdlets: local and global:

Local cmdlets affect something on a single SharePoint server. For example, to
start a service on a server, use the Start-SPServiceInstance cmdlet. To connect a
new SharePoint server to a farm, use the Connect-SPConfigurationDatabase
cmdlet. To perform a command on multiple servers in a farm (for example, to
start a service on multiple servers), you need to iterate through the servers in
the farm.

Global cmdlets affect the farm as a whole, generally by making changes to the
SQL Server database. For example, when you set the property of a Web
application using Set-SPWebApplication, the property affects all servers
hosting that Web application. You do not need to touch each server. Similarly,
when you create a new site collection with New-SPSite, the site collection is
available to all SharePoint servers.


Windows PowerShell introduces remoting, with which you can perform Windows
PowerShell commands on remote systems. Remoting is a Windows PowerShell
feature, rather than a feature specific to SharePoint, so it is beyond the scope of this
course.

Additional Reading

Running Remote Commands at http://go.microsoft.com/fwlink/?LinkID=192745&clcid=0x409.


Windows PowerShell Scripts

Windows PowerShell scripts are text files saved with a .ps1 file name extension.

Reading and Creating Scripts


As you discover Windows PowerShell scripts that others have written, you'll find
that many are not written in ways that make them easy to read or interpret. Some
people make a sport out of creating one-liners, which can actually be a complex
script in which each command line is separated by a semicolon (;).

Semicolon (;) is used to combine separate commands into a single line.

Combining lines makes a script difficult to read. It is a best practice to keep
commands on separate lines.

Some people overuse aliases, making it difficult for others to make sense of the
script. This is particularly true for single- and double-character aliases such as %
(ForEach-Object), ? (Where-Object).


Executing Scripts
By default, Windows PowerShell scripts are not allowed to run. This is done to
prevent malicious scripts from damaging your environment.
The Windows PowerShell ExecutionPolicy determines which scripts are allowed to
run. The default ExecutionPolicy is Restricted.

To Allow All Windows PowerShell Scripts to Execute


You can remove all restrictions by setting ExecutionPolicy to Unrestricted.

Type Set-ExecutionPolicy Unrestricted, and then press ENTER.

There are, of course, significant security risks in doing so. However, in a test
environment, you may decide that such risks are acceptable.
You can also configure Windows PowerShell to allow the execution of scripts with
specific characteristics, including scripts signed with a trusted digital signature. In
a production environment, you should sign scripts. Code signing is beyond the
scope of this course, but you can learn more in the resources listed in the
Additional Reading section.
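
Added example, not part of the course text: the test-environment setting described above beside a signed-scripts policy, followed by a report of the signature status of the scripts in a folder. The folder C:\Scripts and the function name Get-ScriptSignatureReport are assumptions made for illustration.

```powershell
# Added example. C:\Scripts and Get-ScriptSignatureReport are hypothetical.

# Policy configured at every scope, listed in precedence order. The effective
# policy is the first entry that is not Undefined.
Get-ExecutionPolicy -List

# Test environment only: every script runs, signed or not.
# Set-ExecutionPolicy Unrestricted -Scope LocalMachine

# Production: a script runs only if it carries a valid signature from a
# publisher that this computer trusts. Requires an elevated session.
Set-ExecutionPolicy AllSigned -Scope LocalMachine

function Get-ScriptSignatureReport {
    param([Parameter(Mandatory=$true)][string]$Path)

    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # Unsigned scripts have no signer certificate.
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        New-Object PSObject -Property @{
            Script = $_.FullName
            # Valid, NotSigned, NotTrusted, or HashMismatch. HashMismatch
            # means the file was changed after it was signed.
            Status = $sig.Status
            Signer = $signer
        }
    } | Select-Object Status, Signer, Script | Sort-Object Status, Script
}

# Scripts that the AllSigned policy would refuse to run.
Get-ScriptSignatureReport -Path "C:\Scripts" |
    Where-Object { $_.Status -ne "Valid" } |
    Format-Table -AutoSize
```

Running the report before changing the policy shows which scheduled or shared scripts still need a signature, so the policy change does not break them.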

Scheduling Windows PowerShell Scripts


You can use Task Scheduler to schedule a Windows PowerShell script. This topic
is revisited in Module 13, Implementing Business Continuity, to schedule
SharePoint backup operations. Of course, the scripts run only if the execution
policy allows.

Additional Reading

Running Windows PowerShell Scripts at http://go.microsoft.com/fwlink/?LinkID=192746&clcid=0x409.

Stop Malicious Code in Windows PowerShell with Execution Policies at http://go.microsoft.com/fwlink/?LinkID=192747&clcid=0x409.

Using Windows PowerShell to Sign Scripts with Digital Certificates at http://go.microsoft.com/fwlink/?LinkID=192748&clcid=0x409.


Lab A: Automating SharePoint with Windows PowerShell

You are responsible for ensuring that the SharePoint farm can be built consistently
in both lab and production environments, and that the farm can be rebuilt in the
event of a catastrophic failure. Additionally, you are required to produce weekly
reports showing the webs and storage utilization of each site collection in the
production farm. To meet these goals, you must build Windows PowerShell scripts
that can automate SharePoint management tasks.

Start the virtual machines

1. Start 10174A-CONTOSO-DC-C.

2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-C.


Exercise 1: Adding SharePoint Functionality to Windows PowerShell
Scenario
To automate SharePoint management, you must use Windows PowerShell. But
Windows PowerShell does not load SharePoint .dll files or snap-ins by default. In
this exercise, you learn several ways to add SharePoint management functionality
to Windows PowerShell.
The main tasks for this exercise are as follows:
1. Load SharePoint .dll files using .NET reflection.

2. Add the SharePoint snap-in using the Add-PSSnapin cmdlet.

3. Open the SharePoint 2010 Management Shell.

Task 1: Load SharePoint .dll files using .NET reflection

Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password Pa$$w0rd.

In the Windows Quick Launch, click Windows PowerShell.

To identify the assemblies that are currently loaded, type the following
command and then press ENTER:
[AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {
Split-Path $_.Location -Leaf } | Sort

Microsoft.SharePoint.dll is not in the list. To use the SharePoint object model,
you must load the SharePoint .dll files.

Type the following command and then press ENTER:

[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

The output displays GAC, version, and location information for the assembly.


Repeat step 3 to display the loaded assemblies.

Tip: You can press the UP key to scroll through previously executed commands.

The listing includes the Microsoft.SharePoint.dll.

Task 2: Add the SharePoint snap-in using the Add-PSSnapin cmdlet

Type the following command and then press ENTER:


Get-PSSnapin

The output lists the snap-ins that have been added to the current session. The
SharePoint snap-in is not listed.

Type the following command and then press ENTER:


Get-PSSnapin -Registered

The output lists the snap-ins that are registered on the system, except for those
that are installed with Windows PowerShell.

Type the following command and then press ENTER:


Add-PSSnapin Microsoft.SharePoint.PowerShell

Type the following command and then press ENTER:


Get-PSSnapin

The output lists the snap-ins that have been added to the current session. The
SharePoint snap-in is now added.


To identify the assemblies that are currently loaded, type the following
command and then press ENTER:
[AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {
Split-Path $_.Location -Leaf } | Sort

The listing includes numerous SharePoint assemblies.


Rather than loading each assembly one by one, use the Add-PSSnapin cmdlet
to load them all at once.

Close Windows PowerShell.

Task 3: Open SharePoint 2010 Management Shell

Click Start, click All Programs, click Microsoft SharePoint 2010 Products,
and then click SharePoint 2010 Management Shell.

Type the following command and press ENTER:


Get-PSSnapin

The output lists the snap-ins that have been added to the current session. The
SharePoint snap-in is already added to the session.

To identify the assemblies that are currently loaded, type the following
command and press ENTER:
[AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {
Split-Path $_.Location -Leaf } | Sort

The listing demonstrates that SharePoint 2010 Management Shell preloads the
SharePoint .dll files.

Results: After this exercise, you will have learned how to run Windows PowerShell
with the ability to administer SharePoint.


Exercise 2: Delegating the Ability to Use Windows PowerShell to Manage SharePoint
You have been asked to report the storage utilization of SharePoint site collections.
In this exercise, you discover that, without a delegation, you cannot use Windows
PowerShell to manage SharePoint. You perform the appropriate delegation, and
then, in the next exercise, you continue with the task of producing reports of
SharePoint storage utilization.
The main tasks for this exercise are as follows:
1. Attempt to use Windows PowerShell to enumerate webs.

2. Configure least privilege rights to manage SharePoint with Windows PowerShell.

Task 1: Attempt to use Windows PowerShell to enumerate webs

In SharePoint 2010 Management Shell, type the following command and then
press ENTER:
$spsite = Get-SPSite "http://intranet.contoso.com"

To enumerate all of the webs in the site collection, type the following
command and press ENTER:
$spsite | Get-SPWeb

An error appears indicating that login failed. The SP_Admin user account does
not have the permissions required to access the information about the intranet
site collection with Windows PowerShell.


Task 2: Configure least privilege rights to manage SharePoint with Windows PowerShell

Start SharePoint 2010 Management Shell using the Run as different user
option. Enter the user name, CONTOSO\Administrator, and the password,
Pa$$w0rd.

Type the following commands each followed by ENTER:


$spcdb = Get-SPContentDatabase WSS_Content_Intranet
Add-SPShellAdmin -UserName CONTOSO\SP_Admin -Database $spcdb

Close Administrator SharePoint 2010 Management Shell.

Results: After this exercise, you will have delegated SP_Admin the ability to manage
SharePoint with Windows PowerShell.
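
Added example, not part of the lab: a review of delegations like the one made in this exercise, listing which accounts are shell administrators on the farm configuration database and on each content database. The function name Get-ShellAdminReport is hypothetical, and the account running it is assumed to have access to the databases it inspects.

```powershell
# Added example. Get-ShellAdminReport is a hypothetical helper name.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ShellAdminReport {
    # With no -Database argument, Get-SPShellAdmin reports on the farm
    # configuration database.
    Get-SPShellAdmin | ForEach-Object {
        New-Object PSObject -Property @{
            Database = "(farm configuration database)"
            UserName = $_.UserName
        }
    }

    # Add-SPShellAdmin grants access per database, so each content database
    # has to be checked separately.
    Get-SPContentDatabase | ForEach-Object {
        $db = $_   # keep the database; $_ is reused by the inner loop
        Get-SPShellAdmin -Database $db | ForEach-Object {
            New-Object PSObject -Property @{
                Database = $db.Name
                UserName = $_.UserName
            }
        }
    }
}

$report = Get-ShellAdminReport |
    Select-Object UserName, Database |
    Sort-Object UserName, Database
$report | Format-Table -AutoSize

# Accounts that hold shell access on more than one database deserve a
# second look when the goal is least privilege.
$report | Group-Object UserName |
    Where-Object { $_.Count -gt 1 } |
    Select-Object Name, Count

# To withdraw a delegation that is no longer needed (same account and
# database as in the lab task):
# $spcdb = Get-SPContentDatabase WSS_Content_Intranet
# Remove-SPShellAdmin -UserName CONTOSO\SP_Admin -Database $spcdb
```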


Exercise 3: Reporting Web and Site Collection Properties


You have been asked to produce a weekly report of the webs and storage
utilization of SharePoint site collections. In this exercise, you use Windows
PowerShell to list all the webs in a site collection and to produce reports of site
collection properties.
The main tasks for this exercise are as follows:
1. Use Windows PowerShell to report web properties.

2. Attempt to use the grid-view to report site collection properties.

3. Install the Windows PowerShell Integrated Scripting Environment.

4. Use the grid-view to report site collection properties.

Task 1: Use Windows PowerShell to report Web properties

Switch to SharePoint 2010 Management Shell.

List all of the sites in the site collection, http://intranet.contoso.com. Include
the LastItemModifiedDate, URL, and Created properties, and sort the results
by Created.

Tip: You need to use the Get-SPSite, Get-SPWeb, and Select cmdlets.

Task 2: Attempt to use the Grid-View to report site collection properties

To enumerate all of the site collections in the farm, except Central
Administration, type the following command and then press ENTER:
Get-SPSite


Type the following command and then press ENTER:


Get-SPSite | Select URL,
@{Name="Storage"; Expression={"{0:N2} MB" -f ($_.Usage.Storage/1000000)}},
@{Name="Quota"; Expression={"{0:N2} MB" -f ($_.Quota.StorageMaximumLevel/1000000)}}

The listing displays various properties of each site collection.

Type the following command and then press ENTER:


Get-SPSite | Select URL,
@{Name="Storage"; Expression={"{0:N2} MB" -f ($_.Usage.Storage/1000000)}},
@{Name="Quota"; Expression={"{0:N2} MB" -f ($_.Quota.StorageMaximumLevel/1000000)}} |
Out-GridView -Title "Sites with Usage"

An error indicates that the Windows PowerShell Integrated Scripting
Environment feature is not installed.

Task 3: Install the Windows PowerShell Integrated Scripting Environment

Type the following two commands each followed by ENTER:


Import-Module ServerManager
Add-WindowsFeature PowerShell-ISE

An error indicates that you must run the command with elevated permissions.

Start Windows PowerShell using the Run as administrator option.

Type the following two commands each followed by ENTER:


Import-Module ServerManager
Add-WindowsFeature PowerShell-ISE

Close Administrator: Windows PowerShell.


Task 4: Use the Grid-View to report site collection properties

In SharePoint 2010 Management Shell, press the UP arrow several times until
you see the command you typed in Task 2, and then press ENTER to rerun the
command.
Get-SPSite | Select URL,
@{Name="Storage"; Expression={"{0:N2} MB" -f ($_.Usage.Storage/1000000)}},
@{Name="Quota"; Expression={"{0:N2} MB" -f ($_.Quota.StorageMaximumLevel/1000000)}} |
Out-GridView -Title "Sites with Usage"

An error indicates that the Windows PowerShell Integrated Scripting
Environment feature is not installed. This occurs because you must close and
reopen SharePoint 2010 Management Shell to load the component.

Close SharePoint 2010 Management Shell.

Open SharePoint 2010 Management Shell.

Type the following command and then press ENTER, which is the same as the
command you executed in the beginning of this task:
Get-SPSite | Select URL,
@{Name="Storage"; Expression={"{0:N2} MB" -f ($_.Usage.Storage/1000000)}},
@{Name="Quota"; Expression={"{0:N2} MB" -f ($_.Quota.StorageMaximumLevel/1000000)}} |
Out-GridView -Title "Sites with Usage"

A Grid-View window appears displaying the output of the command.

Close the Sites With Usage window.

Results: After this exercise, you will have used Windows PowerShell to produce
reports of your SharePoint environment.


Exercise 4: Creating Site Collections Using Windows PowerShell
You have been asked to create sites on the intranet for Sales, Marketing, and HR.
To create the site collections and webs consistently in both the lab and production
environments, you must create Windows PowerShell scripts to create the new
sites.
The main tasks for this exercise are as follows:
1. Create a single site collection using Windows PowerShell.

2. Create multiple site collections using Windows PowerShell.

Task 1: Create a single site collection using Windows PowerShell

In SharePoint 2010 Management Shell, type the following commands:


New-SPContentDatabase -Name WSS_Content_Intranet_Sales -WebApplication http://intranet.contoso.com
$spsite = New-SPSite -Url "http://intranet.contoso.com/sites/Sales" -ContentDatabase WSS_Content_Intranet_Sales -OwnerAlias CONTOSO\SP_Admin -Template "STS#0"

A site collection and top-level web for the Sales department is created using the
Team Site site definition.

Open the Sales site with Windows Internet Explorer.


Task 2: Create multiple site collections using Windows PowerShell

In SharePoint 2010 Management Shell, create a script with a loop that creates
two new sites called HR and Marketing.

Tip: Refer to the commands from the previous task and the following example of a
loop.

$i = ("A", "B")
foreach($s in $i)
{
Write-Host $s
}

To enumerate all of the site collections in the farm, except Central
Administration, type the following command and then press ENTER:
Get-SPSite

The output lists the new site collections.

Results: After this exercise, you will have used Windows PowerShell cmdlets and
scripts to create new content databases, site collections, and sites.


Exercise 5: Creating and Updating Items


You want to modify the default announcement that is created on a new team site
when you provision a new site with your Windows PowerShell scripts.
The main task for this exercise is as follows:
1. Modify a list item using Windows PowerShell.

Task 1: Modify a list item using Windows PowerShell

Open your newly created Sales site.

Open the Announcements list, and then observe the title of the only item in
the list.

In SharePoint 2010 Management Shell, type the following commands:


$gc = Start-SPAssignment
$spsite = $gc | Get-SPSite "http://intranet.contoso.com/sites/Sales"
$splist = $spsite.rootweb.lists["Announcements"]
$splistitem = $splist.items[0]
$splistitem["Title"] = "Our SharePoint 2010 Sales site is now live!"
$splistitem.update()
$gc | Stop-SPAssignment

The list item will be updated. Notice that you did not use a cmdlet to update a
list item. There are things that will require direct access to the object model
and, as such, you need to be careful to dispose of objects you create.

Switch to Internet Explorer and then refresh the Announcements list, and
then observe that the title of the list item has been updated.

Close all Internet Explorer and Windows PowerShell windows.

Results: After this exercise, you will have updated a list item using a Windows
PowerShell script.


Do not shut down the virtual machines

Leave the virtual machines running. You will use them for Lab B.


Lab B: Administering SharePoint with Stsadm

Contoso's policies encourage and in some cases mandate the automation of
common tasks. As such, your Microsoft Office SharePoint Server 2007
environment had several Stsadm scripts that were used to create site collections
and webs.

Exercise 1: Executing Stsadm Commands


You have just finished setting up the new SharePoint Server 2010 farm and you
have been tasked with testing some of the scripts to determine whether changes
have been made to Stsadm that might break the scripts.
The main tasks for this exercise are as follows:
1. Display Stsadm Help documentation.

2. Enumerate site collections in a Web application using Stsadm.

3. Create an Operations site collection using Stsadm.

4. Create an Operations Maintenance site using Stsadm.

5. Configure the site collection administrator using Stsadm.


Task 1: Display Stsadm Help documentation

Start SharePoint 2010 Management Shell using the Run as administrator option.

Type the following command and then press ENTER:


stsadm

Examine the output of the command, which includes a list of the numerous
operations supported by Stsadm. Also notice the examples displayed at the
end of the Help documentation.

To display Help documentation for the enumsites operation, type the
following command and then press ENTER:
stsadm -help enumsites

Task 2: Enumerate site collections in a Web application using Stsadm

Use the enumsites operation of Stsadm to list the site collections in the Web
application, http://intranet.contoso.com.

Observe the amount of time that the operation takes to complete.

Review the XML response that you get from the command, and note that this
can be used in a Windows PowerShell script to iterate through all your site
collections.

Type the following command, and observe the amount of time it takes for the
command to execute:
Get-SPSite "http://intranet.contoso.com" | Get-SPWeb

Repeat steps 1 and 2, and observe the amount of time it takes for each
command to execute.

Task 3: Create an Operations site collection using Stsadm

Use the createsite operation of Stsadm to create a site collection and top-level
web for the Operations department, with the URL
http://intranet.contoso.com/sites/Operations. Assign
CONTOSO\SP_Admin as the site administrator with the e-mail address
sharepoint@contoso.com.

In Internet Explorer, browse to http://intranet.contoso.com/sites/Operations.
Select the Team Site template and accept the default group configuration.

Task 4: Create an Operations Maintenance site using Stsadm

Use the createweb operation of Stsadm to create a web for the Maintenance
department with the URL http://intranet.contoso.com/sites/Operations/Maintenance.

In Internet Explorer, browse to the new site and select the Team Site template.

Task 5: Configure the site collection administrator using Stsadm

Attempt to sign in to the Maintenance site as CONTOSO\Administrator with
the password Pa$$w0rd.

Access is denied.

Use the siteowner operation of Stsadm to assign CONTOSO\Administrator
as the site administrator of the Operations site collection.

Confirm that you can open the Maintenance web as CONTOSO\Administrator.

Results: After this exercise, you will have executed several Stsadm commands to
create a new Operations site collection and web with a specific site collection
administrator.
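
The XML returned by enumsites in Task 2 and the owner assignment in Task 5 can be combined into a quick ownership review. The following is an added example, not part of the course lab: it parses a constructed sample modeled on enumsites output and flags site collections whose primary owner is not on an approved list or that have no secondary owner. The sample XML, the approved-owner list, and the function name Get-SiteOwnerFinding are assumptions for illustration.

```powershell
# Added example (not from the course). The XML below is constructed sample data
# modeled on the attribute layout of "stsadm -o enumsites" output.
# On a farm server, replace $sampleXml with live output:
#   $raw = stsadm -o enumsites -url http://intranet.contoso.com | Out-String
$sampleXml = @'
<Sites Count="3">
  <Site Url="http://intranet.contoso.com" Owner="CONTOSO\SP_Admin" SecondaryOwner="CONTOSO\Administrator" ContentDatabase="WSS_Content_Intranet" StorageUsedMB="2.1" StorageWarningMB="0" StorageMaxMB="0" />
  <Site Url="http://intranet.contoso.com/sites/Operations" Owner="CONTOSO\Administrator" ContentDatabase="WSS_Content_Intranet" StorageUsedMB="0.6" StorageWarningMB="0" StorageMaxMB="0" />
  <Site Url="http://intranet.contoso.com/sites/Legacy" Owner="CONTOSO\TempContractor" ContentDatabase="WSS_Content_Intranet" StorageUsedMB="14.8" StorageWarningMB="0" StorageMaxMB="0" />
</Sites>
'@

function Get-SiteOwnerFinding {
    param(
        [Parameter(Mandatory = $true)][string]$EnumSitesXml,
        [Parameter(Mandatory = $true)][string[]]$ApprovedOwners
    )

    $doc = [xml]$EnumSitesXml

    # SelectNodes returns an empty list when there are no <Site> elements,
    # so the loop body is skipped instead of running once on $null.
    foreach ($site in $doc.SelectNodes('/Sites/Site')) {
        # GetAttribute returns an empty string when the attribute is absent.
        $owner     = $site.GetAttribute('Owner')
        $secondary = $site.GetAttribute('SecondaryOwner')
        $issues    = @()

        # -notcontains compares case-insensitively, like Windows account names.
        if ($ApprovedOwners -notcontains $owner) {
            $issues += 'primary owner not on approved list'
        }
        if ([string]::IsNullOrEmpty($secondary)) {
            $issues += 'no secondary owner'
        }

        if ($issues.Count -gt 0) {
            New-Object PSObject -Property @{
                Url    = $site.GetAttribute('Url')
                Owner  = $owner
                Issues = ($issues -join '; ')
            }
        }
    }
}

# Hypothetical approved list: the two accounts used as owners in this lab.
$approved = 'CONTOSO\SP_Admin', 'CONTOSO\Administrator'

Get-SiteOwnerFinding -EnumSitesXml $sampleXml -ApprovedOwners $approved |
    Format-Table Url, Owner, Issues -AutoSize
```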

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To
do this, complete the following steps:

On the host computer, start Microsoft Hyper-V Manager.

Right-click the virtual machine name in the Virtual Machines list, and then
click Revert.

In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
Question: What are the advantages of using Windows PowerShell to manage
SharePoint?
Question: In what scenarios would it be preferable to use Stsadm instead of
Windows PowerShell cmdlets to manage SharePoint?
Question: By default, who can use Windows PowerShell to manage SharePoint?
Question: By default, will Windows PowerShell scripts be allowed to run on a
system?

Module 4
Configuring Content Management
Contents:
Lesson 1: Optimizing Content Storage and Access
Lab A: Configuring List Throttling and Remote BLOB Storage
Lesson 2: Managing Site Content Types and Site Columns
Lesson 3: Configuring the Managed Metadata Service
Lab B: Configuring Managed Metadata

Module Overview

As you learned in Module 1, "Introducing SharePoint 2010," one of the six
capabilities of Microsoft SharePoint 2010 is content. After you have built your
SharePoint farm and the logical components of SharePoint (Web applications, site
collections, sites, lists, and libraries), your users will begin to populate
SharePoint with content.
Although many content management features of SharePoint 2010 are considered
end-user features, and are therefore out of scope for this course, several features
warrant coverage because they require configuration by farm, service application,
and site collection administrators: list throttling, remote binary large object (BLOB)
storage (RBS), site content types and columns, and managed metadata service
applications.

Lesson 1

Optimizing Content Storage and Access

In this lesson, you explore the administrative tasks related to lists and libraries, the
two most important containers for content in sites. You then learn about two
important new features of SharePoint Server 2010 with which you can better
manage and govern both the performance and storage of SharePoint content: list
throttling and RBS.
After completing this lesson, you will be able to:

Describe the content structure in a site collection.

Configure and optimize the performance of large lists.

Configure and manage storage of document libraries.


Lists and Libraries

In Module 2, "Creating a SharePoint 2010 Intranet," you examined a diagram of
the logical hierarchy of SharePoint. A piece of that diagram, shown in the slide,
illustrates the hierarchical structure of content-related objects in a SharePoint farm:
In a site collection, content is collected into lists and document libraries, also called,
simply, libraries. Lists are collections of items, which can optionally be grouped in
folders. Libraries are a specialized form of list designed to hold files, called
documents, which can also be grouped in folders.

Create a List or Library


The steps to create a list or library are straightforward and well documented. But it
is important that you create a document library or list that is easy to find, with a
user-friendly URL, and navigation hooks so that users can quickly browse to locate
the list or library.

1. Determine an easy, user-friendly URL.

   Users read and sometimes type the URL to a list or library, so it should be
   easy to read, remember, and type. Use the following best practices when
   determining the URL for a list or library:

   Use a consistent style of capitalization, such as MixedCase. Although
   Internet Information Services (IIS) Web site addresses are not case
   sensitive, thoughtful use of capitalization can create a consistent
   environment and can facilitate readability. Some organizations use a
   standard of all-lowercase URLs; however, mixed-case URLs, such as
   HumanResources, are more popular because they provide readability for
   multiword URLs.

   Keep URLs short. A shorter URL is easier to remember and type.
   Additionally, remember that URLs are limited in length, to 260 characters,
   so short URLs reduce the risk of overrunning that limit for content nested
   in this list or library.

   Avoid spaces. Spaces in URLs are escaped by browsers and become %20,
   for example, http://intranet.contoso.com/Shared%20Documents. The
   escaped space is difficult to read and interpret and can be problematic in
   certain access scenarios. Avoid spaces in your URLs.

2. When creating the list or library, configure the Name field to be the URL.

   When you create a list or library in the user interface, you are prompted to
   enter a value for the Name. Unfortunately, the value you enter in the Name
   box is used to create the Title and the URL of the list or library. If you
   use bad practices (for example, if you include a space in the Name), the
   space becomes part of the URL.

   The URL is somewhat challenging to change after it has been created; you
   must use Windows PowerShell or SharePoint Designer to change it. The
   name can easily be changed.

   Therefore, follow these steps when creating a list or library:

   1. Configure the Name so that the result is a URL that follows the rules
      discussed previously.
   2. Do not add the list or library to the Quick Launch when creating the
      list or library.

3. After creating the list or library, change the Title.

   Immediately after creating the list or library, navigate to the List Settings or
   Library Settings page and click Title, Description And Navigation. Enter a value
   for the Name. In this interface, the name is used only for the list or library Title
   property, not for the URL. Therefore, you can use any name, including a long
   name with spaces, and thereby configure navigation controls such as the
   Quick Launch and navigation breadcrumb to display a more descriptive,
   viewer-friendly name.

4. Configure list and library settings.

   When you create a list or library, you should consider the following:

   Enforce check-out. For document libraries, it is highly recommended to
   enforce check out if users have the ability to modify documents in the
   library. Click the Versioning link on the Library Settings page.

   Consider versioning and approval. Consider implementing versioning
   and approval based on the business requirements for the list or library.
   Click the Versioning link on the Library Settings page.

   Add columns. To modify the metadata of a list or library, add list
   columns. First, check to see whether an existing site column meets your
   needs and, if so, add the site column to the list. Otherwise, create a new
   column.

Manage Navigation to Lists and Libraries


Users can type the URL to a list or library to navigate to it, but as the administrator
of a SharePoint environment, you should ensure that there are easier options for
users to navigate to commonly used lists, libraries, and sites.

Deploy Favorites Using Group Policy Preferences


Users can navigate to a site, list, or library by using Windows Internet Explorer.
Of course, a user can add the location as a Favorite manually. But you can also
deploy, or push, Favorites into users' Internet Explorer Favorites.
Use Group Policy Preferences to deploy Favorites. Group Policy Preferences is a
component of Group Policy, and therefore of Active Directory Domain Services
(AD DS). The details of how to configure preferences are beyond the scope of this
course, but you can find information in the resources listed under Additional
Reading.


The following graphic shows a Group Policy shortcut properties setting that is
configured to create a link to the SpecialProjects document library on the
consulting site:

The configuration elements of the properties are the following:

Action: The Update action creates a Favorite if one does not exist and updates
the Favorite if it has changed.

Name: The Name is the user-friendly name of the Favorite, as it will appear in
the user's Favorites folder. Using the foldername\Favorites Name format creates
a folder in the Favorites folder. In the preceding figure, a folder named
SharePoint Sites is created or updated with a Favorite called Consulting
Special Projects.

Target Type: This is URL.

Location: Explorer Favorites.

Target URL: The URL for the SharePoint content.


Additional Reading

Deploying Shortcuts and Favorites to SharePoint Sites at
http://go.microsoft.com/fwlink/?LinkID=197205&clcid=0x409.

Deploy Network Locations for Quick Access to SharePoint Sites Using Windows Explorer

Users don't always access SharePoint libraries by using Internet Explorer. They
also navigate to libraries when opening and saving documents from Microsoft
Office client applications and other SharePoint-aware applications.
You should make it easier for users to navigate to commonly used libraries when
they are using Windows Explorer interfaces, including Open and Save dialogs.
The Windows Vista operating system and later clients provide such functionality
using network locations. A network location is a node in the Windows Explorer
interface that behaves like a mapped drive but that has a name rather than a drive
letter.
To create a network location, complete the following steps:
1. Open the Computer folder.
2. Right-click in a blank area of the window, and then click Add a Network
   Location.
3. Complete the wizard by providing a path to the library and a user-friendly
   name for the network location.

After you create a network location, you can navigate to the library from the
Computer folder. The network location appears in the Network Locations folder.
In the Open and Save dialogs, click Computer in the Favorite Links bar.
It is easy to deploy network locations to users as long as you know that a network
location is a collection of objects in a folder in the following path:
%appdata%\Microsoft\Windows\Network Shortcuts, for example,
c:\users\username\AppData\Roaming\Microsoft\Windows\Network Shortcuts.
You can copy network locations that you have created to a shared folder on the
network, and then copy the network locations to the Network Shortcuts folders of
other users' profiles. You can use Robocopy.exe in a logon script, for example, to
update users' Network Shortcuts folders.

The Windows XP operating system provides identical functionality using network
places. Network places are created in the Network Places folder, instead of the
Computer folder. They are stored in %userprofile%\NetHood. You can copy
network places created on one Windows XP system into the NetHood folder of
other Windows XP user profiles. Unfortunately, you cannot copy Windows XP
network places to a client running Windows Vista or later operating system, and
you cannot copy network places to a Windows XP client.


What Is New in Lists and Libraries?

SharePoint 2010 lists expose important functionality that was not available in
previous versions of SharePoint:

Large lists. SharePoint 2010 lists are supported for up to 50 million items.
This is possible because of performance enhancements and new features such
as multicolumn lists.

Multicolumn indexes. You can create an index that contains more than one
column.

List relationships. SharePoint 2010 lists support relationships. Related lists
can enforce referential integrity, both cascade delete and prevent delete. For
example, if you have a list of customers that is related to a list of orders, you
can configure SharePoint so that you cannot delete a customer for whom
orders exist (prevent delete) or so that when you delete a customer, related
orders are deleted (cascade delete).

Related lists also support projected fields. These are fields from the parent list
that can be shown on the child list. For example, an order item that is related
to a customer item can display the customer's name, address, email address,
and telephone number.

Data validation. You can perform simple data validation in an out-of-box
SharePoint list. A list column can have data validation, which ensures that a
column's value meets specified rules. A list can also have unique columns,
which ensures that no two items have the same value in the columns. For
example, you can set the email address column of a contacts list to be unique
so that no two contacts are created with identical email addresses.

Document sets. A Document set is a collection of documents with its own
metadata and versions. With Document sets, you can manage an entire
collection of documents, worksheets, presentations, or other types of
document content as an entire end-to-end work product.
Metadata is applied to each document in a Document set, and additional
metadata is applied to the Document set as a whole. For documents inside of a
Document set, administrators can select columns that they want marked as
read-only. The property can be edited only on the Document set. Any changes
to the column that are marked as read-only are applied to all of the documents
inside.
A Document set includes a Welcome page that acts as a customizable home
page for the Document set, displaying the properties of the Document set.
Document sets support templates and versioning. You can create templates in
Microsoft Visual Studio 2010. Versioning makes it possible to capture the
state of the Document set at different points in its life cycle, view its history,
and restore previous versions of the Document set.

Content organizer. The content organizer uses an advanced routing engine
and administrator-defined routing rules to route documents from a drop
library to a specific location, based on document metadata, and can apply
metadata automatically to a document based on its location.

Digital asset management. SharePoint lists now provide capabilities for
managing audio, video, and image content types.

Document IDs. The Document ID service is a new feature at the site-collection
level that adds a unique identifier (ID) to all documents throughout the site
collection. This feature enables retrieval of documents by document ID
regardless of their current or future location.

Location-based metadata defaults. Library administrators can specify
different default column values for each folder in a document library.

Metadata navigation and filtering. Metadata navigation creates a folder
hierarchy based on metadata. Each folder is effectively a filter. This provides a
dynamic and effective way for users to discover documents. Filtering produces
a multiselect list of filters based on metadata values that allow users to filter a
view further.

Additional Reading

What's New: List Enhancements at
http://go.microsoft.com/fwlink/?LinkID=197206&clcid=0x409.

Large Lists

SharePoint 2010 can handle tens of millions of items in a list or library. However,
operations involving large numbers of items can reduce performance, limit access
to data, and cause timeouts.
Examples of such operations include the following:

Query with no item limit

Query with a filter or sort on a column that is not indexed

Deleting large lists or sites with large lists

Adding a column to a large list

SharePoint 2010 introduces large list throttling, which protects a SharePoint farm
and users accessing the farm from the effects of large operations by other users.

Configuring List Throttling

To configure list throttling, complete the following steps:
1. In Central Administration, in the Application Management section, click
   Manage web applications.
   The Web Applications Management page opens.
2. Click the Web application for which you want to configure list throttling.
3. On the ribbon, click the General Settings drop-down arrow, and then click
   Resource Throttling.
   The Resource Throttling page opens.

It is important to understand the following points about list throttling:

List throttling is enabled and configured per Web application in Central
Administration.

If list throttling is enabled at the Web application level, you can enable or
disable throttling per list through the object model. Lists and libraries have an
EnableThrottling property.

List throttling is configured separately for what is done in the user interface
versus what is done using the object model.

List throttling is applied differently depending on whether the user is a typical
user or a super user.

List Throttling Settings


The following graphic shows the list throttling settings on the Resource Throttling
page.

The most commonly configured settings are as follows:

List View Threshold. This value configures the maximum number of items
that can be queried by standard users.
The default is 5,000 items. It is strongly recommended that you do not change this
default. If poor-performing queries are used on lists with more than 5,000
items, overall throughput may significantly decrease when raising this limit.

Object Model Override. You can apply a second level of throttling to super
users. The override allows a super user to retrieve a larger number of items. To
configure super user override, you must configure both of the following:

   List View Threshold For Auditors And Administrators. This value
   configures the maximum number of items that can be queried by super
   users. The default is 20,000 items.

   Object Model Override. This option specifies that the list view threshold
   for auditors and administrators is in effect.

Super user override does not allow large list views; access must be through the
object model. Developers can set the QueryThrottleMode property of SPQuery
and SPSiteDataQuery objects to retrieve up to the number of items specified in
the list view threshold for auditors and administrators.

Daily Time Window For Large Queries. You can specify a period of time
during which large queries can be executed. You should ensure that the time
window is configured to minimize the risk of affecting users based on your
usage patterns.

There are exemptions to list throttling in the following two scenarios:

If the user is a member of the Administrators group of Web front end (WFE)
with Read permissions, all items are returned.

If the EnableThrottling property of the SPList object is set to false, all items are
returned. You can do this using the object model, including by using Windows
PowerShell. Doing so allows you to set list throttling settings for a Web
application, and then exempt specific large lists and libraries from throttling.

Several other list throttling settings are available on the Resource Throttling page.

Warning level for administrators. This value configures the warning level
shown on the List Settings page. The default value is 3,000. You can configure
the warning level by using Windows PowerShell, as in the following example:
$sitecol = Get-SPSite http://intranet.contoso.com/sites/IT
$webapp = $sitecol.WebApplication
$webapp.MaxItemsPerThrottledOperationWarningLevel = 2500
# Save the change; without Update() the new value is not persisted
$webapp.Update()

List View Lookup Threshold. This value, 6 by default, specifies the number of
Lookup, Person/Group, or Workflow Status fields that a database query can
involve at one time.


List Unique Permissions. If a list contains too many unique permissions, the
system can experience performance degradation. The default value for this
setting is 50,000. As the number of unique permissions in a list increases,
performance degrades. Reconsider any design in which all or most content in a
large list must be uniquely secured. The throughput difference for operations on
a list between 0 and 1,000 unique permissions is around 20 percent. There is a
configurable default of 50,000 unique permissions per list; however, Microsoft
recommends that you consider lowering this limit to 5,000, and for large lists
consider using a design that uses as few unique permissions as possible. This
aids not only performance but also manageability.

If you are upgrading to SharePoint 2010, and you have a list in SharePoint 2007
that has a default view with a number of items greater than 5,000, after upgrade
the large list will not be available until a new default view is created that returns a
number of items lower than the threshold.
Another upgrade consideration is related to code that returns large numbers of
items. Developers should update their code to account for list throttling. The
EnableThrottling property on the list and the RequestThrottleOverride on the
query must be specified. Developers can find more information about list throttling
on MSDN.
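
Because a list with EnableThrottling set to false bypasses the Web application's limits, it is worth knowing which lists are exempt and which are already past a threshold. The following read-only report is an added example, not code from the course: the function name Get-ListThrottlingReport is an assumption, and the SPWebApplication property names other than MaxItemsPerThrottledOperationWarningLevel come from the SharePoint 2010 object model rather than from the course text.

```powershell
# Added example, not from the course. Run in the SharePoint 2010 Management
# Shell on a farm server. The script only reads settings; it changes nothing.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-ListThrottlingReport {
    param([Parameter(Mandatory = $true)][string]$WebApplicationUrl)

    $wa = Get-SPWebApplication $WebApplicationUrl

    # 1. Web application settings from the Resource Throttling page.
    $settings = ('ListViewThreshold={0}; AuditorAdminThreshold={1}; ' +
                 'ObjectModelOverride={2}; WarningLevel={3}; ' +
                 'LookupThreshold={4}; UniquePermissions={5}') -f
                 $wa.MaxItemsPerThrottledOperation,
                 $wa.MaxItemsPerThrottledOperationOverride,
                 $wa.AllowOMCodeOverrideThrottleSettings,
                 $wa.MaxItemsPerThrottledOperationWarningLevel,
                 $wa.MaxQueryLookupFields,
                 $wa.MaxUniquePermScopesPerList

    New-Object PSObject -Property @{
        Scope = 'WebApplication'; Url = $WebApplicationUrl
        Items = $null; Finding = $settings
    }

    # 2. Lists that are exempt from throttling or already past a limit.
    foreach ($site in (Get-SPSite -WebApplication $wa -Limit All)) {
        try {
            foreach ($web in $site.AllWebs) {
                try {
                    foreach ($list in $web.Lists) {
                        $finding = $null
                        if (-not $list.EnableThrottling) {
                            $finding = 'EnableThrottling is false: list is exempt'
                        }
                        elseif ($list.ItemCount -gt $wa.MaxItemsPerThrottledOperation) {
                            $finding = 'Item count exceeds the List View Threshold'
                        }
                        elseif ($list.ItemCount -gt $wa.MaxItemsPerThrottledOperationWarningLevel) {
                            $finding = 'Item count exceeds the administrator warning level'
                        }

                        if ($finding) {
                            New-Object PSObject -Property @{
                                Scope   = 'List'
                                Url     = $web.Url.TrimEnd('/') + '/' + $list.RootFolder.Url
                                Items   = $list.ItemCount
                                Finding = $finding
                            }
                        }
                    }
                }
                finally { $web.Dispose() }   # release each SPWeb
            }
        }
        finally { $site.Dispose() }          # release each SPSite
    }
}

Get-ListThrottlingReport -WebApplicationUrl 'http://intranet.contoso.com' |
    Format-Table Scope, Url, Items, Finding -AutoSize -Wrap
```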

Additional Reading

Designing Large Lists and Maximizing List Performance at
http://go.microsoft.com/fwlink/?LinkID=197207&clcid=0x409.

Remote BLOB Storage

Binary large objects (BLOBs) are used to store large binary data such as documents
and media. By default, BLOBs are stored in the Microsoft SQL Server content
database. With Remote BLOB Storage, you can move storage of BLOBs to a
different data store.

BLOBs
BLOBs are fields that contain binary data. Following are examples of BLOBs:

Unstructured data with no schema, such as encrypted data

Large amounts of binary data with simple schema, such as a document or
digital asset

SQL Server stores BLOB data in databases by default. But as BLOB data expands, it
consumes server storage. Additionally, BLOBs use server resources, for example,
cache, that are optimized for database access patterns, not for storing large files.
Therefore, performance can be degraded.


Remote BLOB Storage


Remote BLOB Storage (RBS) moves the storage of BLOBs to commodity storage
solutions that can be less expensive and that are configured to handle simple
storage. The benefits of RBS include the following:

Database server resources, for example, cache, are freed for database
operations.

Integration with third-party technologies and data stores.

RBS is a library application programming interface (API) that is integrated into
SQL Server 2008. RBS works on a provider model. An RBS provider connects SQL
Server and the RBS APIs of the BLOB store. RBS ships with RBS FILESTREAM
provider. Therefore, you can immediately start to use the RBS FILESTREAM
provider to move BLOBs from the database to a folder on a local NTFS volume.

RBS and SharePoint 2010


SharePoint 2010 supports RBS FILESTREAM provider with the following
constraints:

Local hard disks only. SharePoint does not support RBS remote storage, such
as network attached storage (NAS).

Content databases only. Other databases cannot use RBS.

SQL Server versions. SharePoint 2010 supports RBS on SQL Server 2008
with Service Pack 1 (SP1) and Cumulative Update 2 or SQL Server 2008 R2.

RBS version. You must use the version of RBS that is included with the SQL
Server Remote BLOB Store installation package from the Feature Pack for
Microsoft SQL Server R2.

SharePoint also supports third-party RBS providers.

Additional Reading

Overview of Remote BLOB Storage (SharePoint Server 2010) at
http://go.microsoft.com/fwlink/?LinkID=197208&clcid=0x409.

Guidance: Should I Use RBS?


When you determine whether RBS is appropriate for a particular content database,
you should balance considerations of storage, performance, and manageability.
You should evaluate the following three questions:

What kind of content is being accessed? RBS is likely to be beneficial for
large content databases, for example, content databases greater than 500
gigabytes (GB) in size. RBS is also likely to be beneficial when BLOBs average
greater than 256 kilobytes (KB), such as digital media. Smaller BLOBs, such as
those greater than 80 KB, may benefit from RBS if monitoring suggests that the
database server is a bottleneck.

How is content being accessed? RBS is well suited for BLOBs that are less
frequently or infrequently accessed, such as document archives. Frequent
access to many small files in a library can lead to increased latency if RBS is in
place.

What are the characteristics of the RBS provider? You should familiarize
yourself with both the performance and management features of an RBS
provider. For example, the FILESTREAM provider is a simple provider that
effectively moves BLOB storage out of the database to a local folder on the
computer running SQL Server; however, it is not a high-performance provider.
Therefore, it is well suited for infrequently accessed content, such as archives,
but would not be well suited for use in a high-activity environment.

Additional Reading

FILESTREAM Storage in SQL Server 2008 at
http://go.microsoft.com/fwlink/?LinkID=197209&clcid=0x409.

Configure RBS for SharePoint 2010

Configuring RBS for SharePoint 2010 is a multistep process. In this topic, each step
is detailed. To perform these procedures, you must log in with an account with the
following characteristics:

Account must be a member of the Administrators group on the Web servers
and application servers.

Account must be a member of the Farm Administrators group for the
SharePoint Server 2010 farm.

Account must log in with the Dbcreator and Securityadmin fixed server roles
on the computer running SQL Server.

Enable FILESTREAM
First, you must enable FILESTREAM by using SQL Server Configuration Manager.

Enable FILESTREAM
1. Start SQL Server Configuration Manager.
2. Click SQL Server Services.
3. Right-click SQL Server (MSSQLServer), and then click Properties.
4. Click the FILESTREAM tab.
5. Select the Enable FILESTREAM for Transact-SQL access check box.
6. Select the Enable FILESTREAM for file I/O streaming access check box.
7. Select the Allow remote clients to have streaming access to FILESTREAM
   data check box.
8. Click OK.

Configure FILESTREAM Access Level to Full


Next, configure the access level for FILESTREAM to full by using SQL Server
Management Studio.

Configure FILESTREAM Access Level


1. Start SQL Server Management Studio.
2. In Object Explorer, right-click the SQL Server, and then click Properties.
3. In the Select a page section, click Advanced.
4. Click Filestream Access Level, click the drop-down arrow, click Full access
   enabled, and then click OK.
   A message appears indicating that you must restart SQL Server.
5. In Object Explorer, right-click the computer running SQL Server, and then
   click Restart.
   A confirmation dialog appears.
6. Click Yes.

Alternately, you can execute the following query to set the FILESTREAM access
level:
EXEC sp_configure filestream_access_level, 2
RECONFIGURE

Additional Reading

How to: Enable FILESTREAM at
http://go.microsoft.com/fwlink/?LinkID=166110&clcid=0x409.

Provision a BLOB Store


The next step is to provision the BLOB store that, in this case, is a folder on a local
storage volume, for example, C:\Blobstore.

IMPORTANT: Do not create the folder by using Windows Explorer. Use the
following procedure, and SQL Server will create the folder automatically.

1. Start SQL Server Management Studio.
2. Select the content database for which you want to provision a BLOB store, and
   then click the New Query button on the toolbar.
   The Query Editor opens a new query in the details pane.
3. To set the database master key, type the following query into the Query Editor:

   use [ContentDBName]
   if not exists (select * from sys.symmetric_keys where name = N'##MS_DatabaseMasterKey##')
   create master key encryption by password = N'EncryptionKeyPassword'

   Where:

   ContentDBName is the name of the content database for which Remote
   BLOB Store will be provisioned.

   EncryptionKeyPassword is a password used to generate an encryption key.
   It should be a unique, complex passphrase.

4. Click the Execute button in the toolbar.
5. Click the New Query button on the toolbar.
   The Query Editor opens a new query in the details pane.
6. To enable a new filegroup for your RBS provider, type the following query into
   the Query Editor:

   use [ContentDBName]
   if not exists (select groupname from sysfilegroups where groupname=N'RBSFilestreamProvider')
   alter database [ContentDBName] add filegroup RBSFilestreamProvider contains filestream

   Where:

   ContentDBName is the name of the content database for which Remote
   BLOB Store will be provisioned.

7. Click the Execute button in the toolbar.
8. Click the New Query button on the toolbar.
   The Query Editor opens a new query in the details pane.
9. To add a file system mapping for your RBS provider, type the following query
   into the Query Editor:

   use [ContentDBName]
   alter database [ContentDBName] add file (name = RBSFilestreamFile,
   filename = 'BlobStorePath') to filegroup RBSFilestreamProvider

   Where:

   ContentDBName is the name of the content database for which Remote
   BLOB Store will be provisioned.

   BlobStorePath is the path to the BLOB store folder you want to create, for
   example, D:\Blobstore. For best performance, simplified troubleshooting,
   and as a general best practice, you should create the BLOB store on a
   volume that does not contain the operating system, paging files, database
   data, log files, or the Tempdb file.

10. Click the Execute button on the toolbar.


Repeat the procedure for each content database for which RBS should be
provisioned.

Install RBS on All SharePoint Servers


Next, you must install RBS on all SharePoint servers in the farm. Start with a
front-end server. Then, install RBS on all other servers, including dedicated
application servers.

Install RBS on a Front-End Server


1. Download RBS.msi from http://go.microsoft.com/fwlink/?LinkID=177388.
You must install the version of RBS that is included in the SQL Server Remote
BLOB Store installation package from the Feature Pack for SQL Server 2008
R2. The version of RBS must be 10.50.xxx. No earlier version of RBS is
supported for SharePoint Server 2010.

2. Use the following command to install RBS. Do not simply double-click the
package.
msiexec /qn /lvx* <InstallLogFile> /i RBS.msi TRUSTSERVERCERTIFICATE=true FILEGROUP=PRIMARY DBNAME="<ContentDbName>" DBINSTANCE="<DBInstanceName>" FILESTREAMFILEGROUP=RBSFilestreamProvider FILESTREAMSTORENAME=FilestreamProvider_1

Where:

InstallLogFile is the name and optional path of a log file that will be
generated by the installation, for example, rbs_install_log.txt.

ContentDBName is the name of the content database for which Remote BLOB Store
has been provisioned.

DBInstanceName is the server and instance name of SQL Server.

Installation takes a few minutes. You can monitor installation by using Task
Manager. You can also monitor the log file for the text Installation completed
successfully. For example, use the following command:
type rbs_install_log.txt | find "successfully" /i

Install RBS on Other Servers in the Farm


After installing RBS on the first SharePoint front-end server, continue with all
other servers in the farm. Use the following command to install RBS on the
additional servers:
msiexec /qn /lvx* <InstallLogFile> /i RBS.msi DBNAME="<ContentDbName>" DBINSTANCE="<DBInstanceName>" ADDLOCAL="Client,Docs,Maintainer,ServerScript,FilestreamClient,FilestreamServer"

Where:

ContentDBName is the name of the content database for which Remote BLOB
Store has been provisioned.

DBInstanceName is the server and instance name of SQL Server.

Confirm RBS Installation


You can confirm the installation of RBS by examining the content database for
tables that begin with mssqlrbs. You can use the following query to determine
whether the tables exist:
USE [ContentDBName]
SELECT * from dbo.sysobjects
WHERE name like 'mssqlrbs%'

Enable RBS Using Windows PowerShell


You must enable RBS on one Web server in the SharePoint farm. It does not matter
which Web server you choose for this activity, as long as RBS was installed on it by
using the previous procedure.
In SharePoint 2010 Management Shell, type the following commands:
$cdb = Get-SPContentDatabase "<ContentDBName>"
$rbss = $cdb.RemoteBlobStorageSettings
$rbss.Installed()
$rbss.Enable()
$rbss.SetActiveProviderName($rbss.GetProviderNames()[0])
$rbss

Where:

ContentDBName is the name of the content database for which Remote BLOB
Store has been provisioned.

Configure BLOB Size Threshold Using Windows PowerShell


You can configure the BLOB size threshold above which BLOBs are stored in the
RBS provider. If a BLOB is below the threshold, it is stored in the SQL Server
database.
In SharePoint 2010 Management Shell, type the following commands:
$cdb = Get-SPContentDatabase "<ContentDBName>"
$rbss = $cdb.RemoteBlobStorageSettings
$rbss.MinimumBlobStorageSize = 1048576
$cdb.update()

Where:

ContentDBName is the name of the content database for which Remote BLOB
Store has been provisioned.
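
To check the result of the enable and threshold procedures above across the whole farm, the following added example (not part of the original courseware) reports the RBS state of every content database. It assumes SharePoint 2010 Management Shell and an account with shell admin rights on each database; the function name Get-RbsStatus and the Finding column are hypothetical.

```powershell
# Added example (not from the courseware): report RBS state per content database.
# Run in SharePoint 2010 Management Shell; written to work on Windows PowerShell 2.0.

function Get-RbsStatus {
    param(
        # Content database objects, as returned by Get-SPContentDatabase.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $ContentDatabase
    )
    process {
        $rbss = $ContentDatabase.RemoteBlobStorageSettings
        $installed = $rbss.Installed()

        # Only ask for providers when RBS is installed in the database.
        $providers = @()
        if ($installed) { $providers = @($rbss.GetProviderNames()) }

        # Reduce the settings to one finding per database.
        if (-not $installed) {
            $finding = 'RBS is not installed in this database'
        } elseif (-not $rbss.Enabled) {
            $finding = 'RBS is installed but not enabled'
        } elseif (-not $rbss.ActiveProviderName) {
            $finding = 'RBS is enabled but no active provider is set'
        } elseif ($rbss.MinimumBlobStorageSize -le 0) {
            $finding = 'No size threshold: BLOBs of any size go to the provider'
        } else {
            $finding = 'BLOBs above the threshold are stored outside the database'
        }

        New-Object PSObject -Property @{
            Database       = $ContentDatabase.Name
            Installed      = $installed
            Enabled        = $rbss.Enabled
            ActiveProvider = $rbss.ActiveProviderName
            Providers      = ($providers -join ', ')
            ThresholdBytes = $rbss.MinimumBlobStorageSize
            Finding        = $finding
        } | Select-Object Database, Installed, Enabled, ActiveProvider,
                          Providers, ThresholdBytes, Finding
    }
}

# One record for every content database in the farm.
Get-SPContentDatabase | Get-RbsStatus | Format-List
```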

Additional Reading

Install and configure Remote BLOB Storage (RBS) with the FILESTREAM
provider (SharePoint Server 2010) at
http://go.microsoft.com/fwlink/?LinkID=197210&clcid=0x409.

Set a content database to use Remote Blob Storage (RBS) (SharePoint Server
2010) at http://go.microsoft.com/fwlink/?LinkID=197211&clcid=0x409.

Migrate content into or out of Remote BLOB Storage (RBS) (SharePoint
Server 2010) at http://go.microsoft.com/fwlink/?LinkID=197212&clcid=0x409.

How Remote BLOB Storage Works

BLOB objects stored with the FILESTREAM provider are stored on the file system
with globally unique identifier (GUID)-based names that provide a unique link
from the RBS tables.
BLOB content is not encrypted. Transparent Data Encryption (TDE), which can
encrypt the content of BLOBs in SQL Server, is not applied to the FILESTREAM
provider. However, you can use NTFS Encrypting File System (EFS): Configure the
Blobstore folder to be encrypted after the folder has been created by SQL Server.
NTFS EFS is transparent to components accessing the NTFS file system.
If you are using RBS, it is important that you consider how you will back up and
restore the BLOB store. If you use the SharePoint built-in tools for backup, RBS
BLOB stores are included in the backup. You can even restore such a backup to a
computer running SQL Server without RBS; the BLOBs will be restored into the
database itself.
The SQL Server backup command does not back up BLOBs in RBS. However, the
procedure for properly backing up both a database and the BLOB store is
straightforward. First, back up the database. Then, back up the file store. To
perform a restore, first restore the file store, and then restore the database.
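
Because BLOB content in the FILESTREAM provider is not covered by TDE, the EFS setting on the Blobstore folder is worth verifying after it is configured. The following is an added example, not part of the original courseware: the function name Test-BlobStoreProtection is hypothetical, the default path is the D:\Blobstore example used earlier in this lesson, and the list of broad groups is an assumption that uses English group names.

```powershell
# Added example (not from the courseware): check at-rest protection of an
# RBS FILESTREAM blob store folder. Run elevated on the computer that hosts
# the folder; written to work on Windows PowerShell 2.0.

function Test-BlobStoreProtection {
    param(
        # Example path from the text; replace with your own blob store path.
        [string]$BlobStorePath = 'D:\Blobstore'
    )

    $efsFlag = [System.IO.FileAttributes]::Encrypted
    $root = Get-Item -LiteralPath $BlobStorePath -Force -ErrorAction Stop

    # 1. EFS attribute on the folder itself: files created later inherit it.
    $folderEncrypted = [bool]($root.Attributes -band $efsFlag)

    # 2. Files that do not carry the EFS attribute, for example BLOBs written
    #    before the folder was configured for encryption.
    $clearFiles = @(Get-ChildItem -LiteralPath $BlobStorePath -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and -not ($_.Attributes -band $efsFlag) })

    # 3. NTFS permissions: anyone with access to the folder can reach BLOB
    #    content without going through SharePoint permissions.
    $broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $allowEntries = @((Get-Acl -Path $BlobStorePath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' })
    $broadEntries = @($allowEntries |
        Where-Object { $broadGroups -contains $_.IdentityReference.Value })

    New-Object PSObject -Property @{
        Path             = $root.FullName
        FolderEncrypted  = $folderEncrypted
        UnencryptedFiles = $clearFiles.Count
        BroadAllowCount  = $broadEntries.Count
        AllowEntries     = $allowEntries
    } | Select-Object Path, FolderEncrypted, UnencryptedFiles,
                      BroadAllowCount, AllowEntries
}

$result = Test-BlobStoreProtection -BlobStorePath 'D:\Blobstore'
$result | Format-List Path, FolderEncrypted, UnencryptedFiles, BroadAllowCount
$result.AllowEntries |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

A healthy result shows FolderEncrypted as True, zero unencrypted files, and no Allow entries for broad groups.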

Lab A: Configuring List Throttling and Remote BLOB Storage

Scenario
You have just installed a new SharePoint 2010 server farm at Contoso, Ltd. Your
previous SharePoint 2007 environment included some very large lists that
performed poorly for end users and large document libraries that increased the
size of content databases and therefore the time required to perform backup and
restore operations. Your revised governance policy for SharePoint 2010 requires
that large lists have controls to manage performance and that the size of content
databases be more carefully managed. To support these requirements, you have
been tasked with implementing list throttling and Remote BLOB Storage.

 Log on to the virtual machine for this lab


1. Start 10174A-CONTOSO-DC-D.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.

Exercise 1: Configuring List Throttling


In this exercise, you experience latency problems when performing operations on
very large lists. You apply list throttling to ensure that such operations do not
cause excessive stress on the SharePoint farm.
The main tasks for this exercise are as follows:
1. Create a computer inventory list.
2. Configure least privilege rights to manage SharePoint using Windows PowerShell.
3. Create a large list using Windows PowerShell.
4. Observe the list view threshold.
5. Add items to exceed the list threshold.
6. Experience list throttling.
7. Configure list throttling.

 Task 1: Create a computer inventory list

Log on to SP2010-WFE1 as CONTOSO\SP_Admin using the password Pa$$w0rd.

Open Internet Explorer, and then browse to
http://intranet.contoso.com/sites/IT.

Create a custom list named ComputerInventory. After creating the list, change
its name and description to Computer Inventory (with a space).

Create two single-line text columns named Computer Name and Serial
Number.

 Task 2: Configure least privilege rights to manage SharePoint using Windows PowerShell

Start SharePoint 2010 Management Shell using the Run as different user
option. Enter the user name CONTOSO\Administrator and the password
Pa$$w0rd.

Type the following command, and then press ENTER:
Add-SPShellAdmin -UserName CONTOSO\SP_Admin -Database (Get-SPContentDatabase "WSS_Content_Intranet_IT")

Close the Windows PowerShell window.

 Task 3: Create a large list using Windows PowerShell

In SharePoint 2010 Management Shell, create 4,000 items in the new list by
typing the following commands:
$site = Get-SPSite "http://intranet.contoso.com/sites/IT"
$web = $site.rootweb
$list = $web.Lists["Computer Inventory"]
$i = 1
do {
    #add item
    $newitem = $list.items.Add()
    $newitem["Title"] = "Client-" + $i.ToString().PadLeft(4, "0");
    $newitem["Computer Name"] = "Client-" + $i.ToString().PadLeft(4, "0");
    $newitem["Serial Number"] = $i.ToString().PadLeft(8,"0");
    $newitem.Update()
    $i++
}
while ($i -le 4000)
$web.dispose()
$site.dispose()

You can watch the progress of the script by refreshing the Computer Inventory
list page in the IT Web.

 Task 4: Observe the list view threshold

Open the List Settings of the Computer Inventory list, and then verify that
the List view threshold message indicates that the list contains 4,000 items.

 Task 5: Add items to exceed the list threshold

In SharePoint 2010 Management Shell, create 5,000 additional items in the
Computer Inventory list by typing the following commands:
$site = Get-SPSite "http://intranet.contoso.com/sites/IT"
$web = $site.rootweb
$list = $web.Lists["Computer Inventory"]
$i = 4001
do {
    #add item
    $newitem = $list.items.Add()
    $newitem["Title"] = "Client-" + $i.ToString().PadLeft(4, "0");
    $newitem["Computer Name"] = "Client-" + $i.ToString().PadLeft(4, "0");
    $newitem["Serial Number"] = $i.ToString().PadLeft(8,"0");
    $newitem.Update()
    $i++
}
while ($i -le 9000)
$web.dispose()
$site.dispose()

You can watch the progress of the script by refreshing the Computer Inventory
list page in the IT Web.

 Task 6: Experience list throttling

Switch to Internet Explorer and refresh the view of the Computer Inventory
list.

Open the List Settings of the Computer Inventory list, and then verify that
the List view threshold message indicates that the list contains 9,000 items.

Attempt to delete the list.


An Error page appears that indicates the operation is prohibited because it
exceeds the list view threshold.

Return to the Computer Inventory list, point at the Title column header, and
then click the drop-down arrow that appears.
A message appears: Cannot show the value of the filter. The field may not be
filterable, or the number of items returned exceeds the list view threshold enforced by
the administrator.

 Task 7: Configure list throttling

Open SharePoint 2010 Central Administration. In Central Administration,
change the resource throttling settings for the SharePoint -
intranet.contoso.com80 Web application. Configure the List View Threshold
to 10000.

Switch back to the Computer Inventory list. In the Computer Inventory list,
point at the Title column header, and then click the drop-down arrow that
appears. Verify that the Show Filter Choices command is now available.

In Central Administration, change the resource throttling settings for the
SharePoint - intranet.contoso.com80 Web application. Configure the List
View Threshold to 7000, with a daily time window for large queries from
11pm to 4am.

Open the List Settings of the Computer Inventory list, and then observe the
List view threshold. Verify that the new list threshold of 7,000 items has been
applied.

Results: After this exercise, you should have modified list throttling settings for a
site collection.

Exercise 2: Enabling FILESTREAM and Provisioning the RBS Data Store

In this exercise, you enable FILESTREAM and configure RBS on the computer that
is running SQL Server 2008.
The main tasks for this exercise are as follows:
1. Enable FILESTREAM on the computer running SQL Server.
2. Provision a BLOB store.

 Task 1: Enable FILESTREAM on the computer running SQL Server

Start SQL Server Configuration Manager using the Run as a different user
option. Enter the user name CONTOSO\Administrator and the password
Pa$$w0rd.

Click SQL Server Services, and then open the properties of SQL Server
(MSSQLServer). In the FILESTREAM tab, select all three check boxes, and
then close SQL Server Configuration Manager.

Start SQL Server Management Studio using the Run as a different user
option. Enter the user name CONTOSO\Administrator and the password
Pa$$w0rd.

Open the properties of SP2010-WFE1, and then configure Filestream Access
Level so that full access is enabled. Then, restart SQL Server services.

 Task 2: Provision a BLOB store

In SQL Server Management Studio, select the WSS_Content_Intranet_IT
content database. Set the database master key by executing the following
query:
use [WSS_Content_Intranet_IT]
if not exists (select * from sys.symmetric_keys where name = N'##MS_DatabaseMasterKey##')
create master key encryption by password = N'Master Key Pa$$w0rd'

Add a filegroup for the RBS provider by executing the following query:
if not exists (select groupname from sysfilegroups where groupname = N'RBSFilestreamProvider')
alter database [WSS_Content_Intranet_IT] add filegroup RBSFilestreamProvider contains filestream

Add a file system mapping for the RBS provider by executing the following
query:
alter database [WSS_Content_Intranet_IT] add file (name =
RBSFilestreamFile, filename = 'c:\Blobstore') to filegroup
RBSFilestreamProvider

Results: After this exercise, you should have enabled FILESTREAM and configured
RBS on the computer running SQL Server.

Exercise 3: Installing RBS on All SharePoint Web and Application Servers

In this exercise, you install RBS on all Web and application servers in the
SharePoint farm.
The main tasks for this exercise are as follows:
1. Install RBS on the first Web server.
2. Confirm the installation of RBS.
3. Enable RBS for a content database.
4. Test the RBS provider.

 Task 1: Install RBS on the first Web server

Start Command Prompt using the Run as administrator option. Change to
the D:\Labfiles\Lab04 folder, type the following command, and then wait
one minute for the operation to complete:
msiexec /qn /lvx* rbs_install_log1.txt /i RBS.msi TRUSTSERVERCERTIFICATE=true FILEGROUP=PRIMARY DBNAME="WSS_Content_Intranet_IT" DBINSTANCE="SP2010-WFE1" FILESTREAMFILEGROUP=RBSFilestreamProvider FILESTREAMSTORENAME=FilestreamProvider_1

 Task 2: Confirm the installation of RBS

Open D:\Labfiles\Lab04\rbs_install_Log1.txt, and then confirm that you
see the following line within the last 20 lines of the file:
Product: SQL Server 2008 R2 Remote Blob Store -- Installation completed successfully.

In SQL Server Management Studio, refresh the view of the Object Explorer
tree, and then verify that several tables exist in the WSS_Content_Intranet_IT
database that have names that begin with the letters mssqlrbs.

 Task 3: Enable RBS for a content database

In SharePoint 2010 Management Shell, enable RBS for the
WSS_Content_Intranet_IT database by typing the following commands:
$cdb = Get-SPContentDatabase "WSS_Content_Intranet_IT"
$rbss = $cdb.RemoteBlobStorageSettings
$rbss.Installed()
$rbss.Enable()
$rbss.SetActiveProviderName($rbss.GetProviderNames()[0])
$rbss

 Task 4: Test the RBS provider

Open the C:\Blobstore folder, and then observe the number of items in the
folder.

Open Internet Explorer, and then browse to
http://intranet.contoso.com/sites/IT. Navigate to the Shared Documents
document library, and then upload the file
D:\LabFiles\Lab04\rbs_install_log1.

Switch to Windows Explorer and verify that the file has been added to the
Blobstore folder.

Results: After this exercise, you should have configured RBS on the SharePoint farm
and tested its functionality.

Exercise 4: Configuring the BLOB Size Threshold for RBS


You have discovered that, by default, RBS stores all BLOBs in the Blobstore folder.
After testing in your lab, you determined that optimal performance is achieved on
your infrastructure when BLOBs of less than 1 Megabyte (MB) are stored in the
content database, and BLOBs greater than 1 MB are stored in the file system. In
this exercise, you configure RBS so that only files greater than 1 MB are stored in
the file system.
The main tasks for this exercise are as follows:
1. Configure the minimum blob storage size.
2. Validate the behavior of minimum blob storage size.

 Task 1: Configure the minimum BLOB storage size

In SharePoint 2010 Management Shell, configure the
MinimumBlobStorageSize property to 1 MB by typing the following
commands:
$cdb = Get-SPContentDatabase "WSS_Content_Intranet_IT"
$rbss = $cdb.RemoteBlobStorageSettings
$rbss.MinimumBlobStorageSize = 1048576
$cdb.update()

 Task 2: Validate the behavior of minimum BLOB storage size

Switch to Internet Explorer, and then upload the
D:\LabFiles\Lab04\SharePoint_2010_Walkthrough_Guide.pdf to the IT
document library.

Upload the D:\LabFiles\Lab04\SharePoint_2010_Datasheet.pdf to the IT
document library.

Switch to Windows Explorer, open the C:\Blobstore folder, and, by
examining file sizes and timestamps, verify that
SharePoint_2010_Walkthrough_Guide.pdf was moved to Blobstore
whereas SharePoint_2010_Datasheet.pdf was not moved to Blobstore.

Results: After this exercise, you should have modified the RBS configuration to store
files larger than 1 MB in the file system.

 Do not shut down the virtual machines

Leave the virtual machines running. You use them for Lab B.

Lesson 2

Managing Site Content Types and Site Columns

In lists and libraries, users create content. SharePoint Server 2010 offers impressive
content management functionality, which begins with the ability to describe
content with metadata using columns and to define content types. In this lesson,
you learn how to manage site content types and site columns. Although power
users can perform these tasks in certain environments, IT professionals must know
how to support these tasks.
Furthermore, you must have a solid understanding of columns and content types
at the site level before you can take advantage of the managed metadata service, the
topic of the next lesson.
After completing this lesson, you will be able to:

Describe the purpose of content types and site columns.

Configure content types.

Configure templates for document libraries.

Configure site columns.

Content Types

Content types are definitions of types of content that can be stored in lists and
libraries. They are, in effect, a schema for the types of objects that can exist in a site.
Content types are an important component of your information architecture (IA),
which typically refers to both the content type hierarchy and taxonomy.
The site's content type gallery lists available content types and exposes content
type management functionality.
To open the site content type gallery, complete the following steps:
1. Click Site Actions, and then click Site Settings.
2. In the Galleries section, click Site Content Types.

Content types are scoped to the site in which they are created and all subsites. You
can create content types in any site. However, it is a best practice, when possible, to
create content types in the top-level site of a site collection so that the content types
are available to all sites in the site collection.

To deploy content types across multiple site collections, you can use Visual Studio
to define and package the content type as a solutions package (.wsp file). This is
possible in both SharePoint 2007 and SharePoint 2010.
SharePoint 2010 introduces the managed metadata service application, which
publishes content types and columns from one site collection across site
collections, Web applications, and farms. You learn more about the managed
metadata service application in the next lesson.
There are two basic steps to make use of content types in a Web site:
1. Create a site content type.
2. Use a content type in a list or library.

These two steps are covered in detail in the next two topics.

Create a Site Content Type

To work with content types in a site, you first create the content type, and then
associate it with a list or library.
1. Click Site Actions, click Site Settings, and then click Site Content Types.

2. Click Create.

3. Configure the following:

Name. The content type name.

Description. A description of the content type.

Parent content type. A content type is derived from (is the child of)
another content type. For example, when you create a custom document
content type, you typically want to make it a child of the built-in
Document content type. A content type inherits its properties from its
parent content type.
Content types are grouped for organizational purposes. The Document
content type is in the Document Content Types group.

Group. When you create a content type, you can put it in a content type
group to make it easier to locate the content type. The group has no
technical impact whatsoever (it is purely organizational), but it is
recommended to keep custom content types that you create separate from
content types that are built-in or that are created by third-party tools.

Document template. If you create a document content type, you can
associate a template with the content type. On the Site Content Type
Information page for the content type, click Advanced Settings. Use the
Upload option to upload the appropriate template. The template can be
any file format.

Using Content Types in a List or Library

By default, a list contains one type of item, and a library contains one content type:
Document. To use content types in a list or library, you must first enable the
management of content types in the list or library.

Enable the Management of Content Types in a List or Library


1. On the list or library Settings page, in the General Settings section, click
Advanced settings.
2. In the Content Types section, click Yes, and then click OK.

Then, you can add content types to the list or library.

Add Content Types to a List or Library

1. On the list or library Settings page, in the Content Types section, click Add
from existing site content types.
2. Select the content type, click Add, and then click OK.

If you have more than one content type in a list or library, you can change the
order in which the content types appear on the New menu of the ribbon. Click
Change New Button Order And Default Content Type.
The content type that is listed first is the default content type used if a user clicks
the New button. Other content types appear if a user clicks the New button's
drop-down arrow.
If you are using custom content types and no longer require the default Document
or item content type, you can delete it. In the Content Types list, click Document.
Click Delete This Content Type, and then click OK when prompted to confirm.

Create a Document from a Template


When you click the New button on the ribbon of the list or library, or you click its
drop-down menu, you create a new document based on the template specified by
the content type.
When you save the document to the content library, you do not overwrite the
template. In the case of Microsoft Office documents, the Office client application
remembers the library from which the document was created so that when you
save the document, the library is the default location automatically.

Content Type Properties

Content types expose many properties, in addition to the document template
property for document content types. Content types define the following:

Workflows. You can associate workflows with content types.

Document Information Panel (DIP). The DIP is a form that appears above
the document in some Microsoft Office client applications, such as Microsoft
Office Word. The DIP displays the properties of the document, giving users a
way to read and modify properties in the client application instead of or in
addition to using the SharePoint Web user interface. The DIP can be
customized by using InfoPath to include business logic, access to other data
sources, and rich interaction.

Information management policy settings. You can configure document and
record policies including retention, auditing, bar codes, and labels.

Columns. You can define columns, also called attributes, properties, or
metadata, for a content type. For example, a content type for contracts might
be given a date column that specifies the expiration date of the contract.

Content types are an important component of your enterprise information
architecture (IA). IA, which also includes taxonomy (the subject of the next
lesson), defines how users identify, locate, and search for content. You can
implement IA by classifying content based on content types, for example, being
able to identify contracts versus proposals, and then to be able to bubble up
properties such as contract expiration dates.

Columns

As you discovered in the previous topic, columns are used to define pieces of
information that can be associated with a document or list item. Synonyms for
columns include fields, attributes, properties, and metadata.
Columns describe content and can thus be used to organize and manage content
in views, reports, and alerts. Columns can also be used as search attributes,
allowing users to locate content more efficiently.
A column is scoped to the site in which it is created and to all subsites. As with
content types, it is recommended that you create site columns at the top-level
site of a site collection whenever possible so that they are available to all sites
in the site collection.
To deploy a column across multiple site collections, you can use Visual Studio to
define and package the column as a solutions package (.wsp file). This is possible
in both SharePoint 2007 and SharePoint 2010.

SharePoint 2010 introduces the managed metadata service application, which
publishes content types and columns from one site collection across site
collections, Web apps, and farms. You learn more about the managed metadata
service application in the next lesson.

Site Columns

There are two basic steps to make use of site columns in a Web site:
1. Create a site column.
2. Use a column in a content type, list, or library.

Create a Site Column

To create a site column, perform the following steps:
1. Click Site Actions, and then click Site Settings.
2. In the Galleries section, click Site Columns.
3. Click Create.
4. Configure the following:

Name. The column name, which must be unique at the site level.

Description. A description of the column. Once a site column is defined, it
can be incorporated into lists, libraries, and content types. If the column
should be reserved for a specific purpose, or if its role is not
self-explanatory based on the column's name, be certain to provide a thorough
description.

Group. Columns are grouped for organizational purposes. When you
create a column, you can put it in a column group to make it easier to
locate the column. The group has no technical impact whatsoever (it is
purely organizational), but it is recommended that you keep custom
columns that you create separate from columns that are built-in or that are
created by third-party tools.

Add Site Columns to a Content Type


To add a site column to a content type, perform the following steps:
1. Click Site Actions, click Site Settings, and then click Site Content Types.
2. Click the content type you want to modify.
3. Click Add from existing site columns.

Add Site Columns to a List or Library

To add a site column to a list or library, perform the following steps:
1. Click Site Actions, click Site Settings, and then click Site Content Types.
2. Click the content type you want to modify.
3. Click Add from site columns.

Content Type and Column Inheritance

Content types are a hierarchy, beginning with a limited number of top-level
content types such as item. When you create a site content type, you must specify
the parent. When you add the site content type to a list or library, you are actually
creating a child content type, called a list content type: a content type scoped only
to the list.
A child content type has the same properties as its parent, initially, but because it is
an independent object, you can modify and thus override the properties that it
obtained from its parent.
The same applies to columns. When you add a site column to a list or library, you
create a list or library column that is a child of the site column, and it inherits its
initial property set from the parent. You can then modify properties of the list or
library column.
When you update a content type or column at the site level, you have the option to
propagate updates to child content types or columns. The change you have made
is then copied to child objects, overwriting whatever was the previous state of the
object. This is done on a property by property basis, so only properties that you
change at the site level are propagated to child objects.

Lesson 3

Configuring the Managed Metadata Service

In the previous lessons, you learned how to define metadata and content types at
the list and site levels. In this lesson, you learn how to configure an important new
service application in SharePoint Server 2010, the managed metadata service,
which makes terms and content types available across site collections, Web
applications, and even farms.
After completing this lesson, you will be able to:

Describe the roles of the managed metadata service.

Configure taxonomy.

Configure managed content types.

Managed Metadata Service

The managed metadata service is an important new feature of SharePoint Server
2010. It plays a critical role in enterprise content management because it supports
the two primary components of information architecture: enterprise metadata
management (taxonomy), and content type syndication.
In this lesson, you learn how to use the managed metadata service to manage
enterprise taxonomy, and then you learn how to syndicate content types.

Understanding Managed Metadata Service Terminology


Managed metadata is a hierarchical collection of centrally managed terms that you
can define and then use as attributes for items in SharePoint Server 2010.
A term is a word or a phrase that can be associated with an item in SharePoint
Server 2010. A term set is a collection of related terms. You can specify that a
SharePoint Server column must contain a term from a specific term set.
Managed metadata is a way of referring to the fact that terms and term sets can be
created and managed independently from the columns themselves.

Managed terms, which are usually predefined, can be created only by users with the
appropriate permissions and are often organized into a hierarchy.
Enterprise keywords are words or phrases that have been added to SharePoint
Server 2010 items. All enterprise keywords are part of a single, nonhierarchical
term set called the keyword set.
Local term sets are created in the context of a site collection. For example, if you
add a column to a list in a document library and create a new term set to bind the
column to, the new term set is local to the site collection that contains the
document library.
Global term sets are created outside the context of a site collection. For example, the
term store administrator could create a term set group called Human Resources and
designate a person to manage the term set group. The group manager would create
term sets that relate to human resources, such as job titles and pay grades in the
Human Resources term set group.

Create and Use Terms: The Big Picture

First, take a look at managing and using terms, from beginning to end, at a very
high level. This topic focuses on the main tasks involved with creating and using
terms.

Term Store Management Tool


A managed metadata service application maintains a database that contains the
term store for the service application. The Term Store Management Tool is the
administrative interface with which you manage terms in the term store.

Open the Term Store Management Tool


1. On the Central Administration site, in the Application Management section,
   click Manage service applications.

2. Click the Managed Metadata Service link.
   You can click the link of either the service application or the service
   application connection. Both open the same Term Store Management Tool.
   The Term Store Management Tool opens.

3. Confirm that the tool is focused on the metadata application that you want to
   administer. In the Available Service Applications list, select the correct
   metadata application.

An Introduction to the Term Store Hierarchy


The term store contains terms in a hierarchical structure consisting of term set
groups, term sets, and terms. (See the following graphic.) Web applications that
connect to the service application can use any of the terms in the term store.
You learn more about the term store hierarchy as this lesson progresses.

Create Terms in a Term Set


In a term set, you can create terms.

Create a Term
To create a term, complete the following steps:
1. Open the Term Store Management Tool.
2. Expand the term store.
3. Expand the term group and the term set in which you want to create the term.
4. Point at the term set or term beneath which you want to create the term, and
   then click the drop-down arrow that appears.
5. Click Create Term.
6. Type the term, and then press ENTER.

Use Managed Metadata in Content


After a term set has been established, you can begin to use the terms in the term set
as tags for items and documents. To do this, you must add a managed metadata
column to a list, library, or content type.
The managed metadata column type is new to SharePoint Server 2010. When you
create a managed metadata column, you specify a single term set from which the
column's valid values come. Create a new content type or modify an existing
content type, and add the managed metadata column to the content type.

Important: A managed metadata column can be associated with only one term set.

Add a Managed Metadata Column to a Site as a Site Column


1. Open the site in which you want to use managed metadata.
2. Click Site Actions, and then click Site Settings.
3. In the Galleries section, click Site columns.
4. Click Create.
5. In the Column name box, type a name for the column.
6. In the list of column types, click Managed Metadata.
7. In the Group section, select a column group or create a new column group.
8. In the Term Set Settings section, expand the term store, expand the term
   group that contains the term set, and then click the term set.
9. Optionally, configure other settings for the column. For example, you can
   specify that the column allows multiple values. Also, if the term set is an open
   term set, you can configure the column to allow fill-in choices. Click OK.

Add a Managed Metadata Site Column to a Site Content Type


1. Click Site Actions, and then click Site Settings.
2. In the Galleries section, click Site content types.
3. Click the site content type to which you want to add managed metadata.
4. Click Add from existing site columns.
5. In the Select columns from list, select the column group that contains the
   managed metadata column.
6. In the Available columns list, click the managed metadata column, and then
   click Add.
7. Click OK to add the column.
8. Click OK to close the content type.

Pick Terms
After adding a managed metadata column to a list, library, or content type, users
can apply terms from the term set as values for the column.
The new and edit forms of an item or document display the managed metadata
control for a managed metadata column, and the user interacts with this control to
enter the column's value.
With the managed metadata control, the user can either type a value or select a
value by hierarchically navigating the term set that is associated with the column. If
the user begins typing a value, the AJAX-driven control displays all terms in the
associated term set that begin with the characters the user has typed. The name of
the term set and the term's position in the hierarchy are indicated along with the
term itself.
If the column's definition allows multiple values, the user can select more than one
term. If both the term set and the column's definition allow new terms to be added,
the user can also create a new term and insert it at the appropriate place in the
term set's hierarchy.
It is important to note the following about the control:

The control consists of a text box, a browse button, and a term selection page.

You can type a term into the text box.

As you type, the control provides suggestions. If the highlighted suggestion is
appropriate, you can press ENTER. Alternately, you can select any suggestion
by using the arrow keys to select the suggestion and then pressing ENTER or
by clicking the suggestion.

If you type a term that does not exist in the term store, your entry is displayed
in red with a red dashed underline. You cannot save the change until you
correct the entry.

Click the Browse For A Valid Choice button. The term selection page opens.
The term selection page shows all terms in the term set.

To select a term, click the term, click Select, then click OK, as shown in the
following graphic:

If the term set has an email address in the term set's Contact property, the
term selection page displays a Send Feedback link. The link is a simple
<mailto:> link that opens the user's email client with the To: address
prepopulated with the term set contact's email address.

If the term set is an open term set, the Add New Item link appears. Click the
link, and a new, blank term appears. Type the label for the term, and then
press ENTER.

Here is a review of some important points about terms:

Terms are stored in a term set in a term group.

A managed metadata service application can contain multiple term sets.

Typically, terms are tightly managed. Most term sets are usually closed,
meaning that only term set managers and contributors can add, modify, or
delete terms in the term set.

A managed metadata column can expose terms from only one term set.

Keywords
Often, enterprises want to allow folksonomy: the development of terms and
metadata that is driven by users adding tags to content and people. Terms in a
folksonomy are typically unmanaged: users can tag content or people with
whichever words and phrases they want to apply.
Folksonomy in SharePoint Server 2010 is supported by keywords. Keywords are
terms that are stored in a single, nonhierarchical term set called the keyword set.
When content is tagged and a term does not exist, it is added to the keyword set.
There is very little difference, really, between keywords and terms. Both are terms
that can be used to tag content. Both are stored in the term store. The primary
differences are the following:

Terms are highly managed. They have numerous properties, about which you
learn later in this lesson. Terms are structured in term sets and term groups
and can be reused across term sets and term groups.

Term sets are typically closed. The keyword set is typically open: users can
add keywords to the keyword set when they tag content with words or phrases
that do not already exist in the keyword set.

Add an Enterprise Keywords Column to a Site Content Type


1. Click Site Actions, and then click Site Settings.
2. In the Galleries section, click Site content types.
3. Click the site content type to which you want to add managed metadata.
4. Click Add from existing site columns.
5. In the Select columns from list, select the column group that contains the
   managed metadata column.
6. Click Enterprise Keywords, and then click Add.
7. Click OK to add the column.
8. Click OK to close the content type.

Tag Content Using Keywords


After adding an enterprise keywords column to a list, library, or content type, users
with permission to modify the content type can apply terms from the keyword set
to content.

The EditForm.aspx page of an item or document displays the managed keyword
control for enterprise keyword columns.
It is important to note the following about the control:

The control consists of a text box, a browse button, and a term selection page.

As you type, the control provides suggestions. If the highlighted suggestion is
appropriate, you can press ENTER. Alternately, you can select any suggestion
by using the arrow keys to select the suggestion and then pressing ENTER or
by clicking the suggestion.

You can type a word or phrase that does not already exist as a keyword, and it
will be added to the keyword set. This is the default behavior of the enterprise
keywords column; however, SharePoint can be configured to prevent adding
new keywords to the keyword set.

Create a Keyword
Keywords are often created by users when they tag content with a word or phrase
that is not already in the keyword set. However, if you want to add a keyword
directly to the keyword set, you can do so by following this procedure:
1. Open the Term Store Management Tool.
2. Expand System, and then expand Keywords.
3. Point at the Keywords, and then click the drop-down arrow that appears.
4. Click New Keyword.
5. Type the term, and then press ENTER.

Manage Terms

Now that you understand the end result (how terms are incorporated into items
and documents), you can learn how to administer managed metadata, from the
bottom up, starting at the terms themselves.

Term Properties
Terms are more than simply words or phrases. They are objects with a variety of
properties.

Modify a Term
To modify the properties of a term, follow this procedure:
1. Open Term Store Management Tool.
2. Select the term.
3. Modify one or more properties of the term.
4. Click Save.

The term properties that you can modify include the following:

Sort order. By default, terms are sorted alphabetically in the parent term set or
term. However, you can manually specify the sort order by completing the
following steps:
1. Click the Custom Sort tab.
2. Click Use custom sort order.
3. Modify the sort order.

Available for tagging. By default, terms are available to be used for tagging.
Why would you create a term and then not make it available? Terms
themselves are hierarchical in a term set. That is, a term can have one or more
terms as child objects. For example, you might have terms for teams or
departments in the IT group. If you have a term hierarchy in a term set, you
might want nodes that have child terms to be unavailable for tagging.

Language. If you have a language pack installed, and the term store has the
language specified as a working language, you can select each language and
modify the Default Label and Other Labels.

Description. Use a description to help users understand when to use the term
and to disambiguate among similar terms.

Default label. This is the default label for the term for the selected language.
The default label is what is referred to as the term. However, as you are
learning, the term is more than just the label. In fact, behind the scenes,
everything is managed with unique identifiers.

Other labels. These are synonyms and abbreviations for the term for the
selected language. When other labels are configured for a term, users can enter
any of the synonyms or abbreviations in a managed metadata control, and
their entry will be changed into the default label for the term. The other labels
even appear as suggestions when a user begins to type in a managed metadata
control.

Member of. A term can be reused in multiple locations. The Member Of list is
a list of locations in which the term exists.

Source. When a term exists in more than one location, the term's properties
can be edited in only one: its source. The permissions that apply to the source
location affect who can modify the term's properties.

Term Tasks
Use the drop-down menus in the term store hierarchy of the Term Store
Management Tool to perform actions. You can perform the following actions
related to terms in a term store:

Create term. Create a new term in a selected term set or as a child of a selected
term.

Copy term. Create a new term that is a copy of an existing term. The source
term's properties are copied to the new term, and then the new term is a
unique object with no relationship or linkage to its original source.

Move term. Move a term to another location in the term hierarchy.

Delete term. Remove a term from the term store.

Deprecate term. Disable the term so that it no longer can be used as a valid
term but stays part of the system.

Merge term. To merge terms, select a source term, click Merge Term, and then
select a target term. The result is that the source term and its synonyms are
added as synonyms of the target term.

Reuse term. A term can be placed in more than one location in the taxonomic
hierarchy. To use a term in a new location (in a term set or as a child of
another term), select the target location, click Reuse Term, and then select the
source term. The source term is added as a kind of link to the selected target
location. Changes to a term's properties affect every instance of the term. The
term's Source property defines the location in the hierarchy in which the term
can be modified, and the permissions on that location determine which users
can modify the term. The term's source can be changed to any of its locations
by a user who currently has permission to modify the term.

Enterprise Keywords
As you learned in a previous topic, keywords are stored in a flat, nonhierarchical
keyword set. Keywords have only one property: Available For Tagging. You can
perform only three actions. The first two are New Keyword and Delete Keyword,
which are self-explanatory.
The third action is Move Keyword. With this option, you can move a keyword into
a term set, where it becomes a managed term and acquires all of the additional
properties associated with terms. This process is how an organization can
organically grow a folksonomy and migrate resulting terms into a taxonomy.

Manage Term Sets

A term set is a collection of related terms.

Term Set Properties


A term set has a Term Set Name and Description. It also has an Available For
Tagging property. A term set also has the following properties:

Contact. An email address for a contact for the term set. If an email address is
entered in the Contact property, the managed metadata control displays a
Submit Feedback link in the term picker. A user who wants to submit feedback
or request a change to the term set can click the link and an email message is
started with the To address populated by the value of the term set contact.

Submission Policy. The submission policy determines whether users can add
terms to the term set from the managed metadata control. If a submission
policy is open, the managed metadata control displays an Add New Item link.
So, if a user wants to tag content with a term that is not already in the term set
for a managed metadata column, the user can add a new term on the fly. This
allows for folksonomy in the context of a managed term set. The newly added
term is available to other managed metadata columns that reference the same
term set.

Note: For a user to add a new item to a term set, the term set must have an open
submission policy, the managed metadata column must allow fill-in choices, and the
user must have permission to change an item or document that contains the
managed metadata column.

Owner, Stakeholders. These two properties, as well as Contact, are
informational only. They are used to document individuals or groups who are
associated with the term set. These two properties do not assign any
permissions to the term set whatsoever.
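
The term behaviour described in this lesson (other labels resolving to the default label, Merge Term, and the three conditions in the note above for adding a term on the fly) can be modelled in a few lines. This is an added illustration, not SharePoint code: the class and function names, the case-insensitive matching, and the sample terms are assumptions made for the model.

```python
import uuid
from dataclasses import dataclass, field


@dataclass
class Term:
    default_label: str
    other_labels: set = field(default_factory=set)   # synonyms and abbreviations
    available_for_tagging: bool = True
    deprecated: bool = False
    # Behind the scenes a term is tracked by a unique identifier, not by its label.
    term_id: str = field(default_factory=lambda: str(uuid.uuid4()))

    def matches(self, text):
        wanted = text.strip().lower()   # assumption of this model: case-insensitive
        labels = self.other_labels | {self.default_label}
        return wanted in {label.lower() for label in labels}


@dataclass
class TermSet:
    name: str
    open_submission: bool = False       # Submission Policy; most term sets are closed
    terms: list = field(default_factory=list)

    def find(self, text):
        return next((t for t in self.terms if t.matches(text)), None)

    def merge(self, source, target):
        """Merge Term: the source label and its synonyms become synonyms of target."""
        target.other_labels |= source.other_labels | {source.default_label}
        self.terms.remove(source)


def tag(term_set, text, column_allows_fill_in, user_can_edit_item):
    """Return the Term stored when `text` is entered in a column bound to term_set."""
    if not user_can_edit_item:
        raise PermissionError("user cannot change the item that holds the column")
    term = term_set.find(text)
    if term is not None:
        if term.deprecated or not term.available_for_tagging:
            raise ValueError(f"{term.default_label!r} is not a valid choice")
        return term                     # a synonym resolves to the existing term
    # A new term needs BOTH an open submission policy and a fill-in column.
    if term_set.open_submission and column_allows_fill_in:
        new_term = Term(text.strip())
        term_set.terms.append(new_term)
        return new_term
    raise ValueError(f"{text!r} is not in term set {term_set.name!r}")


def build_sample():
    """Constructed sample data, not taken from a real term store."""
    hr = Term("Human Resources", {"HR"})
    personnel = Term("Personnel", {"Staffing"})
    it = Term("Information Technology", {"IT"}, available_for_tagging=False)
    return TermSet("Departments", terms=[hr, personnel, it]), hr, personnel
```

In the model, a closed term set acts as an allowlist: any value that does not resolve to an existing, usable term is rejected rather than stored.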

Term Set Tasks


From a design perspective, the most important point to remember is that a term
set is used as the source of terms for a managed metadata column. A managed
metadata column can use only one term set, and all terms that are available for
tagging in that term set can be applied as values to the column.
Therefore, any time you need a column with managed metadata, you should check
to see whether a term set already exists that meets your needs exactly (has the
appropriate labels and properties) and, if not, create a new term set. Remember
that terms can be reused in more than one term set.

Create a Term Set


1. In Term Store Management Tool, point at the term group in which you want
   to create a term set, click the drop-down menu of the term group, and then
   click New Term Set.
2. Type a name for the term set, and then press ENTER.
3. Using the term set's drop-down menu, you can perform the following actions:

Delete Term Set. This option deletes the term set and its terms.

Move Term Set. This option moves a term set to another term group.

Copy Term Set. This option creates a new term set with the same
properties as the source term set. All terms in the source term set are
added, as reused terms, to the new term set. This allows you to create
variations on a term set for scenarios in which a managed metadata
column needs to contain a superset, subset, or other variation of terms
that are already in use in another term set.

Manage Term Groups

A term group is a collection of one or more term sets. A term group has a Group
Name and a Description. Most important, the term group defines two roles:

Contributors. Contributors have full permission to edit terms and term set
hierarchies in the term group.

Group Managers. Group Managers have Contributor permissions plus the
ability to import term sets. Group Managers can also add users to the
Contributors role.

You can create a term group from the term store.

Create a Term Group


To create a term group, complete the following steps:
1. Point at the term store, click the drop-down menu, and then click New Term
   Group.
2. Type a name for the term group, and then press ENTER.

The following options appear on the term group's drop-down menu:

New Term Set. You can use this option to create a new term set in the term
group.

Delete Term Group. You can use this option to delete the term group.

Import Term Set. You can use this option to import a term set using a
comma-separated values (.csv) file. You can find a sample import file in the root of the
term store. In Term Store Management, click the term store, and then click
View A Sample Import File.

Additional Reading

Managed metadata input file format (SharePoint Server 2010) at
http://go.microsoft.com/fwlink/?LinkID=197214&clcid=0x409.

Manage the Term Store

Each managed metadata service application has one term store. Metadata service
applications cannot share term stores.
The term store properties define the following:

Term Store Administrators. Term Store Administrators have full control over
the term store. Term Store Administrators can perform all actions of Group
Managers, can create and delete term groups, and can assign users to the
Group Managers role. Term store administrators can also modify the default
and working languages of a term set.

Default Language. Each term store must have a default language specified,
and every term must have a label defined in the default language.

Working Languages. After you have installed a language pack, you can add
installed languages as a working language for a term set. Then, you can select a
term and specify the default label and other labels for each working language.
Unlike the default language, you are not required to have a label for every term
in a working language.

Terms are not added to a term store by default when you add a language pack.
There is no automatic translation service. You must manually configure the
labels for terms in each language that you want a term set to expose.
When a term has labels in multiple languages, the language of the site
determines which labels are visible. For example, if the Department term set
has terms defined in both French and English, an English-language team site
allows users to use English terms from the term set in a managed metadata
column, and a French team site allows users to use French terms from the
term set.
To create a term store, you must create a managed metadata service application.
The steps for this procedure are listed later in this lesson. To delete a term store,
you must delete the managed metadata service application.

Assign Term Set Administrators


A farm administrator must assign term set administrators. In fact, when you create
a new managed metadata service application, even though you created the
application, you are not a term set administrator; you must give yourself
permission.
1. Open the Term Store Management Tool.
2. In the Term Store Administrators box, type the names of term set
   administrators separated by semicolons.
3. Click Save.

Term Store Design

Term Store Hierarchy


Now you have explored each component in the term store hierarchy shown in the
following graphic.

Here is a review of the characteristics of each component from the perspective of
term store design:

One or more terms are contained in a term set. Terms can also be created as
child objects of other terms.

A term set is a group of related terms and is the scope of a managed metadata
column. When you add a managed metadata column to a content type, list, or
library that will use tags, you specify the term set that is used in the column.
Each managed metadata column can use terms from only one term set, and all
terms in the term set are available.

One or more term sets are contained in a term group.

A term group is a security container that manages who can modify term sets
and terms. You can specify, for a term group, who has permission to modify
the term sets and terms in the term group.

One or more term groups are contained in a term store.

A term store is the database that contains the terms for a managed metadata
service application. The scalability of a managed metadata service application
is related to performance, but the following guidelines should be used:

1,000 term sets per term store

30,000 terms per term set

1 million terms per term store

The keyword set is a flat, nonhierarchical term set that is used to apply terms to
enterprise keyword columns. The managed keyword control displayed by an
enterprise keyword column exposes terms from the keyword set as well as all
other term sets that are available to the Web application.
Term sets can be global or local. A global term set is what you have been
examining thus far: a term set that is maintained using the Term Store
Management Tool and available to all Web applications that connect to the service
application.

A local term set is maintained in the term store, but it is created and managed in a
site collection, rather than in the Term Store Management Tool. The resulting term
set is available to all sites in the site collection but not to other site collections.
Using a local term set has advantages over legacy methods for tagging data (for
example, choice and lookup fields) because the local term set is maintained by the
managed metadata service, so you can define synonyms and manage terms just as
you would a global term set. Users who are site collection administrators have
permissions to create local term sets.

Term Store Design


Because permissions to modify terms are applied at the term group level, and
because SharePoint 2010 supports multitenancy for the managed metadata service
application, most organizations need only one term store.
Most organizations maintain only one managed metadata service application, and
therefore one term store. However, it is possible to deploy more than one metadata
application. For example, the Research and Development department may want to
maintain a separate term store to contain terms related to R&D and to products
under development. Web applications that do not connect to the R&D term store
do not have any visibility into those terms. The R&D department can connect to its
own term store and to the enterprise term store so that its content can be tagged
both with terms that are common to the entire organization and with terms unique
to R&D. A Web application can connect to zero or more managed metadata service
applications.
The key point is that a separate managed metadata application creates a completely
partitioned term store. In other words, separate term stores create security isolation
of data. Farm administrators give Web applications visibility into appropriate term
stores when they connect Web applications to managed metadata service
applications.
An alternative to separate term stores hosted by separate managed metadata
service applications is to implement multitenancy. Multitenancy is beyond the
scope of this course, but in sum it allows a single database to be partitioned
between customers.
Perhaps a more important driver toward multiple term stores is the fact that
separate metadata applications and term stores provide various levels of scalability.
Web applications in the farm and from other farms connect to the term store, so if,
for example, you need a term set to span multiple farms but other term stores are
used only within one farm (and perhaps contain terms that you do not want visible
to enterprise keyword fields in the other farm), you should create a separate
metadata application and term store to publish to both farms.
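
The design points in this lesson (roles are assigned at the term store and term group level, Owner and Stakeholders grant nothing, open submission policies let users add terms, and the stated scalability guidelines) can be checked against a written-down inventory of a term store. The following audit is an added example, not part of the course material or of SharePoint; the dictionary layout, the finding codes, and the account names are hypothetical.

```python
# Planning guidelines quoted in the lesson text.
MAX_TERM_SETS_PER_STORE = 1_000
MAX_TERMS_PER_SET = 30_000
MAX_TERMS_PER_STORE = 1_000_000

# Constructed inventory. The dictionary layout and account names are
# hypothetical; this is not a SharePoint export format.
SAMPLE_STORE = {
    "name": "Enterprise Metadata",
    "administrators": [],
    "groups": [{
        "name": "Human Resources",
        "group_managers": ["CONTOSO\\hr-librarian"],
        "contributors": ["CONTOSO\\hr-editor"],
        "term_sets": [
            {"name": "Job Titles", "open_submission": True, "term_count": 420,
             "owner": "CONTOSO\\hr-director", "stakeholders": ["CONTOSO\\HR-Editor"]},
            {"name": "Pay Grades", "open_submission": False, "term_count": 30_500,
             "owner": "CONTOSO\\hr-librarian", "stakeholders": []},
        ],
    }],
}


def _norm(account):
    return account.strip().lower()


def audit_term_store(store):
    """Return a list of (code, location, detail) findings for one term store."""
    findings = []
    admins = {_norm(a) for a in store["administrators"]}
    if not admins:
        # A farm administrator must assign these; the creator is not one by default.
        findings.append(("NO_TERM_STORE_ADMIN", store["name"],
                         "no Term Store Administrators are assigned"))
    set_count = term_total = 0
    for group in store["groups"]:
        # Only these principals can edit terms and term sets in the group.
        editors = admins | {_norm(a) for a in
                            group["group_managers"] + group["contributors"]}
        for term_set in group["term_sets"]:
            where = f'{group["name"]}/{term_set["name"]}'
            set_count += 1
            term_total += term_set["term_count"]
            if term_set["open_submission"]:
                findings.append(("OPEN_SUBMISSION", where,
                                 "users can add terms from fill-in columns"))
            # Owner and Stakeholders are informational and assign no permissions.
            for person in [term_set["owner"]] + term_set["stakeholders"]:
                if person and _norm(person) not in editors:
                    findings.append(("NO_EDIT_RIGHTS", where,
                                     f"{person} is documented but holds no role"))
            if term_set["term_count"] > MAX_TERMS_PER_SET:
                findings.append(("TERMS_PER_SET_EXCEEDED", where,
                                 f'{term_set["term_count"]} terms'))
    if set_count > MAX_TERM_SETS_PER_STORE:
        findings.append(("TERM_SETS_PER_STORE_EXCEEDED", store["name"],
                         f"{set_count} term sets"))
    if term_total > MAX_TERMS_PER_STORE:
        findings.append(("TERMS_PER_STORE_EXCEEDED", store["name"],
                         f"{term_total} terms"))
    return findings


if __name__ == "__main__":
    for code, where, detail in audit_term_store(SAMPLE_STORE):
        print(f"{code:30} {where:30} {detail}")
```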

Additional Reading

Plan terms and term sets (SharePoint Server 2010) at
http://go.microsoft.com/fwlink/?LinkID=197215&clcid=0x409.

Benefits of the Managed Metadata Service

Terms
You can use the managed metadata service to practice enterprise metadata
management. As discussed in a previous topic, metadata (also known as attributes,
properties, fields, columns, terms, tags, and keywords) is a critical component of
taxonomy and therefore of information architecture.

Terminology About Terms


The term you hear most in relation to the managed metadata service is term. A term
is a word or phrase that can be used as an attribute for content. When people refer
to taxonomy, they are generally referring to structured, centralized, and managed
terms. A closely related concept is folksonomy, which is used to refer to
user-generated tags.
Terms can be managed and controlled in a variety of ways so that an enterprise can
expose a managed taxonomy while allowing user-generated tags (folksonomy). A
taxonomy and folksonomy that are designed and managed to support the
requirements of a business can allow information architecture to grow organically
and change over time.

Applying Terms (Tagging)


Once you have tags, whether structured or user-driven, you must be ready to
support tagging: the task of assigning descriptors (metadata) to content.
SharePoint refers to tagging with several terms, each of which is somewhat
ambiguous and is therefore used differently in different contexts.
Content tagging or social tagging is the addition of terms to content to describe what
it is, what it contains, and what it does. This is in contrast to expertise tagging,
which is the association of terms with a person, to describe what the person does,
what projects the person works on, and what skills the person has.
Tags in SharePoint can be public or private. They can be assigned manually by a
user or automatically.

Using Terms
Tags are everywhere in SharePoint Server 2010. You can tag items, documents,
pages, and sites from the SharePoint Web interface or by using SharePoint-aware
applications such as Microsoft Office 2010.
One of the primary reasons to tag content is to make it easier to locate by browsing
or by searching. SharePoint uses tags to provide metadata-driven navigation and
filtering and to produce a tag cloud control. Tags can be used as search refiners,
and tags can be used by the routing rules of the Content Organizer to route
content to the appropriate location.

Benefits of the Managed Metadata Service


The managed metadata service offers features that are important for creating an
enterprise information architecture:

Managed metadata separates the management of terms themselves from the
columns that use the terms.

You can delegate term management to librarian roles, represented by the term
group's Contributor and Group Manager roles.

You can support multiple languages. After you have installed a language pack,
you can add installed languages as working languages for a term set. Then, you
can select a term and specify the default label and other labels for each
working language. Unlike the default language, you are not required to have a
label for every term in a working language.

Managed terms encourage more consistent use of terminology. Terms are
available across content types, site collections, Web applications, and even
farms. Terms are findable, thanks to the term suggestions and term picker that
are inherent in the managed metadata control. Finally, terms are used more
accurately because they are presented in the context of their term set and can
be found using synonyms and abbreviations.

Terms are dynamic. As soon as a keyword or term is added to the term store, it
is available to all enterprise keyword or managed metadata columns in all Web
applications that connect to the managed metadata service application.
Changes to terms, including new labels, synonyms, and merged terms, cascade
through the system.

Managed metadata can be used to refine search results and provide
metadata-based navigation so that users can locate content more efficiently.

Extensibility
There is no out-of-the-box feature that connects the managed metadata service to
external data sources or term stores.
However, the managed metadata service is extensible. You can expect numerous
solutions to be developed by independent software vendors and by the
community. Tools will be available to migrate enterprise taxonomy from other
sources into the managed metadata service and to integrate the managed metadata
service with other taxonomy management tools.

Additional Reading

• Managed metadata overview (SharePoint Server 2010) at
  http://go.microsoft.com/fwlink/?LinkID=197216&clcid=0x409.

Content Type Syndication

It is common that sites in different site collections require similar content
types. For example, the Legal department at Contoso creates a template for
nondisclosure agreements (NDAs) and a content type for NDAs that uses the
template and declares all new NDAs as records. Each of Contoso's business
units has SharePoint site collections with document libraries in which NDAs are
maintained. The content type can be published, in a manner of speaking, from the
Legal department to all Contoso business units.

Sharing content types across site collections, Web applications, and farms is quite
challenging in SharePoint 2007. The managed metadata service makes it easy in
SharePoint 2010.

Each managed metadata service application has a Content Type Hub property that
specifies the URL of a site collection from which to publish content types. All other
Web applications that connect to the managed metadata service receive copies of
the content type from the content type hub, and updates made at the hub can be
propagated.

You must complete several steps to publish content types. They are described in
the sections that follow.

Configure the Service Application


Each managed metadata service application has a Content Type Hub property that
specifies the URL of a site collection from which to publish content types.

Configure the Content Type Hub of a Managed Metadata Service Application

1. In Central Administration, in the Application Management section, click
   Manage service applications.

2. Click the row of the managed metadata service application.
   Do not click the name of the service application. The name is a link that
   opens the Term Store Management Tool.

3. On the ribbon, click Properties.

4. In the Content Type hub box, type the URL of the site collection from which
   the service application will consume content types.

5. Select the Report syndication import errors from Site Collections using this
   service application check box, and then click OK.
   When a Web application tries to import the content types from its managed
   metadata service applications and encounters an error, the error is always
   logged to that Web application. This option creates a second error associated
   with the content type hub site collection so that import errors from all
   subscriber sites are centralized and can be viewed in one place: the hub.

Configure the Service Application Connection


Whereas the service application controls whether content types are published, and
from which site collection, the application connection controls whether Web
applications using that connection subscribe to the content types that are being
published.

Configure Content Type Subscription for a Managed Metadata Service Application
Connection

1. In Central Administration, in the Application Management section, click
   Manage service applications.

2. Click the row of the managed metadata service application connection.
   Do not click the name of the service application connection. The name is a
   link that opens the Term Store Management Tool.

3. On the ribbon, click Properties.

4. Select the Consumes content types from the Content Type Gallery check
   box.

Publish the Content Type


After a site collection has been designated as a content type hub, content types in
the site collection can be published to the managed metadata service application,
and thereby made available to other Web applications that use that managed
metadata service application.

Publish a Content Type

1. In the content type hub site collection, click Site Actions, and then click
   Site Settings.

2. Click Site content types.

3. Click the content type that you want to publish.

4. Click Manage publishing for this content type.

5. Click Publish, and then click OK.

You can use the same Manage Publishing For This Content Type command to
republish, or update, a content type and to unpublish a content type.

Run the Timer Jobs


Two timer jobs are responsible for content type syndication. The Content Type
Hub job finds new content types in the designated content type hub. The Content
Type Subscriber job (there is one for each Web application in the farm) imports
content types from the content type hub of each managed metadata service
application to which the Web application subscribes.

Manually Run Timer Jobs for Content Type Syndication

If you do not want to wait for content type syndication jobs to run, you can run
them manually by completing the following steps:

1. In Central Administration, click Monitoring.

2. Click Review job definitions.

3. Click Content Type Hub.

4. Click Run Now.

5. Wait a few moments for the job to complete.
   Optionally, you can click Content Type Hub to return to the job definition.
   Refresh the page and monitor the Last run time property. When it updates to
   the current time, the job is complete.

6. Click Content Type Subscriber on the row for the subscriber Web
   application.

7. Click Run Now.

8. Wait a few moments for the job to complete.
   Optionally, you can click Content Type Hub to return to the job definition.
   Refresh the page and monitor the Last run time property. When it updates to
   the current time, the job is complete.
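
The stages above (service application, connection, timer jobs) can also be driven from the SharePoint 2010 Management Shell. The following is an added example, not part of the course material. The service application name, the connection name, both URLs, and the choice to make this connection the default keyword and term set location are assumptions; the content type itself is still published from the hub site as described in Publish a Content Type.

```powershell
# Added example; run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumptions: replace these with the values for your farm.
$serviceAppName = "Managed Metadata Service"               # service application name
$connectionName = "Managed Metadata Service"               # its connection (proxy) name
$hubUrl         = "http://intranet.contoso.com/sites/hub"  # hypothetical hub site collection
$subscriberUrl  = "http://intranet.contoso.com"            # subscriber Web application

# Finds a timer job by the display name shown on the Review job definitions page.
function Get-SyndicationJob {
    param([string] $DisplayName, [string] $WebApplicationUrl)
    $jobs = if ($WebApplicationUrl) { Get-SPTimerJob -WebApplication $WebApplicationUrl }
            else { Get-SPTimerJob }
    $job = $jobs | Where-Object { $_.DisplayName -eq $DisplayName } | Select-Object -First 1
    if (-not $job) { throw "No timer job named '$DisplayName' was found." }
    $job
}

# Starts a job and waits until its Last run time moves forward, which is the same
# completion signal the manual procedure uses.
function Invoke-TimerJobAndWait {
    param(
        [Parameter(Mandatory = $true)] $Job,
        [int] $TimeoutSeconds = 300
    )
    $before = $Job.LastRunTime
    Start-SPTimerJob -Identity $Job
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $current = Get-SPTimerJob -Identity $Job.Id
    } while ($current.LastRunTime -le $before -and (Get-Date) -lt $deadline)
    if ($current.LastRunTime -le $before) {
        throw "Timer job '$($Job.DisplayName)' did not complete within $TimeoutSeconds seconds."
    }
    $current
}

# 1. Service application: designate the hub and report import errors at the hub.
Set-SPMetadataServiceApplication -Identity $serviceAppName -HubUri $hubUrl `
    -SyndicationErrorReportEnabled:$true

# 2. Connection: subscribe to published content types. Every option is stated
#    explicitly so the result does not depend on defaults. The two "default
#    location" switches assume this is the only connection that the Web
#    application uses as default keyword and default term set location.
Set-SPMetadataServiceApplicationProxy -Identity $connectionName `
    -ContentTypeSyndicationEnabled:$true `
    -ContentTypePushdownEnabled:$true `
    -DefaultKeywordTaxonomy:$true `
    -DefaultSiteCollectionTaxonomy:$true

# 3. Publish the content type in the hub site before continuing
#    (Site content types > Manage publishing for this content type).

# 4. Run the hub job first, then the subscriber job of the subscriber Web application.
$hubJob = Get-SyndicationJob -DisplayName "Content Type Hub"
$hubRun = Invoke-TimerJobAndWait -Job $hubJob
Write-Host "Content Type Hub last ran at $($hubRun.LastRunTime)"

$subscriberJob = Get-SyndicationJob -DisplayName "Content Type Subscriber" `
    -WebApplicationUrl $subscriberUrl
$subscriberRun = Invoke-TimerJobAndWait -Job $subscriberJob
Write-Host "Content Type Subscriber last ran at $($subscriberRun.LastRunTime)"
```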

Manage Managed Metadata Service Applications

Create and Configure a Managed Metadata Service Application


You can use the Farm Configuration Wizard to create a managed metadata service
application, if the farm does not already have one.

Create a Managed Metadata Service Application Using Central Administration

Farm administrators can create a managed metadata service application by
following this procedure:

1. In Central Administration, in the Application Management section, click
   Manage service applications.

2. On the ribbon, click New, and then click Managed Metadata Service.
   The Create New Managed Metadata Service dialog appears.

3. In the Name box, type the name for the service application.
   The service application created by the Farm Configuration Wizard is Managed
   Metadata Service. If you are manually creating the first metadata application
   in your farm, you can use the same name so that the result looks familiar to
   SharePoint administrators.
   Alternately, you can consider using a name such as Managed Metadata Service
   Application, which is more accurate; it is a service application, after all.

4. In the Database Name box, type a name for the database.
   The database created by the Farm Configuration Wizard is Managed Metadata
   Service_GUID. If you are manually creating the first metadata application in
   your farm, you can use a similar name, perhaps without the GUID component,
   so that the result looks familiar to SharePoint administrators.

5. In the Application Pool section, select an existing application pool.
   Alternately, create a new application pool and select or create a managed
   account for the application pool identity.

6. Optionally, in the Content Type hub box, enter the URL to the site collection
   that will serve as the content type hub.

7. It is recommended that you select the Report syndication import errors from
   Site Collections using this service application check box.
   When a Web application tries to import the content types from its managed
   metadata service applications and encounters an error, the error is always
   logged to that Web application. This option creates a second error associated
   with the content type hub site collection so that import errors from all
   subscriber sites are centralized and can be viewed in one place: the hub.

8. When you create a new managed metadata service application, a connection to
   the newly created managed metadata service is automatically created in the
   same Web application as the service. If you want that connection to be added
   to the default application connection group, select the Add this service
   application to the farm's default list check box. Click OK.

Create a Managed Metadata Service Application Using Windows PowerShell


Use the New-SPMetadataServiceApplication cmdlet to create a managed metadata
service application:

    New-SPMetadataServiceApplication -ApplicationPool "<ApplicationPoolName>" `
        -Name "<ServiceName>" -DatabaseName "<DatabaseName>" `
        -DatabaseServer "<DatabaseServerName>" -HubUri "<HubURI>"

Where:

• <ApplicationPoolName> is the name of an existing application pool in which
  the new managed metadata service should run.

• <ServiceName> is the name of the new managed metadata service.

• <DatabaseName> is the name of the database that will host the term store. Each
  managed metadata service must use a unique term store.

• <DatabaseServerName> is the name of the database server that will host the
  term store.

• <HubURI> is the URL of the site collection that contains the content type
  library that the new managed metadata service will provide access to.

A connection to the newly created managed metadata service is automatically
created in the same Web application as the service.

Update a Managed Metadata Service Application Using Central Administration

1. In Central Administration, in the Application Management section, select
   Manage service applications.

2. Select the row that corresponds to the service to update.

   Note: Do not select the row by clicking in the Name column. Clicking the name
   of the managed metadata service opens the Term Store Management Tool.
   Instead, click in another column in the same row.

3. On the ribbon, click Properties.
   You can then change any properties of the service application.

Update a Managed Metadata Service Application Using Windows PowerShell


Use the Set-SPMetadataServiceApplication cmdlet to update properties of a
managed metadata service application:

    Set-SPMetadataServiceApplication -Identity "<ServiceApplication>" -HubUri "<HubURI>"

Where:

• <ServiceApplication> is the name of the managed metadata service application
  that you are modifying.

• <HubURI> is the URL of the site collection that contains the content type
  library that the new managed metadata service will provide access to.

Delete a Managed Metadata Service Application


You can delete a managed metadata service application by using the Manage
Service Applications page. Click Delete on the ribbon.

Publish and Connect to Managed Metadata Service Applications Across Farms


SharePoint 2010 supports publishing some service applications across farms. The
managed metadata service is one such application. See Module 8, "Configuring and
Securing SharePoint Services and Service Applications," for more details.

Additional Reading

• Create, update, publish, and delete a managed metadata service application
  (SharePoint Server 2010) at
  http://go.microsoft.com/fwlink/?LinkID=197217&clcid=0x409.

Configure a Managed Metadata Service Application Connection


Web applications must connect to a managed metadata service application to have
the opportunity to use term sets in the term store and to subscribe to content types
from the content type hub.

Previously, you learned that application connections provide a way for a Web
application to connect to a service application. Application connections, also called
proxies, are grouped into connection groups, also called proxy groups. Typically, Web
applications connect to services using connections that are part of a defined
connection group that can be used by other Web applications. The farm has a
default connection group, and you can create additional connection groups. You
can also define a custom connection group for a single Web application, and this
custom connection group will not be available for other Web applications.

To use managed metadata, a Web application must have a connection to a
managed metadata service. A Web application can have connections to multiple
services, and the services can be local to the Web application (that is, in the same
farm as the Web application) or remote (that is, in another farm).

When you create a managed metadata service, a connection to the service is
created automatically in the same Web application as the service. As you learned in
a previous section, when you create a managed metadata service, the connection is
added to the default connection group unless you clear the Add This Service
Application To The Farm's Default List check box.

You do not need to (and cannot) create additional connections to a managed
metadata service in the local farm. However, if you want to connect to a managed
metadata service in a remote farm, you must create a connection. In Central
Administration, on the Manage Service Applications page, click Connect, and then
click Managed Metadata Service. The process of connecting to service applications
in remote farms is detailed in Module 8.

After a connection to a managed metadata service has been created, you can
configure the following four options:

• Default keyword location. If selected, Web applications using this connection
  store new enterprise keywords in the keyword set in the term store associated
  with this managed metadata service.

  IMPORTANT: For a given Web application, do not make more than one connection
  the default keyword location. If no connection is specified as the default
  keyword location, users cannot create new enterprise keywords.

• Default term set location. Web applications using this connection store local
  term sets (custom term sets created for site columns in site collections in
  the Web application) in this managed metadata service's term store.

  IMPORTANT: For a given Web application, do not define more than one
  connection as the default term set location. If no connection is specified as
  the default term set location, users can specify only an existing term set
  when they create a site column whose data type is managed metadata.

• Use of content types. You can use this option to decide whether to make the
  content types that are associated with this managed metadata service (if any)
  available to users of sites in this Web application. This option is available
  only if the service has a hub defined to share content types.

• Pushing down content type publishing updates from the content type
  gallery to subsites and lists using the content type. Use this option to
  update existing instances of the changed content types in subsites and
  libraries.

Update a Managed Metadata Service Application Connection Using Central
Administration

1. In Central Administration, in the Application Management section, select
   Manage service applications.

2. Select the row that corresponds to the service application connection to
   update.
   Do not select the row by clicking in the Name column. Clicking the name of
   the managed metadata service opens the Term Store Management Tool.
   Instead, click in another column in the same row.

3. On the ribbon, click Properties.
   You can then change any properties of the service application connection.

Additional Reading

• Create, update, and delete a managed metadata service connection
  (SharePoint Server 2010) at
  http://go.microsoft.com/fwlink/?LinkID=197218&clcid=0x409.

• Plan to share terminology and content types (SharePoint Server 2010) at
  http://go.microsoft.com/fwlink/?LinkID=197219&clcid=0x409.

Multiple Managed Metadata Service Applications


The design of managed metadata service applications is beyond the scope of this
course; however, it is worth remembering that each managed metadata service
application provides a distinct term store, giving the opportunity to delegate
administration distinctly. Each managed metadata service application also
publishes one content type hub.

Most enterprises use one managed metadata service (the primary managed
metadata service) to provide enterprise taxonomy services to every Web
application. The primary managed metadata service supports the default keyword
set and is the term set location for all site-specific (local) term sets.

You can deploy additional managed metadata service applications to publish
content types from additional hubs. Occasionally, you might deploy additional
managed metadata service applications to provide specific term stores.

Additional Reading

• Plan to share terminology and content types (SharePoint Server 2010) at
  http://go.microsoft.com/fwlink/?LinkID=197219&clcid=0x409.

• Managed metadata service application overview (SharePoint Server 2010) at
  http://go.microsoft.com/fwlink/?LinkID=197220&clcid=0x409.

Roles, Capabilities, and Permissions

A number of roles, capabilities, and permissions determine a user's ability to
modify or use terms in a term store.

A managed metadata service application and its term store can be modified
directly, with Central Administration or the Term Store Management Tool, and by
site administrators and end users on a site.

Modify the Term Store from Central Administration


Farm and service application administrators can perform tasks related to managed
metadata service applications by using the Manage Service Applications page of
Central Administration.

Modify the Term Store with the Manage Service Applications Page

The following roles can perform tasks related to managing managed metadata
service applications and connections:

• Farm Administrators. Farm administrators can create and connect to
  managed metadata service applications and term stores, can delete a managed
  metadata service application or connection, can assign permissions to the
  service, and can manage the Term Store Administrators role.

• Service Application Administrators. A farm administrator can delegate
  administration of a managed metadata service application to users who are not
  farm administrators. A service application administrator for a managed
  metadata service application has full control over the application and
  therefore can modify any property of the managed metadata service application
  and can even delete the application.

Modify the Term Store with the Term Store Management Tool

The following roles can perform tasks on the term store by using the Term Store
Management Tool:

• Contributors. A term group's Contributors have full permission to edit terms
  and term set hierarchies in the term group. Contributors can do the following
  within a term group:

  - Create, rename, copy, reuse, move, and delete term sets.

  - Modify all term set properties.

  - Create, rename, copy, reuse, merge, deprecate, move, and delete terms.

  - Modify all term properties.

• Group Managers. A term group's Group Managers have Contributor
  permissions plus the ability to import term sets. Group Managers can also add
  users to the Contributors role.

• Term Store Administrators. Term Store Administrators have full control over
  the term store. Term Store Administrators can perform all actions of Group
  Managers, can create and delete term groups, and can assign users to the
  Group Managers role. Term Store Administrators can also modify the default
  and working languages of a term set.

Modify the Term Store from a Site


You can modify a term store from a site as well.

Modify the Term Store with Managed Metadata and Keyword Controls

All users can make changes to the term store in the context of a task by interacting
with the managed metadata and managed keyword controls.

Presuming that a user has permission to change an item or document that uses a
managed metadata column or an enterprise keywords column, the user can do the
following:

• Add terms to a term set. By using the managed metadata control, a user can
  add a term to a term set. The term set must have an open submission policy,
  the managed metadata service application must allow writes to the term store
  (part of the Restricted connection permission), and the column must allow
  fill-in choices.

• Add keywords to the keyword set. By using the managed keyword control, a
  user can add a keyword to a keyword set. The Web application must have a
  managed metadata service application connection that designates the managed
  metadata service application as the default storage location for keywords. The
  managed metadata service application must allow writes to the keyword set
  (part of the Restricted connection permission), and the column must allow
  fill-in choices.

Modify the Term Store with the Managed Column Properties Page

A user with permission to add or modify columns can do the following:

• Create a local term set. An administrator of a site can create a local term set
  that is available only to sites in the site collection. This local term set, also
  called a site collection term set or a column-specific term set, is stored in the
  managed metadata service term store specified by the Web application's
  connections as the default term set location. The default term set location must
  be specified, and the user must have permission to create or modify columns
  in the site.

Informational Roles
The term set Owner, Contact, and Stakeholders properties are informational only.
They are used to document individuals and groups that have an interest in the
term set. The properties do not convey any permission of any kind.
However, the Contact email address is used to create a Submit Feedback link in the
managed keyword control so that users can propose changes or request new terms
by email.

Use Terms

Numerous tasks can be performed that use managed metadata. These tasks are
performed in the user interface and security context of the task.

• Create new managed metadata columns. Users with permission to create
  columns can create a managed metadata column that validates its terms
  against a local or global term set.

• Add managed metadata columns to content types. Users with permission to
  create content types can create a content type that includes a managed
  metadata column or an enterprise keywords column.

• Add managed metadata to SharePoint documents and items. Users with
  permission to create or modify content can use the managed metadata control
  and managed keyword control in managed metadata columns and enterprise
  keyword columns, respectively, to tag content.

• Add enterprise keywords to non-SharePoint items. If social tagging is
  allowed, users can add tags from the keyword set to non-SharePoint items,
  such as external Web sites or blog posts.

• Create and refine queries based on term sets. Users can use terms in term
  sets in search queries, and, when a list of search results is returned, they can
  use terms in term sets to create refiners, which are filters that narrow down
  search results.

Connection Permissions
A managed metadata service application, by default, allows all Web applications
that connect to it to have full access to the term store. With this default, all Web
applications connecting to the managed metadata service application can perform
all of the activities listed previously.

Some scenarios may require restricting the capabilities of specific Web
applications. To support these scenarios, a managed metadata service application
has connection permissions.

Configure Connection Permissions


Connection permissions are configured in Central Administration on the Manage
Service Applications page.

1. In Central Administration, click Application Management.

2. Click the row of the managed metadata service application.
   Do not click the name of the service application. The name is a link that
   opens the Term Store Management Tool.

3. On the ribbon, click Permissions.

By default, the Local Farm group has Full Access To Term Store permission. The
Local Farm group includes all app pools for all Web applications in the farm. To
restrict permissions, you must first remove the permission assigned to Local Farm.
You can then add individual Web application app pool accounts and assign
permissions to the accounts.

Connection permissions are as follows:

• Read Access To Term Store. This permission grants read access to the term
  store and content types that are associated with the managed metadata service.
  A Web application with this permission to the managed metadata service can
  use terms and content types from the managed metadata service but cannot
  make any changes.

• Read And Restricted Write Access To Term Store. This permission grants
  Read access to the term store and content types that are associated with the
  managed metadata service. Additionally, this permission grants the ability to
  create local term sets and to add terms to open term sets, and permission to
  create enterprise keywords. A Web application with this permission can allow
  users to create local term sets, to add keywords, and to add terms to open
  global term sets.

• Full Access To Term Store. This permission grants Read and Write access to
  the term store and Read access to content types that are associated with the
  managed metadata service. A Web application with this permission can
  publish content types to the content type hub and can manage terms and term
  sets.

To reiterate, the default permission for all Web applications is Full Access To Term
Store. With this permission in place, a user's capabilities are governed by
permissions on the term store, on the site collection, and on content in the site.
Any permission more restrictive than this limits the activities that were listed earlier
in this topic.
The following table summarizes connection permissions.

| Action                                                                                       | Read | Restricted | Full |
|----------------------------------------------------------------------------------------------|------|------------|------|
| View terms and term sets                                                                     | Yes  | Yes        | Yes  |
| Add existing terms and existing enterprise keywords to documents and list items              | Yes  | Yes        | Yes  |
| Bind columns to existing term sets                                                           | Yes  | Yes        | Yes  |
| View and use content types from the content type hub (if the service provides a hub)         | Yes  | Yes        | Yes  |
| Add new terms to open term sets                                                              |      | Yes        | Yes  |
| Create new enterprise keywords (if the connection is configured to enable this)              |      | Yes        | Yes  |
| Create local term sets (if the connection is configured to enable this)                      |      | Yes        | Yes  |
| Add and modify content types in the content type hub (if the service provides a hub)         |      |            | Yes  |
| Manage terms and term sets (if the user is authorized to do this)                            |      |            | Yes  |
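
One way to script the restriction described above, replacing the Local Farm grant with one permission per Web application app pool account. This is an added example, not part of the course material. The service application name, the Web application URLs and the permission chosen for each are assumptions; the permission names are the ones listed above and are resolved against the rights that the service application itself reports before they are used.

```powershell
# Added example; run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$serviceAppName = "Managed Metadata Service"   # assumption: service application name
$commit = $false                               # set to $true to write the change

# Constructed plan: Web application URL -> connection permission (URLs are hypothetical).
$plan = @{
    "http://intranet.contoso.com" = "Read and Restricted Write Access to Term Store"
    "http://extranet.contoso.com" = "Read Access to Term Store"
}

# Returns the right's name exactly as the service application reports it, or fails
# with the list of rights that are actually available.
function Resolve-RightName {
    param($Security, [string] $RightName)
    $match = $Security.NamedAccessRights | Where-Object { $_.Name -eq $RightName }
    if (-not $match) {
        $known = ($Security.NamedAccessRights | ForEach-Object { $_.Name }) -join "; "
        throw "Unknown right '$RightName'. Available rights: $known"
    }
    $match.Name
}

$app = Get-SPServiceApplication -Name $serviceAppName
if (-not $app) { throw "Service application '$serviceAppName' was not found." }

# Connection permissions are edited on an in-memory copy and written back once.
$security = Get-SPServiceApplicationSecurity -Identity $app

# Local Farm is represented by the farm ID claim of this farm.
$farmId    = (Get-SPFarm).Id.ToString()
$provider  = (Get-SPClaimProvider System).ClaimProvider
$localFarm = New-SPClaimsPrincipal `
    -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" `
    -ClaimProvider $provider -ClaimValue $farmId

# Remove the default Local Farm permission first, as the procedure requires.
Revoke-SPObjectSecurity -Identity $security -Principal $localFarm

# Grant each Web application's app pool account its own permission.
$assigned = @{}
foreach ($url in $plan.Keys) {
    $account = (Get-SPWebApplication -Identity $url).ApplicationPool.Username
    $right   = Resolve-RightName -Security $security -RightName $plan[$url]

    # Web applications that share an app pool account cannot be given different
    # permissions, because the permission is bound to the account.
    if ($assigned.ContainsKey($account) -and $assigned[$account] -ne $right) {
        throw "Account '$account' is planned for both '$($assigned[$account])' and '$right'."
    }
    if (-not $assigned.ContainsKey($account)) {
        $principal = New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName
        Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights $right
        $assigned[$account] = $right
    }
}

# Review the resulting rules before anything is written.
$security.AccessRules | Format-Table Name, AllowedRights -AutoSize

if ($commit) {
    Set-SPServiceApplicationSecurity -Identity $app -ObjectSecurity $security
    Write-Host "Connection permissions updated for '$serviceAppName'."
} else {
    Write-Host "Dry run only. Set `$commit = `$true to apply these permissions."
}
```

Because Local Farm covers every app pool in the farm, the plan must list every Web application that connects to the service application; any account left out has no access to the term store once the change is applied.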

Additional Reading

• Plan to share terminology and content types (SharePoint Server 2010) at
  http://go.microsoft.com/fwlink/?LinkID=197219&clcid=0x409.

• Managed metadata service application overview (SharePoint Server 2010) at
  http://go.microsoft.com/fwlink/?LinkID=197220&clcid=0x409.

Lab B: Configuring Managed Metadata

Scenario
The knowledge management team at Contoso is excited about the ability of
SharePoint 2010 to support an enterprise taxonomy. They have asked you to
prototype the functionality of the managed metadata service and of terms.

Exercise 1: Configuring and Implementing Managed Metadata

In this exercise, you create a term set of departments at Contoso. You use the term
set as metadata in a list that helps you keep track of help desk support requests.

The main tasks for this exercise are as follows:

1. Assign Term Set Administrators.

2. Create a group, a term set, and terms.

3. Add a managed metadata column to a list.

4. Add items with managed metadata.

5. Configure metadata navigation.

Task 1: Assign Term Store Administrators

• In Central Administration, assign CONTOSO\SP_Admin as a Term Store
  Administrator.

Task 2: Create a group, a term set, and terms

• In Term Store Management, create a new group named Organization.

• Create a new term set named Department. Configure the term set with a
  closed submission policy.

• Add terms for the following departments: Marketing, Finance, IT, and Sales.

Task 3: Add a managed metadata column to a list

• Open Internet Explorer, and then browse to
  http://intranet.contoso.com/sites/IT.

• Create a new custom list named SupportRequests.

• Create a single-line text column named User Name.

• Create a managed metadata column named Department using the
  Department term set.

• Create a managed metadata column named Request Type using a custom
  term set. Configure the custom term with an open submission policy.

Task 4: Add items with managed metadata

• Add the following items to the Support Requests list:

| Title                                | User Name | Department | Request Type    |
|--------------------------------------|-----------|------------|-----------------|
| Create a new account for Andy Ruth   | AndyR     | Finance    | New User        |
| Reset password for Christa Geller    | ChristaG  | IT         | Password Reset  |
| Problem starting computer            | FrankM    | Marketing  | Desktop Support |
| Create a new account for Sean Chai   | SeanC     | Sales      | New User        |
| Reset password for Lola Jacobsen     | LolaJ     | Sales      | Password Reset  |

Tip: To add a new term you must add it to the term store by clicking the Browse For
A Valid Choice icon, and then clicking the Add New Item link.

Tip: Use the Suggestions list to enter departments without having to type the entire
department name.

Task 5: Configure metadata navigation

• Configure the metadata navigation settings of the SupportRequest list so that
  Department and Request Type are the selected hierarchy fields.

• Observe the tree view below the Quick Launch. Click the terms in the
  Department and Request Type term sets to filter the list.

Results: After this exercise, you should have created term sets and a SupportRequest
list with managed metadata columns, and you should have configured metadata
navigation to filter the list.

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To
do this, complete the following steps:

• On the host computer, start Microsoft Hyper-V Manager.

• Right-click the virtual machine name in the Virtual Machines list, and then
  click Revert.

• In the Revert Virtual Machine dialog, click Revert.

Module Review and Takeaways

Review Questions

1. Why does list throttling benefit the users of a SharePoint farm?

2. What are the advantages of using RBS with SharePoint?

3. What advantage does the managed metadata service provide to an enterprise
   that is implementing an information architecture?

4. What are the advantages of using metadata navigation?

Module 5
Configuring Authentication

Contents:

Lesson 1: Understanding Classic SharePoint Authentication Providers

Lesson 2: Understanding Federated Authentication

Lab A: Configuring Custom Authentication

Lab B: Configuring Secure Store

Module Overview

Authentication is the process of verifying the identity of a user making a request to
an application. The application must be assured that the user is authentic before
the system performs authorization, which is the process of verifying that the user
has permission to make the request, and personalization, which determines how
the application interacts with the user.

Objectives
After completing this module, you will be able to:

• Describe Microsoft SharePoint Server 2010 authentication.

• Describe SharePoint Server 2010 federated authentication.

Lesson 1

Understanding Classic SharePoint Authentication Providers

Classic-mode authentication is one of two types of authentication supported by
SharePoint 2010. Classic-mode authentication supports one authentication
provider, Windows, and several methods of Windows authentication, each of
which is described in this lesson.
You can use classic-mode authentication in simple environments that do not
require the benefits of claims-based authentication.

Objectives
After completing this lesson, you will be able to:

• Describe identity and classic-mode authentication.
• Configure classic-mode authentication.
• Describe integrated Windows authentication.
• Configure Kerberos authentication.
• Describe additional Windows authentication methods.
• Configure the Secure Store Service.

Identity and Authentication in SharePoint

SharePoint Server 2010 is a distributed application that is logically divided into
three tiers: the front-end Web server tier, the application server tier, and the
back-end database tier. Each tier is a trusted subsystem, and authentication can be
required (and by default is required) for access to each tier. Controlling access to
each tier requires an authentication provider. Authentication providers are software
components that support specific authentication methods.
In SharePoint Server 2010, there are two types of authentication:

• Classic-mode authentication. Classic-mode authentication is the same type of
  authentication that was used in Microsoft Office SharePoint Server 2007.
  Classic-mode authentication uses Microsoft Windows as the authentication
  provider.
• Claims-based authentication. Claims-based authentication is a new
  authentication mode, built on the Windows Identity Framework (WIF). It
  supports Windows authentication, just as classic-mode does, as well as
  forms-based authentication (FBA) and Security Assertion Markup Language (SAML)
  token-based authentication.


If you are upgrading from Microsoft Office SharePoint Server 2007, consider using
classic-mode authentication if you have no plans to implement forms-based
authentication or SAML token-based authentication in the future. If you ever plan
to use forms-based authentication or SAML token-based authentication,
claims-based authentication is a requirement because classic-mode authentication only
supports the Windows authentication provider. FBA is not supported by
classic-mode authentication, even though FBA was supported in SharePoint 2007. You
must use claims-based authentication to use FBA.
The table below summarizes the authentication modes, providers, and methods.
You will learn about each as this lesson progresses.
Type          Provider  Methods
Classic       Windows   Anonymous, Basic, Digest, Certificates, NTLM,
                        Negotiate (Kerberos or NTLM)
Claims-based  Windows   Anonymous, Basic, Digest, Certificates, NTLM,
                        Negotiate (Kerberos or NTLM)
              FBA       LDAP, SQL database, Other DB, Custom
              SAML      ADFS 2.0, Windows Live ID, Third Party


Configure Classic-Mode Authentication

You can configure classic-mode authentication (CMA) either when you create a new
Web application or afterward by editing its authentication settings. Both
situations are described below.

Create a New Web Application
When you create a Web application, you can specify authentication settings on the
Create New Web Application page. In the authentication section of the page, you
can select classic-mode authentication.

Edit Authentication
After a Web application is created, you can modify authentication settings on the
Edit Authentication page. You will then be able to change the settings for Security
Configuration, and review the settings under Authentication Type.
You can access the Edit Authentication page from the Web Applications
Management or the Authentication Providers page.


To configure authentication settings from the Web Applications Management page,
follow these steps:

1. In the Central Administration Quick Launch, click Application Management.
2. In the Web Applications section, click Manage web applications.
3. Select the Web application that you want to modify.
4. On the ribbon, click Authentication Providers.
5. Click the link to the zone that you want to modify.
   By default, each new Web application has a single zone, called Default. You
   will learn more about zones later in this module.
   The Edit Authentication page appears.
6. Make your changes, and then click Save.

To configure authentication settings from the Authentication Providers page,
follow these steps:

1. In the Central Administration Quick Launch, click Security.
2. In the Web Applications section, click Specify authentication providers.
3. Click the Web Application menu to select the Web application that you want
   to modify.
4. Click the link to the zone that you want to modify.
   The Edit Authentication page appears.
5. Make your changes, and then click Save.


Integrated Windows Authentication

Windows authentication is available in both classic-mode and claims-based
authentication. However, when a Web application is using classic-mode
authentication, only the Windows authentication provider is supported.
Windows authentication supports the following authentication methods:

• Integrated Windows authentication. Can use either NT LAN Manager
  (NTLM) or Negotiate (Kerberos or NTLM) authentication methods.
• Basic. In the same fashion as Windows authentication, basic authentication
  relies on a set of credentials for the user in Active Directory. However, basic
  authentication enables a Web browser to submit credentials while making an
  HTTP request, and so the credentials are sent in plaintext, and unencrypted, to
  the server.
• Anonymous. Anonymous authentication enables users to connect to a Web
  application without providing credentials.
• Digest. Digest authentication provides the same functionality as basic
  authentication, but with increased security. User credentials are encrypted
  instead of being sent over the network in plain text.
• Client certificates. Client-certificate authentication supports the exchange of
  public key certificates using Secure Sockets Layer (SSL) encryption over HTTP.

NTLM
NTLM is the most established form of authentication in Microsoft products, as it
was introduced more than a decade ago.

The Process Behind NTLM Authentication
When a user logs on to a computer, the user is prompted for a user name and
password. The user name is sent to the domain controller, but the password is
never sent over the network. Instead, a hash of the password is passed through a
one-way hashing algorithm (the challenge) by both the client and the domain
controller through an encrypted challenge/response protocol. The client sends the
result (the response) to the domain controller. If the result matches what the
domain controller obtained as a result, then the password entered by the user must
have been correct, and the user is authenticated.
It gets more complicated when a user connects to a server, such as a SharePoint
server. If the SharePoint server is a member server (not a domain controller), then it
has no way of knowing the user's password. Therefore, when the user connects to
the server, the server has to pass the authentication request to a domain controller.
If the domain controller responds to the server that the user is valid, then the
authentication succeeds.

NTLM Summary
While NTLM is not the most efficient authentication method, and while it is
slightly less secure than Kerberos, it is often chosen as the authentication method
for SharePoint Web applications because it is easy to set up.

Kerberos
Kerberos is the default authentication method for Windows clients and servers in
an Active Directory domain.


The Process Behind Kerberos Authentication
Kerberos uses a process that involves encrypted tickets to verify authenticity.
When a user logs on and authenticates with the domain, the domain controller's
Key Distribution Center (KDC) issues the user a ticket-granting-ticket (TGT) that
effectively represents that the user has been authenticated. For the lifetime of the
TGT (ten hours by default), the user no longer needs to be authenticated.
When the user wants to connect to a service, such as a SharePoint Web application
that uses Kerberos authentication, the client application returns to a domain
controller's KDC, presents the TGT, which confirms that the client has already
been authenticated, and requests from a domain controller a service ticket for the
specific service to which the client will connect. The client then goes to the service
and presents the service ticket.
Because the entire process is encrypted with keys unique to each requestor (the
client, the service, and the domain), the service is able to examine the service ticket
and determine that it is being presented by an authenticated client. The service
ticket contains the client's identity and roles; the session is established.

Summary of Kerberos Authentication
One of the benefits of Kerberos is that when the client connects to the service, the
service does not have to refer the authentication back to a domain controller, as it
does in NTLM. Instead, the client's ticket for the service ensures the client has been
authenticated. This results in improved authentication performance for Kerberos as
compared with NTLM.
Another benefit is that Kerberos tickets can be delegated (forwarded or proxied)
between tiers. For example, a client connecting to a Web site provides a Kerberos
ticket, and the Web site can pass the ticket to a back-end data source that can
authenticate the user for data access. The Web tier does not need to know the
user's password to achieve this double-hop authentication. The Web tier also does
not need permissions to the back-end data source, since it is all done by using the
authentication of the client.
Kerberos is considered by many organizations to be a preferable authentication
mechanism because of the following advantages:

• More secure than NTLM. Kerberos protocols ensure mutual authentication,
  which prevents what are called man-in-the-middle attacks, whereby a rogue
  service could pretend to be a domain controller and intercept authentication
  requests from clients. Kerberos tickets also contain timestamps that reduce the
  likelihood of replay attacks, in which an authentication token can be
  intercepted and used later for malicious purposes.


• More scalable than NTLM. Kerberos supports authentication across trusted
  realms and, because it is an industry standard, is supported by platforms other
  than Windows.
• Supports delegation. Delegation was explained previously. It allows a service
  to impersonate a user without knowing the user's password. Windows Server
  2003 and later support constrained delegation as well, which adds a further
  level of security to the implementation of Kerberos in a Windows enterprise.
• Reduced load on domain controllers. Kerberos requires fewer trips to a
  domain controller for authentication than NTLM.

The disadvantage of Kerberos is that it requires additional steps to configure, for
example, the process of setting the SPN entries for services.

Kerberos Constrained Delegation
Kerberos constrained delegation is used in many implementations of
SharePoint, PerformancePoint, Reporting Services, and so forth. It is required when
you do a double-hop such as between a SharePoint server and a Microsoft SQL
Server Reporting Services server.
Constrained delegation is not required for Kerberos to work with SharePoint 2010,
but it is highly recommended. Constrained delegation restricts which services are
allowed to delegate user credentials. This prevents unauthorized applications from
logging into remote services on behalf of the user.
If you choose to configure constrained delegation, we recommend that you test
your Kerberos configuration with unconstrained delegation and resolve any issues
you might encounter prior to configuring constrained delegation.
To configure constrained delegation, you must specify which services trust the
application pool identity to present credentials. For constrained delegation to work
properly, each application pool identity must be trusted for delegation for the
specific services associated with the data source.

Considerations and Known Issues

• Web applications that will use Kerberos should be running on an application
  pool that uses a domain account. If you have used local accounts to install and
  configure SharePoint, then you would need to change the account through
  Central Administration (not through IIS).
• The Service Principal Name (SPN) has to be registered in the domain controller
  being used.
• Kernel-mode authentication has to be disabled in order to use the app pool
  account to receive the ticket from the KDC.
• Crawl has problems with communication and ticket handling when the site is
  running on non-default ports (the defaults are 80 for HTTP and 443 for HTTPS)
  and configured for Kerberos authentication.
• Kerberos authentication requires the creation of SPNs in Active Directory
  Domain Services (AD DS). If the services to which these SPNs correspond are
  listening on non-default ports, the SPNs should include port numbers.

Negotiate (Kerberos or NTLM)
To use Kerberos authentication, select the Negotiate (Kerberos or NTLM)
authentication method. Negotiate tries to use Kerberos authentication. However, if
Kerberos authentication is not supported in the deployed environment, or if the
client does not support Kerberos, authentication falls back to NTLM.
IIS passes the Negotiate security header when Windows Integrated authentication
is used to authenticate client requests. The Negotiate security header lets clients
select between Kerberos authentication and NTLM authentication. The Negotiate
process selects Kerberos authentication unless one of the following conditions is
true:

• One of the systems involved in the authentication cannot use Kerberos
  authentication.
• The calling application does not provide enough information to use Kerberos
  authentication.

If the Negotiate process cannot use the Kerberos protocol, the Negotiate process
selects the NTLM protocol.


Configure Kerberos Authentication

Configuring Kerberos authentication requires that you create service principal
names, or SPNs, for your SharePoint services, Web applications, and SQL Server.
To summarize the process of Kerberos Authentication, it is important to keep in
mind that when a client wants to connect to a Web application that uses Kerberos
authentication, the client requests a service ticket from a domain controller's KDC.
The request indicates the service to which the client will connect by specifying the
service's SPN.
The SPN is made up of the following three components:

1. The service class for the request, which is always HTTP (the HTTP service class
   includes both the HTTP and HTTPS protocols).
2. The host name.
3. The port (if not port 80) of the Web application.


For example, a request to http://intranet.contoso.com on port 80 equates to an
SPN of HTTP/intranet.contoso.com. Note that the SPN syntax uses a single
forward slash between the service class and host name portions of the name. A
request to http://sp2010-wfe1:9999 for Central Administration equates to an SPN
of HTTP/sp2010-wfe1:9999.
A security principal (a user or computer account in Active Directory) can have one
or more associated SPNs.
When a domain controller's KDC receives the service ticket request from a client, it
looks up the requested SPN. The KDC then creates a session key for the service
and encrypts the session key with the password of the account with which the SPN
is associated. The KDC issues a service ticket, containing the session key, to the
client. The client presents the service ticket to the service. The service, which
knows its own password, decrypts the session key and authentication is complete.
If a client submits a service ticket request for an SPN that does not exist in the
identity store, no service ticket can be issued, and the client receives an
access denied error.
For this reason, each component of a SharePoint infrastructure that uses Kerberos
authentication requires at least one SPN. For example, the intranet Web
application app pool account must have an SPN of HTTP/intranet.contoso.com.
Note that it is the app pool (not the server) that is associated with the SPN because
the app pool is the security context within which the service (the Web application
in this case) is running. It also makes sense if you consider that each SPN can be
associated with only one security principal. Therefore, if a Web app is load
balanced (running on several servers), it is the one app pool account that is
constant across all servers and therefore must have the SPN.
For each Web application, you should assign two SPNs: one with the fully
qualified domain name for the service, and one with the NetBIOS name of the
service. That's why the intranet Web application pool account should also be
assigned an SPN of HTTP/intranet.
In many environments, a single application pool may be used by multiple Web
applications. The app pool account should be given a pair of SPNs for each of its
Web applications that use Kerberos authentication.


Configure Service Principal Names for a Service or Application Pool Account Using ADSI Edit
To configure an SPN for a service or application pool account, you must have
domain administrative permissions or a delegation to modify the
servicePrincipalName property.

1. Start ADSI Edit.
2. In the console tree, right-click ADSI Edit, and then click Connect To.
   The Connection Settings dialog box appears.
3. Click OK.
4. In the console tree, expand Default naming context, expand the domain, and
   then expand the nodes representing the OU(s) in which the account exists.
   Click the OU in which the account exists.
5. In the details pane, right-click the service or application pool account, and
   then click Properties.
   The Properties dialog box appears.
6. In the Attributes list, double-click servicePrincipalName.
   The Multi-Valued String Editor dialog box appears.
7. In the Value to Add field, type the SPN, and then click Add.
   Repeat Step 7 for additional SPNs. Remember that an app pool account should
   have two SPNs, in the form HTTP/site.domain.com and HTTP/site, for each
   Web application that uses Kerberos authentication in the app pool. Remember
   also to add the port number if the site runs on a port other than port 80, for
   example, HTTP/site.contoso.com:9999 and HTTP/site:9999.
8. Click OK.
9. Click OK.


Configure Service Principal Names for a Service or Application Pool Account Using SetSPN
You can also use the command-line tool Setspn.exe to add SPNs to an account. The
following example adds the SPNs for the intranet Web application to the app pool
account:

setspn -a HTTP/intranet.contoso.com CONTOSO\SP_Service
setspn -a HTTP/intranet CONTOSO\SP_Service

Type Setspn.exe /? for more information.
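
The SPN rules described above (service class HTTP, host name, port only when it is not the default, an FQDN and a NetBIOS form per Web application, and one security principal per SPN) can be checked mechanically before Kerberos is switched on. The following PowerShell is an added example, not part of the course material. The function names, the CONTOSO\SP_Farm account, and the inventory entries are constructed for illustration, and HTTPS on port 443 is assumed to need no port suffix.

```powershell
# Added example: derive the SPNs a Kerberos-enabled Web application needs and
# audit them against a list of registered SPNs. Function names are hypothetical.

function Get-ExpectedSpn {
    param(
        [Parameter(Mandatory = $true)] [string] $Url,
        # DNS suffix appended when the URL uses a short (NetBIOS-style) host name.
        [Parameter(Mandatory = $true)] [string] $DnsDomain
    )
    $uri = New-Object System.Uri $Url          # throws on a malformed or relative URL
    if (@('http', 'https') -notcontains $uri.Scheme) {
        throw "Not a Web application URL: $Url"
    }
    # An SPN names a host; a URL that uses an IP address has no SPN to match.
    if ($uri.HostNameType -ne [System.UriHostNameType]::Dns) {
        throw "URL must use a DNS host name, not an IP address: $Url"
    }
    $hostName  = $uri.Host.ToLowerInvariant()
    $shortName = $hostName.Split('.')[0]
    if ($hostName.Contains('.')) { $fqdn = $hostName }
    else { $fqdn = "$hostName.$($DnsDomain.ToLowerInvariant())" }

    # Service class is always HTTP, for both http:// and https:// URLs. The port
    # is appended only when it is not the scheme default (assumption: 80 or 443).
    if ($uri.IsDefaultPort) { $portSuffix = '' } else { $portSuffix = ":$($uri.Port)" }

    "HTTP/$fqdn$portSuffix"
    "HTTP/$shortName$portSuffix"
}

function Test-SpnInventory {
    param(
        [Parameter(Mandatory = $true)] [object[]] $WebApplication,  # Url, AppPoolAccount
        [Parameter(Mandatory = $true)] [object[]] $Registered,      # Account, Spn
        [Parameter(Mandatory = $true)] [string]   $DnsDomain
    )
    # Index registered SPNs by name. Keys of a PowerShell hashtable literal are
    # case-insensitive, which matches how SPNs are compared.
    $owners = @{}
    foreach ($entry in $Registered) {
        if (-not $owners.ContainsKey($entry.Spn)) { $owners[$entry.Spn] = @() }
        $owners[$entry.Spn] += $entry.Account
    }
    foreach ($app in $WebApplication) {
        foreach ($spn in (Get-ExpectedSpn -Url $app.Url -DnsDomain $DnsDomain)) {
            $holders = @()
            if ($owners.ContainsKey($spn)) {
                # Sort-Object -Unique compares strings case-insensitively.
                $holders = @($owners[$spn] | Sort-Object -Unique)
            }
            if ($holders.Count -eq 0)                    { $status = 'Missing' }
            elseif ($holders.Count -gt 1)                { $status = 'Duplicate' }
            elseif ($holders[0] -ne $app.AppPoolAccount) { $status = 'WrongAccount' }
            else                                         { $status = 'OK' }
            New-Object PSObject -Property @{
                Url = $app.Url; Spn = $spn; Status = $status
                RegisteredTo = ($holders -join ', ')
            } | Select-Object Url, Spn, Status, RegisteredTo
        }
    }
}

# Constructed sample data. In a domain, the registered list would be built from
# the output of "setspn -L <account>" for each service account.
$webApps = @(
    @{ Url = 'http://intranet.contoso.com'; AppPoolAccount = 'CONTOSO\SP_Service' },
    @{ Url = 'http://sp2010-wfe1:9999';     AppPoolAccount = 'CONTOSO\SP_Farm' }
)
$registered = @(
    @{ Account = 'CONTOSO\SP_Service'; Spn = 'HTTP/intranet.contoso.com' },
    @{ Account = 'CONTOSO\SP_Service'; Spn = 'HTTP/intranet' },
    @{ Account = 'CONTOSO\SP_Farm';    Spn = 'HTTP/intranet' },          # duplicate
    @{ Account = 'CONTOSO\SP_Farm';    Spn = 'HTTP/sp2010-wfe1:9999' }   # FQDN form absent
)

Test-SpnInventory -WebApplication $webApps -Registered $registered -DnsDomain 'contoso.com' |
    Format-Table -AutoSize
```

A Missing row corresponds to the case in the text where the KDC cannot find the requested SPN, and a Duplicate or WrongAccount row means the SPN is not bound to the single app pool identity that runs the Web application.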

Configure Service Principal Names for SQL Server
To configure Kerberos authentication for SQL Server, you will need to add SPNs to
the SQL Server service account, for example, CONTOSO\SVC_SQL. By default,
SQL Server communication is over port 1433, so the two SPNs for a SQL Server
running on a server named SQLSERVER01 would be the following:

• MSSQLSvc/sqlserver01:1433
• MSSQLSvc/sqlserver01.contoso.com:1433

Additional Reading

• Configure Kerberos Authentication (SharePoint Server 2010) at
  http://go.microsoft.com/fwlink/?LinkID=197059&clcid=0x409.
• Kerberos (Windows Server 2008 and Windows Server 2008 R2 Technical
  Library) at http://go.microsoft.com/fwlink/?LinkID=197060&clcid=0x409.
• Kerberos Authentication Technical Reference (Windows Security Collection)
  at http://go.microsoft.com/fwlink/?LinkID=197061&clcid=0x409.
• Windows Authentication at
  http://go.microsoft.com/fwlink/?LinkID=197062&clcid=0x409.
• Kerberos Explained at
  http://go.microsoft.com/fwlink/?LinkID=197063&clcid=0x409.
• How to use SPNs when you configure Web applications that are hosted on
  Internet Information Services at
  http://go.microsoft.com/fwlink/?LinkID=197065&clcid=0x409.
• SETSPN at http://go.microsoft.com/fwlink/?LinkID=198479&clcid=0x409.
• For how to create a SharePoint farm with Kerberos authentication, see
  Configure Kerberos authentication (SharePoint Server 2010) at
  http://go.microsoft.com/fwlink/?LinkID=197066&clcid=0x409.


Additional Windows Authentication Methods

Although NTLM or Negotiate (Kerberos or NTLM) are the most commonly used
authentication methods, classic-mode and Windows authentication also support
anonymous, basic, digest, and client certificate authentication methods.

Anonymous
You can enable anonymous authentication on either the Create New Web
Application or Edit Authentication pages.
Anonymous authentication does not provide anonymous users with permission to
view content within a Web application. Anonymous access must be granted at the
securable object level. You can grant anonymous users permission to an entire site
or to specific lists and libraries.

Basic
Basic authentication relies on the exchange of plaintext, unencrypted
credentials. If you choose to use basic authentication, it is recommended to enable
Secure Sockets Layer (SSL) encryption to provide a secure implementation.


Digest
User credentials are sent as an MD5 message digest in which the original user
name and password cannot be deciphered. Digest authentication uses a
challenge/response protocol that requires the authentication requestor to present
valid credentials in response to a challenge from the server. To authenticate against
the server, the client has to supply an MD5 message digest in a response that
contains a shared secret password string.
Digest authentication for SharePoint is not particularly common. To implement
digest authentication, you must:
1. Select Windows authentication in Central Administration.
2. Configure the IIS Web site for digest authentication.

Client Certificates
Client certificates are issued by a Certificate Authority (CA), and they must
conform to the Public Key Infrastructure (PKI). To implement client certificate
authentication, you must:
1. Select Windows authentication in Central Administration.
2. Configure the IIS Web site for certificate authentication.
3. Enable SSL.
4. Obtain and configure certificates from a CA.


Secure Store Service

Secure Store Service, or SSS, is the replacement for Microsoft Single Sign On. An
important point: SSO and SSS are enterprise single sign-on solutions. This means
that SSS only stores user names and passwords. It is not the responsibility of the
SSS to do any logging on. An application must make a call to SSS, and then, based
on the application or service that makes the call, a set of credentials is returned.
The new SSS has improved APIs and more integration across the SharePoint farm
through various service applications. BCS, Excel Services, and PerformancePoint
are examples of this. They require credentials for users that execute reports when
they do not explicitly have access to those data sources.

How Does SSS Work?
An application or user requests credentials for an application, via an application
ID. The SSS will then respond with credentials if there is a mapping for the user
making the request.


Secure Store Service Preparation
When you prepare to deploy the Secure Store Service, be aware of the following
important guidelines:

• Run the Secure Store Service in a separate application pool that is not used for
  any other service.
• Run the Secure Store Service on a separate application server that is not used
  for any other service.
• Create the Secure Store database on a separate application server running SQL
  Server. Do not use the same SQL Server installation that contains content
  databases.
• Back up the Secure Store database before generating a new encryption key.
  You should also back up the Secure Store database after it is initially created,
  and again each time credentials are re-encrypted. When a new key is
  generated, the credentials can be re-encrypted with the new key. If the key
  refresh fails, or the passphrase is forgotten, the credentials will not be usable.
• Back up the encryption key after initially setting up the Secure Store Service,
  and back up the key again each time it is regenerated.
• Do not store the backup media for the encryption key in the same location as
  the backup media for the Secure Store database. If a user obtains a copy of
  both the database and the key, the credentials stored in the database could be
  compromised.

Application IDs
Each Secure Store Service entry contains an application ID that is used to retrieve a
set of credentials from the Secure Store database. Each application ID can have
permissions applied so that only specific users or groups can access the credentials
that are stored for the application ID. Applications use application IDs to retrieve
credentials from the Secure Store database on behalf of a user. The application can
then use the retrieved credentials to access a data source.
Application IDs map your users' IDs to credential sets. Mappings are available for
groups or individuals. In a group mapping, every user that is a member of a
specific domain group is mapped to the same set of credentials. In an individual
mapping, each individual user is mapped to a unique set of credentials.


Secure Store Service Mappings


The Secure Store Service supports individual mappings and group mappings. The
Secure Store Service maintains a set of credentials for the application IDs of
resources stored in the Secure Store database. The application ID retrieves
individual credentials. Individual mappings are useful when you need logging
information about individual user access to shared resources. For group mappings,
a security layer checks group credentials for multiple domain users against a single
set of credentials for a resource identified by an application ID that is stored in the
Secure Store database. Group mappings are easier to maintain than individual
mappings and can provide improved performance.

Secure Store Service and Claims Authentication


The Secure Store Service is a claims-aware service. It can accept security tokens and
decrypt them to get the application ID, and then perform a lookup. When a
SharePoint Server 2010 Security Token Service (STS) issues a security token in
response to an authentication request, the Secure Store Service decrypts the token
and reads the application ID value. The Secure Store Service uses the application
ID to retrieve credentials from the Secure Store database. The credentials are then
used to authorize access to resources.


Lesson 2

Understanding Federated Authentication

Federated authentication provides a unified approach to combining credentials
from a heterogeneous environment where multiple methods for authentication
exist and different authentication databases play a role.
While this lesson does not focus on setting a standard, it does cover the process of
unifying an enterprise and giving access to the SharePoint Server resource.

Objectives
After completing this lesson, you will be able to:

• Describe federated identity.
• Describe Active Directory Federated Services (ADFS).
• Describe how claims authentication works.
• Understand the federated sign-in process.
• Describe SharePoint identity normalization.
• List the forms-based authentication changes.
• Compare claims with the Windows token service.

Overview of Federated Identity

Key Points
Federated identity allows you to use credentials hosted in select external
authentication systems. This results in lower costs from not having to manage your
own authentication provider. In addition, usability increases because users have
only one user name and password that they can use with any application. There
are many large identity providers in the world; for example, the largest are Windows
Live ID and OpenID.
In most cases, your users are not located in a single authentication system, which
means you must set up a gateway that maps each of those external users to a
single integration point for your own applications to use. This is an
alternative to implementing your own gateway in each of your applications.
When we talk about federating these attributes, we call them claims. Since the
authentication system is external, these claims are not known to contain valid facts
about the users until further identified.


What Are Claims?


A claim is the process of establishing a mechanism as proof or having privileges
that allow a transaction to be completed and accepted. For example, when
presenting a credit card to complete a purchase transaction, the store requires a
validation for the identity of the individual making the purchase.

Claims Providers
Claims providers are the entities that do all the work. They implement the WS-*
standards and provide the claims back to the calling clients (in this case,
SharePoint). Keep in mind that a system can be a consumer and provider at the
same time. SharePoint implements its own claims provider for forms-based identity
in 2010. Claims providers perform the following tasks:

• Augmentation of Claims
  • Add application-specific claims
  • Authorize over the claims
• Search and Resolve
  • Enumerate and select claims
  • Use the claims in SharePoint applications

Federated identity uses the following three industry standard specifications:

• WS-Federation 1.1. Provides the architecture for a clean separation between
  trust mechanisms, security token formats, and the protocols for obtaining
  tokens.
• WS-Trust 1.4. Requests and receives security tokens.
• SAML Token 1.1. XML vocabulary represents claims in an interoperable way.


Active Directory Federated Services (ADFS)

Key Points
ADFS is a platform for integrating external authentication stores and trusting them
with federated authentication. This means that instead of creating a user name and
password database for external users or creating a new domain, you can simply
point to an external authentication store and allow users to continue to use their
own user name and password. As part of any authentication system, users have
attributes.
ADFS implements industry standards of the WS-* stack, which means that it can
integrate with any authentication system in the world that implements these global
standards.
ADFS has a simple-to-use interface that allows you to build rules around the target
systems and the claims that will be trusted. You can build rules to use these claims
and allow or disallow requests based on claims information.


Claims Authentication Process and Normalization

Key Points
When authenticating to an external system, a token is generated that contains the
information about the user. This token can be used by the target application to
make decisions about what you will let the user do in the system.
A key element of a claims-based system is trust. An external system can claim
many things about a user, but you have to determine if your systems trust what
that external system claims about that user. Advanced claims-based authentication
systems may pull claims from more than one system and aggregate them together
to make an authorization decision.
The following describes the federated sign-in process for a user to perform an
action that requires authentication:

As a user, you will request to access the SharePoint site you are interested in
visiting.

You are then redirected to the Identity Provider (IP) and after that, the external
Secure Token Service (STS) generates the requested token.


You are given a token, which will then be forwarded to the application (in this
case, SharePoint).

SharePoint uses the token to authorize you for the actions requested.

For example, most Microsoft sites require you to have a Live ID to log in. When
you click the login link on a Microsoft site, you are redirected to Live ID, where
you log on. You are then redirected back to the application with claims data, for
example, a token. The site then uses that token to allow you to access its
resources.

SharePoint Identity Normalization


NTLM works by passing NT Tokens, commonly known as credentials. In
SharePoint 2007, an NT Token is translated to an SPUser, and then access to resources
is determined based on that SPUser object.
In SharePoint 2010, at logon, all identities are converted to ClaimsIdentities. These
claims identities are then translated to the SPUser.
That is what happens behind the scenes. What you see is an identity (or user name
claim) being translated to a valid, recognized SharePoint user, which validates
the claim.

SharePoint and the Security Token Service


An Identity Provider-STS (IP-STS) is a Web service that handles requests for trusted
identity claims. IP-STS uses a database called an identity store to store and manage
identities and their associated attributes. For example, IP-STS can use a SQL
database table to store and manage identities. IP-STS can also use a complex
identity store. For example, IP-STS can use Active Directory Domain Services or
Active Directory Lightweight Directory Service (AD LDS).
There are two parts in this process, the IP-STS and the relying party STS (RP-STS). There is a
federated trust relationship between each IP-STS and the federated partner RP-STS
Web applications. Clients can create managed information cards that will represent
the identities registered and known by the IP-STS. An example of this information
card system is Windows CardSpace.
After authentication, the IP-STS issues a trusted security token that the client can
present to a relying party application. Relying party applications can establish trust
relationships with an IP-STS. This enables them to validate the security tokens
issued by IP-STS. After the trust relationship is established, relying party
applications can examine security tokens presented by clients to determine the
validity of the identity claims they contain.


Forms-Based Authentication Changes

Key Points
Forms-based authentication has changed in SharePoint Server 2010. It is no longer
based on ASP.NET Generic Identities, but rather a claims identity is created. This is
accomplished by the SecurityToken.svc service and a custom Microsoft Identity
Framework Token Service Host Factory. You must also enable your forms
membership and role providers in this SecurityToken service or your Web
application will not be able to use forms-based authentication.
Forms-based authentication is an identity management system that uses the
ASP.NET membership and role provider authentication. In SharePoint Server
2010, FBA is only available when you use claims-based authentication.
FBA is used for authentication purposes. The process accounts that connect to
Microsoft SQL Server database software and run the farm must be Windows
accounts, even when using alternative methods of authentication to authenticate
users.


SharePoint Server 2010 supports SQL Server authentication and local computer
process accounts for farms that are not running Active Directory Domain Services.
For example, you can implement local accounts by using identical user names and
passwords across all servers within a farm.
To use FBA to authenticate users against an identity management system that is
not based on Windows, or that is external, you must register the custom
membership provider in the Web.config file. In addition to registering a
membership provider, you can register a role manager. SharePoint Server 2010
uses the standard ASP.NET role manager interface to gather group information
about the current user. Each ASP.NET role is treated as a domain group by the
authorization process in SharePoint Server 2010. You register role managers in the
Web.config file the same way you register membership providers for
authentication.
When you want to manage membership users or roles from the Central
Administration site, you can register the membership provider and the role
manager in the Web.config file for the Central Administration site. You would do
this in addition to registering those membership users in the Web.config file for
the Web application that hosts the content.
Ensure that the membership provider name and role manager name that you
registered in the Web.config file are the same as the names that you entered in
Central Administration. If you do not enter the role manager in the Web.config file,
the default provider specified in the Machine.config file might be used instead. For
example, the following string in a Web.config file specifies a SQL membership
provider: <membership defaultProvider="AspNetSqlMembershipProvider">.
Integrating with FBA places additional requirements on the authentication
provider. In addition to registering the various elements in the Web.config file, the
membership provider, role manager, and HTTP module must be programmed to
interact with SharePoint Server 2010 and ASP.NET methods.


Claims to Windows Token Service

Key Points
Since SharePoint uses claims identities, SharePoint must convert that identity to
the corresponding NT Token in order for a user to access Windows-only
authenticated resources.
In SharePoint 2010, the Claims to Windows Token Service (C2WTS) is responsible
for converting the claims identity to the NT Token. C2WTS is a Windows service
that monitors requests and then creates the mappings and the NT Token.
If this service is not running, then calls to Windows authenticated resources will
not succeed.


Lab A: Configuring Custom Authentication

Scenario
The Client Services department at Contoso, Ltd. has asked you to establish a
SharePoint site with which employees and clients can collaborate. Your
organizational IT Policy states that only employees shall have an Active Directory
account. Therefore, you must configure a custom authentication mechanism using
forms-based authentication, so that user accounts for clients can be maintained in a
separate database.

Start the virtual machines

1. Start 10174A-CONTOSO-DC-D.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.


Exercise 1: Creating and Configuring an ASP.NET Membership Database
In this exercise, you will create a membership and role database using the schema
and tools provided with ASP.NET. You will configure the .NET framework and
SharePoint Central Administration to connect to the database, and then you will
create user accounts in the database.
The main tasks for this exercise are as follows:
1. Create an ASP.NET membership database.
2. Configure the connection to the database.
3. Create users.
4. Enable the Secure Token Service to use forms-based authentication.

Task 1: Create an ASP.NET membership database

Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password, Pa$$w0rd.

Start Command Prompt with the Run as administrator option.

Type the following commands:


cd c:\windows\microsoft.net\framework\v2.0.50727
aspnet_regsql.exe

Accept all of the defaults in the ASP.NET SQL Server Setup Wizard.

Task 2: Configure the connection to the database

With Notepad, open c:\windows\microsoft.net\framework\v2.0.50727\config\machine.config.
Modify the connectionStrings element of the XML file to match the following, and
then save and close the file.
<connectionStrings>
  <clear/>
  <add name="LocalSQLServer"
       connectionString="Server=.;Database=aspnetdb;uid=sa;pwd=Pa$$w0rd;"
       providerName="System.Data.SqlClient"/>
</connectionStrings>


Repeat the previous step for the file, c:\windows\microsoft.net\framework64\v2.0.50727\config\machine.config.

Task 3: Create users

Start SharePoint 2010 Management Shell with the Run as administrator option, and
then type the following commands:
# Create the SQL membership provider and point it at the LocalSQLServer connection string
$member = New-Object System.Web.Security.SQLMembershipProvider
$vals = New-Object System.Collections.Specialized.NameValueCollection
$vals.Add("name", "sql")
$vals.Add("connectionStringName", "LocalSQLServer")
$vals.Add("applicationName", "/")
$member.Initialize("sql", $vals);
# $status receives the result of CreateUser through the [ref] parameter
$status = New-Object System.Web.Security.MembershipCreateStatus
# $id is not set, so the provider user key is $null and the provider generates one
$member.CreateUser('SiteAdministrator', 'Pa$$w0rd',
    'SharePoint@contoso.com', 'first person kissed', 'mom', $true,
    $id, [ref] $status)

Ignore the error message that indicates the membership provider name
specified is invalid.

Type the following command:


$status

Verify that the last message you see is Success.

Type the following commands:


# Same provider setup as before, this time to create the client account
$member = New-Object System.Web.Security.SQLMembershipProvider
$vals = New-Object System.Collections.Specialized.NameValueCollection
$vals.Add("name", "sql")
$vals.Add("connectionStringName", "LocalSQLServer")
$vals.Add("applicationName", "/")
$member.Initialize("sql", $vals);
$status = New-Object System.Web.Security.MembershipCreateStatus
$member.CreateUser('JamesF', 'Pa$$w0rd',
    'JamesF@tailspintoys.com', 'favorite pet', 'Spot', $true, $id,
    [ref] $status)

Ignore the error message that indicates the membership provider name
specified is invalid.


Type the following command:


$status

Verify that the last message you see is Success.

Close SharePoint 2010 Management Shell.

Task 4: Enable the secure token service to use forms-based authentication

With Notepad, open the file, c:\program files\common files\microsoft shared\web server extensions\14\webservices\root\web.config.

Remove the <clear/> statements within the system.web\membership\providers
and roleManager\providers xpath elements. Then save and close the file.

Results: After completing this exercise, you should have a new custom database to
support forms-based authentication for SharePoint, and you should have two user
accounts in the database.
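
The following check is an added example, not part of the course lab: a PowerShell function that inspects a Web.config or machine.config file for the settings changed in Tasks 2 and 4 and described under Forms-Based Authentication Changes (SQL credentials stored in a connection string, and <clear/> hiding the providers whose names were entered in Central Administration). The function name Get-FbaConfigFinding, the LocalSQLServerSspi entry, and the sample XML are constructed for illustration.

```powershell
# Added example (not from the course): audit an ASP.NET config file for the
# FBA settings this lab changes. Function name and sample XML are constructed.
Add-Type -AssemblyName System.Data

function Get-FbaConfigFinding {
    param(
        [xml]$Config,
        # Names entered in Central Administration when the Web application was created
        [string]$MembershipProvider = 'AspNetSqlMembershipProvider',
        [string]$RoleProvider = 'AspNetSqlRoleProvider'
    )
    $findings = @()

    # 1. Connection strings that carry a SQL login and password in clear text.
    foreach ($node in $Config.SelectNodes('/configuration/connectionStrings/add')) {
        $name = $node.GetAttribute('name')
        $cs = $node.GetAttribute('connectionString')
        try {
            $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder -ArgumentList $cs
        } catch {
            $findings += "connectionStrings/${name}: connection string could not be parsed"
            continue
        }
        if (-not $csb.IntegratedSecurity -and $csb.Password) {
            $findings += "connectionStrings/${name}: SQL login '$($csb.UserID)' with a clear-text password"
            if ($csb.UserID -eq 'sa') {
                $findings += "connectionStrings/${name}: uses the sa login instead of a least-privileged account"
            }
        }
    }

    # 2. Provider lists. <clear/> discards every provider inherited from
    #    machine.config; only providers added after it in this file remain.
    $checks = @(
        @('system.web/membership/providers', $MembershipProvider),
        @('system.web/roleManager/providers', $RoleProvider)
    )
    foreach ($check in $checks) {
        $path, $expected = $check
        $providers = $Config.SelectSingleNode("/configuration/$path")
        if ($null -eq $providers) { continue }   # section not overridden in this file
        $visible = $true   # assumption: the provider is registered in machine.config
        foreach ($child in $providers.ChildNodes) {
            if ($child.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
            $target = $child.GetAttribute('name')
            switch ($child.LocalName) {
                'clear'  { $visible = $false }
                'remove' { if ($target -eq $expected) { $visible = $false } }
                'add'    { if ($target -eq $expected) { $visible = $true } }
            }
        }
        if (-not $visible) {
            $findings += "${path}: provider '$expected' is not visible (cleared or removed and not re-added)"
        }
    }
    $findings
}

# Constructed sample: the lab's connection string next to an integrated-security
# alternative, and provider lists that still contain <clear/>.
$sample = [xml]@'
<configuration>
  <connectionStrings>
    <add name="LocalSQLServer" connectionString="Server=.;Database=aspnetdb;uid=sa;pwd=Pa$$w0rd;" providerName="System.Data.SqlClient"/>
    <add name="LocalSQLServerSspi" connectionString="Server=.;Database=aspnetdb;Integrated Security=SSPI;" providerName="System.Data.SqlClient"/>
  </connectionStrings>
  <system.web>
    <membership><providers><clear/></providers></membership>
    <roleManager><providers>
      <clear/>
      <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="LocalSQLServer" applicationName="/"/>
    </providers></roleManager>
  </system.web>
</configuration>
'@

Get-FbaConfigFinding -Config $sample
# To check a real file instead:
# Get-FbaConfigFinding -Config ([xml](Get-Content 'path\to\web.config'))
```

With integrated security, the application pool accounts that read the membership database need access to it in SQL Server, because no login is stored in the file.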


Exercise 2: Creating a Web Application That Uses Claims-Based Authentication
In this exercise, you will create a Web application to support collaboration with
external clients. You will provide Windows authentication for employees and
forms-based authentication for clients.
The main tasks for this exercise are as follows:
1. Create a Web Application that uses both Windows and forms-based authentication.
2. Add a DNS host record for the new Web application.
3. Test claims-based authentication.

Task 1: Create a Web application that uses both Windows and forms-based authentication

In Central Administration, click the Manage web applications link and
create a new Web application with the following settings:

Authentication: Claims Based Authentication

Port: 80

Host Header: clients.contoso.com

Claims Authentication Types: Integrated Windows Authentication (NTLM) and Forms Based Authentication

ASP.NET Membership provider name: AspNetSqlMembershipProvider

ASP.NET Role manager name: AspNetSqlRoleProvider

Application Pool: SharePoint 80 (CONTOSO\SP_ServiceApps)

Database name: WSS_Content_Clients

Create a site collection in the new Web application with the following settings:

Title: CONTOSO Client Portal

Template Selection: Publishing Portal

Primary Site Collection Administrator: CONTOSO\SP_Admin

Secondary Site Collection Administrator: SiteAdministrator


Task 2: Add a DNS host record for the new Web application

Start DNS Manager using the Run as different user option. Enter the user
name, CONTOSO\Administrator, and the password, Pa$$w0rd.

In the contoso.com forward lookup zone, create a new host record named
clients with the address 10.0.0.21.

Close DNS Manager.

Task 3: Test claims-based authentication

Open Internet Explorer, and then browse to http://clients.contoso.com.

Sign in using Forms Authentication with the user name SiteAdministrator
and the password, Pa$$w0rd.

Click Sign in as Different User and then sign in with Windows
Authentication as SP_Admin with the password, Pa$$w0rd.

Results: After completing this exercise, you should have created a Web application
that is accessible both by employees, using Windows authentication, and by clients,
using forms-based authentication.

Do not shut down the virtual machines

Leave the virtual machines running. You will use them for Lab B.


Lab B: Configure Secure Store

Scenario
Information workers at Contoso, Ltd. have started using the new intranet portal
site and would like to start using SharePoint Designer 2010 to add Business
Connectivity Services applications to pages. Organizational IT policy states that
under no circumstances shall credentials be stored in an unencrypted manner in
applications. Because of this policy, users will not be allowed to embed credentials
in the ASP.NET pages. You have been tasked with configuring Secure Store Service
to facilitate the authentication for these information workers.


Exercise 1: Creating User Accounts for Access to External Data
Scenario
In this exercise, you will establish user accounts in Active Directory that will be
assigned to target applications in the Secure Store in the next exercise.
The main tasks for this exercise are as follows:
1. Create Active Directory accounts.

Task 1: Create Active Directory accounts

On SP2010-WFE1, start Active Directory Users and Computers using the
Run as different user option. Enter the user name,
CONTOSO\Administrator, and the password, Pa$$w0rd.

In the Users container, create the user accounts listed in the table below. For
each account, set the password to Pa$$w0rd, clear the User must change
password at next logon check box, and select the Password never expires
check box.

Full name                                      User logon name
Excel Unattended Service Account               SP_Excel_USA
PerformancePoint Unattended Service Account    SP_PerfPoint_USA
Visio Graphics Unattended Service Account      SP_Visio_USA

Close Active Directory Users and Computers.


Exercise 2: Configuring Secure Store Services


In this exercise, you will configure Secure Store Services to store credentials that
can be used by service applications to access data.
The main tasks for this exercise are as follows:
1. Initialize an instance of a Secure Store Service application.
2. Create a target application for Excel Services.
3. Configure the Secure Store credentials for Excel Services.
4. Create a target application for Visio Graphics.
5. Configure the Secure Store credentials for Visio Graphics.

Task 1: Initialize an instance of a Secure Store Service application

In Central Administration, navigate to the Manage Service Applications
page, and then click the Secure Store Service link on the Secure Store Service
Application row.

Generate a new key with the pass phrase, 10174_SSS_2010.

Task 2: Create a target application for Excel Services

Create a target application with the following configuration:

Target Application ID: ExcelUnattendedSA

Display Name: Excel Unattended Service Account

Contact E-mail: sharepoint@contoso.com

Target Application Type: Group

Target Application Page URL: None

Target Application Administrators: CONTOSO\SP_Admin

Members: Domain Users


Task 3: Configure the Secure Store credentials for Excel Services

Set the credentials of the ExcelUnattendedSA application.

Enter the user name, CONTOSO\SP_Excel_USA, and the password, Pa$$w0rd.

Task 4: Create a target application for Visio Graphics

Create a target application with the following configuration:

Target Application ID: VisioUnattendedSA

Display Name: Visio Unattended Service Account

Contact E-mail: sharepoint@contoso.com

Target Application Type: Group

Target Application Page URL: None

Target Application Administrators: CONTOSO\SP_Admin

Members: Domain Users

Task 5: Configure the Secure Store credentials for Visio Graphics

Set the credentials of the VisioUnattendedSA application.

Enter the user name, CONTOSO\SP_Visio_USA, and the password, Pa$$w0rd.

Results: After completing this exercise, you should have fully configured the Secure
Store Service and created two target applications.


Exercise 3: Configuring Secure Store Unattended Accounts


In this exercise, you will configure three service applications to use credentials in
the Secure Store.
The main tasks for this exercise are as follows:
1. Configure Excel Services Secure Store account.
2. Configure PerformancePoint Secure Store account.
3. Configure Visio Graphics Secure Store account.

Task 1: Configure Excel Services Secure Store account

Configure the Excel Services Application global settings to use the
Application ID, ExcelUnattendedSA, to access external data.
Excel Services can now use the credentials in Secure Store to render
spreadsheets and connect to external data connections.

Task 2: Configure PerformancePoint Secure Store account

Configure the PerformancePoint Service Application settings so that the
Secure Store and unattended service account is the user name,
CONTOSO\SP_PerfPoint_USA, and the password, Pa$$w0rd.

Task 3: Configuring Visio Graphics Secure Store account

Configure the Visio Graphics Service global settings to use the application ID,
VisioUnattendedSA, to access external data.
Visio can now execute diagrams and data connection refreshes using the
unattended account.

Results: After completing this exercise, you should have configured Excel Services,
PerformancePoint and Visio to have an Unattended Secure Store account.


To prepare for the next module


When you finish the lab, reset the virtual machines back to their initial state. To do
this, complete the following steps:

On the host computer, start Microsoft Hyper-V Manager.

Right-click the virtual machine name in the Virtual Machines list, and then
click Revert.

In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. Why must you remove the <clear/> elements from the Web.config file?

2. If you are familiar with the configuration of forms-based authentication on
Microsoft Office SharePoint Server 2007, what is different about the number
and type of Web applications required to support forms-based authentication
in SharePoint Server 2010 in the client extranet scenario presented in this lab?

3. How would you describe the role of the Secure Store Service?


Module 6
Securing Content
Contents:
Lesson 1: Administering SharePoint Groups
Lesson 2: Implementing SharePoint Roles and Role Assignments
Lesson 3: Securing and Auditing SharePoint Content
Lab: Configuring Security for SharePoint Content


Module Overview

Many organizations must store sensitive or confidential information. Microsoft
SharePoint 2010 includes a complete set of security features. You can use these
features to ensure that users can access the information they need, can modify the
data they are responsible for, but cannot view or modify confidential information.
The SharePoint 2010 security model is highly flexible and adaptable to your
organization's needs.
In this module, you explore the objects you can use to authorize users in
SharePoint 2010, including users, groups, permissions, and roles. You also
experience the integration with Active Directory Domain Services (AD DS) users
and groups and set up and test an authorization scheme.


Lesson 1

Administering SharePoint Groups

In SharePoint 2010, you can grant permissions and roles directly to user accounts
in AD DS in addition to other identity providers. However, if you have more than a
small number of users, or if you plan to have more users in the future, you should
organize users into groups and grant those permissions and roles to the groups. By
using groups, you can manage large numbers of users in single operations and
help to ensure that permissions oversights do not occur. In this lesson, you learn
about SharePoint groups and AD DS groups, how they integrate together, and how
you should use them to organize your user accounts for authorization.
After completing this lesson, you will be able to:

Describe the SharePoint 2010 security model.

Implement security by using default groups.

Administer SharePoint custom groups.

Compare SharePoint groups with AD DS groups.


Implement security with AD DS groups.

Understand how to use SharePoint administrative groups.

Describe the user information list.


Overview of Site Security

In SharePoint 2010, there is a flexible model for organizing users and authorizing
them to access content. This consists of security principals, permission levels, and
securable objects such as lists or libraries.

Security Principals
A security principal is an object to which you can assign permissions. You can
organize user accounts into groups to ease administration. For example, if you
place all Sales staff into a single group, you can authorize them all to access the
Sales Team Site in a single operation by assigning permissions to the group.
Furthermore, when a new member of staff starts work you do not need to assign
that user permission individually. By placing the new member in the Sales group,
you implicitly grant the user permission to the Sales Team Site and all the other
resources to which you have granted the Sales group permission. By grouping
users in this way, you can significantly reduce administrative overhead.
In SharePoint 2010, you can create SharePoint groups to assign permissions and
permission levels. Alternatively, you may use AD DS groups that you already have
to secure access to computers and Microsoft Windows resources.


Permissions and Permission Levels


In SharePoint 2010, a permission grants a security principal the ability to perform
a certain operation. For example, you can use the following permissions:

View Items

Open Items

Edit Items

A permission level is a combination of permissions that grants a range of
operations that are commonly required. For example:

The Read permission level includes the View Items and Open Items
permissions but not the Edit Items permission.

The Full Control permission level includes all the permissions.

You can use the five permission levels included with SharePoint 2010 or create
your own by assembling a combination of permissions.

Securable Objects
A securable object is an object in the SharePoint hierarchy on which you can assign
permission levels for a user account or group. These include the following:

Sites

Lists

Libraries

Folders

Documents

Items

You can assign permission levels at a very granular level, right down to single items,
but consider that many permissions granted at low levels can make access
confusing for users and difficult to administer and troubleshoot. Instead, place
items with similar sensitivity in lists or libraries and assign permission levels on the
list or library.


Using Default Groups

SharePoint 2010 creates some SharePoint groups by default whenever you create a
new site. In many cases, these default groups may satisfy all your authorization
requirements and render custom groups unnecessary. Before you plan to create
extra groups, understand the membership and permission levels applied to the
default groups.

Common Default Groups


Some default groups are created no matter which site template you choose at site
creation. You can find these groups throughout your SharePoint organization in
different site collections and farms.

Visitors. This group is assigned the Read permission level that allows
members to view site contents, open items, and open documents but not make
any changes.

Members. This group is assigned the Contribute permission level that grants
all the permissions of the Read level and adds the ability to add, edit, and
delete items and documents.


Owners. This group is assigned the Full Control permission level that grants
all permissions to members. Owners can therefore assign permission levels,
change content, read content, and take other actions.

Default Groups Added by Site Templates


Some site templates add extra default groups to the site that reflect the roles users
take in that specific kind of site. For example, if you create a site based on the
Publishing Site template, you will notice the following default groups:

Viewers. Members can view pages, list items, and documents.

Approvers. Members can approve new and changed items for publishing.

Designers. Members can alter page designs in the browser and by using
SharePoint Designer.

Hierarchy Managers. Members can create and manage folders, lists, and
libraries.

Restricted Readers. Members can read items in certain parts of the site and
have limited access to specific lists.

Style Resource Readers. Members can read only master pages and the style
library.

Other site templates create different default groups.


Using Custom Groups

When default groups are not sufficient for your needs, you can choose to create
custom SharePoint groups. You should consider custom groups in the following
situations:

When you have more user roles in your site than you can model with the
default groups.

When you want to use names different from the default groups. For example,
in your organization those people who design sites may be referred to as
Interface Managers or some other name. In this case, rename the Designers
group to Interface Managers.

When you want to preserve a one-to-one relationship between SharePoint
groups and AD DS groups.


Permissions and Custom Groups


When you create a custom group you are prompted to assign a permission level to
it, but you can choose not to do this. These permission levels are applied at the site
level and propagate down to lower objects such as folders and items. If you do not
assign a permission level to a custom group at creation, you can use the custom group
to assign more granular permissions by setting them at list or item level.

Using Hierarchical Membership Management


In some cases, you might want to delegate group membership to users. For
example, where each site relates to a single project, the project manager may need
to grant team members access without involving an IT administrator. You can
model this situation by using a group, for example Project Managers, whose
membership is assigned by IT administrators. A second group, for example,
Project Members, is owned by the Project Managers group and they can assign
membership in it. Members of Project Members have the required permission level
to the site content.

Group Membership Visibility


For each SharePoint group, you can control whether the membership is visible to
other users who are not members. This can be useful in security-sensitive
situations in which it should not be generally known who has what level of access.


Group Management Comparison

AD DS has a rich and flexible set of features for grouping users, and in SharePoint,
you can assign permissions and permission levels directly to AD DS groups.
However, this approach limits some SharePoint capabilities. This topic compares
AD DS and SharePoint groups to help you understand when to use each.

AD DS Groups
AD DS groups are managed outside SharePoint. Therefore:

You must use Active Directory Users and Computers to set up membership;
this tool is designed for technically able IT personnel and other users may not
find it easy.

SharePoint cannot provision group membership. For example, the members of
the Site Managers group cannot assign members to the Site Members group if
it is stored in AD DS.

You centrally manage AD DS groups. If you want only one set of groups for all
systems in your organization, place them in AD DS.


SharePoint Groups
By contrast, the following points are true of SharePoint groups:

SharePoint has a membership user interface for SharePoint groups that is easy
for nontechnical authors to use and appears in the relevant site.

SharePoint can provision group membership. For example, a workflow can
add a member to a SharePoint group.

You can view SharePoint groups and users for a site in a single Web page.

You can use SharePoint groups only in SharePoint.


Using Active Directory Domain Services Groups

You can choose from several approaches for using groups in SharePoint.

Using AD DS Groups Without SharePoint Groups


In this approach, AD DS administrators set up groups and manage membership.
SharePoint administrators grant permissions directly to AD DS groups. If you use
this configuration, you must use AD DS in classic or claims-mode authentication
as the authentication provider for Web applications, and the AD DS groups
must be security groups, not distribution groups. The AD DS groups should also
be email-enabled so that SharePoint can send alerts.

Using SharePoint Groups Without AD DS Groups


Another approach is to place AD DS user accounts directly in SharePoint groups
without using AD DS groups. Again, this requires the AD DS authentication
provider. Full SharePoint functionality is preserved by this approach. For example,
each site to which you grant a user access automatically appears in that user's My
Sites list. However, when the number of users in a site is large, SharePoint groups
can soon become unmanageable.


Nesting AD DS Groups in SharePoint Groups


You can nest AD DS groups in SharePoint groups and grant permissions to
SharePoint groups. Members of the AD DS groups automatically inherit the access
granted. This approach is recommended as the most flexible and scalable.

Advantages

AD DS administrators remain in control of group membership and structure.

SharePoint administrators remain in control of SharePoint resources.

AD DS membership changes are automatically reflected in SharePoint access.
For example, if a user moves to another role, and AD DS administrators move
their account to another AD DS group, their access to SharePoint resources
changes automatically, without any action from SharePoint administrators.

Disadvantages

SharePoint administrators cannot see the individual members of a group in the
SharePoint user interface (UI). They must trust AD DS administrators to assign
membership correctly.

Sites to which you grant the group access do not automatically appear in My
Sites. However, the user can manually add them.

The User Information List does not show individual users until they have
contributed to the site.

AD DS groups with deep nesting or contacts as members can cause issues in
SharePoint.


Administrative Groups

SharePoint 2010 also has built-in groups for system administration, and Windows
administrators can configure SharePoint settings.

Note: In a small or medium-sized company, or in a larger organization with a single
administration team, a user may be a member of more than one of the following
groups.

Site Collection Administrators


When you create a SharePoint site collection, you must specify a security principal
(a user account or group) as primary Site Collection Administrators. Optionally,
you can also specify secondary Site Collection Administrators. Site Collection
Administrators have the following characteristics:

Have Full Control access to a site collection and all the sites in it.

Have access to all the content in a site collection. This overrides any
permissions assigned by site owners.


Can create and configure subsites.

Are the administrative contacts for the site collection.

Receive administrative alerts for the site collection.

Can configure permissions, permission levels, and SharePoint groups in the
site collection.

Can configure auditing in the site collection.

Can use all the tools under Site Collection Administration on the Site Settings
page at the site collection level.

You can also add new users or groups to the Site Collection Administrators after
the site collection has been created.

SharePoint Farm Administrators


When you create the SharePoint farm, that is, when the first server in the farm is
installed, you must specify a user or group to be Farm Administrators. A group is
recommended so that administration can be performed by more than one person,
but membership of this group should be carefully controlled. These administrators
have the following characteristics:

Are responsible for the configuration of the farm as a whole.

Have access to all settings in Central Administration.

Can create and configure site collections.

Can control which users can manage server and farm settings.

Have no access to site collections and their content by default.

Can take ownership of any site collection to get access to content if necessary.

Windows Administrators
Members of the local Administrators group on the SharePoint server also take a
role in SharePoint administration. A user account can be a direct member of this
group, such as the local Administrator account, or inherit membership from an
AD DS group, such as the Domain Admins group. Windows Administrators have
the following characteristics:

Can perform all the actions of a SharePoint Farm Administrator.

Can install new products and applications on the server, such as antivirus
packages.


Can deploy Web Parts and other custom components to the global assembly
cache (GAC).

Can create Web sites, Web applications, and control other Internet
Information Services (IIS) settings.

Can stop and start Windows Services on the SharePoint server.

Can run Stsadm.exe commands.


User Information List

For every site collection, SharePoint maintains a User Information List to store
details of current users and their activities. This differs from the People and Groups
list because the users it displays are dynamic. When SharePoint displays who last
modified a file, for example, it takes the information from the User Information
List.

People and Groups


In Site Settings, click People And Groups to view a list of user accounts and groups
that have been granted permissions on this site. This list is not dynamic; for
example, if you grant access to a group, the members receive authorization to the
site, but they are never displayed individually on this list.


User Information List


Like People and Groups, the User Information List also displays a list of user
accounts and groups that have been granted permissions on this site. However,
individual user accounts are added to this list in the following circumstances:

When their user account is granted access individually

When they contribute to the site content, for example, by adding or editing a
file

When they set up an alert to be notified about events in the site collection

Only Site Collection Administrators can view the User Information List. The list is
at the following location:
http://sharepointserver/sitecollection/_catalogs/users/simple.aspx.


Lesson 2

Implementing SharePoint Roles and Role Assignments

SharePoint permission levels are also referred to as roles. Now that you understand
how SharePoint uses user accounts, AD DS groups, and SharePoint groups, you
can study how to assign permissions and roles to those security principals.
After completing this lesson, you will be able to:

Plan for and enable anonymous access to SharePoint sites.

Assign permissions to lists and libraries.

Assign permissions to folders and items.

Understand permission inheritance in the SharePoint hierarchy.

Assign the Override Checkout permission to appropriate users.


Configuring Anonymous Access

In scenarios with sensitive data, anonymous access presents a security concern.
Therefore, it is disabled in SharePoint 2010 by default. However, in many scenarios
you need users to be able to access SharePoint Server anonymously. For example,
if you host your organization's Internet-facing Web site in SharePoint, most users
need anonymous access to the majority of the content. You can authenticate them
for access to certain parts of the site if you wish.
To enable anonymous access you must make two administrative changes.

Configuring Anonymous Access in Central Administration


Start your configuration by enabling anonymous access on the Web application
that hosts your site.
1. Start Central Administration.
2. Click Manage Web Applications.
3. Click the Web application that you want to configure.
4. On the ribbon, click Authentication Providers.
5. Click the zone you wish to configure.
6. Select Enable anonymous access.
7. Click Save.

Configuring Anonymous Access in Site Settings


Complete your configuration by enabling anonymous access for the site collection.
1. Navigate to the top-level site of the site collection.
2. Click Site Actions, and then click Site Settings.
3. Click Site Permissions.
4. On the ribbon, click Anonymous Access.
5. Select the level of access you want to grant to anonymous users, and then
   click OK.

Note: The Anonymous Access button on the ribbon is disabled until you have
configured anonymous access in Central Administration.
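
Because anonymous access depends on both changes, a review has to look at both levels. The following PowerShell is an added example, not part of the course material; it assumes the SharePoint 2010 Management Shell and a farm administrator account, and the function name is hypothetical. It lists every site and list that anonymous users can actually reach.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-AnonymousAccessReport {
    $zones = [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])
    foreach ($wa in Get-SPWebApplication) {
        # Change 1 (Central Administration): zones whose authentication
        # provider has "Enable anonymous access" selected.
        $openZones = @($zones | Where-Object {
            $wa.IisSettings.ContainsKey($_) -and $wa.IisSettings[$_].AllowAnonymous
        })
        # Without change 1 the Anonymous Access button is disabled, so no
        # site in this Web application can be open to anonymous users.
        if ($openZones.Count -eq 0) { continue }

        foreach ($site in Get-SPSite -WebApplication $wa -Limit All) {
            try {
                foreach ($web in $site.AllWebs) {
                    try {
                        # Change 2 (Site Settings). AnonymousState is Disabled,
                        # Enabled (lists and libraries) or On (entire Web site).
                        $state = $web.AnonymousState.ToString()
                        if ($state -eq 'Disabled') { continue }

                        New-Object PSObject -Property @{
                            WebApplication = $wa.DisplayName
                            Zones          = ($openZones -join ', ')
                            Url            = $web.Url
                            Scope          = 'Site'
                            Anonymous      = $state
                        }

                        # Lists that grant anonymous users any permission.
                        foreach ($list in $web.Lists) {
                            $mask = $list.AnonymousPermMask64.ToString()
                            if ($mask -ne 'EmptyMask') {
                                New-Object PSObject -Property @{
                                    WebApplication = $wa.DisplayName
                                    Zones          = ($openZones -join ', ')
                                    Url            = $web.Url + '/' + $list.RootFolder.Url
                                    Scope          = 'List'
                                    Anonymous      = $mask
                                }
                            }
                        }
                    } finally { $web.Dispose() }
                }
            } finally { $site.Dispose() }
        }
    }
}

Get-AnonymousAccessReport |
    Sort-Object WebApplication, Url |
    Format-Table WebApplication, Zones, Scope, Url, Anonymous -AutoSize
```

An empty result means no site has completed both changes; any row for an intranet Web application is worth comparing against the sites you intended to publish.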


Site, List, and Library Security

In many cases, with careful planning and good use of permission levels at the site
collection level, you can avoid assigning permissions to users at the site, list, or
library levels. Such a permissions scheme is easy for users to understand because
the level of access they receive is consistent throughout a site collection. It also
eases troubleshooting because administrators have a single location where all
permissions are assigned. However, in other cases, you may have to assign more
granular permissions at the site, list, or library levels.

Site-Level Permissions
When you create a new site, permissions are inherited by default from the parent
site and you cannot set extra permissions on the site. However, if you wish not to
use this inheritance model, click More Options in the Create dialog. Then, under
User Permissions, click Use Unique Permissions. You can also break inheritance at
any subsequent time on the Site Permissions page for a subsite by clicking Stop
Inheriting Permissions on the ribbon.
When you break permissions inheritance in this way, the initial permissions for the
site are those that would have been inherited from the parent. However, you can
now remove these or configure additional permissions.


List and Library Permissions


As for sites, permissions on lists and libraries are inherited from the parent site,
and, by default, you cannot modify them. However, you can break inheritance
either when you create the list or library or at any later time. This enables you to
remove or add permissions independently of permissions on the site.

Note: For site, list, and library permissions, if you choose to break inheritance, you
can later reestablish permissions inheritance and remove any customized
permissions you applied.

The Check Permissions Tool


When you view a Site Permissions or List Permission page, the Check Permissions
tool is displayed on the ribbon. With this tool, you can check the effective
permissions for a user account, and it is useful when users complain of
permissions that are too restrictive or when you suspect that a user has too much
access.
When you click Check Permissions, a dialog prompts you to enter a user name.
When you click Check Now, all the permissions that apply to the user account at
different levels are displayed. You can easily see the effective permissions in a
single view and diagnose problems.


Folder and Item Security

You can also control permissions at the level of individual items, documents, and
folders.

Inheritance
Permissions on items, documents, and folders are inherited from the parent by
default. You should maintain inheritance whenever possible as a best practice for
the following reasons:

Users can easily understand their level of access because it is consistent
throughout the site.

You can manage permissions more easily because they are set at a single level
in the hierarchy.

You can maximize performance because multiple levels of permissions need
not be evaluated.


However, when required, you can break inheritance on folders and items. If you
break inheritance, you can remove inherited permissions and configure additional
permissions to create an entirely independent level of access. Subsequently, you
can reestablish inheritance if your requirements change.
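
Every place where inheritance is broken is a separate scope that has to be reviewed on its own. The following PowerShell is an added example, not part of the course material; it assumes the SharePoint 2010 Management Shell, uses the lab's IT site collection URL as sample input, and its function names are hypothetical. It inventories the sites, lists, folders, and items in a site collection that have unique permissions, together with who holds which permission level on each.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Format-RoleAssignment($securable) {
    # Render "principal=level+level; ..." for one site, list, folder or item.
    $parts = foreach ($ra in $securable.RoleAssignments) {
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join '+'
        "{0}={1}" -f $ra.Member.Name, $levels
    }
    return (@($parts) -join '; ')
}

function New-ScopeRecord($kind, $url, $securable) {
    New-Object PSObject -Property @{
        Kind        = $kind
        Url         = $url
        Assignments = (Format-RoleAssignment $securable)
    }
}

function Get-UniquePermissionScope {
    param([Parameter(Mandatory = $true)][string]$SiteUrl)

    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # The top-level site always has its own permissions; a
                # subsite appears here only after Stop Inheriting Permissions.
                if ($web.HasUniqueRoleAssignments) {
                    New-ScopeRecord 'Site' $web.Url $web
                }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }
                    if ($list.HasUniqueRoleAssignments) {
                        New-ScopeRecord 'List' ($web.Url + '/' + $list.RootFolder.Url) $list
                    }

                    # Walk folders and items in pages so that large
                    # libraries are not loaded into memory at once.
                    $query = New-Object Microsoft.SharePoint.SPQuery
                    $query.ViewAttributes = 'Scope="RecursiveAll"'
                    $query.RowLimit = 1000
                    do {
                        $items = $list.GetItems($query)
                        foreach ($item in $items) {
                            if ($item.HasUniqueRoleAssignments) {
                                $kind = $item.FileSystemObjectType.ToString()   # File or Folder
                                New-ScopeRecord $kind ($web.Url + '/' + $item.Url) $item
                            }
                        }
                        $query.ListItemCollectionPosition = $items.ListItemCollectionPosition
                    } while ($query.ListItemCollectionPosition -ne $null)
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Sample input: the IT site collection used in this module's lab.
Get-UniquePermissionScope -SiteUrl 'http://intranet.contoso.com/sites/IT' |
    Format-Table Kind, Url, Assignments -AutoSize -Wrap
```

Rows of kind Folder or File are the ones that the Site Permissions page does not show; use Check Permissions on those objects when a user reports unexpected access.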

Indexing and Item Permissions


SharePoint 2010 includes advanced search and indexing functionality that is
useful in all deployment scenarios. When the SharePoint crawler indexes an
item, document, or other content, it stores the permissions in the search service
properties database; it does this so that permissions can be evaluated when users
run searches. Any items to which the user does not have Read access are removed
from the results and security is maintained.
However, when the crawler indexes an ASPX page, security issues may arise. This
is because the page is run in the security context of the search user account. Web
Parts and other user interface components display all the items and resources the
search account has access to, and the search account usually has Read access to all
resources.
When users run searches, because they have permission to read the ASPX page, the
result is returned to them. However, the page title or summary may include text
about resources to which they do not have permission because the crawler does
have permission.
For this reason, the Search service in SharePoint is configured not to crawl ASPX
pages by default. If you wish to enable this functionality and have considered the
security implications fully, you can do so by clicking Site Settings, Search And
Offline Availability, and then configuring Indexing ASPX Page Content.


Permission Levels

SharePoint 2010 eases the administration of authorization by providing
permission levels. You can define permission levels at the site collection level. Each
permission level consists of a set of individual permissions that apply to items,
sites, and other objects. These permissions are inherited by objects in the site
collection. When users access SharePoint resources, the permissions they receive
are determined by the permission level assigned to their user account or groups.

Default Permission Levels


You can examine the permission levels that exist in a site collection on the site
permission page:
1. Click Site Actions, and then click Site Permissions.
2. On the ribbon, click Permission Levels.
3. Click a permission level to examine the individual permissions that it includes.


Some permission levels, such as Read and Full Control, exist by default in every
site collection. Other default permission levels are added by certain site templates.
For example, when you create a site using the publishing template, the Approve
and Manage Hierarchy permission levels are added.
The Read permission level, for example, consists of the following permissions:

List Permissions

View Items

Open Items

View Versions

Create Alerts

View Application Pages

Site Permissions

View Pages

Browse User Information

Use Remote Interfaces

Use Client Integration Features

Open

Creating and Customizing Permission Levels


Site collection administrators can customize the default permission levels to create
the appropriate level of access. You can use the following methods to do this:

By customizing the default site permissions. This is not recommended as a
best practice.

By copying default site permissions and customizing the copy.

By creating new permission levels from scratch.


It is a recommended best practice to define permission levels and allow inheritance
to determine access to resources instead of applying permissions at lower levels. By
using permission levels in this way you ensure that the following occur:

Administrators can troubleshoot permissions rapidly without having to
investigate permissions at multiple levels.

Users understand their level of access because it is consistent throughout sites.

Performance is maximized because multiple levels of permissions need not be
evaluated for every access.


Override Check Out Permission

In SharePoint sites that use version control, users must check out documents and
other items before they can make changes. While the document is checked out,
other users cannot make changes; this ensures that proper version control is
maintained so that no two users can simultaneously make changes to the same
document, thereby overriding one another's edits.
Sometimes, however, a user forgets to check a document back in. If this happens,
other users cannot be productive until the check-out is removed. To prevent
productivity barriers like this, you should ensure that you grant users the Override
Check Out permission.

Override Check Out Permission


With the Override Check Out permission, a user can check a document back in or
discard the check-out even if another user checked the document out. In this way,
you can remove the barrier to productivity even if the user who checked out the
document is unavailable.


Overriding a check-out is usually a last resort because it can result in lost changes.
Consider the situation where a user has checked out a document and taken a
vacation:

If the user saved the document to SharePoint but forgot to check the
document in, you can check it in and no changes are lost.

If the user saved some changes to SharePoint but did not upload the last
version, you can check the document in and lose the latest changes.

If the user uploaded no changes and instead changed the local copy, you can
check the document in or discard the check-out and lose all the changes.

Override Check Out Permission and Permission Levels


The Override Check Out permission is included by default in the Full Control
permission level usually granted to site collection administrators. However, this
may not be the most appropriate arrangement. For example, in a project site,
project managers may need this permission because they manage the content the
team develops. Therefore, consider who has this permission carefully whenever
version control is in place. You should ensure that you do the following:

Grant the powerful Override Check Out permission to only a restricted set of
users.

Explain the implications of overriding check-out to those users and provide
guidance on how to use this feature.

Ensure that there is always at least one person available to override check-outs.

You should consider creating a new permission level that includes only the
Override Check Out permission so that you can carefully manage the assignment
separately from other permissions. A separate permission also reduces the chance
that you accidentally grant Override Check Out to users who should not have it.
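
To review who currently holds Override Check Out, you can enumerate the permission levels that include it and the principals bound to those levels. The following PowerShell is an added example, not part of the course material; it assumes the SharePoint 2010 Management Shell, uses the lab's IT site collection URL as sample input, and its function names are hypothetical. In the object model the permission is named CancelCheckout.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-HasPermission($mask, [string]$name) {
    # SPBasePermissions is a 64-bit flags enumeration. The flag names are
    # compared as text so that the test does not depend on 64-bit bitwise
    # operators in the shell. FullMask (Full Control) implies every flag.
    $names = $mask.ToString() -split ',\s*'
    return ($names -contains $name) -or ($names -contains 'FullMask')
}

function Get-OverrideCheckOutHolder {
    param([Parameter(Mandatory = $true)][string]$SiteUrl)

    $site = Get-SPSite $SiteUrl
    try {
        # Site Collection Administrators hold every permission without
        # appearing in any role assignment.
        foreach ($admin in $site.RootWeb.SiteAdministrators) {
            New-Object PSObject -Property @{
                Web = $site.Url; Levels = '(Site Collection Administrator)'
                GrantedVia = 'Site Collection Administrators'
                Account = $admin.LoginName; IsADGroup = $admin.IsDomainGroup
            }
        }

        foreach ($web in $site.AllWebs) {
            try {
                # A site that inherits is already covered by its parent.
                if (-not $web.HasUniqueRoleAssignments) { continue }

                foreach ($ra in $web.RoleAssignments) {
                    $levels = @($ra.RoleDefinitionBindings |
                        Where-Object { Test-HasPermission $_.BasePermissions 'CancelCheckout' } |
                        ForEach-Object { $_.Name })
                    if ($levels.Count -eq 0) { continue }

                    # Expand SharePoint groups to their members. Nested
                    # AD DS groups cannot be expanded from SharePoint and
                    # are flagged so that they can be checked in AD DS.
                    $member = $ra.Member
                    if ($member -is [Microsoft.SharePoint.SPGroup]) {
                        $users = @($member.Users)
                    } else {
                        $users = @($member)
                    }
                    foreach ($user in $users) {
                        New-Object PSObject -Property @{
                            Web = $web.Url; Levels = ($levels -join ', ')
                            GrantedVia = $member.Name
                            Account = $user.LoginName; IsADGroup = $user.IsDomainGroup
                        }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Sample input: the IT site collection used in this module's lab.
Get-OverrideCheckOutHolder -SiteUrl 'http://intranet.contoso.com/sites/IT' |
    Sort-Object Web, Account |
    Format-Table Web, Account, IsADGroup, GrantedVia, Levels -AutoSize
```

The report covers assignments made at site level; lists, folders, and items with unique permissions carry their own assignments and need the same check.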


Lesson 3

Securing and Auditing SharePoint Content

SharePoint also provides a range of settings at the Web application level; as a
farm administrator, you can use these to impose restrictions on site collection
administrators and set policies that govern users, anonymous access, and
permissions. You can also set up auditing to record user actions and ensure that
you can always determine who made a particular change.
After completing this lesson, you will be able to:

Set up user policies for a Web application.

Manage permissions that are available in a Web application.

Configure auditing for a site collection.


Web Application Security

In the SharePoint Central Administration site, when you manage a Web
application, you can set a range of security options. These settings determine, for
example, default permission levels that appear in every site collection in the Web
application. Farm administrators can use Web application security settings to
restrict the capabilities of site collection administrators.

User Policy
With user policies, you can grant user accounts or groups permission levels that
apply to all site collections in the Web application. These policies override any
permissions set at lower levels by site collection administrators.
To configure a user policy, first select the Web application you wish to administer,
and then click User Policy. When you add a policy you can select the zone to
which it applies. In this way, you can apply a different policy to a user depending
on the authentication mechanism the user used to connect.


Anonymous Policy
The anonymous policy for a Web application restricts what anonymous users can
do. You can use anonymous policies to deny users Write access or prevent any
access at all. As for user policies, you can apply different anonymous policies to
users depending on the zone through which they connect.

Permission Policy
In the permission policy for a Web application, you can create permission levels
just as you do in site collections. The permission levels in the Web application
policy appear as default permission levels for all site collections in that application.
Also, these permission levels are those selectable in the user policy.

Note: Site templates may add extra default permissions to sites as you create them.


Managing Web Application Permissions

You can also restrict the permissions that are available in the site collections in a
Web application. This is an unusual step, but you might find it useful when you
need to place boundaries on user actions throughout a site collection.

Web Application User Permissions


In Central Administration, click Manage Web Applications, and then select the
Web application you want to configure. On the ribbon, click the Web Application
User Permissions button.
The User Permissions For Web Application dialog appears and displays all the
permissions available for lists, sites, and personalization. If you wish to prevent any
user in the Web application from performing an action, you can remove the
corresponding permission from this list, and then click Save.
When you remove a permission in this way it is no longer available to add to
permission levels or to apply to sites, lists, or items anywhere in the site collections
in that Web application.


Configuring Auditing

You can use auditing to create a record of the actions of users. Use this record to
examine who is doing what in your SharePoint farm. By examining audit reports
regularly, you can be confident that permissions are appropriate, users are viewing
information appropriate to their role, and sensitive documents are not being seen
by unauthorized personnel. Auditing is thus essential for good security.

Configuring SharePoint Auditing


In SharePoint 2010, auditing is configured at the site collection level:
1. In a site collection top-level site, click Site Settings.
2. Under Site Collection Administration, click Site collection audit settings.

With the Audit Log Trimming settings, you can ensure that audit logs are stored
for a limited time and so do not consume large amounts of disk space. Specify the
number of days to keep audit logs and a location to store audit log reports.


Viewing Audit Reports


After auditing is configured and running, you should examine audit logs regularly
to spot unauthorized or inappropriate access.
1. In a site collection top-level site, click Site Settings.
2. Under Site Collection Administration, click Audit log reports.

A large range of audit reports is available to display different events in your site
collection, and you can also create custom reports. Only site collection
administrators can view audit reports.
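
The same settings and the audit log itself are also reachable from the server object model, which helps when many site collections need identical settings or a recurring review. The following PowerShell is an added example, not part of the course material; it assumes the SharePoint 2010 Management Shell, uses the lab's IT site collection URL as sample input, and its function names, the audited event selection, and the 90-day retention are constructed for illustration.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Enable-SiteCollectionAudit {
    param(
        [Parameter(Mandatory = $true)][string]$SiteUrl,
        # Constructed defaults: permission changes, views, and deletions.
        [string]$Events = 'SecurityChange, View, Delete',
        [int]$RetentionDays = 90
    )
    $site = Get-SPSite $SiteUrl
    try {
        # Same choices as the Site collection audit settings page.
        $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]$Events
        $site.Audit.Update()

        # Audit Log Trimming: keep entries for a limited number of days.
        $site.TrimAuditLog = $true
        $site.AuditLogTrimmingRetention = $RetentionDays
    } finally { $site.Dispose() }
}

function Get-PermissionChangeAudit {
    param(
        [Parameter(Mandatory = $true)][string]$SiteUrl,
        [int]$Days = 7
    )
    # Audit events recorded when groups, permission levels, role
    # assignments, or inheritance are changed.
    $eventNames = 'SecGroupCreate', 'SecGroupDelete', 'SecGroupMemberAdd',
                  'SecGroupMemberDel', 'SecRoleDefCreate', 'SecRoleDefModify',
                  'SecRoleDefDelete', 'SecRoleBindUpdate',
                  'SecRoleBindBreakInherit', 'SecRoleBindInherit'

    $site = Get-SPSite $SiteUrl
    try {
        $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
        # Audit entries are time-stamped in UTC.
        $query.SetRangeStart((Get-Date).AddDays(-$Days).ToUniversalTime())
        foreach ($name in $eventNames) {
            $query.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]$name)
        }

        foreach ($entry in $site.Audit.GetEntries($query)) {
            # Resolve the acting user; the account may since have been
            # removed from the site collection.
            try   { $who = $site.RootWeb.SiteUsers.GetByID($entry.UserId).LoginName }
            catch { $who = "user id $($entry.UserId)" }

            New-Object PSObject -Property @{
                OccurredUtc = $entry.Occurred
                Event       = $entry.Event.ToString()
                User        = $who
                Location    = $entry.DocLocation
                Data        = $entry.EventData
            }
        }
    } finally { $site.Dispose() }
}

# Sample input: the IT site collection used in this module's lab.
Enable-SiteCollectionAudit -SiteUrl 'http://intranet.contoso.com/sites/IT'
Get-PermissionChangeAudit -SiteUrl 'http://intranet.contoso.com/sites/IT' -Days 7 |
    Sort-Object OccurredUtc |
    Format-Table OccurredUtc, Event, User, Location -AutoSize
```

Only events that occur after auditing is enabled are recorded, so the query returns nothing for a period before the flags were set.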


Information Rights Management

Permissions and permission levels provide administrators with a secure and
flexible system of authorization on the server. However, they do not restrict the
actions a user can take on a document after download to the client computer or
another location. For example, by granting Read Items permission only, you can
ensure that users cannot make changes to the copy of a document on the server.
However, users could download that document and make changes to their local
copy. Information Rights Management (IRM) can prevent such actions regardless
of the location where a document is stored.
When you enable and configure IRM on a SharePoint list, SharePoint encrypts
each document and adds an IRM license to it before it serves the document to a
user. The license lists the permitted actions.


SharePoint Permissions and IRM Permissions


The IRM permissions that are included in the license map to the SharePoint
permissions on the document in the library. In the following table, you can see
how SharePoint assigns these permissions.
| SharePoint Permissions | IRM Permissions |
|---|---|
| Manage Permissions, Manage Web | Full control of the documents, as defined by the client application. This generally permits the user to read, edit, copy, save, and modify permissions of the document. |
| Edit List Items, Manage List, Add and Customize Pages | Edit, copy, and save permissions. The user can print the document only if the document library IRM settings are configured to allow document printing. |
| View List Item | Read permissions. The user can read the document but not copy or edit its content. The user can print the document only if the document library IRM settings are configured to allow document printing. |
| All other SharePoint permissions, such as Edit User Info | Not applicable; no corresponding IRM permissions. |

Active Directory Rights Management Services


Before you can use IRM in SharePoint lists and libraries you must set up the Active
Directory Rights Management Services in your organization. To do this, install the
Active Directory Rights Management Services (AD RMS) server role in Server
Manager. You can configure a single AD RMS server to handle all requests.
However, it is recommended that you install several servers in a load-balanced
configuration to enable greater scalability and stability.

Configuring IRM in SharePoint


When AD RMS is available to SharePoint servers, you can enable and
configure IRM for your SharePoint lists and libraries. To do this, complete the
following steps:
1. In the browser, open the list or library you want to secure.
2. On the ribbon, click the Library tab.
3. On the ribbon, click Settings, and then click Library Settings.
4. In the Permissions and Management section, click Information Rights
   Management.
5. On the Information Rights Management Settings page, select the Restrict
   permission to documents in this library on download check box to apply
   restricted permission to documents that are downloaded from this list or
   library, and then click OK.


Lab: Configuring Security for SharePoint Content

Scenario
You have created an intranet on a new SharePoint 2010 farm at Contoso, Ltd.
You have been tasked with helping set up users, groups, and permissions on the
intranet until governance and training are in place, at which point permission
management will be delegated to site collection administrators. Additionally, you
must configure SharePoint to support the business requirement that the internal
security and compliance audit team has the ability to access all information stored
on the intranet.

Log on to the virtual machine for this lab

1. Start 10174A-CONTOSO-DC-D.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.


Exercise 1: Managing SharePoint Groups


The IT site collection must be secured so that users in the IT department can make
changes and users from other departments can view but not modify content.
Additionally, you have been asked to add a group to each team site that assigns the
Design permission level to its members.
The main tasks for this exercise are as follows:
1. Add a user to a site's Members group.
2. Verify that the member can sign in.
3. Add a user to a site's Visitors group.
4. Verify that the visitor can sign in.
5. Create a new group and assign it the Design permission level.

Task 1: Add a user to a site's Members group

Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password
Pa$$w0rd.

Open Windows Internet Explorer, and then browse to
http://intranet.contoso.com/sites/IT.

Add the user CONTOSO\SanjayS to the site, assigning him to the
Information Technology Members [Contribute] group.
You have now added Sanjay Shah, the Contoso chief technology officer (CTO),
as a contributor to the IT intranet Web, which gives him Read and Write
permissions.

Task 2: Verify that the member can sign in

Browse to http://intranet.contoso.com/sites/IT. Sign in to the site as
CONTOSO\SanjayS with the password Pa$$w0rd. Add a new task to the
Tasks list titled Select SharePoint Governance Team.


Task 3: Add a user to a site's Visitors group

Sign in to the site as CONTOSO\SP_Admin with the password Pa$$w0rd.

Observe the membership of the Information Technology Dept Visitors
group, and then add the user CONTOSO\JeffL to the group.
You have now added Jeff Low, the Contoso vice president of finance, as a
visitor to the IT intranet Web, which gives him Read permission.

Task 4: Verify that the visitor can sign in

Browse to http://intranet.contoso.com/sites/IT. Sign in to the site as
CONTOSO\JeffL with the password Pa$$w0rd. Verify that you do not see the
Add new item link in the Tasks list.

Task 5: Create a new group and assign it the Design permission level

Sign in to the site as CONTOSO\SP_Admin with the password Pa$$w0rd.

Create a new group named Information Technology Dept Designers, and
give it the Design permission level. Configure the group's description to read
as follows: Use this group to grant people Design permissions to the
SharePoint site: Information Technology Dept.

Results: After this exercise, you should have added users to the Members and
Visitors groups and created a new SharePoint group.


Exercise 2: Creating Custom Permission Levels


Lola Jacobsen has been tasked with monitoring the usage of the IT Web and all
other intranet Webs. You must configure the least privilege permissions required
for her to access the out of the box Web Analytics reports. You want to implement
best practice, role-based management, so you will create a group with which to
assign her the required permissions.
The main tasks for this exercise are as follows:
1. Create a custom permission level to allow viewing Web analytics reports.
2. Attempt to view Web analytics reports.
3. Add a permission to the custom permission level.
4. Validate the functionality of the custom permission level.

Task 1: Create a custom permission level to allow viewing Web analytics reports

Create a custom permission level named View Usage with the description Can
see only usage data about this site. Assign the View Web Analytics Data
permission. Additional permissions will be selected automatically.

Create a group named Usage Monitors with the description Use this group to
grant people permission to view Web Analytics data for the SharePoint
site: Information Technology Dept. Assign the group the View Usage
permission level.

Add the user CONTOSO\LolaJ to the group.

Task 2: Attempt to view Web analytics reports

Browse to http://intranet.contoso.com/sites/IT, and then sign in as
CONTOSO\LolaJ with the password Pa$$w0rd. You will be denied access.
Browse to the usage reports page
http://intranet.contoso.com/sites/it/_layouts/usageDetails.aspx. Again, you
will be denied access because, although you have permission to access Web
analytics data, you do not yet have permission to view the default
application pages that present that data.


Task 3: Add a permission to the custom permission level

Sign in to the IT site as CONTOSO\SP_Admin with the password Pa$$w0rd.
Edit the View Usage permission level, adding the View Application Pages
permission.

Task 4: Validate the functionality of the custom permission level

Browse to http://intranet.contoso.com/sites/IT, and then sign in as
CONTOSO\LolaJ with the password Pa$$w0rd. You will be denied access.
Browse to the site settings page,
http://intranet.contoso.com/sites/it/_layouts/settings.aspx. Examine the
Site Web Analytics reports and the Site Collection Web Analytics reports.

Results: After this exercise, you should have created a new custom permission level
assigned to a custom group that gives users the ability to view Web Analytics
reports.


Exercise 3: Managing Permissions and Inheritance


You want to create a folder in which Lola Jacobsen can save usage reports she
generates. Because Lola is not in the IT department itself, she should not have
Contribute permission to the entire IT Web. In this exercise, you manage
permissions and experience the behavior of the security-trimmed SharePoint
interface.
The main tasks for this exercise are as follows:
1. Add a document and a folder to a library.
2. Assign permissions to a folder.
3. Verify the behavior of SharePoint permissions.

 Task 1: Add a document and a folder to a library

Browse to http://intranet.contoso.com/sites/IT. Sign in to the site as
CONTOSO\SP_Admin with the password Pa$$w0rd.

Open the Shared Documents document library. Upload the document
D:\Labfiles\LAB06\IT Policies and Procedures for SharePoint 2010.

Create a new folder in the document library named Usage Reports.

 Task 2: Assign permissions to a folder

Configure permissions on the Usage Reports folder so that the only
permission on the folder is one that gives CONTOSO\LolaJ the Full Control
permission level.


 Task 3: Verify the behavior of SharePoint permissions

Browse to http://intranet.contoso.com/sites/IT. Sign in to the site as
CONTOSO\LolaJ with the password Pa$$w0rd. You will be denied access
because LolaJ does not have permission to the home page. Browse to the URL
of the Shared Documents document library. You are able to see the Usage
Reports folder but not the policies document.

Close all open Internet Explorer windows.

Results: After this exercise, you should have configured a list and list item with
custom permissions.
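The permission state that Tasks 2 and 3 produce can also be checked from the SharePoint 2010 Management Shell. The following script is an added example, not part of the course lab: it lists every folder and document in a library that no longer inherits permissions, with the principals and permission levels on each. The site URL and library name are the ones used in this exercise; the function name is hypothetical.

```powershell
# Added example, not part of the course lab. Run in the SharePoint 2010
# Management Shell with an account that can read the site's permissions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-UniquePermissionReport {
    param(
        [string]$WebUrl   = 'http://intranet.contoso.com/sites/IT',  # site from the lab
        [string]$ListName = 'Shared Documents'                        # library from the lab
    )
    $web = Get-SPWeb -Identity $WebUrl
    try {
        # TryGetList returns $null instead of throwing when the list is missing.
        $list = $web.Lists.TryGetList($ListName)
        if ($list -eq $null) { throw "List '$ListName' not found in $WebUrl" }

        # Folders and documents are exposed as separate collections on SPList.
        $entries = @($list.Folders) + @($list.Items)
        foreach ($item in $entries) {
            # Items that still inherit from the library are not interesting here.
            if (-not $item.HasUniqueRoleAssignments) { continue }

            foreach ($assignment in $item.RoleAssignments) {
                $levels = @($assignment.RoleDefinitionBindings |
                            ForEach-Object { $_.Name })
                New-Object PSObject -Property @{
                    Url       = $item.Url
                    Principal = $assignment.Member.Name   # display name of user or group
                    Levels    = ($levels -join ', ')
                }
            }
        }
    }
    finally {
        $web.Dispose()
    }
}

Get-UniquePermissionReport |
    Sort-Object Url, Principal |
    Format-Table Url, Principal, Levels -AutoSize
```

If Task 2 was completed as written, the report contains only the Usage Reports folder, with a single principal at Full Control. Any additional row is a permission that the task said should not be there.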


Exercise 4: Creating a Web Application Policy


The SharePoint governance plan at Contoso specifies that a group of internal
auditors will have the ability to view all content to ensure compliance with
information security and information management policies. This group will have
Read access to content. Additionally, a group must have the ability to access all
content with Full Control permission in the event that noncompliant content must
be removed, but the group with this level of access will not include any user
accounts unless and until action must be taken. Finally, the environment must
support the ability to deny one or more users access to SharePoint, in the event of a
security incident.
The main tasks for this exercise are as follows:
1. Add a user to a group.
2. Create groups.
3. Create a Read Web application policy.
4. Create a Full Control Web application policy.
5. Create a deny Web application policy.
6. Verify the behavior of SharePoint Web application policies.

 Task 1: Add a user to a group

On SP2010-WFE1, start Active Directory Users and Computers with the Run
as different user option. Enter the user name CONTOSO\Administrator and
the password Pa$$w0rd.

Open the Users container. Create a new group named SharePoint Content
Auditors. Add CONTOSO\JimD to the SharePoint Content Auditors group.

 Task 2: Create groups

Create a group named SharePoint Full Control Policy.

Create a group named SharePoint Deny Policy, and then close Active
Directory Users and Computers.


 Task 3: Create a Read Web application policy

Open Central Administration.

In the User Policy for the intranet Web application, add a user policy that
gives CONTOSO\SharePoint Content Auditors the ability to read all content
from all zones.

 Task 4: Create a Full Control Web application policy

Add a user policy that gives CONTOSO\SharePoint Full Control Policy full
control of all content from all zones.

 Task 5: Create a Deny Web application policy

Add a user policy that denies CONTOSO\SharePoint Deny Policy any access
from all zones.

 Task 6: Verify the behavior of SharePoint Web application policies

Browse to http://intranet.contoso.com/sites/IT. Sign in to the site as
CONTOSO\JimD with the password Pa$$w0rd. Verify that you do not see
the Add new item link in the Tasks list.
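The three policies from Tasks 3 to 5 can also be created and then audited from the SharePoint 2010 Management Shell. The script below is an added example, not part of the course lab; it assumes the intranet Web application is at http://intranet.contoso.com and uses classic-mode (Windows) authentication, and its function names are hypothetical. It also checks the governance requirement that the Full Control policy group stays empty until it is needed.

```powershell
# Added example, not part of the course lab. Run in the SharePoint 2010
# Management Shell as a farm administrator.
# Assumptions: Web application URL below; classic-mode authentication, so
# account names are stored as DOMAIN\name rather than as claims.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = 'http://intranet.contoso.com'

# Policies from Tasks 3 to 5: group -> SPPolicyRoleType value.
$wanted = @{
    'CONTOSO\SharePoint Content Auditors'    = 'FullRead'
    'CONTOSO\SharePoint Full Control Policy' = 'FullControl'
    'CONTOSO\SharePoint Deny Policy'         = 'DenyAll'
}

function Set-LabWebAppPolicies {
    param($WebApp, [hashtable]$Wanted)
    foreach ($account in $Wanted.Keys) {
        $type = [Microsoft.SharePoint.Administration.SPPolicyRoleType]$Wanted[$account]
        $role = $WebApp.PolicyRoles.GetSpecialRole($type)

        # $WebApp.Policies is the collection that applies to all zones.
        $policy = $WebApp.Policies | Where-Object { $_.UserName -eq $account }
        if (-not $policy) {
            $policy = $WebApp.Policies.Add($account, ($account -split '\\')[-1])
        }
        $bound = @($policy.PolicyRoleBindings | Where-Object { $_.Type -eq $type })
        if ($bound.Count -eq 0) { $policy.PolicyRoleBindings.Add($role) }
    }
    $WebApp.Update()
}

function Get-WebAppPolicyReport {
    param($WebApp)
    # All-zones policies plus the per-zone policies of every extended zone.
    $collections = @{ 'All zones' = $WebApp.Policies }
    foreach ($zone in $WebApp.IisSettings.Keys) {
        $collections["$zone zone"] = $WebApp.ZonePolicies($zone)
    }
    foreach ($scope in $collections.Keys) {
        foreach ($policy in $collections[$scope]) {
            foreach ($role in $policy.PolicyRoleBindings) {
                New-Object PSObject -Property @{
                    Scope   = $scope
                    Account = $policy.UserName
                    Role    = $role.Name
                }
            }
        }
    }
}

function Get-DomainGroupMemberNames {
    param([string]$Account)   # DOMAIN\GroupName
    $domain, $name = $Account -split '\\', 2
    $group = [ADSI]"WinNT://$domain/$name,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$wa = Get-SPWebApplication -Identity $webAppUrl
Set-LabWebAppPolicies -WebApp $wa -Wanted $wanted

Get-WebAppPolicyReport -WebApp $wa |
    Sort-Object Scope, Account |
    Format-Table Scope, Account, Role -AutoSize | Out-Host

# Governance check: the Full Control group must have no members until
# noncompliant content actually has to be removed.
$standby = @(Get-DomainGroupMemberNames 'CONTOSO\SharePoint Full Control Policy')
if ($standby.Count -gt 0) {
    Write-Warning ('Full Control policy group is not empty: ' + ($standby -join ', '))
}
```

The report also lists policies that SharePoint or other administrators created, so it doubles as a periodic review of every account that bypasses site-level permissions on the Web application.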

 To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To
do this, complete the following steps:

On the host computer, start Microsoft Hyper-V Manager.

Right-click the virtual machine name in the Virtual Machines list, and then
click Revert.

In the Revert Virtual Machine dialog, click Revert.


Module Review and Takeaways

Review Questions
1. What differences exist between the available permissions and the behavior of
   inheritance in SharePoint in contrast to a folder on an NTFS volume?
2. Describe scenarios, other than auditing, in which a Web application policy
   would be useful.


Module 7
Managing SharePoint Customizations
Contents:
Lesson 1: Customizing Microsoft SharePoint
Lesson 2: Deploying and Managing Features and Solutions
Lesson 3: Configuring Sandboxed Solutions
Lab A: Administering Features and Solutions
Lab B: Administering Sandboxed Solutions
Lab C: Administering the Developer Dashboard


Module Overview

Microsoft SharePoint 2010 provides a number of facilities to support
customization by a variety of users; these rich capabilities encompass both the
simple and the complex. For example, a user can apply a new theme to her own
My Site, or a developer can create a custom solution, built on SharePoint, that
includes custom Web Parts, forms, workflows, timer jobs, and Microsoft
Silverlight applications. This model makes SharePoint extremely flexible but,
importantly, it also includes features to retain control of server resources and to
ensure stability and flexibility.
In this module, you learn how to make customizations and control customizations
made by both users and developers.

Objectives
After completing this module, you will be able to:

Customize SharePoint installations to suit your organizational needs.

Deploy and manage SharePoint features and solutions.

Configure sandboxed solutions.


Lesson 1

Customizing Microsoft SharePoint

You can use several different tools to customize SharePoint to meet your
requirements. For example, in the browser you can apply themes and add Web
Parts to pages. To make more extensive changes, you may need to use Microsoft
SharePoint Designer 2010. For advanced customization, developers commonly use
Microsoft Visual Studio 2010, which includes advanced integration with the
SharePoint platform. As a SharePoint administrator, you should understand the
changes developers can make so you can ensure the SharePoint farm remains
stable and secure when it runs custom code.
After completing this lesson, you will be able to:

Describe the different methods available for SharePoint 2010 customization.

Customize SharePoint pages in the browser.

Use SharePoint Designer 2010 to make custom changes to a SharePoint site.

Describe customizations that developers can make with code.


Discussion: Customizing SharePoint

Key Points

How do you currently customize SharePoint?

In your organization, who makes custom changes to SharePoint?

How long does it take to design, create, and publish a customization?

How do you ensure that customizations do not affect stability and security?

Are your users permitted to use SharePoint Designer?


Methods for Customizing SharePoint

Some SharePoint customizations are quick and easy to use and make simple
changes; you can make these changes in the browser. Others require extensive
expertise but are very powerful; you need specialist tools to make these changes.

Note: The customizations that each user can complete are restricted by their
permissions and permission levels. For example, contributors cannot, by default,
choose or modify master pages.

Customizing SharePoint Sites in a Web Browser


Many customizations to SharePoint can be completed in the browser and require
no special tools. Any user or administrator can complete these tasks provided they
have sufficient permissions. Site owners, for example, can make many of these
changes.


In the browser, you can:

Choose a site theme.

Choose a different master page.

Create a new Web Part page.

Change the Web Parts on a Web Part page.

Create lists and libraries.

Create content types.

Customizing SharePoint Sites in SharePoint Designer


If you cannot complete a customization task in the browser, you will often find it is
possible with Microsoft SharePoint Designer 2010. SharePoint Designer is
intended for use by power users and administrators who want to customize
SharePoint sites to closely target the needs of their teams. SharePoint Designer
requires no custom code or .NET framework knowledge; in other words, you need
not be a developer to use SharePoint Designer.
In SharePoint Designer, you can complete all the customizations that are possible
in the browser. In addition, you can:

Create new master pages.

Create new forms or customize default forms.

Create new workflows to manage business processes.

Make connections to external databases or systems to integrate them with
SharePoint. These are Business Connectivity Services (BCS) connections.

Customizing SharePoint with Visual Studio


Microsoft Visual Studio 2010 enables the broadest array of customization to
SharePoint 2010. You can build any custom SharePoint solution with this tool and
deploy it to multiple SharePoint farms throughout your organization or in other
organizations. Developers will find tight integration between SharePoint and Visual
Studio for development, deployment, and debugging.
With Visual Studio, developers can create:

Custom Web Parts to be used on SharePoint pages.

Custom master pages and style sheets.


Custom timer jobs to take actions on a schedule defined by administrators.

Workflows with custom code or custom activities.

Silverlight applications.

Custom BCS connection types.


Customizing SharePoint in the Browser

You can begin customizing a SharePoint site in the browser user interface you
already use to access SharePoint.

Browser Customization Scenarios


When an administrator or user creates a SharePoint site, they select a site template.
Built-in site templates include the Team Site template, the Wiki template, and the
Publishing Site template amongst others. The template you choose determines the
default lists, libraries, pages, and other features of the site, but you can add to these
when the site is created.
Consider, for example, a company in which a new site is created, based on the
Publishing Site template, for each new publishing project. This arrangement works
well but in the latest project, the project manager wants to manage customer
contacts as well as documents. To do this she can add a contacts list to the site. She
can also use a Web Part to display the contacts on the site home page.


Browser Customizations
In the browser interface, the customizations you can make include the following:

Change the site theme. A theme applies a set of colors and fonts to a site. In
addition, you can upload a theme from a Microsoft Office PowerPoint slide
deck and use it as a SharePoint theme. This is a simple way to apply corporate
colors and fonts to a SharePoint site.

Change the master page. A master page is an ASP.NET Web page with a set of
common controls and other common features. For example, in SharePoint, the
Quick Launch control is part of the master page. SharePoint includes several
master pages and your organization can create more by using SharePoint
Designer or Visual Studio. In the browser, you can choose the master page
from the existing list but you cannot create new master pages.

Add lists and libraries. You can choose from various types of lists and
libraries, such as calendars and asset libraries.

Add content types. A content type describes a new kind of item and
document.

Edit text. For example, users can edit the "Wake Up Call Service Control" text
in the slide screenshot.

Add images. You can insert images to illustrate a point or enliven the page.

Add rich graphs. You can visualize data by using the Chart Web Part.


SharePoint Designer

Microsoft SharePoint Designer 2010 is designed to enable advanced customization
in SharePoint sites and farms. Power users, administrators, and developers use
SharePoint Designer to create and configure sites, modify their look-and-feel, create
lists and libraries, assign permissions, and so forth. You can use all the features of
SharePoint Designer without writing any .NET code.

SharePoint Designer Customizations


All the customizations that are possible in the browser are also possible in
SharePoint Designer. For example, you can create content types by using either the
browser or SharePoint Designer; use whichever tool you prefer. However, some
tasks are possible in SharePoint Designer that are not possible in the browser.
These include:

Creating custom workflows to model and manage business processes.

Editing HTML in site pages.

Creating and editing master pages and page layouts.

Connecting to external data by creating BCS connections and external content
types.

Customizing default forms for list items and workflows.

Displaying external data in SharePoint sites, and enabling SharePoint users to
edit it, by creating external lists.


Custom Code Projects

Microsoft Visual Studio 2010 provides the greatest array of possibilities for
customizing SharePoint 2010. In many cases, where a customization cannot be
completed in SharePoint Designer, you may need to work with a developer who
uses Visual Studio.

Visual Studio Customizations


The following are examples of customizations that you can build only in Visual
Studio:

Custom Web Parts to be used on SharePoint pages.

Custom timer jobs to take actions on a schedule defined by administrators.

Workflows with custom code or custom activities.

Silverlight applications.

Custom BCS connection types.


Custom feature receivers that run code when features are activated or
deactivated.

Custom event receivers that run code when a SharePoint event occurs. When a
user creates a new item in a SharePoint list, for example, an event receiver can
respond.

Use Visual Studio for any solution that requires custom compiled code.

Administrating Custom Code Projects


Developers should not use your production SharePoint farm to run custom code
until it is complete, stable, and thoroughly tested as documented and
recommended in standard software development lifecycle processes. Instead, it is
recommended that developers use a development SharePoint farm to test and
validate their solutions. For example, developers can install SharePoint on a
Microsoft Windows 7 computer specifically for this purpose or implement a
virtual environment that closely represents the target production environment.
When a custom code project is complete, you must deploy it to the production
SharePoint farm that you administer. Developers should be encouraged to package
their customizations into SharePoint features or solution packages for ease of
deployment and management. Administrators must therefore install these features
or solution packages into the production farm and activate them. At that point, the
custom functionality becomes available for users. These administration tasks are
described in Lesson 2.


Lesson 2

Deploying and Managing Features and Solutions

A SharePoint feature is a set of functionality that administrators can activate or
deactivate at any time. SharePoint includes many features out of the box and
developers can add more by creating them in Visual Studio. Multiple features can
be packaged, with other components, into a solution package. A solution package is
a complete set of customizations to SharePoint that can be installed in a single
operation, but may make changes across your SharePoint organization.
Administrators commonly must install, activate, upgrade, deactivate, and remove
features and solution packages, so it is essential to understand these SharePoint
objects.
After completing this lesson, you will be able to:

Describe features and how administrators enable them.

Explain the content of features created by developers and third parties.

Deploy and activate features in a SharePoint farm.


Describe farm solutions and contrast them with features.

Add and install farm solutions in a SharePoint farm.

Understand the Developer Dashboard and describe the information it
presents.

Enable the Developer Dashboard.


Features

A SharePoint feature is a set of functionality that an administrator can enable or
disable. Features can include many types of objects, for example, Web Parts,
workflows, and forms. When an administrator enables a feature, all the
functionality that is part of it is enabled and becomes available to users.

Feature Scope
A SharePoint feature is installed into one of four possible scopes depending on
where its functionality is relevant and who should administer the feature. These
include the following:

Server Scope
These features can include customizations to a single Web front end or service
application server. Server scope features are enabled and disabled by farm
administrators.


Web Application Scope


These features can include customizations to all servers that host a Web
application. Web application scope features are enabled and disabled by farm
administrators.

Site Collection Scope


These features can include customizations to a single site collection and its
subsites. Site collection scope features are enabled and disabled by site
collection administrators.

Site Scope
These features can include customizations to a single SharePoint site only. Site
scope features are enabled and disabled by site administrators, site collection
administrators, and site owners.

Built-In Features
Much of the out of the box SharePoint functionality is encapsulated into features.
These features allow you to enable the functionality that you need and disable the
functionality that you consider unnecessary. For example, in the slide, you can see
the Content Organizer feature, which is currently enabled. If you don't use the
Content Organizer to file content automatically, you can disable this feature in
your site.
Keep built-in features in mind when troubleshooting SharePoint: if users cannot
find a tool or facility in SharePoint that they know is included in the product, it
may be because a built-in feature must be enabled.

Custom Features
Custom functionality is usually encapsulated in features. Therefore, the features
you see in your SharePoint system depend on the customizations you have
installed. Custom features may be created by any of the following:

Third parties. If you purchase and install a SharePoint customization, it is
likely to add one or more features. These features may appear in different
scopes.

Your own developers. Developers in your organization usually build their
customizations into features. You must install and activate these features to
make the custom functionality available to users.


Example Feature Scenarios

To understand features more deeply, consider the following scenarios.

Scenario 1: A Third-Party Feature

You purchase a custom SharePoint package from a third party, Adventure Works.
The package includes three changes to the SharePoint user interface: two custom
Web Parts and a Custom Action, which adds a new shortcut to the Site Actions
menu.
You install the package and notice a new feature at the site collection level called
AdWorks Tools. A site collection administrator enables the feature and users start
adding the new Web Parts to pages.
As you can see, each feature can include multiple custom objects of different types.
This feature was installed at the site collection level, so you can only modify a
single site collection and its subsites. Also, a site collection administrator must
enable the feature. Site owners, for example, do not have the required permissions.


Scenario 2: An In-House Feature


Your project managers use SharePoint sites to manage publishing projects. They
have requested new functionality that will better manage the process and you have
worked with your developers to create the custom functionality. Project sites
should have a new workflow, custom content types, and an instance of the
deliverables document library.
Your developers build a feature called Contoso Project that encapsulates all the
custom objects. You install the feature on SharePoint servers. Project managers
notice the new feature at the site level and, as site owners, they can enable it and
use the workflow, content types, and deliverables list to manage their project.

Possible Feature Contents


Features can contain many types of objects to customize SharePoint. For example:

Web Parts and Visual Web Parts. Users can add these to Web Parts pages.

ASP.NET User Control or Server Controls. Users cannot modify these user
interface components.

Custom Actions. These shortcuts appear on a menu in SharePoint, for
example, the Site Actions menu.

List Instances. These ensure that when the feature is activated, a new list is
created.

List Templates. Users can use these templates to create new lists.

Modules. These are files that are automatically added to SharePoint by the
feature.

Feature Receivers. These contain code that runs when a feature is activated.

Content Types. These define new types of items or documents.

Fields. These can be assembled into content types.

Workflows. These model and manage a business process.


Deploying and Activating Features

When a developer has created a SharePoint feature to encapsulate the
customizations they have programmed, you must install and activate it to make the
custom functionality available to users.

Deploying Features
A feature consists of a folder hierarchy. The top folder name is the name of the
feature and it contains a file called Feature.xml and other files and folders. To
begin deploying your feature, copy this folder to the following location:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\FEATURES

Now that the feature is in the right location, you must install it. To do this you can
use Windows PowerShell:
Install-SPFeature -Path "ContosoProjects"


Alternatively, you can install the feature by using Stsadm.exe:
Stsadm -o installfeature -filename ContosoProjects\feature.xml

When you have installed the feature, it is visible in the list of features at the correct
scope. The scope is determined by the developer when they create the feature.

Activating Features
Although you have installed your feature, its functionality is not available to users
until you activate it. You can do this in the browser interface. For example, if the
feature is site-scoped:
1. In the site where you want to use the feature, click Site Actions, and then click
   Site Settings.
2. Click Site Features.
3. Locate the feature and then click its Activate button.

You can also activate features by using PowerShell:
Enable-SPFeature -Identity ContosoProjects

Alternatively, you can activate a feature with Stsadm.exe:
Stsadm -o activatefeature -name ContosoProjects

When you have installed and activated a feature, users can begin to employ its
custom functionality.

Note: If you have multiple Web front-end servers in your SharePoint farm, you must
install each feature on every Web front-end server to ensure its availability.

In many cases, you do not install features manually but as part of solution
packages, which are described later.


If you want to deactivate and remove features, similar PowerShell commands and
Stsadm.exe options are used.

Note: If a feature is incorporated into a solution package, administrators need not
deploy the feature to each Web front-end server in the farm. For more information
about deploying solution packages, see the topic that follows.


Farm Solutions

As you have seen, a SharePoint feature is a set of functionality that administrators
can enable or disable in a single operation. By contrast, a SharePoint solution
package is a set of functionality that administrators can install in a single operation.
Solution packages make administration and distribution of SharePoint
customizations significantly easier than with features alone.

Characteristics and Creation


A solution package consists of a single file with a .wsp extension. Because it is a
single file, it is very easy to distribute a solution package, and administrators do not
need to copy them to the Templates folder.
In fact, the .wsp file is a cabinet file: a compressed file that holds all the files and
information needed for the custom functionality. Developers can create .wsp files
by using the solution package designer tool in Visual Studio 2010 or alternate tools
such as MAKECAB, when they are ready to distribute their custom project.


Package Content
A solution package can contain any number of the following:

Features

Site Definitions

Assemblies

Files

Updates to Web.config files

Notice, for example, that you could include two features, one with site scope and
one with Web application scope, in a single solution package for easy
deployment.

Note: When you have multiple Web front-end servers, you must install each feature
on each one. However, this is not necessary with solution packages. SharePoint
automatically installs the contents of your package on all front-end servers.

Most third-party SharePoint customizations are distributed as solution packages,
not individual features. You do not have to install these features manually, because
they install with the solution package, but you might have to activate these
features.


Adding and Installing Solutions

You must be a farm administrator to add a solution to a farm and deploy it. If you
are a farm administrator, you can use PowerShell or Stsadm.exe for both these
operations. You can also use the browser to deploy a solution you have previously
added.

Adding Solutions
When you add a solution package, you upload the package to the SharePoint
solution store so that it is ready for installation. Use the following command to add
a solution in PowerShell:
Add-SPSolution -LiteralPath "c:\custom\contososolution.wsp"

Notice that you do not need to copy the solution package into the SharePoint
Templates folder before you add it. Instead, you supply the path to the .wsp file.
Use the following command to add a solution by using Stsadm.exe:
Stsadm -o addsolution -filename c:\custom\contososolution.wsp
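Because a .wsp is a cabinet file, an administrator can review what a package will install before it is deployed to the farm. The function below is an added example, not the course's or Microsoft's own tooling: it unpacks a package with the Windows expand.exe tool and summarizes the assemblies, features, site definitions, and code access security policy declared in its manifest.xml. The function name is hypothetical, and the package path is the one used in this lesson.

```powershell
# Added example, not from the course materials. Unpacks a .wsp to a temporary
# folder and reports what its manifest.xml declares. Nothing is added to or
# changed in the farm.
function Get-WspManifestSummary {
    param([Parameter(Mandatory = $true)][string]$WspPath)

    $wsp  = (Resolve-Path -LiteralPath $WspPath).Path
    $work = Join-Path $env:TEMP ('wsp_' + [Guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        # expand.exe ships with Windows and extracts cabinet files.
        & expand.exe $wsp '-F:*' $work | Out-Null

        $manifestPath = Join-Path $work 'manifest.xml'
        if (-not (Test-Path -LiteralPath $manifestPath)) {
            throw "manifest.xml not found in $wsp"
        }
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($manifestPath)
        $sol = $doc.DocumentElement          # the <Solution> element

        # Assemblies: GAC-deployed code runs with full trust; SafeControl
        # entries become Web.config changes on deployment.
        $assemblies = @($sol.Assemblies.Assembly | Where-Object { $_ } | ForEach-Object {
            New-Object PSObject -Property @{
                File         = $_.Location
                Target       = $_.DeploymentTarget   # GlobalAssemblyCache or WebApplication
                SafeControls = @($_.SafeControls.SafeControl | Where-Object { $_ }).Count
            }
        })

        # Features: read each feature.xml for its scope and any feature receiver.
        $features = @($sol.FeatureManifests.FeatureManifest | Where-Object { $_ } | ForEach-Object {
            $scope = 'unknown'; $receiver = $null
            $featurePath = Join-Path $work $_.Location
            if (Test-Path -LiteralPath $featurePath) {
                $fx = New-Object System.Xml.XmlDocument
                $fx.Load($featurePath)
                $scope    = $fx.DocumentElement.Scope          # Farm, WebApplication, Site, or Web
                $receiver = $fx.DocumentElement.ReceiverClass  # set when activation runs code
            }
            New-Object PSObject -Property @{
                Feature  = (Split-Path $_.Location -Parent)
                Scope    = $scope
                Receiver = $receiver
            }
        })

        New-Object PSObject -Property @{
            SolutionId      = $sol.SolutionId
            Assemblies      = $assemblies
            GacAssemblies   = @($assemblies | Where-Object { $_.Target -eq 'GlobalAssemblyCache' }).Count
            Features        = $features
            SiteDefinitions = @($sol.SiteDefinitionManifests.SiteDefinitionManifest |
                                Where-Object { $_ }).Count
            HasCasPolicy    = ($sol.CodeAccessSecurity -ne $null)
        }
    }
    finally {
        Remove-Item -LiteralPath $work -Recurse -Force
    }
}

$summary = Get-WspManifestSummary -WspPath 'c:\custom\contososolution.wsp'
$summary | Format-List SolutionId, GacAssemblies, SiteDefinitions, HasCasPolicy | Out-Host
$summary.Assemblies | Format-Table File, Target, SafeControls -AutoSize | Out-Host
$summary.Features   | Format-Table Feature, Scope, Receiver -AutoSize | Out-Host
```

In feature.xml, the Scope value Site means a site collection and Web means a single site; Farm and WebApplication features are the ones that only farm administrators enable.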


Installing Solutions
When you deploy a solution, you install all the features and other objects it
contains, and the functionality becomes available to users. Once a solution package
has been added, you can view and deploy it in the browser. To do this, follow these
steps:
1. Start Central Administration.
2. Click System Settings.
3. Click Manage Farm Solutions.
4. Click the solution you wish to deploy and then click Deploy.

You can deploy a solution by running this PowerShell command:
Install-SPSolution -Identity ContosoSolution

Alternatively, you can also deploy a solution by running this Stsadm.exe command:
Stsadm -o deploysolution -name ContosoSolution

Upgrading Solution Packages


When developers create a new version of an existing solution, they should create a
solution package with a new filename, but retain the same solution ID as the
original version. When you add and deploy such a solution package, SharePoint
automatically upgrades the solution instead of installing a new solution.

Removing Solution Packages


To remove a solution package that you have installed, you must retract it and then
remove it from the SharePoint solution store. To do this by using PowerShell, run
the following commands:
Uninstall-SPSolution -Identity ContosoSolution
Remove-SPSolution -Identity ContosoSolution

To uninstall and remove a solution package by using Stsadm.exe, run the following
commands:
Stsadm -o retractsolution -name ContosoSolution
Stsadm -o deletesolution -name ContosoSolution


Developer Dashboard

The Developer Dashboard is a new feature in SharePoint Server 2010 designed to
provide detailed information about the execution of all the components on a
SharePoint page. Developers can use the information on the dashboard to
troubleshoot and optimize the speed of their code. Administrators may also find
the information helpful. For example, they can use it to diagnose slow performance
in a third-party component, such as a Web Part. Administrators should also know
how to enable the Developer Dashboard in their farm for their developers.
The Developer Dashboard displays the following kinds of information:

Execution time. This is the time in milliseconds that each component on the
page took to complete. Slow components take many milliseconds and delay
the page load.

Call stack. This is the hierarchy of objects that were involved in page
rendering.


Database query time. This is the time in milliseconds that any request to the
content database took.

Web Part execution time. This is the time, in milliseconds, that each Web Part
took to render its user interface.

Use PowerShell or Stsadm.exe to enable and disable the Developer Dashboard.
You can set the mode to one of three possible values:

On. The dashboard is always displayed. Do not use this mode in production
environments.

Off. The dashboard is never displayed. This is the default.

OnDemand. For site administrators, an icon is added to the top right of
SharePoint pages. Click that icon to show or hide the Developer Dashboard.


Using the Developer Dashboard

If you wish to use the Developer Dashboard, or if any developers wish to use it,
you must enable it.
In Stsadm.exe, you can use the following command to enable the Developer
Dashboard:
stsadm -o setproperty -pn developer-dashboard -pv "On"

In PowerShell, you must use several commands to enable the Developer
Dashboard. You may prefer to create a PowerShell script that includes all the
following commands:
# The type names must be fully qualified for PowerShell to resolve them.
$service = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;
$addsetting = $service.DeveloperDashboardSettings;
$addsetting.DisplayLevel = [Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel]::OnDemand;
$addsetting.Update();


Lesson 3

Configuring Sandboxed Solutions

Farm solutions, as created by developers in your own organization or by third
parties, are powerful and can add rich functionality to your SharePoint farm.
However, poorly written or untested solutions can cause problems. They can
reduce stability and security and cause interruptions in service. They can consume
server resources indiscriminately and reduce server responsiveness.
SharePoint 2010 introduces the sandbox as an isolated and controlled
environment in which you can run code. Solutions in the sandbox are still
powerful but cannot take actions that compromise stability. Administrators can set
quotas on sandboxed solutions to eliminate contention and ensure the farm
responds quickly. SharePoint users can also create their own sandboxed solutions
or install third-party solutions; administrators remain in control of the farm.


After completing this lesson, you will be able to:

Describe how the sandbox ensures stability.

Configure the user code service application.

Configure quotas and points for controlling resource usage.


Sandboxed Solutions

The SharePoint 2010 sandbox is an isolated and restricted environment in which
to run solution packages. Solutions in the sandbox cannot affect stability and
administrators can set strict quotas on the resources they consume.

The Sandbox Environment


The sandbox places the following restrictions on the solutions that run within it:

Solutions run in a separate process called SPUCWorkerProcess.exe. This
protects other SharePoint and Microsoft Windows services and processes.

Solutions run a version of the SharePoint Object Model with some classes
removed. These are classes that may affect security and stability if poorly used.

Solutions run under a strict code access security policy. This increases
protection against malicious code.


Solutions are governed by resource quotas set by administrators. You can use
these quotas to ensure that solutions do not over-consume resources and
cause contention and slow responses.

Note: Although the sandbox is a restricted environment, solutions within it can still
access most of SharePoint's facilities and remain powerful.

Sandboxed solutions are sometimes called user solutions. They are stored in the
Solution Gallery in a site collection, which you can access from the Site Settings
page. Site collection administrators can upload new solutions to the sandbox at
any time and enable them without involving farm administrators or developers.

SharePoint Composites and the Sandbox


SharePoint composites are custom applications created by users in SharePoint
sites. The browser interface, SharePoint Designer and Windows InfoPath forms
can all be used to create custom applications, adapted to the needs of a team or
department, without any code or developer involvement. SharePoint composites
can include:

Custom lists, libraries, and content types.

Custom workflows.

BCS connections to external data sources.

Custom InfoPath forms for items and workflows.

When a SharePoint composite is complete, a user can save it as a user solution.
This packages the site as a .wsp file and stores it in the Solution Gallery. You can
download the .wsp file from the gallery and use it to install the composite
application in other site collections or SharePoint farms. This enables users and
power users to distribute their custom applications to other parts of your
organization.


Configuring the User Code Service

The sandbox relies on the user code service to provide the restricted environment
in which to run solutions. As an administrator, you must understand this service
application and configure it in Central Administration.

User Code Service Processes


The following processes are required to support the sandbox and provide the
isolated and restricted environment:

SPUCHostService.exe. This is the user code service itself. This process
manages worker processes and enforces quotas. In the services list, this
process is labeled SPUserCodeV4.

SPUCWorkerProcess.exe. This is the process in which sandboxed solutions
run, isolated from other SharePoint and Windows services.


SPUCWorkerProcessProxy.exe. This process enables the user code service to
partake in the service application infrastructure.

Note: You can find these processes in the Task Manager and the SharePoint 2010
User Code Host service in the services application. However, you should not start
and stop the processes and services in these tools. Instead, use Central
Administration to determine where the user code service runs.

Configuring the User Code Service in Central Administration


Use the following steps to configure which servers run the user code service and
support the sandbox:
1. In Central Administration, under System Settings, click Services on Server.
2. At the top of the service list, choose the SharePoint server you want to
administer.
3. In the list of services, click Microsoft SharePoint Foundation Sandboxed
Code Service.
4. Click Start or Stop to enable or disable the service on this server.


Configuring Quotas and Blocking Solutions

A key feature of the sandbox is the way it restricts the server resources that each
solution can consume in a day. When a solution runs, an algorithm calculates
points that reflect the processor time, memory usage, database queries, and other
server resources that it uses. Farm administrators set a maximum number of points
that each sandboxed solution can consume in a day. Administrators can also tune
the algorithm to adapt it more closely to the available resources on their servers.

Setting Quotas
To set quotas for a site collection, take the following steps:
1. In Central Administration, click Application Management, and then click
Configure quotas and locks.
2. At the top of the window, select the Site Collection you wish to administer.
3. Under Site Quota Information, you can specify the Maximum usage per day
in points.
4. You can also specify a warning level. Administrators receive an e-mail alert
when a solution exceeds this limit.


Points Calculation
SharePoint uses 14 metrics to calculate points. These include the following values:

CPU Cycles. When the processor uses a predefined number of cycles on the
sandboxed solution, a point is logged.

Percentage Processor Time. When the sandboxed solution uses more than a
predefined percentage of the processing time, a point is logged.

Critical Exception Count. When a predefined number of exceptions occur in
a sandboxed solution, a point is logged.

Thread Count. When the solution exceeds a predefined number of threads in
the SPUCWorkerProcess process, a point is logged.

SharePoint Database Queries. When a solution initiates more than a
predefined number of queries to the SharePoint content database, a point is
logged.

As you can see, there is a predefined number involved in each metric. The
administrator can influence the algorithm by setting these numbers in PowerShell.
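
The report below is an added example, not part of the course material: it lists the thresholds of every resource measure on the farm and compares each site collection's daily sandbox quota and warning level with its current usage. The function names and status labels are hypothetical, and it assumes the SharePoint 2010 Management Shell run by a farm administrator.

```powershell
# Added example (not from the course). Function names and status labels are hypothetical.
# Assumes the SharePoint 2010 Management Shell (PowerShell 2.0), run as a farm administrator.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# The "predefined numbers" behind the points algorithm, one row per measure.
function Get-SandboxMeasureReport {
    $ucs = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local
    if ($ucs -eq $null) { throw "The user code service was not found on this farm." }
    $ucs.ResourceMeasures |
        Sort-Object Name |
        Select-Object Name, ResourcesPerPoint, AbsoluteLimit
}

# Daily quota, warning level and current usage (all in points) per site collection.
function Get-SandboxQuotaReport {
    Get-SPSite -Limit All | ForEach-Object {
        $site = $_
        try {
            $max  = $site.Quota.UserCodeMaximumLevel
            $warn = $site.Quota.UserCodeWarningLevel
            $used = $site.CurrentResourceUsage

            # Classify the site collection so the ones needing attention stand out.
            if ($max -le 0) {
                $status = "ZeroQuota"
            } elseif ($used -ge $max) {
                $status = "Exceeded"
            } elseif ($warn -gt 0 -and $used -ge $warn) {
                $status = "Warning"
            } else {
                $status = "OK"
            }

            New-Object PSObject -Property @{
                Url             = $site.Url
                MaxPointsPerDay = $max
                WarningPoints   = $warn
                UsedPoints      = [Math]::Round($used, 2)
                Status          = $status
            }
        }
        finally {
            $site.Dispose()
        }
    } | Select-Object Url, MaxPointsPerDay, WarningPoints, UsedPoints, Status
}

Get-SandboxMeasureReport | Format-Table -AutoSize
Get-SandboxQuotaReport | Sort-Object UsedPoints -Descending | Format-Table -AutoSize
```

Usage figures change only after the sandboxed solution timer jobs have run, so a site collection can show lower usage than its solutions have actually consumed since the last run.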

Blocking a Sandboxed Solution


Farm administrators can also block any sandboxed solution. Usually an
administrator does this when the solution consumes resources too heavily or poses
a security issue. To block a solution, follow these steps:
1. Start Central Administration and then click System Settings.
2. Under Farm Management, click Manage user solutions.
3. In the File box in the Solution Restrictions section of the Sandboxed
Solution Management page, either type the full path of the file that contains
the solution to block, or use the Browse button to browse for the file to block.
4. Optionally, type a message in the Message box. This message will be displayed
when a user tries to use the solution.
5. Click Block and then click OK.


Lab A: Administering Features and Solutions

Scenario
You have just installed a new SharePoint 2010 farm at Contoso, Ltd. Several
developers would like to test the functionality of features and solutions they
created for SharePoint 2007. Corporate IT policy states that only administrators
may modify the production environments, so it is your job to install these features
and solutions.

Start the virtual machines

Start 10174A-CONTOSO-DC-D.

After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.


Exercise 1: Administering Features


The CEO has asked you to add a calendar to the intranet site. Although you have
given her permissions to create lists on the intranet, she mentions that there is no
option to create a calendar. Additionally, you have been asked to add a custom
feature to the intranet's Site Actions menu. In this exercise, you will install, activate,
deactivate, and uninstall SharePoint features.
The main tasks for this exercise are as follows:
1. Activate a built-in feature.
2. Install a custom feature.
3. Activate and test a custom feature.
4. Deactivate a feature.

Task 1: Activate a built-in feature

Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password, Pa$$w0rd.

Open Microsoft Internet Explorer, and then browse to
http://intranet.contoso.com.

From the Site Actions menu, attempt to create a calendar list.
Observe that you cannot create a calendar, task, or contact list.

Activate the Team Collaboration Lists feature.

Re-attempt to create a calendar list.
Observe that you can now create a calendar, task, or contact list.

Task 2: Install a custom feature

Open Windows Explorer and copy the folder, D:\LabFiles\Lab07\CustomAction, to the folder,
C:\Program Files\Common Files\Microsoft Shared\web server extensions\14\Template\Features.
Each folder in the features folder represents a feature on the SharePoint server.

Close all open Windows Explorer windows.


Open the SharePoint 2010 management shell and use the installfeature
operation of Stsadm.exe to install the feature.

Tip: The installfeature operation is focused, by default, on the features folder. The
path to the feature can be entered as a path that is relative to the Features folder.

This will install a new feature into SharePoint that enables a simple custom
action in the Site Actions menu.

Task 3: Activate and test a custom feature

On the intranet site, activate the feature JavaScript Dropdown Item.

Click the Site Actions menu, and then click the new item on the menu, A
Custom Action.
A Message from webpage window appears with the message, Hello World.

Click OK.

Task 4: Deactivate a feature

Deactivate the JavaScript Dropdown Item feature.

Confirm that the item, A Custom Action, no longer appears on the Site
Actions menu.

Close Internet Explorer.

Results: After completing this exercise, you should have installed, activated and
deactivated SharePoint features.


Exercise 2: Administering Solutions


You want to track bugs and issues with the new SharePoint farm, and you have
decided to use the SharePoint bug database application template to do so. In this
exercise, you will install and deploy the solutions that enable the bug database
application.
The main tasks for this exercise are as follows:
1. Install a solution.
2. Deploy a solution.
3. Confirm the deployment of a solution.

Task 1: Install a solution

Use the addsolution operation of Stsadm.exe to add the following two solutions
to the farm:

D:\Labfiles\Lab07\ApplicationTemplateCore.wsp

D:\Labfiles\Lab07\BugDatabase.wsp

Open SharePoint 2010 Central Administration, and then from System
Settings open the Manage farm solutions page.
Observe that the two solutions are installed, but are not deployed.

Task 2: Deploy a solution

Deploy the two solutions, applicationtemplatecore.wsp and
bugdatabase.wsp.

Task 3: Confirm the deployment of a solution

Create a new Web site named Bug Tracking, with the URL
http://intranet.contoso.com/sites/IT/Bugs and with the Bug Database site
definition.


Open the new bug tracking Web site. Then close all open Internet Explorer
windows.

Results: After completing this exercise, you should have installed and deployed
SharePoint solutions to your farm.

Do not shut down the virtual machines

Leave the virtual machines running. You will use them for Lab B.


Lab B: Administering Sandboxed Solutions

Scenario
Developers have started testing their solutions on your SharePoint farm, and some
users have complained that the new solutions seem to be causing performance
problems. Your manager has tasked you with examining the resource usage of the
solutions and with changing the resource point settings of sandboxed solutions for
the time being to prevent database queries made by custom solutions from causing
problems.

Exercise 1: Administering Sandboxed Solutions


In this exercise, you will upload and test a custom solution, and examine the
resource usage of that solution.
The main tasks for this exercise are as follows:
1. Ensure that the code service is running.
2. Upload a sandboxed solution.
3. Test a sandboxed solution.


Task 1: Ensure that the code service is running

In the Services console, confirm that the SharePoint 2010 User Code Host
service is not started, and that it is disabled.

In SharePoint 2010 Central Administration, start the Microsoft SharePoint
Foundation Sandboxed Code Service.

In the Services console, confirm that the SharePoint 2010 User Code Host
service is started, and is set to start automatically.

Task 2: Upload a sandboxed solution

Browse to the IT intranet site, http://intranet.contoso.com/sites/IT. Upload
the solution, D:\Labfiles\Lab07\BadReceiver.wsp, and then activate the
solution.

Activate the site feature, BadReceiver Feature1.

Task 3: Test a sandboxed solution

From the All Site Content page, create a new announcement in the
Announcements list, with the title My Announcement.
An error message appears.

In the Web's Solutions Gallery, observe that the BadReceiver solution shows
no resource usage. That is because the timer job has not yet calculated
resource usage for the solution.

Results: After completing this exercise, you should have deployed and tested the
BadReceiver solution.


Exercise 2: Modifying Sandboxed Solutions Timer Jobs


In this exercise, you will launch the timer jobs that calculate resource usage.
The main tasks for this exercise are as follows:
1. Run sandboxed solution timer jobs.
2. Monitor resource usage.

Task 1: Run sandboxed solution timer jobs

In SharePoint 2010 Central Administration, locate the timer job, Solution
Resource Usage Update, for SharePoint intranet.contoso.com80. Run the
job now.

Note: Be sure to run the Solution Resource Usage Update and not the Solution
Daily Resource Usage Update timer job. Running the latter will cause resource
usage points to be reset.

Run the timer job, Solution Resource Usage Log Processing, for the site
SharePoint intranet.contoso.com80.

Task 2: Monitor resource usage

Browse to the Solutions Gallery for the IT Web, and then refresh the page.
The resource usage for the solution should now be updated. If you do not see
the updated resource usage, then you may need to wait for up to 5 minutes for
the timer jobs to execute.

Results: After completing this exercise, you should have updated and executed one
of the sandboxed solutions timer jobs.


Exercise 3: Configuring Sandbox Points


In this exercise, you will report the default resource point settings for sandboxed
solutions, and then you will modify the points assigned to database queries.
The main tasks for this exercise are as follows:
1. Review default resource measures.
2. Change default resource measure points.
3. Test modified sandboxed resource measures.
4. Deactivate the bad solution.

Task 1: Review default resource measures

Run SharePoint 2010 Management Shell as Administrator.

To export a list of default point values, type the following command:
$spusercodeservice = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local
$spusercodeservice.ResourceMeasures > c:\ResourceMeasures.txt

Open the file C:\ResourceMeasures.txt.
This file contains a listing of the resource measures that are monitored for
sandboxed solutions.

Find the section for SharePointDatabaseQueryCount, and then record the
current values of ResourcesPerPoint and AbsoluteLimit. Close the file.


Task 2: Change default resource measure points

In Administrator: SharePoint 2010 Management Shell, type the following
commands:
$spusercodeservice = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local
$obj = $spusercodeservice.ResourceMeasures["SharePointDatabaseQueryCount"]
$obj.ResourcesPerPoint = 1
$obj.Update()
$obj | Select-Object Name,ResourcesPerPoint

This script sets the ResourcesPerPoint property for
SharePointDatabaseQueryCount to 1 and will cause SharePoint database
queries to increase the resource usage point count very quickly.

Type the following command:
iisreset

IIS restarts and enables the new resource settings.

Close Administrator: SharePoint 2010 Management Shell.

Task 3: Test modified sandboxed resource measures

Switch to the instance of Internet Explorer that displays the IT intranet Web.
It will take a few seconds to load the Web, because you recently reset IIS.

From the All Site Content page, create a new announcement in the
Announcements list, with the title My Next Announcement.
An error message appears.

In the Web's Solutions Gallery, observe that the BadReceiver solution shows
no resource usage. That is because the timer job has not yet calculated
resource usage for the solution.
If you see resource usage of 2.00, then you were lucky! The timer jobs
executed just in time. Skip to Step 6.

Repeat Task 1 of Exercise 2 to run the sandboxed solutions timer jobs.


Refresh the view of the IT intranet Web Solutions Gallery.

Observe that the resource usage of the solution is increasing more rapidly.
If you do not see the updated resource usage, then you may need to wait for
up to 5 minutes for the timer jobs to execute.

Task 4: Deactivate the bad solution

In the Solutions Gallery, deactivate the BadReceiver solution.

Results: After completing this exercise, you should have updated the default
sandboxed solution resource measures.
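
Task 2 of this exercise changes a farm-wide setting, and the lab relies on reverting the virtual machine to undo it. The following added example, which is not part of the course lab, records the original value before changing it and puts it back afterwards; the function names and the backup path are hypothetical.

```powershell
# Added example (not from the course lab). Function names and the backup path are hypothetical.
# Assumes the SharePoint 2010 Management Shell (PowerShell 2.0), run as a farm administrator.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Look up one resource measure by name and fail clearly if it does not exist.
function Get-SandboxMeasure {
    param([Parameter(Mandatory=$true)][string]$Name)
    $ucs = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local
    $measure = $ucs.ResourceMeasures[$Name]
    if ($measure -eq $null) { throw "No resource measure named '$Name' was found." }
    $measure
}

# Change ResourcesPerPoint for one measure after saving its original values to disk.
function Set-SandboxResourcesPerPoint {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][double]$ResourcesPerPoint,
        [Parameter(Mandatory=$true)][string]$BackupPath
    )
    # Guard chosen for this example: reject zero and negative values.
    if ($ResourcesPerPoint -le 0) { throw "ResourcesPerPoint must be greater than zero." }

    $measure = Get-SandboxMeasure -Name $Name

    # Keep the first backup only, so a second run cannot overwrite the
    # original value with the test value.
    if (-not (Test-Path $BackupPath)) {
        $measure | Select-Object Name, ResourcesPerPoint, AbsoluteLimit |
            Export-Clixml -Path $BackupPath
    }

    $measure.ResourcesPerPoint = $ResourcesPerPoint
    $measure.Update()
    $measure | Select-Object Name, ResourcesPerPoint, AbsoluteLimit
}

# Put back the value recorded by Set-SandboxResourcesPerPoint.
function Restore-SandboxResourcesPerPoint {
    param([Parameter(Mandatory=$true)][string]$BackupPath)
    if (-not (Test-Path $BackupPath)) { throw "Backup file '$BackupPath' was not found." }

    $saved   = Import-Clixml -Path $BackupPath
    $measure = Get-SandboxMeasure -Name $saved.Name
    $measure.ResourcesPerPoint = $saved.ResourcesPerPoint
    $measure.Update()
    $measure | Select-Object Name, ResourcesPerPoint, AbsoluteLimit
}

# Example run that mirrors the lab (uncomment to use; run iisreset after each change, as the lab does):
# Set-SandboxResourcesPerPoint -Name "SharePointDatabaseQueryCount" -ResourcesPerPoint 1 -BackupPath "C:\SandboxMeasure.backup.xml"
# Restore-SandboxResourcesPerPoint -BackupPath "C:\SandboxMeasure.backup.xml"
```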

Do not shut down the virtual machines

Leave the virtual machines running. You will use them for Lab C.

Question: What was the value of ResourcesPerPoint for
SharePointDatabaseQueryCount? Explain the relationship between this number
and one resource usage point.


Lab C: Administering the Developer Dashboard

Scenario
You have installed a new SharePoint 2010 farm for your developers. Recently the
development manager fielded several performance issues from end users and has
mandated that applications are designed with performance as top priority. One of
the developers has asked you to enable the Developer Dashboard for debugging
and instrumentation purposes to support this new initiative.

Exercise 1: Configuring the Developer Dashboard


In this exercise, enable and disable the Developer Dashboard.
The main tasks for this exercise are as follows:
1. Enable the Developer Dashboard.
2. Review the Developer Dashboard.
3. Disable the Developer Dashboard.


Task 1: Enable the Developer Dashboard

In the SharePoint 2010 Management Shell, type the following commands:
$svc=[Microsoft.SharePoint.Administration.SPWebService]::ContentService
$ddsetting=$svc.DeveloperDashboardSettings
$ddsetting.DisplayLevel=[Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel]::OnDemand
$ddsetting.Update()

This script enables the Developer Dashboard in OnDemand mode.

Task 2: Review the Developer Dashboard

Open Internet Explorer, and then browse to
http://intranet.contoso.com/sites/IT.

Click the small icon in the top right next to SharePoint Administrator.
This will enable the Developer Dashboard for the page.

Observe the information that is available on the page:

Http Handler Events for Http Request

Web Server stats

Asserts and Critical events

Database Queries

Service Calls

SPRequest Allocations

WebPart Events Offsets


Task 3: Disable the Developer Dashboard

In the SharePoint 2010 Management Shell, type the following commands:
$svc=[Microsoft.SharePoint.Administration.SPWebService]::ContentService
$ddsetting=$svc.DeveloperDashboardSettings
$ddsetting.DisplayLevel=[Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel]::Off
$ddsetting.Update()

This script disables the Developer Dashboard.

Results: After completing the exercise, you should have enabled and disabled the
Developer Dashboard on the IT intranet Web.

To prepare for the next module

When you finish the lab, reset the virtual machines back to their initial state. To do
this, complete the following steps:

On the host computer, start Microsoft Hyper-V Manager.

Right-click the virtual machine name in the Virtual Machines list, and then
click Revert.

In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. You want to create a workflow that models an authoring process in one of
your SharePoint sites. The workflow will not contain any custom code. Would
you use the browser, SharePoint Designer, or Visual Studio to create this
workflow?

2. You want to connect your SharePoint farm to a SQL Server database and
display external data in a SharePoint list. Would you use the browser,
SharePoint Designer, or Visual Studio to make this connection?

3. A developer gives you a solution package to install on the production
SharePoint server farm. The farm has 3 Web front-end servers and a dedicated
database server. How many times must you install the solution?

4. A user contacts you and asks you to test a sandboxed solution that he has
downloaded from a third party. He says he wants to ensure the solution does
not over-consume resources on the SharePoint servers. What advice do you
give him?


Module 1: Introducing SharePoint 2010

Lab: Installing SharePoint 2010


Start the virtual machines
1. Start 10174A-CONTOSO-DC-A.
2. After CONTOSO-DC-A has completed startup, start 10174A-SP2010-WFE1-A.

Exercise 1: Creating Active Directory Accounts for SharePoint

Task 1: Create Active Directory accounts
1. Log on to SP2010-WFE1 as CONTOSO\Administrator with the password
Pa$$w0rd.
2. On SP2010-WFE1, click Start, point to Administrative Tools, and then click
Active Directory Users and Computers.
3. Expand contoso.com, and then click SharePoint.
4. Right-click SharePoint, point to New, and then click User.
a. In the Full name box, type SharePoint Administrator.
b. In the User logon name box, type SP_Admin.
c. Click Next.
d. In the Password and Confirm password boxes, type Pa$$w0rd.
e. Clear the User must change password at next logon check box.
f. Select the Password never expires check box.
g. Click Next.
h. Click Finish.
i. Right-click SharePoint Administrator, and then click Properties.


j. In the Description box, type SharePoint Administrator and Setup User.
k. In the E-mail box, type SP_Admin@contoso.com.
l. Click OK.

5. Repeat steps a-l to create an account with the following configuration:

Full name: SharePoint Farm Service

User logon name: SP_Farm

Description: SharePoint Farm Service

E-mail: SP_Farm@contoso.com

6. Repeat steps a-l to create an account with the following configuration:

Full name: SharePoint Service Applications

User logon name: SP_ServiceApps

Description: SharePoint Service Applications

E-mail: SP_ServiceApps@contoso.com

7. Close Active Directory Users And Computers.

Task 2: Create a SQL Server login for the SharePoint administrator
1. Click Start, click All Programs, click Microsoft SQL Server 2008 R2, hold the
SHIFT key and right-click SQL Server Management Studio, and then click
Run as different user.
The Windows Security dialog box appears.
2. In the User name box, type CONTOSO\SQL_Admin.
3. In the Password box, type Pa$$w0rd.
4. Click OK.
Microsoft SQL Server Management Studio opens.
5. Click Connect.
6. Expand Security.
7. Right-click Logins, and then click New Login.
8. In the Login name box, type CONTOSO\SP_Admin.
9. In the Select a page panel, click Server Roles.
10. Select the dbcreator check box.
11. Select the securityadmin check box.
12. Click OK.
13. Close Microsoft SQL Server Management Studio.

Task 3: Delegate administration of the SharePoint server
1. In the taskbar, click Server Manager.
2. Expand Configuration, expand Local Users and Groups, and then click
Groups.
3. In the details pane, double-click Administrators.
4. Click Add.
5. In the Enter the object names to select box, type CONTOSO\SP_Admin, and
then click OK.
6. Click OK.
7. Close Server Manager.
8. Log off of SP2010-WFE1.


Exercise 2: Installing SharePoint Server Prerequisites

Task 1: Attempt to install SharePoint Server prerequisites
1. Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password
Pa$$w0rd.
2. Open D:\Software\SharePointServer2010.
3. Double-click default.hta.
The SharePoint Server 2010 Start page opens.
4. Click Install software prerequisites.
The User Account Control dialog box appears.
5. Click Yes.
The Microsoft SharePoint 2010 Products Preparation Tool appears.
6. Click Next.
7. Select the I accept the terms of the License Agreement(s) check box.
8. Click Next.
The prerequisite installer prepares the server.
The Microsoft SharePoint 2010 Products Preparation Tool displays the
message, There was an error during installation. A summary of prerequisite
installation status is also displayed.

Task 2: Identify prerequisite installation errors
1. Click Review the log file.
The PrerequisiteInstaller log file opens.
2. Press CTRL+F.
The Find dialog box appears.
3. Type 976462, and then click Find Next.
4. Observe the lines in the log file that indicate that the prerequisite installer
checked for the existence of Hotfix for Microsoft Windows (KB976462).
5. Click Find Next.
6. Observe the lines in the log file that indicate that the prerequisite installer
attempted to download Hotfix for Microsoft Windows (KB976462) from
microsoft.com. Observe the URL that was used.
You can use this URL to manually download the prerequisite.
7. Click Cancel and then close the log file.
8. Click Finish in the Microsoft SharePoint 2010 Products Preparation Tool.
9. Click Exit on the SharePoint Server 2010 Start page.

Task 3: Copy SharePoint prerequisite installation files
1. Open D:\Software\SharePoint Prerequisites.
2. To select all files in the folder, press CTRL+A.
3. To copy all files, press CTRL+C.
4. Open D:\Software\SharePointServer2010\PrerequisiteInstallerFiles.
5. To paste all files, press CTRL+V.

Task 4: Script the installation of SharePoint Server prerequisites
1. Open Notepad.
2. Type the following, on one line, with spaces between each switch:
/SQLNCli:PrerequisiteInstallerFiles\sqlncli.msi
/ChartControl:PrerequisiteInstallerFiles\MSChart.exe
/KB976462:PrerequisiteInstallerFiles\Windows6.1-KB976462-v2x64.msu
/IDFXR2:PrerequisiteInstallerFiles\Windows6.1-KB974405-x64.msu
/Sync:PrerequisiteInstallerFiles\Synchronization.msi
/FilterPack:PrerequisiteInstallerFiles\FilterPack.msi
/ADOMD:PrerequisiteInstallerFiles\SQLSERVER2008_ASADOMD10.msi
/ReportingServices:PrerequisiteInstallerFiles\rsSharePoint.msi
/Speech:PrerequisiteInstallerFiles\SpeechPlatformRuntime.msi
/SpeechLPK:PrerequisiteInstallerFiles\MSSpeech_SR_en-US_TELE.msi

Alternately, you can copy the contents of the file,
D:\Labfiles\Lab01\PrerequisiteInstaller.Arguments.txt and paste it into your
Notepad document.


3. Click File, and then click Save.
The Save As dialog box appears.
4. Type D:\Software\SharePointServer2010, and then press ENTER.
The SharePointServer2010 folder opens.
5. Type PrerequisiteInstaller.Arguments.txt, and then press ENTER.
6. Close Notepad.
7. Start the Command Prompt using the Run as administrator option.
The User Account Control dialog box appears.
8. Click Yes.
9. Type the following commands, each followed by ENTER:
D:
CD Software\SharePointServer2010
PrerequisiteInstaller.exe

The Microsoft SharePoint 2010 Products Preparation Tool appears.
In a production environment, you would also add the /unattended switch to
the PrerequisiteInstaller.Arguments.txt file to specify a silent, unattended
installation of SharePoint prerequisites. An unattended installation will skip
the Welcome page and the license agreement.
For this lab, however, you did not use the /unattended switch, so that you may
observe the progress of the prerequisite installer and ensure that there are no
errors in your script.
10. Click Next.
11. Click I accept the terms of the License Agreement(s).
12. Click Next.
SharePoint prerequisites are installed.
13. On the Installation Complete page, confirm that installation completed
successfully.
14. Click Finish.


Exercise 3: Installing SharePoint Server

Task 1A: Install SharePoint Server
1. In the SharePointServer2010 folder, double-click default.hta.
The SharePoint Server 2010 Start page opens.
2. On the SharePoint Server installation page, click Install SharePoint Server.
The User Account Control dialog box appears.
3. Click Yes.
4. Type 36BY2-DVVJY-6426X-PXWVQ-BM342, and then click Continue.
5. Select the I accept the terms of this agreement check box.
6. Click Continue.
7. Click Server Farm.
8. On the Server Type page, click Complete, and then click Install Now.
Installation proceeds for approximately 7-10 minutes.
9. On the Run Configuration Wizard page, clear the Run the SharePoint
Products Configuration Wizard now check box.
10. Click Close.
11. On the SharePoint installation page, click Exit.
12. Close the Windows Explorer window that is displaying the contents of the
SharePointServer2010 folder.

Task 1B: Script the installation of SharePoint Server

As an alternate to this procedure, you can copy D:\Labfiles\Lab01\config.xml to
the D:\Software\SharePointServer2010\Files\SetupFarmSilent folder,
overwriting the existing file.
1. Open D:\Software\SharePointServer2010\Files\SetupFarmSilent.
2. Right-click config.xml, and then click Edit.


3.

Perform one of the following two tasks:


1.

Replace line 11the PID elementwith the following line:


<PIDKEY Value="36BY2-DVVJY-6426X-PXWVQ-BM342" />

Remove the comment tags, <!- and -->.


2.

Replace the Display element with the following:


<Display AcceptEULA="yes"
Level="basic"
CompletionNotice="yes" />

In a production environment, you would leave the Display element with its
default values (Level=none and CompletionNotice=no) for a completely
unattended installation.
In this lab, you change the values of the Display element so that installation
can be monitored.
4.

Click File, and then click Save.

5.

Click File, and then click Exit.

6.

Start Command Prompt using the Run as administrator option.


The User Account Control dialog box appears.

7.

Click Yes.

8.

Type the following command on one line, and then press ENTER:
"D:\Software\SharePointServer2010\setup.exe" /config "D:\Software\SharePointServer2010\Files\SetupFarmSilent\config.xml"

Installation takes approximately 7-10 minutes. A progress bar is displayed.


In a production environment in which you have configured the DisplayLevel
value to none, you can monitor the progress of the SharePoint installation
using any of these methods:

Click Start, then type %temp% and then press ENTER. Open the log named SharePoint Server Setup*.log.

Open Task Manager, and then monitor processes including msiexec.exe, setup.exe, mscorsvw.exe, and psconfigui.exe.


9.

On the Run Configuration Wizard page, clear the Run the SharePoint
Products Configuration Wizard now check box.

10. Click Close.


Exercise 4: Configuring the SharePoint Installation


 Task 1A: Run the SharePoint Products Configuration Wizard
1.

Click Start, click All Programs, click Microsoft SharePoint 2010 Products,
and then click SharePoint 2010 Products Configuration Wizard.
The User Account Control dialog box appears.

2.

Click Yes.
After a few minutes, the SharePoint Products Configuration Wizard appears.

3.

On the Welcome to SharePoint Products page, click Next.


A message appears to inform you that services may have to be started or reset.

4.

Click Yes.

5.

On the Connect to a server farm page, click Create a new server farm, and
then click Next.

6.

In the Database server box, type SP2010-WFE1.

7.

In the Username box, type CONTOSO\SP_Farm.

8.

In the Password box, type Pa$$w0rd.

9.

Click Next.

10. On the Specify Farm Security Settings page, type 10174_SharePoint_2010 in the Passphrase and Confirm passphrase boxes, and then click Next.
11. On the Configure SharePoint Central Administration Web Application
page, select the Specify port number check box.
12. In the Specify port number box, type 9999, and then click Next.
13. On the Completing the SharePoint Products Configuration Wizard page,
click Next.
The Configuring SharePoint Products page indicates the progress of
configuration, which takes approximately five minutes.
14. On the Configuration Successful page, click Finish.
Windows Internet Explorer appears and opens the Help Make SharePoint
Better page. This is the Customer Experience Improvement survey page of the
SharePoint 2010 Central Administration website.


15. Click Yes, I am willing to participate (Recommended).


16. Click OK.
17. Close Internet Explorer.
You configure SharePoint in the next exercise.

 Task 1B: Perform a scripted configuration of SharePoint Server


1.

In the task bar, hold the SHIFT key and right-click Windows PowerShell, and
then click Run as administrator.
The User Account Control dialog box appears.

2.

Click Yes.

3.

Type the following command, and then press ENTER:


D:\Labfiles\Lab01\ConfigureSharePoint.ps1

The Windows PowerShell Credential Request dialog box appears to prompt you for the credentials of the CONTOSO\SP_Farm account.
4.

In the Password box, type Pa$$w0rd, and then press ENTER.


A prompt appears to enter the farm passphrase.

5.

Type 10174_SharePoint_2010, and then press ENTER.


After a few moments, configuration status will be displayed. Configuration
proceeds for 7-10 minutes.
The following warning is expected during the configuration of SharePoint:

The local farm is not accessible. Cmdlets with FeatureDependencyId are not registered. The local farm does not yet exist. It will be created by the configuration script.

You can monitor the progress of the SharePoint installation by performing these steps:
a.

Open Task Manager, click the Processes tab, and then select the Show
processes from all users check box.

b.

Monitor processes including powershell.exe, sqlservr.exe, and owstimer.exe.


6.

When prompted Press Enter to exit, press ENTER.

7.

Close Windows PowerShell.

You will configure SharePoint in a later lab.
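
The sequence of cmdlets that a scripted configuration such as Task 1B typically runs, as an added example (this is not the lab's ConfigureSharePoint.ps1, whose contents are not shown on this page). The server name, farm account and port are the values from Task 1A; the two database names are assumptions. The farm account password and the passphrase are prompted for and kept as secure values instead of being written into the script.

```powershell
# Added example; not the course's ConfigureSharePoint.ps1.
# Run in an elevated Windows PowerShell session on the SharePoint server,
# after the SharePoint binaries have been installed.

$ErrorActionPreference = 'Stop'

# Values taken from Task 1A of this lab.
$databaseServer = 'SP2010-WFE1'
$farmAccount    = 'CONTOSO\SP_Farm'
$caPort         = 9999

# Assumed database names (the lab text does not state them).
$configDbName = 'SharePoint_Config'
$adminDbName  = 'SharePoint_AdminContent'

# Prompt for the secrets so that they never appear in the script file,
# the command history or a transcript.
$farmCredential = Get-Credential -Credential $farmAccount
$passphrase     = Read-Host -Prompt 'Farm passphrase' -AsSecureString

# Loading the snap-in before a farm exists produces the expected warning
# "The local farm is not accessible."
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Create the configuration database and the Central Administration content
# database; this is what creates the farm.
New-SPConfigurationDatabase -DatabaseName $configDbName `
    -DatabaseServer $databaseServer `
    -AdministrationContentDatabaseName $adminDbName `
    -Passphrase $passphrase `
    -FarmCredentials $farmCredential

# The remaining steps mirror what the Products Configuration Wizard does.
Install-SPHelpCollection -All        # install the Help collections
Initialize-SPResourceSecurity        # set file system and registry ACLs
Install-SPService                    # register the farm services
Install-SPFeature -AllExistingFeatures

# Provision Central Administration on the port used in Task 1A.
New-SPCentralAdministration -Port $caPort -WindowsAuthProvider 'NTLM'
Install-SPApplicationContent

Write-Host "Farm created. Central Administration: http://$($env:COMPUTERNAME):$caPort"
```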


Exercise 5: Configuring the Farm with the Farm Configuration Wizard
 Task 1: Run the Farm Configuration Wizard
1.

Start SharePoint 2010 Central Administration:


a.

Click Start, click All Programs, click Microsoft SharePoint 2010 Products, and then click SharePoint 2010 Central Administration.

A User Account Control message appears.


2.

Click Yes.
After a few moments, Central Administration opens.

3.

In the Central Administration Quick Launch, click Configuration Wizards.

4.

In the Farm Configuration section, click Launch the Farm Configuration Wizard.

5.

On the Configure your SharePoint farm page, click Start the Wizard.

6.

In the Service Account section, click Create new managed account.

7.

In the User name box, type CONTOSO\SP_ServiceApps.

8.

In the Password box, type Pa$$w0rd.

9.

In the Services section, observe the list of service applications that will be
created by the Farm Configuration Wizard.

10. Clear the User Profile Service Application check box.


11. Click Next.
Farm service applications are created and started. This takes several minutes.
Optionally, you can open SQL Server Management Studio and refresh the view
of the Databases node to monitor the creation of service application databases.
When the configuration is complete, the Create Site Collection page opens.
12. On the Create Site Collection page, click Skip.
You will create an intranet in the following exercises.
13. On the Initial Farm Configuration Wizard page, click Finish.


Exercise 6 (Optional): Installing a Language Pack


 Task 1: Install the French language pack
1.

Double-click D:\Software\SharePointLanguagePackFR\ServerLanguagePack.exe.
The User Account Control dialog box appears.

2.

Click Yes.

3.

Select the J'accepte les termes de ce contrat check box.

4.

Click Continuer.
The language pack installs.

5.

On the Exécuter l'Assistant Configuration page, clear the Exécuter l'Assistant Configuration des produits SharePoint check box.

6.

Click Fermer.

 Task 2: Complete the configuration of the language pack


1.

Click Start, then click All Programs, then click Microsoft SharePoint 2010
Products, and then click SharePoint 2010 Products Configuration Wizard.
The User Account Control dialog box appears.

2.

Click Yes.
After a few minutes, the SharePoint 2010 Products Configuration Wizard
appears.

3.

On the Welcome to SharePoint Products page, click Next.


A message appears to inform you that services may have to be started or reset.

4.

Click Yes.
The farm is configured.

5.

On the Configuration Successful page, click Finish.


SharePoint 2010 Central Administration opens.


 Task 3: Validate the Installation of the language pack


1.

In SharePoint 2010 Central Administration, in the Quick Launch, click System Settings.

2.

In the Servers section, click Manage servers in this farm.


The Servers in Farm page appears.

3.

Confirm that SP2010-WFE1 has the Language Pack for SharePoint, Project Server, and Office Web Apps 2010 - French/Français installed.

 To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To
do this, complete the following steps:
1.

On the host computer, start Microsoft Hyper-V Manager.

2.

Right-click the virtual machine name in the Virtual Machines list, and then
click Revert.

3.

In the Revert Virtual Machine dialog box, click Revert.

Module 2: Creating a SharePoint 2010 Intranet

Lab: Creating a SharePoint 2010 Intranet
 Start the virtual machines
1.

Start 10174A-CONTOSO-DC-B.

2.

After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-B.

Exercise 1: Creating a Web Application


 Task 1: Create a new Web application
1.

Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password, Pa$$w0rd.

2.

Open SharePoint 2010 Central Administration.


The User Account Control dialog box appears.

3.

Click Yes.

4.

In the Central Administration Quick Launch, click Application Management.

5.

In the Web Applications section, click Manage web applications.

6.

On the Web Applications tab of the ribbon, click New.


The Create New Web Application page opens.

7.

In the Authentication section, select Classic Mode Authentication.


Microsoft SharePoint can now use Claims Based Authentication, which is
discussed in Module 5.

8.

In the IIS Web Site section, in the Port box, type 80.

9.

In the Host Header box, type intranet.contoso.com.

10. Make no changes to the Security Configuration and Public URL sections.


11. In the Application Pool section, ensure that Create new application pool is
selected.
12. In the Application pool name box, type SharePoint Web Applications.
You should use a meaningful, descriptive name for each application pool that
you create.
13. In the Application Pool section, under Select a security account for this
application pool, in the Configurable list, select
CONTOSO\SP_ServiceApps.
14. In the Database Name and Authentication section, in the Database Name
box, type WSS_Content_Intranet.
You should always use a meaningful name for your content databases.
15. Click OK.
The Web application and content database will be created. When it is
complete, the Application Created page opens.
16. Click OK.
The new Web application is displayed on the Web Applications Management
page.


Exercise 2: Creating a Site Collection


 Task 1: Create a new site collection
1.

In the Central Administration Quick Launch, click Application Management.

2.

In the Site Collections section, click Create site collections.

3.

In the Web Application section, confirm that http://intranet.contoso.com is selected.
If not, click the button, then click Change Web Application, and then click
SharePoint - intranet.contoso.com80.

4.

In the Title box, type Contoso Intranet.

5.

In the Web Site Address section, confirm that the address is http://intranet.contoso.com/.

6.

In the Template Selection section, click the Publishing tab, and then click
Publishing Portal.

7.

In the Primary Site Collection Administrator section, in the User name box,
type CONTOSO\SP_Admin.

8.

Click OK.
The site collection is created, and the Top-Level Site Collection page opens.

9.

Click OK.

 Task 2: Attempt to open the new site

In Windows Internet Explorer, in the address bar, type http://intranet.contoso.com and then press ENTER.
An Internet Explorer cannot display the webpage error page is displayed.

Question: What is the cause of this error?


Answer: The browser cannot resolve the name intranet.contoso.com. There is no
DNS record for intranet.contoso.com.


 Task 3: Add a DNS host record for the new Web application
1.

Click Start, then point to Administrative Tools, then hold the SHIFT key and
right-click DNS and then click Run as different user.
The Windows Security dialog box appears.

2.

In the User name box, type CONTOSO\Administrator.

3.

In the Password box, type Pa$$w0rd, and then press ENTER.

4.

Expand CONTOSO-DC, then expand Forward Lookup Zones, and then click
contoso.com.

5.

Right-click contoso.com and then click New Host (A or AAAA).


The New Host dialog box appears.

6.

In the Name box, type intranet.

7.

In the IP address box, type 10.0.0.21.

8.

Click Add Host.

9.

Click OK.

10. Click Done.


11. Close DNS Manager.

 Task 4: Open the new site


1.

In Internet Explorer, in the address bar, type http://intranet.contoso.com and then press ENTER.
An Internet Explorer cannot display the webpage error is displayed. If this
error does not appear on your system, continue to the next task.
Question: What is the cause of this error?
Answer: The DNS client has cached the negative resolution of
intranet.contoso.com.

2.

Click Start, and then click Command Prompt.

3.

Type ipconfig /flushdns, and then press ENTER.


4.

Close Command Prompt.

5.

In Internet Explorer, in the address bar, type http://intranet.contoso.com, and then press ENTER.
The Web site begins to load. Because this is the first time that the site has been
requested from the server, it must be compiled. This takes several seconds.
The intranet Web application opens.

 Task 5: Create a publishing site page


1.

On the Contoso intranet site, click Site Actions, and then click New Page.
The New Page page opens.

2.

In the New page name box, type Important Phone Numbers.

3.

Click Create.

4.

In the Page Content area, type In case of emergency, call 911.

5.

In the ribbon, click Save & Close.


The page is displayed.

 Task 6: Configure permissions


1.

Click Site Actions, and then click Site Permissions.

2.

In the Groups list, click the Contoso Intranet Visitors link.

3.

Click the New arrow, and then click Add Users.

4.

In the Users/Groups box, type CONTOSO\Domain Users and then click OK.
All users with Active Directory accounts in the CONTOSO domain can now
access the intranet site.


Exercise 3: Creating a Site Collection in a New Content Database
 Task 1: Create a content database
1.

Switch to SharePoint 2010 Central Administration.

2.

In the Central Administration Quick Launch, click Application Management.

3.

In the Databases section, click Manage content databases.

4.

In the Web Application section, confirm that http://intranet.contoso.com is selected.
If not, click the button, then click Change Web Application, and then click
SharePoint - intranet.contoso.com80.

5.

Click Add a content database.

6.

In the Database Name box, type WSS_Content_Intranet_IT, and then click OK.

 Task 2: Create a site collection in a specific content database


1.

In the Central Administration Quick Launch, click Application Management.

2.

In the Site Collections section, click Create site collections.

3.

In the Web Application section, confirm that http://intranet.contoso.com is selected.
If not, click the button, then click Change Web Application, and then click
SharePoint - intranet.contoso.com80.

4.

In the Title box, type Information Technology.

5.

In the Web Site Address section, ensure that sites is selected in the Site Prefix
list, and then type IT in the Site Name text box.
The result will be the URL for the site collection: http://intranet.contoso.com/sites/IT.


6.

In the Template Selection section, ensure that the Team Site site definition is
selected.

7.

In the Primary Site Collection Administrator section, in the User name box,
type CONTOSO\SP_Admin.

8.

Click OK.
The Top-Level Site Successfully Created page appears.

9.

Click OK.

 Task 3: Examine the information technology Web site


1.

Open a new tab of the browser, and then type http://intranet.contoso.com/sites/IT in the address bar. Press ENTER.
The Information Technology site opens.

2.

Spend some time reviewing and experimenting with the new site. You can
make changes to the site, but those changes will not persist after this lab.

 To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To
do this, complete the following steps:
1.

On the host computer, start Microsoft Hyper-V Manager.

2.

Right-click the virtual machine name in the Virtual Machines list, and then
click Revert.

3.

In the Revert Virtual Machine dialog box, click Revert.

Module 3: Administering and Automating SharePoint

Lab A: Automating SharePoint with Windows PowerShell
 Start the virtual machines
1.

Start 10174A-CONTOSO-DC-C

2.

After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-C.

Exercise 1: Adding SharePoint Functionality to Windows PowerShell
 Task 1: Load SharePoint .dll files using .NET reflection
1.

Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password Pa$$w0rd.

2.

In the Windows Quick Launch, click Windows PowerShell.


Windows PowerShell opens.

3.

To identify the assemblies that are currently loaded, type the following
command and then press ENTER:
[AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {
Split-Path $_.Location -Leaf } | Sort

Microsoft.SharePoint.dll is not in the list. To use the Microsoft SharePoint object model, you must load the SharePoint .dll files.
4.

Type the following command and then press ENTER:


[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

The output displays global assembly cache (GAC), version, and location
information for the assembly.


5.

Repeat step 3 to display the loaded assemblies.

Tip: You can press the UP ARROW to scroll through previously executed commands.

The listing includes the Microsoft.SharePoint.dll.

 Task 2: Add the SharePoint snap-in using the Add-PSSnapin cmdlet


1.

Type the following command and then press ENTER:


Get-PSSnapin

The output lists the snap-ins that have been added to the current session. The
SharePoint snap-in is not listed.
2.

Type the following command and then press ENTER:


Get-PSSnapin -Registered

The output lists the snap-ins that are registered on the system, except for those
that are installed with Windows PowerShell.
3.

Type the following command and then press ENTER:


Add-PSSnapin Microsoft.SharePoint.PowerShell

4.

Type the following command and then press ENTER:


Get-PSSnapin

The output lists the snap-ins that have been added to the current session. The
SharePoint snap-in is now added.


5.


To identify the assemblies that are currently loaded, type the following
command and then press ENTER:
[AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {
Split-Path $_.Location -Leaf } | Sort

The listing includes numerous SharePoint assemblies.


Rather than loading each assembly one by one, the Add-PSSnapin cmdlet loads
them all at once.
6.

Close Windows PowerShell.

 Task 3: Open SharePoint 2010 Management Shell


1.

Click Start, click All Programs, click Microsoft SharePoint 2010 Products,
and then click SharePoint 2010 Management Shell.

2.

Type the following command and then press ENTER:


Get-PSSnapin

The output lists the snap-ins that have been added to the current session. The
SharePoint snap-in is already added to the session.
3.

To identify the assemblies that are currently loaded, type the following
command and then press ENTER:
[AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {
Split-Path $_.Location -Leaf } | Sort

The listing demonstrates that SharePoint 2010 Management Shell preloads the
SharePoint .dll files.


Exercise 2: Delegating the Ability to Use Windows PowerShell to Manage SharePoint
 Task 1: Attempt to use Windows PowerShell to enumerate webs
1.

In SharePoint 2010 Management Shell, type the following command and then
press ENTER:
$spsite = Get-SPSite "http://intranet.contoso.com"

2.

To enumerate all of the webs in the site collection, type the following
command and then press ENTER:
$spsite | Get-SPWeb

An error appears, indicating that login failed. The SP_Admin user account does
not have the permissions required to access the information about the intranet
site collection with Windows PowerShell.

 Task 2: Configure least privilege rights to manage SharePoint with Windows PowerShell
1.

Click Start, click All Programs, click Microsoft SharePoint 2010 Products,
hold down the SHIFT key and right-click SharePoint 2010 Management
Shell, and then click Run as different user.
The Windows Security dialog box appears.

2.

In the User name box, type CONTOSO\Administrator.

3.

In the Password box, type Pa$$w0rd.

4.

Click OK.

5.

Type the following commands each followed by ENTER:


$spcdb = Get-SPContentDatabase WSS_Content_Intranet
Add-SPShellAdmin -UserName CONTOSO\SP_Admin -Database $spcdb

6.

Close the Administrator SharePoint Management Shell.
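
To review what the Add-SPShellAdmin delegation in step 5 granted, the following added example (not part of the lab) lists the shell administrators recorded for the farm configuration database and for every content database, and flags any account outside an expected list. It assumes a SharePoint 2010 Management Shell running under an account that can already read the farm, such as CONTOSO\Administrator in this lab; the expected-account list is an assumption to adjust.

```powershell
# Added example; not part of the course lab files.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Accounts that are supposed to hold shell access (assumption for this lab:
# only the account delegated in step 5). Add the farm account and any other
# accounts you expect before relying on the "unexpected" list.
$expectedShellAdmins = @('CONTOSO\SP_Admin')

function Get-ShellAdminReport {
    # Without -Database, Get-SPShellAdmin reports on the farm configuration database.
    foreach ($admin in @(Get-SPShellAdmin)) {
        New-Object PSObject -Property @{
            Scope    = 'Configuration database'
            Database = ''
            UserName = $admin.UserName
        }
    }

    # Shell access is granted per database, so check each content database.
    foreach ($db in @(Get-SPContentDatabase)) {
        foreach ($admin in @(Get-SPShellAdmin -Database $db)) {
            New-Object PSObject -Property @{
                Scope    = 'Content database'
                Database = $db.Name
                UserName = $admin.UserName
            }
        }
    }
}

$report = @(Get-ShellAdminReport)

# Full listing, one row per (database, account) pair.
$report | Sort-Object Scope, Database, UserName |
    Format-Table Scope, Database, UserName -AutoSize

# Accounts that hold shell access but are not on the expected list.
# -notcontains compares case-insensitively, which suits account names.
$unexpected = @($report | Where-Object { $expectedShellAdmins -notcontains $_.UserName })
if ($unexpected.Count -gt 0) {
    Write-Warning "Shell access held by accounts not on the expected list:"
    $unexpected | Format-Table Scope, Database, UserName -AutoSize
}

# To withdraw the grant made in step 5, uncomment the next two lines:
# $spcdb = Get-SPContentDatabase WSS_Content_Intranet
# Remove-SPShellAdmin -UserName CONTOSO\SP_Admin -Database $spcdb -Confirm
```

Add-SPShellAdmin also adds the user to the WSS_ADMIN_WPG local group on the farm's servers, so review that group's membership alongside this report.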


Exercise 3: Reporting Web and Site Collection Properties


 Task 1: Use Windows PowerShell to report Web properties
1.

Switch to SharePoint 2010 Management Shell.

2.

Type the following command and then press ENTER:


$spsite = Get-SPSite "http://intranet.contoso.com"

3.

To enumerate all of the webs in the site collection, type the following
command and then press ENTER:
$spsite | Get-SPWeb

4.

To enumerate all of the webs in the site collection using the AllWebs
collection, type the following command and then press ENTER:
$spsite.AllWebs

5.

To list specific properties of the webs, type the following command and then
press ENTER:
$spsite.AllWebs | Select LastItemModifiedDate, Url, Created | Sort Created

 Task 2: Attempt to use the Grid-View to report site collection properties
1.

To enumerate all of the site collections in the farm, except Central Administration, type the following command and then press ENTER:
Get-SPSite

2.

Type the following command and then press ENTER:


Get-SPSite | Select URL, @{Name="Storage"; Expression={"{0:N2} MB"
-f ($_.Usage.Storage/1000000)}}, @{Name="Quota";
Expression={"{0:N2} MB" -f ($_.Quota.StorageMaximumLevel/1000000)}
}

The listing displays various properties of each site collection.


3.

Type the following command and then press ENTER:


Get-SPSite | Select URL, @{Name="Storage"; Expression={"{0:N2} MB"
-f ($_.Usage.Storage/1000000)}}, @{Name="Quota";
Expression={"{0:N2} MB" -f ($_.Quota.StorageMaximumLevel/1000000)}
} | Out-GridView -Title "Sites with Usage"

An error indicates that the Windows PowerShell Integrated Scripting Environment feature is not installed.

 Task 3: Install the Windows PowerShell Integrated Scripting Environment
1.

Type the following two commands each followed by ENTER:


Import-Module ServerManager
Add-WindowsFeature PowerShell-ISE

An error indicates that you must run the command with elevated rights.
2.

Right-click the Windows PowerShell icon in the Windows taskbar, and then
click Run as Administrator.
A User Account Control message appears.

3.

Click Yes.

4.

Type the following two commands each followed by ENTER:


Import-Module ServerManager
Add-WindowsFeature PowerShell-ISE

5.

Close Administrator: Windows PowerShell.


 Task 4: Use the Grid-View to report site collection properties


1.

In SharePoint 2010 Management Shell, press the UP ARROW several times until you see the command you typed in Task 2, and then press ENTER to rerun the command:
Get-SPSite | Select URL, @{Name="Storage"; Expression={"{0:N2} MB"
-f ($_.Usage.Storage/1000000)}}, @{Name="Quota";
Expression={"{0:N2} MB" -f ($_.Quota.StorageMaximumLevel/1000000)}
} | Out-GridView -Title "Sites with Usage"

An error indicates that the Windows PowerShell Integrated Scripting Environment feature is not installed. This occurs because you must close and reopen SharePoint 2010 Management Shell to load the component.
2.

Close SharePoint 2010 Management Shell.

3.

Open SharePoint 2010 Management Shell.

4.

Type the following command and then press ENTER, which is the same as the
command you executed in step 1:
Get-SPSite | Select URL, @{Name="Storage"; Expression={"{0:N2} MB"
-f ($_.Usage.Storage/1000000)}}, @{Name="Quota";
Expression={"{0:N2} MB" -f ($_.Quota.StorageMaximumLevel/1000000)}
} | Out-GridView -Title "Sites with Usage"

A Grid-View window appears displaying the output of the command.


5.

Close the Sites With Usage window.


Exercise 4: Creating Site Collections Using Windows PowerShell
 Task 1: Create a single site collection using Windows PowerShell
1.

In SharePoint 2010 Management Shell, type the following commands:


New-SPContentDatabase -Name WSS_Content_Intranet_Sales -WebApplication http://intranet.contoso.com
$spsite = New-SPSite -Url "http://intranet.contoso.com/sites/Sales" -ContentDatabase WSS_Content_Intranet_Sales -OwnerAlias CONTOSO\SP_Admin -Template "STS#0"

A site collection and top-level web for the Sales department is created using the
Team Site site definition.
2.

Open Windows Internet Explorer.

3.

In the address bar, type http://intranet.contoso.com/sites/Sales, and then press ENTER.
The Sales site opens.

4.

Minimize Internet Explorer.

 Task 2: Create multiple site collections using Windows PowerShell


1.

In SharePoint 2010 Management Shell, type the following script. On the last
line, press ENTER to create a blank line. This causes the script to execute.
$i = ("HR", "Marketing")
ForEach($url in $i)
{
    # One content database and one Team Site site collection per department.
    New-SPContentDatabase -Name WSS_Content_Intranet_$url -WebApplication http://intranet.contoso.com
    New-SPSite -Url http://intranet.contoso.com/sites/$url -ContentDatabase WSS_Content_Intranet_$url -OwnerAlias CONTOSO\SP_Admin -Template "STS#0"
}

Two new content databases, site collections, and top-level webs are created.


2.

To enumerate all of the site collections in the farm, except Central Administration, type the following command and then press ENTER:
Get-SPSite

The output lists the new site collections.


Exercise 5: Creating and Updating Items


 Task 1: Modify a list item using Windows PowerShell
1.

Switch to Internet Explorer.

2.

In the Sales site Quick Launch, click All Site Content, and then click
Announcements.

3.

Observe the title of the only item in the list.

4.

Switch to SharePoint 2010 Management Shell, and then type the following
commands:
# Track the objects opened below so that they can be disposed of together.
$gc = Start-SPAssignment
$spsite = $gc | Get-SPSite "http://intranet.contoso.com/sites/Sales"
$splist = $spsite.rootweb.lists["Announcements"]
$splistitem = $splist.items[0]
$splistitem["Title"] = "Our SharePoint 2010 Sales site is now live!"
$splistitem.update()
# Dispose of everything collected in $gc.
$gc | Stop-SPAssignment

The list item will be updated. Notice that you did not use a cmdlet to update a
list item. There are things that will require direct access to the object model
and, as such, you need to be careful to dispose of objects you create.
5.

Switch to Internet Explorer, and then press F5 to refresh the view of the
Announcements list.

6.

Observe the updated title of the announcement.

7.

Close all Internet Explorer and Windows PowerShell windows.

 Do not shut down the virtual machines

Leave the virtual machines running. You will use them for Lab B.

Lab B: Administering SharePoint with Stsadm
Exercise 1: Executing Stsadm Commands
 Task 1: Display Stsadm Help documentation
1.

Click Start, click All Programs, click Microsoft SharePoint 2010 Products,
right-click SharePoint 2010 Management Shell, and then click Run as
administrator.
The User Account Control dialog box appears.

2.

Click Yes.

3.

Type the following command and then press ENTER:


stsadm

Examine the output of the command, which includes a list of the numerous
operations supported by Stsadm. Also notice the examples displayed at the
end of the Help documentation.
4.

To display Help documentation for the enumsites operation, type the following command and then press ENTER:
stsadm -help enumsites

 Task 2: Enumerate site collections in a Web application using Stsadm


1.

Type the following command, and observe the amount of time it takes for the
command to execute:
stsadm -o enumsites -url "http://intranet.contoso.com"

Review the Extensible Markup Language (XML) response that you get from
the command, and note that this can be used in a Windows PowerShell script
to iterate through all your site collections.


2.

Type the following command, and observe the amount of time it takes for the
command to execute:
Get-SPSite "http://intranet.contoso.com" | Get-SPWeb

3.

Repeat steps 1 and 2, and observe the amount of time it takes for each
command to execute.
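
How the XML returned by enumsites can be consumed in a Windows PowerShell script, as an added example that is not part of the lab. The XML below is a constructed sample shaped like the command's output (the attribute names are those in the sample; check them against your own output), and the function name ConvertFrom-EnumSitesXml is hypothetical.

```powershell
# Added example. Constructed sample shaped like the output of:
#   stsadm -o enumsites -url "http://intranet.contoso.com"
$sampleXml = @'
<Sites Count="3">
  <Site Url="http://intranet.contoso.com" Owner="CONTOSO\sp_admin" ContentDatabase="WSS_Content_Intranet" StorageUsedMB="2.4" StorageWarningMB="0" StorageMaxMB="0" />
  <Site Url="http://intranet.contoso.com/sites/IT" Owner="CONTOSO\sp_admin" ContentDatabase="WSS_Content_Intranet_IT" StorageUsedMB="0.6" StorageWarningMB="80" StorageMaxMB="100" />
  <Site Url="http://intranet.contoso.com/sites/Sales" Owner="CONTOSO\sp_admin" ContentDatabase="WSS_Content_Intranet_Sales" StorageUsedMB="0.5" StorageWarningMB="0" StorageMaxMB="0" />
</Sites>
'@

function ConvertTo-InvariantDouble {
    # Parse a number written with "." as the decimal separator; a missing or
    # malformed value becomes 0 instead of stopping the script.
    param([string]$Text)
    $value = 0.0
    $style = [System.Globalization.NumberStyles]::Float
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    [void][double]::TryParse($Text, $style, $culture, [ref]$value)
    return $value
}

function ConvertFrom-EnumSitesXml {
    # Turn the <Sites><Site .../></Sites> document into one object per site collection.
    param([Parameter(Mandatory = $true)][string]$Xml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)

    # SelectNodes returns an empty list when there are no <Site> elements,
    # so an empty web application yields no objects instead of a null entry.
    foreach ($node in $doc.SelectNodes('/Sites/Site')) {
        $maxMB = ConvertTo-InvariantDouble $node.GetAttribute('StorageMaxMB')
        New-Object PSObject -Property @{
            Url             = $node.GetAttribute('Url')
            Owner           = $node.GetAttribute('Owner')
            ContentDatabase = $node.GetAttribute('ContentDatabase')
            StorageUsedMB   = ConvertTo-InvariantDouble $node.GetAttribute('StorageUsedMB')
            StorageMaxMB    = $maxMB
            HasQuota        = ($maxMB -gt 0)   # 0 means no storage limit is set
        }
    }
}

# On a farm server, replace the sample with live output:
#   $liveXml = (stsadm -o enumsites -url "http://intranet.contoso.com") -join "`n"
$sites = @(ConvertFrom-EnumSitesXml -Xml $sampleXml)

# Inventory: which site collection lives in which content database, and who owns it.
$sites | Sort-Object ContentDatabase, Url |
    Format-Table Url, Owner, ContentDatabase, StorageUsedMB, HasQuota -AutoSize

# Site collections that can grow without limit because no quota applies.
$sites | Where-Object { -not $_.HasQuota } | Select-Object Url, ContentDatabase
```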

 Task 3: Create an Operations site collection using Stsadm


1.

Type the following command:


stsadm -o createsite -url "http://intranet.contoso.com/sites/Operations" -ownerlogin CONTOSO\SP_Admin -owneremail sharepoint@contoso.com

A new Operations site collection is created.


2.

Open Internet Explorer.

3.

In the address bar, type http://intranet.contoso.com/sites/Operations, and then press ENTER.
The Template Selection page appears.

4.

Select the Team Site template.

5.

Click OK.
The site is created using the Team Site site definition.

6.

On the Set Up Groups for this Site page, click OK.

 Task 4: Create an Operations Maintenance site using Stsadm


1.

Switch to SharePoint Management Shell, and then type the following command:
stsadm -o createweb -url "http://intranet.contoso.com/sites/Operations/Maintenance"

A new web called Maintenance is created in the Operations site collection.


2.

Switch to Internet Explorer.

3.

In the address bar, type http://intranet.contoso.com/sites/Operations/Maintenance, and then press ENTER.
The Template Selection page appears.


4.

Select the Team Site template, and then click OK.

 Task 5: Configure the site collection administrator using Stsadm


1.

Click the SharePoint Administrator menu in the upper-right corner of the page, and then click Sign in as Different User.
The Windows Security dialog box appears.

2.

In the User name box, type CONTOSO\Administrator.

3.

In the Password box, type Pa$$w0rd, and then click OK.


An Error: Access Denied page appears.

4.

Switch to SharePoint 2010 Management Shell, and then type the following command:
stsadm -o siteowner -url "http://intranet.contoso.com/sites/Operations" -ownerlogin CONTOSO\Administrator

5.

Switch to Internet Explorer, type http://intranet.contoso.com/sites/Operations/Maintenance in the address bar, and then press ENTER.
You can now access that site collection as CONTOSO\Administrator.

6.

Close all Internet Explorer and Windows PowerShell windows.

 To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To
do this, complete the following steps:
1.

On the host computer, start Microsoft Hyper-V Manager.

2.

Right-click the virtual machine name in the Virtual Machines list, and then
click Revert.

3.

In the Revert Virtual Machine dialog box, click Revert.

Module 4: Configuring Content Management

Lab A: Configuring List Throttling and Remote BLOB Storage
 Start the virtual machines
1.

Start 10174A-CONTOSO-DC-D.

2.

After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.

Exercise 1: Configuring List Throttling


 Task 1: Create a computer inventory list
1.

Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password Pa$$w0rd.

2.

Start Windows Internet Explorer.

3.

In the address bar, type http://intranet.contoso.com/sites/IT, and then press ENTER.
The Information Technology site opens.

4.

Click Site Actions, and then click More Options.

5.

In the Filter By panel, click Blank & Custom.

6.

Click Custom List.

7.

In the Name box, type ComputerInventory.

8.

Click Create.
The list is created with the URL http://intranet.contoso.com/sites/IT/Lists/ComputerInventory.

9.

Click the List tab, and then click List Settings.


The List Settings page opens.

10. Click Title, description and navigation.


11. In the Name box, type Computer Inventory, with a space.


12. Click Save.


13. In the navigation breadcrumb, click Computer Inventory.
14. Click the List tab, and then click Create Column.
The Create Column page opens.
15. In the Column name box, type Computer Name, and then click OK.
16. Click the List tab, and then click Create Column.
The Create Column page opens.
17. In the Column name box, type Serial Number, and then click OK.

 Task 2: Configure least privilege rights to manage SharePoint using


Windows PowerShell
1.

Click Start, click All Programs, click Microsoft SharePoint 2010 Products,
hold down the SHIFT key and right-click SharePoint 2010 Management
Shell, and then click Run as different user.

2.

Enter the user name CONTOSO\Administrator and the password Pa$$w0rd,


and then click OK.

4.

Type the following command, and then press ENTER.


Add-SPShellAdmin -UserName CONTOSO\SP_Admin -Database (GetSPContentDatabase "WSS_Content_Intranet_IT" )

5.

Close the Windows PowerShell window.

Task 3: Create a large list using Windows PowerShell
1. Open SharePoint 2010 Management Shell.
2. To create 4,000 items in the new list, type the following commands:
$site = Get-SPSite "http://intranet.contoso.com/sites/IT"
$web = $site.rootweb
$list = $web.Lists["Computer Inventory"]
$i = 1
do {
    # add item
    $newitem = $list.items.Add()
    $newitem["Title"] = "Client-" + $i.ToString().PadLeft(4, "0");
    $newitem["Computer Name"] = "Client-" + $i.ToString().PadLeft(4, "0");
    $newitem["Serial Number"] = $i.ToString().PadLeft(8, "0");
    $newitem.Update()
    $i++
} while ($i -le 4000)
$web.dispose()
$site.dispose()

You can watch the progress of the script by refreshing the Computer Inventory list page in the IT Web.

Task 4: Observe the list view threshold
1. Switch to Internet Explorer.
2. Click the List tab, and then click List Settings.
3. Verify that the List view threshold message indicates that the list contains 4,000 items.
4. In the navigation breadcrumb, click Computer Inventory.

Task 5: Add items to exceed the list threshold
1. Switch to SharePoint 2010 Management Shell.
2. To create 5,000 additional items in the Computer Inventory list, type the following commands:
$site = Get-SPSite "http://intranet.contoso.com/sites/IT"
$web = $site.rootweb
$list = $web.Lists["Computer Inventory"]
$i = 4001
do {
    # add item
    $newitem = $list.items.Add()
    $newitem["Title"] = "Client-" + $i.ToString().PadLeft(4, "0");
    $newitem["Computer Name"] = "Client-" + $i.ToString().PadLeft(4, "0");
    $newitem["Serial Number"] = $i.ToString().PadLeft(8, "0");
    $newitem.Update()
    $i++
} while ($i -le 9000)
$web.dispose()
$site.dispose()

You can watch the progress of the script by refreshing the Computer Inventory list page in the IT Web.

Task 6: Experience list throttling
1. Switch to Internet Explorer.
2. Press F5 to refresh the Computer Inventory list.
3. Click the List tab, and then click List Settings.
4. Verify that the List view threshold message indicates that the list contains 9,000 items.
5. In the Permissions and Management section, click Delete this list.
A confirmation dialog appears.
6. Click OK.
An Error page appears that indicates the operation is prohibited because it exceeds the list view threshold.
7. Click Go back to site.
8. In the Quick Launch, click Computer Inventory.
9. Point at the Title column header, and then click the drop-down arrow that appears.
A message appears: Cannot show the value of the filter. The field may not be filterable, or the number of items returned exceeds the list view threshold enforced by the administrator.
10. Click OK.

Task 7: Configure list throttling
1. Open SharePoint 2010 Central Administration.
The User Account Control dialog appears.
2. Click Yes.
3. In the Application Management section, click Manage web applications.
The Web Applications Management page opens.
4. Click SharePoint intranet.contoso.com80.
5. On the ribbon, click the General Settings drop-down arrow, and then click Resource Throttling.
The Resource Throttling page opens.
6. In the List View Threshold box, type 10000, and then click OK.
7. Switch to the instance of Internet Explorer that displays the Computer Inventory list.
8. Press F5 to refresh the page.
9. Point at the Title column header, and then click the drop-down arrow that appears.
10. Verify that the Show Filter Choices command is now available.
11. Switch to Central Administration.
12. Click SharePoint intranet.contoso.com80.
13. On the ribbon, click the General Settings drop-down arrow, and then click Resource Throttling.
14. In the List View Threshold box, type 7000.
15. Select the Enable a daily time window for large queries check box.
16. In the Start time list, select 11pm.
17. In the Duration list, select 5 hours, and then click OK.
18. Switch to the instance of Internet Explorer that displays the Computer Inventory list.
19. Click the List tab, and then click List Settings.
20. Verify that the List view threshold is 7000.
21. Close all open Internet Explorer windows.
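
The final Task 7 settings can also be applied from SharePoint 2010 Management Shell, and the same session can report which lists the threshold affects. This is an added example, not part of the courseware; it assumes the lab web application answers at http://intranet.contoso.com and uses the throttling properties of SPWebApplication and SPList from the SharePoint 2010 server object model.

```powershell
# Added example, not courseware code. Run in SharePoint 2010 Management Shell
# as an account that is allowed to change web application settings.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: URL of the lab web application that hosts /sites/IT.
$wa = Get-SPWebApplication "http://intranet.contoso.com"

# Same values that steps 14-17 of Task 7 enter on the Resource Throttling page.
$wa.MaxItemsPerThrottledOperation = 7000                  # List View Threshold
$wa.UnthrottledPrivilegedOperationWindowEnabled = $true   # daily time window for large queries
$wa.DailyStartUnthrottledPrivilegedOperationsHour = 23    # start time 11pm
$wa.DailyStartUnthrottledPrivilegedOperationsMinute = 0
$wa.DailyUnthrottledPrivilegedOperationsDuration = 5      # duration in hours
$wa.Update()

# Report every list that holds more items than the threshold, and every list
# on which throttling has been switched off (SPList.EnableThrottling = $false).
$threshold = $wa.MaxItemsPerThrottledOperation
foreach ($site in $wa.Sites) {
    try {
        foreach ($web in $site.AllWebs) {
            try {
                foreach ($list in $web.Lists) {
                    $overThreshold = $list.ItemCount -gt $threshold
                    if ($overThreshold -or -not $list.EnableThrottling) {
                        New-Object PSObject -Property @{
                            Web              = $web.Url
                            List             = $list.Title
                            ItemCount        = $list.ItemCount
                            OverThreshold    = $overThreshold
                            EnableThrottling = $list.EnableThrottling
                        } | Select-Object Web, List, ItemCount, OverThreshold, EnableThrottling
                    }
                }
            } finally {
                $web.Dispose()    # SPWeb objects from AllWebs must be released
            }
        }
    } finally {
        $site.Dispose()           # SPSite objects from Sites must be released
    }
}
```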


Exercise 2: Enabling FILESTREAM and Provisioning the RBS Data Store

Task 1: Enable FILESTREAM on the computer running SQL Server
1. Click Start, click All Programs, click Microsoft SQL Server 2008 R2, click Configuration Tools, hold down the SHIFT key and right-click SQL Server Configuration Manager, and then click Run as different user.
The Windows Security dialog appears.
2. In the User name box, type CONTOSO\Administrator. In the Password box, type Pa$$w0rd. Then, click OK.
3. Click SQL Server Services.
4. Right-click SQL Server (MSSQLServer), and then click Properties.
5. Click the FILESTREAM tab.
6. Select the Enable FILESTREAM for Transact-SQL access check box.
7. Select the Enable FILESTREAM for file I/O streaming access check box.
8. Select the Allow remote clients to have streaming access to FILESTREAM data check box, and then click OK.
9. Close SQL Server Configuration Manager.
10. Click Start, click All Programs, click Microsoft SQL Server 2008 R2, hold down the SHIFT key and right-click SQL Server Management Studio, and then click Run as different user.
The Windows Security dialog appears.
11. In the User name box, type CONTOSO\Administrator. In the Password box, type Pa$$w0rd. Then, click OK.
12. Confirm that the Server name is SP2010-WFE1, and then click Connect.
13. In Object Explorer, right-click SP2010-WFE1, and then click Properties.
14. In the Select a page section, click Advanced.
15. Click Filestream Access Level, click the drop-down arrow, and then click Full access enabled. Click OK.
A message appears indicating that you must restart Microsoft SQL Server.
Click OK.

16. In Object Explorer, right-click SP2010-WFE1, and then click Restart.
A confirmation dialog appears.
17. Click Yes.

Task 2: Provision a BLOB store
1. In Microsoft SQL Server Management Studio, expand Databases, and then click WSS_Content_Intranet_IT.
2. Click the New Query button on the toolbar.
The Query Editor opens a new query in the details pane.
3. To set the database master key, type the following query into the Query Editor:
use [WSS_Content_Intranet_IT]
if not exists (select * from sys.symmetric_keys where name = N'##MS_DatabaseMasterKey##')
create master key encryption by password = N'Master Key Pa$$w0rd'
4. Click the Execute button on the toolbar.
5. Click the New Query button on the toolbar.
The Query Editor opens a new query in the details pane.
6. To enable a new filegroup for your Remote BLOB Storage (RBS) provider, type the following query into the Query Editor:
if not exists (select groupname from sysfilegroups where groupname = N'RBSFilestreamProvider')
alter database [WSS_Content_Intranet_IT] add filegroup RBSFilestreamProvider contains filestream
7. Click the Execute button on the toolbar.
8. Click the New Query button on the toolbar.
The Query Editor opens a new query in the details pane.
9. To add a file system mapping for your RBS provider, type the following query into the Query Editor:
alter database [WSS_Content_Intranet_IT] add file (name = RBSFilestreamFile, filename = 'c:\Blobstore') to filegroup RBSFilestreamProvider
10. Click the Execute button on the toolbar.

Exercise 3: Installing RBS on All SharePoint Web and Application Servers

Task 1: Install RBS on the first Web server
1. Click Start, right-click Command Prompt, and then click Run as administrator.
The User Account Control dialog appears.
2. Click Yes.
3. Type the following commands, and then press ENTER.
cd d:\labfiles\lab04
d:
4. Type the following command, and then press ENTER:
msiexec /qn /lvx* rbs_install_log1.txt /i RBS.msi TRUSTSERVERCERTIFICATE=true FILEGROUP=PRIMARY DBNAME="WSS_Content_Intranet_IT" DBINSTANCE="SP2010-WFE1" FILESTREAMFILEGROUP=RBSFilestreamProvider FILESTREAMSTORENAME=FilestreamProvider_1
5. Wait one minute for the operation to complete.

Task 2: Confirm the installation of RBS
1. Open the D:\Labfiles\Lab04\rbs_install_Log1.txt file.
2. Confirm that you see the following line within the last 20 lines of the end of the file:
Product: SQL Server 2008 R2 Remote Blob Store -- Installation completed successfully.
3. Close rbs_install_log1.
4. Switch to Microsoft SQL Server Management Studio.
5. In Object Explorer, right-click the root node SP2010-WFE1, and then click Refresh.

6. Expand Databases, expand WSS_Content_Intranet_IT, and then expand Tables.
7. Verify that several tables exist with names that begin with the letters mssqlrbs.
8. Close SQL Server Management Studio. When prompted to save changes, click No.

Task 3: Enable RBS for a content database
1. Switch to SharePoint 2010 Management Shell.
2. To enable RBS in a specific content database, type the following commands:
$cdb = Get-SPContentDatabase "WSS_Content_Intranet_IT"
$rbss = $cdb.RemoteBlobStorageSettings
$rbss.Installed()
$rbss.Enable()
$rbss.SetActiveProviderName($rbss.GetProviderNames()[0])
$rbss

Task 4: Test the RBS provider
1. Open the C:\BlobStore folder.
A message appears indicating that you need permission to access the folder.
2. Click Continue.
The Blobstore folder opens.
3. Observe the number of items in the folder.
4. Open Internet Explorer.
5. In the address bar, type http://intranet.contoso.com/sites/IT, and then press ENTER.
6. In the Quick Launch, click Shared Documents.
7. Click Add document.
8. Click Browse.
9. Navigate to the D:\LabFiles\Lab04 folder, select rbs_install_log1, and then click Open. Click OK.

10. Switch to the Windows Explorer window showing the Blobstore folder.
11. Observe that a new folder has been added to the Blobstore folder.
12. Open the folder with the most recent modified date, open the folder inside, and then open the file with the most recent modified date.
13. Examine the contents of the file to verify that this is the rbs_install_log1 file.
14. Close Notepad.

Exercise 4: Configuring the BLOB Size Threshold for RBS

Task 1: Configure the minimum BLOB storage size
1. Switch to SharePoint 2010 Management Shell.
2. To configure the MinimumBlobStorageSize property to 1 Megabyte (Mbyte), type the following commands:
$cdb = Get-SPContentDatabase "WSS_Content_Intranet_IT"
$rbss = $cdb.RemoteBlobStorageSettings
$rbss.MinimumBlobStorageSize = 1048576
$cdb.update()

Task 2: Validate the behavior of minimum BLOB storage size
1. Switch to Internet Explorer.
2. Click Add document.
3. Click Browse.
4. Navigate to the D:\LabFiles\Lab04 folder, select SharePoint_2010_Walkthrough_Guide.pdf, and then click Open. Click OK.
5. Click Add document.
6. Click Browse.
7. Navigate to the D:\LabFiles\Lab04 folder, select SharePoint_2010_Datasheet.pdf, and then click Open. Click OK.
8. Switch to the Windows Explorer window showing the Blobstore folder.
9. Verify that a new file representing SharePoint_2010_Walkthrough_Guide.pdf has appeared, and observe its Date modified.
10. Verify that there is not a file representing SharePoint_2010_Datasheet.pdf with a Date modified after the date of SharePoint_2010_Walkthrough_Guide.pdf.
11. Close all open applications and windows.

Do not shut down the virtual machines

Leave the virtual machines running. You will use them for Lab B.


Lab B: Configuring Managed Metadata

Exercise 1: Configuring and Implementing Managed Metadata

Task 1: Assign Term Store Administrators
1. Open SharePoint 2010 Central Administration.
The User Account Control dialog appears.
2. Click OK.
3. In the Application Management section, click Manage service applications.
4. Click the Managed Metadata Service link.
The Term Store Management Tool opens.
5. In the Term Store Administrators box, type CONTOSO\SP_Admin.
6. Click Save.

Task 2: Create a group, a term set, and terms
1. Under Taxonomy Term Store, point at Managed Metadata Service, click the drop-down arrow that appears, and then click New Group.
2. Type Organization, and then press ENTER.
3. Point at Organization, click the drop-down arrow, and then click New Term Set.
4. Type Department, and then press ENTER.
5. Point at Department, click the drop-down arrow, and then click Create Term.
6. Type Marketing, and then press ENTER.
7. Type Finance, and then press ENTER.
8. Type IT, and then press ENTER.
9. Type Sales, and then press ENTER.

Task 3: Add a managed metadata column to a list
1. Open a new tab in Internet Explorer.
2. In the address bar, type http://intranet.contoso.com/sites/IT, and then press ENTER.
3. In the Quick Launch, click All Site Content.
4. Click Create.
5. Click Custom List.
6. In the Name box, type SupportRequests.
7. Click Create.
8. Click the List tab, and then click Create Column.
9. In the Column name box, type User Name, and then click OK.
10. Click the List tab, and then click Create Column.
11. In the Column name box, type Department.
12. In the list of column types, click Managed Metadata.
13. In the Term Set Settings section, expand Managed Metadata Service, expand Organization, and then click Department. Click OK.
14. Click the List tab, and then click Create Column.
15. In the Column name box, type Request Type.
16. In the list of column types, click Managed Metadata.
17. In the Term Set Settings section, click Customize your term set.
18. Click Edit Using Term Set Manager.
A message box appears.
19. Click OK.
The Term Store Management Tool opens in a new window.
20. Confirm that Submission Policy is configured as Open.
21. Close Term Store Management Tool.

Task 4: Add items with managed metadata
1. Click the Items tab, and then click New Item.
2. In the Title box, type Create a new account for Andy Ruth.
3. In the User Name box, type AndyR.
4. In the Department box, type Fin.
The Suggestions list appears and displays Finance.
5. Press ENTER to accept the suggestion.
6. In the Request Type box, type New User, and then press ENTER.
New User is displayed with a red, dashed underline. This indicates that the term does not exist.
7. Click the Browse for a valid choice button next to the Request Type box.
8. Click Add New Item.
9. Type New User, and then press ENTER.
10. Click Select, and then click OK.
11. Click Save.
12. Repeat the steps in this task to create the following support requests:

Title                                 User Name   Department   Request Type
Reset password for Christa Geller     ChristaG    IT           Password Reset
Problem starting computer             FrankM      Marketing    Desktop Support
Create a new account for Sean Chai    SeanC       Sales        New User
Reset password for Lola Jacobsen      LolaJ       Sales        Password Reset

Task 5: Configure metadata navigation
1. Click the List tab, and then click List Settings.
2. In the General Settings section, click Metadata navigation settings.
3. In the Available Hierarchy Fields list, click Department, and then click Add.
4. In the Available Hierarchy Fields list, click Request Type, and then click Add.
5. In the Selected Hierarchy Fields list, click Folders, and then click Remove. Click OK.
6. In the Quick Launch, click SupportRequests.
7. Observe the tree view below the Quick Launch.
8. Click the terms in the Department and Request Type term sets to filter the list.

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog, click Revert.


Module 5: Configuring Authentication

Lab A: Configuring Custom Authentication

Start the virtual machines
1. Start 10174A-CONTOSO-DC-D.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.

Exercise 1: Creating and Configuring an ASP.NET Membership Database

Task 1: Create an ASP.NET membership database
1. Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password Pa$$w0rd.
2. Click Start, then right-click Command Prompt, and then click Run as administrator.
The User Account Control dialog box appears.
3. Click Yes.
4. Type the following commands:
cd c:\windows\microsoft.net\framework\v2.0.50727
aspnet_regsql.exe
The ASP.NET SQL Server Setup Wizard appears.
5. On the Welcome page, click Next.
6. On the Select a Setup Option page, click Next.
7. On the Select the Server and Database page, click Next.
8. On the Confirm Your Settings page, click Next.
9. On the The database has been created or modified page, click Finish.

Task 2: Configure the connection to the database
1. Type the following commands:
cd c:\windows\microsoft.net\framework\v2.0.50727\config
notepad machine.config
2. Modify the connectionStrings element of the XML file to match the following:
<connectionStrings>
  <clear/>
  <add name="LocalSQLServer"
       connectionString="Server=.;Database=aspnetdb;uid=sa;pwd=Pa$$w0rd;"
       providerName="System.Data.SqlClient"/>
</connectionStrings>
3. Click File, and then click Save.
4. Close Notepad.
5. In Administrator: Command Prompt, type the following commands:
cd c:\windows\microsoft.net\framework64\v2.0.50727\config
notepad machine.config
6. Repeat steps 2-4.

Task 3: Create users
1. Click Start, click All Programs, click Microsoft SharePoint 2010 Products, right-click SharePoint 2010 Management Shell, and then click Run as administrator.
The User Account Control dialog box appears.
2. Click Yes.

3. Execute the following commands:
$member = New-Object System.Web.Security.SQLMembershipProvider
$vals = New-Object System.Collections.Specialized.NameValueCollection
$vals.Add("name", "sql")
$vals.Add("connectionStringName", "LocalSQLServer")
$vals.Add("applicationName", "/")
$member.Initialize("sql", $vals);
$status = New-Object System.Web.Security.MembershipCreateStatus
$member.CreateUser('SiteAdministrator', 'Pa$$w0rd', 'SharePoint@contoso.com', 'first person kissed', 'mom', $true, $id, [ref] $status)
Ignore the error message that indicates the membership provider name specified is invalid.
4. Type the following command:
$status
5. Verify that the result is Success.
6. Type the following commands:
$member = New-Object System.Web.Security.SQLMembershipProvider
$vals = New-Object System.Collections.Specialized.NameValueCollection
$vals.Add("name", "sql")
$vals.Add("connectionStringName", "LocalSQLServer")
$vals.Add("applicationName", "/")
$member.Initialize("sql", $vals);
$status = New-Object System.Web.Security.MembershipCreateStatus
$member.CreateUser('JamesF', 'Pa$$w0rd', 'JamesF@tailspintoys.com', 'favorite pet', 'Spot', $true, $id, [ref] $status)
Ignore the error message that indicates the membership provider name specified is invalid.

7. Type the following command:
$status
8. Verify that the last message you see is Success.
9. Close SharePoint 2010 Management Shell.

Task 4: Enable the secure token service to use forms-based authentication
1. In Administrator: Command Prompt, type the following commands:
cd "c:\program files\common files\microsoft shared\web server extensions\14\webservices\root"
notepad web.config
2. Locate the <system.web> element, then locate the <membership> element, and then locate the <providers> element.
3. Remove the <clear/> directive inside the <providers> element.
4. Locate the <roleManager> element, and then locate the <providers> element.
5. Remove the <clear/> directive inside the <providers> element.
6. Click File, and then click Save.
7. Close Notepad.
8. Close Administrator: Command Prompt.
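
Task 2 of this exercise writes the sa login and its password in clear text into both machine.config files, so anyone who can read those files can read the credential. The following added example (not part of the courseware) reports connection strings that embed a SQL login without printing the password; the function name Get-EmbeddedSqlCredential and the second sample entry are constructed for illustration.

```powershell
# Added example, not courseware code. Works in Windows PowerShell 2.0 and later.

function Get-EmbeddedSqlCredential {
    param(
        [Parameter(Mandatory = $true)] [xml] $Config,
        [string] $Source = '(inline sample)'
    )
    # Keyword synonyms that SqlClient accepts for the login and its password.
    $userKeys = @('uid', 'user id', 'user')
    $passKeys = @('pwd', 'password')

    # local-name() keeps the query working if the file declares a default namespace.
    $xpath = "//*[local-name()='connectionStrings']/*[local-name()='add']"
    foreach ($node in $Config.SelectNodes($xpath)) {
        $builder = New-Object System.Data.Common.DbConnectionStringBuilder
        try {
            # Calling the setter directly avoids PowerShell treating the
            # builder as a dictionary and adding a key named ConnectionString.
            $builder.set_ConnectionString($node.GetAttribute('connectionString'))
        } catch {
            continue   # value is not a key=value connection string
        }

        $login = $null
        foreach ($key in $userKeys) {
            if ($builder.ContainsKey($key)) { $login = [string] $builder[$key] }
        }
        $hasPassword = $false
        foreach ($key in $passKeys) {
            if ($builder.ContainsKey($key)) { $hasPassword = $true }
        }

        # Report the entry, but never the password value itself.
        if ($hasPassword) {
            New-Object PSObject -Property @{
                Source    = $Source
                Name      = $node.GetAttribute('name')
                Login     = $login
                LoginIsSa = ($login -eq 'sa')
            } | Select-Object Source, Name, Login, LoginIsSa
        }
    }
}

# Constructed sample: the first entry is the one Task 2 writes to machine.config;
# the second (hypothetical) entry uses Windows authentication for contrast.
$sample = @'
<configuration>
  <connectionStrings>
    <clear/>
    <add name="LocalSQLServer"
         connectionString="Server=.;Database=aspnetdb;uid=sa;pwd=Pa$$w0rd;"
         providerName="System.Data.SqlClient"/>
    <add name="ExampleIntegrated"
         connectionString="Server=.;Database=aspnetdb;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient"/>
  </connectionStrings>
</configuration>
'@
Get-EmbeddedSqlCredential -Config $sample

# The two files edited in Task 2, checked when they exist on this machine.
$paths = @(
    'c:\windows\microsoft.net\framework\v2.0.50727\config\machine.config',
    'c:\windows\microsoft.net\framework64\v2.0.50727\config\machine.config'
)
foreach ($path in $paths) {
    if (Test-Path $path) {
        Get-EmbeddedSqlCredential -Config ([xml] (Get-Content $path)) -Source $path
    }
}
```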

Exercise 2: Creating a Web Application that Uses Claims-Based Authentication

Task 1: Create a Web application that uses both Windows and forms-based authentication
1. Open SharePoint 2010 Central Administration.
The User Account Control dialog box appears.
2. Click Yes.
3. In the Application Management section, click Manage web applications.
4. On the ribbon, click New.
5. In the Authentication section, click Claims Based Authentication.
6. In the Port box, type 80.
7. In the Host Header box, type clients.contoso.com.
8. In the Claims Authentication Types section, select the Enable Windows Authentication and Integrated Windows Authentication check boxes, and then select NTLM from the drop-down list.
9. Select Enable Forms Based Authentication (FBA).
10. In the ASP.NET Membership provider name box, type AspNetSqlMembershipProvider.
11. In the ASP.NET Role manager name box, type AspNetSqlRoleProvider.
12. In the Application Pool section, click Use existing application pool, and then select SharePoint 80 (CONTOSO\SP_ServiceApps) from the drop-down list.
13. For the database name, type WSS_Content_Clients.
14. Click OK.
Central Administration provisions the new Web application.
15. On the Application Created page, click the Create Site Collection link.
16. In the Title box, type CONTOSO Client Portal.

17. In the Template Selection section, click the Publishing tab, and then click Publishing Portal.
18. In the Primary Site Collection Administrator section, in the User name text box, type CONTOSO\SP_Admin.
19. In the Secondary Site Collection Administrator section, type SiteAdministrator.
20. Click OK.
The Top-Level Site Successfully Created dialog box appears.
21. Click OK.

Task 2: Add a DNS host record for the new Web application
1. Click Start, then click Administrative Tools, then hold SHIFT and right-click DNS, and then select Run as different user.
The Windows Security dialog box appears.
2. In the User name box, type CONTOSO\Administrator.
3. In the Password box, type Pa$$w0rd.
4. Expand CONTOSO-DC, then expand Forward Lookup Zones, and then click contoso.com.
5. Right-click contoso.com, and then click New Host (A or AAAA).
The New Host dialog box appears.
6. In the Name box, type clients.
7. In the IP address box, type 10.0.0.21.
8. Click Add Host.
9. Click OK.
10. Click Done.
11. Close DNS Manager.

Task 3: Test claims-based authentication
1. Open Internet Explorer.
2. In the address bar, type http://clients.contoso.com, and then press ENTER.
3. On the Sign In page, select Forms Authentication from the drop-down list.
4. In the User name box, type SiteAdministrator.
5. In the Password box, type Pa$$w0rd.
6. Click Sign In.
7. Verify that you are authenticated as SiteAdministrator.
8. Click SiteAdministrator in the upper-right corner of the page.
9. Click Sign in as Different User.
10. On the Sign In page, select Windows Authentication from the drop-down list.
The Windows Security dialog box appears.
11. In the User name box, type CONTOSO\SP_Admin.
12. In the Password box, type Pa$$w0rd.
13. Click OK.
14. Verify that you are authenticated as SharePoint Administrator.
15. Close all open Internet Explorer windows.

Do not shut down the virtual machines

Leave the virtual machines running. You will use them for Lab B.

Lab Review

Question: Why must you remove the <clear/> elements from the Web.config file?
Answer: The <clear/> elements prevent the SharePoint Secure Token service from finding users in the forms-based authentication database. The service cannot build claims for the users, and authentication would fail.

Question: If you are familiar with the configuration of forms-based authentication on Microsoft Office SharePoint Server 2007, what is different about the number and type of Web applications required to support forms-based authentication in Microsoft SharePoint Server 2010 in the client extranet scenario presented in this lab?
Answer: Microsoft Office SharePoint Server 2007 required a separate, extended Web application to support forms-based authentication. In SharePoint Server 2010, claims-based authentication accepts claims from multiple authentication mechanisms, including both Windows and forms-based authentication. Therefore, only one Web application is required to support this scenario.


Lab B: Configuring Secure Store

Exercise 1: Creating User Accounts for Access to External Data

Task 1: Create Active Directory accounts
1. On SP2010-WFE1, click Start, then click Administrative Tools, then hold the SHIFT key and right-click Active Directory Users and Computers, and then select Run as different user.
The Windows Security dialog box appears.
2. In the User name box, type CONTOSO\Administrator.
3. In the Password box, type Pa$$w0rd.
4. Click OK.
5. Expand contoso.com, and then click Users.
6. Right-click Users, then point to New, and then click User.
7. In the Full name box, type Excel Unattended Service Account.
8. In the User logon name box, type SP_Excel_USA.
9. Click Next.
10. In the Password and Confirm password boxes, type Pa$$w0rd.
11. Clear the User must change password at next logon check box.
12. Select the Password never expires check box.
13. Click Next.
14. Click Finish.
15. Repeat steps 6-14 to create the following accounts:
Full name: Performance Point Unattended Service Account, User logon name: SP_PerfPoint_USA.
Full name: Visio Graphics Unattended Service Account, User logon name: SP_Visio_USA.
16. Close Active Directory Users and Computers.

Exercise 2: Configuring Secure Store Services

Task 1: Initialize an instance of a Secure Store Service application
1. Open SharePoint 2010 Central Administration. At the User Account Control dialog box, click Yes.
2. In the Quick Launch, click Application Management.
3. In the Service Applications section, click Manage service applications.
4. Click the Secure Store Service link on the Secure Store Service Application row.
5. On the ribbon, click Generate New Key.
6. In the Pass Phrase and Confirm Pass Phrase boxes, type 10174_SSS_2010.
7. Click OK.

Task 2: Create a target application for Excel Services
1. On the ribbon, click New.
2. In the Target Application ID box, type ExcelUnattendedSA.
3. In the Display Name box, type Excel Unattended Service Account.
4. In the Contact E-mail box, type sharepoint@contoso.com.
5. In the Target Application Type list, select Group.
6. In the Target Application Page URL section, click None.
7. Click Next.
8. On the Add Field page, click Next.
9. In the Target Application Administrators box, type CONTOSO\SP_Admin.
10. In the Members list, type Domain Users.
11. Click OK.

Task 3: Configure the Secure Store credentials for Excel Services
1. Select the ExcelUnattendedSA check box.
2. In the Credentials group of the ribbon, click Set.
3. In the Windows User Name box, type CONTOSO\SP_Excel_USA.
4. In the Windows Password and Confirm Windows Password boxes, type Pa$$w0rd.
5. Click OK.

Task 4: Create a target application for Visio Graphics
1. On the ribbon, click New.
2. In the Target Application ID box, type VisioUnattendedSA.
3. In the Display Name box, type Visio Unattended Service Account.
4. In the Contact E-mail box, type sharepoint@contoso.com.
5. In the Target Application Type list, select Group.
6. In the Target Application Page URL section, click None.
7. Click Next.
8. On the Add Field page, click Next.
9. In the Target Application Administrators box, type CONTOSO\SP_Admin.
10. In the Members list, type Domain Users.
11. Click OK.

Task 5: Configure the Secure Store credentials for Visio Graphics
1. Select the VisioUnattendedSA application check box.
2. In the Credentials group on the ribbon, click Set.
3. In the Windows User Name box, type CONTOSO\SP_Visio_USA.
4. In the Windows Password and Confirm Windows Password boxes, type Pa$$w0rd.
5. Click OK.

Exercise 3: Configuring Secure Store Unattended Accounts

Task 1: Configure Excel Services Secure Store account
1. Click Application Management.
2. In the Service Applications section, click Manage service applications.
3. Click Excel Services Application on the line of Excel Services Application Web Service Application.
4. Click Global Settings.
5. In the External Data section, in the Application ID box, type ExcelUnattendedSA, and then click OK.
Excel Services can now use the credentials in Secure Store to render spreadsheets and connect to external data connections.

Task 2: Configure PerformancePoint Secure Store account
1. Click Application Management.
2. In the Service Applications section, click Manage service applications.
3. Click PerformancePoint Service Application.
4. Click PerformancePoint Service Application Settings.
5. In the Secure Store and Unattended Service Account section, in the User Name box, type CONTOSO\SP_PerfPoint_USA.
6. In the password box, type Pa$$w0rd.
7. Click OK.
PerformancePoint will create its own Secure Store account based on the information you entered.

Task 3: Configure Visio Graphics Secure Store account
1. Click Application Management.
2. In the Service Applications section, click Manage service applications.
3. Click Visio Graphics Service.

4. Click Global Settings.
5. On the External Data section, in the Application ID box, type VisioUnattendedSA, and then click OK.
Visio can now execute diagrams and data connection refreshes using the unattended account.

To prepare for the next module

When you finish the lab, set the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Module 6: Securing Content

Lab: Configuring Security for SharePoint Content
Scenario
You have created an intranet on a new Microsoft SharePoint 2010 farm at
Contoso, Ltd. You have been tasked with helping set up users, groups, and
permissions on the intranet until governance and training are in place, at which
point permission management will be delegated to site collection administrators.
Additionally, you must configure SharePoint to support the business requirement
that the internal security and compliance audit team has the ability to access all
information stored on the intranet.

 Log on to the virtual machine for this lab


1. Start 10174A-CONTOSO-DC-D.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.

Exercise 1: Managing SharePoint Groups


 Task 1: Add a user to a site's Members group
1. Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password Pa$$w0rd.
2. Open Internet Explorer.
3. In the address bar, type http://intranet.contoso.com/sites/IT, and then press ENTER.
4. Click Site Actions, and then click Site Permissions.
5. On the ribbon, click Grant Permissions.
6. In the Users/Groups box, type CONTOSO\SanjayS.
7. In the drop-down list, select Information Technology Members [Contribute], and then click OK.
You have now added Sanjay Shah, the Contoso chief technology officer (CTO), as a contributor to the IT intranet Web, which gives him Read and Write permissions.

 Task 2: Verify that the member can sign in


1. In the address bar of Windows Internet Explorer, type http://intranet.contoso.com/sites/IT, and then press ENTER.
2. In the upper-right corner of the page, click SharePoint Administrator, and then click Sign in as Different User.
The Windows Security dialog appears.
3. In the User name box, type CONTOSO\SanjayS.
4. In the Password box, type Pa$$w0rd, and then click OK.
5. In the Quick Launch, click Tasks.
6. Click Add new item.
7. In the Title box, type Select SharePoint Governance Team.
8. Click Save.

 Task 3: Add a user to a site's Visitors group


1. In the upper-right corner of the page, click Shah, Sanjay, and then click Sign in as Different User.
The Windows Security dialog appears.
2. Click Use another account.
3. In the User name box, type CONTOSO\SP_Admin.
4. In the Password box, type Pa$$w0rd, and then click OK.
5. Click Site Actions, and then click Site Permissions.
6. In the groups list, click Information Technology Visitors.
7. Click the drop-down arrow next to the New button, and then click Add Users.
8. In the Users/Groups box, type CONTOSO\JeffL, and then click OK.
You have now added Jeff Low, the Contoso vice president of finance, as a visitor to the IT intranet Web, which gives him Read permission.

 Task 4: Verify that the visitor can sign in


1. In the tab navigation, click Information Technology.
2. In the upper-right corner of the page, click SharePoint Administrator, and then click Sign in as Different User.
The Windows Security dialog appears.
3. Click Use another account.
4. In the User name box, type CONTOSO\JeffL.
5. In the Password box, type Pa$$w0rd, and then click OK.
6. In the Quick Launch, click Tasks.
7. Verify that you do not see the Add new item command.

 Task 5: Create a new group and assign it the Design permission level
1. In the upper-right corner of the page, click Low, Jeff, and then click Sign in as Different User.
The Windows Security dialog appears.
2. Click Use another account.
3. In the User name box, type CONTOSO\SP_Admin.
4. In the Password box, type Pa$$w0rd, and then click OK.
5. Click Site Actions, and then click Site Permissions.
6. On the ribbon, click Create Group.
7. In the Name box, type Information Technology Designers.
8. In the About Me box, type Use this group to grant people Design permissions to the SharePoint site: Information Technology.
9. In the Give Group Permissions to this Site section, select the Design permission level check box.
10. Click Create.

Exercise 2: Creating Custom Permission Levels


 Task 1: Create a custom permission level to allow viewing Web
analytics reports
1. Click Site Actions, and then click Site Permissions.
2. On the ribbon, click Permission Levels.
3. Click Add a Permission Level.
4. In the Name box, type View Usage.
5. In the Description box, type Can see only usage data about this site.
6. Select the View Web Analytics Data check box.
Note: Additional permissions check boxes are selected automatically.
7. Click Create.
8. Click Site Actions, and then click Site Permissions.
9. On the ribbon, click Create Group.
10. In the Name box, type Usage Monitors.
11. In the About Me box, type Use this group to grant people permission to view Web Analytics data for the SharePoint site: Information Technology Dept.
12. In the Give Group Permission to this Site section, select the View Usage check box.
13. Click Create.
14. Click the drop-down arrow next to the New button, and then click Add Users.
15. In the Users/Groups box, type CONTOSO\LolaJ, and then click OK.

 Task 2: Attempt to view Web analytics reports


1. In the address bar of Internet Explorer, type http://intranet.contoso.com/sites/IT, and then press ENTER.
2. In the upper-right corner of the page, click SharePoint Administrator, and then click Sign in as Different User.
The Windows Security dialog appears.
3. Click Use another account.
4. In the User name box, type CONTOSO\LolaJ.
5. In the Password box, type Pa$$w0rd, and then click OK.
An Access Denied error appears.
6. To open the usage page, click in the address bar, type http://intranet.contoso.com/sites/it/_layouts/usageDetails.aspx, and then press ENTER.
An Access Denied error appears. This is because although you have permission to access Web analytics data, you do not yet have permission to view the default application pages that present that data.

 Task 3: Add a permission to the custom permission level


1. Click Sign in as Different User.
The Windows Security dialog appears.
2. Click Use another account.
3. In the User name box, type CONTOSO\SP_Admin.
4. In the Password box, type Pa$$w0rd, and then click OK.
5. Click Site Actions, and then click Site Permissions.
6. On the ribbon, click Permission Levels.
7. Click View Usage.
8. Select the View Application Pages check box.
9. Click Submit.

 Task 4: Validate the functionality of the custom permission level


1. In the address bar of Internet Explorer, type http://intranet.contoso.com/sites/IT, and then press ENTER.
2. In the upper-right corner of the page, click SharePoint Administrator, and then click Sign in as Different User.
The Windows Security dialog appears.
3. Click Use another account.
4. In the User name box, type CONTOSO\LolaJ.
5. In the Password box, type Pa$$w0rd, and then click OK.
An Access Denied error appears.
6. In the address bar, type http://intranet.contoso.com/sites/it/_layouts/settings.aspx, and then press ENTER.
7. Click Site Web Analytics reports.
8. Examine the report, and then click the browser's Back button.
9. Click Site Collection Web Analytics reports.
10. Examine the report, and then click the browser's Back button.
11. Close Internet Explorer.

Exercise 3: Managing Permissions and Inheritance


 Task 1: Add a document and a folder to a library
1. Open Internet Explorer.
2. In the address bar, type http://intranet.contoso.com/sites/IT, and then press ENTER.
The Windows Security dialog appears.
3. In the User name box, type CONTOSO\SP_Admin.
4. In the Password box, type Pa$$w0rd, and then click OK.
5. In the Quick Launch, click Shared Documents.
6. Click Add document.
7. Click Browse.
8. Select the file D:\Labfiles\LAB06\IT Policies and Procedures for SharePoint 2010, click Open, and then click OK.
9. On the ribbon, click the Documents tab.
10. Click New Folder.
11. In the Name box, type Usage Reports.
12. Click Save.

 Task 2: Assign permissions to a folder


1. Click the Usage Reports row to select it.
Do not click the Usage Reports link because it will open the folder.
2. On the ribbon, click Document Permissions.
3. On the ribbon, click Stop Inheriting Permissions.
A Message from webpage dialog appears.
4. Click OK.
5. To select all permissions, click the check box in the column heading row, next to Name.
6. On the ribbon, click Remove User Permissions.
A Message from webpage dialog appears.
7. Click OK.
8. On the ribbon, click Grant Permissions.
9. In the Users/Groups box, type CONTOSO\LolaJ.
10. In the Grant Permissions box, select the Full Control check box, and then click OK.

 Task 3: Verify the behavior of SharePoint permissions


1. In the address bar of Internet Explorer, type http://intranet.contoso.com/sites/IT, and then press ENTER.
2. In the upper-right corner of the page, click SharePoint Administrator, and then click Sign in as Different User.
The Windows Security dialog appears.
3. Click Use another account.
4. In the User name box, type CONTOSO\LolaJ.
5. In the Password box, type Pa$$w0rd, and then click OK.
An Access Denied error appears.
6. In the address bar, type http://intranet.contoso.com/sites/IT/Shared Documents.
The document library opens. You are able to see the Usage Reports folder but not the policies document.
7. Close all open Internet Explorer windows.
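
Exercise 3 leaves the Usage Reports folder with its own permissions, and uniquely secured objects like this are easy to lose track of once permission management is delegated. The following script is an added example, not part of the course lab: it lists every list, folder, and item in a Web that no longer inherits permissions, together with who holds which permission level. It assumes the SharePoint 2010 Management Shell on a farm server; the function names Get-RoleAssignmentRow and Get-UniquePermissionReport are hypothetical.

```powershell
# Added example (not from the course): report objects with unique permissions.
# Run in SharePoint 2010 Management Shell (PowerShell 2.0) with farm rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Emit one row per role assignment on a securable object (list, folder, item).
function Get-RoleAssignmentRow {
    param($Securable, [string]$Scope, [string]$Path)

    foreach ($assignment in $Securable.RoleAssignments) {
        # A principal can hold several permission levels on the same object.
        $levels = @($assignment.RoleDefinitionBindings |
                    ForEach-Object { $_.Name })
        New-Object PSObject -Property @{
            Scope     = $Scope
            Path      = $Path
            Principal = $assignment.Member.Name   # user or group display name
            Levels    = ($levels -join ', ')
        }
    }
}

function Get-UniquePermissionReport {
    param([Parameter(Mandatory = $true)][string]$WebUrl)

    $web = Get-SPWeb -Identity $WebUrl
    try {
        # @(...) copies each collection before it is enumerated.
        foreach ($list in @($web.Lists)) {
            if ($list.Hidden) { continue }   # skip system lists and galleries

            if ($list.HasUniqueRoleAssignments) {
                Get-RoleAssignmentRow -Securable $list -Scope 'List' `
                    -Path $list.RootFolder.ServerRelativeUrl
            }
            # .Folders returns folder items; .Items returns documents and
            # list items. Both can be slow on very large lists.
            foreach ($folder in @($list.Folders)) {
                if ($folder.HasUniqueRoleAssignments) {
                    Get-RoleAssignmentRow -Securable $folder -Scope 'Folder' `
                        -Path $folder.Url
                }
            }
            foreach ($item in @($list.Items)) {
                if ($item.HasUniqueRoleAssignments) {
                    Get-RoleAssignmentRow -Securable $item -Scope 'Item' `
                        -Path $item.Url
                }
            }
        }
    }
    finally {
        $web.Dispose()   # release the SPWeb when the report is done
    }
}

# Usage against the lab site. After Task 2 the Usage Reports folder should be
# listed with CONTOSO\LolaJ's account holding Full Control.
Get-UniquePermissionReport -WebUrl 'http://intranet.contoso.com/sites/IT' |
    Sort-Object Path |
    Format-Table Scope, Path, Principal, Levels -AutoSize
```

Limited Access entries in the Levels column are expected on parent objects of a uniquely secured folder; they are how SharePoint lets a user reach the folder without reading its siblings.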


Exercise 4: Creating a Web Application Policy


 Task 1: Add a user to a group
1. On SP2010-WFE1, click Start, click Administrative Tools, hold down the SHIFT key and right-click Active Directory Users and Computers, and then select Run as different user.
2. Enter the user name CONTOSO\Administrator and the password Pa$$w0rd, and then click OK.
3. Expand the contoso.com domain, and then click the Users container.
4. Right-click the Users container, point to New, and then click Group.
5. In the Name box, type SharePoint Content Auditors, and then click OK.
6. In the details pane, double-click SharePoint Content Auditors.
7. Click the Members tab.
8. Click Add.
9. Type CONTOSO\JimD, click OK, and then click OK again.

 Task 2: Create groups


1. Right-click the Users container, point to New, and then click Group.
2. In the Name box, type SharePoint Full Control Policy, and then click OK.
3. Right-click the Users container, point to New, and then click Group.
4. In the Name box, type SharePoint Deny Policy, and then click OK.
5. Close Active Directory Users and Computers.

 Task 3: Create a Read Web application policy


1. Open SharePoint 2010 Central Administration.
The User Account Control dialog appears.
2. Click Yes.
3. In the Application Management section, click Manage web applications.
4. Click SharePoint - intranet.contoso.com80.
5. On the ribbon, click User Policy.
6. Click Add Users.
7. In the Zones list, select (All Zones).
8. Click Next.
9. In the Users box, type CONTOSO\SharePoint Content Auditors.
10. In the Choose Permissions section, select the Full Read check box.
11. Click Finish.

 Task 4: Create a Full Control Web application policy


1. Click Add Users.
2. In the Zones list, select (All Zones).
3. Click Next.
4. In the Users box, type CONTOSO\SharePoint Full Control Policy.
5. In the Choose Permissions section, select the Full Control check box.
6. Click Finish.

 Task 5: Create a Deny Web application policy


1. Click Add Users.
2. In the Zones list, select (All Zones).
3. Click Next.
4. In the Users box, type CONTOSO\SharePoint Deny Policy.
5. In the Choose Permissions section, select the Deny All check box.
6. Click Finish, and then click OK.

 Task 6: Verify the behavior of SharePoint Web application policies


1. In the address bar of Internet Explorer, type http://intranet.contoso.com/sites/IT, and then press ENTER.
2. In the upper-right corner of the page, click SharePoint Administrator, and then click Sign in as Different User.
The Windows Security dialog appears.
3. Click Use another account.
4. In the User name box, type CONTOSO\JimD.
5. In the Password box, type Pa$$w0rd, and then click OK.
6. In the Quick Launch, click Tasks.
7. Verify that you do not see the Add new item command.

Results: After this exercise, you should have created a new Web application policy
granting full Read permission to the intranet for audit purposes.
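
Web application policies apply to every site collection in the Web application regardless of site-level permissions, so the three policies created in this exercise are worth reviewing periodically along with the membership of the Active Directory groups behind them. The following script is an added example, not part of the course lab: it lists the user policies of a Web application for all zones and per zone, and marks Full Control and Deny entries for review. It assumes the SharePoint 2010 Management Shell on a farm server; the function names and the NeedsReview column are hypothetical.

```powershell
# Added example (not from the course): audit Web application user policies.
# Run in SharePoint 2010 Management Shell (PowerShell 2.0) with farm rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# SPPolicyRoleType values that override site permissions most strongly.
$HighImpactRoleTypes = @('FullControl', 'DenyAll', 'DenyWrite')

# Flatten a policy collection into one row per (principal, policy role).
function ConvertTo-PolicyRow {
    param($WebApp, [string]$Zone, $Policies)

    foreach ($policy in $Policies) {
        foreach ($role in $policy.PolicyRoleBindings) {
            $roleType = $role.Type.ToString()
            New-Object PSObject -Property @{
                WebApplication = $WebApp.DisplayName
                Zone           = $Zone
                UserName       = $policy.UserName
                IsSystemUser   = $policy.IsSystemUser
                Role           = $role.Name
                RoleType       = $roleType
                NeedsReview    = ($HighImpactRoleTypes -contains $roleType)
            }
        }
    }
}

function Get-WebAppPolicyReport {
    param([Parameter(Mandatory = $true)][string]$Url)

    $wa = Get-SPWebApplication -Identity $Url

    # Policies added with (All Zones) selected, as in Tasks 3 to 5.
    ConvertTo-PolicyRow -WebApp $wa -Zone '(All Zones)' -Policies $wa.Policies

    # Policies scoped to a single zone; only zones with IIS settings are read.
    foreach ($zone in @($wa.IisSettings.Keys)) {
        ConvertTo-PolicyRow -WebApp $wa -Zone ($zone.ToString()) `
            -Policies ($wa.ZonePolicies($zone))
    }
}

# Usage against the lab Web application. After Exercise 4 the report should
# include the three CONTOSO groups with Full Read, Full Control, and Deny All.
Get-WebAppPolicyReport -Url 'http://intranet.contoso.com' |
    Sort-Object NeedsReview -Descending |
    Format-Table UserName, Zone, Role, IsSystemUser, NeedsReview -AutoSize
```

Because the policies in this lab are granted to Active Directory groups, the report shows the group names only; who actually receives the access is decided by group membership in Active Directory Users and Computers.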

 To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To
do this, complete the following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog, click Revert.

Module 7: Managing SharePoint Customizations

Lab A: Administering Features and Solutions
 Start the virtual machines
1. Start 10174A-CONTOSO-DC-D.
2. After CONTOSO-DC has completed startup, start 10174A-SP2010-WFE1-D.

Exercise 1: Administering Features


 Task 1: Activate a built-in feature
1. Log on to SP2010-WFE1 as CONTOSO\SP_Admin with the password Pa$$w0rd.
2. Open Windows Internet Explorer.
3. In the address bar, type http://intranet.contoso.com, and then press ENTER.
4. Click Site Actions, and then click View All Site Content.
5. Click Create.
The Create page appears.
6. Observe that neither a calendar nor a contact list is shown as an available option.
7. Close the Create page.
8. Click Site Actions, and then click Site Settings.
9. In the Site Actions section, click Manage site features.
10. In the Team Collaboration Lists row, click Activate.
11. Click Site Actions, and then click View All Site Content.
12. Click Create.
The Create page appears.
13. Observe that you can now create a calendar or contact list.
14. Close the Create page.

 Task 2: Install a custom feature


1. Open Windows Explorer and browse to the folder D:\Labfiles\Lab07.
2. Right-click the CustomAction folder, and then click Copy.
3. In Windows Explorer, browse to C:\Program Files\Common Files\Microsoft Shared\web server extensions\14\Template\Features.
Each folder in the Features folder represents a feature on the Microsoft SharePoint server.
4. Press CTRL+V to paste the CustomAction folder into the Features folder.
5. Close the Features folder window.
6. Click Start, then click All Programs, then click Microsoft SharePoint 2010 Products, then right-click SharePoint 2010 Management Shell, and then click Run as administrator.
The User Account Control dialog box appears.
7. Click Yes.
8. Type the following command and then press ENTER:

stsadm -o installfeature -filename CustomAction\feature.xml

This will install a new feature into SharePoint that enables a simple custom action in the Site Actions menu.

 Task 3: Activate and test a custom feature


1. Switch to Internet Explorer.
2. Click Site Actions, and then click Site Settings.
3. In the Site Actions section, click Manage site features.
4. In the JavaScript Dropdown Item row, click Activate.
5. Click Site Actions, and then click A Custom Action.
A Message from webpage window appears with the message, Hello World.
6. Click OK.

 Task 4: Deactivate a feature


1. Click Site Actions, and then click Site Settings.
2. In the Site Actions section, click Manage site features.
3. In the JavaScript Dropdown Item row, click Deactivate.
A warning page appears.
4. Click Deactivate this feature.
5. Click Site Actions, then observe that A Custom Action no longer appears, and then press ESC to close the menu.
6. Close Internet Explorer.

Exercise 2: Administering Solutions


 Task 1: Install a solution
1. Switch to SharePoint 2010 Management Shell.
2. Type the following commands:

stsadm -o addsolution -filename "d:\Labfiles\Lab07\ApplicationTemplateCore.wsp"
stsadm -o addsolution -filename "d:\Labfiles\Lab07\BugDatabase.wsp"

3. Close SharePoint 2010 Management Shell.
4. Open SharePoint 2010 Central Administration.
The User Account Control dialog box appears.
5. Click Yes.
6. In the Quick Launch, click System Settings.
7. In the Farm Management section, click Manage farm solutions.
8. Observe that the two solutions are installed, but are not deployed.

 Task 2: Deploy a solution


1. Click applicationtemplatecore.wsp.
2. Click Deploy Solution.
3. Review the settings, and then click OK.
4. Click bugdatabase.wsp.
5. Click Deploy Solution.
6. Review the settings, and then click OK.

 Task 3: Confirm the deployment of a solution


1. In the address bar, type http://intranet.contoso.com/sites/IT, and then press ENTER.
2. Click Site Actions, and then click New Site.
3. In the left navigation, click the Application Templates tab, and then click Bug Database.
4. In the Title box, type Bug Tracking.
5. In the URL name box, type Bugs.
6. Click Create.
A new bug database Web is created in the IT site collection.
7. In the address bar, type http://intranet.contoso.com/sites/IT/Bugs, and then press ENTER.
8. Close all open Internet Explorer windows.

Results: After completing this exercise, you should have installed and deployed
SharePoint solutions to your farm.

 Do not shut down the virtual machines

Leave the virtual machines running. You will use them for Lab B.


Lab Review
Question: What is a disadvantage of deploying a feature, in contrast to a solution,
to a farm with more than one server?
Answer: The Features folder must be the same on all servers in the farm, so you
must copy the feature to all servers and keep the Features folder in sync. When
you deploy a feature with a solution, SharePoint updates the Features folder on
each server in the farm.
Question: Why is it important in some cases, such as the solutions deployed in
this lab, to deploy solutions in a specific order?
Answer: Solutions can have dependencies upon other solutions. The Bug Database
solution has dependencies on the Application Template Core solution.

Lab B: Administering Sandboxed Solutions
Exercise 1: Administering Sandboxed Solutions
 Task 1: Ensure that the code service is running
1. Click Start, then click Administrative Tools, and then click Services.
2. Right-click SharePoint 2010 User Code Host, and then click Properties.
3. Verify that the service is not started, and that the Startup type is Disabled.
4. Click OK.
5. Open SharePoint 2010 Central Administration.
The User Account Control dialog box appears.
6. Click Yes.
7. In the Quick Launch, click System Settings.
8. Click Manage services on server.
9. In the Microsoft SharePoint Foundation Sandboxed Code Service row, click Start.
The service status changes to Started.
10. Switch to the Services console.
11. Right-click SharePoint 2010 User Code Host, and then click Properties.
12. Verify that the service is started, and that the Startup type is Automatic.
13. Click OK.
14. Close the Services console.

 Task 2: Upload a sandboxed solution


1. Switch to Internet Explorer.
2. In the address bar, type http://intranet.contoso.com/sites/IT, and then press ENTER.
3. Click Site Actions, and then click Site Settings.
4. In the Galleries section, click Solutions.
5. On the ribbon, click the Solutions tab, and then click Upload Solution.
6. Click Browse.
7. Select D:\Labfiles\Lab07\BadReceiver.wsp.
8. Click Open.
9. Click OK.
10. On the ribbon, click Activate.
The BadReceiver solution is displayed with a status of Activated.
11. Click Site Actions, and then click Site Settings.
12. In the Site Actions section, click Manage site features.
13. In the BadReceiver Feature1 row, click Activate.

 Task 3: Test a sandboxed solution


1. In the Quick Launch, click All Site Content.
2. Click Announcements.
3. On the ribbon, click the Items tab.
4. Click New Item.
5. In the Title box, type My Announcement.
6. Click Save.
An error message appears.
7. Click Go back to site.
8. Click Site Actions, and then click Site Settings.
9. In the Galleries section, click Solutions.
Observe that the BadReceiver solution shows no resource usage. That is because the timer job has not yet calculated the resource usage for the solution.
If you happened to see resource usage, then you were lucky! The timer jobs executed just in time.

Results: After completing this exercise, you should have deployed and tested the
BadReceiver solution.


Exercise 2: Modifying Sandboxed Solutions Timer Jobs


 Task 1: Run sandboxed solution timer jobs
1. Open SharePoint 2010 Central Administration.
The User Account Control dialog box appears.
2. Click Yes.
3. In the Quick Launch, click Monitoring.
4. In the Timer Jobs section, click Review job definitions.
5. Locate the Solution Resource Usage Update timer job for SharePoint - intranet.contoso.com80.
Tip: You must click the arrow at the bottom of the page.
6. Click Solution Resource Usage Update in the SharePoint - intranet.contoso.com80 row.
Note: Be sure to click Solution Resource Usage Update and not Solution Daily Resource Usage Update. Clicking the latter will cause resource usage points to be reset.
7. Click Run Now.
8. Click Solution Resource Usage Log Processing in the SharePoint - intranet.contoso.com80 row.
9. Click Run Now.

 Task 2: Monitor resource usage


1. Switch to the instance of Internet Explorer that is displaying the Solutions Gallery.
2. Press F5 to refresh the page.
The resource usage for the solution should now be updated. If you do not see the updated resource usage, then you may need to wait for up to 5 minutes for the timer jobs to execute.

Exercise 3: Configuring Sandbox Points


 Task 1: Review default resource measures
1. Run SharePoint 2010 Management Shell as administrator.
The User Account Control dialog box appears.
2. Click Yes.
3. To export a list of default point values, type the following command and then press ENTER:

$spusercodeservice = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local
$spusercodeservice.ResourceMeasures > c:\ResourceMeasures.txt

4. Open the file C:\ResourceMeasures.txt.
This file contains a listing of the resource measures that are monitored for sandboxed solutions.
5. To find the section for database queries, press CTRL+F, then type SharePointDatabaseQueryCount, and then press ENTER.
6. Record the current values of ResourcesPerPoint and AbsoluteLimit.
7. Close the file.

 Task 2: Change default resource measure points


1. Switch to Administrator: SharePoint 2010 Management Shell.
2. Type the following commands:

$spusercodeservice = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local
$obj = $spusercodeservice.ResourceMeasures["SharePointDatabaseQueryCount"]
$obj.ResourcesPerPoint = 1
$obj.Update()
$obj | Select-Object Name,ResourcesPerPoint

This script sets the ResourcesPerPoint property for SharePointDatabaseQueryCount to 1 and will cause SharePoint database queries to increase the resource usage point count very quickly.
3. Type the following command:

iisreset

IIS restarts and enables the new resource settings.
4. Close Administrator: SharePoint 2010 Management Shell.

 Task 3: Test modified sandboxed resource measures


1. Switch to the instance of Internet Explorer that displays the IT intranet Web.
It will take a few seconds to load the Web, because you recently reset IIS.
2. In the Quick Launch, click All Site Content.
3. Click Announcements.
4. On the ribbon, click Items.
5. Click New Item.
6. In the Title box, type My Next Announcement.
7. Click Save.
An error message appears.
8. Click Go back to site.
9. Click Site Actions, and then click Site Settings.
10. In the Galleries section, click Solutions.
Observe that the BadReceiver solution shows no resource usage. That is because the timer job has not yet calculated resource usage for the solution.
If you saw resource usage, then you were lucky! The timer jobs executed just in time. Skip to step 14.
11. Repeat Task 1 of Exercise 2 to run the sandboxed solutions timer jobs.
12. Switch to the instance of Internet Explorer that displays the Solutions gallery for the IT intranet Web.
13. Press F5 to refresh the page.
14. Observe that the resource usage of the solution is increasing more rapidly.
If you do not see the updated resource usage, then you may need to wait for up to 5 minutes for the timer jobs to execute.

 Task 4: Deactivate the bad solution


1. Click Site Actions, and then click Site Settings.
2. In the Galleries section, click Solutions.
3. Click the Bad Receiver row.
4. On the ribbon, click Deactivate.
The Solution Gallery - Deactivate Solution page opens.
5. On the ribbon, click Deactivate.

 Do not shut down the virtual machines

Leave the virtual machines running. You will use them for Lab C.

Lab Review
Question: What was the value of ResourcesPerPoint for
SharePointDatabaseQueryCount? Explain the relationship between this number
and one resource usage point.
Answer: 400. Each database query accrues 1/400 of a resource usage point.
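
Exercise 3 changes a farm-wide resource measure and relies on reverting the virtual machine to undo it. On a farm that is not reverted, the original values have to be recorded and put back explicitly. The following script is an added example, not part of the course lab: it saves ResourcesPerPoint and AbsoluteLimit for every resource measure, reports any measure that has drifted from the saved values (including how many points one unit of the resource now costs), and can restore the saved values. The function names and the file path are hypothetical.

```powershell
# Added example (not from the course): baseline and restore resource measures.
# Run in SharePoint 2010 Management Shell (PowerShell 2.0) with farm rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Save Name, ResourcesPerPoint and AbsoluteLimit for every resource measure.
function Export-ResourceMeasureBaseline {
    param([Parameter(Mandatory = $true)][string]$Path)

    $svc = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local
    # Export-Clixml keeps the numeric types, so the values are not re-parsed
    # from text under a different regional setting later.
    $svc.ResourceMeasures |
        Select-Object Name, ResourcesPerPoint, AbsoluteLimit |
        Export-Clixml -Path $Path
}

# Report measures that differ from the baseline; with -Restore, put them back.
function Compare-ResourceMeasureBaseline {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$Restore
    )

    $svc = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local
    foreach ($saved in (Import-Clixml -Path $Path)) {
        $current = $svc.ResourceMeasures[$saved.Name]
        if ($current -eq $null) { continue }   # measure not present on farm

        $drifted = ($current.ResourcesPerPoint -ne $saved.ResourcesPerPoint) -or
                   ($current.AbsoluteLimit -ne $saved.AbsoluteLimit)
        if (-not $drifted) { continue }

        # Row is built from the drifted values before anything is changed.
        New-Object PSObject -Property @{
            Name              = $saved.Name
            SavedPerPoint     = $saved.ResourcesPerPoint
            CurrentPerPoint   = $current.ResourcesPerPoint
            # With 400 per point one query costs 1/400 point; with 1 it costs 1.
            PointsPerUnitNow  = 1 / $current.ResourcesPerPoint
            SavedAbsolute     = $saved.AbsoluteLimit
            CurrentAbsolute   = $current.AbsoluteLimit
            Restored          = [bool]$Restore
        }

        if ($Restore) {
            $current.ResourcesPerPoint = $saved.ResourcesPerPoint
            $current.AbsoluteLimit     = $saved.AbsoluteLimit
            $current.Update()
        }
    }
}

# Usage: take the baseline before Task 2, then compare or restore afterwards.
# The lab applies changed values with iisreset; do the same after a restore.
#   Export-ResourceMeasureBaseline -Path C:\ResourceMeasures.baseline.xml
#   Compare-ResourceMeasureBaseline -Path C:\ResourceMeasures.baseline.xml
#   Compare-ResourceMeasureBaseline -Path C:\ResourceMeasures.baseline.xml -Restore
```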

Lab C: Administering the Developer Dashboard
Scenario
You have installed a new SharePoint 2010 farm for your developers. Recently the
development manager fielded several performance issues from end users and has
mandated that applications are designed with performance as top priority. One of
the developers has asked you to enable the Developer Dashboard for debugging
and instrumentation purposes to support this new initiative.

Exercise 1: Configuring the Developer Dashboard


 Task 1: Enable the Developer Dashboard
1. Open SharePoint 2010 Management Shell.
2. Type the following commands:

$svc=[Microsoft.SharePoint.Administration.SPWebService]::ContentService
$ddsetting=$svc.DeveloperDashboardSettings
$ddsetting.DisplayLevel=[Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel]::OnDemand
$ddsetting.Update()

This script enables the Developer Dashboard in OnDemand mode.

 Task 2: Review the Developer Dashboard


1. Open Internet Explorer.
2. In the address bar, type http://intranet.contoso.com/sites/IT, and then press ENTER.
3. Click the small icon in the top right next to SharePoint Administrator.
This will enable the Developer Dashboard for the page.
4. Observe the information that is available on the page:
   Http Handler Events for Http Request
   Web Server stats
   Asserts and Critical events
   Database Queries
   Service Calls
   SPRequest Allocations
   WebPart Events Offsets

 Task 3: Disable the Developer Dashboard


1. Switch to SharePoint 2010 Management Shell.
2. Type the following commands:

$svc=[Microsoft.SharePoint.Administration.SPWebService]::ContentService
$ddsetting=$svc.DeveloperDashboardSettings
$ddsetting.DisplayLevel=[Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel]::Off
$ddsetting.Update()

This script disables the Developer Dashboard.

Results: After completing the exercise, you should have enabled and disabled the
Developer Dashboard on the IT intranet Web.


 To prepare for the next module


When you finish the lab, reset the virtual machines back to their initial state. To do
this, complete the following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Lab Review
Question: Describe the role of the Developer Dashboard.
Answer: The Developer Dashboard exposes performance and debugging
information that can be used to monitor and improve the performance of pages
and solutions.
