AF010283605

Deployment for Windows SharePoint
Services 3.0 technology
Microsoft Corporation
Published: February 2009
Author: Microsoft Office System and Servers Team (o12ITdx@microsoft.com)
Abstract
This book provides information and guidelines to lead a team through the steps of deploying a
solution based on Windows SharePoint Services 3.0. The audiences for this book are business
application specialists, line-of-business specialists, information architects, IT generalists, program
managers, and infrastructure specialists who are deploying a solution based on Windows
SharePoint Services 3.0. You can find information about upgrading to Windows SharePoint
Services 3.0 in the book Upgrading to Windows SharePoint Services 3.0 technology
(http://go.microsoft.com/fwlink/?LinkId=85554&clcid=0x409).
The content in this book is a copy of selected content in the Windows SharePoint Services
technical library (http://go.microsoft.com/fwlink/?LinkId=81199) as of the date above. For the most
current content, see the technical library on the Web.
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission
of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place
or event is intended or should be inferred.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Access, Active Directory, Excel, Groove, InfoPath, Internet Explorer, OneNote,
Outlook, PerformancePoint, PowerPoint, SharePoint, SQL Server, Visio, Windows,
Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
ii
Contents
Getting Help .............................................................................................................................. xi
Roadmap to Windows SharePoint Services 3.0 content .......................................................... 1

Windows SharePoint Services 3.0 content by audience .......................................................... 1
Windows SharePoint Services 3.0 IT professional content by stage of the IT life cycle .......... 2
Evaluate .............................................................................................................................. 2
Plan ..................................................................................................................................... 3
Deploy................................................................................................................................. 4
Operate ............................................................................................................................... 6
Security and Protection ...................................................................................................... 6
Technical Reference ........................................................................................................... 7
Solutions ............................................................................................................................. 7
I. End-to-end deployment scenarios ........................................................................................ 8
Chapter overview: End-to-end deployment scenarios .............................................................. 9
Install Windows SharePoint Services 3.0 on a stand-alone computer ................................... 10

Hardware and software requirements ..................................................................................... 11
Configure the server as a Web server .................................................................................... 11
Install and configure IIS .................................................................................................... 11
Install the Microsoft .NET Framework version 3.0............................................................ 12
Enable ASP.NET 2.0 ........................................................................................................ 12
Install and configure Windows SharePoint Services 3.0 with Windows Internal Database .... 12
Post-installation steps ............................................................................................................. 14
Deploy in a simple server farm ............................................................................................... 16

Deployment overview .............................................................................................................. 16
Deploying Windows SharePoint Services 3.0 in a DBA environment ................................. 17
Suggested topologies ....................................................................................................... 17
Before you begin deployment ........................................................................................... 17
Overview of the deployment process ............................................................................... 18
Phase 1: Deploy and configure the server infrastructure .................................................... 18
Phase 2: Deploy and configure SharePoint site collections and sites ................................ 18
Deploy and configure the server infrastructure ....................................................................... 18
Prepare the database server ............................................................................................ 18
SQL Server and database collation..................................................................................... 19
Required accounts............................................................................................................... 19
Verify that servers meet hardware and software requirements ........................................ 20
Install and configure IIS ....................................................................................................... 21
Install the Microsoft .NET Framework version 3.0 .............................................................. 21
iii
Enable ASP.NET 2.0 ........................................................................................................... 22
Run Setup on all servers in the farm ................................................................................ 22
Run Setup on the first server ............................................................................................... 22
Run the SharePoint Products and Technologies Configuration Wizard ............................. 23
Add servers to the farm ....................................................................................................... 26
Run the SharePoint Products and Technologies Configuration Wizard on additional servers
......................................................................................................................................... 26
Start the Windows SharePoint Services Search service .................................................. 27
Perform additional configuration tasks .................................................................................... 28
Create a site collection and a SharePoint site ........................................................................ 29
Configure the trace log ..................................................................................................... 33
Deploy using DBA-created databases .................................................................................... 35

About deploying by using DBA-created databases ................................................................ 35
Required database hardware and software ............................................................................ 36
Required accounts .................................................................................................................. 36
Create and configure the databases ....................................................................................... 38
Deploy a simple farm on the Windows Server 2008 operating system .................................. 41
Deployment overview .............................................................................................................. 41
Deploying Windows SharePoint Services 3.0 in a DBA environment ................................. 42
Suggested topologies ....................................................................................................... 42
Before you begin deployment ........................................................................................... 42
Overview of the deployment process ............................................................................... 43
Phase 1: Deploy and configure the server infrastructure .................................................... 43
Phase 2: Deploy and configure SharePoint site collections and sites ................................ 43
Deploy and configure the server infrastructure ....................................................................... 43
Prepare the database server ............................................................................................ 43
SQL Server and database collation..................................................................................... 44
Required accounts............................................................................................................... 45
Verify that servers meet hardware and software requirements ........................................ 46
Install Microsoft .NET Framework version 3.0 .................................................................. 46
Run Setup on all servers in the farm ................................................................................ 47
Run Setup on the first server ............................................................................................... 47
Run the SharePoint Products and Technologies Configuration Wizard ............................. 48
Add servers to the farm ....................................................................................................... 50
Run the SharePoint Products and Technologies Configuration Wizard on additional servers
......................................................................................................................................... 51
Start the Windows SharePoint Services Search service .................................................. 52
Configure Windows Firewall with Advanced Security ............................................................. 53
Create a site collection and a SharePoint site ........................................................................ 55
Configure the trace log ............................................................................................................ 60
Configure Windows Server Backup .................................................................................. 61
iv
Install a stand-alone server on Windows Server 2008 ........................................................... 62
Hardware and software requirements ..................................................................................... 63
Install Microsoft .NET Framework version 3.0 .................................................................. 63
Install and configure Windows SharePoint Services 3.0 with Service Pack 1 ........................ 63
Post-installation steps ............................................................................................................. 65
Configure Windows Server Backup ........................................................................................ 67
Install Windows SharePoint Services 3.0 by using the command line ................................... 69
Install software requirements .................................................................................................. 69
Determine required accounts for installation........................................................................... 70
Install Windows SharePoint Services 3.0 by running Setup at a command prompt ............... 72
Configure the server by using the Psconfig command-line tool ............................................. 74
Create a Web application and a site collection by using the Stsadm command-line tool ...... 76
Install Windows SharePoint Services 3.0 with least privilege administration by using the
command line ...................................................................................................................... 80
Install software requirements .................................................................................................. 81
Determine required accounts for least privilege administration .............................................. 81
Install Windows SharePoint Services 3.0 on the server by using the least privilege account 84
Configure the server by using the Psconfig command-line tool ............................................. 86
Configure Windows SharePoint Services 3.0 on a stand-alone server............................ 86
Configure Windows SharePoint Services 3.0 on a farm .................................................. 87
Create a Web application and a site collection by using the Stsadm command-line tool ...... 89
II. Deploy Windows SharePoint Services 3.0 in a server farm environment ......................... 92
A. Install Windows SharePoint Services 3.0 for a server farm environment ......................... 93
Chapter overview: Install Windows SharePoint Services 3.0 for a server farm environment . 94
Suggested topologies.............................................................................................................. 94
Before you begin deployment ................................................................................................. 95
Overview of the deployment process ...................................................................................... 95
Phase 1: Deploy and configure the server infrastructure ................................................. 95
Phase 2: Deploy and configure SharePoint site collections and sites ............................. 96
Prepare the database servers ................................................................................................. 97

SQL Server and database collation ........................................................................................ 97
Required accounts .................................................................................................................. 97
Preinstall databases (optional) ................................................................................................ 98
Prepare the front-end Web servers ......................................................................................... 99
v
Install the Microsoft .NET Framework version 3.0 .................................................................. 99
Enable ASP.NET 2.0............................................................................................................... 99
Install Windows SharePoint Services 3.0 and run the SharePoint Products and Technologies
configuration wizard ........................................................................................................... 100
Run Setup on the first server ................................................................................................ 100
Run the SharePoint Products and Technologies Configuration Wizard ........................ 101
Add servers to the farm .................................................................................................. 103
Run the SharePoint Products and Technologies Configuration Wizard on additional
servers ......................................................................................................................... 104
Start the Windows SharePoint Services Search service ...................................................... 105
Deploy language packs (Windows SharePoint Services 3.0) ............................................... 106

About language IDs and language packs ............................................................................. 106
Preparing your front-end Web servers for language packs .................................................. 108
Installing language packs on your front-end Web servers .................................................... 109
Uninstalling language packs .............................................................................................. 110
B. Perform additional configuration tasks ............................................................................ 112
Chapter overview: Perform additional configuration tasks .................................................... 113

Configure additional administrative settings ......................................................................... 113
Configure incoming e-mail settings ....................................................................................... 115

Install and configure the SMTP service ................................................................................ 115
Start the Windows SharePoint Services Web Application service ................................. 116
Install the SMTP service ................................................................................................. 116
Configure the SMTP service........................................................................................... 117
Add an SMTP connector in Exchange Server ................................................................ 118
Configure Active Directory .................................................................................................... 118
Configure Active Directory under atypical circumstances .............................................. 120
To delegate full control of the organizational unit to the Central Administration application
pool account ................................................................................................................ 120
To add the Delete Subtree permission for the Central Administration application pool
account ........................................................................................................................ 121
Configure permissions to the e-mail drop folder ................................................................... 122
Configure e-mail drop folder permissions for the logon account for the Windows
SharePoint Services Timer service ............................................................................. 122
Configure e-mail drop folder permissions for the application pool account for a Web
application ................................................................................................................... 122
Configure DNS Manager ....................................................................................................... 123
Configure attachments from Outlook 2003 ........................................................................... 124
Configure incoming e-mail settings ....................................................................................... 124
Configuring incoming e-mail on SharePoint sites ................................................................. 126
Configure outgoing e-mail settings ....................................................................................... 127
vi
Configure outgoing e-mail settings for a specific Web application ....................................... 130
Configure workflow settings .................................................................................................. 133

Configuring workflow settings ............................................................................................... 133
Configure diagnostic logging settings ................................................................................... 135

Customer Experience Improvement Program....................................................................... 135
Error reports .......................................................................................................................... 135
Event throttling ...................................................................................................................... 136
Configuring diagnostic logging settings ................................................................................ 137
Configure anti-virus settings ................................................................................................. 139

Administrative credentials ..................................................................................................... 139
Run the Best Practices Analyzer Tool .................................................................................. 140
Configure authentication ....................................................................................................... 141

Windows SharePoint Services authentication ...................................................................... 141
Windows authentication provider .......................................................................................... 142
Forms authentication provider .............................................................................................. 143
Web single sign-on (SSO) authentication provider ............................................................... 143
Configure digest authentication ............................................................................................ 144

About digest authentication ................................................................................................... 144
Enable digest authentication for a zone of a Web application .............................................. 145
Configure IIS to enable digest authentication ....................................................................... 145
Configure forms-based authentication .................................................................................. 147

About forms-based authentication ........................................................................................ 147
Configure forms-based authentication across multiple zones .............................................. 150
Configure Web SSO authentication by using ADFS ............................................................. 152

About federated authentication systems ............................................................................... 152
Before you begin ................................................................................................................... 152
Configuring your extranet Web application to use Web SSO authentication ....................... 153
Allowing users access to your extranet Web site ................................................................. 155
About using Central Administration ................................................................................ 157
Working with the People Picker ............................................................................................ 158
vii
Working with E-mail and UPN claims ................................................................................... 159
Working with groups and organizational group claims ......................................................... 160
Configure anonymous access ............................................................................................... 162

About anonymous access ..................................................................................................... 162
Enable anonymous access for a zone .................................................................................. 162
Enable anonymous access for individual sites ..................................................................... 163
Enable anonymous access for individual lists ...................................................................... 164
SQL Server Reporting Services integration with SharePoint Products and Technologies:
white paper ........................................................................................................................ 165
C. Deploy and configure SharePoint sites ........................................................................... 166
Chapter overview: Deploy and configure SharePoint sites ................................................... 167
Create or extend Web applications ....................................................................................... 169

Create a new Web application .............................................................................................. 169
Extend an existing Web application ...................................................................................... 172
Configure alternate access mapping .................................................................................... 174

Manage alternate access mappings ..................................................................................... 174
Add an internal URL .............................................................................................................. 174
Edit or delete an internal URL ............................................................................................... 174
Edit public URLs .................................................................................................................... 175
Map to an external resource ................................................................................................. 175
Create zones for Web applications ....................................................................................... 177

Create a new zone ................................................................................................................ 177
View existing zones ............................................................................................................... 177
Create quota templates ......................................................................................................... 178

Create a new quota template ................................................................................................ 178
Edit an existing quota template ............................................................................................. 179
Delete a quota template ........................................................................................................ 179
Create site collections ........................................................................................................... 180
Prepare to crawl host-named sites that use Basic authentication ........................................ 181
Solution prerequisites............................................................................................................ 181
High-level solution overview ................................................................................................. 182
High-level steps .............................................................................................................. 183
Deploy the solution ................................................................................................................ 183
Extend the Web application ............................................................................................ 184
Map site names to static IP addresses in DNS .............................................................. 185
Grant user permissions .................................................................................................. 187
Prepare to crawl host-named sites that use forms authentication ........................................ 188
viii
Solution prerequisites............................................................................................................ 188
High-level solution overview ................................................................................................. 189
High-level steps .............................................................................................................. 190
Deploy the solution ................................................................................................................ 190
Add configuration settings to the applicable Web.config files ........................................ 192
Extend the Web application ............................................................................................ 194
Map site names to static IP addresses in DNS .............................................................. 194
Grant user permissions .................................................................................................. 196
Add site content .................................................................................................................... 197

Use Web site designers to design and add content ............................................................. 197
Migrate content from another site ......................................................................................... 198
Allow users to add content directly ....................................................................................... 198
Enable access for end users ................................................................................................. 199

Add site collection administrators ......................................................................................... 199
Add site owners or other users ............................................................................................. 200
III. Install application templates ............................................................................................ 202
Installing application templates for Windows SharePoint Services 3.0 ................................ 203
Site Admin Templates ........................................................................................................... 203
Server Admin Templates....................................................................................................... 204
IV. Deploy software updates and upgrade to a new operating system ............................... 207
Deploy software updates for Windows SharePoint Services 3.0 .......................................... 208
Before you begin ................................................................................................................... 209
Pre-upgrade preparation ................................................................................................ 210
Overview of installation sequence ........................................................................................ 213
Perform installation steps ...................................................................................................... 213
Install the software update .............................................................................................. 214
Large-farm optimization .................................................................................................. 217
Verify installation ................................................................................................................... 218
Add new servers to a server farm ......................................................................................... 221
Update language template packs ......................................................................................... 223
Known issues ........................................................................................................................ 223
Error: Failed to upgrade SharePoint Products and Technologies .................................. 223
Error: Unknown SQL Exception 15363 .......................................................................... 224
Foxit PDF IFilter must be reinstalled after installing software update ............................ 224
Setup stops responding when you use an alternate location for the Updates folder ..... 224
Error: The search request is unable to connect to the search service ........................... 225
GroupBoard Workspace 2007 and software update failures ......................................... 225
Create an installation source that includes software updates (Windows SharePoint Services
3.0) ..................................................................................................................................... 227
ix
Use the updates folder .......................................................................................................... 227
Language template packs ..................................................................................................... 228
Upgrading to Windows Server 2008 for Windows SharePoint Services 3.0 with SP1 ......... 229
Before you begin ................................................................................................................... 229
Address any installation issues ...................................................................................... 229
Install Windows Internal Database SP2 ......................................................................... 229
Stop the Search service ................................................................................................. 230
Install Windows Server 2008 ................................................................................................ 230
Perform post-installation procedures .................................................................................... 230
Configure Windows Server Backup ...................................................................................... 231
Known issues ........................................................................................................................ 232
Repair not allowed when Least User Access is enabled ............................................... 232
Fixing problems after upgrading without Windows Internal Database Service Pack 2 .. 232
Reset the Windows SharePoint Services Search service index .................................... 233
x
Getting Help
Every effort has been made to ensure the accuracy of this book. This content is also available
online in the Office System TechNet Library, so if you run into problems you can check for
updates at:
http://technet.microsoft.com/office
If you do not find your answer in our online content, you can send an e-mail message to the
Microsoft Office System and Servers content team at:
o12ITdx@microsoft.com
If your question is about Microsoft Office products, and not about the content of this book, please
search the Microsoft Help and Support Center or the Microsoft Knowledge Base at:
http://support.microsoft.com
xi
Roadmap to Windows SharePoint Services
3.0 content
In this article:
 Windows SharePoint Services 3.0 content by audience
 Windows SharePoint Services 3.0 IT professional content by stage of the IT life cycle
Windows SharePoint Services 3.0 content by

audience
Each audience for Windows SharePoint Services 3.0 can go to a specific Web site for content
that is tailored to that audience. The following table lists the audiences and provides links to the
content for each audience.
Information Workers IT Professionals Developers
Content available on Content available on: Content available on:

Office Online TechNet MSDN
 Home page — a central  TechCenter — a central portal  Developer Center — a

portal for Information for IT professional resources central portal for
Worker resources (http://go.microsoft.com/fwlink/ Developer resources
(http://go.microsoft.com/f ?LinkID=73953&clcid=0x409) (http://go.microsoft.com/
wlink/?LinkId=88898&clci  Technical Library — an index fwlink/?LinkId=88910&cl
d=0x409) for IT professional content cid=0x409)
 Help and How-to — an (http://go.microsoft.com/fwlink/  MSDN Library — an
index for Information ?LinkId=88902&clcid=0x409) index for Developer
Worker content  Newly published content — an content
(http://go.microsoft.com/f article that lists new or updated (http://go.microsoft.com/
wlink/?LinkId=88899&clci content in the Technical fwlink/?LinkID=86923&c
d=0x409) Library lcid=0x409)
(http://go.microsoft.com/fwlink/
?LinkId=88906&clcid=0x409)
 Downloadable books — an
article that lists the books
available for download
(http://go.microsoft.com/fwlink/
?LinkId=88907&clcid=0x409)
1
Additionally, there is information for all users of SharePoint Products and Technologies at the
community and blog sites listed in the following table.
Community content and blogs
 SharePoint Products and Technologies community

portal — a central place for community information
(blogs, newsgroups, etc.) about SharePoint Products
and Technologies
(http://go.microsoft.com/fwlink/?LinkId=88915&clcid=0x
409)
 SharePoint Products and Technologies team blog — a
group blog from the teams who develop the SharePoint
Products and Technologies
409)
 Support Center for Microsoft Windows SharePoint
Services 3.0 — a central place for issues and solutions
from Microsoft Help and Support
409)
Windows SharePoint Services 3.0 IT professional

content by stage of the IT life cycle
IT Professional content for Windows SharePoint Services 3.0 includes content appropriate for
each stage of the IT life cycle — evaluate, plan, deploy, and operate — plus technical reference
content. The following sections describe each stage in the IT life cycle and list the content
available to assist IT professionals during that stage. The most up-to-date content is always
available on the TechNet Web site.
We also offer downloadable books that cover each stage of the IT life cycle, plus books that cover
all stages of the life cycle for a specific solution. For an updated list, see Downloadable books for
Windows SharePoint Services (http://go.microsoft.com/fwlink/?LinkId=88907&clcid=0x409).
Evaluate
During the evaluation stage, IT professionals (including decision makers, solution architects, and
system architects) focus on understanding a new technology and evaluate how it can help them
address their business needs. The following table lists resources that are available to help you
evaluate Windows SharePoint Services 3.0.
2
Content Description Links
Online Includes the most Evaluation for Windows SharePoint Services 3.0 technology
content up-to-date (http://go.microsoft.com/fwlink/?LinkID=88902&clcid=0x409)
content. The
Technical Library
on TechNet is
continually
refreshed with
new and updated
content.
Evaluation Provides an Windows SharePoint Services 3.0 Evaluation Guide

Guide overview, (http://go.microsoft.com/fwlink/?LinkId=86962&clcid=0x409)
information about
what's new, and
conceptual
information for
understanding
Windows
SharePoint
Services 3.0.
Plan
During the planning stage, IT professionals have different needs depending on their role within an
organization. If you are focused on designing a solution, including determining the structure,
capabilities, and information architecture for a site, you might want information that helps you to
determine which capabilities of Windows SharePoint Services 3.0 you want to take advantage of,
and that helps you to plan for those capabilities and to tailor the solution to your organization's
needs. On the other hand, if you are focused on the hardware and network environment for your
solution, you might want information that helps you to structure the server topology, plan
authentication methods, and understand system requirements for Windows SharePoint Services
3.0. We have planning content, including worksheets, to address both of these needs.
3
The following table lists resources that are available to help you plan for using Windows
SharePoint Services 3.0.
Online Includes the most Planning and architecture for Windows SharePoint
content up-to-date content. Services 3.0
The Technical (http://go.microsoft.com/fwlink/?LinkId=88954&clcid=0x409)
Library on TechNet
is continually
refreshed with new
and updated
content.
Planning Provides in-depth Planning and architecture for Windows SharePoint

Guide, Part 1 planning Services, part 1
information for (http://go.microsoft.com/fwlink/?LinkId=79600)
application
administrators who
are designing a
solution based on
Windows
SharePoint
Services 3.0.
Planning Provides in-depth Planning and architecture for Windows SharePoint

Guide, Part 2 planning Services, part 2
information for IT (http://go.microsoft.com/fwlink/?LinkId=85553)
professionals who
are designing the
environment to
host a solution
based on Windows
SharePoint
Services 3.0.
Deploy
During the deployment stage, you configure your environment, install Windows SharePoint
Services 3.0, and then start creating SharePoint sites. Depending on your environment and your
solution, you may have several configuration steps to perform for your servers, for your Shared
Services Providers, and for your sites. Additionally, you may have templates, features, or other
custom elements to deploy into your environment.
The process of upgrading from a previous-version product, such as Microsoft Office SharePoint
Portal Server 2003, Microsoft Content Management Server 2002, or Windows SharePoint
4
Services, is also part of the deployment stage of the IT life cycle. We have content that addresses
planning for upgrade, performing the upgrade, and performing post-upgrade steps.
The following table lists resources that are available to help you deploy or upgrade to Windows
Online content Includes the Deployment for Windows SharePoint Services 3.0
most up-to-date (http://go.microsoft.com/fwlink/?LinkID=80752&clcid=0x409)
content. The
Technical
Library on
TechNet is
continually
refreshed with
new and
updated
content.
Deployment Provides in- Deployment for Windows SharePoint Services

Guide depth (http://go.microsoft.com/fwlink/?LinkID=79602)
deployment
information for
Windows
SharePoint
Services 3.0.
Upgrade Guide Provides Upgrading to Windows SharePoint Services 3.0

overview and in- (http://go.microsoft.com/fwlink/?LinkId=85554)
depth
information for
upgrading from
a previous
version product
to Windows
SharePoint
Services 3.0.
5
Migration and Provides cross- Migration and Upgrade Information for SharePoint
Upgrade for audience (IT Developers
SharePoint and developer) (http://go.microsoft.com/fwlink/?LinkId=89129&clcid=0x409)
Developers information for
migration and
upgrade from a
previous version
product to
Windows
SharePoint
Services 3.0.
Operate
After deployment, in which you install and configure your environment, you move to the
operations stage. During this stage, you are focused on the day-to-day monitoring, maintenance,
and tuning of your environment.
The following table lists resources that are available to help with day-to-day operations for
Windows SharePoint Services 3.0.
Online content Includes the most Operations for Windows SharePoint Services 3.0
up-to-date (http://go.microsoft.com/fwlink/?LinkId=89152&clcid=0x409)
content. The
Technical Library
on TechNet is
continually
refreshed with
new and updated
content.
Security and Protection

Because security and protection are concerns during all phases of the IT life cycle, appropriate
content for security and protection is included in the content for each life cycle stage. However,
an aggregate view of this content is provided in a Security and Protection section of the
documentation. The following table lists resources that are available to help you understand
security and protection for Windows SharePoint Services 3.0.
6
Online content Includes the most Security and protection for Windows SharePoint Services
up-to-date 3.0
content. The (http://go.microsoft.com/fwlink/?LinkId=89154&clcid=0x409)
Technical Library
on TechNet is
continually
refreshed with
new and updated
content.
Technical Reference
Technical reference information supports the content for each of the IT life cycle stages by
providing the technical information you need to work with Windows SharePoint Services 3.0. For
example, the Technical Reference content has information about how permissions work, how to
perform operations from the command line, and how to use Setup.exe from the command line.
The following table lists resources that are available to help you work with Windows SharePoint
Services 3.0.
Online Includes the most Technical Reference for Windows SharePoint Services 3.0
content up-to-date (http://go.microsoft.com/fwlink/?LinkID=88902&clcid=0x409)
content. The
Technical Library
on TechNet is
continually
refreshed with
new and updated
content.
Solutions
In addition to these IT life cycle-specific resources, we also offer several solution guides that help
you plan, deploy, and operate a specific type of solution based on Windows SharePoint Services
3.0. For a current list of solution guides for Windows SharePoint Services 3.0, see Downloadable
books for Windows SharePoint Services 3.0
7
I. End-to-end deployment scenarios
8
Chapter overview: End-to-end deployment
scenarios
This chapter provides information and directions for deploying Windows SharePoint Services 3.0
as an end-to-end solution, whether on a single computer or in a simple server farm. This chapter
does not discuss more complex deployments. For information about deploying Windows
SharePoint Services 3.0 in a large server farm, see Deploy Windows SharePoint Services 3.0
in a server farm environment.
The articles in this chapter include:
 Install Windows SharePoint Services 3.0 on a stand-alone computer discusses how to install
Windows SharePoint Services 3.0 on a single server computer. A stand-alone configuration
is useful if you want to evaluate Windows SharePoint Services 3.0 features and capabilities,
such as collaboration, document management, and search. A stand-alone configuration is
also useful if you are deploying a small number of Web sites and you want to minimize
administrative overhead.
 Deploy in a simple server farm discusses how to do a clean installation of Windows
SharePoint Services 3.0 in a server farm environment. You can deploy in a server farm
environment if you are hosting a large number of sites, if you want the best possible
performance, or if you want the scalability of a multi-tier topology. A server farm consists of
one or more servers dedicated to running the Windows SharePoint Services 3.0 applications.
 Deploy using DBA-created databases discusses how to deploy Windows SharePoint
Services 3.0 in an environment in which database administrators create and manage
databases. This article discusses how database administrators (DBAs) can create these
databases and how farm administrators configure them. The deployment includes all the
required databases and one portal site.
 Deploy a simple farm on the Windows Server 2008 operating system discusses how to
deploy Windows SharePoint Services 3.0 with Service Pack 1 (SP1) on the new Windows
Server 2008 operating system. Only Windows SharePoint Services 3.0 with SP1 or later can
be installed on Windows Server 2008. You can deploy in a server farm environment if you are
hosting a large number of sites, if you want the best possible performance, or if you want the
scalability of a multi-tier topology. A server farm consists of one or more servers dedicated to
running the Windows SharePoint Services 3.0 applications.
 Install a stand-alone server on Windows Server 2008 discusses how to install Windows
SharePoint Services 3.0 with Service Pack 1 (SP1) on the new Windows Server 2008
operating system. Only Windows SharePoint Services 3.0 with SP1 or later can be installed
on Windows Server 2008. A stand-alone configuration is useful if you want to evaluate
Windows SharePoint Services 3.0 features and capabilities, such as collaboration, document
management, and search. A stand-alone configuration is also useful if you are deploying a
small number of Web sites and you want to minimize administrative overhead.
9
Install Windows SharePoint Services 3.0 on a
stand-alone computer
In this article:
 Hardware and software requirements
 Configure the server as a Web server
 Install and configure Windows SharePoint Services 3.0 with Windows Internal Database
 Post-installation steps
This information applies to Microsoft Windows Server 2003. If you are in a
Windows Server® 2008 environment, the steps to install and configure Internet Information
Services (IIS), the Microsoft .NET Framework version 3.0, and Windows SharePoint Services 3.0
are different. For more information, see Install a stand-alone server on Windows Server 2008.
Important:
This document discusses how to install Windows SharePoint Services 3.0 on a single
computer as a stand-alone installation. It does not cover installing Windows SharePoint
Services 3.0 in a farm environment, upgrading from previous releases of Windows
SharePoint Services 3.0, or how to upgrade from SharePoint Portal Server 2003. For
information about how to do this, see the following articles:
 Deploy in a simple server farm
 Upgrading to Windows SharePoint Services 3.0
You can quickly publish a SharePoint site by deploying Windows SharePoint Services 3.0 on a
single server computer. A stand-alone configuration is useful if you want to evaluate Windows
SharePoint Services 3.0 features and capabilities, such as collaboration, document management,
and search. A stand-alone configuration is also useful if you are deploying a small number of
Web sites and you want to minimize administrative overhead. When you deploy Windows
SharePoint Services 3.0 on a single server using the default settings, the Setup program
automatically installs the Windows internal Database uses it to create the configuration database
and content database for your SharePoint sites. Windows Internal Database uses SQL Server
technology as a relational data store for Windows roles and features only, such as Windows
SharePoint Services, Active Directory Rights Management Services, UDDI Services, Windows
Server Update Services, and Windows System Resources Manager.. In addition, Setup installs
the SharePoint Central Administration Web site and creates your first SharePoint site collection
and site.
Note:
There is no direct upgrade from a stand-alone installation to a farm installation.
10
Hardware and software requirements
Before you install and configure Windows SharePoint Services 3.0, be sure that your servers
have the required hardware and software. For more information about these requirements, see
Determine hardware and software requirements (http://technet.microsoft.com/en-
us/library/cc288751.aspx).
Configure the server as a Web server

Before you install and configure Windows SharePoint Services 3.0, you must install and configure
the required software. This includes installing and configuring Internet Information Services (IIS)
so your computer acts as a Web server, installing the Microsoft .NET Framework version 3.0, and
enabling ASP.NET 2.0.
Install and configure IIS

Internet Information Services (IIS) is not installed or enabled by default in the Microsoft Windows
Server 2003 operating system. To make your server a Web server, you must install and enable
IIS, and you must ensure that IIS is running in IIS 6.0 worker process isolation mode.

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Configure Your Server Wizard.
2. On the Welcome to the Configure Your Server Wizard page, click Next.
3. On the Preliminary Steps page, click Next.
4. On the Server Role page, click Application server (IIS, ASP.NET), and then click Next.
5. On the Application Server Options page, click Next.
6. On the Summary of Selections page, click Next.
7. Click Finish.
Internet Information Services (IIS) Manager.
9. In the IIS Manager tree, click the plus sign (+) next to the server name, right-click the
Web Sites folder, and then click Properties.
10. In the Web Sites Properties dialog box, click the Service tab.
11. In the Isolation mode section, clear the Run WWW service in IIS 5.0 isolation mode
check box, and then click OK.
Note:
The Run WWW in IIS 5.0 isolation mode check box is only selected if you have
upgraded to IIS 6.0 on Windows Server 2003 from IIS 5.0 on Microsoft Windows
2000. New installations of IIS 6.0 use IIS 6.0 worker process isolation mode by
default.
11
Install the Microsoft .NET Framework version 3.0
Go to the Microsoft Download Center Web site
(http://go.microsoft.com/fwlink/?LinkID=72322&clcid=0x409), and on the Microsoft .NET
Framework 3.0 Redistributable Package page, follow the instructions for downloading and
installing the .NET Framework version 3.0. There are separate downloads for x86-based
computers and x64-based computers. Be sure to download and install the appropriate version for
your computer. The .NET Framework version 3.0 download contains the Windows Workflow
Foundation technology, which is required by workflow features.
Note:
You can also use the Microsoft .NET Framework version 3.5. You can download the
.NET Framework version 3.5 from the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=110508).
Enable ASP.NET 2.0

ASP.NET 2.0 is required for proper functioning of Web content, the Central Administration Web
Site, and many other features and functions of Windows SharePoint Services 3.0.
Enable ASP.NET 2.0

2. In the Internet Information Services tree, click the plus sign (+) next to the server name,
and then click the Web Service Extensions folder.
3. In the details pane, right-click ASP.NET v2.0.50727, and then click Allow.
Install and configure Windows SharePoint

Services 3.0 with Windows Internal Database
When you install Windows SharePoint Services 3.0 on a single server, run the Setup program
using the Basic option. This option uses the Setup program's default parameters to install
Windows SharePoint Services 3.0 and Windows Internal Database. Windows Internal Database
uses SQL Server technology as a relational data store for Windows roles and features only, such
as Windows SharePoint Services, Active Directory Rights Management Services, UDDI Services,
Windows Server Update Services, and Windows System Resources Manager..
Notes
 If you uninstall Windows SharePoint Services 3.0, and then later install Windows
SharePoint Services 3.0 on the same computer, the Setup program could fail when
creating the configuration database causing the entire installation process to fail. You can
prevent this failure by either deleting all the existing Windows SharePoint Services 3.0
databases on the computer or by creating a new configuration database. You can create
a new configuration database by running the following command:
12
 psconfig -cmd configdb -create -database <uniquename>
Run Setup
1. On the Read the Microsoft Software License Terms page, review the terms, select the
I accept the terms of this agreement check box, and then click Continue.
2. On the Choose the installation you want page, click Basic to install to the default
location. To install to a different location, click Advanced, and then on the Data Location
tab, specify the location you want to install to and finish the installation.
3. When Setup finishes, a dialog box prompts you to complete the configuration of your
server. Be sure that the Run the SharePoint Products and Technologies
Configuration Wizard now check box is selected.
4. Click Close to start the configuration wizard.
Run the SharePoint Products and Technologies Configuration Wizard

1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. In the dialog box that notifies you that some services might need to be restarted or reset
during configuration, click Yes.
3. On the Configuration Successful page, click Finish. Your new SharePoint site opens.
Note:
If you are prompted for your user name and password, you might need to add the
SharePoint site to the list of trusted sites and configure user authentication
settings in Internet Explorer. Instructions for configuring these settings are
provided in the following procedure.
Note:
If you see a proxy server error message, you might need to configure your proxy
server settings so that local addresses bypass the proxy server. Instructions for
configuring proxy server settings are provided later in this section.
Add the SharePoint site to the list of trusted sites

1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security settings
box, click Trusted Sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL to your site, and then click Add.
5. Click Close to close the Trusted Sites dialog box.
6. Click OK to close the Internet Options dialog box.
If you are using a proxy server in your organization, use the following steps to configure Internet
Explorer to bypass the proxy server for local addresses.
13
Configure proxy server settings to bypass the proxy server for local addresses
2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN
Settings.
3. In the Automatic configuration section, clear the Automatically detect settings check
box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
Post-installation steps
After Setup finishes, your browser window opens to the home page of your new SharePoint site.
Although you can start adding content to the site or you can start customizing the site, we
recommend that you perform the following administrative tasks by using the SharePoint Central
Administration Web site.
 Configure incoming e-mail settings You can configure incoming e-mail settings so that
SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-mail
settings so that SharePoint sites can archive e-mail discussions as they happen, save e-
mailed documents, and show e-mailed meetings on site calendars. In addition, you can
configure the SharePoint Directory Management Service to provide support for e-mail
distribution list creation and management. For more information, see Configure incoming e-
mail settings
 Configure outgoing e-mail settings You can configure outgoing e-mail settings so that
your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and
notifications to site administrators. You can configure both the "From" e-mail address and the
"Reply" e-mail address that appear in outgoing alerts. For more information, see Configure
outgoing e-mail settings.
 Configure diagnostic logging settings You can configure several diagnostic logging
settings to help with troubleshooting. This includes enabling and configuring trace logs, event
messages, user-mode error messages, and Customer Experience Improvement Program
events. For more information, see Configure diagnostic logging settings.
 Configure antivirus protection settings You can configure several antivirus settings if you
have an antivirus program that is designed for Windows SharePoint Services 3.0. Antivirus
settings enable you to control whether documents are scanned on upload or download and
whether users can download infected documents. You can also specify how long you want
the antivirus program to run before it times out, and you can specify how many execution
14
threads the antivirus program can use on the server. For more information, see Configure
anti-virus settings.
 Create SharePoint sites When Setup finishes, you have a single Web application that
contains a single SharePoint site collection that hosts a SharePoint site. You can create more
SharePoint sites collections, sites, and Web applications if your site design requires multiple
sites or multiple Web applications. For more information, see Deploy and configure
SharePoint sites.
Perform administrator tasks by using the Central Administration site

1. Click Start, point to All Programs, point to Administrator Tools, and then click
SharePoint 3.0 Central Administration.
2. On the Central Administration home page, under Administrator Tasks, click the task
you want to perform.
3. On the Administrator Tasks page, next to Action, click the task.
15
Deploy in a simple server farm
In this article:
 Deployment overview
 Deploy and configure the server infrastructure
 Perform additional configuration tasks
 Create a site collection and a SharePoint site
 Configure the trace log
are different. For more information, see Deploy a simple farm on the Windows Server 2008
operating system.
Deployment overview
Important:
This article discusses how to do a clean installation of Windows SharePoint Services 3.0
in a server farm environment. It does not cover upgrading from previous releases of
Windows SharePoint Services 3.0 or from previous releases of Windows SharePoint
Services. For more information about upgrading from a previous release of Windows
SharePoint Services, see Upgrading to Windows SharePoint Services 3.0.
Note:
This article does not cover installing Windows SharePoint Services 3.0 on a single
computer as a stand-alone installation. For more information, see Install Windows
SharePoint Services 3.0 on a stand-alone computer.
You can deploy Windows SharePoint Services 3.0 in a server farm environment if you are hosting
a large number of sites, if you want the best possible performance, or if you want the scalability of
a multi-tier topology. A server farm consists of one or more servers dedicated to running the
Windows SharePoint Services 3.0 application.
Note:
Because a server farm deployment of Windows SharePoint Services 3.0 is more complex than a
stand-alone deployment, we recommend that you plan your deployment. Planning your
deployment can help you to gather the information you need and to make important decisions
before beginning to deploy. For information about planning, see Planning and architecture for
Windows SharePoint Services 3.0 technology.
16
Deploying Windows SharePoint Services 3.0 in a DBA environment
In many IT environments, database creation and management are handled by the database
administrator (DBA). Security and other policies might require that the DBA create the databases
required by Windows SharePoint Services 3.0. For more information about deploying using DBA-
created databases, including detailed procedures that describe how the DBA can create these
databases, see Deploy using DBA-created databases.
Suggested topologies
Server farm environments can encompass a wide range of topologies and can include many
servers or as few as two servers.
A server farm typically consists of a database server running either Microsoft SQL Server 2005 or
Microsoft SQL Server 2000 with the most recent service pack, and one or more servers running
Internet Information Services (IIS) and Windows SharePoint Services 3.0. In this configuration,
the front-end servers are configured as Web servers. The Web server role provides Web content
and services such as search.
A large server farm typically consists of two or more clustered database servers, several load-
balanced front-end Web servers running IIS and Windows SharePoint Services 3.0, and two or
more servers providing search services.
Before you begin deployment

This section provides information about actions that you must perform before you begin
deployment.
 To deploy Windows SharePoint Services 3.0 in a server farm environment, you must provide
credentials for several different accounts. For information about these accounts, see Plan for
administrative and service accounts (http://technet.microsoft.com/en-
 You must install Windows SharePoint Services 3.0 on the same drive on all load-balanced
front-end Web servers.
 All the instances of Windows SharePoint Services 3.0 in the farm must be in the same
language. For example, you cannot have both an English version of Windows SharePoint
Services 3.0 and a Japanese version of Windows SharePoint Services 3.0 in the same farm.
 You must install Windows SharePoint Services 3.0 on a clean installation of the Microsoft
Windows Server 2003 operating system with the most recent service pack. If you uninstall a
previous version of Windows SharePoint Services 3.0, and then install Windows SharePoint
Services 3.0, Setup might fail to create the configuration database and the installation will fail.
Note:
We recommend that you read the Known Issues/Readme documentation before you
install Windows SharePoint Services 3.0 on a domain controller. Installing Windows
SharePoint Services 3.0 on a domain controller requires additional configuration
steps that are not discussed in this article.
17
Overview of the deployment process
The deployment process consists of two phases: deploying and configuring the server
infrastructure, and deploying and configuring SharePoint site collections and sites.
Phase 1: Deploy and configure the server infrastructure

Deploying and configuring the server infrastructure consists of the following steps:
 Preparing the database server.
 Preinstalling databases (optional).
 Verifying that the servers meet hardware and software requirements.
 Running Setup on all servers you want to be in the farm, including running the SharePoint
Products and Technologies Configuration Wizard.
 Starting the Windows SharePoint Services Search service.
Phase 2: Deploy and configure SharePoint site collections and sites

Deploying and configuring SharePoint site collections and sites consists of the following steps:
 Creating site collections.
 Creating SharePoint sites.
Deploy and configure the server infrastructure

Prepare the database server
The database server computer must be running Microsoft SQL Server 2005 or Microsoft SQL
Server 2000 with Service Pack 3a (SP3a) or later.
The Windows SharePoint Services 3.0 Setup program automatically creates the necessary
databases when you install and configure Windows SharePoint Services 3.0. Optionally, you can
preinstall the required databases if your IT environment or policies require this.
For more information about prerequisites, see Determine hardware and software requirements
(http://technet.microsoft.com/en-us/library/cc288751.aspx).
If you are using SQL Server 2005, you must also change the surface area settings.
Configure surface area settings in SQL Server 2005

1. Click Start, point to All Programs, point to Microsoft SQL Server 2005, point to
Configuration Tools, and then click SQL Server Surface Area Configuration.
2. In the SQL Server 2005 Surface Area Configuration dialog box, click Surface Area
Configuration for Services and Connections.
3. In the tree view, expand the node for your instance of SQL Server, expand the Database
Engine node, and then click Remote Connections.
4. Select Local and Remote Connections, select Using both TCP/IP and named pipes,
18
and then click OK.
SQL Server and database collation

The SQL Server collation must be configured for case-insensitive. The SQL Server database
collation must be configured for case-insensitive, accent-sensitive, Kana-sensitive, and width-
sensitive. This is used to ensure file name uniqueness consistent with the Windows operating
system. For more information about collations, see Selecting a SQL Collation
(http://go.microsoft.com/fwlink/?LinkId=121667&clcid=0x409) or Collation Settings in Setup
(http://go.microsoft.com/fwlink/?LinkId=121669&clcid=0x409) in SQL Server 2005 Books Online.
Required accounts
The following table describes the accounts that are used to configure SQL Server and to install
Windows SharePoint Services 3.0. For more information about the required accounts, including
specific privileges required for these accounts, see Plan for administrative and service accounts
[Windows SharePoint Services].
Account Purpose Requirements
SQL Server This account is used as the SQL Server prompts for this account during
Service Account service account for the SQL Server Setup. You have two options:
following SQL Server  Assign one of the built-in system accounts
services: (Local System, Network Service, or Local
 MSSQLSERVER Service) to the logon for the configurable
 SQLSERVERAGENT SQL Server services. For more information
about these accounts and security
If you are not using the
considerations, refer to the Setting Up
default instance, these
Windows Service Accounts topic
services will be shown as:
(http://go.microsoft.com/fwlink/?LinkId=121
 MSSQL$InstanceName
664&clcid=0x409) in the SQL Server
 documentation.
 SQLAgent$Instance
 Assign a domain user account to the logon
Name
for the service. However, if you use this
option you must take the additional steps
required to configure Service Principal
Names (SPNs) in Active Directory in order
to support Kerberos authentication, which
SQL Server uses.
19
Setup user The Setup user account is  Domain user account

account used to run the following:  Member of the Administrators group on
 Setup on each server each server on which Setup is run
 The SharePoint  SQL Server login on the computer running
Products and SQL Server
Technologies  Member of the following SQL Server
Configuration Wizard security roles:
 The PSConfig  securityadmin fixed server role
command-line tool
 dbcreator fixed server role
 The Stsadm command-
If you run Stsadm command-line tool
line tool
commands that read from or write to a
database, this account must be a member of
the db_owner fixed database role for the
database.
Server farm The Server farm account is  Domain user account.

account/Database used to:  If the server farm is a child farm with Web
access account  Act as the application applications that consume shared services
pool identity for the from a larger farm, this account must be a
SharePoint Central member of the db_owner fixed database
Administration role on the configuration database of the
application pool. larger farm.
 Run the Windows Additional permissions are automatically
SharePoint Services granted for this account on Web servers and
Timer service. application servers that are joined to a server
farm.
This account is automatically added as a SQL
Server login on the computer running SQL
Server and added to the following SQL Server
security roles:
 securityadmin fixed server role
 db_owner fixed database role for all
databases in the server farm
Verify that servers meet hardware and software requirements

have the recommended hardware and software. To deploy a server farm, you need at least one
server computer acting as a Web server and an application server, and one server computer
20
acting as a database server. For more information about these requirements, see Determine
hardware and software requirements (http://technet.microsoft.com/en-us/library/cc288751.aspx).
Important:
Windows SharePoint Services 3.0 requires Active Directory directory services for farm
deployments. Therefore Windows SharePoint Services 3.0 cannot be installed in a farm
on a Microsoft Windows NT Server 4.0 domain.

Internet Information Services (IIS) is not installed or enabled by default in the Microsoft Windows
Server 2003 operating system. To make your server a Web server, you must install and enable
IIS, and you must ensure that IIS is running in IIS 6.0 worker process isolation mode.

Configure Your Server Wizard.
2. On the Welcome to the Configure Your Server Wizard page, click Next.
3. On the Preliminary Steps page, click Next.
4. On the Server Role page, click Application server (IIS, ASP.NET), and then click Next.
5. On the Application Server Options page, click Next.
6. On the Summary of Selections page, click Next.
7. Click Finish.
9. In the IIS Manager tree, click the plus sign (+) next to the server name, right-click the
Web Sites folder, and then click Properties.
10. In the Web Sites Properties dialog box, click the Service tab.
11. In the Isolation mode section, clear the Run WWW service in IIS 5.0 isolation mode
check box, and then click OK.
Note:
The Run WWW in IIS 5.0 isolation mode check box is only selected if you have
upgraded to IIS 6.0 on Windows Server 2003 from IIS 5.0 on Microsoft Windows
2000. New installations of IIS 6.0 use IIS 6.0 worker process isolation mode by
default.

installing the Microsoft .NET Framework version 3.0. There are separate downloads for x86-
21
based computers and x64-based computers. Be sure to download and install the appropriate
version for your computer. The Microsoft .NET Framework version 3.0 download contains the
Windows Workflow Foundation technology, which is required by workflow features.
Note:
.NET Framework version 3.5 from the Microsoft Web site
Enable ASP.NET 2.0

You must enable ASP.NET 2.0 on all servers.
Enable ASP.NET 2.0

2. In the IIS Manager tree, click the plus sign (+) next to the server name, and then click the
Web Service Extensions folder.
3. In the details pane, click ASP.NET v2.0.50727, and then click Allow.
Run Setup on all servers in the farm

Run Setup and then the SharePoint Products and Technologies Configuration Wizard on all your
farm servers. Adding servers to the farm can be done at any time to add redundancy, such as
additional load-balanced Web servers.
Note:
We recommend that you run Setup on all the servers that will be in the farm before you
configure the farm.
When you install Windows SharePoint Services 3.0 on the first server, you establish the farm.
Any additional servers that you add must be joined to this farm.
Setting up the first server involves two steps: installing the Windows SharePoint Services 3.0
components on the server, and configuring the farm. After Setup finishes, you can use the
SharePoint Products and Technologies Configuration Wizard to configure Windows SharePoint
Services 3.0. The SharePoint Products and Technologies Configuration Wizard automates
several configuration tasks, including: installing and configuring the configuration database,
installing Windows SharePoint Services 3.0 services, and creating the Central Administration
Web site.
Run Setup on the first server

We recommend that you install and configure Windows SharePoint Services 3.0 on all of your
farm servers before you configure Windows SharePoint Services 3.0 services and create sites.
You must have SQL Server running on at least one back-end database server before you install
Windows SharePoint Services 3.0 on your farm servers.
22
Note:
Setup installs the Central Administration Web site on the first server on which you run
Setup. Therefore, we recommend that the first server on which you install Windows
SharePoint Services 3.0 is a server from which you want to run the Central

1. From the product disc, run Setup.exe, or from the product download, run WSSv3.exe, on
one of your Web server computers.
2. On the Read the Microsoft Software License Terms page, review the terms, select the I
accept the terms of this agreement check box, and then click Continue.
3. On the Choose the installation you want page, click Advanced. The Basic option is for
stand-alone installations.
4. On the Server Type tab, click Web Front End. The Stand-alone option is for stand-
alone installations.
5. Optionally, to install Windows SharePoint Services 3.0 at a custom location, select the
Data Location tab, and then type the location name or Browse to the location.
6. Optionally, to participate in the Customer Experience Improvement Program, select the
Feedback tab and select the option you want. To learn more about the program, click the
link. You must have an Internet connection to view the program information.
7. When you have chosen the correct options, click Install Now.
8. When Setup finishes, a dialog box appears that prompts you to complete the
configuration of your server. Be sure that the Run the SharePoint Products and
Technologies Configuration Wizard now check box is selected.
9. Click Close to start the configuration wizard. Instructions for completing the wizard are
provided in the next set of steps.

After Setup finishes, you can use the SharePoint Products and Technologies Configuration
Wizard to configure Windows SharePoint Services 3.0. The configuration wizard automates
Web site. Use the following instructions to run the SharePoint Products and Technologies
Configuration Wizard.

2. Click Yes in the dialog box that notifies you that some services might need to be
restarted during configuration.
3. On the Connect to a server farm page, click No, I want to create a new server farm,
23
and then click Next.
4. In the Specify Configuration Database Settings dialog box, in the Database server
box, type the name of the computer that is running SQL Server.
5. Type a name for your configuration database in the Database name box, or use the
default database name. The default name is "SharePoint_Config".
6. In the User name box, type the user name of the server farm account. (Be sure to type
the user name in the format DOMAIN\username.)
Important:
This account is the server farm account and is used to access your SharePoint
configuration database. It also acts as the application pool identity for the
SharePoint Central Administration application pool and it is the account under
which the Windows SharePoint Services Timer service runs. The SharePoint
Products and Technologies Configuration Wizard adds this account to the SQL
Server Logins, the SQL Server Database Creator server role, and the SQL
Server Security Administrators server role. The user account that you specify as
the service account must be a domain user account, but it does not need to be a
member of any specific security group on your Web servers or your back-end
database servers. We recommend that you follow the principle of least privilege
and specify a user account that is not a member of the Administrators group on
your Web servers or your back-end servers.
7. In the Password box, type the user's password, and then click Next.
8. On the Configure SharePoint Central Administration Web Application page, select the
Specify port number check box and type a port number if you want the SharePoint
Central Administration Web application to use a specific port, or leave the Specify port
number check box cleared if you do not care which port number the SharePoint Central
Administration Web application uses.
9. On the Configure SharePoint Central Administration Web Application dialog box, do
one of the following:
 If you want to use NTLM authentication (the default), click Next.
 If you want to use Kerberos authentication, click Negotiate (Kerberos), and then
click Next.
Note:
In most cases, you should use the default setting (NTLM). Use Negotiate
(Kerberos) only if Kerberos authentication is supported in your environment.
Using the Negotiate (Kerberos) option requires you to configure a Service
Principal Name (SPN) for the domain user account. To do this, you must be
a member of the Domain Admins group. For more information, see How to
configure a Windows SharePoint Services virtual server to use Kerberos
authentication and how to switch from Kerberos authentication back to NTLM
authentication (http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
10. On the Completing the SharePoint Products and Technologies Configuration Wizard
24
page, click Next.
11. On the Configuration Successful page, click Finish.
The SharePoint Central Administration Web site home page opens.
Note:
SharePoint Central Administration site to the list of trusted sites and configure
user authentication settings in Internet Explorer. Instructions for configuring these
settings are provided in the next set of steps.
Note:
If a proxy server error message appears, you might need to configure your proxy
configuring this setting are provided later in this section.
Add the SharePoint Central Administration Web site to the list of trusted sites
box, click Trusted sites, and then click Sites.
4. In the Add this Web site to the zone box, type the URL for the SharePoint Central
Administration Web site, and then click Add.
5. Click Close to close the Trusted sites dialog box.
Settings.
box.
25
Add servers to the farm
Important:
If you uninstall Windows SharePoint Services 3.0 from the first server on which you
installed it, your farm might experience problems.
Run Setup on additional servers

1. From the product disc, run Setup.exe, or from the product download, run WSSv3.exe, on
one of your Web server computers.
Run the SharePoint Products and Technologies Configuration Wizard on

additional servers
After Setup finishes, use the SharePoint Products and Technologies Configuration Wizard to
configure Windows SharePoint Services 3.0. The configuration wizard automates several
configuration tasks, including: installing and configuring the configuration database, and installing
Windows SharePoint Services 3.0 services. Use the following instructions to run the SharePoint

26
3. On the Connect to a server farm page, click Yes, I want to connect to an existing
server farm, and then click Next.
5. Click Retrieve Database Names, and then from the Database name list, select the
database name that you created when you configured the first server in your server farm.
6. In the User name box, type the user name of the account used to connect to the
computer running SQL Server. (Be sure to type the user name in the format
DOMAIN\username.) This must be the same user account you used when configuring the
first server.
page, click Next.
Start the Windows SharePoint Services Search service

You must start the Windows SharePoint Services Search service on every computer that you
want to search over content. You must start it on at least one of your servers.

1. On the SharePoint Central Administration home page, click the Operations tab on the
top link bar.
2. On the Operations page, in the Topology and Services section, click Servers in farm.
3. On the Servers in Farm page, click the server on which you want to start the Windows
SharePoint Services Search service.
4. Next to Window SharePoint Services Search, click Start.
5. On the Configure Windows SharePoint Services Search Service Settings page, in the
Service Account section, specify the user name and password for the user account
under which the search service will run.
6. In the Content Access Account section, specify the user name and password for the
user account that the search service will use to search over content. This account must
have read access to all the content you want it to search over. If you do not enter
credentials, the same account used for the search service will be used.
7. In the Indexing Schedule section, either accept the default settings, or specify the
schedule that you want the search service to use when searching over content.
8. After you have configured all the settings, click Start.
27
For information about how to perform this procedure using the Stsadm command-line tool, see
Spsearch.
Perform additional configuration tasks

Although you can start adding content to the site or customizing the site, we recommend that you
first perform the following administrative tasks by using the SharePoint Central Administration
Web site.
settings so that SharePoint sites archive e-mail discussions as they happen, save e-mailed
documents, and show e-mailed meetings on site calendars. In addition, you can configure the
SharePoint Directory Management Service to provide support for e-mail distribution list
creation and management. For more information, see Configure incoming e-mail settings.
settings enable you to control whether documents are scanned on upload or download, and
anti-virus settings

2. On the Central Administration home page, in the Administrator Tasks section, click
the task you want to perform.
28
Create a site collection and a SharePoint site
This section guides you through the process of creating a single site collection containing a single
SharePoint site. You can create many site collections and many sites under each site collection.
For more information, see Chapter overview: Deploy and configure SharePoint sites
You can create new portal sites or migrate pre-existing sites or content from a previous version of
Windows SharePoint Services. For information about planning SharePoint sites and site
collections, see Plan Web site structure and publishing (http://technet.microsoft.com/en-
us/library/cc288423.aspx). For information about migrating content, see Deploy a new server
farm, then migrate content databases.
You can also migrate content from a pre-existing Microsoft Content Management Server 2002
source. For information, see Upgrading to Windows SharePoint Services 3.0.
Before you can create a site or a site collection, you must first create a Web application. A Web
application is comprised of an Internet Information Services (IIS) site with a unique application
pool. When you create a new Web application, you also create a new database and define the
authentication method used to connect to the database.
If you are in an extranet environment where you want different users to access content by using
different domains, you might also need to extend a Web application to another IIS Web site. This
action exposes the same content to different sets of users by using an additional IIS Web site to
host the same content.
Create a new Web application

1. In the SharePoint Central Administration Web site, on the Application Management page,
in the SharePoint Web Application Management section, click Create or extend Web
application.
2. On the Create or Extend Web Application page, in the Adding a SharePoint Web
Application section, click Create a new Web application.
3. On the Create New Web Application page, in the IIS Web Site section, you can configure
the settings for your new Web application.
a. To choose to use an existing Web site, select Use an existing Web site, and specify
the Web site on which to install your new Web application by selecting it from the
drop-down menu.
b. To choose to create a new Web site, select Create a new IIS Web site, and type the
name of the Web site in the Description box.
c. In the Port box, type the port number you want to use to access the Web application.
If you are creating a new Web site, this field is populated with a suggested port
number. If you are using an existing Web site, this field is populated with the current
port number.
d. In the Host Header box, type the URL you want to use to access the Web
application. This is an optional field.
e. In the Path box, type the path to the site directory on the server. If you are creating a
new Web site, this field is populated with a suggested path. If you are using an
29
existing Web site, this field is populated with the current path.
4. In the Security Configuration section, configure authentication and encryption for your
Web application.
a. In the Authentication Provider section, choose either Negotiate (Kerberos) or
NTLM.
Note:
To enable Kerberos authentication, you must perform additional
configuration. For more information about authentication methods, see Plan
authentication methods (http://technet.microsoft.com/en-
b. In the Allow Anonymous section, choose Yes or No. If you choose to allow
anonymous access, this enables anonymous access to the Web site by using the
computer-specific anonymous access account (that is, IUSR_<computername>).
Note:
If you want users to be able to access any site content anonymously, you
must enable anonymous access for the entire Web application. Later, site
owners can configure how anonymous access is used within their sites. For
more information about anonymous access, see Choose which security
groups to use (http://technet.microsoft.com/en-us/library/cc288957.aspx).
c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you choose to
enable SSL for the Web site, you must configure SSL by requesting and installing an
SSL certificate.
Important:
If you use SSL, you must add the appropriate certificate on each server by
using IIS administration tools. For more information about using SSL, see
Plan for secure communication within a server farm
5. In the Load Balanced URL section, type the URL for the domain name for all sites that
users will access in this Web application. This URL domain will be used in all links shown
on pages within the Web application. By default, the box is populated with the current
server name and port.
The Zone box is automatically set to Default for a new Web application, and cannot be
changed from this page. To change the zone for a Web application, see Create or extend
Web applications.
6. In the Application Pool section, choose whether to use an existing application pool or
create a new application pool for this Web application. To use an existing application
pool, select Use existing application pool. Then select the application pool you want to
use from the drop-down menu.
a. To create a new application pool, select Create a new application pool.
b. In the Application pool name box, type the name of the new application pool, or
30
keep the default name.
c. In the Select a security account for this application pool section, select
Predefined to use an existing application pool security account, and then select the
security account from the drop-down menu.
d. Select Configurable to use an account that is not currently being used as a security
account for an existing application pool. In the User name box, type the user name
of the account you want to use, and type the password for the account in the
Password box.
7. In the Reset Internet Information Services section, choose whether to allow Windows
SharePoint Services to restart IIS on other farm servers. The local server must be
restarted manually for the process to finish. If this option is not selected and you have
more than one server in the farm, you must wait until the IIS Web site is created on all
servers and then run iisreset/noforce on each Web server. The new IIS site is not
usable until that action is completed. The choices are unavailable if your farm only
contains a single server.
8. In the Database Name and Authentication section, choose the database server,
database name, and authentication method for your new Web application.
Item Action
Database Server Type the name of the database server and

Microsoft SQL Server instance you want to
use in the format
<SERVERNAME\instance>. You can also
use the default entry.
Database Name Type the name of the database, or use the

default entry.
Database Authentication Choose whether to use Windows

authentication (recommended) or SQL
authentication.
 If you want to use Windows
authentication, leave this option
selected.
 If you want to use SQL
authentication, select SQL
authentication. In the Account
box, type the name of the account
you want the Web application to
use to authenticate to the SQL
Server database, and then type the
password in the Password box.
31
9. Click OK to create the new Web application, or click Cancel to cancel the process and
return to the Application Management page.
Createsiteinnewdb: Stsadm operation (http://technet.microsoft.com/en-us/library/cc288051.aspx).
Create a site collection

1. On the SharePoint Central Administration home page, click the Application
Management tab on the top link bar.
2. On the Application Management page, in the SharePoint Site Management section,
click Create site collection.
3. On the Create Site Collection page, in the Web Application section, select a Web
application to host the site collection from the Web Application drop-down list.
4. In the Title and Description section, type a title and description for the site collection.
5. In the Web Site Address section, select a URL type (personal or sites), and then type a
URL for the site collection.
6. In the Template Selection section, select a template from the tabbed template control.
7. In the Primary Site Collection Administrator section, specify the user account for the
user you want to be the primary administrator for the site collection. You can also browse
for the user account by clicking the Book icon to the right of the text box. You can check
the user account by clicking the Check Names icon to the right of the text box.
8. Optionally, in the Secondary Site Collection Administrator section, specify the user
account for the user you want to be the secondary administrator for the site collection.
You can also browse for the user account by clicking the Book icon to the right of the text
box. You can check the user account by clicking the Check Names icon to the right of
the text box.
9. Click Create to create the site collection.
Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc287992.aspx).
Create a SharePoint site

click Site collection list.
3. On the Site Collection List page, in the URL column, click the URL for the site collection
to which you want to add a site. The full URL path for the site collection appears in the
URL box.
4. Copy and paste the full URL path into your browser, and then, on the home page of the
top-level site for the site collection, on the Site Actions menu, click Create.
5. On the Create page, in the Web Pages section, click Sites and Workplaces.
32
6. On the New SharePoint Site page, in the Title and Description section, type a title and
description for the site.
7. In the Web Site Address section, type a URL for the site.
9. Either change other settings, or click Create to create the site.
10. The new site opens.
After creating sites, you might want to configure alternate access mappings. Alternate access
mappings direct users to the correct URLs during their interaction with Windows SharePoint
Services 3.0 (while browsing to the home page of a Windows SharePoint Services 3.0 Web site,
for example). Alternate access mappings enable Windows SharePoint Services 3.0 to map Web
requests to the correct Web applications and sites, and they enable Windows SharePoint
Services 3.0 to serve the correct content back to the user. For more information, see Plan
alternate access mappings (http://technet.microsoft.com/en-us/library/cc288609.aspx).
Configure the trace log

The trace log can be useful for analyzing problems that might occur. You can use events that are
written to the trace log to determine what configuration changes were made in Windows
SharePoint Services 3.0 before the problem occurred.
By default, Windows SharePoint Services 3.0 saves two days of events in the trace log files. This
means that trace log files that contain events that are older than two days are deleted. When you
are using the Windows SharePoint Services Search service, we recommend that you configure
the trace log to save seven days of events.
You can use the Diagnostic Logging page in Central Administration to configure the maximum
number of trace log files to maintain and how long (in minutes) to capture events to each log file.
By default, 96 log files are kept, each one containing 30 minutes of events.
96 log files * 30 minutes of events per file = 2880 minutes or two days of events.
You can also specify the location where the log files are written or accept the default path.
Configure the trace log to save seven days of events

1. In Central Administration, on the Operations tab, in the Logging and Reporting section,
click Diagnostic logging.
2. On the Diagnostic Logging page, in the Trace Log section, do the following:
 In the Number of log files box, type 336.
 In the Number of minutes to use a log file box, type 30.
Tip:
To save 10,080 minutes (seven days) of events, you can use any
combination of number of log files and minutes to store in each log file.
3. Ensure that the path specified in the Path box has enough room to store the extra log
files, or change the path to another location.
33
Tip:
We recommend that you store log files on a hard drive partition that is used to
store log files only.
4. Click OK.
Trace log files can help you to troubleshoot issues related to configuration changes of the
Windows SharePoint Services Search service. Because problems related to configuration
changes are not always immediately discovered, we recommend that you save all trace log files
that the system creates on any day that you make any configuration changes related to either
search service. Store these log files for an extended period of time in a safe location that will not
be overwritten. See step 3 in the previous procedure to determine the location that the system
stores trace log files for your system.
Logging and Events: Stsadm operations (http://technet.microsoft.com/en-
34
Deploy using DBA-created databases
In this article:
 About deploying by using DBA-created databases
 Required database hardware and software
 Required accounts
 Create and configure the databases
operating system.
About deploying by using DBA-created databases

In many IT environments, database administrators (DBAs) create and manage databases.
Security policies and other policies in your organization might require that DBAs create the
databases that Windows SharePoint Services 3.0 requires. This article discusses how DBAs can
create these databases and farm administrators can configure them.
This article describes how to deploy Windows SharePoint Services 3.0 in an environment in
which DBAs create and manage databases. The deployment includes all the required databases
and one portal site. This article only applies to farms that use Microsoft SQL Server 2000 with the
most recent service pack or Microsoft SQL Server 2005 database software.
Some procedures in this article use the Psconfig and Stsadm command-line tools. These tools
are both located in the following folder: Program Files\Common Files\Microsoft Shared\web
server extensions\12\BIN.
Note:
This article does not cover using the Windows SharePoint Services 3.0 graphical user
interface tools to create or configure databases. For information about creating and
configuring databases by using the Windows SharePoint Services 3.0 graphical user
interface tools, see Deploy in a simple server farm.
By using the procedures in this article, DBAs and farm administrators create and configure the
following databases and components in the following order:
1. Configuration database (only one per farm).
2. Content database for Central Administration (only one per farm).
3. Central Administration Web application (only one per farm — created by Setup).
4. Windows SharePoint Services search database (only one per farm).
35
5. Web application content databases (optional). There is one content database for each Web
application; extending a Web application does not require an additional content database.
6. Web applications (optional).
Note:
As part of the Web site and application pool creation process, a Web application is
also created in Internet Information Services (IIS). Extending a Web application will
create an additional Web site in IIS, but not an additional application pool.
Required database hardware and software

Before you install and configure the databases, be sure that your database servers have the
recommended hardware and software. For more information about these requirements, see
Determine hardware and software requirements (http://technet.microsoft.com/en-
If you are using SQL Server 2005 database software, the DBA must configure surface area
settings so that local and remote connections use TCP/IP only. All of the databases required by
Windows SharePoint Services 3.0 use the Latin1_General_CI_AS_KS_WS collation. All of the
databases require that the Setup user account be assigned to them as the database owner (or
dbo). For more information about the security requirements for these databases, see Plan for
administrative and service accounts (http://technet.microsoft.com/en-us/library/cc288210.aspx).
Required accounts
The DBA needs to create SQL Server logins for the accounts that are used to access the
databases for Windows SharePoint Services 3.0 and add them to roles. For more information
about required accounts, including specific permissions and user rights required for these
accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-
36
The following table describes the accounts that are used to access the databases for Windows
 documentation.
 SQLAgent$Instance
 Assign a domain user account to the logon
Name
SQL Server uses.

command-line tool
line tool
database.
37

farm.
security roles:
Note:
If you are using the least-privilege principle for added security, use a different account for
each service, process, and application pool identity for each Web application.
Create and configure the databases

Use the procedures in this section to create the required databases and give the appropriate
accounts membership in the database security groups or roles.
The procedures require action by the DBA and the Setup user account. Each step is labeled
[DBA] or [Setup] to indicate which role performs the action.
The farm only has one configuration database and one content database for Central
Administration. The following procedure is performed once for each farm.
Create and configure the configuration database, the Central Administration content
database, and the Central Administration Web application
1. [DBA] Create the configuration database and the Central Administration content
database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the
database owner (dbo) to be the Setup user account.
2. [Setup] Run Setup on each of the server computers that run Windows SharePoint
Services 3.0. You must run Setup on at least one of these computers by using the Web
38
front end installation option.
3. [Setup] On the computer on which you used the Web front end installation option, do not
run the SharePoint Products and Technologies Configuration Wizard after Setup.
Instead, open the command line, and then run the following command to configure the
databases:
Psconfig –cmd configdb –create –server <SQL Server Name> –database <SQL
Database Name> –user <Domain Name\User Name> –password <password> –
admincontentdatabase <SQL Admin Content Database Name>
Note:
SQL Database Name is the configuration database. Domain Name\User Name is
the server farm account. SQL Admin Content Database Name is the Central
Administration content database.
4. [Setup] After the command has completed, run the SharePoint Products and
Technologies Configuration Wizard and complete the remainder of the configuration for
your server. This creates the Central Administration Web application and performs other
setup and configuration tasks.
The following procedure will only have to be performed once for the farm. The farm only has one
Windows SharePoint Services search database.
Create and configure the Windows SharePoint Services search database and start the
Windows SharePoint Services Search service.
1. [DBA] Create a database for the Windows SharePoint Services Search database using
the LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner
(dbo) to be the Setup user account.
2. [Setup] Open the command line, and then run the following command to configure the
database and start the Windows SharePoint Services Search service:
stsadm -o spsearch -action start -farmserviceaccount <Domain Name\User Name> -
farmservicepassword <password> -farmcontentaccessaccount <Domain Name\User
Name> -farmcontentaccesspassword <password> -databaseserver
<Server\Instance> -databasename <Database Name>
Note:
farmserviceaccount is the server farm account. farmcontentaccessaccount is the
Windows SharePoint Services Search service account. For databaseserver, if you
are using the default instance of SQL Server, you only have to specify the name of
the computer running SQL Server. The databasename is the Windows SharePoint
Services Search database.
Spsearch.
The following procedure is performed once for each portal site in the farm.
39
Create and configure the portal site Web application and content database
1. [DBA] Create the portal site Web application content database using the
LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo)
to be the Setup user account.
2. [DBA] Using SQL Server Management Studio, add the application pool process account
to the Users group and the db_owner role for the Web application content database.
3. [Setup] Open the command line, and then run the following command to create the Web
application and configure the portal site Web application content database:
stsadm.exe -o extendvs -url <URL> -donotcreatesite -exclusivelyusentlm -
databaseserver <Database Server Name> -databasename <Database Name> -
apidtype configurableid -description <IIS Web Site Name> -apidname <App Pool
Name> -apidlogin <Domain Name\User Name> -apidpwd <password>
Note:
url is the URL (in the form http://hostname:port) of the portal site Web
application. databasename is the content database for the portal site Web
application. description is the text name you give to the Web site in IIS.
apidname is the text name that you give to the Web application pool in IIS.
apidlogin is the identity for the application pool in IIS. This is the application pool
process account.
Important:
This command must be run on the same computer that is indicated in the url
parameter. This is the same computer that will be running the portal site Web
application. The host name and port combination must not describe a Web
application that already exists or an error results and the Web application is not
created.
Extendvs.
40
Deploy a simple farm on the Windows Server
2008 operating system
In this article:
 Deployment overview
 Deploy and configure the server infrastructure
 Configure Windows Firewall with Advanced Security
 Create a site collection and a SharePoint site
As of Windows SharePoint Services 3.0 with Service Pack 1 (SP1), you can now install Windows
SharePoint Services 3.0 on Windows Server 2008. As with the Windows Server 2003 operating
system, you must download and run Setup and the SharePoint Products and Technologies
Configuration Wizard. You cannot install Windows SharePoint Services 3.0 without service packs
on Windows Server 2008.
Important:
The following components are required for Windows SharePoint Services 3.0 to run
correctly: the Web Server role, the Microsoft .NET Framework version 3.0, and Active
Directory Domain Services. Do not uninstall them, or Windows SharePoint Services 3.0
will cease to run.
Deployment overview
Important:
with SP1 in a server farm environment on Windows Server 2008. It does not cover
upgrading the operating system from Windows Server 2003 to Windows Server 2008. For
more information about upgrading the operating system, see Upgrading to Windows
Server 2008 for Windows SharePoint Services 3.0 with SP1.
Note:
computer as a stand-alone installation on Windows Server 2008. For more information,
see Install a stand-alone server on Windows Server 2008.
a multi-tier topology. A server farm consists of one or more servers dedicated to running Windows
41
Note:
Deploying Windows SharePoint Services 3.0 in a DBA environment

required by Windows SharePoint Services 3.0. For more information about deploying using DBA-
created databases, including detailed procedures that describe how the DBA can create these
databases, see Deploy using DBA-created databases.
Server farm environments can encompass a wide range of topologies and can include many

deployment.
administrative and service accounts (http://technet.microsoft.com/en-
42
Note:


 Preinstalling databases (optional).
 Running Setup on all servers you want to be in the farm, including running the SharePoint
Phase 2: Deploy and configure SharePoint site collections and sites

 Creating site collections.
 Creating SharePoint sites.
Deploy and configure the server infrastructure

Prepare the database server
The database server computer must be running Microsoft SQL Server 2005 or Microsoft SQL
Server 2000 with the most recent service pack.
For more information about prerequisites, see Determine hardware and software requirements

43
and then click OK.

sensitive. This is used to ensure file name uniqueness consistent with the Windows operating
system. For more information about collations, see Selecting a SQL Collation
(http://go.microsoft.com/fwlink/?LinkId=121667&clcid=0x409) or Collation Settings in Setup
(http://go.microsoft.com/fwlink/?LinkId=121669&clcid=0x409) in SQL Server 2005 Books Online.
44
Required accounts
The following table describes the accounts that are used to configure SQL Server and to install
Windows SharePoint Services 3.0. For more information about the required accounts, including
specific role memberships and permissions required for these accounts, see Plan for
administrative and service accounts [Windows SharePoint Services].
 documentation.
 SQLAgent$Instance  Assign a domain user account to the logon
Name
SQL Server uses.

command-line tool
line tool
database.
45

farm.
security roles:
Verify that servers meet hardware and software requirements

server computer acting as a Web server and an application server, and one server computer
acting as a database server. For more information about these requirements, see Determine
hardware and software requirements (http://technet.microsoft.com/en-us/library/cc288751.aspx).
Important:
Windows SharePoint Services 3.0 requires Active Directory Domain Services for farm
deployments in a Windows Server 2008 environment.
Install Microsoft .NET Framework version 3.0

Before you install Windows SharePoint Services 3.0 on Windows Server 2008, you must install
the Microsoft .NET Framework version 3.0. You do not need to install the Web Server role or the
Windows Process Activation Service; these are installed automatically along with the Windows
Internal Database when you install Windows SharePoint Services 3.0, Service Pack 1. Use the
following procedure to install Microsoft .NET Framework version 3.0.
46
1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In Server Manager, on the Action menu, click Add features.
3. In the Features list, select the .NET Framework 3.0 Features check box, and then click
Next.
4. Follow the wizard steps to install Microsoft .NET Framework version 3.0.
Run Setup on all servers in the farm

Run Setup and then the SharePoint Products and Technologies Configuration Wizard on all your
farm servers. Adding servers to the farm can be done at any time to add redundancy — for
example, adding load-balanced Web servers.
Note:
configure the farm.
Web site.

You must have SQL Server database software running on at least one back-end database server
before you install Windows SharePoint Services 3.0 on your farm servers.
Note:
SharePoint Services 3.0 is a server on which you want to run the Central Administration
Web site.

1. Download Windows SharePoint Services 3.0 with SP1 from the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=105656), and then run SharePoint.exe on one of
your Web server computers.
47
Note:
Do not add any server roles in Windows Server 2008 Server Manager before setup for
Windows SharePoint Services 3.0 is complete. If you add a server role, the setup
process will fail and you will need to uninstall and reinstall Windows SharePoint Services
3.0.


48
Important:
This account is the server farm account and is used to access your SharePoint
configuration database. It also acts as the application pool identity for the
SharePoint Central Administration application pool and it is the account under
which the Windows SharePoint Services Timer service runs. The SharePoint
Products and Technologies Configuration Wizard adds this account to the SQL
Server logins, and to the dbcreator and securityadmin fixed server roles in SQL
Server. The user account that you specify as the service account must be a
domain user account, but it does not need to be a member of any specific
security group on your Web servers or your back-end database servers. We
recommend that you follow the principle of least-privilege administration by
specifying a user account that is not a member of the Administrators group on
your Web servers or your back-end servers.
Specify port number check box and type a port number if you want the SharePoint
Central Administration Web application to use a specific port, or leave the Specify port
number check box cleared if you do not care which port number the SharePoint Central
9. On the Configure SharePoint Central Administration Web Application dialog box, do
click Next.
Note:
In most cases, you should use the default setting (NTLM). Use Negotiate
(Kerberos) only if Kerberos authentication is supported in your environment.
Using the Negotiate (Kerberos) option requires you to configure a service
principal name (SPN) for the domain user account. To do this, you must be a
member of the Domain Admins group. For more information, see How to
configure a Windows SharePoint Services virtual server to use Kerberos
authentication and how to switch from Kerberos authentication back to NTLM
authentication (http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
page, click Next.
49
Note:
SharePoint Central Administration site to the list of trusted sites and configure
user authentication settings in Internet Explorer. Instructions for configuring these
settings are provided in the next set of steps.
Note:
Settings.
box.

50
Notes
a new configuration database by running the following command from the path
%COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\bin:
 psconfig -cmd configdb -create -database <unique database name>

(http://go.microsoft.com/fwlink/?LinkId=105656), and then run SharePoint.exe on one of
your additional Web server computers.
Run the SharePoint Products and Technologies Configuration Wizard on

additional servers
configuration tasks, including: installing and configuring the configuration database, and installing
51
DOMAIN\username.) This must be the same user account you used when configuring the
first server.
page, click Next.


top link bar.
4. Next to Window SharePoint Services Search, click Start.
under which the search service will run.
user account that the search service will use to search over content. This account must
credentials, the same account used for the search service will be used.
schedule that you want the search service to use when searching over content.
52
Configure Windows Firewall with Advanced

Security
After you create Web applications in your server farm, you must use Windows Firewall with
Advanced Security in Windows Server 2008 to open ports on computers that host Web
Applications.
After you create Web applications in your server farm, you must use Windows Firewall with
Advanced Security in Windows Server 2008 to open ports on computers that host Web
Applications.
By default, port 80 is open on Web servers, but to be able to communicate with other computers
you must open the port for Central Administration. You must also open the ports for any
additional Web applications that you create in your server farm.
The default configuration of the Windows Server 2008 firewall is to deny all connections unless
there is an exception. Make sure you create the exceptions for the currently enabled profile
(Private, Public, or Domain) when you are making changes to ports. If you create the exceptions
in the wrong profile they will not work.
Note:
If you configure host headers in IIS, the ports for the Web Applications will be created on
port 80 and you may not have to perform the procedures in this section. If, however, you
use the host header mode in Windows SharePoint Services 3.0 to create multiple
domain-named sites in a single Web application you will need to perform the procedures
in this section to determine which ports the Web applications, including Central
Administration, will use in your server farm.
Determine ports used by Web Applications

2. On the Central Administration site, click Application Management.
3. On the Application Management Web page, in the SharePoint Web Application
Management section, click Web application list.
4. On the Web Application List Web page, in the URL column, the server name with port
number is listed for each Web application.
You should use Windows Firewall with Advanced Security to open the ports required for your
server farm as identified in the Determine ports used by Web Applications procedure.
For ease in managing the rules, we recommend that you create one rule per Web application.
Alternatively, for more centralized rule management you can create one rule to manage all the
ports.
For Web applications you only need to create a rule to open a port for incoming connections.
53
Configure Windows Firewall with Advanced Security
Windows Firewall with Advanced Security.
2. On the details pane, in the Overview section, verify that the domain profile is active by
noting if the domain network location entry displays Domain Profile is Active.
3. In the Domain Profile is Active area, depending on how the inbound connections rule is
configured, choose one of these options.
 If it is Inbound connections that do not match a rule are allowed, then you do not
need to complete this procedure.
 If it is Inbound connections that do not match a rule are blocked, then you must
proceed to the next step in this procedure to configure the firewall to allow Windows
SharePoint Services 3.0 traffic.
4. On the console tree, select Inbound Rules, and then in the action pane click New Rule.
5. Complete the New Inbound Rule Wizard using the settings from the following table.
Wizard page Settings
Rule Type Select Port.
Protocol and Ports Select TCP.

Select Specific local ports. In the
Specific local ports text box,
identify all the ports that you need.
Action Select Allow the connection.
Profile Enable Domain.

Clear Private and Public.
Name In the Name and Description text boxes

type information that is both descriptive
and meaningful for your network
administrators. As a best practice, we
recommend that you give the firewall rules
a unique name. Unique names makes
management using the netsh commands
much easier.
For more information about Windows Firewall with Advanced Security, see Windows Firewall
(http://go.microsoft.com/fwlink/?LinkID=84639).

Although you can start adding content to the site or customizing the site, we recommend that you
54
first perform the following administrative tasks by using the SharePoint Central Administration
Web site.
mail settings.

2. On the Central Administration home page, in the Administrator Tasks section, click
the task you want to perform.
Create a site collection and a SharePoint site

This section guides you through the process of creating a single site collection containing a single
SharePoint site. You can create many site collections and many sites under each site collection.
For more information, see Chapter overview: Deploy and configure SharePoint sites. For
information about planning SharePoint sites and site collections, see Plan Web site structure and
publishing (http://technet.microsoft.com/en-us/library/cc288423.aspx).
application is composed of an Internet Information Services (IIS) site with a unique application
55

application.
drop-down menu.
port number.
Web application.
NTLM.
Note:
56
Note:
must enable anonymous access for the entire Web application. Later, site
owners can configure how anonymous access is used within their sites. For
more information about anonymous access, see Choose which security
SSL certificate.
Important:
changed from this page. To change the zone for a Web application, see Create or extend
Web applications.
Password box.
servers and then run iisreset/noforce on each Web server. The new IIS site is not
57
Item Action
Database Server Type the name of the database server and

Microsoft SQL Server instance you want to
use in the format <Server name\instance>.
You can also use the default entry.
Database Name Type the name of the database, or use the

default entry.
Database Authentication Choose whether to use Windows

authentication (recommended) or SQL
authentication.
 If you want to use Windows
authentication, leave this option
selected.
 If you want to use SQL
authentication, select SQL
authentication. In the Account
box, type the name of the account
you want the Web application to
use to authenticate to the SQL
Server database, and then type
the password in the Password
box.

3. On the Create Site Collection page, in the Web Application section, select a Web
application to host the site collection from the Web Application drop-down list.
4. In the Title and Description section, type a title and description for the site collection.
5. In the Web Site Address section, select a URL type (personal or sites), and then type a
58
URL for the site collection.
7. In the Primary Site Collection Administrator section, specify the user account for the
user you want to be the primary administrator for the site collection. You can also browse
for the user account by clicking the Book icon to the right of the text box. You can check
the user account by clicking the Check Names icon to the right of the text box.
8. Optionally, in the Secondary Site Collection Administrator section, specify the user
account for the user you want to be the secondary administrator for the site collection.
You can also browse for the user account by clicking the Book icon to the right of the text
box. You can check the user account by clicking the Check Names icon to the right of
the text box.
9. Click Create to create the site collection.
Create a SharePoint site

click Site collection list.
3. On the Site Collection List page, in the URL column, click the URL for the site collection
to which you want to add a site. The full URL path for the site collection appears in the
URL box.
4. Copy and paste the full URL path into your browser, and then, on the home page of the
top-level site for the site collection, on the Site Actions menu, click Create.
5. On the Create page, in the Web Pages section, click Sites and Workplaces.
6. On the New SharePoint Site page, in the Title and Description section, type a title and
description for the site.
7. In the Web Site Address section, type a URL for the site.
9. Either change other settings, or click Create to create the site.
10. The new site opens.
59

Tip:
files, or change the path to another location.
Tip:
4. Click OK.
that the system creates on any day that you make any configuration changes related to either
60
Configure Windows Server Backup
If you want to use Windows Server Backup with Windows SharePoint Services 3.0, you must
configure the following registry keys. If you do not configure these registry keys, Windows Server
Backup will not work properly with Windows SharePoint Services 3.0.
Important:
You must be logged on as a member of the Administrators group on the local server
computer to edit the registry. Incorrectly editing the registry might severely damage your
system. Before making changes to the registry, you should back up any valued data on
the computer.
Configure registry keys for Windows Server Backup

1. Click Start, click Run, and in the Open box, type regedit, and then click OK.
2. In the User Account Control dialog box, click Continue to open the Registry Editor.
3. Navigate to the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
4. On the Edit menu, click New, and then click Key.
5. Type WindowsServerBackup, and then press ENTER.
6. Select the WindowsServerBackup key, and then on the Edit menu, click New, and then
click Key.
7. Type Application Support, and then press ENTER.
8. Select the Application Support key, and then on the Edit menu, click New, and then
click Key.
9. Type {c2f52614-5e53-4858-a589-38eeb25c6184} as the key name and then press
ENTER.
This is the GUID for the WSS Writer.
10. Select the new key, and then on the Edit menu, click New, and then click String Value.
11. Type Application Identifier as the new value name, and then press ENTER.
12. Right click the Application Identifier value, and then click Modify.
13. In the Value Data box, type Windows SharePoint Services, and then click OK.
14. On the Edit menu, click New, and then click DWORD (32-bit) Value.
15. Type UseSameVssContext as the new value name, and then press ENTER.
16. Right-click the UseSameVssContext value, and then click Modify.
17. In the Value Data box, type 00000001, and then click OK.
61
Install a stand-alone server on Windows
Server 2008
In this article:
 Hardware and software requirements
 Install and configure Windows SharePoint Services 3.0 with Service Pack 1
 Post-installation steps
 Configure Windows Server Backup
As of Windows SharePoint Services 3.0 Service Pack 1 (SP1), you can now install Windows
SharePoint Services 3.0 on Windows Server 2008. As with the Windows Server 2003 operating
system, you must download and run Setup and the SharePoint Products and Technologies
Configuration Wizard. You cannot install Windows SharePoint Services 3.0 without service packs
on Windows Server 2008.
Important:
with SP1 in a stand-alone environment on Windows Server 2008. It does not cover
upgrading the operating system from Windows Server 2003 to Windows Server 2008. For
more information about upgrading the operating system, see Upgrading to Windows
Server 2008 for Windows SharePoint Services 3.0 with SP1.
Note:
This article does not cover installing Windows SharePoint Services 3.0 in a server farm
installation on Windows Server 2008. For more information, see Deploy a simple farm on
the Windows Server 2008 operating system.
You can quickly publish a SharePoint site by deploying Windows SharePoint Services 3.0 on a
single server computer. A stand-alone configuration is useful if you want to evaluate Windows
SharePoint Services 3.0 features and capabilities, such as collaboration, document management,
and search. A stand-alone configuration is also useful if you are deploying a small number of
Web sites and you want to minimize administrative overhead. When you deploy Windows
SharePoint Services 3.0 on a single server using the default settings, the Setup program
automatically installs the Windows Internal Database and uses it to create the configuration
database and an initial content database for your SharePoint sites. Windows Internal Database
uses SQL Server technology as a relational data store for Windows roles and features only, such
as Windows SharePoint Services, Active Directory Rights Management Services, UDDI Services,
Windows Server Update Services, and Windows System Resources Manager.. In addition, Setup
installs the SharePoint Central Administration Web site and creates your first SharePoint site
collection and site.
62
Important:
The following components are required for Windows SharePoint Services 3.0 to run
correctly: the Web Server role, the Microsoft .NET Framework version 3.0, and Windows
Internal Database. Do not uninstall them, or Windows SharePoint Services 3.0 will cease
to run.
Note:
Hardware and software requirements

have the required hardware and software. For more information about these requirements, see
Determine hardware and software requirements (https://technet.microsoft.com/en-

Before you install Windows SharePoint Services 3.0 on Windows Server 2008, you must install
the Microsoft .NET Framework version 3.0. You do not need to install the Web Server role or the
Windows Process Activation Service; these are installed automatically along with the Windows
Internal Database when you install Windows SharePoint Services 3.0, Service Pack 1.Use the
following procedure to install Microsoft .NET Framework version 3.0.

1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In Server Manager, on the Action menu, click Add features.
3. In the Features list, select the .NET Framework 3.0 Features check box, and then click
Next.
4. Follow the wizard steps to install Microsoft .NET Framework version 3.0.
Install and configure Windows SharePoint

Services 3.0 with Service Pack 1
When you install Windows SharePoint Services 3.0 on a single server, run the Setup program
using the Basic option. This option uses the Setup program's default parameters to install
Windows SharePoint Services 3.0 and Windows Internal Database.
Notes
63
a new configuration database by running the following command from the path
%COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\bin:
 psconfig -cmd configdb -create -database <unique database name>
Download and run setup for Windows SharePoint Services 3.0 with SP1
(http://go.microsoft.com/fwlink/?LinkId=105656), and then run SharePoint.exe.
2. On the Read the Microsoft Software License Terms page, review the terms, select the
I accept the terms of this agreement check box, and then click Continue.
3. On the Choose the installation you want page, click Basic to install to the default
location. To install to a different location, click Advanced, and then on the Data Location
tab, specify the location you want to install to and finish the installation.
4. When Setup finishes, a dialog box prompts you to complete the configuration of your
server. Be sure that the Run the SharePoint Products and Technologies
Configuration Wizard now check box is selected.
5. Click Close to start the wizard.
Note:
Do not add any server roles in Windows Server 2008 Server Manager before setup for
Windows SharePoint Services 3.0 is complete. If you add a server role, the setup
process will fail, and you will need to uninstall and reinstall Windows SharePoint Services
3.0.

2. In the dialog box that notifies you that some services might need to be restarted or reset
during configuration, click Yes.
3. On the Configuration Successful page, click Finish. Your new SharePoint site opens.
Note:
SharePoint site to the list of trusted sites and configure user authentication
settings in Internet Explorer. Instructions for configuring these settings are
provided in the following procedure.
Note:
If you see a proxy server error message, you might need to configure your proxy
configuring proxy server settings are provided later in this section.
64
Add the SharePoint site to the list of trusted sites
box, click Trusted Sites, and then click Sites.
4. In the Add this Web site to the zone box, type the URL to your site, and then click Add.
5. Click Close to close the Trusted Sites dialog box.
If you are using a proxy server in your organization, use the following steps to configure Internet
Explorer to bypass the proxy server for local addresses.
Settings.
box.
Post-installation steps
Although you can start adding content to the site or you can start customizing the site, we
recommend that you perform the following administrative tasks by using the SharePoint Central
mail settings.
65
contains a single SharePoint site collection that hosts a SharePoint site. You can create more
SharePoint sites collections, sites, and Web applications if your site design requires multiple
sites or multiple Web applications. For more information, see Deploy and configure
SharePoint sites.
Note:
If you create additional Web applications to host SharePoint sites, you must also
configure Windows Firewall to allow communication on the ports for those Web
applications. For more information, see Deploy a simple farm on the Windows Server
2008 operating system.

2. On the Central Administration home page, under Administrator Tasks, click the task
you want to perform.

written to the trace log to identify what configuration changes were made in Windows SharePoint
Services 3.0 before the problem occurred.
means that trace log files that contain events that are older than two days are deleted. When
using the Windows SharePoint Services Search service, we recommend that you configure the
trace log to save seven days of events.
66

Tip:
files or change the path to another location.
Tip:
4. Click OK.
that the system creates on any day that you make any configuration changes related to the

configure the following registry keys. If you do not configure these registry keys, Windows Server
Backup will not work properly with Windows SharePoint Services 3.0.
Important:
You must be logged on as a member of the Administrators group on the local server
computer to edit the registry. Incorrectly editing the registry might severely damage your
system. Before making changes to the registry, you should back up any valued data on
the computer.
67
Configure registry keys for Windows Server Backup
1. Click Start, click Run, and in the Open box, type regedit, and then click OK.
2. In the User Account Control dialog box, click Continue to open the Registry Editor.
3. Navigate to the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
4. On the Edit menu, click New, and then click Key.
5. Type WindowsServerBackup and then press ENTER.
6. Select the WindowsServerBackup key, and then on the Edit menu, click New, and then
click Key.
7. Type Application Support, and then press ENTER.
8. Select the Application Support key, and then on the Edit menu, click New, and then
click Key.
9. Type {c2f52614-5e53-4858-a589-38eeb25c6184} as the key name, and then press
ENTER.
This is the GUID for the WSS Writer.
10. Select the new key, and then on the Edit menu, click New, and then click String Value.
11. Type Application Identifier as the new value name, and then press ENTER.
12. Right-click the Application Identifier value, and then click Modify.
13. In the Value Data box, type Windows SharePoint Services, and then click OK.
14. On the Edit menu, click New, and then click DWORD (32-bit) Value.
15. Type UseSameVssContext as the new value name, and then press ENTER.
16. Right-click the UseSameVssContext value, and then click Modify.
17. In the Value Data box, type 00000001, and then click OK.
68
Install Windows SharePoint Services 3.0 by
using the command line
In this article:
 Install software requirements
 Determine required accounts for installation
 Install Windows SharePoint Services 3.0 by running Setup at a command prompt
 Configure the server by using the Psconfig command-line tool
 Create a Web application and a site collection by using the Stsadm command-line tool
This article discusses how to do a clean installation of Windows SharePoint Services 3.0 in a
server-farm environment by using command-line tools.
Command-line tools enable you to customize the configuration of Windows SharePoint Services
3.0. Additionally, you can streamline deployment by using command-line tools in combination with
other administrator tools to automate unattended installations.
To install Windows SharePoint Services 3.0 on a server farm, you have to complete the following
steps:
1. Plan your deployment and ensure that you have installed all the software requirements.
2. Determine the required accounts that are used during installation.
3. Install Windows SharePoint Services 3.0 by running Setup at a command prompt and
specifying a configuration file.
4. Configure the server by using the Psconfig command-line tool with the appropriate options.
5. Create a Web application by using the Stsadm command-line tool.
6. Create a site collection by using the Stsadm command-line tool.
Install software requirements

Before you run Setup, you must perform several actions to prepare your deployment. For more
information about the complete list of actions you must perform before installation, see Install
Windows SharePoint Services 3.0 for a server farm environment. Ensure that you have the
following software requirements before you run Setup:
 Windows SharePoint Services 3.0 on a clean installation of the Windows Server 2003
operating system with the most recent service pack. To install Windows SharePoint Services
3.0 on Windows Server 2008, see Chapter overview: End-to-end deployment scenarios.
69
Note:
All the instances of Windows SharePoint Services 3.0 in the farm must be in the
same language. For example, you cannot have both English and Japanese versions
of Windows SharePoint Services 3.0 in the same farm.
 The Microsoft .NET Framework version 3.0. The .NET Framework version 3.0 download
contains the Windows Workflow Foundation technology, which is required by workflow
features.
Note:
You can also use the Microsoft .NET Framework version 3.5. You can download
the .NET Framework version 3.5 from the Microsoft Download Center
 ASP.NET 2.0 enabled in the Internet Information Services (IIS) Manager on all servers that
are running Windows SharePoint Services 3.0.
 Microsoft SQL Server 2000 or Microsoft SQL Server 2005 with the most recent service pack
running on at least one database server before you install Windows SharePoint Services 3.0
on your Web servers.
To deploy a server farm, you must have at least one server computer acting as a Web server and
an application server, and one server computer acting as a database server.
Determine required accounts for installation

Before installing Windows SharePoint Services 3.0 at a command prompt, you should understand
the two-tier security model for Windows SharePoint Services 3.0, and the detailed account
permissions that are required for each configuration. For more information, see the following
resources:
 Plan for security roles (Windows SharePoint Services 3.0) (http://technet.microsoft.com/en-
us/library/cc288186.aspx)
 Plan for administrative and service accounts (Windows SharePoint Services 3.0)
(http://technet.microsoft.com/en-us/library/cc288210.aspx)
 Windows SharePoint Services security account requirements
(http://go.microsoft.com/fwlink/?LinkId=92885&clcid=0x409)
70
The following table describes the accounts that are used during installation and configuration of
Windows SharePoint Services 3.0. You must create and configure these accounts before you run
Setup.
Setup user account The Setup user account is  Domain user account.
used to run the following:  Member of the
 Setup on each server. Administrators group on
 The SharePoint Products each server on which Setup
and Technologies is run.
Configuration Wizard.  SQL Server login on the
 The Psconfig command- computer that is running
line tool. SQL Server.
 The Stsadm command-line  Member of the following SQL

tool. Server security roles:
 securityadmin fixed
server role
 dbcreator fixed server
role
If you run Stsadm command-line
tool commands that read from or
write to a database, the Setup
user account must be a member
of the db_owner fixed database
role for the database.
Server farm account or The server farm account is  Domain user account.
database access account used to: Additional permissions are
 Configure and manage the automatically granted for the
server farm. server farm account on Web
 Act as the application pool servers and application servers
identity for the SharePoint that are joined to a server farm.
Central Administration The server-farm account is
application pool. automatically added as a SQL
 Run the Windows Server login on the computer
SharePoint Services Timer that is running SQL Server, and
service. added to the following SQL
Server security roles:
 securityadmin fixed server
role
71
 db_owner fixed database
role for all databases in the
server farm
Install Windows SharePoint Services 3.0 by

running Setup at a command prompt
After you have determined the required accounts for the installation, you can install Windows
SharePoint Services 3.0. To install Windows SharePoint Services 3.0, you have to do the
following:
1. Install Windows SharePoint Services 3.0 and save the SharePoint.exe file to your computer.
2. Extract the SharePoint.exe file.
3. Select a Config.xml file.
4. Run Setup with the selected Config.xml file.
Note:
You must install Windows SharePoint Services 3.0 on the same drive on all load-
balanced front-end Web servers.
Depending on your hardware requirements, you have to install Windows SharePoint Services 3.0
from one of the following resources, and save the SharePoint.exe file to your computer:
 Windows SharePoint Services 3.0 with Service Pack 1 (SP1)
(http://go.microsoft.com/fwlink/?LinkID=105656&clcid=0x409)
 Windows SharePoint Services 3.0 x64 with Service Pack 1
The SharePoint.exe file has to be extracted, which you do at the command prompt:
drive:\path\SharePoint.exe /extract:drive:\path
The folder to which you extracted the SharePoint.exe file contains examples of configuration
(Config.xml) files. These example files are stored under the \Files folder in the root directory of
the DVD, in folders that correspond to different scenarios. These example files are described in
the following table.
Configuration file Description
Setup\Config.xml Single server installation
SetupFarmSilent\Config.xml Server-farm installation in silent mode
SetupGradualUpgradeSilent\Config.xml Gradual upgrade of an existing farm in silent mode
SetupSilent\Config.xml Single server installation in silent mode
72
SetupUpgradeSilent\Config.xml In-place upgrade of an existing farm in silent mode
Note:
The example configuration files that are included with Windows SharePoint Services 3.0
omit the <Setting Id="SETUP_REBOOT"Value="Never"/> setting. You must include this
setting if you want to suppress restarts during a command-line installation.
Example
The following example shows the configuration for setting up a farm in silent mode
(SetupFarmSilent).
<Configuration>
<Package Id="sts">
<Setting Id="REBOOT" Value="ReallySuppress"/>
<Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
</Package>
<Logging Type="verbose" Path="%temp%" Template="Microsoft Windows SharePoint Services
3.0 Setup(*).log"/>
<Setting Id="SERVERROLE" Value="WFE"/>
<Setting Id="USINGUIINSTALLMODE" Value="0"/>
<Display Level="none" CompletionNotice="no" />
</Configuration>
Run Setup with a Config.xml file at a command prompt

1. On the drive on which Windows SharePoint Services 3.0 is installed, change to the root
directory to locate the setup.exe file.
setup /config<path and file name>
Note:
You can select one of the example configuration files, or customize your own
configuration file.
3. Press ENTER.
Setup is now finished.

Example
To set up a farm in silent mode, type the following command at a command prompt, and then
press ENTER:
setup /config Files\SetupFarmSilent\config.xml
73
You can also customize your own configuration file. To control the installation, first edit the
Config.xml file in a text editor to include the elements that you want with the appropriate settings
for those elements. Then run setup /config<path and file name> to specify that Setup runs and
uses the options that you set in the Config.xml file. For example, a typical configuration option
includes adding a location for a log file, <Logging Type="off" | "standard"(default) | "verbose"
Path="path name" Template="file name.log"/>, which you can view if command-line installation
fails.
Important:
Use a text editor, such as Notepad, to edit the Config.xml file. Do not use a general-
purpose XML editor such as Microsoft Office Word 2007.
For more information about the options available for customizing the configuration file, see
Config.xml reference (Windows SharePoint Services 3.0).
For more information about the command-line options for Setup, see Setup.exe command-line
reference (https://technet.microsoft.com/en-us/library/cc288033.aspx).
Configure the server by using the Psconfig

command-line tool
You use the Psconfig command-line tool to configure Windows SharePoint Services 3.0 after
Setup has finished. In server-farm deployments, you use the Psconfig command-line tool to
create a new farm or to connect to an existing farm. The tool is located on the drive on which
SharePoint Products and Technologies is installed in the following directory:
%COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
Psconfig installs the SharePoint Central Administration Web site on the first server in your farm.
Therefore, we recommend that the first server on which you install Windows SharePoint Services
3.0 is a server from which you want to run the Central Administration Web site.
For more information about the SharePoint Products and Technologies Configuration Wizard and
the Psconfig command-line tool and its operations and parameters, see Command-line reference
for the SharePoint Products and Technologies Configuration Wizard (Windows SharePoint
Services 3.0).
The following procedure describes how to configure the first server in your farm. How to add
servers to your farm is described at the end of this procedure.
Configure Windows SharePoint Services 3.0 on a farm by using the Psconfig command-
line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the
following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Bin.
2. Create the configuration database:
psconfig-cmd configdb -create -server<database server name>-database<database
name>
74
[ -dbuser<domain\user name>-dbpassword <password>]
-user<domain\user name>-password<password>
-admincontentdatabase<Central Administration Web application content database
name>
Note:
The dbuser and dbpassword parameters are only used in deployments that use
SQL Server authentication. If you are using Windows authentication, these
parameters are not required.
3. Install the Help collection:
psconfig-cmd helpcollections -installall
4. Perform resource security enforcement:
psconfig-cmd secureresources
5. Register services in the server farm:
psconfig-cmd services -install
Note:
After installing services, you must start and configure Windows SharePoint
Services Search by using the Stsadm command-line tool:
a. stsadm-o spsearch -action start -farmserviceaccount <domain\user name> -
farmservicepassword<password>[-database name<content database name>][-
database server<server instance>][-search server<search server name>]
For more information, see Spsearch: Stsadm operation
(https://technet.microsoft.com/en-us/library/cc288507.aspx).
Note:
Use the domain and user account information for the server farm account
that you created and configured previously.
b. Provision the services of the farm:
psconfig -cmd services –provision
6. Register all features:
psconfig-cmd installfeatures
7. Provision the SharePoint Central Administration Web application:
psconfig-cmd adminvs -provision -port<port>-windowsauthprovider onlyusentlm
8. Install shared application data:
psconfig-cmd applicationcontent –install
The SharePoint Central Administration Web site has now been created.
We recommend that you install and configure Windows SharePoint Services 3.0 on all the farm
servers before you create sites.
75
Note:
If any of these commands fail, look in the post-setup configuration log files. The log files
are available at %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Logs, and can be identified by a file name that begins with “PSC” and the
.log file name extension.
To connect to an existing configuration database and join the server to an existing server farm,
you have to run the configdb command together with the -connect parameter instead of the
create parameter.
psconfig -cmd configdb -connect -server<server name>-database<database name>
Note:
Omit the -admincontentdatabase command because you have already included this
command when you created the configuration database.
Use the psconfig -cmd adminvs -provision -port<port>-windowsauthprovider onlyusentlm
command if you want to provision the SharePoint Central Administration Web application on
additional servers, which minimizes the risk if the server that is running the SharePoint Central
Administration Web application fails.
To successfully complete the command-line installation, you must use the Stsadm command-line
tool to create a Web application and a site collection for the farm. However, before you create a
Web application and a site collection, we recommend that you first perform some additional
configuration tasks.

After you have installed Windows SharePoint Services 3.0, we recommend that you perform the
following administrative tasks:
 Configure incoming e-mail settings
 Configure outgoing e-mail settings
 Configure outgoing e-mail settings for a specific Web application
 Configure workflow settings
 Configure diagnostic logging settings
 Configure antivirus settings
Create a Web application and a site collection by

using the Stsadm command-line tool
After you create and configure Windows SharePoint Services 3.0 on a farm, you must use the
Stsadm command-line tool to create a Web application and a site collection. A Web application is
composed of an Internet Information Services (IIS) site together with a unique application pool.
When you create a new Web application, you also create a new database and define the
authentication method that is used to connect to the database.
76
If you are in an extranet environment in which you want different users to access content by using
Important:
To run the Stsadm command-line tool, you must be a member of the Administrators
group on the local computer.
Create a Web application and a site collection by using the Stsadm command-line tool
extensions\12\Bin.
2. Type the following command, and then press ENTER:
stsadm -o extendvs
-url <URL name>
-ownerlogin <domain\user name>
-owneremail <e-mail address>
[-exclusivelyusentlm]
[ownername<display name>]
[databaseuser<database user name>]
[-databaseserver <database server name>]
[-databasename <new content database name>]
[databasepassword<database password>]
[lcid<language>]
[sitetemplate<site template>]
[description]
[sethostheader]
[-apidname <application pool name>]
[-apidtype {configurableID | NetworkService}]
[-apidlogin <domain\user name>]
[-apidpwd <application pool password>]
For more information, see Stsadm command-line tool (https://technet.microsoft.com/en-
us/library/cc288981.aspx) and Extendvs: Stsadm operation
Example
The following command creates a Web application and a site collection with the URL
http://intranet that uses the corporate team site template.
77
stsadm -o extendvs -url http://intranet -ownerlogin <domain\user name> -owneremail
<user@domain.com>-sitetemplate STS#0 -exclusivelyusentlm -databaseserver <database
server name> -databasename <content database name> -apidname <application pool name> -
apidtype {configurableID | NetworkService} -apidlogin <domain\user name> -apidpwd
<password>
If you do not specify the template to use, site owners can choose the template when they first
browse to the site.
If you want to create additional Web applications or site collections by using the Stsadm
command-line tool, you can use either the extendvs or createsite operation.
The extendvs operation extends a Web application and creates a new content database. The
createsite operation creates a site collection at a specific URL with a specified user as site
owner.
Note:
The createsite operation does not create a new content database. If you want to create a
new content database together with the new site, see the createsiteinnewdb operation.
For more information, see Createsite: Stsadm operation (https://technet.microsoft.com/en-
us/library/cc287992.aspx) and Createsiteinnewdb: Stsadm operation
The extendvs operation also enables administrators to specify the language of the site collection
by using the Locale ID (LCID) parameter. If you do not specify an LCID, the language of the
server is used for the site collection. For more information about the available LCID values, see
List of Locale ID (LCID) Values as Assigned by
Microsoft(http://go.microsoft.com/fwlink/?LinkId=63028&clcid=0x409).

78
number of trace log files to maintain, and how long (in minutes) to capture events to each log file.
96 log files * 30 minutes of events per file = 2880 minutes (two days) of events.
You can also specify where the log files are written or accept the default path.
Trace log files can help you troubleshoot issues related to configuration changes of the Windows
SharePoint Services Search service. Because problems related to configuration changes are not
always immediately discovered, we recommend that you save all trace log files that the system
creates on any day that you make any configuration changes. Store these log files for some time
in a safe location that will not be overwritten. We recommend that you store log files on a hard
disk partition that is used to store log files only.
79
Install Windows SharePoint Services 3.0 with
least privilege administration by using the
command line
In this article:
 Install software requirements
 Determine required accounts for least-privilege administration
 Install Windows SharePoint Services 3.0 by using the least-privilege account
 Configure the server by using the Psconfig command-line tool
 Create a Web application and a site collection by using the Stsadm command-line tool
This article discusses how to install Windows SharePoint Services 3.0 on a stand-alone server or
on a server farm by using least-privilege administration.
The Windows SharePoint Services 3.0 standard configuration uses a set of user accounts and
installation settings for both stand-alone servers and server farms to simplify the installation
process. However, enterprises are often required to use the least-privilege security practice in
which each service or user is provided with only the minimum permissions and group
memberships that they must have to do the tasks that they are authorized to perform. Installing
Windows SharePoint Services 3.0 to meet least-privilege requirements requires additional
preparation and configuration steps. We strongly recommend that you use least-privilege
administration.
To install Windows SharePoint Services 3.0 by using least-privilege administration on either a
stand-alone server or a server farm, you must complete the following steps:
1. Plan the deployment and ensure that you have installed all the software requirements.
2. Determine the required accounts that are used during installation.
3. Use the least-privilege Setup user account to install Windows SharePoint Services 3.0 by
using Setup at a command prompt, and specifying a configuration file.
4. Configure the server by using the Psconfig command-line tool with the appropriate options.
5. Create a Web application by using the Stsadm command-line tool (only applies on server-
farm installations).
6. Create a site collection by using the Stsadm command-line tool (only applies on server-farm
installations).
80
Install software requirements
Before running Setup, you must perform several actions to prepare the deployment. For more
information about the complete list of actions you must perform before installation, see Install
Windows SharePoint Services 3.0 for a server farm environment. Ensure that you have the
following software requirements before you run Setup in any deployment:
 Windows SharePoint Services 3.0 on a clean installation of the Windows Server 2003
operating system with the most recent service pack. To install Windows SharePoint Services
3.0 on Windows Server 2008, see Chapter overview: End-to-end deployment scenarios.
Note:
All the instances of Windows SharePoint Services 3.0 in the farm must be in the
same language. For example, you cannot have both English and Japanese versions
of Windows SharePoint Services 3.0 in the same farm.
 The Microsoft .NET Framework version 3.0. The .NET Framework version 3.0 download
contains the Windows Workflow Foundation technology, which is required by workflow
features.
Note:
.NET Framework version 3.5 from the Microsoft Download Center
 ASP.NET 2.0 enabled in Internet Information Services (IIS) Manager on all servers that are
running Windows SharePoint Services 3.0.
 Microsoft SQL Server 2000 or Microsoft SQL Server 2005 with the most recent service pack
running on at least one database server before you install Windows SharePoint Services 3.0
on the Web servers.
To deploy a server farm, you must have at least one server computer acting as a Web server and
an application server, and one server computer acting as a database server.
Determine required accounts for least privilege

administration
Before installing Windows SharePoint Services 3.0 by using least-privilege administration in any
security configuration, you should understand the two-tier security model for Windows SharePoint
Services 3.0 and the detailed account permissions that are required for each configuration. For
more information, see the following resources:
 Plan for security roles (Windows SharePoint Services 3.0) (http://technet.microsoft.com/en-
 Plan for administrative and service accounts (Windows SharePoint Services 3.0)
(http://technet.microsoft.com/en-us/library/cc288210.aspx)
 Windows SharePoint Services security account requirements
81
Many requirements and configuration steps for installing Windows SharePoint Services 3.0 by
using least-privilege administration resemble the standard farm installation, with which you should
be familiar. For more information about the standard farm installation, see Install Windows
SharePoint Services 3.0 for a server farm environment.
The following table describes the accounts that are used to install Windows SharePoint Services
3.0 by using least-privilege administration, compared to the standard account requirements for
farm installation.
Account Purpose Server farm standard Least-privilege

requirements administration using
domain user accounts
requirements
Setup user The Setup user account  Domain user account. Server farm standard
account that is used to run the  Member of the requirements with the
following: Administrators group on following additions or
 Setup on each each server on which exceptions:
server. Setup is run.  Use a separate
 The SharePoint  SQL Server login on the domain user
Products and computer that is running account.
Technologies SQL Server.  The Setup user
Configuration  Member of the following account should not
Wizard. SQL Server security be a member of
 The Psconfig roles: the Administrators
command-line tool. group on the
computer that is
 The Stsadm server role
running SQL
command-line tool.  dbcreator fixed
Server.
server role
If you run Stsadm command-
line commands that read
from or write to a database,
the Setup user account must
be a member of the
db_owner fixed database
role for the database.
82
Account Purpose Server farm standard Least-privilege
requirements administration using
domain user accounts
requirements
Server farm The server farm  Domain user account. Server farm standard
account or account is used to: Additional permissions are requirements with the
database  Configure and automatically granted for the following additions or
access manage the server server farm account on Web exceptions:
account farm. servers and application  Use a separate
 Act as the servers that are joined to a domain user
application pool server farm. account.
identity for the The server farm account is  The server farm
SharePoint Central automatically added as a account is not a
Administration Web SQL Server login on the member of the
site. computer that is running SQL Administrators
 Run the Windows Server and added to the group on any
SharePoint following SQL Server security server in the
Services Timer roles: server farm. This
service.  dbcreator fixed server includes the
role computer that is
running SQL
Server.
server role
 The server farm
 db_owner fixed
account does not
database role for all
require
databases in the server
permissions to
farm
SQL Server before
you create the
configuration
database.
The minimum requirements to achieve least-privilege administration include the following:

 Separate accounts are used for different services and processes.
 No executing service or process account is running with local administrator permissions.
By using separate service accounts for each service and limiting the permissions assigned to
each account, you reduce the opportunity for a malicious user or process to compromise the
environment.
You can implement least-privilege administration in many ways, depending upon the security
configuration of each scenario. The configurations for least-privilege administration include:
 Separate domain user accounts
 SQL Server authentication
83
 Domain user accounts connecting to existing databases
Install Windows SharePoint Services 3.0 on the

server by using the least privilege account
After you have determined the required accounts for the installation, you can install Windows
SharePoint Services 3.0. To install Windows SharePoint Services 3.0, you perform the following
actions:
1. Install Windows SharePoint Services 3.0 and save the SharePoint.exe file to the computer.
2. Extract the SharePoint.exe file.
3. Select a Config.xml file.
4. Run Setup with the selected Config.xml file, and by using the least-privilege Setup user
account that you previously created.
Note:
You must install Windows SharePoint Services 3.0 on the same drive on all load-
balanced front-end Web servers.
Depending on hardware requirements, install Windows SharePoint Services 3.0 from one of the
following resources, and save the SharePoint.exe file to the computer:
 Windows SharePoint Services 3.0 with Service Pack 1
 Windows SharePoint Services 3.0 x64 with Service Pack
1(http://go.microsoft.com/fwlink/?LinkID=105802&clcid=0x409)
The SharePoint.exe file has to be extracted, which you do at the command prompt:
drive:\path\SharePoint.exe /extract:drive:\path
The folder to which you extracted the SharePoint.exe file contains examples of configuration
(Config.xml) files. These example files are stored under the \Files folder in the root directory of
the DVD, in folders that correspond to different scenarios. The example files are listed and
described in the following table.
Setup\Config.xml Single server installation
SetupFarmSilent\Config.xml Server-farm installation in silent mode
SetupGradualUpgradeSilent\Config.xml Gradual upgrade of an existing farm in silent mode
SetupSilent\Config.xml Single server installation in silent mode
SetupUpgradeSilent\Config.xml In-place upgrade of an existing farm in silent mode
84
Important:
The example configuration files that are included with Windows SharePoint Services 3.0
omit the <Setting Id="SETUP_REBOOT" Value="Never"/> setting. You must include this
setting if you want to suppress restarts during a command-line installation.
Example
The following example shows the configuration for setting up a farm in silent mode
(SetupFarmSilent).
<Configuration>
<Package Id="sts">
<Setting Id="REBOOT" Value="ReallySuppress"/>
<Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
</Package>
<Logging Type="verbose" Path="%temp%" Template="Microsoft Windows SharePoint Services
3.0 Setup(*).log "/>
<Setting Id="SERVERROLE" Value="WFE"/>
<Setting Id="USINGUIINSTALLMODE" Value="0"/>
<Display Level="none" CompletionNotice="no" />
</Configuration>
Run Setup with a Config.xml file at a command prompt

1. On the drive on which Windows SharePoint Services 3.0 is installed, change to the root
directory to locate the setup.exe file.
setup /config<path and file name>
Note:
You can select one of the example configuration files, or customize your own
configuration file.
3. Press ENTER.
Setup is now complete.

Example
To set up a farm in silent mode, type the following command at a command prompt, and then
press ENTER:
setup /config Files\SetupFarmSilent\config.xml
You can also customize your own configuration file. To control the installation, first edit the
Config.xml file in a text editor to include the elements that you want with the appropriate settings
for those elements. Then run setup /config<path and file name> to specify that Setup runs and
uses the options that you set in the Config.xml file. For example, a typical configuration option
85
includes adding a location for a log file, <Logging Type="off" | "standard"(default) | "verbose"
Path="path" Template="file name.log"/>, which you can view if command-line installation fails.
Important:
Use a text editor, such as Notepad, to edit Config.xml. Do not use a general-purpose
XML editor such as Microsoft Office Word 2007.
For more information about the options available for customizing the configuration file, see
Config.xml reference (https://technet.microsoft.com/en-us/library/cc287749.aspx).
For more information about the command-line options for Setup, see Setup.exe command-line
reference (https://technet.microsoft.com/en-us/library/cc288033.aspx).
Configure the server by using the Psconfig

command-line tool
You use the Psconfig command-line tool to configure Windows SharePoint Services 3.0 after
Setup has completed. The tool is located at %COMMONPROGRAMFILES%\Microsoft
shared\Web server extensions\12\Bin. The configuration options are different depending whether
Windows SharePoint Services 3.0 is installed on a stand-alone server or on a farm.
For more information about the Psconfig command-line tool and its operations and parameters,
see Command-line reference for the SharePoint Products and Technologies Configuration
Wizard (https://technet.microsoft.com/en-us/library/cc263093.aspx).
Configure Windows SharePoint Services 3.0 on a stand-alone

server
In stand-alone server deployments that use least-privilege administration, you can run the
Psconfig command-line tool with the setup command.
The following procedure describes how to configure Windows SharePoint Services 3.0 on a
stand-alone server.
Configure Windows SharePoint Services 3.0 on a stand-alone server by using the

Stsadm command-line tool
1. Log on by using the Setup user account that you created and configured previously.
extensions\12\Bin.
stsadm -cmd setup
The Psconfig command-line tool describes the configuration steps as they occur and notes the
successful completion of configuration. For a stand-alone server installation, this is the final step
in a command-line installation.
86
Configure Windows SharePoint Services 3.0 on a farm
In server farm deployments that use least-privilege administration, you use the Psconfig
command-line tool to create a new farm or connect to an existing farm. The Psconfig command-
line tool installs the SharePoint Central Administration Web site on the first server in the farm.
Therefore, we recommend that the first server on which you install Windows SharePoint Services
3.0 is a server from which you want to run the Central Administration Web site.
The following procedure describes how to configure the first server in the farm.
Configure Windows SharePoint Services 3.0 on a farm by using the Psconfig command-
line tool
1. Log on by using the Setup user account that you created and configured previously.
extensions\12\Bin.
3. Create the configuration database:
psconfig-cmd configdb -create -server<database server name>-database<database
name>
[ -dbuser<domain\user name>-dbpassword<password>]
-user<domain\user name> -password<password>
-addomain<domain name>-adorgunit<org unit>
-admincontentdatabase<Central Administration Web application content database
name>
Note:
The dbuser and dbpassword parameters are only used in deployments that use
SQL Server authentication. If you are using Windows authentication, these
parameters are not necessary.
4. Install the Help collection:
psconfig-cmd helpcollections -installall
5. Perform resource security enforcement:
psconfig-cmd secureresources
6. Register services in the server farm:
psconfig-cmd services -install
Note:
After installing services, you must start and configure Windows SharePoint
Services Search by using the Stsadm command-line tool:
a. stsadm-o spsearch -action start -farmserviceaccount <domain\user name> -
farmservicepassword<password> [-database name<content database name>][-
database server<server instance>][-search server<search server name>]
For more information, see Spsearch: Stsadm operation
87
Note:
Use the domain and user account information for the server farm account
that you previously created and configured.
b. Provision the services of the farm:
psconfig -cmd services –provision:
7. Register all features:
psconfig-cmd installfeatures
8. Provision the SharePoint Central Administration Web application:
psconfig -cmd adminvs -provision -port<port> -windowsauthprovider onlyusentlm
9. Install shared application data:
psconfig -cmd applicationcontent –install
The Central Administration Web site has now been created.

We recommend that you install and configure Windows SharePoint Services 3.0 on all of the farm
servers before you start to create sites.
Note:
If any of these commands fail, look in the post-Setup configuration log files. The log files
are available at %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Logs, and can be identified by a file name starting with “PSC” and the .log
extension.
To connect to an existing configuration database and join the server to an existing server farm,
run the configdb command with the -connect parameter instead of the –create parameter.
psconfig -cmd configdb -connect –server<server name>-database<database name>
Note:
Omit the –admincontentdatabase command because you have already included this
command when you created the configuration database.
Use the psconfig -cmd adminvs -provision –port<port>-windowsauthprovider onlyusentlm
command if you want to provision the SharePoint Central Administration Web application on
additional servers, which reduces the risk if the server that is running the SharePoint Central
Administration Web application fails.
To successfully complete command-line installation on a server farm, you must use the Stsadm
command-line tool to create a Web application, and a site collection for the farm. However, before
you create a Web application and a site collection, we recommend that you first perform some
additional configuration tasks.

After you have installed Windows SharePoint Services 3.0, we recommend that you perform the
following administrative tasks:
88
 Configure workflow settings
 Configure diagnostic logging settings
 Configure antivirus settings
Create a Web application and a site collection by

using the Stsadm command-line tool
After you create and configure Windows SharePoint Services 3.0 on a farm, you must use the
Stsadm command-line tool to create a Web application and a site collection. A Web application is
composed of an Internet Information Services (IIS) site together with a unique application pool.
When you create a new Web application, you also create a new database and define the
authentication method that is used to connect to the database.
different domains, you might also have to extend a Web application to another IIS Web site. This
Important:
To run the Stsadm command-line tool, you must be a member of the Administrators
Create a Web application and a site collection by using the Stsadm command-line tool
extensions\12\Bin.
stsadm -o extendvs
-url <URL name>
-ownerlogin <domain\user name>
-owneremail <e-mail address>
[-exclusivelyusentlm]
[-ownername<display name>]
[-databaseuser<database user name>]
[-databaseserver <database server name>]
[-databasename <new content database name>]
[-databasepassword<database password>]
[-lcid<language>]
89
[-sitetemplate<site template>]
[-description]
[-sethostheader]
[-apidname <application pool name>]
[-apidtype {configurableID | NetworkService}]
[-apidlogin <domain\user name>]
[-apidpwd <application pool password>]
For more information, see Stsadm command-line tool (https://technet.microsoft.com/en-
us/library/cc288981.aspx) and Extendvs: Stsadm operation
Example
The following command creates a Web application and a site collection with the URL
http://intranet that uses the corporate team site template.
stsadm -o extendvs -url http://intranet -ownerlogin <domain\user name> -owneremail
<user@domain.com>sitetemplate STS#0 -exclusivelyusentlm -databaseserver <database
server name> -databasename <content database name> -apidname <application pool name> -
apidtype {configurableID | NetworkService}-apidlogin<domain\user name> -apidpwd
<password>
If you do not specify the template to use, site owners can choose the template when they first
browse to the site.
If you want to create additional Web applications or site collections by using the Stsadm
command-line tool, you can use either the extendvs or createsite operation.
The extendvs operation extends a Web application and creates a new content database. The
createsite operation creates a site collection at a specific URL with a specified user a site
collection owner and site collection administrator.
Note:
The createsite operation does not create a new content database. If you want to create a
new content database together with the new site, use the createsiteinnewdb operation.
For more information, see Createsite: Stsadm operation (https://technet.microsoft.com/en-
us/library/cc287992.aspx) and Createsiteinnewdb: Stsadm operation
The extendvs operation also enables you to specify the language of the site collection by using
the Locale ID (LCID) parameter. If you do not specify an LCID, the language of the server is used
for the top-level site collection. For more information about the available LCID values, see List of
Locale ID (LCID) Values as Assigned by Microsoft
90

number of trace log files to maintain, and how long (in minutes) to capture events to each log file.
You can also specify where the log files are written or accept the default path.
Trace log files can help you troubleshoot issues related to configuration changes of the Windows
SharePoint Services Search service. Because problems related to configuration changes are not
always immediately discovered, we recommend that you save all trace log files that the system
creates on any day that you make any configuration changes. Store these log files for some time
in a safe location that will not be overwritten. We recommend that you store log files on a hard
disk drive partition that is used to store log files only.
91
II. Deploy Windows SharePoint Services 3.0
in a server farm environment
92
A. Install Windows SharePoint Services 3.0
for a server farm environment
93
Chapter overview: Install Windows
SharePoint Services 3.0 for a server farm
environment
Important:
in a server farm environment. It does not cover upgrading from previous releases of
Windows SharePoint Services 3.0 or from previous releases of Windows SharePoint
Services. For more information about upgrading from a previous release of Windows
SharePoint Services, see Upgrading to Windows SharePoint Services 3.0.
Note:
computer as a stand-alone installation. For more information, see Install Windows
SharePoint Services 3.0 on a stand-alone computer.
a multi-tier topology. A server farm consists of one or more servers dedicated to running the
Windows SharePoint Services 3.0 application.
Note:
Server farm environments can encompass a wide range of topologies, and can include many
94
deployment.
administrative and service accounts.
 You must install Windows SharePoint Services 3.0 on a clean installation of the Microsoft
Windows Server 2003 operating system with the most recent service pack. If you uninstall a
previous version of Windows SharePoint Services 3.0, and then install Windows SharePoint
Services 3.0, Setup might fail to create the configuration database and the installation will fail.
Note:


 Preinstalling the databases (optional).
 Running Setup on all servers you want to be in the farm.
 Installing available language template packs on front-end Web servers (optional). For more
information about installing language template packs, see Deploy language packs (Windows
SharePoint Services 3.0).
 Running the SharePoint Products and Technologies Configuration Wizard.
95
Phase 2: Deploy and configure SharePoint site collections and
sites
 Creating the site collections.
 Creating the sites.
For more information about creating site collections and sites, see Deploy and configure
SharePoint sites.
96
Prepare the database servers
In this article:
 SQL Server and database collation
 Required accounts
 Preinstall databases (optional)
Before installing Windows SharePoint Services 3.0, you must prepare the database server.
The database server must be running Microsoft SQL Server 2005 or Microsoft SQL Server 2000
with the most recent service pack.
For more information about prerequisites, see Determine hardware and software requirements.

and then click OK.

sensitive. This is to ensure file name uniqueness consistent with the Windows operating system.
For more information about collations, see "Selecting a SQL Collation" or "Collation Settings in
Setup" in SQL Server Books Online.
Required accounts
The following table describes the accounts that are used to configure Microsoft SQL Server and
to install Windows SharePoint Services 3.0. For more information about the required accounts,
including specific privileges required for these accounts, see Plan for administrative and service
accounts (http://technet.microsoft.com/en-us/library/cc288210.aspx).
97
Account Purpose
Setup user account The account that is used to run Setup on each server.
Farm search service account The service account for the Windows SharePoint
Services Search service. There is only one instance of
this service in the server farm.
Application pool process account Used to access content databases associated with the
Web application.
Preinstall databases (optional)

required by Windows SharePoint Services 3.0. For more information about preinstalling
databases, including detailed procedures that describe how the DBA can create these databases,
see Deploy using DBA-created databases.
98
Prepare the front-end Web servers
In this article:
 Install the Microsoft .NET Framework version 3.0
 Enable ASP.NET 2.0
server acting as a Web server and an application server, and one server acting as a database
server.
For more information about these requirements, see Determine hardware and software
requirements (http://technet.microsoft.com/en-us/library/cc288751.aspx).

installing the .NET Framework version 3.0. There are separate downloads for x86-based
computers and x64-based computers; be sure to download and install the appropriate version for
your computer. The .NET Framework version 3.0 download contains the Windows Workflow
Foundation technology, which is required by workflow features.
Enable ASP.NET 2.0

You must enable ASP.NET 2.0 on all servers.
Enable ASP.NET 2.0

2. In the IIS Manager tree, click the plus sign (+) next to the server name, and then click the
Web Service Extensions folder.
3. In the details pane, click ASP.NET v2.0.50727, and then click Allow.
99
Install Windows SharePoint Services 3.0 and
run the SharePoint Products and
Technologies configuration wizard
In this article:
 Run Setup on the first server
 Start the Windows SharePoint Services Search service
operating system.
After preparing your database and the servers in your farm, run Setup and then run the
SharePoint Products and Technologies Configuration Wizard on all your farm servers. Adding
servers to the farm can be done at any time to add redundancy, such as additional load-balanced
Web servers.
Note:
configure the farm.
several configuration tasks, including installing and configuring the configuration database,
Web site.

You must have Microsoft SQL Server 2005 database software running on at least one back-end
database server before you install Windows SharePoint Services 3.0 on your farm servers.
Note:
100
SharePoint Services 3.0 be a server from which you want to run the Central

Run the SharePoint Products and Technologies Configuration

Wizard
several configuration tasks, including installing and configuring the configuration database,

2. In the dialog box that notifies you that some services might need to be restarted during
configuration, click Yes.
101
Important
This account is the server farm account and it is used to access your configuration database.
It also acts as the application pool identity for the SharePoint Central Administration
application pool, and it is the account under which the Windows® SharePoint Services Timer
service runs. The SharePoint Products and Technologies Configuration Wizard adds this
account to the SQL Server Logins, the SQL Server Database Creator server role, and the
SQL Server Security Administrators server role.
The user account that you specify for this service account must be a domain user account.
Because this account does not require a high level privilege, we recommend that you follow
the principle of least privilege, and specify a user account that is not a member of the
Administrators group on your Web servers or your back-end servers.
Specify port number check box; type a port number if you want the SharePoint Central
Administration Web application to use a specific port, or leave the Specify port number
check box cleared if you do not care which port number the SharePoint Central
9. In the Configure SharePoint Central Administration Web Application dialog box, do
click Next.
Note:
In most cases, use the default setting (NTLM). Use Negotiate (Kerberos)
only if Kerberos authentication is supported in your environment. Using the
Negotiate (Kerberos) option requires you to configure a Service Principal
Name (SPN) for the domain user account. To do this, you must be a member
of the Domain Admins group. For more information, see How to configure a
Windows SharePoint Services virtual server to use Kerberos authentication
and how to switch from Kerberos authentication back to NTLM authentication
(http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
page, click Next.
Note:
102
SharePoint Central Administration Web site to the list of trusted sites, and then
configure user authentication settings in Internet Explorer. Instructions for
configuring these settings are provided in the next set of steps.
Note:
Settings.
box.

You must have SQL Server 2005 running on at least one back-end database server before you
install Windows SharePoint Services 3.0 on your farm servers.
103
Important:
If you uninstall Windows SharePoint Services 3.0 from the first server on which you
installed it, your farm might experience problems.

Run the SharePoint Products and Technologies Configuration

Wizard on additional servers
configuration tasks, including installing and configuring the configuration database, and installing

104
DOMAIN\username.) This must be the same user account you used when you configured
the first server.
page, click Next.
Start the Windows SharePoint Services Search

service

top link bar.
4. Next to Windows SharePoint Services Search, click Start.
under which the Search service will run.
user account that the Search service will use to search over content. This account must
credentials, the same account used for the Search service will be used.
schedule that you want the Search service to use when searching over content.
105
Deploy language packs (Windows
SharePoint Services 3.0)
In this article:
 About language IDs and language packs
 Preparing your front-end Web servers for language packs
 Installing language packs on your front-end Web servers
Language packs enable site owners and site collection administrators to create SharePoint sites
and site collections in multiple languages without requiring separate installations of Windows
SharePoint Services 3.0. You install language packs, which contain language-specific site
templates, on your front-end Web servers. When an administrator creates a site or a site
collection based on a language-specific site template, the text that appears on the site or the site
collection is displayed in the site template's language. Language packs are typically used in
multinational deployments where a single server farm supports people in different locations or in
situations where sites and Web pages must be duplicated in one or more languages.
Note:
You cannot change an existing site, site collection, or Web page from one language to
another by applying different language-specific site templates; once you choose a
language-specific site template for a site or a site collection, the site or site collection will
always display content in the language of the original site template.
Word breakers and stemmers enable you to efficiently and effectively search across content on
SharePoint sites and site collections in multiple languages without requiring separate installations
of Windows SharePoint Services 3.0. Word breakers and stemmers are automatically installed on
your front-end Web servers by Setup.
You can install language lacks for Windows SharePoint Services 3.0 from the Microsoft
Download site, at "Windows SharePoint Services 3.0 Language Pack"
(http://www.microsoft.com/downloads/details.aspx?FamilyID=36ee1bf0-652c-4e38-b247-
f29b3eefa048&DisplayLang=en).
Important:
If you are uninstalling Windows SharePoint Services 3.0, you must uninstall all language
packs before you uninstall Windows SharePoint Services 3.0.
About language IDs and language packs

When site owners or site collection administrators create sites or site collections, they can choose
a language for the each site or site collection
The language they choose represents the language identifier (ID), and the language ID
determines the language that is used to display text and interpret text that is put on the site or site
106
collection. For example, when a site administrator chooses to create a site in French, the site's
toolbars, navigation bars, lists, and column headings appear in French. Likewise, if a site
administrator chooses to create a site in Arabic, the site's toolbars, navigation bars, lists, and
column headings appear in Arabic, and the default left-to-right orientation of the site changes to a
right-to-left orientation to properly display Arabic text.
The list of available languages that a site administrator can use to create a site or site collection is
generated by the language packs that are installed on your front-end Web servers. By default,
sites and site collections are created in the language in which Windows SharePoint Services 3.0
was installed. For example, if you install the Spanish version of Windows SharePoint Services
3.0, the default language for sites, site collections, and Web pages is Spanish. If a site
administrator needs to create sites, site collections or Web pages in a language other than the
default Windows SharePoint Services 3.0 language, you must install the language pack for that
language on your front-end Web servers. For example, if you are running the French version of
Windows SharePoint Services 3.0, and a site administrator wants to create sites in French,
English, and Spanish, you must install the English and Spanish language packs on your front-end
Web servers.
Note:
By default, when a site administrator creates a new Web page within a site, the Web
page uses the site's language ID to display text.
Language packs for Windows SharePoint Services 3.0 are not bundled into multilingual
installation packages. You must install a specific language pack for each language that you want
to support. Also, language packs must be installed on each of your front-end Web servers to
ensure that each Web server can render content in the specified language.
The following table lists the language packs that are available for Windows SharePoint Services
3.0.
Language Country/Region Language ID
German Germany 1031
English United States 1033
Japanese Japan 1041
Although a site administrator specifies a language ID for a site, some user interface elements
such as error messages, notifications, and dialog boxes do not display in the language that was
specified. This is because Windows SharePoint Services 3.0 relies on several supporting
technologies — for example, the Microsoft .NET Framework, Microsoft Windows Workflow
Foundation, Microsoft ASP.NET, and Microsoft SQL Server 2005 — some of which are localized
into only a limited number of languages. If a user interface element is generated by any of the
supporting technologies that is not localized into the language that the site administrator specified
for the site, the user interface element appears in English. For example, if a site administrator
creates a site in Hebrew, and the.NET Framework component displays a notification message,
the notification message will not display in Hebrew because the .NET Framework is not localized
107
into Hebrew. This situation can occur when sites are created in any language except the
following: Chinese, French, German, Italian, Japanese, Korean, and Spanish.
In some cases, some text might originate from the original installation language, which can create
a mixed-language experience. This type of mixed-language experience is typically seen only by
content creators or site administrators and is not seen by site users.
Preparing your front-end Web servers for

language packs
Before you install language packs on your front-end Web servers, you must do the following:
 Install the necessary language files on your front-end Web servers.
 Install Windows SharePoint Services 3.0 on each of your front-end Web servers.
 Run the SharePoint Products and Technologies Configuration Wizard on each of your front-
end Web servers.
Language files are used by the operating system and provide support for displaying and entering
text in multiple languages. Language files include:
 Keyboard files
 Input Method Editors (IMEs)
 TrueType font files
 Bitmap font files
 Code page conversion tables
 National Language Support (.nls) files
 Script engines for rendering complex scripts
Most language files are installed by default on the Microsoft Windows Server 2003 operating
system. However, you must install supplemental language files for East Asian languages and
languages that use complex script or require right-to-left orientations. The East Asian languages
include Chinese, Japanese, and Korean; the complex script and right-to-left oriented languages
include Arabic, Armenian, Georgian, Hebrew, the Indic languages, Thai, and Vietnamese.
Instructions for installing these supplemental language files are provided in the following
procedure.
We recommend that you install these language files only if you need them. The East Asian files
require about 230 megabytes of hard disk space. The complex script and right-to-left languages
do not use much disk space, but installing either set of files might reduce performance when
entering text.
Note:
You must be a member of the Administrators group on the computer to install these
language files. After the language files are installed, the languages are available to all
users of the computer.
108
Note:
You will need your Windows Server 2003 product disc to perform this procedure, or you
will need to know the location of a shared folder that contains your operating system
installation files.
Note:
You must restart your computer after you install supplemental language files.
Install additional language files

1. On your front-end Web server, click Start, point to Settings and then Control Panel, and
then click Regional and Language Options.
2. In the Regional and Language Options dialog box, on the Languages tab, in the
Supplemental Language Support section, select one or both of the following
checkboxes:
 Install files for complex script and right-to-left languages
 Install files for East Asian languages
3. Click OK in the dialog box that alerts you that additional disk space is required for the
files.
4. Click OK to install the additional language files.
5. When prompted, insert your Windows Server 2003 product disc or provide the location of
your Windows Server 2003 installation files.
6. When prompted to restart your computer, click Yes.
After you install the necessary language files on your front-end servers, you need to install
Windows SharePoint Services 3.0 and run the SharePoint Products and Technologies
Configuration Wizard. The wizard creates and configures the configuration database and
performs other configuration tasks that must be done before you install language packs. For more
information about installing Windows SharePoint Services 3.0 and running the SharePoint
Products and Technologies Configuration Wizard, see Deploy in a simple server farm and Install
Windows SharePoint Services 3.0 on a stand-alone computer.
Installing language packs on your front-end Web

servers
After you install the necessary language files on your front-end servers, you can install your
language packs. Language packs are available as individual downloads (one download for each
supported language). If you have a server farm environment, and you are installing language
packs to support multiple languages, you must install the language packs on each of your front-
end Web servers.
109
Important:
The language pack installs in its native language, for example the Russian language
pack executable file is localized into Russian. The procedure provided below is for the
English language pack.
Install a language pack

1. Run setup.exe.
3. The setup wizard runs and installs the language pack.
4. Rerun the SharePoint Products and Technologies Configuration Wizard, using the default
settings. If you do not run the SharePoint Products and Technologies Configuration
Wizard after you install a language pack, the language pack will not be installed properly.
Rerun the SharePoint Products and Technologies Configuration Wizard

SharePoint Products and Technologies Configuration Wizard.
3. Click Yes in the dialog box that alerts you that some services might need to be restarted
during configuration.
4. On the Modify server farm settings page, click Do not disconnect from this server
farm, and then click Next.
5. If the Modify SharePoint Central Administration Web Administration Settings page
appears, do not modify any of the default settings, and then click Next.
page, click Next.
When you install language packs, the language-specific site templates are installed in the
\Program Files\Common Files\Microsoft Shared\web server extensions\12\template\number
directory, where number is the Language ID for the language that you are installing. For example,
the US English language pack installs to the \Program Files\Common Files\Microsoft Shared\web
server extensions\12\template\1033 directory. After you install a language pack, site owners and
site collection administrators can create sites and site collections based on the language-specific
site templates by specifying a language when they are creating a new SharePoint site or site
collection.
Uninstalling language packs

If you no longer need to support a language for which you have installed a language pack, you
can remove the language pack by using Add/Remove Programs in Control Panel. Removing a
language pack removes the language-specific site templates from your computer. All sites that
110
were created with those language-specific site templates will no longer work (the URL will
produce a HTTP 500 - Internal server error page). Reinstalling the language pack will make the
site functional.
Note:
You cannot remove the language pack for the version of Windows SharePoint Services
3.0 that you have installed on your server. For example, if you are running the Japanese
version of Windows SharePoint Services 3.0, you cannot uninstall the Japanese
language support for Windows SharePoint Services 3.0.
111
B. Perform additional configuration tasks
112
Chapter overview: Perform additional
configuration tasks
After the initial installation and configuration of Windows SharePoint Services 3.0, you can
configure several additional settings. The configuration of additional settings is optional, but many
key features are not available unless these settings are configured.
Configure additional administrative settings

To take full advantage of the administrative features and capabilities of Windows SharePoint
Services 3.0, perform the following optional administrative tasks by using SharePoint Central
Administration:
mail settings.
"Reply" e-mail address that appear in outgoing alerts. You can also configure outgoing e-mail
settings for all Web applications or for only one Web application. For more information, see
Configure outgoing e-mail settings and Configure outgoing e-mail settings for a specific Web
application.
hosts a single SharePoint site. If your site design requires multiple sites or multiple Web
applications, you can create more SharePoint sites and Web applications. For more
information, see Deploy and configure SharePoint sites.
 Configure workflow settings You can configure workflow settings to enable end users to
create their own workflows by using code pre-generated by administrators. You can also
configure whether internal users without site access can receive workflow alerts, and whether
external users can participate in workflows by receiving copies of documents by e-mail. For
more information, see Configure workflow settings.
settings to help with troubleshooting. These include enabling and configuring trace logs,
event messages, user-mode error messages, and Customer Experience Improvement
Program events. For more information, see Configure diagnostic logging settings.
113
 Configure antivirus settings You can configure several antivirus settings if you have an
antivirus program that is designed for Windows SharePoint Services 3.0. Antivirus settings
allow you to control whether documents are scanned on upload or on download, and whether
users can download infected documents. You can also specify how long you want the
antivirus program to run before it times out, and you can specify how many execution threads
the antivirus program can use on the server. For more information, see Configure anti-virus
settings.
You can use the following procedure to configure optional administrative settings using
SharePoint Central Administration.
Configure administrative settings using SharePoint Central Administration

2. On the SharePoint Central Administration home page, under Administrative Tasks,
click the administrative task that you want to perform.
3. On the Administrative Tasks page, next to Action, click the task.
114
Configure incoming e-mail settings
 Install and configure the SMTP service
 Configure Active Directory
 Configure permissions to the e-mail drop folder
 Configure DNS Manager
 Configure attachments from Outlook 2003
 Configure incoming e-mail on SharePoint sites
Use this procedure to configure the incoming e-mail settings for Windows SharePoint Services
3.0.
The features of Windows SharePoint Services 3.0 that use incoming e-mail are not available until
these settings are configured.
Before you configure incoming e-mail settings in Windows SharePoint Services 3.0, confirm that:
 You have read the topic Plan incoming e-mail (http://technet.microsoft.com/en-
 One or more servers in your server farm are running the Internet Information Services (IIS)
Simple Mail Transfer Protocol (SMTP) service, or you know the name of another server that
is running the SMTP service. This server must be configured to accept relayed e-mail from
the mail server for the domain.
 One or more servers in your server farm are running the Microsoft SharePoint Directory
Management Service, or you know the name of another server that is running the SharePoint
Directory Management Web Service.
 The application pool account for the SharePoint Central Administration Web site has the
Create, delete, and manage user accounts right to the container in the Active Directory
directory service.
 The application pool account for Central Administration, the logon account for the Windows
SharePoint Services Timer service, and the application pool accounts for your Web
applications have the correct permissions to the e-mail drop folder.
 The domain controller running Active Directory has a Mail Exchanger (MX) entry in DNS
Manager for the mail server that you plan to use for incoming e-mail.
Note:
All of these configuration steps are described in detail in the following sections.
Install and configure the SMTP service

Incoming e-mail for Windows SharePoint Services 3.0 uses the SMTP service. The SMTP service
can be either installed on one or more servers in the farm, or administrators can provide an e-mail
115
drop folder for e-mail forwarded from the service on another server. The drop folder option is not
recommended because administrators of the other server can affect the availability of incoming e-
mail by changing the configuration of SMTP, and because this requires the additional step of
configuring permissions to the e-mail drop folder.
If a drop folder is not used, the SMTP service must be installed on each server that is used to
receive and process incoming e-mail. Typically, this includes every front-end Web server in the
farm.
Start the Windows SharePoint Services Web Application service

Each server that is running the SMTP service must also be running the Windows SharePoint
Services Web Application service. These servers are called front-end Web servers. In many
cases, this service will have already been configured.
Important:
Membership in the Administrators group of the Central Administration site is required to
complete this procedure.
Start the Windows SharePoint Services Web Application service

1. On the top navigation bar, click Operations.
2. On the Operations page, in the Topology and Services section, click Services on
server.
3. On the Services on Server page, find Windows SharePoint Services Web Application
in the list of services, and click Start.
Install the SMTP service

The SMTP service is a component of IIS. It must be installed on every front-end Web server in
the farm that you want to configure for incoming e-mail.
Important:
Membership in the Administrators group on the local computer is required to complete
this procedure.

1. In Control Panel, click Add or Remove Programs.
2. In Add or Remove Programs, click Add/Remove Windows Components.
3. In the Windows Components Wizard, in the Components box, click Application Server,
and then click the Details button.
4. In the Application Server dialog box, in the Subcomponents of Application Server
box, click Internet Information Services (IIS), and then click the Details button.
5. In the Internet Information Services (IIS) dialog box, select the SMTP Service check
box.
116
6. Click OK to return to the Application Server dialog box.
7. Click OK to return to the main page of the Windows Components Wizard.
8. Click Next.
9. When Windows has finished installing the SMTP service, on the Completing the Windows
Components Wizard page, click Finish.
Configure the SMTP service

After installing the SMTP service, you must configure the service to accept relayed e-mail from
the mail server for the domain.
You can decide to accept relayed e-mail from all servers except those you specifically exclude.
Alternatively, you can block e-mail from all servers except those you specifically include. You can
include servers individually, or in groups by subnet or domain.
Important:
this procedure.

2. In IIS Manager, expand the server name that contains the SMTP server that you want to
configure.
3. Right-click the SMTP virtual server that you want to configure, and then click Properties.
4. On the Access tab, under Access control, click Authentication.
5. In the Authentication dialog box, under Select acceptable authentication methods for
this resource, verify that Anonymous access is selected.
6. Click OK.
7. On the Access tab, under Relay restrictions, click Relay.
8. To enable relaying from any server, under Select which computer may relay through
this virtual server, select All except the list below.
9. To accept relaying from one or more specific servers, follow these steps:
a. Under Select which computer may relay through this virtual server, select Only
the list below.
b. Click Add, and then add servers one at a time by IP address, or in groups by using a
subnet or domain.
c. Click OK to close the Computer dialog box.
10. Click OK to close the Relay Restrictions dialog box.
11. Click OK to close the Properties dialog box.
117
Add an SMTP connector in Exchange Server
In some scenarios, mail from Microsoft Exchange Server computers might not be automatically
relayed to the Windows SharePoint Services 3.0 servers that are running the SMTP service. In
these scenarios, administrators of Exchange mail servers can add an SMTP connector so that all
mail sent to the Windows SharePoint Services 3.0 domain uses the Windows SharePoint
Services 3.0 servers that are running the SMTP service.
For more information about SMTP connectors, see the Help documentation for Exchange Server.
Configure Active Directory

Incoming e-mail uses the Microsoft SharePoint Directory Management Service to connect
SharePoint sites to the directory services used by your organization. If you enable the Microsoft
SharePoint Directory Management Service, users can create and manage distribution groups
from SharePoint sites. SharePoint lists that use e-mail can then be found in directory services,
such as the Address Book. You must also select which distribution group requests from
SharePoint lists require approval. The Microsoft SharePoint Directory Management Service can
be installed on a server in the farm, or you can use a remote Microsoft SharePoint Directory
Management Service.
To use the Microsoft SharePoint Directory Management Service on a farm or server, you must
configure the Central Administration application pool identity account to have the Create, delete,
and manage user accounts right to the container that you specify in Active Directory. The
preferred way to do this is by delegating the right to the Central Administration application pool
identity account. An Active Directory administrator must set up the organizational unit (OU) and
delegate the Create, delete, and manage user accounts right to the container. The advantage
of using the Microsoft SharePoint Directory Management Service on a remote farm is that you do
not have to delegate rights to the organizational unit for multiple farm service accounts.
If the application pool account for Central Administration is different from the application pool
account for the Web application of the list or site that is enabled for e-mail, you must use the
application pool account for the Web application when completing the following procedures. You
must then delegate additional rights to the Central Administration application pool account.
The following procedures are performed on a domain controller that runs Microsoft Windows
Server 2003 SP1 (with DNS Manager) and Microsoft Exchange Server 2003 SP1. In some
deployments, these applications might run on multiple servers in the same domain.
Important:
Membership in the Domain Administrators group or delegated authority for domain
administration is required to complete this procedure.
Create an organizational unit in Active Directory

1. Click Start, point to Control Panel, point to Administrative Tools, and then click Active
Directory Users and Computers.
2. In Active Directory Users and Computers, right-click the folder for the second-level
118
domain that contains your server farm, point to New, and then click Organizational Unit.
3. Type the name of the organizational unit, and then click OK.
After creating the organization unit, we recommend that you delegate the Create, delete, and
manage user accounts right to the container.
Important:
Membership in the Domain Administrators group or the Enterprise Administrators group
in Active Directory, or delegated authority for administration, is required to complete this
procedure.
Delegate right to the application pool account

1. In Active Directory Users and Computers, find the organizational unit that you just
created.
2. Right-click the organizational unit, and then click Delegate control.
3. On the Welcome page of the Delegation of Control Wizard, click Next.
4. On the Users and Groups page, click Add, and then type the name of the application
pool identity account that the Web application uses.
5. In the Select Users, Computers, and Groups dialog box, click OK.
6. On the Users or Groups page of the Delegation of Control Wizard, click Next.
7. On the Tasks to Delegate page of the Delegation of Control Wizard, select the Create,
delete, and manage user accounts check box, and then click Next.
8. On the last page of the Delegation of Control Wizard, click Finish to exit the wizard.
If you must add permissions for the application pool identity account directly, complete the
following procedure.
Important:
Membership in the Account Operators group, Domain Administrators group, or the
Enterprise Administrators group in Active Directory, or delegated authority for
administration, is required to complete this procedure.
Add permissions for the application pool account

1. In Active Directory Users and Computers, click the View menu, and then click Advanced
Features.
2. Right-click the organizational unit that you just created, and then click Properties.
3. In the Properties dialog box, click the Security tab, and then click Advanced.
4. Click Add, and then type the name of the application pool identity account for the Web
application.
5. Click OK.
6. In the Permission Entries section, double-click the application pool identity account.
7. In the Permissions section, under Allow, select the Modify permissions check box.
119
8. Click OK to close the Permissions dialog box.
10. Click OK to close the Active Directory Users and Computers plug-in.
If you decide instead to use the remote Microsoft SharePoint Directory Management Service, you
must know the URL for the Web service. This URL is typically in the following format:
http://server:adminport/_vti_bin/SharePointEmailWS.asmx.
Configure Active Directory under atypical circumstances

If you are using the Directory Management Service and the Central Administration application
pool uses a different account from the Web application for the list or site on which you want to
enable incoming e-mail, you must delegate additional rights to the Central Administration
application pool account. If you do not delegate these rights, then you cannot enable incoming e-
mail for the list or site.
Note:
Before you delegate the following rights to the Central Administration application pool
account for the organizational unit, you must delegate rights to the application pool
account for the Web application. The procedures for delegating those rights are
explained in the previous section.
Administrators must delegate full control of the organizational unit to the Central Administration
application pool account. After this delegation is complete, administrators can enable incoming e-
mail.
To delegate full control of the organizational unit to the Central

Administration application pool account
Important:
Membership in the Domain Administrators group or the Enterprise Administrators group
in Active Directory, or delegated authority for administration, is required to complete this
procedure.
Delegate full control of the organizational unit to the Central Administration application
pool account
1. Right-click the organizational unit, and then click Delegate control.
2. In the Delegation of Control wizard, click Next.
3. Click Add, and then type the name of the application pool account for Central
Administration.
4. Click OK.
5. Click Next.
6. On the Tasks to Delegate page of the Delegation of Control wizard, select Create a
custom task to delegate, and then click Next.
120
7. Select This folder, existing objects in this folder, and creation of new objects in this
folder, and then click Next.
8. In the Permissions section, select Create all Child Objects and Delete all Child
Objects.
9. Click Next.
10. On the last page of the Delegation of Control wizard, click Finish to exit the wizard.
Delegating full control of the organizational unit to the Central Administration application pool
account enables administrators to enable e-mail for a list. Administrators cannot disable e-
mail for the list or document library after delegating full control because the Central
Administration account tries to delete the contact from the entire organizational unit rather
than deleting the contact from the list.
To add the Delete Subtree permission for the Central

Administration application pool account
To enable administrators to disable incoming e-mail on a list, you must add the Delete Subtree
permission for the Central Administration application pool account.
Important:
Membership in the Account Operators group, Domain Administrators group, or the
Enterprise Administrators group in Active Directory, or delegated authority for
administration, is required to complete this procedure.
Add the Delete Subtree permission for the Central Administration application pool
account
1. In Active Directory Users and Computers, click the View menu, and then click Advanced
Features.
2. Right-click the organizational unit and then click Properties.
3. In the Properties dialog box, click the Security tab, and then click Advanced.
4. In the Permission Entries section, double-click the Central Administration application
pool account.
5. In the Permissions section, under Allow, select Delete Subtree.
6. Click OK to close the Permissions dialog box.
8. Click OK to close the Active Directory Users and Computers plug-in.
After adding the permission, you must restart Internet Information Services (IIS) for the farm.
For more information about Active Directory, see the Help documentation for Active Directory.
121
Configure permissions to the e-mail drop folder
When incoming e-mail settings are set to advanced mode, you must ensure that certain accounts
have the correct permissions to the e-mail drop folder.
Configure e-mail drop folder permissions for the logon account

for the Windows SharePoint Services Timer service
Ensure that the logon account for the Windows SharePoint Services Timer service has the Modify
permission on the e-mail drop folder. If the logon account for the service does not have the
Modify permission, e-mail enabled document libraries will receive duplicate e-mail messages.
Important:
Membership in the Administrators group on the local computer that contains the e-mail
drop folder is required to complete this procedure.
Configure e-mail drop folder permissions

1. In Windows Explorer, right-click the drop folder, click Properties, and then click the
Security tab.
2. On the Security tab, under the Group or user names box, click the Add button.
3. In the Select Users, Computers, or Groups dialog box, in the Enter objects to select
box, type the name of the logon account for the Windows SharePoint Services Timer
service, and then click OK.
Note:
This account is listed on the Log On tab of the Properties dialog box for the
service in the Services console.
4. In the Permissions for User or Group box, next to Modify, select the Allow check box.
5. Click OK.
Configure e-mail drop folder permissions for the application

pool account for a Web application
If your deployment uses different application pool accounts for Central Administration and one or
more Web applications for front-end Web servers, each application account must have
permissions to the e-mail drop folder. If the application pool account for the Web application does
not have the required permissions, e-mail will not be delivered to document libraries on that Web
application.
In most cases, when you configure incoming e-mail settings and select an e-mail drop folder,
permissions are added for two worker process groups:
 WSS_Admin_WPG, which includes the application pool account for Central Administration
and the logon account for the Windows SharePoint Services Timer service, has Full Control
permission.
122
 WSS_WPG, which includes the application pool accounts for Web applications, has Read &
Execute, List Folder Contents, and Read permissions.
In some cases, these groups might not be configured automatically for the e-mail drop folder. For
example, if Central Administration is running as the Network Service account, the groups or
accounts needed for incoming e-mail will not be added when the e-mail drop folder is created. It
is a good idea to check whether these groups have been added automatically to the e-mail drop
folder. If the groups have not been added automatically, you can add them or add the specific
accounts that are required.
Important:
Membership in the Administrators group on the local computer that contains the e-mail
drop folder is required to complete this procedure.
Configure e-mail drop folder permissions

1. In Windows Explorer, right-click the drop folder, click Properties, and then click the
Security tab.
2. On the Security tab, under the Group or user names box, click the Add button.
3. In the Select Users, Computers, or Groups dialog box, in the Enter objects to select
box, type the name of the worker process group or application pool account for the Web
application, and then click OK.
Note:
This account is listed on the Identity tab of the Properties dialog box for the
application pool in IIS.
4. In the Permissions for User or Group box, next to Modify, select the Allow check box.
5. Click OK.
Configure DNS Manager

Incoming mail requires a Mail Exchanger (MX) resource record to be added in DNS Manager for
the host or subdomain running Windows SharePoint Services 3.0. This is distinct from any
existing MX records in the domain.
Important:
this procedure.
Add a Mail Exchanger (MX) resource record for the subdomain

1. In DNS Manager, select the forward lookup zone for the domain that contains the
subdomain for Windows SharePoint Services 3.0.
2. Right-click the zone and then click New Mail Exchanger.
3. In the Host or domain text box, type the host or subdomain name for Windows
123
4. In the Fully qualified domain name (FQDN) of mail server text box, type the fully
qualified domain name for the server that is running Windows SharePoint Services 3.0.
This is typically in the format subdomain.domain.com.
5. Click OK.
Configure attachments from Outlook 2003

Attachments to messages sent from Microsoft Outlook 2003 must be encoded in UUEncode or
Binhex format to appear separately in e-mail enabled document libraries. Attachments from
Outlook 2003 that use different encoding will not be listed, but e-mail messages that contain
attachments will be listed.

Before you can enable incoming e-mail on the server that is running Windows SharePoint
Services 3.0, you must have configured the SMTP service on front-end Web servers in the farm
and the Active Directory and DNS Manager on the domain controller, or you must know the name
of other servers that are running these services.
This procedure configures the settings that are used for incoming e-mail. You can also configure
options for safe e-mail servers and the incoming e-mail display address.
Important:

2. On the Operations page, in the Topology and Services section, click Incoming e-mail
settings.
3. If you want to enable sites on this server to receive e-mail, on the Incoming E-mail
Settings page, in the Enable Incoming E-Mail section, click Yes.
4. Select either the Automatic or the Advanced settings mode.
If you select Advanced, you can specify a drop folder instead of using an SMTP server.
5. If you want to connect to the SharePoint Directory Management Service, in the Directory
Management Service section, click Yes.
a. In the Active Directory container where new distribution groups and contacts
will be created box, type the name of the container in the format
OU=ContainerName, DC=domain, DC=com, where ContainerName is the name of
the organizational unit in Active Directory, domain is the second-level domain, and
com is the top-level domain.
124
Note:
The Central Administration application pool account must be delegated the
Create, delete, and manage user accounts task for the container. Access
is configured in the properties for the organizational unit in Active Directory.
b. In the SMTP mail server for incoming mail box, type the name of the SMTP mail
server. The server name must match the fully qualified domain name in the MX entry
for the mail server in DNS Manager.
c. To accept only messages from authenticated users, click Yes for Accept messages
from authenticated users only. Otherwise, click No.
d. To allow creation of distribution groups from SharePoint sites, click Yes for Allow
creation of distribution groups from SharePoint sites. Otherwise, click No.
e. Under Distribution group request approval settings, select the actions that will
require approval. Actions include the following:
 Create new distribution group
 Change distribution group e-mail address
 Change distribution group title and description
 Delete distribution group
6. If you want to use a remote SharePoint Directory Management Web Service, select Use
remote.
a. In the Directory Management Service URL box, type the URL of the Microsoft
SharePoint Directory Management Service that you want to use.
b. In the SMTP mail server for incoming mail box, type the name of the SMTP mail
server. The server name must match the fully qualified domain name in the MX entry
for the mail server in DNS Manager on the domain server.
c. To accept messages from authenticated users only, click Yes for Accept messages
from authenticated users only. Otherwise, click No.
d. To allow creation of distribution groups from SharePoint sites, click Yes for Allow
creation of distribution groups from SharePoint sites. Otherwise, click No.
7. If you do not want to use the Microsoft SharePoint Directory Management Service, click
No.
8. In the Incoming E-Mail Server Display Address section, type a display name for the e-
mail server (for example, mail.fabrikam.com) in the E-mail server display address box.
Tip:
You can specify the e-mail server address that is displayed when users create an
incoming e-mail address for a list or group. Use this setting together with the
Microsoft SharePoint Directory Management Service to provide an e-mail server
address that is more user-friendly.
9. In the Safe E-Mail Servers section, select one of the following options:
 Accept mail from all e-mail servers
125
 Accept mail from these safe e-mail servers. If you select this option, type the IP
addresses (one per line) of the e-mail servers that you want to specify as safe in the
corresponding box.
10. In the E-mail Drop Folder section, in the E-mail drop folder box, type the name of the
folder in which Microsoft Windows SharePoint Services polls for incoming e-mail from the
SMTP service.
This option is available only if you selected advanced mode.
11. Click OK.
Configuring incoming e-mail on SharePoint sites

After configuring incoming e-mail settings, site administrators can configure e-mail enabled lists
and document libraries. For more information about e-mail enabled document libraries, see the
Help documentation for site administrators.
Contact addresses created for these document libraries appear automatically in Active Directory
Users and Computers under the organizational unit for Windows SharePoint Services 3.0, and
must be managed by the administrator of Active Directory. The Active Directory administrator can
add more e-mail addresses for each contact. For more information about how to manage
contacts in Active Directory, see the Help documentation for Active Directory.
Alternatively, the Exchange Server can be configured by adding a new Exchange Server Global
recipient policy to automatically add external addresses that use the second-level domain name
and not the subdomain or host for Windows SharePoint Services 3.0. For more information about
how to manage Exchange Server, see the Help documentation for Exchange Server.
See Also
 Plan incoming e-mail (http://technet.microsoft.com/en-us/library/cc288433.aspx)
126
Configure outgoing e-mail settings
In this article:
Use this procedure to configure the default outgoing e-mail settings for all Web applications. You
can override the default outgoing e-mail settings for specific Web applications by using the
procedure that is described in Configure outgoing e-mail settings for a specific Web application.

Before you can enable outgoing e-mail, you must install the Internet Information Services (IIS)
Simple Mail Transfer Protocol (SMTP) service. After determining which SMTP server to use, the
SMTP server must be configured to allow anonymous access and to allow e-mail messages to be
relayed. Additionally, the SMTP server must have Internet access if you want the ability to send
messages to external e-mail addresses, or it must be able to relay authenticated e-mail to a
server that has Internet access. The SMTP server that you use can be a server in the farm, or
another server.

The SMTP service is a component of IIS.
Important:
this procedure.

box.
8. Click Next.
127

After installing the SMTP service, configure the service to accept relayed e-mail from servers in
your farm.
By enabling both anonymous access and e-mail relaying, you increase the possibility that the
SMTP server will be used to relay unsolicited commercial e-mail (spam). It is important to limit
this possibility by carefully configuring your mail servers to help protect against spam. One way
that you can do this is by limiting relaying to a specific list of servers or domain, and preventing
relaying from all other servers.
Important:
this procedure.

configure.
6. Click OK.
the list below.
subnet or domain.
128
Important:
Membership in the Farm Administrators group of the Central Administration site is
required to complete this procedure.

1. On the top navigation bar of the SharePoint Central Administration Web site, click
Operations.
2. On the Operations page, in the Topology and Services section, click Outgoing e-mail
settings.
3. On the Outgoing E-Mail Settings page, in the Mail Settings section, type the SMTP
server name for outgoing e-mail (for example, mail.example.com) in the Outbound
SMTP server box.
4. In the From address box, type the e-mail friendly address as you want it to appear to e-
mail recipients.
5. In the Reply-to address box, type the e-mail address to which you want e-mail recipients
to reply.
6. In the Character set menu, select the character set that is appropriate for your language.
7. Click OK.
Email.
See Also
 Plan outgoing e-mail (http://technet.microsoft.com/en-us/library/cc287948.aspx)
129
Configure outgoing e-mail settings for a
specific Web application
In this article:
Use this procedure to configure the outgoing e-mail settings for a specific Web application. Before
using this procedure, you must first configure the default outgoing e-mail settings for all Web
applications by using the procedure described in Configure outgoing e-mail settings.

Before you can enable outgoing e-mail, you must install the Internet Information Services (IIS)
Simple Mail Transfer Protocol (SMTP) service. After determining which SMTP server to use, the
SMTP server must be configured to allow anonymous access and to allow e-mail messages to be
relayed. Additionally, the SMTP server must have Internet access if you want the ability to send
messages to external e-mail addresses, or it must be able to relay authenticated e-mail to a
server that has Internet access. The SMTP server that you use can be a server in the farm, or
another server.

The SMTP service is a component of IIS.
Important:
this procedure.

box.
130
8. Click Next.

After installing the SMTP service, configure the service to accept relayed e-mail from servers in
your farm.
By enabling both anonymous access and e-mail relaying, you increase the possibility that the
SMTP server will be used to relay unsolicited commercial e-mail (spam). It is important to limit
this possibility by carefully configuring your mail servers to help protect against spam. One way
that you can do this is by limiting relaying to a specific list of servers or domain, and preventing
relaying from all other servers.
Important:
this procedure.

configure.
6. Click OK.
the list below.
subnet or domain.
131

Important:
Membership in the Farm Administrators group of the Central Administration site is
required to complete this procedure.

1. On the top navigation bar of the SharePoint Central Administration Web site, click
Application Management.
2. On the Application Management page, in the SharePoint Web Application
Management section, click Web application outgoing e-mail settings.
3. On the Web Application E-Mail Settings page, select a Web application by using the Web
Application menu in the Web Application section.
4. In the Mail Settings section, type the SMTP server name for outgoing e-mail (for
example, type mail.fabrikam.com) in the Outbound SMTP server box.
5. In the From address box, type the e-mail friendly address as you want it to appear to e-
mail recipients.
6. In the Reply-to address box, type the e-mail address to which you want e-mail recipients
to reply.
7. On the Character set menu, click the character set that is appropriate for your language.
8. Click OK.
See Also
 Plan outgoing e-mail (http://technet.microsoft.com/en-us/library/cc287948.aspx)
132
Configure workflow settings
Use this procedure to configure the workflow settings for Windows SharePoint Services 3.0.
Workflow settings are configured at the Web application level, enabling you to configure different
settings for different Web applications. When you configure workflow settings, you must first
select the Web application to configure.
Site administrators can create workflows from the Site Settings page for the site or site collection.
By default, end users can create their own workflows by using code already deployed by an
administrator. You can also choose to limit workflow creation to site administrators.
By default, workflows can include users who do not have site access. Users without site access
who attempt to complete the task assigned to them will be directed to the Error: Access Denied
page, where they can request access to the site. If you do not enable alerts for internal users
without site access, workflows that include those users will not generate alerts for those users.
By default, external users cannot participate in workflows, and external users included in
workflows will not be alerted. You can choose to allow external users to participate in workflows
by sending copies of documents to those users by e-mail.
Configuring workflow settings

Note:
Configure workflow settings

1. On the top navigation bar, click Application Management.
2. On the Application Management page, in the Workflow Management section, click
Workflow settings.
3. On the Workflow Settings page, in the Web Application section, the current Web
application is displayed in the Web Application menu. To configure the settings for a
different Web application, click Change Web Application, and then select a new Web
application on the Select Web Application page.
4. In the User-Defined Workflows section, select Yes if you want to enable user-defined
workflows, or select No if you do not want to enable user-defined workflows.
5. In the Workflow Task Notifications section, under Alert internal users who do not have
site access when they are assigned a workflow task, select Yes if you want internal
users without site access to be sent an e-mail alert when a task is assigned to them.
Users attempting to complete the task by using the link in the alert will be directed to the
Request Permissions page. If you do not want internal users without site access to be
sent an e-mail alert when a task is assigned to them, select No.
133
6. Under Allow external users to participate in workflow by sending them a copy of
the document, select Yes if you want documents to be sent to external users by e-mail
when those users are part of the workflow but they do not have access permissions to
the documents. If you do not want documents to be sent to external users who do not
have access permissions, select No.
Note:
If the object in the workflow is not a document but a list item, the list item
properties are displayed in a table as part of the e-mail message.
7. Click OK.
Workflow management: Stsadm properties.
134
Configure diagnostic logging settings
In this article:
 Customer Experience Improvement Program
 Error reports
 Event throttling
 Configuring diagnostic logging settings
Use this procedure to configure the diagnostic logging settings for Windows SharePoint Services
3.0.
You can configure how diagnostic events are logged according to their criticality. Additionally, you
can set the maximum number of log files that can be maintained, and you can set how long to
capture events to a single log file.
You can also indicate whether or not to provide Microsoft with continuous improvement and Dr.
Watson event data.
Customer Experience Improvement Program

The Customer Experience Improvement Program (CEIP) is designed to improve the quality,
reliability, and performance of Microsoft® products and technologies. With your permission,
anonymous information about your server will be sent to Microsoft to help us improve
SharePoint® Products and Technologies.
For more information, see the Customer Experience Improvement Program privacy statement
Error reports
Error reports are created when your system encounters hardware or software problems. Microsoft
and its partners actively use these reports to improve the reliability of your software. Error reports
include the following: information regarding the condition of the server when the problem occurs;
the operating system version and computer hardware in use; and the Digital Product ID, which
can be used to identify your license. The IP address of your computer is also sent because you
are connecting to an online service to send error reports; however, the IP address is used only to
generate aggregate statistics.
Microsoft does not intentionally collect any personal information. However, error reports could
contain data from log files, such as user names, IP addresses, URLs, file or path names, and e-
mail addresses. Although this information, if present, could potentially be used to determine your
identity, the information will not be used in this way. The data that Microsoft collects will be used
only to fix problems and to improve software and services. Error reports will be sent by using
encryption technology to a database with limited access, and will not be used for marketing
purposes.
135
For more information, see the Microsoft Error Reporting Service privacy statement
If you want to provide error reports to Microsoft and its partners, select the option to collect error
reports. Base your decision on your organization's policies about sharing the information
collected by error reports, and the potential impact of error collection on users and administrators.
Two options are available for error reports:
 You can choose to periodically download a file from Microsoft that can help identify system
problems based on the error reports that you provide to Microsoft.
 You can change the error collection policy to silently send all reports. This changes the
computer's error reporting behavior to automatically send reports to Microsoft without
prompting users when they log on.
Event throttling
You can configure the diagnostic options for event logging. Events can be logged in either the
Windows® event log or the trace log. You can configure event throttling settings to control how
many events are recorded in each log, according to the criticality of the events. To provide more
control in event throttling, you can decide to throttle events for all events, or for any single
category of events. Several categories of events are available, based on different services and
features of SharePoint Products and Technologies.
Categories of events can be defined by individual services or by groupings of related events.
Selected event categories include:
 All
 Categories defined by product, such as Office SharePoint Server 2007 and Microsoft Office
Project Server 2007
 Administrative functions such as Administration, Backup and Recovery, Content Deployment,
and Setup and Upgrade
 Feature areas such as Document Management, E-Mail, Forms Services, Information Policy
Management, Information Rights Management, Publishing, Records Center, Site Directory,
Site Management, User Profiles, and Workflow
 SharePoint Services and other services such as the Load Balancer Service
 Shared services such as all Office Server Shared Services, Business Data, and Excel
Calculation Services
For the selected category, select the least-critical event to record, for both the Windows event log
and the trace log. Events that are equally critical to or more critical than the selected event will be
recorded in each log. The list entries are sorted in order from most-critical to least-critical.
The levels of events for the Windows event log include:
 None
 Error
 Warning
 Audit Failure
136
 Audit Success
 Information
The levels of events for the trace log include:
 None
 Unexpected
 Monitorable
 High
 Medium
 Verbose
For more information about the Windows event log or the trace log, see the Windows
documentation.
Configuring diagnostic logging settings

Note:
Configure diagnostic logging settings

2. On the Operations page, in the Logging and Reporting section, click Diagnostic
logging.
3. On the Diagnostic Logging page, in the Customer Experience Improvement Program
section, under Sign Up for the Customer Experience Improvement Program, select one of
the following options:
 Yes, I am willing to participate anonymously in the Customer Experience
Improvement Program (Recommended).
 No, I don't wish to participate.
If you select Yes, users can decide whether they want to report Customer Experience
Improvement Program events to Microsoft.
4. In the Error Reports section, under Error reporting, select one of the following:
 Collect error reports.
If you select this option, you can also select or clear two options to control how error
reports are collected:
 Periodically download a file that can help identify system problems.
 Change this computer's error collection policy to silently send all reports. This
changes the computer's error reporting behavior to automatically send reports to
Microsoft without prompting users when they log on.
 Ignore errors and don't collect information.
137
5. In the Event Throttling section, in the Select a category menu, select a category of
events:
a. In the Least critical event to report to the event log menu, select the least-critical
event to report to the event log for the selected category.
b. In the Least critical event to report to the trace log menu, select the least-critical
event to report to the trace log for the selected category.
6. In the Trace Log section, in the Path text box, type the local path to use for the trace log
on all servers in the farm. The location must exist on all servers in the farm.
a. In the Number of log files text box, type the maximum number of files that you want
to maintain.
b. In the Number of minutes to use a log file text box, type the number of minutes to
use each log file.
7. Click OK.
Listlogginglevels and Setlogginglevels.
138
Configure anti-virus settings
Use this procedure to configure the antivirus settings for Windows SharePoint Services 3.0.
You can activate antivirus measures only after installing a compatible antivirus scanner. In a
server farm, you must install antivirus software on every front-end Web server in the server farm.
You can configure four antivirus settings:
 Scan documents on upload: Select this setting to scan uploaded documents. This helps
prevent users with infected documents from distributing them to other users.
 Scan documents on download: Select this setting to scan downloaded documents. This
helps prevent users from downloading infected documents by warning them about infected
files. Users can still choose to download infected files, unless the option to allow users to
download infected documents is not selected.
 Allow users to download infected documents: If this option is selected, users can
download infected documents. In most cases, do not select this option. Unless you have a
specific reason to download infected documents, such as troubleshooting a virus infection on
your system, do not select this option.
 Attempt to clean infected documents: Select this setting to automatically clean infected
documents that were discovered during scanning.
Administrative credentials
Membership in the Administrators group of the Central Administration site is required to complete
this procedure.
Configure antivirus settings

2. On the Operations page, in the Security Configuration section, click Antivirus.
3. On the Antivirus page, in the Antivirus Settings section, select one or all of the
following:
 Scan documents on upload
 Scan documents on download
 Allow users to download infected documents
 Attempt to clean infected documents
4. Click OK.
For information about how to perform this procedure using the Stsadm command-line
tool, see Antivirus: Stsadm properties (http://technet.microsoft.com/en-
139
Run the Best Practices Analyzer Tool
You can run the Best Practices Analyzer tool to check for common issues and best security
practices. The tool generates a report that can help you optimize the configuration of your
system. The tool can be run locally or from a server that is not attached to the server farm. To
download the tool, click Microsoft Best Practices Analyzer for Windows SharePoint Services 3.0
140
Configure authentication
In this article:
 Configure digest authentication
 Configure forms-based authentication
 Configure Web SSO authentication by using ADFS
 Configure anonymous access
Authentication is the process of validating client identity, usually by means of a designated
authority. Web site authentication helps establish that a user who is trying to access Web site
resources can be verified as an authenticated entity. An authentication application obtains
credentials from a user who is requesting Web site access. Credentials can be various forms of
identification, such as user name and password. The authentication application tries to validate
the credentials against an authentication authority. If the credentials are valid, the user who
submitted the credentials is considered to be an authenticated identity.
Windows SharePoint Services authentication

To determine the most appropriate Windows SharePoint Services 3.0 authentication mechanism
to use, consider the following issues:
 To use a Windows authentication mechanism, you need an environment that supports user
accounts that can be authenticated by a trusted authority.
 If you use a Windows authentication mechanism, the operating system performs user
credential management tasks. If you use an authentication provider other than Windows,
such as forms authentication, you must plan and implement a credential management system
and determine where to store user credentials.
Windows SharePoint Services 3.0 authentication for is built on the ASP.NET authentication
model and includes three authentication providers:
 Windows authentication provider
 Forms authentication provider
 Web SSO authentication provider
You can use the Active Directory directory service for authentication, or you can design your
environment to validate user credentials against other data stores, such as a Microsoft SQL
Server database, a lightweight directory access protocol (LDAP) directory, or any other directory
that has an ASP.NET 2.0 membership provider. The membership provider specifies the type of
data store you are going to use. The default ASP.NET 2.0 membership provider uses a SQL
Server database. ASP.NET 2.0 includes a SQL Server membership provider.
The authentication providers are used to authenticate against user and group credentials that are
stored in Active Directory, in a SQL Server database, or in a Non-Active Directory LDAP directory
service (such as NDS). For more information about ASP.NET membership providers, see
141
Configuring an ASP.NET Application to Use Membership
Windows authentication provider

The Windows authentication provider supports the following authentication methods:
 Anonymous authentication
Anonymous authentication enables users to find resources in the public areas of Web sites
without having to provide authentication credentials. Internet Information Services (IIS)
creates the IUSR_computername account to authenticate anonymous users in response to a
request for Web content. The IUSR_computername account, where computername is the
name of the server that is running IIS, gives the user access to resources anonymously under
the context of the IUSR account. You can reset anonymous user access to use any valid
Windows account. In a stand-alone environment, the IUSR_computername account is on the
local server. If the server is a domain controller, the IUSR_computername account is defined
for the domain. By default, anonymous access is disabled when you create a new Web
application. This provides an additional layer of security, because IIS rejects anonymous
access requests before they can ever be processed if anonymous access is disabled.
 Basic authentication
Basic authentication requires previously assigned Windows account credentials for user
access. Basic authentication enables a Web browser to provide credentials when making a
request during an HTTP transaction. Because user credentials are not encrypted for network
transmission, but are sent over the network in plaintext, using basic authentication over an
unsecured HTTP connection is not recommended. To use basic authentication, you should
enable Secure Sockets Layer (SSL) encryption.
 Digest authentication
Digest authentication provides the same functionality as basic authentication, but with
increased security. User credentials are encrypted instead of being sent over the network in
plaintext. User credentials are sent as an MD5 message digest in which the original user
name and password cannot be deciphered. Digest authentication uses a challenge/response
protocol that requires the authentication requestor to present valid credentials in response to
a challenge from the server. To authenticate against the server, the client has to supply an
MD5 message digest in a response that contains a shared secret password string. The MD5
Message-Digest Algorithm is described in detail in Internet Engineering Task Force (IETF)
RFC 1321 (http://www.ietf.org).
To use digest authentication, note the following requirements:
 The user and IIS server must be members of, or trusted by, the same domain.
 Users must have a valid Windows user account stored in Active Directory on the domain
controller.
 The domain must use a Microsoft Windows Server 2003 domain controller.
 You must install the IISSuba.dll file on the domain controller. This file is copied
automatically during Windows Server 2003 Setup.
142
 Integrated Windows authentication using NTLM
This method is for Windows servers that are not running Active Directory on a domain
controller. NTLM is a secure protocol that supports user credential encryption and
transmission over a network. NTLM is based on encrypting user names and passwords
before sending the user names and passwords over the network. NTLM is the authentication
protocol that is used in Windows NT Server and in Windows 2000 Server workgroup
environments, and in many Active Directory deployments. NTLM is used in mixed Windows
2000 Active Directory domain environments that must authenticate Windows NT systems.
Forms authentication provider

The forms authentication provider supports authentication against credentials stored in Active
Directory, in a database such as a SQL Server database, or in an LDAP data store such as
Novell eDirectory, Novell Directory Services (NDS), or Sun ONE. Forms authentication enables
user authentication based on validation of credential input from a logon form. Unauthenticated
requests are redirected to a logon page, where the user must provide valid credentials and
submit the form. If the request can be authenticated, the system issues a cookie that contains a
key for reestablishing the identity for subsequent requests.
Web single sign-on (SSO) authentication provider

Web SSO is also referred to as federated authentication or delegate authentication, because it
supports secure communication across network boundaries.
SSO is an authentication method that enables access to multiple secure resources after a single
successful authentication of user credentials. There are several different implementations of SSO
authentication. Web SSO authentication supports secure communication across network
boundaries by enabling users who have been authenticated in one organization to access Web
applications in another organization. Active Directory Federation Services (ADFS) supports Web
SSO. In an ADFS scenario, two organizations can create a federation trust relationship that
enables users in one organization to access Web-based applications that are controlled by
another organization. For information about using ADFS to configure Web SSO authentication,
see Configure Web SSO authentication by using ADFS.
143
Configure digest authentication
In this article:
 About digest authentication
 Enable digest authentication for a zone of a Web application
 Configure IIS to enable digest authentication
About digest authentication

Basic authentication requires previously assigned Windows account credentials for user access.
Basic authentication enables a Web browser to provide credentials when making a request during
an HTTP transaction. Because user credentials are not encrypted for network transmission, but
are sent over the network in plaintext, using basic authentication over an unsecured HTTP
connection is not recommended. To use basic authentication, you should enable Secure Sockets
Layer (SSL) encryption.
Digest authentication provides the same functionality as basic authentication, but with increased
security. User credentials are encrypted instead of being sent over the network in plaintext. User
credentials are sent as an MD5 message digest in which the original user name and password
cannot be deciphered. Digest authentication uses a challenge/response protocol that requires the
authentication requestor to present valid credentials in response to a challenge from the server.
To authenticate against the server, the client has to supply an MD5 message digest in a response
that contains a shared secret password string. The MD5 Message-Digest Algorithm is described
in detail in RFC 1321. For access to RFC 1321, see http://www.ietf.org.
To use digest authentication, note the following requirements:
 The user and IIS server must be members of, or trusted by, the same domain.
 Users must have a valid Windows user account stored in Active Directory on the domain
controller.
 The domain must use a Microsoft Windows Server 2003 domain controller.
 You must install the IISSuba.dll file on the domain controller. This file is copied automatically
during Windows Server 2003 Setup.
 You must install Windows Server 2003 with SP2 or later. Windows SharePoint Services 3.0
does not support digest authentication on Windows Server 2003 with SP1 or earlier.
 To enable digest authentication to work with browsers other than Microsoft Internet Explorer
6.0 or Internet Explorer 7.0, you must install the IIS hotfix described in Knowledge Base
article 932729. For information about this hotfix, see FIX: Error message when you try to
access a Web site that is hosted on IIS 6.0: Access Denied
144
Enable digest authentication for a zone of a Web
application
Use the following procedures to enable digest authentication for a zone of a Web application.
Within each Web application, you can categorize different classes of users into one of the
following five zones:
 Internet is the zone used for customers.
 Intranet is the zone used for internal employees.
 Default is the zone used for remote employees.
 Custom is the zone used for administrators.
 Extranet is the zone used for partners.
Enable digest authentication for a zone of a Web application

1. From Administrative Tools, open the SharePoint Central Administration Web site
application.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the Application Security section, click
Authentication providers.
4. On the Authentication Providers page, make sure the Web application that is listed in the
Web Application box (under Site Actions) is the one that you want to configure. If the
listed Web application is not the one that you want to configure, click the drop-down
arrow to the right of the Web Application drop-down list box and select Change Web
Application.
5. In the Select Web Application dialog box, click the Web application that you want to
configure.
6. On the Authentication Providers page, click the zone of the Web application on which you
want to enable digest authentication. The zones that are configured for the selected Web
application are listed on the Authentication Providers page.
7. On the Edit Authentication page, in the IIS Authentication section, clear the Integrated
Windows authentication and Basic authentication check boxes, and then click Save.
At this point use the IIS Management Console to configure IIS to enable digest authentication.
Configure IIS to enable digest authentication

Use the following procedures to configure IIS to enable digest authentication.
Configure IIS to enable digest authentication

1. From Administrative Tools on the Start menu, click Internet Information Services to
start the IIS Management Console.
2. Under the Web Sites node on the console tree, right-click the IIS Web site that
145
corresponds to the Web application zone on which you want to configure digest
authentication, and then click Properties.
3. On the Web Site Properties page, click the Directory Security tab.
4. In the Anonymous access and authentication control section, click the Edit button.
5. In the Authenticated access section of the Authentication Methods dialog box, select
Digest authentication for Windows domain servers. A dialog box is displayed
informing you that digest authentication only works with Active Directory domain
accounts, and asking you if you want to continue. Click Yes.
6. In the Realm section of the of the Authentication Methods dialog box, click the Select
button.
7. Select the appropriate realm and click OK. On the other open dialog boxes, click OK.
At this point, your Web site is configured to use digest authentication.
146
Configure forms-based authentication
In this article:
 About forms-based authentication
 Configure forms-based authentication across multiple zones
Windows SharePoint Services 3.0 authentication is performed by an authentication mechanism
that is supported by one of the available authentication providers. Providers are modules that
contain the code necessary to authenticate the credentials of a requestor Authentication for
Windows SharePoint Services 3.0 is built on the ASP.NET authentication model and includes
three authentication providers:
 Windows authentication provider
 Forms-based authentication provider
 Web Single Sign-On (SSO) authentication provider
In addition, ASP.NET supports the use of pluggable authentication providers, which means that
you can write an authentication provider to support any credential store that you want to use.
About forms-based authentication

The forms-based authentication provider supports authentication against credentials stored in
Active Directory, in a database such as a SQL Server database, or in a Lightweight Directory
Access Protocol (LDAP) data store such as Novell eDirectory, Novell Directory Services (NDS),
or Sun ONE. Forms-based authentication enables user authentication based on validation of
credential input from a logon form. Unauthenticated requests are redirected to a logon page,
where the user must provide valid credentials and submit the form. If the request can be
authenticated, the system issues a cookie that contains a key for reestablishing the identity for
subsequent requests.
The forms-based authentication provider supports authentication against credentials stored in
 The Active Directory directory service
 A database
 An LDAP data store
To enable forms-based authentication for a Windows SharePoint Services 3.0 Web site and add
users to the user account database, perform the following procedures.
Create a new site

1. On the home page of the SharePoint Central Administration Web site, click Application
Management.
Management section, click Create or extend Web application.
147
3. On the Create or Extend Web Application page, click Create a new Web application.
4. On the Create New Web Application page, in the Security Configuration section, make
sure NTLM is selected under Authentication provider. Also, select Yes under Allow
Anonymous.
5. Use the default entries to complete the new Web application creation procedure and click
OK.
At this point, you have created a new site placeholder. Use the following procedure to create a
site collection.

1. On the top link bar, click Application Management.
3. On the Create Site Collection page, in the Web Application section, verify that the Web
application in which you want to create the site collection is selected.
If it is not, click Change Web Application on the Web Application menu. Then, on the
Select Web Application page, click the Web application in which you want to create the
site collection.
4. In the Title and Description section, type the title and description for the site collection.
5. In the Web Site Address section, under URL, select the path to use for your URL.
Note:
If you select a wildcard inclusion path, you must also type the site name to use in
the URL of your site. The paths available for the URL option are taken from the
list of managed paths that have been defined as wildcard inclusions.
6. In the Template Selection section, in the Select a template list, select the template that
you want to use for the top-level site in the site collection.
7. In the Primary Site Collection Administrator section, enter the user name (in the form
domain\username) for the user who will be the site collection administrator.
8. If you want to identify a user as the secondary owner of the new top-level Web site
(recommended), in the Secondary Site Collection Administrator section, enter the
user name for the secondary administrator of the site collection.
9. If you are using quotas to limit resource use for site collections, in the Quota Template
section, click a template in the Select a quota template list.
10. Click OK.
At this point, you have created a site collection. Use the following procedure to configure a forms-
based authentication provider.
Configure a forms-based authentication provider

1. On the home page of the SharePoint Central Administration Web site, click Application
148
Management.
Management section, click Web application list.
3. On the Web Application List page, double-click the new Web application that you created
in the previous procedure.
5. On the Authentication Providers page, click the zone name for the authentication provider
whose settings you want to configure.
6. On the Edit Authentication page, in the Authentication Type section, select Forms.
If you need to explicitly grant anonymous access to a site collection, in the Anonymous
Access section, select the Enable anonymous access check box for all sites within the
Web application. To disable anonymous access for all sites within the Web application,
clear the Enable anonymous access check box.
Note:
If you enable anonymous access here, anonymous access can still be denied at
the site collection level or at the site level. However, if you disable anonymous
access here, it is disabled at all levels within the Web application.
7. In the Membership Provider Name section, in the Membership provider name box,
type the name of the membership provider that you want to use.
Note:
If the Web application is going to support forms-based authentication, the
membership provider must be correctly configured in the Web.config file for the
IIS Web application that hosts SharePoint content on each Web server. The
membership provider must also be added to the Web.config file for the IIS Web
application that hosts Central Administration.
8. In the Client Integration section, under Enable Client Integration, make sure No is
selected, and then click Save.
 If you select Yes, features that start client applications according to document types
will be enabled. This option will not work correctly with some types of forms-based
authentication.
 If you select No, features that start client applications according to document types
will be disabled. Users will have to download documents and then upload them after
they make changes.
Notes
For forms-based authentication, client integration is disabled by default. When client
integration is disabled, links to client applications are not visible and documents cannot be
opened in client applications; documents can only be opened in a Web browser. However,
users can download documents, edit them in client applications locally, and then upload them
to the site.
149
Client integration is disabled by default when you use forms-based authentication. This is
because client integration does not natively support forms-based authentication. You might
be able to use many client integration features with forms-based authentication, and there are
workarounds available to implement varying levels of client integration functionality with
forms-based authentication. However, if published workarounds are inadequate, or if you find
unexpected issues using workarounds, we do not provide support and there are no product
changes to address these issues. If you plan to use client integration with forms-based
authentication, you must fully test any available solutions or workarounds to determine if the
performance and functionality are acceptable in your environment.
Product Support can provide commercially reasonable support to help you troubleshoot
published workarounds.
After a user provides credentials, the system issues a cookie that identifies the user. On
subsequent requests, the system first checks the cookie to see whether the user has already
been authenticated, so the user does not have to supply credentials again.
If the user has not selected the Remember me? box on the logon page, the credential
information is not cached on the client computer, and is valid only during the current session. This
is especially important in a scenario where users are connecting from public computers or kiosks,
where you would not want user credentials to be cached. Users are required to reauthenticate if
they close the browser, log off from a session, or navigate to another Web site. Also, you can
configure a maximum idle session time-out value to force reauthentication if a user is idle for a
prolonged period of time during a session.
Configure forms-based authentication across

multiple zones
Implementing forms-based authentication can interfere with search functionality. To enable
search across content authenticated using a custom authentication mechanism, you must have
the Default zone configured to support NTLM authentication. The Windows SharePoint Services
3.0 crawler polls zones in the following order:
 Default zone
 Intranet zone
 Internet zone
 Custom zone
 Extranet zone
Note:
If you use forms-based authentication and the Windows SharePoint Services 3.0 crawler
polls a zone that is configured to support Kerberos authentication, the Windows
SharePoint Services 3.0 crawler will fail.
Windows SharePoint Services 3.0 does not allow a Web application to work with the same
provider name across multiple zones. You can configure the Web.config file to use the same
provider for each zone; however, the name of the provider has to be unique for each zone.
150
For additional information on authentication mechanisms and samples for configuring forms-
based authentication with multiple providers, see Plan for authentication
151
Configure Web SSO authentication by using
ADFS
In this article:
 About federated authentication systems
 Before you begin
 Configuring your extranet Web application to use Web SSO authentication
 Allowing users access to your extranet Web site
 Working with the People Picker
 Working with E-mail and UPN claims
 Working with groups and organizational claims
About federated authentication systems

Windows SharePoint Services 3.0 provides support for federated authentication scenarios where
the authentication system is not local to the computer that hosts Windows SharePoint Services
3.0. Federated authentication systems are also known as Web single sign-on (SSO) systems.
With Active Directory Federation Services (ADFS), people in one company can access servers
hosted by a different company by using their existing Active Directory accounts. ADFS also
establishes a trust relationship between the two companies and a seamless one-time logon
experience for end users. ADFS relies on 302 redirects to authenticate end users. Users are
issued an authentication token (cookie) after they are authenticated.
Before you begin

Before you use ADFS to configure Web SSO authentication for your extranet Web application,
you should become familiar with the following resources:
 Microsoft SharePoint Products and Technologies Team Blog entry about configuring multiple
authentication providers (http://blogs.msdn.com/sharepoint/archive/2006/08/16/configuring-
multiple-authentication-providers-for-sharepoint-2007.aspx).
 Step-by-Step Guide for Active Directory Federation Services
(http://www.microsoft.com/downloads/thankyou.aspx?familyId=062F7382-A82F-4428-9BBD-
A103B9F27654&displayLang=en). The server names and examples used in this article are
based on this step-by-step guide, which describes setting up ADFS in a small lab
environment. In this environment, a new server named Trey-SharePoint is joined to the Trey
Research forest. Follow the steps in the step-by-step guide to configure your ADFS
infrastructure. However, because this article describes how to configure Windows SharePoint
Services 3.0 in a claims-aware application mode, you do not have to implement all the steps
152
for building Windows NT token agent applications that are described in the step-by-step
guide.
Note:
When you use the People Picker to add users to Windows SharePoint Services 3.0,
Windows SharePoint Services 3.0 validates the users against the provider, which in this
example is ADFS. Therefore, you should configure the Federation Server before you
configure Windows SharePoint Services 3.0.
Important:
The setup process has been captured in a VBScript file that you can use to configure
Windows SharePoint Services 3.0 to use ADFS for authentication. This script file is
contained in the file (SetupSharePointADFS.zip) and is available on the Microsoft
SharePoint Products and Technologies blog, listed in the Attachments section. For more
information, see the blog page A script to configure SharePoint to use ADFS for
authentication (http://go.microsoft.com/fwlink/?LinkId=113894&clcid=0x409).
Configuring your extranet Web application to use

Web SSO authentication
1. Install the Web Agent for Claims Aware Applications.
2. Download and install the hot fix for ADFS described in The role provider and the membership
provider cannot be called from Windows SharePoint Services 3.0 on a Windows Server 2003
R2-based computer that is running ADFS and Microsoft Windows SharePoint Services 3.0
(http://support.microsoft.com/kb/920764/en-us). This hot fix will be included in Windows
Server 2003 Service Pack 2 (SP2).
3. Install Windows SharePoint Services 3.0, configure all the services and servers in the farm,
and then create a new Web application. By default, this Web application will be configured to
use Windows authentication, and it will be the entry point through which your intranet users
will access the site. In the example used in this article, the site is named http://trey-moss.
4. Extend the Web application that you created in step 2 in another zone. On the Application
Management page in the SharePoint Central Administration Web site, click Create or Extend
Web Application, click Extend an existing Web Application, and then do the following:
a. Add a host header. This is the DNS name by which the site will be known to users in the
extranet. In this example, the name is extranet.treyresearch.net.
b. Change the zone to Extranet.
c. Give the site a host header name that you will configure in DNS for your extranet users to
resolve against.
d. Click Use Secure Sockets Layer (SSL), and change the port number to 443. ADFS
requires that sites be configured to use SSL.
153
e. In the Load Balanced URL box, delete the text string :443. Internet Information Services
(IIS) will automatically use port 443 because you specified the port number in the
previous step.
f. Complete the rest of the steps on the page to finish extending the Web application.
5. On the Alternate Access Mappings (AAM) page, verify that the URLs resemble the following
table.
Internal URL Zone Public URL for Zone
http://trey-moss Default http://trey-moss
https://extranet.treyresearch.net Extranet https://extranet.treyresearch.net
6. Add an SSL certificate to the Extranet Web Site in IIS. Make sure that this SSL certificate is
issued to extranet.treyresearch.net, because this is the name that clients will use when they
access the sites.
7. Configure the Authentication provider for the extranet zone on your Web application to use
Web SSO by doing the following:
a. On the Application Management page of your farm’s Central Administration site, click
Authentication Providers.
b. Click Change in the upper-right corner of the page, and then select the Web application
on which you want to enable Web SSO.
c. In the list of two zones that are mapped for this Web application (both of which should
say Windows), click the Windows link for the Extranet zone.
d. In the Authentication Type section, click Web Single Sign On.
e. In the Membership provider name box, type
SingleSignOnMembershipProvider2
Make a note of this value; you will be adding it to the name element of the <membership>
section in the web.config files that you will edit later in this procedure.
f. In the Role manager name box, type
SingleSignOnRoleProvider2
Make a note of this value; you will be adding it to the name element of the
<roleManager> section in the web.config files you will edit later in this procedure.
g. Make sure the Enable Client Integration setting is set to No.
h. Click Save.
Your extranet Web application is now configured to use Web SSO. However, at this point, the site
will be inaccessible because no one has permissions to it. The next step is to assign permissions
to users so that they can access this site.
154
Note:
After selecting WebSSO as the Authentication Provider, Anonymous Authentication will
be automatically enabled for the SharePoint site in IIS (no user action is required). This
setting is required for the site to allow access using only claims.
Allowing users access to your extranet Web site

1. Use a text editor to open the web.config file for the Web site on the default zone that is using
Windows authentication.
2. Add the following entry anywhere in the <system.web> node.
<membership>
<providers>
<add name="SingleSignOnMembershipProvider2"
type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvide
r2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://fs-
server/adfs/fs/federationserverservice.asmx" />
</providers>
</membership>
<roleManager enabled="true"
defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<remove name="AspNetSqlRoleProvider" />
<add name="SingleSignOnRoleProvider2"
type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2,
System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
</providers>
</roleManager>
3. Change the value for fs-server to reflect your resource Federation Server
(adfsresource.treyresearch.net). Ensure that you entered the correct membership provider
and the role manager names on the Central Administration Authentication Providers page.
When this entry is added to web.config, the People Picker on the default zone site that is
using Windows authentication is able to know about the ADFS providers and, therefore, can
resolve the ADFS claims. This enables you to grant permissions to the ADFS claims on your
Web site.
4. Grant ADFS claims access to the site by doing the following:
155
a. Navigate to the Web site on the default zone that uses Windows authentication as an
administrator of the site.
b. Click the Site Actions menu, point to Site Settings, and then click Advanced
Permissions.
c. Click New, and then click Add Users.
d. To add a user claim, specify their e-mail address or User Principal Name in the
Users/Groups section. If both UPN and e-mail claims are sent from the federation
server, then SharePoint will use UPN to verify against the MembershipProvider.
Therefore, if you want to use e-mail, you will have to disable the UPN claim in your
federation server. See “Working with UPN and e-mail Claims” for more information.
e. To add a group claim, type the name of the claim you want the SharePoint site to use in
the Users/Groups section. For example, create an organizational group claim named
Adatum Contributers on the Federation Server. Add the claim name Adatum
Contributers to the Sharepoint site as you would a Windows user or group. You can
assign this claim Home Members [Contribute], and then any user who accesses the
SharePoint site by using this group claim will have Contributor access to the site.
f. Select the appropriate permission level or SharePoint group.
g. Click OK.
5. Use the text editor of your choice to open the web.config file for the extranet site, and add the
following entry in the <configSections> node.
<sectionGroup name="system.web">
<section name="websso"
type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler,
System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35, Custom=null" />
</sectionGroup>
6. Add the following entry to the <httpModules> node
<add name="Identity Federation Services Application Authentication
Module"
type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule,
System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35, Custom=null" />
Note:
The ADFS authentication module should always be specified after the Sharepoint
SPRequest module in the <httpModules> node of the web.config file. It is safest to
add it as the last entry in that section.
7. Add the following entry anywhere under the <system.web> node.
<membership defaultProvider="SingleSignOnMembershipProvider2">
<providers>
156
Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</providers>
</membership>
defaultProvider="SingleSignOnRoleProvider2">
<providers>
Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</providers>
</roleManager>
<websso>
<authenticationrequired />
<auditlevel>55</auditlevel>
<urls>
<returnurl>https://your_application</returnurl>
</urls>
<fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs>
<isSharePoint />
</websso>
Note:
Change the value for fs-server to your Federation Server computer, and change the
value of your_application to reflect the URL of your extranet Web application.
8. Browse to the https://extranet.treyresearch.net Web site as an ADFS user who has
permissions to the extranet web site.
About using Central Administration

You can also use Central Adminstration policy to grant rights to ADFS users, but it is best not to
use that method for the following reasons:
 Granting rights by policy is a very coarse operation. It allows the user (or group) to have the
same set of rights in every Web site, in every site collection on the whole Web application. It
157
should be used very judiciously; in this particular scenario, we can grant access to ADFS
users without using this method.
 After the sites are being used in an extranet environment, it is very likely that the internal
users will be responsible for granting access to sites and content. Because only the farm
administrators have access to the Central Administration site, it makes the most sense that
internal users can add ADFS claims from the default zone site that is using Windows
authentication.
 As you extend Web applications by using different providers, you can configure one or more
of them to be able to find users and groups from various providers that you are using on that
Web application. In this scenario, we configured our site that uses Windows authentication in
a way that allows users of that site to select other Windows users, Windows groups, and
ADFS claims, all from one site.
Working with the People Picker

The People Picker cannot perform wildcard searches for searching roles. If you have a Web SSO
Role provider role named Readers, and you type Read in the People Picker search dialog box, it
will not find your claim. If you type Readers, it will. This is not a bug, you just cannot perform
wildcard searching by using the Role provider.
Command-line executable files like stsadm.exe will not be able to resolve the ADFS claims by
default. For example, you might want to add a new user to the extranet site by using the
stsadm.exe –o adduser command. To enable Stsadm (or other executable file) to resolve users,
create a new config file by doing the following:
 Create a new file named stsadm.exe.config in the same directory where stsadm.exe is
located (%programfiles%\Common Files\Microsoft Shared Debug\Web Server
Extensions\12\BIN). Add the following entry in the stsadm.exe.config file:
<configuration>
<system.web>
<membership defaultProvider="SingleSignOnMembershipProvider2">
<providers>
</providers>
</membership>
defaultProvider="SingleSignOnRoleProvider2">
<providers>
158
</providers>
</roleManager>
</system.web>
</configuration>
Note:
Change the value of fs-server to your resource Federation Server
(adfsresource.treyresearch.net).
Working with E-mail and UPN claims

To configure whether or not the Federation Server is enabled to send e-mail or UPN claims to
Windows SharePoint Services 3.0, perform the following procedure.
Configure E-mail and UPN claims on a Federation Server

1. From Administrative Tools on your Federation Server, open the ADFS snap-in.
Note:
You can also open the ADFS snap-in by typing ADFS.MSC in the Run dialog
box.
2. Select your Windows SharePoint Services 3.0 application node (your application should
already be added to the list of nodes).
3. In the claims list on the right, right-click E-mail, and select Enable or Disable.
4. In the claims list on the right, right-click UPN, and select Enable or Disable.
Note:
If both UPN and E-mail are enabled, Office SharePoint Server 2007 will use UPN
to perform user claim verification. Therefore, when configuring the Office
SharePoint Server 2007, be careful about which user claim you enter. Also note
that the UPN claim will only work consistently if the UPN suffixes and the e-mail
suffixes that are accepted by the Federation Server are identical. This is because
the membership provider is e-mail based. Because of this complexity in
configuring UPN claims, e-mail is the recommended user claim setting for
membership authentication.
159
Working with groups and organizational group
claims
In Windows SharePoint Services 3.0, rights can be assigned to Active Directory groups by adding
them to a SharePoint group or directly to a permission level . The level of permissions a given
user has on a site is calculated based on the Active Directory groups the user is a member of, the
SharePoint groups the user belongs to, and any permission levels that the user has been
directlyadded to.
When you use ADFS as a role provider in Windows SharePoint Services 3.0, the process is
different. There is no way for the Web SSO provider to directly resolve an Active Directory group;
instead, it resolves membership by using organizational group claims. When you use ADFS with
Windows SharePoint Services 3.0, you must create a set of organizational group claims in ADFS.
You can then associate multiple Active Directory groups with an ADFS organizational group
claim.
For group claims to work with the latest version of ADFS, you need to edit the web.config file for
the ADFS application in IIS on your ADFS server.
Open the web.config file and add <getGroupClaims /> to the
<FederationServerConfiguration> node inside the <System.Web> node, as shown in the
following example.
<configuration>
<system.web>
<FederationServerConfiguration>
<getGroupClaims />
</FederationServerConfiguration>
</system.web>
</configuration>
In the Adatum (Account Forest), do the following:
1. Create an Active Directory group named Trey SharePoint Readers.
2. Create an Active Directory group named Trey SharePoint Contributors.
3. Add Alansh to the Readers group and Adamcar to the Contributors group.
4. Create an organizational group claim named Trey SharePoint Readers.
5. Create an organizational group claim named Trey SharePoint Contributors.
6. Right-click the Active Directory account store, and then click New Group Claim Extraction.
a. Select the Trey SharePoint Readers organizational group claim, and then associate it
with the Trey SharePoint Readers Active Directory group.
b. Repeat step 6, and then associate the Trey SharePoint Contributors group claim with the
Trey SharePoint Contributors Active Directory group.
7. Right-click the Trey Research Account Partner, and then create the outgoing claim mappings:
160
a. Select the Trey SharePoint Reader claim, and then map to outgoing claim adatum-trey-
readers.
b. Select the Trey SharePoint Contributor claim, and then map to outgoing claim adatum-
trey-contributors.
Note:
The claim mapping names must be agreed on between the organizations, and they must
match exactly.
On the Trey Research side, start ADFS.MSC, and then do the following:
1. Create an organizational group claim named Adatum SharePoint Readers.
2. Create an organizational group claim named Adatum SharePoint Contributors.
3. Create incoming group mappings for your claims:
a. Right-click the Adatum account partner, and then click Incoming Group Claim Mapping.
b. Select Adatum SharePoint Readers, and then map it to the incoming claim name
adatum-trey-readers.
c. Select Adatum SharePoint Contributors, and then map it to the incoming claim name
adatum-trey-contributors.
4. Right-click the Windows SharePoint Services 3.0 Web application, and then click Enable on
both the Reader and Contributor claims.
Browse to the http://trey-moss site on the Trey Research side as the site administrator, and then
do the following:
1. Click the Site Actions menu, point to Site Settings, and then click People and Groups.
2. If it is not already selected, click the Members group for your site.
3. Click New, and then click Add Users on the toolbar.
4. Click the address book icon next to the Users/Groups box.
5. In the Find box in the People Picker dialog box, type
Adatum SharePoint Readers
In the Give Permission section, select SharePoint group home Visitors [Readers].
6. In the Find box, type
Adatum SharePoint Contributors
In the Give Permission section, select SharePoint group home Members [Contribute].
161
Configure anonymous access
In this article:
 About anonymous access
 Enable anonymous access for a zone
 Enable anonymous access for individual sites
 Enable anonymous access for individual lists
Anonymous access enables users to find resources in the public areas of Web sites without
having to provide authentication credentials.
About anonymous access

Internet Information Services (IIS) creates the IUSR_computername account to authenticate
anonymous users in response to a request for Web content. The IUSR_computername account,
where computername is the name of the server that is running IIS, gives the user access to
resources anonymously under the context of the IUSR account. You can reset anonymous user
access to use any valid Windows account.
Note
You can set up different anonymous accounts for different Web sites, virtual or physical
directories, and files.
In a stand-alone environment, the IUSR_computername account is on the local server. If the
server is a domain controller, the IUSR_computername account is defined for the domain.
By default, anonymous access is disabled by Windows SharePoint Services 3.0 when you create
a new Web application. This provides an additional layer of security because IIS rejects
anonymous access requests before they can ever be processed by Windows SharePoint
Services 3.0 if anonymous access is disabled.
Enable anonymous access for a zone

Use the following procedures to enable anonymous access for a zone of a Web application.
Within each Web application, you can categorize different classes of users into one of the
following five zones:
 Internet is the zone used for customers. Typically, the Internet zone is the only zone you
would configure for anonymous access.
 Intranet is the zone used for internal employees.
 Default is the zone used for remote employees.
 Custom is the zone used for administrators.
 Extranet is the zone used for partners.
162
Important:
Membership in the Farm Administrators SharePoint group is the minimum required to
Enable anonymous access for a zone of a Web application

1. From Administrative Tools, open the SharePoint Central Administration Web site
application.
4. On the Authentication Providers page, make sure the Web application that is listed in the
Web Application box (under Site Actions) is the one that you want to configure. If the
listed Web application is not the one that you want to configure, click the drop-down
arrow to the right of the Web Application drop-down list box and select Change Web
Application.
5. In the Select Web Application dialog box, click the Web application that you want to
configure.
6. On the Authentication Providers page, click the zone of the Web application on which you
want to enable anonymous access. The zones that are configured for the selected Web
application are listed on the Authentication Providers page.
7. On the Edit Authentication page, in the Anonymous Access section, select Enable
Anonymous Access, and then click Save.
At this point, the Web application zone has been enabled for anonymous access.
Enable anonymous access for individual sites

Now you need to enable anonymous access for individual sites in the site collection.
Enable anonymous access for individual sites

1. Go to the site on which you want to enable anonymous access and click the Site Actions
menu.
2. On the Site Actions menu, click Site Settings.
3. On the Site Settings page, in the Users and Permissions section, click Advanced
Permissions.
4. On the Permissions page, on the Settings menu, click Anonymous Access. The
settings for anonymous access lists three options:
 Entire Web site Select this option if you want to enable anonymous access for the
entire Web site.
 Lists and libraries Select this option if you want to limit anonymous access to only
the lists and libraries on your site.
163
 Nothing Select this option if you want to prevent anonymous access from being
used on your site.
5. Click OK.
At this point, your site is configured for anonymous access based on the options that you have
selected.
Enable anonymous access for individual lists

If you select Lists and libraries, enable anonymous access for individual lists.
Enable anonymous access for individual lists

1. Go to the home page of your Web site and, in the left navigation pane, click View All Site
Content.
2. Click the list on which you want to enable anonymous access.
3. On the Settings menu, click List Settings.
4. On the Customize List page, in the Permissions and Management section, click
Permissions for this list.
5. On the Permissions page, on the Actions menu, click Edit Permissions. A dialog box is
displayed informing you that you are about to create unique permissions for this list. Click
OK.
6. On the Settings menu, click Anonymous Access.
7. Select permissions for users who have anonymous access to the list, and then click OK.
At this point, users have anonymous access to the list you have configured. You can control
whether users have anonymous access to other lists, the home page, or other pages on this site.
164
SQL Server Reporting Services integration
with SharePoint Products and Technologies:
white paper
Windows SharePoint Services 3.0 includes functionality to create and manage reports. However,
when you integrate Windows SharePoint Services 3.0 with Microsoft SQL Server 2005 Service
Pack 2 (SP2) database software, you can use SQL Server 2005 Reporting Services (SSRS) to
create richer reporting experiences. For example, an end user can view and manage SSRS
reports completely from within a Windows SharePoint Services environment.
The following white papers are available to help you understand how SSRS and the SharePoint
Products and Technologies can be integrated to provide additional business intelligence
capabilities:
 2007 Microsoft Office System Business Intelligence Integration
(http://go.microsoft.com/fwlink/?LinkId=98657) Provides an overview of integrating SQL
Server 2005 with the business intelligence features available in the SharePoint Products and
Technologies.
 Microsoft SQL Server Reporting Services (SSRS) Installation/Configuration Guide for
SharePoint Integration Mode (http://go.microsoft.com/fwlink/?LinkId=98664) Provides
detailed information about configuring SSRS in SharePoint Integration Mode.
165
C. Deploy and configure SharePoint sites
166
Chapter overview: Deploy and configure
SharePoint sites
After you have installed Windows SharePoint Services 3.0 and performed the other configuration
tasks for your servers, you are ready to begin creating SharePoint sites.
In this chapter:
 Create or extend Web applications SharePoint sites are hosted by Web applications, so you
must create one or more Web applications before you can create any sites. This article
covers how to create a Web application, or how to extend a Web application to host the same
content as another Web application.
 Create zones for Web applications Each Web application can have as many as five zones,
and each zone can have a different authentication method. A default zone is automatically
created when you create a Web application. This article helps you configure any additional
zones you need.
 Create quota templates Quota templates enable you to set a limit on how large a site
collection can become. This article helps you configure the quota templates you want to use
for any site collections you create.
 Configure alternate access mapping Alternate access mapping enables you to assign
different URLs to the same site (for example, you can configure access via the HTTP protocol
for internal users and via the HTTPS protocol for external users). Alternate access mapping
settings are configured per zone at the Web application level. Although the settings can be
configured at any time, it is useful to configure alternate access mapping before you create
your SharePoint sites. This article helps you configure alternate access mapping for a Web
application.
 Create site collections After you have configured the settings that the previous articles
describe, you can create a site collection. This article helps you create a site collection from
Central Administration and assign primary and secondary owners. If you want to allow users
to create their own sites, you need to configure Self-Service Site Management for the Web
application. For more information about choosing a method to use for site creation, see Plan
process for creating sites [Windows SharePoint Services].
 Prepare to crawl host-named sites that use forms authentication If you are using host-named
sites with forms authentication, you need to configure additional settings for search. This
article helps you configure host-named sites for search crawls.
 Prepare to crawl host-named sites that use Basic authentication If you are using host-named
sites with Basic authentication, you need to configure additional settings for search. This
article helps you configure host-named sites for search crawls.
 Add site content After you have created your site collection, you can begin adding site
content. This article provides links to information that can help you add content to your sites.
167
 Enable access for end users After you have created your site, you can add users and grant
them access to the site. This article helps you add users to a site collection.
168
Create or extend Web applications
application is comprised of an Internet Information Services (IIS) site with a unique application
In this article:
 Create a new Web application
 Extend an existing Web application

application.
drop-down menu.
port number.
169
Web application.
NTLM.
Note:
Note:
must enable anonymous access for the entire Web application. Then later,
site owners can configure how anonymous access is used within their sites.
For more information about anonymous access, see Choose which security
SSL certificate.
Important:
changed from this page. To change the zone for a Web application, see Extend an
existing Web application later in this article.
170
Password box.
servers and then run iisreset /noforce on each Web server. The new IIS site is not
Item Action
Database Server Type the name of the database server and Microsoft
SQL Server instance you want to use in the format
<SERVERNAME\instance>.You can also use the
default entry.
Database Name Type the name of the database, or use the default
entry.
Database Authentication Choose whether to use Windows authentication

(recommended) or SQL authentication.
 If you want to use Windows authentication,
leave this option selected.
 If you want to use SQL authentication,
select SQL authentication. In the Account
box, type the name of the account you want
the Web application to use to authenticate
to the SQL Server database, and then type
the password in the Password box.
171
Extend an existing Web application
You can extend an existing Web application if you need to have separate IIS Web sites that
expose the same content to users. This is typically used for extranet deployments where different
users access content by using different domains. This option reuses the content database from
an existing Web application.
Extend an existing Web application

application.
Application section, click Extend an existing Web application.
3. On the Extend Web Application to Another IIS Web Site page, in the Web Application
section, click the Web application link and then click Change Web application.
4. On the Select Web Application page, click the Web application you want to extend.
5. On the Extend Web Application to Another IIS Web Site page, in the IIS Web Site
section, you can select Use an existing IIS Web site to use a Web site that has already
been created, or you can choose to leave Create a new IIS Web site selected. The
Description, Port, and Path boxes are populated for either choice. You can choose to
use the default entries or type the information you want in the boxes.
6. In the Security Configuration section, configure authentication and encryption for the
extended Web application.
NTLM.
Note:
Note:
must enable anonymous access for the entire Web application. Then later,
site owners can configure how anonymous access is used within their sites.
For more information about anonymous access, see Choose which security
172
SSL certificate.
Important:
on pages within the Web application. By default, the text box is populated with the current
8. In the Load Balanced URL section, under Zone, select the zone for the extended Web
application from the drop-down menu. You can choose Intranet, Internet, Custom, or
Extranet.
9. Click OK to extend the Web application, or click Cancel to cancel the process and return
to the Application Management page.
Extendvs.
173
Configure alternate access mapping
Each Web application can be associated with a collection of mappings between internal and
public URLs. Both internal and public URLs consist of the protocol and domain portion of the full
URL (for example, https://www.fabrikam.com). A public URL is what users type to get to the
SharePoint site, and that URL is what appears in the links on the pages. Internal URLs are in the
URL requests that are sent to the SharePoint site. Many internal URLs can be associated with a
single public URL in multi-server farms (for example, when a load balancer routes requests to
specific IP addresses to various servers in the load-balancing cluster).
Each Web application supports five collections of mappings per URL; the five collections
correspond to five zones (default, intranet, extranet, Internet, and custom). When the Web
application receives a request for an internal URL in a particular zone, links on the pages
returned to the user have the public URL for that zone. For more information, see Plan alternate
access mappings (http://technet.microsoft.com/en-us/library/cc288609.aspx).
Manage alternate access mappings

2. On the Operations page, in the Global Configuration section, click Alternate access
mappings.
Add an internal URL

1. On the Alternate Access Mappings page, click Add Internal URLs.
2. If the mapping collection that you want to modify is not specified, then choose one. In the
Alternate Access Mapping Collection section, click Change alternate access mapping
collection on the Alternate Access Mapping Collection menu.
3. On the Select an Alternate Access Mapping Collection page, click a mapping collection.
4. In the Add internal URL section, in the URL protocol, host and port box, type the new
internal URL (for example, https://www.fabrikam.com).
5. In the Zone list, click the zone for the internal URL.
6. Click Save.
For information about how to perform this procedure using the Stsadm command-line tool,
see Addalternatedomain: Stsadm operations (http://technet.microsoft.com/en-
Edit or delete an internal URL

Note:
You cannot delete the last internal URL for the default zone.
174
1. On the Alternate Access Mappings page, click the internal URL that you want to edit or
delete.
2. In the Edit internal URL section, modify the URL in the URL protocol, host and port box.
3. In the Zone list, click the zone for the internal URL.
4. Do one of the following:
 Click Save to save your changes.
 Click Cancel to discard your changes and return to the Alternate Access Mappings page.
5. Click Delete to delete the internal URL.
For information about how to perform this procedure using the Stsadm command-line tool,
see Deletealternatedomain: Stsadm operation (http://technet.microsoft.com/en-
Edit public URLs

Note:
There must always be a public URL for the default zone.
1. On the Alternate Access Mappings page, click Edit Public URLs.
2. If the mapping collection that you want to modify is not specified, then choose one. In the
Alternate Access Mapping Collection section, click Change alternate access mapping
collection on the Alternate Access Mapping Collection menu.
3. On the Select an Alternate Access Mapping Collection page, click a mapping collection.
4. In the Public URLs section, you may add new URLs or edit existing URLs in any of the
following text boxes:
 Default
 Intranet
 Extranet
 Internet
 Custom
5. Click Save.
Map to an external resource

You can also define mappings for resources outside internal Web applications. To do so, you
must supply a unique name, initial URL, and a zone for that URL. (The URL must be unique to
the farm.)
1. On the Alternate Access Mappings page, click Map to External Resource.
2. On the Create External Resource Mapping page, in the Resource Name box, type a unique
name.
3. In the URL protocol, host and port box, type the initial URL.
175
4. Click Save.
176
Create zones for Web applications
If your solution architecture includes Web applications with more than one zone, use the
guidance in this article to create additional zones.
Create a new zone

You can create a new zone by extending an existing Web application. Follow the "Extend an
existing Web application" procedure in Create or extend Web applications to create a new zone.
The new zone is created when you select a zone in step 8 of the procedure and extend the Web
application.
Refer to your planning architecture documents and worksheets to determine which zones you
need to create and what authentication method should be associated with each zone.
You can change the authentication provider for a zone on the Authentication Providers page. For
more information, see Plan authentication methods (http://technet.microsoft.com/en-
View existing zones

On the Alternate Access Mappings page, you can view the zones that have been created for your
farm.
1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and
then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, click Operations.
3. On the Operations page, in the Global Configuration section, click Alternate access
mappings.
On the Alternate Access Mappings page, each Web application is displayed with its associated
zone.
Enumalternatedomains.
See Also
 Create or extend Web applications
 Configure alternate access mapping
 Plan authentication methods (http://technet.microsoft.com/en-us/library/cc288475.aspx)
177
Create quota templates
In this article:
 Create a new quota template
 Edit an existing quota template
 Delete a quota template
A quota template consists of storage limit values that specify how much data can be stored in a
site collection and the storage size that triggers an e-mail alert to the site collection administrator
when that size is reached. You can create a quota template that can be applied to any site
collection in the farm.
Note:
When you apply a quota template to a site collection, the storage limit applies to the site
collection as a whole. In other words, the storage limit applies to the sum of the content
sizes for the top-level site and all subsites within the site collection.
You can also modify existing quota templates. When a quota template is modified, the new
storage limits you defined in the template will apply to any site collection that uses that quota
template. This allows you to modify storage limits for multiple site collections without having to
change settings for each site collection individually.
Create a new quota template

Create a new quota template
click Quota templates.
4. On the Quota Templates page, in the Template Name section, select Create a new
quota template.
5. Type the name of the new template in the New template name box.
 If you want to base your new template on an existing quota template, click the
Template to start from down arrow and select the desired template from the drop-
down menu.
6. In the Storage Limit Values section, set the values you want to apply to the template.
a. If you want to restrict the amount of data that can be stored, click the Limit site
storage to a maximum of check box and type the storage limit in megabytes into
the text box.
178
b. If you want an e-mail to be sent to the site collection administrator when a certain
storage threshold is reached, click the Send warning E-mail when site storage
reaches check box and type the threshold in megabytes into the text box.
7. Click OK to create the new quota template, or click Cancel to cancel the operation and
Edit an existing quota template

Edit an existing quota template
4. In the Template Name section, click the Template to modify down arrow and select the
template you want to edit from the drop-down menu.
5. In the Storage Limit Values section, set the values you want to apply to the template.
a. If you want to restrict the amount of data that can be stored, click the Limit site
storage to a maximum of check box and type the storage limit in megabytes into
the text box.
b. If you want an e-mail to be sent to the site collection administrator when a certain
storage threshold is reached, click the Send warning E-mail when site storage
reaches check box and type the threshold in megabytes into the text box.
6. Click OK to modify the quota template, or click Cancel to cancel the operation and return
to the Application Management page.
Delete a quota template

Delete a quota template
4. In the Template Name section, click the Template to modify down arrow and select the
template you want to delete from the drop-down menu.
5. Click the Delete button.
6. Click OK on the dialog box that appears to delete the quota template.
179
Create site collections
When you create a site collection, you also create the top-level site within that site collection.
Select the appropriate template for your scenario, such as: team site for a team collaboration
Web site, or Blog for a blog site.

1. On the top navigation bar, click Application Management.
3. On the Create Site Collection page, in the Web Application section, if the Web
application in which you want to create the site collection is not selected, click Change
Web Application on the Web Application menu, and then on the Select Web
Application page, click the Web application in which you want to create the site collection.
4. In the Title and Description section, type the title and description for the site collection.
5. In the Web Site Address section, under URL, select the path to use for your URL (such
as an included path like /sites/ or the root directory, /).
If you select a wildcard inclusion path, such as /sites/, you must also type the site name
to use in your site's URL.
Note:
The paths available for the URL option are taken from the list of managed paths
that have been defined as wildcard inclusions. For more information about
managed paths, see Define managed paths in the Central Administration Help
system.
6. In the Template Selection section, in the Select a template list, select the template that
you want to use for the top-level site in the site collection.
7. In the Primary Site Collection Administrator section, enter the user name (in the form
DOMAIN\username) for the user who will be the site collection administrator.
8. If you want to identify a user as the secondary owner of the new top-level Web site
(recommended), in the Secondary Site Collection Administrator section, enter the
user name for the secondary administrator of the site collection.
9. If you are using quotas to limit resource use for site collections, in the Quota Template
section, click a template in the Select a quota template list.
10. Click OK.
Createsite.
180
Prepare to crawl host-named sites that use
Basic authentication
In this article:
 Solution prerequisites
 High-level solution overview
 Deploy the solution
When configuring a Web application to use host-named sites, Web hosters typically use Basic
authentication for the default zone. The index component of the search server, sometimes called
the crawler, cannot crawl host-named Web sites that are deployed in the usual way for the
following reasons:
 The crawler cannot authenticate using Basic authentication.
 Host-named sites do not enable the index component of the search server to authenticate by
using another zone in the polling order.
For more information about how polling order works with non-host-named sites, see the
“Authentication requirements for crawling content” section in Plan authentication methods
This article describes how to create a solution in Windows SharePoint Services 3.0 so the crawler
can crawl your host-named sites. The components of the solution are to:
 Create two zones for your Web application.
 Direct requests from end-users to the default zone, which is configured for Basic
authentication.
 Direct requests from intranet users and the crawler directly to the Intranet zone, which you
configure for NTLM authentication.
Solution prerequisites
The procedures included in this solution require the following types of administrators:
 Domain Name System (DNS) administrator
 Server administrator
 Farm administrator
Other requirements include:
 Two DNS servers: one Internet-facing DNS server, and one intranet-facing DNS server.
 Two static IP addresses: one from the Internet-facing DNS server, and a different static IP
address from the intranet-facing DNS server. These two IP addresses must be associated
with the same site name.
This solution assumes the following:
181
 A server administrator either configures separate network interface cards (NICs) on all front-
end Web servers in the server farm with both static IP addresses or adds both static IP
addresses to one NIC.
 The search server that you will use for your Web application is running.
 You do not have another Web application using port 80.
Note:
Although it is possible to implement this solution by using a different port (as long as
both zones use the same port), port 80 is typically used so end-users do not see a
port number in the URL of their host-named site.
High-level solution overview

The following figure shows a high-level overview of this solution.
This solution requires two DNS servers. Each DNS server maps the same host name to a
different static IP address. This is typically referred to as a split DNS environment. The Internet-
facing DNS server resolves the URL of the host-named site to the default zone of your Web
application. This is the zone end-users use to access the site using Basic authentication. The
intranet-facing DNS server resolves this same URL to an IP address that is mapped to the
Intranet zone of your Web application. This is the zone that intranet users and the crawler use to
access the site using NTLM authentication.
This mapping is possible because when a new zone is created by extending the Web application,
Windows SharePoint Services 3.0 creates an Internet Information Services (IIS) Web site for that
zone. A server administrator can use IIS Manager to map a static IP address directly to an IIS
Web site, which is associated with a particular zone of a particular Web application.
182
High-level steps
The following list describes the high-level steps for this solution.
1. The farm administrator uses the Central Administration Web site to create a Web application
on port 80 without a host header assigned to it.
2. The farm administrator configures the default zone of this Web application to use Basic
authentication.
3. The farm administrator extends the Web application, specifies the host header name, and
then specifies NTLM authentication on the intranet zone.
4. The DNS administrator maps the site name to the static IP addresses in DNS.
5. The server administrator uses IIS Manager to perform the following actions:
 Map the static IP address from the Internet-facing DNS server to the IIS Web site that is
associated with the default zone (that is, the zone that uses Basic authentication) of your
Web application.
 Map the static IP address from the intranet-facing DNS server to the IIS Web site
associated with the Intranet zone (that is, the zone that uses NTLM authentication) of
your Web application, and remove the IIS host header that was assigned to this site in
step 3.
6. The server administrator creates a host header-based site collection by using the Stsadm
command-line utility.
Note:
You must use the Stsadm command-line utility to specify the URL that you want for
your host header-based site collection.
7. The farm administrator can grant permissions to the Web application and the site collection
administrator can grant permissions to the site collection.
Deploy the solution

Use the following procedures in the order listed to deploy the solution described earlier in this
article.
Create Web application

2. On the top link bar of the Central Administration home page, click Application
Management.
5. On the Create New Web Application page, in the IIS Web Site section, configure the
183
following settings for your new Web application.
a. Accept the default setting, Create a new IIS web site, and then type a name for the
Web site in the Description box.
b. In the Port box, type 80.
c. Ensure that the Host Header box is blank.
6. In the Application Pool section, select Use existing application pool, or accept the
default setting, Create new application pool. If you are creating a new application pool,
specify the security account to use for the new application pool.
7. In the Search Server section, select the search server that you want to use to index this
Web application from the Select Windows SharePoint Services search server list.
8. Click OK.
Perform the following procedure on all front-end Web servers in the server farm.
Restart IIS
1. Click Start and then click Run.
2. In the Run dialog box, in the Open box, type cmd, and then click OK.
3. At the command prompt, type the following command, and then press ENTER:
iisreset /noforce
4. Close the command prompt window.
Perform the following procedure to configure the Web application to use Basic authentication.
Configure the default zone to use Basic authentication

3. On the Authentication Providers page, in the Zone column, click Default.
4. In the IIS Authentication Settings section, select Basic authentication (password is
sent in clear text).
5. Click Save.
Extend the Web application

Use the following procedure to extend the Web application to create a new zone that uses NTLM
authentication.

184
section, on the Web Application menu, click Change Web Application.
5. On the Select Web Application page, select the Web application you want to extend. This
is the Web application you created earlier in this article.
6. In the IIS Web Site section, do the following:
a. In the Description box, type a description for the new site.
c. In the Host Header box, type a host header name.
7. In the Security Configuration section, ensure that NTLM is selected.
8. In the Load Balanced URL section, select the zone you want to use, (in this example,
Intranet.)
Note:
The intranet-facing DNS server must be able to resolve this load-balanced URL
to the static IP address that you assign to the Web site that you configure to use
NTLM authentication.
9. Click OK.
Restart IIS
3. At the command prompt, type the following command, and then press ENTER:
iisreset /noforce
Map site names to static IP addresses in DNS

Host-named sites enable farm administrators to choose the name they want to use in the URL for
their sites. Note that the name (that is, the URL) must be a unique name on the domain. The
administrator for the Internet-facing DNS server must map the site name chosen by the farm
administrator to the appropriate static IP address. In a later step, the server administrator maps
this static IP address to the IIS Web site that is configured to use the default zone used by the
Web application.
Likewise, the administrator for the intranet-facing DNS server must map this same site name to a
different static IP address. In a later step, the server administrator will map this static IP address
to the IIS Web site that is configured to use the Intranet zone used by the Web application.
Additionally, this DNS administrator must also map the host header name that the farm
administrator used when extending the Web application to this static IP address. Even though this
185
host name is removed in a later procedure, this host name is used by the crawler to access the
Web application on the Intranet zone.
The following procedure must be performed by a server administrator on each front-end Web
server in the server farm.
Map the static IP addresses to the Web sites

2. In the console tree, expand the local computer node, expand Web Sites, right-click the
Web site you configured for Basic authentication, and then click Properties.
3. In the Properties dialog box, on the Web Site tab, in the Web site identification
section, in the IP address list, select the IP address that you want to map to the
customer-facing Web site.
5. In the console tree, right-click the Web site you configured for NTLM authentication, and
then click Properties.
section, click Advanced.
7. In the Advanced Web Site Identification dialog box, in the Multiple identities for this
Web site section, select the row containing the host header name you configured for the
Web site that is using NTLM authentication, and then click Edit.
8. In the Add/Edit Web Site Identification dialog box, select the IP address that you want
to map to the Web site that is using NTLM authentication from the IP address list.
9. In the Host Header value box, make a note of the host header name. This is the host
header name you assigned to the site that you configured for NTLM authentication. You
will need to use this name in the next procedure.
10. In the Host Header value box, delete the host header name, and then click OK.
11. Click OK to close the Advanced Web Site Identification dialog box.
13. Close IIS Manager.
Use the following procedure to create a site collection for your Web application. You must be a
server administrator to perform the following steps.
Create a site collection for the Web application

3. Browse to the following folder:
systemdrive:\Program Files\Common Files\Microsoft Shared\web server
extensions\12\BIN
186
where systemdrive is the drive on which Windows SharePoint Services 3.0 is installed.
4. In the command window, type the following command, and then press ENTER:
stsadm.exe -o createsite -url http://<HostNamedSiteAddress> -ownerlogin
<DomainName\UserName> -owneremail <username@example.com> -
hostheaderwebapplicationurl http://<WebApplicationUrl>
The following table describes the variables used in step 4 of the previous procedure.
Variable Description
HostNamedSiteAddress URL chosen by the farm administrator for users to access

the top-level site of the site collection. The DNS
administrator maps this name to the IP address used to
access the Default zone of your Web application.
DomainName\UserName Primary owner of the host header-based site collection.
username@example.com E-mail address of the site collection owner.
WebApplicationUrl URL of the default zone of the Web application. You can
find this URL on the Web Application List page in Central
Administration.
Grant user permissions

Before users can access the sites on the Web application you have created, you must grant
those users the appropriate permissions to your sites. If you want to manage security at the Web
application level, a farm administrator can create a policy to grant permissions to the Web
application. Alternatively, if you want to manage permissions at the site collection level and at
lower levels, site collection administrators can add users to the appropriate SharePoint groups.
For information about using a policy to grant users permissions, see "Manage permissions
through policy" in the Help system. For more information about managing permissions at the site
collection and lower levels, see Chapter overview: Plan site and content security [Windows
SharePoint Services].
187
Prepare to crawl host-named sites that use
forms authentication
In this article:
 Solution prerequisites
 High-level solution overview
 Deploy the solution
When configuring a Web application to use host-named sites, Web hosters typically use forms
authentication for the default zone. The index component of the search server, sometimes called
the crawler, cannot crawl host-named Web sites that are deployed in the usual way for the
following reasons:
 The crawler cannot authenticate using forms authentication.
 Host-named sites do not enable the index component of the search server to authenticate by
using another zone in the polling order.
For more information about how polling order works with non-host-named sites, see the
“Authentication requirements for crawling content” section in Plan authentication methods
This article describes how to create a solution in Windows SharePoint Services 3.0 so the crawler
can crawl your host-named sites. The components of the solution are to:
 Create two zones for your Web application.
 Direct requests from end-users to the default zone, which is configured for forms
authentication.
 Direct requests from intranet users and the crawler directly to the Intranet zone, which you
configure for NTLM authentication.
Solution prerequisites
The procedures included in this solution require the following types of administrators:
 Domain Name System (DNS) administrator
 Server administrator
 Farm administrator
Other requirements include:
 Two DNS servers: one Internet-facing DNS server and one intranet-facing DNS server.
 Two static IP addresses: one from the Internet-facing DNS server and a different static IP
address from the intranet-facing DNS server. These two IP addresses must be associated
with the same site name.
This solution assumes the following:
188
 A server administrator will either configure separate network interface cards (NICs) on all
front-end Web servers in the server farm with both static IP addresses or will add both static
IP addresses to one NIC.
 The search server that you will use for your Web application is running.
 You do not have another Web application using port 80.
Note:
Although it is possible to implement this solution by using a different port (as long as
both zones use the same port), port 80 is typically used so end-users don’t see a port
number in the URL of their host-named site.
 You have already implemented forms authentication in your environment. Note that forms
authentication can be implemented using several different authentication providers. The
authentication provider you use with your implementation of forms authentication determines
where user accounts are stored.
High-level solution overview

The following figure shows a high-level overview of this solution.
This solution requires two DNS servers. Each DNS server maps the same host name to a
different static IP address. This is typically referred to as a split DNS environment. The Internet-
facing DNS server resolves the URL of the host-named site to the default zone of your Web
application. This is the zone end-users use to access the site using forms authentication. The
intranet-facing DNS server resolves this same URL to an IP address that is mapped to the
Intranet zone of your Web application. This is the zone intranet users and the crawler use to
access the site using NTLM authentication.
This mapping is possible because when a new zone is created by extending the Web application,
Windows SharePoint Services 3.0 creates an Internet Information Services (IIS) Web site for that
189
zone. A server administrator can use IIS Manager to map a static IP address directly to an IIS
Web site, which is associated with a particular zone of a particular Web application.
High-level steps
The following list describes the high-level steps for this solution.
1. The farm administrator uses the Central Administration Web site to create a Web application
on port 80 without a host header assigned to it.
2. The farm administrator configures the default zone of this Web application to use forms
authentication.
3. The server administrator adds a custom XML element to the appropriate Web.config files to
specify the name of the authentication provider used with forms authentication.
4. The server administrator creates a file named stsadm.exe.config to enable the Stsadm
command-line utility to determine how to find the authentication provider you want to use with
forms authentication.
5. The farm administrator extends the Web application, specifies the host header name, and
then specifies NTLM authentication on the Intranet zone.
6. The DNS administrator maps the site name to the static IP addresses in DNS.
7. The server administrator uses IIS Manager to do the following:
 Map the static IP address from the Internet-facing DNS server to the IIS Web site
associated with the default zone (that is, the zone using forms authentication) of your
Web application.
 Map the static IP address from the intranet-facing DNS server to the IIS Web site
associated with the Intranet zone (that is, the zone using NTLM authentication) of your
Web application and removes the IIS host header that was assigned to this site in step 5.
8. The server administrator creates a host header-based site collection by using the Stsadm
command-line utility.
Note:
You must use the Stsadm command-line utility to specify the URL you want for your
host header-based site collection.
9. The farm administrator can grant permissions to the Web application and the site collection
administrator can grant permissions to the site collection.
Deploy the solution

Use the following procedures in the order listed to deploy the solution described earlier in this
article.
Create a Web application

190
2. On the top link bar of the Central Administration home page, click Application
Management.
5. On the Create New Web Application page, in the IIS Web Site section, configure the
following settings for your new Web application.
a. Accept the default setting, Create a new IIS web site, and then type a name for the
Web site in the Description box.
c. Ensure that the Host Header box is blank.
6. In the Application Pool section, select Use existing application pool, or accept the
default setting, Create new application pool. If you are creating a new application pool,
specify the security account to use for the new application pool.
7. In the Search Server section, select the search server that you want to use to index this
Web application from the Select Windows SharePoint Services search server list.
8. Click OK.
Restart IIS
iisreset /noforce
Perform the following procedure to configure the Web application to use forms authentication.
Configure the default zone to use forms authentication

3. On the Authentication Providers page, in the Zone column, click Default.
4. On the Edit Authentication page, in the Authentication Type section, select Forms.
5. In the Membership Provider Name section, in the Membership provider name box, type
the name of your membership provider.
6. Optionally, in the Role Manager Name section, in the Role manager name box, type the
name of your role manager.
191
7. Click Save.
Add configuration settings to the applicable Web.config files

The server administrator must add an XML element to the Web.config file for the default zone of
the Web application created earlier in this article and to the Web.config file for the Central
Administration site. This XML element must specify the name of the authentication provider and
optionally other information about the authentication provider your organization uses with forms
authentication.
Note that the contents of this XML element (and even the name of the element itself) will differ
from one organization to another. For more information about constructing this required XML
element, see Authentication samples [Windows SharePoint Services].
After you have constructed the required XML element, you must add it to the appropriate
Web.config files on the appropriate servers in your server farm. On each server in the farm
running the Windows SharePoint Services Web Application service, add the required XML
element to the Web.config file of the IIS Web site associated with the default zone for your Web
application. On each server in your server farm running the Central Administration service, add
the required XML element to the Web.config file of the Central Administration site.
Note:
Farm administrators can use the Services on Server page in Central Administration to
determine which servers are running these services.
Add the custom XML element to servers running the Windows SharePoint Services Web
Application service
1. Log on to a server in your server farm that is running the Windows SharePoint Services
Web Application service.
2. Click Start, and then click Run. In the Run dialog box, type inetmgr, and then click OK.
3. In IIS Manager, in the console tree, expand the local computer node, and then expand
Web Sites.
4. Right-click the Web site associated with the default zone of the Web application you
created earlier, and then click Explore.
5. In the Name column, right-click web.config, select Open, and then open the file using an
ASCII text editor, such as Notepad.
6. Insert your custom XML element named <connectionStrings> immediately after the
</configSections> element.
7. If you are inserting the optional <membership> or <roleManager> elements, you must
insert them inside the <system.web> element.
8. Save and close the Web.config file.
9. Repeat steps 1 through 7 on any additional server in your farm running the Windows
SharePoint Services Web Application service.
You must be a member of the Administrators group to perform the following procedure.
192
Add the custom XML element to servers running the Central Administration service
1. Log on to a server in your server farm that is running the Central Administration service.
2. Click Start, and then click Run. In the Run dialog box, type inetmgr, and then click OK.
3. In IIS Manager, in the console tree, expand the local computer node, and then expand
Web Sites.
4. Right-click the Central administration Web site, and then click Explore. This site is
named SharePoint Central Administration v3, by default.
5. In the Name column, right-click web.config, click Open, and then open the file using an
ASCII text editor, such as Notepad.
6. Insert your custom XML element named <connectionStrings> immediately after the
</configSections> element.
7. If you are using custom <membership> or <roleManager> elements, you must insert
them inside the <system.web> element.
8. Save and close the Web.config file.
9. Repeat steps 1 through 7 on any additional server in your farm running the Central
Administration service.
Use the following procedure to create a file named stsadm.exe.config. This file must contain the
same XML element that you added to the Web.config files. This file enables the Stsadm
command-line utility to determine how to find the authentication provider you want to use.
Create the stsadm.exe.config file

1. Open an ASCII text editor, such as Notepad, and add the following text:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<configuration> <system.web> </system.web> </configuration>
2. Insert the same custom XML element named <connectionStrings> that you added to your
Web.config files in the preceding step after the <configuration> tag.
3. If you are using custom <membership> or <roleManager> elements, you must insert
them inside the <system.web> element.
4. Save the file and name it stsadm.exe.config.
5. You must ensure that the text editor you are using does not add the .txt extension to the
filename. If this occurs, remove the .txt extension before proceeding to the next step.
6. Copy the stsadm.exe.config file to the following folder on each server in the farm from
which a farm administrator might use the stsadm.exe utility:
extensions\12\BIN
We recommend that you copy this file to each server in the server farm.
193
Use the following procedure to extend the Web application to create a new zone that uses NTLM
authentication.

section, on the Web Application menu, click Change Web Application.
5. On the Select Web Application page, select the Web application you want to extend from
list.
6. In the IIS Web Site section, do the following:
a. In the Description box, type a description for the new site.
c. In the Host Header box, type a host header name.
7. In the Security Configuration section, ensure that NTLM is selected.
8. In the Load Balanced URL section, select the zone you want to use (in this example,
Intranet.)
Note:
The intranet-facing DNS server must be able to resolve this load-balanced URL
to the static IP address that you assign to the Web site that you configure to use
NTLM authentication.
9. Click OK.
Restart IIS
1. Click Start, and then click Run.
3. At the command prompt, type the following and then press ENTER.
iisreset /noforce
Map site names to static IP addresses in DNS

Host-named sites enable farm administrators to choose the name they want to use in the URL for
their sites. Note that the name (that is, the URL) must be a unique name on the domain. The
194
administrator for the Internet-facing DNS must map the site name chosen by the farm
administrator to the appropriate static IP address. In a later step, the server administrator maps
this static IP address to the IIS Web site that is configured to use the default zone used by the
Web application.
Likewise, the administrator for the intranet-facing DNS must map this same site name to a
different static IP address. In a later step, the server administrator will map this static IP address
to the IIS Web site that is configured to use the Intranet zone used by the Web application.
Additionally, this DNS administrator must also map the host header name that the farm
administrator used when extending the Web application to this static IP address. Even though this
host name is removed in a later procedure, this host name is used by the crawler to access the
Web application on the Intranet zone.
The following procedure must be done by a server administrator on each front-end Web server in
the server farm.
Map the static IP addresses to the Web sites

2. In the console tree, expand the local computer node, expand Web Sites, right-click the
Web site you configured for forms authentication and then click Properties.
section, select the IP address that you want to map to the customer-facing Web site from
the IP address list.
5. In the console tree, right-click the Web site you configured for NTLM authentication and
then click Properties.
section, click Advanced.
7. In the Advanced Web Site Identification dialog box, in the Multiple identities for this
Web site section, select the row containing the host header name you configured for the
Web site that is using NTLM authentication and then click Edit.
8. In the Add/Edit Web Site Identification dialog box, select the IP address you want to
map to the Web site that is using NTLM authentication from the IP address list.
9. In the Host Header value box, make a note of the host header name. This is the host
header name you assigned to the site that you configured for NTLM authentication. You
will need to use this name in the next procedure.
10. In the Host Header value box, delete the host header name and then click OK.
11. Click OK to close the Advanced Web Site Identification dialog box.
13. Close IIS Manager.
195
Use the following procedure to create a site collection for your Web application. You must be a
server administrator to perform the following steps.
Create a site collection for the Web application

3. Browse to the following folder:
extensions\12\BIN
where systemdrive is the drive on which Windows SharePoint Services 3.0 is installed.
stsadm.exe -o createsite -url http://<HostNamedSiteAddress>
-ownerlogin <ProviderName:UserName> -owneremail <username@example.com>
-hostheaderwebapplicationurl http://<WebApplicationUrl>
The following table describes the variables used in step 4 of the previous procedure.
Variable Description
HostNamedSiteAddress URL chosen by the farm administrator for users to access

the top-level site of the site collection. The DNS
administrator maps this name to the IP address used to
access the Default zone of your Web application.
ProviderName:UserName Primary owner of the host header based site collection.
username@example.com E-mail address of the site collection owner.
WebApplicationUrl URL on the default zone of the Web application. You can
find this address on the Web Application List page in Central
Administration.
Grant user permissions

Before users can access the sites on the Web application you have created, you must grant
those users the appropriate permissions to your sites. If you want to manage security at the Web
application level, a farm administrator can create a policy to grant permissions to the Web
application. Alternatively, if you want to manage permissions at the site collection level and at
lower levels, site collection administrators can add users to the appropriate SharePoint groups.
For information about using a policy to grant users permissions, see "Manage permissions
through policy" in the Help system. For more information about managing permissions at the site
collection and lower levels, see Chapter overview: Plan site and content security [Windows
SharePoint Services].
196
Add site content
In this article:
 Use Web site designers to design and add content
 Migrate content from another site
 Allow users to add content directly
There are several methods that you can use to add content to sites, including:
 Using Web site designers to design and add content.
 Migrating content from another site.
 Allowing users to add content directly.
Depending on your scenario, you may find particular methods more appropriate.
Use Web site designers to design and add content when you are working with:
 A public-facing Internet site
 A large intranet site
Migrate content from another site when you are working with:
 A site or set of sites that is being reorganized.
Allow users to add content directly when you are working with:
 A collaboration site in which the site owner can create the lists and libraries that are needed,
and then grant site members access so that they can begin contributing content.
 A blog site in which the blog owner can set up the structure for the blog, and then start
creating posts.
 A wiki site in which the wiki site owner can grant access to users and the users can start
creating topics in the wiki.
Use Web site designers to design and add content

When you create a public-facing site or a larger intranet site, Web site owners and designers
must plan and implement many elements, such as site navigation, site design (master pages plus
.css files), and the overall information architecture for the site. For more information about
planning for these elements, see Planning and architecture for Windows SharePoint Services 3.0
technology.
Follow the steps in Enable access for end users to give Web site designers permissions to the
site. When they have completed their work, you can then optionally grant access to authors to
contribute content before you grant access to the other users in your organization or before you
make the site available to the public on the Internet.
197
Migrate content from another site
If you are reorganizing an existing site and need to migrate content to a different site collection,
you can use several methods to migrate the content. You can use:
 The Export and Import operations for the Stsadm command-line tool to migrate site
collections or subsites.
For more information about using Stsadm operations, see the following resources:
 Export: Stsadm operation (http://technet.microsoft.com/en-us/library/cc288940.aspx)
 Import: Stsadm operation (http://technet.microsoft.com/en-us/library/cc287920.aspx)
 The Content Migration object model to programmatically move content at any level in the site
(Web site, list, library, folder, file, or list item).
For more information about using the Content Migration object model, see "Content Migration
Overview" in the Windows SharePoint Services 3.0 Software Development Kit
Allow users to add content directly

If you want your site owners to begin adding content directly to a site, you can immediately grant
them access and allow them to control the site's organization and design.
Follow the steps in Enable access for end users to give your end users permissions to the site.
After you grant permissions, users can begin adding content. For more information about adding
content to sites, see the Help system for Windows SharePoint Services 3.0.
198
Enable access for end users
In this article:
 Add site collection administrators
 Add site owners or other users
After you create your site collection and populate it with content, you are ready to grant access to
end users. This article helps you configure administrative and user permissions for a site
collection. Note that you can also configure permissions for the following securable objects within
a site collection: site, list, library, folder, document, or item. For more information about assigning
permissions for different securable objects within a site collection, see Plan site security
In most cases, these actions are not performed by farm administrators, but are performed by site
collection administrators or site owners. Moreover, these steps are performed in the site
collection itself, not in Central Administration. (However, you can add site collection
administrators by using Central Administration and by using the Site Settings page in the site
collection.) Nonetheless, this information is presented in the Deployment Guide because it is truly
the final stage of deployment — the stage when the site collection is made available for end
users.
This article does not cover how to enable anonymous access. When you create a Web
application, you decide whether to allow anonymous access for site collections on that Web
application. For more information about anonymous access, see the following resources:
 Chapter overview: Plan environment-specific security (http://technet.microsoft.com/en-
 Plan authentication settings for Web applications (http://technet.microsoft.com/en-
 Choose which security groups to use (http://technet.microsoft.com/en-
 "Enable anonymous access" in the Central Administration Help system.
Add site collection administrators

When you created the site collection, you were required to supply the user name for at least one
site collection administrator. If the user name you supplied was not that for the actual
administrator for the site collection — for example, if you did not know who was going to be actual
administrator and you used your own user name — or if you need to change or add a user name
for a site collection administrator, you can do so by using the following procedure.
Note:
This procedure uses the Central Administration Web site, but you can also add a site
collection administrator from the top-level site in the site collection by using the Site
199
Settings page for the top-level site. On the Site Settings page, in the Users and
Permissions section, click Site collection administrators.
Add a site collection administrator

1. In Central Administration, on the top link bar, click Application Management.
click Site collection administrators.
3. If the selected site is not the site for which you want to manage administrators, on the
Site Collection Administrators page, on the Site Collection menu in the Site Collection
section, click Change Site Collection.
 In the Select Site Collection dialog box, select the site for which you want to
manage administrators.
 Click OK.
4. In either the Primary site collection administrator box or the Secondary site
collection administrator box, enter the user name of the user to whom you want to
assign that role.
5. Click OK.
Add site owners or other users

If you have not yet set up any groups for this site or site collection, you must set up groups before
you can add any users to groups. (You can also add users individually, without setting up groups,
but if you want to manage users efficiently, we recommend that you use groups.) To specify
which group to assign to site visitors, site members, site owners, or other groups, use the
following procedure. This procedure helps you set up the default groups, but you can also create
additional groups.
Note:
The SiteName Owners group has the Full Control permission level on the site, so you
can add users to that group to give them administrative access for that site. For more
information about groups and permission levels, see Determine permission levels and
Set up Members, Visitors, and Owners groups for a site

1. On the site home page, on the Site Actions menu, click Site Settings.
2. On the Site Settings page, click People And Groups.
3. On the People and Groups page, on the Quick Launch, click Groups.
4. On the People and Groups: All Groups page, on the Settings menu, click Set Up
Groups.
5. On the Set Up Groups for this Site page, select a group for each set of users that you
want to change. Alternatively, select Create a new group to assign a custom group to a
200
set of users.
After you have configured groups for the site, you can add users and grant them permissions by
using the following procedure.
Add users to groups

1. On the site home page, on the Site Actions menu, click Site Settings.
2. On the Site Settings page, click People And Groups.
3. On the People and Groups page, on the Quick Launch, click Groups.
4. Click the name of the group to which you want to add users.
5. On the People and Groups: Group name page, on the New menu, click Add Users.
6. On the Add Users page, type the account names that you want to add, or browse to find
users from Active Directory directory service.
7. In the Give Permission section, be sure that Add users to a SharePoint group is
selected and that the correct group is displayed.
Note:
In rare cases, you might want to give individual permissions to a user by clicking
Give users permission directly. However, assigning individual permissions to
many users can quickly become difficult and time-consuming to manage. We
recommend that you use groups as much as possible to efficiently manage site
access.
8. Click OK.
For more information about managing users and groups, see "Manage SharePoint groups" in the
Help system for Windows SharePoint Services 3.0.
201
III. Install application templates
202
Installing application templates for Windows
SharePoint Services 3.0
Microsoft has created 40 application templates for Windows SharePoint Services 3.0 that are
available for download at the SharePoint Products and Technologies Web site
Application templates for Windows SharePoint Services 3.0 are separated into two groups, site
admin templates and server admin templates.
 Site admin templates are custom templates that are easy for any SharePoint site
administrator to install into the template gallery.
 Server admin templates were created as site definitions, enabling tighter integration and
enhanced functionality with the Windows SharePoint Services 3.0 platform. They require
administrator permissions on the server to install.
Site Admin Templates

Note:
To install or remove a site admin template, you must be a member of the Owners
SharePoint group (or another SharePoint group with Full Control permissions) on the
Windows SharePoint Services 3.0 site.
Install a template
1. Download the template you want to install to your computer.
2. Double-click the .exe file to extract the files.
3. Log on to the SharePoint site as a member of the Owners group.
5. In the Galleries section, click Site templates.
If you don’t see Site templates in the Galleries section, you might not be at a top-level
site. In the Site Collection Administration section, click Go to top-level site
administration.
6. Click Upload to save an application template to this SharePoint site.
If you want to save more than one application template, click Upload Multiple Files.
7. Browse to the <template_name>.stp file, and then click Open.
8. Click OK.
Create a site
203
3. In the Site Administration section, click Sites and workspaces.
4. Click Create.
5. On the New SharePoint Site page, fill in the information about your new site.
6. In the Template Selection section, click the Custom tab.
Any site admin application templates that have been uploaded will be listed here.
7. Click the template to use for the new site, and then click Create.
The following procedure will not remove any sites that were already created by using the
template. It will only prevent users from creating new sites based on the template.
Remove a template
1. Log on to the top-level SharePoint site as a member of the Owners group.
3. In the Galleries section, click Site templates.
4. In the list of site templates, find the application template to remove, and then click Edit.
5. Confirm that this is the application template to remove, and then click Delete Item.
6. Click OK to confirm the deletion.
The application template is now unavailable to SharePoint sites and it has been removed from
the SharePoint site template gallery.
Server Admin Templates

Note:
To install or remove a server admin template, you must be a member of the Owners
SharePoint group (or another group with Full Control permissions) on the SharePoint site
and be a member of the Administrators group on the server running Windows SharePoint
Services 3.0.
Install and remove server admin templates by using the Stsadm command-line tool at
%PROGRAMFILES%\common files\microsoft shared\web server extensions\12\bin.
Before installing a server admin template, you must first install the Application Template Core
solution (http://go.microsoft.com/fwlink/?LinkId=85162&clcid=0x409). If you have already installed
this solution, skip to "Install a template."
Install the Application Template Core solution

1. Download the Application Template Core solution to the server.
3. Open a Command Prompt window.
Note:
204
To open a Command Prompt window, click Start, point to All Programs, point to
Accessories, and then click Command Prompt.
4. Type stsadm -o addsolution -filename <file_path>\ApplicationTemplateCore.wsp,
where <file_path> is the location you extracted the Application Template Core files to,
and then press ENTER.
5. Type stsadm -o deploysolution -name ApplicationTemplateCore.wsp -
allowgacdeployment, and then press ENTER.
Note:
Additional attributes may be required based on your Windows SharePoint
Services 3.0 configuration. For more information about available attributes, type
stsadm -help deploysolution, and then press ENTER.
6. Type stsadm -o copyappbincontent, and then press ENTER.
Install a template
1. Download the template you want to install to the server.
3. At the command prompt, type stsadm -o addsolution -filename
<file_path>\<template_name>.wsp, where <file_path> is the location you extracted the
template files to and <template_name>.wsp is the .wsp file for your template, and then
press ENTER.
4. Type stsadm -o deploysolution -name <template_name>.wsp -allowgacdeployment,
and then press ENTER.
Note:
Services 3.0 configuration. For more information about available attributes, type
stsadm -help deploysolution, and then press ENTER.
5. To check the deployment status, open the Central Administration site for the server.
6. Click the Operations tab, and then, in the Global Configuration section, click Solution
management, and then check the status of your solutions.
7. After all the solutions are marked Globally Deployed, from the command line, run
iisreset.
Create a site
3. In the Site Administration section, click Sites and workspaces.
4. Click Create.
5. On the New SharePoint Site page, fill in the information about your new site.
205
6. In the Template Selection section, click the Application Templates tab.
Any server admin application templates that have been uploaded will be listed here.
7. Click the template to use for the new site, and then click Create.
The following procedure will not remove any sites that were already created by using the
template. It will only prevent users from creating new sites based on the template. The
Application Template Core solution must remain installed and deployed for other server admin
templates to be installed.
Remove a template
1. Log on to the server running Windows SharePoint Services 3.0 as a member of the
Administrators group on the server.
2. Do one or both of the following:
 To remove a solution from the list of templates for new sites, at the command prompt,
type stsadm -o retractsolution -name <template_name>.wsp, and then press
ENTER.
Note:
Services 3.0 configuration. For more information about available attributes,
type stsadm -help retractsolution, and then press ENTER.
 To remove a solution from the server, at the command prompt, type stsadm -o
deletesolution -name <template_name>.wsp, and then press ENTER.
Note:
Services 3.0 configuration. For more information about available attributes,
type stsadm -help deletesolution, and then press ENTER.
206
IV. Deploy software updates and upgrade to
a new operating system
207
Deploy software updates for Windows
SharePoint Services 3.0
In this article:
 Before you begin
 Overview of installation sequence
 Perform installation steps
 Verify installation
 Add new servers to a server farm
 Update language template packs
 Known issues
To help you better understand the update deployment process we have posted the Presentation:
Understanding and deploying hotfixes, public updates, and service packs
(http://go.microsoft.com/fwlink/?LinkId=121946&clcid=0x409), given by Daniel Winter at the
SharePoint Products and Technologies conference in March, 2008. This presentation provides
valuable information about the different types of software updates that Microsoft releases for
Windows SharePoint Services and Microsoft Office SharePoint Server.
Using Service Pack 1 for Windows SharePoint Services 3.0 and Microsoft Office SharePoint
Server 2007 as examples, Daniel Winter provides detailed information about pre-upgrade steps,
deploying the upgrade, validating the upgrade, and troubleshooting the upgrade. Viewing the
presentation is highly recommended prior to reading further in this topic and deploying an update.
We recommend that you follow the process and procedures in this topic for most deployment
scenarios, from stand-alone server deployments to very large server farms. The typical process
for installing software updates consists of copying the files to a computer and then running either
the SharePoint Products and Technologies Configuration Wizard or the Psconfig command-line
tool to upgrade the databases.
Note:
In this article, we use the term software update as a general term for all update types,
including any service pack, update, update rollup, feature pack, critical update, security
update, or hotfix used to improve or fix this software product.
If you chose Basic installation (single server with Microsoft SQL Server Desktop Engine) when
you installed your Web server running Windows SharePoint Services 3.0, you do not need to
follow the process and procedures in this topic. In this case, if you have Automatic Updates
enabled, your computers are updated automatically. If you do not have Automatic Updates
enabled, you can use the Microsoft Update
(http://go.microsoft.com/fwlink/?LinkId=90953&clcid=0x409) Web site to install the software
updates.
208
Note:
Typically, only public software updates, such as operating system fixes or security
patches can be installed from the Microsoft Update Web site.
After the software update is installed, the SharePoint Products and Technologies Configuration
Wizard runs automatically to update the databases for SharePoint Products and Technologies. In
this scenario, the SharePoint Products and Technologies Configuration Wizard will not prompt for
user input or display any notifications.
For any deployment other than single server, such as Web servers in a server farm, you must
visit the Microsoft download center to download and then install the software update. The
software update will not be installed automatically, even if Automatic Updates is enabled on your
Web servers, and you cannot use the Windows Update Web site to initiate the software update
installation.
The software update checks the registry and blocks automatic installation on any Web server that
does not contain the value singleserver in the SERVERROLE key.
If you need to determine whether to manually download and install the software update, use a
registry editor to verify the value in the following key:
HKLM\Software\Microsoft\Shared Tools\Web server extensions\12.0\WSS\SERVERROLE
In server farm deployments, you must update all the Web servers running Windows SharePoint
Services 3.0 to the same software update version. If the software update versions are not the
same on all of the Web servers running Windows SharePoint Services 3.0 in your server farm,
when users request resources from a Web server that does not have the software update
installed, they receive a Page cannot be found (404) error. If you attempt to install the software
update and the installation fails, all user requests to the Web servers with a failed software
update installation will return the error: Server error:
http://go.microsoft.com/fwlink?LinkID=96177. Once the software update installation is
successful, the Web server displays content as expected.
Before you begin

This section provides an overview of what you must do before you install a software update.
You must remove the Web servers running Windows SharePoint Services 3.0 from service for the
duration of the software update installation. The reason for doing this is that the software update
could make schema changes to the SQL Server database, and user authoring during the upgrade
could result in the front-end and back-end servers having different content.
We recommend that you schedule the installation of the software update for a time that causes
the least amount of disruption for your users. You should communicate the proposed schedule to
the users and the key people involved with the Web sites hosted on the Web servers running
Windows SharePoint Services 3.0 and, if necessary, adjust the schedule.
If you are installing on Web servers running Windows SharePoint Services 3.0 in a server farm,
after the software update is installed on the first Web server in the server farm, the file versions
on that Web server and the databases in that server farm are different from the file versions on
the other Web servers. This mismatch prevents the server farm from working correctly, and even
209
valid requests result in errors. When the software update has been installed on all of the Web
servers in the server farm, results are returned to users as expected.
When you first installed Windows SharePoint Services on the Web servers in your server farm, if
you used an upgrade method—either in-place or gradual—and upgrade jobs are still in progress,
the software update installation might fail. To ensure that none of the upgrade processes are
running, you must view the Timer Job Status page on the SharePoint Central Administration Web
site. If you see any upgrade jobs listed, you must allow the upgrade to finish before you install the
software update.
The upgrade jobs that appear on the Timer Job Status page result from the following operations:
 Sites that are in the process of being upgraded.
 You selected the in-place upgrade option in the SharePoint Products and Technologies
After you have verified that no upgrade items are listed on the Timer Job Status page, you can
continue installing the software update.
Pre-upgrade preparation
Before you install a software update, we recommend the following:
 If there are orphaned objects in the content databases—orphans are items that do not have
any parent or child relationships—the software update installation will fail. To make sure that
the installation can succeed, you must either fix the relationship or drop the orphans before
you begin the software update installation. For more information about a resolution for when
the content database contains one or more orphaned objects, see the Microsoft Knowledge
Base article titled Error message when you try to upgrade Windows SharePoint Services 2.0
to Windows SharePoint Services 3.0: "Upgrade has encountered one or more lists that were
not updated by Prescan.exe and must exit" (http://go.microsoft.com/fwlink/?LinkId=105755).
 If you customized a predefined site template by directly modifying the site template files—
something we do not recommend doing—the software update installation may overwrite
some of the files that you modified, and your customizations in those files will be lost. You
must reapply any site-template customizations after you install the software update.
 Stop the World Wide Web publishing service (W3SVC) on all front-end Web servers to
disconnect all the users from the server farm. In server farms with multiple front-end Web
servers, if you allow users to connect after the files and databases have been updated on
one Web server, and the other Web servers have not been updated, users will not be able to
browse the Web sites.
Note:
If you manually stop the World Wide Web Publishing service, you must manually start
it at the end of the installation.
 Before you start the backup you should clean up your environment by performing the
following steps.
210
 Defragment all of the SQL Server database indexes. For more information, see How to
defragment Windows SharePoint Services 3.0 databases and SharePoint Server 2007
databases (http://go.microsoft.com/fwlink/?LinkID=102795&clcid=0x409).
 Make sure that there is adequate hard drive space in your database files volumes,
tempdb volumes, and Windows temporary folder on the servers running SQL Server,
front-end Web servers, and application servers. The upgrade operation writes the
progress of various steps into an upgrade log that can take up disk space, but if you plan
for extra storage you should not encounter issues due to space limitations.
 If any of your databases contain more than the number of site collections recommended in
the Information Architecture Recommendations of the download White paper: Performance
recommendations for storage planning and monitoring, you should load-balance your site
collections across multiple databases.
 Follow the best practices for content database sizing before you perform any upgrade
operations.
 Make sure that you follow the recommendations concerning SQL Server page-fill factor and
other storage planning best practices before you begin the upgrade. For more information
about storage best practices, see Performance recommendations for storage planning and
monitoring (http://go.microsoft.com/fwlink/?LinkID=105890&clcid=0x409)
 Back up the server farm before you start the software update installation. You should create a
backup of search and all databases. We recommend that you follow these guidelines:
 Configuration database and Central Administration content database: You must
back up your databases by using SQL Server tools after you have stopped your farm.
Use the simple recovery model so that your transaction log is truncated. For more
information, see Move all databases (http://technet.microsoft.com/en-
 Content databases: Perform a full backup operation with either Stsadm or SQL Server
to back up all content databases. If you are using SQL Server, use the simple recovery
model, so that your transaction log is truncated.
 Single sign-on (SSO) database: Perform a full backup operation with SQL Server to
back up the SSO database. If you are using SQL Server, use the simple recovery model,
so that your transaction log is truncated.
 Front-end Web server: If you have customized the front-end Web server, or are unsure
of the extent of the customizations to your Web applications, we recommend that you
make a backup image of your front-end Web server. Make sure you have a backup of
any solution packages that you have deployed on your front-end Web servers.
Note:
Ideally, if you are customizing front-end Web computers, the customization
should be managed using a robust build process or script that allows the
customizations to be applied to a new computer.
211
If you experience an unrecoverable failure during upgrade, you may have to restore your
server from the backup image you created. You would need to manually apply any
customizations to your front-end Web server.
Note:
We recommend that you back up the server farm after you have verified that the
software update installation succeeded.
After you have backed up all of your databases, use the SQL Server DBCC shrinkfile
command to free unused log space, making the logs as empty as possible. For more
information, see Shrinking the Transaction Log
(http://go.microsoft.com/fwlink/?LinkId=105233). It is a best practice to verify that you can
restore the databases.
For more information about how to perform backups, see Prepare to back up Windows
SharePoint Services 3.0 technology.
 In server farms that have a large number of sites, you will find that installing a software
update with the content databases attached is not practical in terms of downtime. In order to
minimize the downtime, we recommend that you perform the additional step of detaching the
content databases.
 To deploy software updates in a server farm you must be logged in to the Web server or
application server as a domain account that also has the following permissions:
 Member of the Administrators group on the Web server computer.
 Member of the Administrators group on the server running SQL Server or be granted the
fixed database role db_owner to all SharePoint Products and Technologies databases.
 If you have previously installed a hotfix, and the problem that it addresses is not fixed in this
widely available software update, you must obtain the updated version of that hotfix to
address specific issues in your environment by contacting Microsoft Customer Support
Services (http://go.microsoft.com/fwlink/?LinkId=99201).
For more information about the software updates in Windows SharePoint Services 3.0 with
Service Pack 1, see Microsoft Knowledge Base article 942388
For more information about the software updates in Windows SharePoint Services 3.0 Post
Service Pack 1 rollup, see Microsoft Knowledge Base article 941422
Note:
All Web servers running Windows SharePoint Services in the server farm must be
running Windows SharePoint Services 3.0.
 You must download the correct software update file for your hardware and language. The
pattern for the software update naming convention is productnamerrr-kby-xnn-fullfile-
lang.exe, where:
 productname is a short identifier for the name of the released product.
 rrr is a description of the release. For example, Service Pack 1 would be sp1.
212
 y is a number that corresponds to the Knowledge Base article about the software update.
 nn is a number indicating the hardware architecture, either x86 or x64.
 lang is the language of the software update. For example, U.S. English is en-us.
For example, the file name for the Windows SharePoint Services 3.0 Service Pack 1 (SP1) file, in
U.S. English and for x86-based hardware, is wssv3sp1-kb936988-x86-fullfile-en-us.exe.
For more information, and to download the appropriate file, see Download details: Windows
SharePoint Services 3.0 Service Pack 1 (SP1)
Overview of installation sequence

The following approach updates the database from one server that hosts the Central
Administration Web site, so that when you run the SharePoint Products and Technologies
Configuration Wizard on the subsequent front-end Web servers, the front-end servers can simply
connect to the updated database, rather than attempt to upgrade the database.
Note:
This installation sequence ensures that you can avoid database locking issues.
You must update the Web servers in your server farm in the following order:
1. The files from the software update must be installed on all the Web servers in the server farm
by running the software update installation on each Web server up to the point where the
dialog box with the following message is displayed:
You must run Setup to install new binary files for every server in your server farm. If
you have multiple servers in your server farm, run Setup and the configuration wizard
on the other servers now, and then return to this server and click OK to continue.
Note:
If you started the installation in silent mode, using the /q switch, the SharePoint
Products and Technologies Configuration Wizard does not automatically start. To
continue the upgrade, you need to force the upgrade by either manually starting the
wizard or running the psconfig command with arguments to force an in-place, build-
to-build upgrade. For specific information, in the Perform installation steps section,
follow the "To force a software update" procedure.
2. Complete the software update by clicking OK in the dialog box on one Web server that hosts
the Central Administration Web site (front-end Web server) for the server farm.
3. Complete the software update, one Web server at a time, for the rest of the server farm.
Perform installation steps

Important:
Make sure you are aware of the prerequisites, as outlined earlier in this document, before
you follow the procedures in this section.
213
You must install the software update on each Web server running Windows SharePoint Services
3.0 to the point that the files are copied to all Web servers in the server farm. You should return to
one Web server to complete the installation. After the installation has been completed on the Web
server that you selected, you can complete the installation on each of the other Web servers.
To ensure that you have the correct permissions to install the software update and run the
SharePoint Products and Technologies Configuration Wizard, we recommend that you add the
account for the SharePoint Central Administration v3 application pool identity to the
Administrators group on each of the local Web servers and application servers and then log on by
using that account. These changes are only required for installing the update and then running
the SharePoint Products and Technologies Configuration Wizard to complete the upgrade.
If you use a different account to install the software update, it must be a domain account with the
following memberships, roles, and authorization:
 Member of the Administrators group on the Web server computer.
 Granted the fixed database role db_owner to all SharePoint Products and Technologies
databases.
In many IT environments, database administrators (DBAs) create and manage databases.
Security policies and other policies in your organization might require that DBAs create the
databases needed by Windows SharePoint Services 3.0.
Note:
For information about how to deploy Windows SharePoint Services 3.0 in an environment
in which DBAs create and manage databases, see Deploy using DBA-created databases
You can install the software update by logging on to the server directly or by connecting through a
Terminal Services console session.
Note:
For information about how to use console sessions, see Microsoft Knowledge Base
article 278845: How to Connect to and Shadow the Console Session with Windows
Server 2003 Terminal Services (http://go.microsoft.com/fwlink/?LinkId=98317).
Install the software update

This section includes all of the procedures required to install a software update successfully in
any size server farm. If you are in a large server farm, you should read the "Large-farm
optimization" section later in this document.
The following procedure provides the steps to:
 Make all software update files available on all servers in your server farm.
 Complete the update on one front-end Web server.
 Finish updating the remaining servers in the server farm.
214
Note:
You must perform steps 1 though 6 from the following procedure on every Web server in
the server farm before you complete the installation on any one Web server.
To install a software update

1. Disconnect users from the server farm by stopping the World Wide Web Publishing
service (W3SVC) on all Web servers.
Note:
This manual step is done as a precaution to ensure that the service is fully
stopped.
2. Download and install the appropriate Windows SharePoint Services 3.0 software update
for all servers in your server farm.
3. At the end of the software update installation, the SharePoint Products and Technologies
Configuration Wizard starts.
Note:
If the wizard does not start automatically, click Start, point to All Programs, point
to Administrative Tools, and then click SharePoint Products and
Technologies Configuration Wizard.
4. On the SharePoint Products and Technologies Configuration Wizard Welcome page,
click Next.
6. On the Completing the SharePoint Products and Technologies Configuration
Wizard page, click Next.
7. When the dialog box about installation in a server farm appears, do not click OK.
Instead, leave each server with the following dialog box displayed:
You must run Setup to install new binary files for every server in your server farm. If you
have multiple servers in your server farm, run Setup and the configuration wizard on the
other servers now, and then return to this server and click OK to continue.
8. When the dialog box from the previous step is displayed on all Web servers in the server
farm, use one Web server that hosts the Central Administration Web site to finalize the
installation.
9. On the server you selected in the previous step, click OK.
11. After you have finished updating one Web server that hosts the Central Administration
Web site, you should follow the procedures in the "Verify installation" section on this one
Web server to ensure that the software update installation was successful.
12. Continue updating the remaining computers in the server farm, one at a time, by clicking
OK in the dialog box.
215
Note:
It is important that the SharePoint Products and Technologies Configuration
Wizard perform the configuration procedures on only one computer at a time.
13. When the software update installation and configuration is complete on all the Web
servers in the server farm, make the Web servers available to users by manually starting
the World Wide Web Publishing service on each server on which you manually stopped
the service.
If you completed the "To detach content databases" procedure, depending on if you configured
additional computers to upgrade the content databases, you must use one of the following
procedures to attach the content database after the software update installation is complete.
Note:
If you did not follow the "To detach content databases" procedure, you can skip the "To
attach the content database" procedures.
If you did not configure additional computers specifically to upgrade the content databases, you
will need to follow the "To attach the content database from the command line" procedure. This
procedure attaches and initiates an upgrade of the content database.
To attach the content database from the command line

 To attach the database, enter the following command:
stsadm -o addcontentdb -url <http://backupservername:port> -databasename
<ContentDBName> -databaseserver <NewPrincipalServer>
If you did configure additional computers specifically to upgrade the content databases, you can
use the following procedure to attach the content database to the updated computers.
To attach the content database

2. On the Central Administration site, click Application Management.
Management section, click Content databases.
4. On the Manage Content Databases page, click Add a content database.
5. Enter the information for the content database you detached earlier.
6. Repeat steps 4 and 5 for every content database you want to attach.
You must perform the following procedure on all indexers and query servers in your server farm if
either of the following conditions is true:
 You are running in a least-privileges scenario.
 The account that you are using for the search service is either:
 Not an Administrator on the local computer.
216
 Not a member of the server farm administrator account.
To start the search service

1. Open a Command Prompt window and navigate to
%COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\12\bin.
2. To identify the computers that are running an instance of the online Windows SharePoint
Services search service, run the following command:
stsadm -o spsearch -action list
3. Log on to each computer, either locally or through a remote connection, that is returned
in the list from the previous step and run the following command:
stsadm -o spsearch -action start
Large-farm optimization
In very large server farms, installing a software update with the content databases attached is not
practical in terms of downtime. In the scenario where you have a large number of sites or many
Web servers, to minimize the downtime required to upgrade, we recommend that you perform the
additional step of detaching the content databases. For the best performance with the upgrade
operations, you should use four or five front-end Web servers per database server.
Note:
Unless you are dealing with a very large server farm, you do not need to follow this
procedure.
To detach content databases

1. To detach a content database using Stsadm, open a command prompt and change
directories to %COMMONPROGRAMFILES%\Microsoft Shared\Web server
extensions\12\Bin.
2. Run the following operation from the command line:
stsadm -o deletecontentdb -url http://computername -databasename
In this operation, -url specifies the Web application from which the content databases will
be detached and -databasename specifies the name of content database to be
detached.
Note:
If your database server is on a separate server, you need to use the -
databaseserver parameter to specify the database server name.
After you upgrade your server farm, you must attach the content databases back to the server
farm. You can only attach one content database to the server farm at a time, because when you
attach the databases to the upgraded server farm, the content database is upgraded
automatically.
217
If you want to streamline the upgrade process even further, you can configure additional
computers as Web servers running Windows SharePoint Services 3.0 with SP1 in a single-
computer server farm; we recommend four to five Web servers. You must configure alternate
access mappings on these temporary front-end Web servers to match the original servers. If the
alternate access mappings are not identical, the content databases may be upgraded with the
wrong URLs within their site content. This will result in certain pages not displaying correctly, and
you must contact Microsoft Product Services to correct this problem. Then, to perform a parallel
upgrade of the content databases, use these Web servers to upgrade the content databases
while they are detached from the original server farm.
After you detach the upgraded content databases from the temporary Web server, and attach
them back to the original server farm, the content databases are ready for service. At this point,
you should remove any content databases from the previous version and then back up the server
farm.
Notes
 If you detach and reattach a content database, be aware that the next time the content
within that content database is crawled a full crawl will occur, even if an incremental crawl
has been requested. Because a full crawl recrawls all content, regardless of whether that
content has been previously crawled, full crawls can take significantly more time to
complete than incremental crawls.
 If you are running the Infrastructure Update for Windows SharePoint Services 3.0, the
identifier (ID) of each content database is retained when you restore or reattach the
database by using built-in tools. Default change log retention behavior when using built-in
tools is as follows:
 When a database ID and change log are retained, Search continues crawling based on
the regular schedule defined by crawl rules. When a change log is not retained, Search
performs a full crawl during the next scheduled crawl.
 For more information, see Move all databases (http://technet.microsoft.com/en-
us/library/cc512723.aspx) and Back up and restore the farm
The limiting factor for this method is that you cannot simultaneously update more than one
content database for each Web application—even if you use multiple computers.
Verify installation
After you install a software update, you should verify that the installation was successful by
reviewing the upgrade log file (Upgrade.log), as described in the following procedure.
To view the upgrade log file

1. In Windows Explorer, change to the following directory:
%COMMONPROGRAMFILES%\Microsoft Shared\Web server extensions\12\LOGS
2. Use a text editor to open the Upgrade.log file.
218
3. Scroll to the date on which you installed the software update.
4. Search, or visually scan, for the following entries:
Finished upgrading SPFarm Name=<Name of Configuration Database>
In-place upgrade session finishes. Root object = SPFarm=<Name of Configuration
Database>, recursive = True. 0 errors and 0 warnings encountered.
If you find these entries, the installation was successful.
5. If you do not find the entries from the previous step, you can identify specific issues that
may have contributed to the failure by searching, or visually scanning, through the
Upgrade.log file for the following terms:
 fail
 error
After you identify and resolve the blocking issues, use the "To force a software update"
procedure later in this section.
In some configurations, the SharePoint Timer Service (OWStimer) account—which, by default, is

the same account used by the SharePoint Central Administration v3 application pool
account—is configured with credentials that do not have permission to access the LOGS folder in
%COMMONPROGRAMFILES%\Microsoft Shared\Web server extensions\12\. If this is the case,
part of the Upgrade.log is stored in the temporary storage folder of the account that is running the
SharePoint Timer service.
To write all available logging information, including verbose output and detailed debugging
information, to the log files for the software update installation, run the following command:
msiexec /p <PatchPackage> /l*vx %temp%\patch.log
Where PatchPackage is the path to the software update file.
You can find the log file in the temporary file location with the file name msi*.log.
Note:
You can enable Windows Installer logging before you start the software update
installation again. To enable logging for Windows Installer, see Microsoft Knowledge
Base article 99206: How to enable Windows Installer logging
(http://go.microsoft.com/fwlink/?LinkID=99206).
In addition to the previous procedure, verify that the update was successful by using the
SharePoint Central Administration Web site to view the version number on the Servers in Farm
page.
To view the Servers in Farm page

1. Use one of the following methods to open the Servers in Farm page:
 On the Central Administration home page, click Operations. Then, on the Operations
page, in the Topology and Services section, click Servers in farm.
 From Internet Explorer, view the following Web page:
http://ServerName:Port/_admin/FarmServers.aspx
219
Where ServerName is the name of the server, and Port is the port that is configured
for the Central Administration Web site.
2. On the Servers in Farm page, next to Version, verify the version number of each server
in the farm to verify that each one has been updated to the new binary version.
The following Windows SharePoint Services 3.0 version numbers are correct:
 Release 12.0.0.4518
 August 24, 2007 hotfix package 12.0.0.6036
For more information about the software updates in the August hotfix, see Microsoft
Knowledge Base article 941422: Description of the Windows SharePoint Services 3.0
hotfix package (http://go.microsoft.com/fwlink/?LinkId=102044&clcid=0x409).
 October public update 12.0.0.6039
 Service Pack 1 12.0.0.6219
 Post Service Pack 1 rollup 12.0.0.6300
If the version number matches the version number for the software update, you have
succeeded in updating the server. If the version number is not correct, the software
update installation did not complete successfully. To identify and resolve the blocking
issues, follow the "To view the upgrade log file" procedure earlier in this article.
If you need to investigate the success of the software update installation in more depth, use the
following procedure to verify version numbers on certain files and verify certain keys in the
registry.
To perform advanced installation verification

1. You can examine the version number of certain files in
%COMMONPROGRAMFILES%\Microsoft Shared\Web server extensions\12\ISAPI
The following Windows SharePoint Services 3.0 owssvr.dll version numbers are correct:
 Release 12.0.4518.1016
 October public update 12.0.0.6039
 Service Pack 1 12.0.0.6219
 Post Service Pack 1 rollup 12.0.0.6300
 Infrastructure Update 12.0.0.6318
2. Verify that the value is correct in the Version key in the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server
Extensions\12.0
You can also verify that the software update installation was successful by using SQL Query
Analyzer to examine the SQL Server schema. Although the version of the DLL files and the
registry are updated during the first part of an upgrade—when the files are being copied—the
SQL Server schema is only upgraded after the SharePoint Products and Technologies
Configuration Wizard is run.
220
Note:
The SSP databases could have different version numbers and the SSO databases do not
have a versions table.
You should use the following procedure to determine if the SharePoint Products and
Technologies Configuration Wizard was run after the software update.
To verify through direct examination of the SQL schema

 This SQL Server query can be run on any SharePoint Products and Technologies
database to track all the upgrades run on the database in the GUID 00000000-0000-
0000-0000-000000000000:
SELECT * FROM Versions
The highest value that maps to the GUID above should equal the current version of the
product. For Service Pack 1 the version should include 6211.
If the installation did not succeed, you can run the SharePoint Products and Technologies
Configuration Wizard again, or you can use the following procedure to complete the configuration
from the command line.
Note:
You can enable Windows Installer logging before you start the software update
installation again. For information, see Microsoft Knowledge Base article 99206: How to
enable Windows Installer logging (http://go.microsoft.com/fwlink/?LinkID=99206).
To force a software update

1. Open a Command Prompt window and change to the following directory:
%COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin
2. Type the following command:
psconfig –cmd upgrade –inplace b2b –wait –force
Add new servers to a server farm

If you need to build a new server to join an existing server farm, we recommend that you use an
installation source that has the software update files included. When you use this installation
source to add new servers to your server farm, the software update is already applied to the new
server and the version of the new server matches the rest of the servers in your server farm.
You can download Windows SharePoint Services 3.0 with SP1 as an updated version at the
following location:
 X86: Windows SharePoint Services 3.0 with Service Pack 1
 X64: Windows SharePoint Services 3.0 x64 with Service Pack 1
221
You can create an installation source location that already contains the software updates that
match those installed on your server farm by using the updates folder. For more information, see
the topic Create an installation source that includes software updates (Windows SharePoint
Services 3.0).
If you need to build a new server to join an existing server farm, but you have not created an
updated installation source, you must use the following procedure.
To build a server to join an existing farm

1. Install the product without any software updates and do not run the SharePoint Products
and Technologies Configuration Wizard.
Note:
By not running the SharePoint Products and Technologies Configuration Wizard
you do not define the location for the configuration database by creating the
registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared
Tools\Web server extensions\12.0\Secure\ConfigDB.
2. Install the software update.
3. Run the SharePoint Products and Technologies Configuration Wizard at the prompt.
If you do not follow this process and you do run the SharePoint Products and Technologies
Configuration Wizard after you install the released product, the SharePoint Products and
Technologies Configuration Wizard reads the ConfigDB registry key and the SharePoint
Products and Technologies Configuration Wizard displays: Exception:
System.InvalidOperationException: Operation is not valid due to the current state of the
object. To address this problem, you must either modify the registry or use the command line to
force the configuration to complete successfully.
Use registry editor to modify the contents of the ConfigDB registry key and then run the
SharePoint Products and Technologies Configuration Wizard.
To force an install after a failed configuration by modifying the registry

1. Install the software update and do not allow the SharePoint Products and Technologies
Configuration Wizard to run.
2. Use a registry editor to modify the setup type to a clean install. Change the registry key to
the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web server
extensions\12.0\WSS\SETUPTYPE=CLEAN_INSTALL
3. Run SharePoint Products and Technologies Configuration Wizard to perform a
disconnect operation.
4. Run SharePoint Products and Technologies Configuration Wizard to connect to your
server farm.
Use the Psconfig command-line tool.
222
Note:
For more information about using Psconfig, see Command-line reference for the
SharePoint Products and Technologies Configuration Wizard
To force an install after a failed configuration (command line)

1. Install the product without any software updates and do not run the SharePoint Products
and Technologies Configuration Wizard.
2. Install the software update and do not run the SharePoint Products and Technologies
3. Open a Command Prompt window and run the following command:
psconfig -cmd configdb -connect -server <SQLServerName> -database
SharePoint_Config_<dbname> -user <domainusername> -password <password> -
cmd helpcollections -installall -cmd secureresources -cmd services -install -cmd
installfeatures -cmd applicationcontent –install
Update language template packs

For each language template pack installed on a server that renders content, you must install
updated language template packs. To install the language template packs, you can download
updated language template packs through the Microsoft Download Center. However, we
recommend that you browse to the Microsoft Update or Windows Update Web sites to detect the
language template packs installed on your front-end Web server. An updated language template
pack is installed for each language template pack that is currently installed.
You must run the SharePoint Products and Technologies Configuration Wizard after updated
language template packs have been installed for each currently installed language template pack.
To create an installation location that you can use to install the language template packs with
software updates already applied, see the topic Create an installation source that includes
software updates (Windows SharePoint Services 3.0)0)}.
Known issues
This section describes common errors you might encounter and what you need to do to fix them.
Error: Failed to upgrade SharePoint Products and Technologies

If you add a new Web server to an existing server farm that does not have any Web applications,
and you update the Web server and then run the SharePoint Products and Technologies
Configuration Wizard, you might receive the following error message:
An exception of type
Microsoft.SharePoint.PostSetupConfiguration.PostSetupConfigurationTaskException was
223
thrown. Additional exception information: Failed to upgrade SharePoint Products and
Technologies.
The Upgrade.log file found in %COMMONPROGRAMFILES%\Microsoft Shared\Web server
extensions\12\Logs contains the following error:
The access control list on %COMMONPROGRAMFILES%\Microsoft Shared\Web server
extensions\12\template\layouts\Web.config could not be modified because the path could
not be located in the file system.
This error occurs when the SharePoint Products and Technologies Configuration Wizard cannot
locate or modify the Web.config file.
To resolve the issue, you must manually copy the Web.config file from
%COMMONPROGRAMFILES%\Microsoft Shared\Web server extensions\12\Config to
%COMMONPROGRAMFILES%\Microsoft Shared\Web server extensions\12\Template\Layouts.
After the Web.config file is in the Layouts folder, you can run the SharePoint Products and
Technologies Configuration Wizard again.
Error: Unknown SQL Exception 15363

The following error in the Event Viewer application log might appear after you install a software
update:
Source: Windows SharePoint Services
Category: Database
Event ID: 5586
Type: Error
Description: Unknown SQL Exception 15363 occurred. Additional error information from
SQL server is included below.
This error occurs when the role WSS_Content_Application_Pools already exists in the current
database. This is a known issue and you can safely ignore this error message.
Foxit PDF IFilter must be reinstalled after installing software

update
If you installed the Foxit PDF IFilter on your search server, the IFilter does not work after you
install a software update. You must reinstall the IFilter.
Setup stops responding when you use an alternate location for

the Updates folder
When you are using the updates folder and specify an alternate location for the updates folder by
modifying the SUpdateLocation parameter in the Config.xml file Setup will stop responding and
an error dialog box will appear.
This is a known limitation in the product. If you want to use the updates folder, you must use the
default location for the SUpdateLocation parameter.
224
Error: The search request is unable to connect to the search
service
After you install Service Pack 1 (SP1), more disk space is required for your query server or index
server. If adequate disk space is not available, your query servers will slow down or stop. Queries
that normally take less than 5 seconds will be very slow, return an error, or timeout, and you will
see the service error The search request is unable to connect to the search service.
This issue occurs because the method used to merge indexes has been modified to significantly
improve performance and reduce server downtime. However, this change increases the disk
space required to perform a master merge. Previously, a maximum of 2 times the physical size of
the index was required. The new maximum disk space requirement on a query server or index
server is increased to 2.85 times the physical size of the index.
GroupBoard Workspace 2007 and software update failures

The Windows SharePoint Services 3.0 Service Pack 1 installation will not succeed if the following
issues apply:
 Software updates for GroupBoard Workspace 2007 that were released before Service Pack 1
were not installed on your Web servers running Windows SharePoint Services 3.0.
 GroupBoard Workspace 2007 is installed on your Web servers running Windows SharePoint
Services 3.0.
To verify that this issue was the reason that the software update installation failed, you can
review the upgrade log file for the following error message:
[SPManager] [ERROR] [2/5/2008 4:36:23 PM]: The specified SPContentDatabase
Name=SharePoint_AdminContent_913f064d-579e-4029-9522-ec21ecc6f0c1
Parent=SPDatabaseServiceInstance Name=Microsoft##SSEE has been upgraded to a
newer version of SharePoint. Please upgrade this SharePoint application server before
attempting to access this object.
To resolve this issue, follow one these processes:
 Apply the GroupBoard Workspace 2007 patch, install the Windows SharePoint Services
3.0 software update, and then run the SharePoint Products and Technologies
 Remove GroupBoard Workspace 2007, install the Windows SharePoint Services 3.0
software update, run the SharePoint Products and Technologies Configuration Wizard,
and then reinstall GroupBoard Workspace 2007.
To manually run the SharePoint Products and Technologies Configuration Wizard from the
command line, you can use the following command from the
%COMMONPROGRAMFILES%\Microsoft Shared\Web server extensions\12\Bin directory:
psconfig -cmd upgrade -inplace b2b -wait –force
The GroupBoard product team has developed a software update to enable you to install the
Windows SharePoint Services 3.0 software update with GroupBoard installed. For more
information, see Microsoft Knowledge Base article 941678: The SharePoint Products and
225
Technologies Configuration Wizard does not finish successfully on a computer that also has
GroupBoard Workspace 2007 installed
See Also
 Windows SharePoint Services TechCenter (http://go.microsoft.com/fwlink/?LinkID=88900)
226
Create an installation source that includes
software updates (Windows SharePoint
Services 3.0)
In server farm deployments, all your Web servers must have the same software update version
applied. This means that, before you add a new Web server to an existing server farm, this new
Web server must have the same software updates as the rest of the Web servers in your server
farm. To accomplish this, we recommend that you follow the procedures in this topic to create an
installation source that contains a copy of the released version of the software, along with
software updates that match those installed on your server farm (also known as a slipstreamed
installation source). When you run Setup from this updated installation source, the new Web
server will have the same software update version as the rest of the Web servers in your server
farm.
Note:
In this article, we use the term software update as a general term for all update types,
including any service pack, update, update rollup, feature pack, critical update, security
update, or hotfix used to improve or fix this software product.
Use the updates folder

To create an installation source, you must add software updates to the updates folder of the
released version of the software.
To use the updates folder

1. Copy the files from the released version source media for the product to a folder that you
can use as an installation point for the servers in your server farm.
2. Download the appropriate software update package.
3. Extract the software update files, by using this command:
<package> /extract:<path>
The /extract switch prompts you to provide a folder name for the files, for example, for
x86 systems:
wssv3sp1-kb936988-x86-fullfile-en-us.exe /extract:<C:\WSS>\Updates
<C:\WSS> is the location to which you copied the files that you extracted from the
Windows SharePoint Services 3.0 released version.
Note:
You must use the default location for the updates folder. If you use the
SupdateLocation="path-list" property to specify a different location, Setup
227
stops responding.
4. Copy the files that you extracted from the Windows SharePoint Services 3.0 software
update package to the updates folder you created in the previous step.
5. You can now use this location as an installation point, or you can create an image of this
source that you can burn to a CD-ROM.
Note:
If you extracted the software update files to a location to which you had
previously copied the source for a released version, the source is updated and is
ready to use.
As an alternative to creating an updated installation source, you can download Windows

SharePoint Services 3.0 with Service Pack 1 (SP1) as an updated version at the following
location:
 X86: Windows SharePoint Services 3.0 with Service Pack 1:
 X64: Windows SharePoint Services 3.0 x64 with Service Pack 1:
Language template packs

Use the following procedure to create an installation location that you can use to install the
language template packs with software updates already applied.
To use the updates folder with language template packs

1. Download the language template pack package for the released product.
2. Extract the files from the language template pack package.
3. Copy the extracted files to a folder that you can use as an installation point for the
servers in your server farm.
4. Download the updated language template pack package for the released product.
5. Extract the files from the updated language template pack package.
6. Copy these extracted files to the updates folder, in the subfolder in which you stored the
files for the released product in step 3.
You can now use this location as an installation point, or you can create an image of this
source that you can burn to a CD-ROM.
7. To install the language template pack with the software update already applied, run
Setup from this location, and then run the SharePoint Products and Technologies
Configuration Wizard to complete the configuration.
228
Upgrading to Windows Server 2008 for
Windows SharePoint Services 3.0 with SP1
If you have Windows SharePoint Services 3.0 with Service Pack 1 (SP1) installed on a computer
running Windows Server 2003, and you are planning to upgrade to Windows Server 2008, use
the procedures in this article to prepare Windows SharePoint Services 3.0 for the upgrade.
Before you begin

Address any installation issues
The Windows Server 2008 installer will block the upgrade if any one of the following applies to the
computer running Windows Server 2003:
 Windows SharePoint Services 2.0 is installed.
 FrontPage 2002 Server Extensions from Microsoft are installed.
 Windows Internal Database SP1 is installed.
 Windows SharePoint Services 3.0 SP1 is not installed.
You will need to address any installation issues on the computer running Windows Server 2003
before preparing Windows SharePoint Services 3.0 for the upgrade.
Install Windows Internal Database SP2

If this is a basic or stand-alone Windows SharePoint Services 3.0 installation that uses Windows
Internal Database (MICROSOFT##SSEE) as the default back-end database, you must install
Windows Internal Database SP2 before you begin the Windows Server 2008 installation.
Windows Internal Database uses SQL Server technology as a relational data store for Windows
roles and features only, such as Windows SharePoint Services, Active Directory Rights
Management Services, UDDI Services, Windows Server Update Services, and Windows System
Resources Manager.
For more information about Windows Internal Database SP2, and to download the service pack
for either x86 or x64 architecture, see the following links:
 Update for Windows Internal Database x86 (WYukon SP2 x86)
 Update for Windows Internal Database x64 (WYukon SP2 x64)
229
Stop the Search service
If the Windows SharePoint Services Search service (Spsearch) is running while you are installing
Windows Server 2008, the search index might become corrupt. To avoid this, you should perform
the following procedure.
To stop the Windows SharePoint Services Search service

1. Open a command prompt window.
2. Change the Startup type for the Windows SharePoint Services Search service to
disabled by running the following command:
sc config spsearch start=disabled
The message [SC] ChangeServiceConfig SUCCESS is displayed.
3. Stop the Windows SharePoint Services Search service by running the following
command:
net stop spsearch
The message The Windows SharePoint Services Search service was stopped
successfully is displayed.
Note:
The search index might be corrupt if the SharePoint Products and Technologies
Configuration Wizard cannot start or if the wizard seems to be stalled while trying
to start the Windows SharePoint Services Search service after the upgrade. For
more information, see the "Reset the Windows SharePoint Services Search
service index" section in this article.
Install Windows Server 2008

You can now proceed with the Windows Server 2008 installation. For more information about
installing Windows Server 2008, see the Windows Server 2008 Technical Library
Perform post-installation procedures

After the Windows Server 2008 installation is complete, you must perform a binary repair to
configure Windows SharePoint Services 3.0.
To configure Windows SharePoint Services on Windows Server 2008

1. Perform a binary repair. In Windows Server 2008, click Start, click Control Panel, open
Programs and Features, select Windows SharePoint Services 3.0, and then click
Change.
If Least User Access (LUA) is enabled on this computer, you can follow either of the
following steps:
230
 Turn off LUA and then repeat the instructions in this step.
 Run Setup.exe from an installation point (where you have extracted the SP1 files to
the Updates folder). When Setup prompts you to choose an action, choose Repair.
2. Run the SharePoint Products and Technologies Configuration Wizard.
If you installed Windows SharePoint Services 3.0 as a stand-alone installation or if you installed it
on a Web server in a server farm but the farm account is not an administrator on the computer,
you must grant the Windows SharePoint Services Timer (SPTimerV3) service permission to read
from Internet Information Services (IIS) 7.0. Examples of symptoms that you might experience if
the SPTimerV3 service does not have the appropriate permissions include:
 Future installations of software updates might fail.
 Web application creation could fail in server farms with more than one Web application.
 Operations that use the timer job to query for IIS Web site properties could fail.
To grant the SPTimerV3 service permission to read from IIS 7.0

1. Log on to the computer with a domain account that is a member of the Administrators
2. Open an elevated command prompt window. Click Start, point to All Programs, click
Accessories, right-click Command Prompt, and then click Run as administrator.
3. Change directory to %COMMONPROGRAMFILES%\Microsoft Shared\Web server
extensions\12\BIN.
4. Run the command:
stsadm -o grantiis7permission
The following messages confirm the changes:
Granting permission to SPTimerV3 service to read from IIS 7.0 or above.
Operation completed successfully.

configure certain registry keys. If you do not configure these registry keys, Windows Server
Backup will not work properly with Windows SharePoint Services 3.0. For information about
configuring the registry keys for Windows Server Backup, see the "Configure Windows Server
Backup" topic in Install a stand-alone server on Windows Server 2008 (Windows SharePoint
Services) (http://go.microsoft.com/fwlink/?LinkId=106802).
231
Known issues
Repair not allowed when Least User Access is enabled
After the Windows Server 2008 installation is complete, when you open Programs and Features
to repair Windows SharePoint Services 3.0 or language template packs, you will not be able to
run the repair operation if LUA is enabled (the default setting). Before running repair, make sure
LUA is disabled.
Fixing problems after upgrading without Windows Internal

Database Service Pack 2
The Windows Server 2008 installer will block the upgrade if you have Windows Internal Database
SP1 installed. A potential problem is that, after the upgrade is blocked, the user removes
Windows Internal Database SP1, but does not install Windows Internal Database SP2. If this is
the situation, and Windows Server 2008 installed successfully after Windows Internal Database
SP1 was removed, install Windows Internal Database SP2 and then use the following procedure
to make sure your sites and the Search service work properly.
To fix sites and the search function after upgrade

1. Stop all Windows SharePoint Services 3.0 services:
 Windows SharePoint Services Timer
 Windows SharePoint Services Administration
 Windows SharePoint Services Tracing
 Windows SharePoint Services Search
2. Open a command prompt window and restart IIS with the following command:
restartiis
3. To install Windows Internal Database, included with Windows Server 2008, open Server
Manager, click Features, click Add Features, select the Windows Internal Database
check box, and then click Install to complete the Add Features Wizard.
4. Use the Microsoft SQL Server 2005 Command Line Query Utility (sqlcmd) to start the
Windows Internal Database:
sqlcmd -S \\.\pipe\mssql$microsoft##ssee\sql\query -E
Note:
The sqlcmd utility is a free download, but because sqlcmd requires Microsoft
SQL Server Native Client, we recommend that you download the entire Feature
Pack for Microsoft SQL Server 2005
(http://go.microsoft.com/fwlink/?LinkId=70728). For more information about the
sqlcmd utility, see sqlcmd Utility (http://go.microsoft.com/fwlink/?LinkId=81183).
5. Run the following command for each Windows SharePoint Services 3.0 database (*.mdf)
and log file (*_log.ldf). By default, all files will be in the following folder:
232
%Windows%\SYSMSI\SSEE\MSSQL.2005\MSSQL\Data
EXEC sp_attach_db @dbname = '<dbname>', @filename1 =
'<drive:\path\Data>\<dbname>.mdf', @filename2 =
<drive:\path\Data>\<dbname>_log.ldf'
Go
Note:
You should see, at a minimum, these databases: configdb, contentdb, admin
contentdb, and searchdb.
6. Start the following Windows SharePoint Services 3.0 services:
 Windows SharePoint Services Timer
 Windows SharePoint Services Administration
 Windows SharePoint Services Tracing
Note:
Make sure you do not start the Windows SharePoint Services Search service.
7. Restart the Windows Internal Database service:
a. Click Start, point to Administrative Tools, and then click Services.
b. In the list of services, right-click Windows Internal Database
(MICROSOFT##SSEE), and then click Stop.
c. Right-click Windows Internal Database (MICROSOFT##SSEE), and then click
Start.
Notes
If the Windows SharePoint Services Search service was running before you started this step,
you must restart it by running the following command:
stsadm -o spsearch -action start -databaseserver %_be% -databasename wsssearch
8. If you completed a binary repair in the "Perform post-installation procedures" section you
can skip this step. Otherwise, to perform a binary repair, click Start, click Control Panel,
click Programs and Features, select Windows SharePoint Services 3.0, and then click
Change.
9. Run the SharePoint Products and Technologies Configuration Wizard to configure
Windows SharePoint Services 3.0.
Reset the Windows SharePoint Services Search service index

If you did not stop the Windows SharePoint Services Search service while the upgrade was
running, you might need to reset the search index for the Windows SharePoint Services Search
service by performing the following procedure.
233
Note:
If you ran the SharePoint Products and Technologies Configuration Wizard while the
Windows SharePoint Services Search service was running, the wizard could have
corrupted the search index. In this case, you should follow the "To reset a corrupt
Windows SharePoint Services Search service index" procedure in this article.
To reset the Windows SharePoint Services Search service index

1. Open SharePoint Central Administration. Click Start, point to Administrative Tools, and
2. On the Operations tab, click Services on server.
3. In the list of services, click Stop to stop the Windows SharePoint Services Search
service.
4. In the warning dialog box, click OK.
Wait for the operation to complete.
5. On the Services on Server page, click Start to start Windows SharePoint Services
Search.
The Windows SharePoint Services Search service settings page opens.
6. On the Windows SharePoint Services Search service settings page, scroll to the Search
Database section and rename the Database Name. Scroll down and click Start.
Wait for the operation to complete.
If the SharePoint Products and Technologies Configuration Wizard cannot start the Spsearch
service, then the search index might be corrupt. In this situation, you can use Central
Administration to open the Operations Web page and the Services on Server Web page, and
then you will see that the status for Spsearch is starting. However, because the service will not
respond to a stop request from Central Administration, you must use the following procedure.
To reset a corrupt Windows SharePoint Services Search service index

1. Close the SharePoint Products and Technologies Configuration Wizard manually:
a. Open Task Manager, and then click the Process tab.
b. Select Psconfig, and then click End Process.
2. To stop the Spsearch service, open a command prompt window and enter the command:
stsadm -o spsearch -action stop
3. Open Central Administration. Click Start, point to Administrative Tools, and then click
4. On the Operations tab, click Services on server.
5. On the Services on Server page, click Start to start Windows SharePoint Services
Search.
The Windows SharePoint Services Search service settings page opens.
6. On the Windows SharePoint Services Search service settings page, scroll to the Search
234
Database section and rename the Database Name. Scroll down and click Start.
7. Wait for the operation to complete.
8. Start the SharePoint Products and Technologies Configuration Wizard.
235

AF010283605

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

AF010283605

Hochgeladen von

Copyright:

Verfügbare Formate

Deployment for Windows SharePoint

Services 3.0 technology

Roadmap to Windows SharePoint Services 3.0 content .......................................................... 1

I. End-to-end deployment scenarios ........................................................................................ 8

Chapter overview: End-to-end deployment scenarios .............................................................. 9

Install Windows SharePoint Services 3.0 on a stand-alone computer ................................... 10

Deploy in a simple server farm ............................................................................................... 16

Deploy using DBA-created databases .................................................................................... 35

Prepare the database servers ................................................................................................. 97

Prepare the front-end Web servers ......................................................................................... 99

Deploy language packs (Windows SharePoint Services 3.0) ............................................... 106

B. Perform additional configuration tasks ............................................................................ 112

Chapter overview: Perform additional configuration tasks .................................................... 113

Configure incoming e-mail settings ....................................................................................... 115

Configure outgoing e-mail settings ....................................................................................... 127

Configure workflow settings .................................................................................................. 133

Configure diagnostic logging settings ................................................................................... 135

Configure anti-virus settings ................................................................................................. 139

Run the Best Practices Analyzer Tool .................................................................................. 140

Configure authentication ....................................................................................................... 141

Configure digest authentication ............................................................................................ 144

Configure forms-based authentication .................................................................................. 147

Configure Web SSO authentication by using ADFS ............................................................. 152

Configure anonymous access ............................................................................................... 162

C. Deploy and configure SharePoint sites ........................................................................... 166

Chapter overview: Deploy and configure SharePoint sites ................................................... 167

Create or extend Web applications ....................................................................................... 169

Configure alternate access mapping .................................................................................... 174

Create zones for Web applications ....................................................................................... 177

Create quota templates ......................................................................................................... 178

Create site collections ........................................................................................................... 180

Add site content .................................................................................................................... 197

Enable access for end users ................................................................................................. 199

III. Install application templates ............................................................................................ 202

Windows SharePoint Services 3.0 content by

Information Workers IT Professionals Developers

Content available on Content available on: Content available on:

 Home page — a central  TechCenter — a central portal  Developer Center — a

Community content and blogs

 SharePoint Products and Technologies community

Windows SharePoint Services 3.0 IT professional

Evaluation Provides an Windows SharePoint Services 3.0 Evaluation Guide

Content Description Links

Planning Provides in-depth Planning and architecture for Windows SharePoint

Planning Provides in-depth Planning and architecture for Windows SharePoint

Content Description Links

Deployment Provides in- Deployment for Windows SharePoint Services

Upgrade Guide Provides Upgrading to Windows SharePoint Services 3.0

Content Description Links

Security and Protection

Content Description Links

Configure the server as a Web server

Install and configure IIS

Install and configure IIS

Enable ASP.NET 2.0

Enable ASP.NET 2.0

Install and configure Windows SharePoint

Run the SharePoint Products and Technologies Configuration Wizard

Add the SharePoint site to the list of trusted sites

Perform administrator tasks by using the Central Administration site

Before you begin deployment

Phase 1: Deploy and configure the server infrastructure

Phase 2: Deploy and configure SharePoint site collections and sites