Microsoft Corporation
Published: March 2009
Author: Microsoft Office System and Servers Team (o12ITdx@microsoft.com)
Abstract
This book provides deployment instructions for Microsoft Office SharePoint Server 2007. The audiences for this book include application specialists, line-of-business application specialists, and IT administrators who are ready to deploy Office SharePoint Server 2007 and want installation steps. Before using the instructions in this book you should read the Planning and architecture for Office SharePoint Server (http://technet.microsoft.com/en-us/library/cc261834.aspx) and plan your deployment. For a complete list of downloadable books for Office SharePoint Server 2007, see Downloadable books for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc262788.aspx). The content in this book is a copy of selected content in the Office SharePoint Server technical library (http://go.microsoft.com/fwlink/?LinkId=84739) as of the publication date. For the most current content, see the technical library on the Web.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. © 2009 Microsoft Corporation. All rights reserved.
Microsoft, Access, Active Directory, Excel, Groove, InfoPath, Internet Explorer, OneNote, Outlook, PowerPoint, SharePoint, SQL Server, Visio, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents

Getting Help ..... xv
Roadmap to Office SharePoint Server 2007 content ..... 1
  Office SharePoint Server 2007 content by audience ..... 1
  Office SharePoint Server 2007 IT professional content by stage of the IT life cycle ..... 2
    Evaluate ..... 3
    Plan ..... 3
    Deploy ..... 5
    Operate ..... 6
    Security and Protection ..... 7
    Technical Reference ..... 7
Deployment worksheets for Office SharePoint Server 2007 ..... 8
  Deployment worksheets by task ..... 8
  Deployment worksheets by title ..... 9
I. End-to-end deployment scenarios ..... 11
  Chapter overview: End-to-end deployment scenarios ..... 12
  Install Office SharePoint Server 2007 on a stand-alone computer ..... 14
    Hardware and software requirements ..... 14
    Configure the server as a Web server ..... 15
      Install and configure IIS ..... 15
      Install the Microsoft .NET Framework version 3.0 ..... 15
      Enable ASP.NET 2.0 ..... 16
    Install and configure Office SharePoint Server 2007 with Microsoft SQL Server 2005 Express Edition ..... 16
    Post-installation steps ..... 18
  Deploy in a simple server farm ..... 20
    Deployment overview ..... 20
      Suggested topologies ..... 21
      Before you begin deployment ..... 21
      Overview of the deployment process ..... 23
    Deploy and configure the server infrastructure ..... 23
      Security account requirements ..... 23
      Prepare the database server ..... 24
      Verify that servers meet hardware and software requirements ..... 26
      Run Setup and build the farm ..... 28
      Run Setup on the first server ..... 30
      Run the SharePoint Products and Technologies Configuration Wizard ..... 31
      Add the SharePoint Central Administration Web site to the list of trusted sites ..... 32
      Configure proxy server settings to bypass the proxy server for local addresses ..... 33
      Add servers to the farm ..... 33
      Run the SharePoint Products and Technologies Configuration Wizard on additional servers ..... 35
      Start the Windows SharePoint Services Search service (optional) ..... 35
      Stop the Central Administration service on all index servers ..... 36
      Disable the Windows SharePoint Services Web Application service on all servers not serving content ..... 36
    Create and configure a Shared Services Provider ..... 37
      Start the Office SharePoint Server Search service ..... 37
      Create a Web application to host the SSP and create the SSP ..... 39
    Perform additional configuration tasks ..... 40
    Create a site collection and a SharePoint site ..... 41
    Configure the trace log ..... 45
  Deploy using DBA-created databases ..... 47
    About deploying by using DBA-created databases ..... 47
    Required database hardware and software ..... 48
    Required accounts ..... 48
    Create and configure the databases ..... 50
  Deploy a simple farm on the Windows Server 2008 operating system ..... 57
    Deployment overview ..... 57
      Suggested topologies ..... 58
      Before you begin deployment ..... 58
      Overview of the deployment process ..... 59
    Deploy and configure the server infrastructure ..... 60
      Prepare the database server ..... 60
      Verify that servers meet hardware and software requirements ..... 62
      Run Setup on all servers in the farm ..... 63
    Run the SharePoint Products and Technologies Configuration Wizard ..... 76
      Run the SharePoint Products and Technologies Configuration Wizard on additional servers ..... 83
      Start the Windows SharePoint Services Search Service ..... 83
      Configure Windows Firewall with Advanced Security ..... 84
    Perform additional configuration tasks ..... 86
    Create a site collection and a SharePoint site ..... 88
    Configure the trace log ..... 92
      Configure Windows Server Backup ..... 93
  Install Office SharePoint Server 2007 by using the command line ..... 95
    Install software requirements ..... 95
    Determine required accounts for installation ..... 96
    Install Microsoft Office SharePoint Server 2007 by running Setup at a command prompt ..... 98
    Configure the server by using the Psconfig command-line tool ..... 101
      Configure SharePoint Server 2007 on a stand-alone server ..... 101
      Configure SharePoint Server 2007 on a farm ..... 101
    Perform additional configuration tasks ..... 103
    Create a Shared Services Provider (SSP) by using the Stsadm command-line tool ..... 104
    Create a site collection by using the Stsadm command-line tool ..... 106
    Configure the trace log ..... 109
  Install Office SharePoint Server 2007 with least privilege administration by using the command line ..... 110
    Install software requirements ..... 111
    Determine required accounts for least-privilege administration ..... 111
    Install Microsoft Office SharePoint Server 2007 by using least-privilege administration ..... 114
    Configure the server by using the Psconfig command-line tool ..... 116
      Configure SharePoint Server 2007 on a stand-alone server ..... 116
      Configure SharePoint Server 2007 on a farm ..... 117
    Perform additional configuration tasks ..... 119
    Create a Shared Services Provider by using the Stsadm command-line tool ..... 119
    Create a site collection by using the Stsadm command-line tool ..... 122
    Configure the trace log ..... 123
  Migrate a stand-alone installation to a server farm installation ..... 125
    Install SharePoint Portal Server 2007 on a new farm ..... 126
      Prepare servers for installation ..... 126
      Install SharePoint Server 2007 and configure the server by using the SharePoint Products and Technologies configuration wizard ..... 127
    Migrate data from the stand-alone server ..... 127
      Stsadm Command-Line Tool ..... 130
    Create and attach data from the Shared Services Provider (SSP) ..... 131
    Attach site collection data from content databases ..... 132
  Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server 2008 ..... 134
    Hardware and software requirements ..... 135
      IIS 6.0 Management Compatibility role service ..... 135
      Microsoft .NET Framework version 3.0 ..... 135
    Perform installation steps ..... 136
      Configure SharePoint Products and Technologies ..... 137
    Perform post-installation steps ..... 139
    Configure the trace log ..... 140
    Configure Windows Server Backup ..... 141
II. Install Office SharePoint Server 2007 in a server farm environment ..... 143
  Chapter overview: Install Office SharePoint Server 2007 in a server farm environment ..... 144
    Suggested topologies ..... 144
    Before you begin deployment ..... 145
    Overview of the deployment process ..... 146
      Phase 1: Deploy and configure the server infrastructure ..... 146
      Phase 2: Create and configure a Shared Services Provider ..... 147
      Phase 3: Deploy and configure SharePoint site collections and sites ..... 147
  Prepare the database servers ..... 148
    SQL Server and database collation ..... 148
    Required accounts ..... 149
    Preinstall databases (optional) ..... 149
  Prepare the Web and application servers ..... 150
    Install the Microsoft .NET Framework version 3.0 ..... 150
    Enable ASP.NET 2.0 ..... 150
  Install Office SharePoint Server 2007 and run the SharePoint Products and Technologies configuration wizard ..... 151
    Recommended order of configuration ..... 151
      Add servers to the farm ..... 153
    Run Setup on the first server ..... 153
    Run the SharePoint Products and Technologies Configuration Wizard ..... 154
    Add the SharePoint Central Administration Web site to the list of trusted sites ..... 156
    Configure proxy server settings to bypass the proxy server for local addresses ..... 156
    Add servers to the farm ..... 156
    Run the SharePoint Products and Technologies Configuration Wizard on additional servers ..... 158
    Start the Windows SharePoint Services Search service (optional) ..... 159
    Stop the Central Administration service on all index servers ..... 159
    Disable the Windows SharePoint Services Web Application service on all servers not serving content ..... 160
  Deploy language packs ..... 161
    About language IDs and language packs ..... 162
    Preparing your front-end Web servers for language packs ..... 163
    Installing language packs on your front-end Web servers ..... 164
III. Create and configure Shared Services Providers ..... 167
  Chapter overview: Create and configure Shared Services Providers ..... 168
  Configure the primary Shared Services Provider ..... 169
    Create the Shared Services Provider ..... 169
    Create a new SSP ..... 171
    Associate an SSP with a Web application ..... 172
  Configure the Office SharePoint Server Search service ..... 173
    Server-level configuration ..... 173
      Install protocol handlers ..... 173
      Install and register IFilters ..... 174
    Farm-level configuration ..... 176
      Create crawler impact rules ..... 176
      Configure farm-level search settings ..... 177
      Configure the trace log ..... 178
    SSP-level configuration ..... 179
      Open the administration page for the SSP ..... 179
      Specify the default content access account ..... 179
      Create content sources ..... 179
      Create crawl rules ..... 181
      Reorder your crawl rules ..... 182
      Configure the file type inclusions list ..... 183
      Crawl the content ..... 183
      Create managed properties ..... 184
      Create shared scopes ..... 185
      Create scope rules ..... 186
      Specify authoritative pages ..... 189
      Create server name mappings ..... 190
      Manage search-based alerts ..... 190
    Site collection-level configuration ..... 191
      Create scopes at the site collection level ..... 191
      Create scope rules at the site collection level ..... 192
      Manage display groups ..... 194
      Create keywords and Best Bets ..... 196
A. Configure personalization ..... 198
  Chapter overview: Configure personalization ..... 199
    Configure personalization permissions ..... 199
    Configure connections to personalization services ..... 199
    Configure targeted content ..... 200
    Configure personalization sites ..... 200
    Configure policies for Profile Services ..... 200
  Configure personalization permissions ..... 201
    Configure SSP administrator permissions for Profile Services ..... 201
    Configure access to the SSP pages ..... 202
    Configure user permissions for personalization ..... 203
    Configure access to trusted My Site host locations ..... 204
  Configure connections to Profile Services ..... 206
    Configure import settings ..... 206
    Add import connections ..... 207
    Configure user profiles ..... 211
  Configure targeted content ..... 214
    Create and configure audiences ..... 214
    Configure published links to Office client applications ..... 216
    Configure personalization site links ..... 216
    Configure access to trusted My Site host locations ..... 217
  Configure personalization sites ..... 219
    Create personalization sites ..... 219
    Design personalization sites ..... 220
    Target personalization site links ..... 220
  Configure policies for Profile Services ..... 222
    Configure policies for personalization features ..... 222
    Configure policies for user profiles ..... 223
B. Configure business intelligence features ..... 226
  Chapter overview: Configure business intelligence features ..... 227
    Configure access to business data ..... 227
    Register line-of-business applications in the Business Data Catalog ..... 227
    Customize business data lists, Web Parts, and sites ..... 228
    Configure business data search ..... 228
  Configure access to business data ..... 229
    Configure SSP administrator rights for the Business Data Catalog ..... 229
    Configure access to the SSP pages ..... 230
    Configure application definitions and single sign-on for the Business Data Catalog ..... 231
    Configure data warehousing ..... 232
    Configure permissions for business data ..... 233
  Register business applications in the Business Data Catalog ..... 235
    Create application definitions ..... 235
    Import application definitions ..... 236
    Configure enterprise application definitions for single sign-on ..... 236
    Configure business data types and fields ..... 238
      Manage permissions for an application or entity ..... 238
      Add business data actions for an entity ..... 239
      Edit the profile page template ..... 240
  Customize business data lists, Web Parts, and sites ..... 241
    Create business data lists ..... 241
    Create KPIs and KPI lists ..... 242
    Create and configure reports in the Report Center site ..... 243
    Create and configure dashboard sites ..... 243
    Create other business data sites ..... 244
  Configure business data search ..... 246
    Ensure availability of business data ..... 246
    Configure and crawl business data content sources ..... 246
    Configure and customize query options for business data ..... 247
C. Configure Excel Services ..... 249
  Chapter overview: Configure Excel Services ..... 250
    About Excel Services configuration ..... 250
  Add a trusted file location ..... 251
    About trusted file locations ..... 251
    Add a trusted file location ..... 251
  Start the Single Sign-On service ..... 253
    About single sign-on authentication ..... 253
    Start the Single Sign-On service ..... 253
  Manage settings for single sign-on ..... 254
    About single sign-on settings ..... 254
    Manage single sign-on settings ..... 254
  Add a trusted data provider ..... 255
    About trusted data providers ..... 255
    Add a trusted data provider ..... 255
  Add a trusted data connection library ..... 257
    About trusted data connection libraries ..... 257
    Add a trusted data connection library ..... 257
  Enable user-defined functions ..... 259
    About user-defined functions ..... 259
    Enable user-defined functions ..... 259
    Enable user-defined functions for workbooks in a trusted file location ..... 260
D. Configure InfoPath Forms Services ..... 261
  Configure InfoPath Forms Services for Office SharePoint Server ..... 262
    Configure InfoPath Forms Services using Central Administration ..... 262
  Configure session state for InfoPath Forms Services ..... 265
    Configure session state for Forms Services ..... 265
    Session state versus Form view ..... 265
E. Configure Office Project Server ..... 267
ix
Deploy Project Server 2007 with Office SharePoint Server 2007 ......................................... 268 IV. Perform additional configuration tasks ............................................................................. 269 Chapter overview: Additional configuration tasks .................................................................. 270 Configure additional administrative settings .......................................................................... 270 Configure incoming e-mail settings ....................................................................................... 272 Install and configure the SMTP service ................................................................................. 273 Start the Windows SharePoint Services Web Application service ................................. 273 Install the SMTP service ................................................................................................. 273 Configure the SMTP service ........................................................................................... 274 Add an SMTP connector in Exchange Server ................................................................ 275 Configure Active Directory ..................................................................................................... 275 Configure Active Directory under atypical circumstances ............................................... 277 To delegate full control of the organizational unit to the Central Administration application pool account ................................................................................................................ 277 To add the Delete Subtree permission for the Central Administration application pool account ........................................................................................................................ 278 Configure permissions to the e-mail drop folder .................................................................... 
279 Configure e-mail drop folder permissions for the logon account for the Windows SharePoint Services Timer service ............................................................................. 279 Configure e-mail drop folder permissions for the application pool account for a Web application .................................................................................................................... 279 Configure DNS Manager ....................................................................................................... 280 Configure attachments from Outlook 2003 ............................................................................ 281 Configure incoming e-mail settings ....................................................................................... 281 Configuring incoming e-mail on SharePoint sites .................................................................. 283 Configure outgoing e-mail settings ........................................................................................ 284 Install and configure the SMTP service ................................................................................. 284 Install the SMTP service ................................................................................................. 284 Configure the SMTP service ........................................................................................... 285 Configure outgoing e-mail settings ........................................................................................ 286 Configure outgoing e-mail settings for a specific Web application ........................................ 287 Install and configure the SMTP service ................................................................................. 287 Install the SMTP service ................................................................................................. 
287 Configure the SMTP service ........................................................................................... 288 Configure outgoing e-mail settings ........................................................................................ 289 Configure workflow settings ................................................................................................... 290 Configuring workflow settings ................................................................................................ 290 Configure diagnostic logging settings .................................................................................... 292 Customer Experience Improvement Program ....................................................................... 292
x
Error reports........................................................................................................................... 292 Event throttling ....................................................................................................................... 293 Configuring diagnostic logging settings ................................................................................. 294 Configure single sign-on ........................................................................................................ 296 Configure and start the Microsoft Single Sign-On service .................................................... 296 Configure Single Sign-On for Office SharePoint Server 2007 .............................................. 297 Manage the encryption key ................................................................................................... 299 Create a new encryption key .......................................................................................... 299 Back up an encryption key .............................................................................................. 300 Restore an encryption key .............................................................................................. 300 Manage enterprise application definitions ............................................................................. 300 Manage account information for an enterprise application definition .................................... 301 Configure antivirus settings ................................................................................................... 303 Administrative credentials ...................................................................................................... 303 Configure authentication ........................................................................................................ 
304 Office SharePoint Server authentication ............................................................................... 304 Windows authentication provider........................................................................................... 305 Forms authentication provider ............................................................................................... 308 Web single sign-on (SSO) authentication provider ............................................................... 308 Configure anonymous access ............................................................................................... 309 About anonymous access ..................................................................................................... 309 Enable anonymous access for a zone .................................................................................. 309 Enable anonymous access for individual sites ...................................................................... 310 Enable anonymous access for individual lists ....................................................................... 311 Configure digest authentication ............................................................................................. 312 About digest authentication ................................................................................................... 312 Enable digest authentication for a zone of a Web application .............................................. 313 Configure IIS to enable digest authentication ........................................................................ 313 Configure forms-based authentication .................................................................................. 315 About forms-based authentication ......................................................................................... 315 Configure forms-based authentication across multiple zones ............................................... 
318 Configure forms-based authentication for My Sites Web applications .................................. 319 Configure the SSP for forms-based authentication ............................................................... 322 Configure user profiles and people search ............................................................................ 324 Configure Web SSO authentication by using ADFS ............................................................. 326 About federated authentication systems ............................................................................... 326 Before you begin ................................................................................................................... 326 Configuring your extranet Web application to use Web SSO authentication ........................ 327 Allowing users access to your extranet Web site .................................................................. 329
xi
About using Central Administration ................................................................................. 331 Working with the People Picker ............................................................................................. 332 Working with E-mail and UPN claims .................................................................................... 333 Working with groups and organizational group claims .......................................................... 333 Configure Kerberos authentication ........................................................................................ 336 About Kerberos authentication .............................................................................................. 336 Before you begin.................................................................................................................... 337 Software version requirements ....................................................................................... 338 Known issues .................................................................................................................. 338 Additional background..................................................................................................... 339 Server farm topology ....................................................................................................... 340 Active Directory, computer naming, and NLB conventions ............................................. 341 Active Directory domain account conventions ................................................................ 342 Preliminary configuration requirements .......................................................................... 343 Configure Kerberos authentication for SQL communications ............................................... 343 Create the SPNs for your SQL Server service account .................................................. 
344 Confirm Kerberos authentication is used to connect servers running Office SharePoint Server 2007 to SQL Server ......................................................................................... 344 Configure Internet Explorer to include port numbers in Service Principal Names ................ 346 Create Service Principal Names for your Web applications using Kerberos authentication . 347 Deploy the server farm .......................................................................................................... 348 Install Office SharePoint Server 2007 on all of your servers .......................................... 349 Run the SharePoint Products and Technologies Configuration Wizard and create a new farm .............................................................................................................................. 349 Run the SharePoint Products and Technologies Configuration Wizard and join the other servers to the farm ....................................................................................................... 351 Configure services on servers in your farm ........................................................................... 352 Windows SharePoint Services Search ........................................................................... 352 Index server .................................................................................................................... 352 Query server ................................................................................................................... 353 Create Web applications using Kerberos authentication ...................................................... 353 Create the portal site Web application ............................................................................ 353 Create the My Site Web application ................................................................................ 
354 Create the Shared Services Administration site Web application .................................. 354 Create a site collection using the Collaboration Portal template in the portal site Web application .......................................................................................................................... 355 Create a Shared Services Provider for your farm ................................................................. 356 Confirm successful access to the Web applications using Kerberos authentication ............ 356 Confirm correct Search Indexing functionality ....................................................................... 359 Confirm correct Search Query functionality ........................................................................... 359 Configure your SSP infrastructure for Kerberos authentication ............................................ 360 Register new custom-format SPNs for your SSP service account in Active Directory ......... 361
xii
Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos authentication ..................................................................................................................... 362 Add a new registry key to all of your servers running Office SharePoint Server to enable generation of the new custom-format SPNs ...................................................................... 362 Confirm Kerberos authentication for root-level shared services access ............................... 363 Confirm Kerberos authentication for virtual-directory-level shared services access ............. 364 Configuration limitations ........................................................................................................ 366 Additional resources and troubleshooting guidance.............................................................. 366 Run the Best Practices Analyzer tool .................................................................................... 368 Configure usage reporting ..................................................................................................... 369 About usage reporting ........................................................................................................... 369 Enable Windows SharePoint Services usage logging .......................................................... 370 Enable usage reporting ......................................................................................................... 371 Activate usage reporting ........................................................................................................ 371 Monitor usage reporting ......................................................................................................... 372 V. Deploy and configure SharePoint sites ............................................................................. 
373 Chapter overview: Deploy and configure SharePoint sites ................................................... 374 Create or extend Web applications ....................................................................................... 376 Create a new Web application............................................................................................... 376 Extend an existing Web application ...................................................................................... 378 Configure alternate access mapping ..................................................................................... 380 Manage alternate access mappings ...................................................................................... 380 Add an internal URL .............................................................................................................. 380 Edit or delete an internal URL ............................................................................................... 381 Edit public URLs .................................................................................................................... 381 Map to an external resource .................................................................................................. 381 Create zones for Web applications ....................................................................................... 383 Create a new zone ................................................................................................................ 383 View existing zones ............................................................................................................... 383 Create quota templates ......................................................................................................... 384 Create a new quota template ................................................................................................ 
384 Edit an existing quota template ............................................................................................. 385 Delete a quota template ........................................................................................................ 385 Create a site collection .......................................................................................................... 386 Create a site collection .......................................................................................................... 386 Create a blank site to migrate content into ............................................................................ 388 Create a site collection .......................................................................................................... 388
xiii
Add site content ..................................................................................................................... 390 Use Web site designers to design and add content .............................................................. 390 Migrate content from another site .......................................................................................... 391 Allow users to add content directly ........................................................................................ 391 Enable access for end users ................................................................................................. 392 Add site collection administrators .......................................................................................... 393 Add site owners or other users .............................................................................................. 394
xiv
Getting Help
Every effort has been made to ensure the accuracy of this book. This content is also available online in the Office System TechNet Library, so if you run into problems you can check for updates at: http://technet.microsoft.com/office
If you do not find your answer in our online content, you can send an e-mail message to the Microsoft Office System and Servers content team at: o12ITdx@microsoft.com
If your question is about Microsoft Office products, and not about the content of this book, please search the Microsoft Help and Support Center or the Microsoft Knowledge Base at: http://support.microsoft.com
Additionally, there is information for all users of SharePoint Products and Technologies at the community and blog sites listed in the following table.
Community content and blogs
SharePoint Products and Technologies community portal: a central place for community information (blogs, newsgroups, and so on) about SharePoint Products and Technologies (http://go.microsoft.com/fwlink/?LinkId=88915&clcid=0x409)
SharePoint Products and Technologies team blog: a group blog from the teams who develop the SharePoint Products and Technologies (http://go.microsoft.com/fwlink/?LinkId=88916&clcid=0x409)
Support Center for Microsoft Office SharePoint Server 2007: a central place for issues and solutions from Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkId=89555&clcid=0x409)
Office SharePoint Server 2007 IT professional content by stage of the IT life cycle
IT professional content for Office SharePoint Server 2007 follows the IT life cycle and includes content appropriate for each stage in that cycle (evaluate, plan, deploy, and operate), plus technical reference content. The following sections describe each stage in the IT life cycle and list the content available to assist IT professionals during that stage. The most up-to-date content is always available on the TechNet Web site. We also offer downloadable books that cover each stage in the IT life cycle, plus books that cover all stages of the life cycle for a specific solution. For an updated list of all downloadable books available for Office SharePoint Server 2007, see Downloadable books for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=89172&clcid=0x409).
Evaluate
During the evaluation stage, IT professionals (including decision makers, solution architects, and system architects) focus on understanding a new technology and evaluate how it can help them address their business needs. The following table lists resources that are available to help you evaluate Office SharePoint Server 2007.
Content / Description / Links

Online content
  Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.

Evaluation Guide
  Description: Provides overview, what's new, and conceptual information for understanding Office SharePoint Server 2007.
  Description: Provides overview, what's new, and conceptual information for understanding how searching works in Office SharePoint Server 2007.
  Links: Evaluation guide for search in Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=79614&clcid=0x409)
Plan
During the planning stage, IT professionals have different needs depending on their role within an organization. If you are focused on designing a solution, including determining the structure, capabilities, and information architecture for a site, you might want information that helps you to determine which capabilities of Office SharePoint Server 2007 you want to take advantage of, and that helps you to plan for those capabilities and to tailor the solution to your organization's needs. On the other hand, if you are focused on the hardware and network environment for your solution, you might want information that helps you to structure the server topology, plan authentication methods, and understand system requirements for Office SharePoint Server 2007. We have planning content, including worksheets, to address both of these needs. The following table lists resources that are available to help you plan for using Office SharePoint Server 2007.
Content / Description / Links

Online content
  Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.
  Links: Planning and architecture for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89404&clcid=0x409)

Planning Guide, Part 1
  Description: Provides in-depth planning information for application administrators designing a solution based on Office SharePoint Server 2007.
  Links: Planning and architecture for Office SharePoint Server, part 1 (http://go.microsoft.com/fwlink/?LinkID=79552)

Planning Guide (IT professionals)
  Description: Provides in-depth planning information for IT professionals designing the environment to host a solution based on Office SharePoint Server 2007.
  Links: (http://go.microsoft.com/fwlink/?LinkID=85548)
Deploy
During the deployment stage, you configure your environment, install Office SharePoint Server 2007, and then start creating SharePoint sites. Depending on your environment and your solution, you may have several configuration steps to perform for your servers, for your Shared Services Providers, and for your sites. Additionally, you may have templates, features, or other custom elements to deploy into your environment. The process of upgrading from a previous version product, such as Microsoft Office SharePoint Portal Server 2003, Microsoft Content Management Server 2002, or Windows SharePoint Services, is also part of the deployment stage of the IT life cycle, and we have content that addresses planning for upgrade, performing the upgrade, and performing post-upgrade steps. The following table lists resources that are available to help you deploy or upgrade to Office SharePoint Server 2007.
Content / Description / Links

Online content
  Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.

Deployment Guide
  Description: Provides in-depth deployment information for Office SharePoint Server 2007.

Upgrade Guide
  Description: Provides overview and in-depth information for upgrading from a previous version product to Office SharePoint Server 2007.
  Links: Upgrading to Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=85556)
  Description: Provides cross-audience (IT and developer) information for migration and upgrade from a previous version product to Office SharePoint Server 2007.
  Links: Migration and Upgrade Information for SharePoint Developers (http://go.microsoft.com/fwlink/?LinkId=89129&clcid=0x409)
Operate
After deployment, in which you install and configure your environment, you move to the operations stage. During this stage, you are focused on the day-to-day monitoring, maintenance and tuning of your environment. The following table lists resources that are available to help with day-to-day operations for Office SharePoint Server 2007.
Content / Description / Links

Online content
  Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.
Technical Reference
Technical reference information supports the content for each of the IT life cycle stages by providing the technical information you need to work with Office SharePoint Server 2007. For example, the Technical Reference content has information about how permissions work, how to perform operations from the command line, and how to use Setup.exe from the command line. The following table lists resources that are available to help you use Office SharePoint Server 2007.
Content / Description / Links

Online content
  Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.
This section provides links to worksheets that you can use to record information that you gather and decisions that you make as you perform your deployment of Microsoft Office SharePoint Server 2007. Use these worksheets in conjunction with, not as a substitute for, Deployment for Office SharePoint Server 2007.
Worksheet / To do this / Chapter

Custom templates and mapping files worksheet (http://go.microsoft.com/fwlink/?LinkId=73751&clcid=0x409)
  To do this: Record which custom site definitions and page templates need mapping files, and record file names and paths for mapping files.
  Chapter: Upgrading to Office SharePoint Server 2007

Estimate database space and time for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73752&clcid=0x409)
  To do this: Record current database sizes and estimate how much space you need for upgrade.
  Chapter: Upgrading to Office SharePoint Server 2007

Supported topologies for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73753&clcid=0x409)
  To do this: Record current topologies and any changes needed before upgrade.
  Chapter: Upgrading to Office SharePoint Server 2007

Upgrade server requirements worksheet (http://go.microsoft.com/fwlink/?LinkId=73754&clcid=0x409)
  To do this: List servers in the farm, hardware capacities, and identify requirements before upgrading.
  Chapter: Upgrading to Office SharePoint Server 2007
Install Office SharePoint Server 2007 by using the command line discusses how to use the command-line tools Setup.exe and Psconfig.exe, together with Config.xml, to install and configure Office SharePoint Server 2007 from the command prompt window.
Install Office SharePoint Server 2007 with least privilege administration by using the command line discusses how to install Office SharePoint Server 2007 from the command prompt window while granting the user the least privileges necessary.
Migrate a stand-alone installation to a server farm installation discusses the process for moving from a stand-alone installation to a server farm installation. This process consists of creating a new server farm, and then migrating the data from your stand-alone server to the new farm.
Important: This section discusses how to install Microsoft Office SharePoint Server 2007 on a single computer as a stand-alone installation. It does not cover installing Office SharePoint Server 2007 in a farm environment, upgrading from previous releases of Office SharePoint Server 2007, or how to upgrade from SharePoint Portal Server 2003. For information about how to do this, see the following: Deploy in a simple server farm; Upgrading to Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc303420.aspx).
You can quickly publish a SharePoint site by deploying Office SharePoint Server 2007 on a single server computer. A stand-alone configuration is useful if you want to evaluate Office SharePoint Server 2007 features and capabilities, such as collaboration, document management, and search. A stand-alone configuration is also useful if you are deploying a small number of Web sites and you want to minimize administrative overhead.
When you deploy Office SharePoint Server 2007 on a single server using the default settings, the Setup program automatically installs Microsoft SQL Server 2005 Express Edition and uses it to create the configuration database and content database for your SharePoint sites. In addition, the Setup program creates a Shared Services Provider (SSP), installs the SharePoint Central Administration Web site, and creates your first SharePoint site collection and site.
Note: There is no direct upgrade from a stand-alone installation to a farm installation.
10. In the Web Sites Properties dialog box, click the Service tab.
11. In the Isolation mode section, clear the Run WWW service in IIS 5.0 isolation mode check box, and then click OK.
Note: The Run WWW in IIS 5.0 isolation mode check box is only selected if you have upgraded to IIS 6.0 on Windows Server 2003 from IIS 5.0 on Microsoft Windows 2000. New installations of IIS 6.0 use IIS 6.0 worker process isolation mode by default.
computers and x64-based computers. Be sure to download and install the appropriate version for your computer. The .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features.
Note: You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=110508).
Install and configure Office SharePoint Server 2007 with Microsoft SQL Server 2005 Express Edition
When you install Office SharePoint Server 2007 on a single server, run the Setup program using the Basic option. This option uses the Setup program's default parameters to install Office SharePoint Server 2007 and SQL Server 2005 Express Edition.
Note: If you uninstall Office SharePoint Server 2007 and then later install Office SharePoint Server 2007 on the same computer, the Setup program could fail when creating the configuration database, causing the entire installation process to fail. You can prevent this failure by either deleting all the existing Office SharePoint Server 2007 databases on the computer or by creating a new configuration database. You can create a new configuration database by running the following command:
psconfig -cmd configdb -create -database <uniquename>
Run Setup
1. From the product disc, run Setup.exe, or from the product download, run Officeserver.exe.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup places a red circle next to the text box and displays a message that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Basic to install to the default location. To install to a different location, click Advanced, and then on the File Location tab, specify the location you want to install to and finish the installation.
5. When Setup finishes, a dialog box prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
6. Click Close to start the configuration wizard.
Run the SharePoint Products and Technologies Configuration Wizard
1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. In the dialog box that notifies you that some services might need to be restarted or reset during configuration, click Yes.
3. On the Configuration Successful page, click Finish. Your new SharePoint site opens.
Note: If you are prompted for your user name and password, you might need to add the SharePoint site to the list of trusted sites and configure user authentication settings in Internet Explorer. Instructions for configuring these settings are provided in the following procedure.
Note: If you see a proxy server error message, you might need to configure your proxy server settings so that local addresses bypass the proxy server. Instructions for configuring proxy server settings are provided later in this section.
Add the SharePoint site to the list of trusted sites
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted Sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL to your site, and then click Add.
5. Click Close to close the Trusted Sites dialog box.
6.
If you are using a proxy server in your organization, use the following steps to configure Internet Explorer to bypass the proxy server for local addresses.
Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.
Post-installation steps
After Setup finishes, your browser window opens to the home page of your new SharePoint site. Although you can start adding content to the site or you can start customizing the site, we recommend that you perform the following administrative tasks by using the SharePoint Central Administration Web site.
Configure incoming e-mail settings
You can configure incoming e-mail settings so that SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-mail settings so that SharePoint sites can archive e-mail discussions as they happen, save e-mailed documents, and show e-mailed meetings on site calendars. In addition, you can configure the SharePoint Directory Management Service to provide support for e-mail distribution list creation and management. For more information, see Configure incoming e-mail settings.
Configure outgoing e-mail settings
You can configure outgoing e-mail settings so that your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and notifications to site administrators. You can configure both the "From" e-mail address and the "Reply" e-mail address that appear in outgoing alerts. For more information, see Configure outgoing e-mail settings.
Create SharePoint sites
When Setup finishes, you have a single Web application that contains a single SharePoint site collection that hosts a SharePoint site. You can create more SharePoint site collections, sites, and Web applications if your site design requires multiple sites or multiple Web applications.
Configure Workflow settings
Specify whether users can assemble new workflows and if participants without site access should be sent documents in e-mail attachments so they can participate in document workflows. For more information, see Configure workflow settings.
Configure diagnostic logging settings
You can configure several diagnostic logging settings to help with troubleshooting. This includes enabling and configuring trace logs, event messages, user-mode error messages, and Customer Experience Improvement Program events. For more information, see Configure diagnostic logging settings.
Configure antivirus protection settings
You can configure several antivirus settings if you have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus settings enable you to control whether documents are scanned on upload or download and whether users can download infected documents. You can also specify how long you want the antivirus program to run before it times out, and you can specify how many execution threads the antivirus program can use on the server. For more information, see Configure antivirus settings.
Configure search
You can configure several search and index settings to customize how Office SharePoint Server 2007 crawls your site content or external content. For more information, see Configure the Office SharePoint Server Search service (http://technet.microsoft.com/en-us/library/cc262700.aspx).
Configure Excel Services
Before you can use Excel Services, you must start the service and add at least one trusted location. For more information about doing this, see Configure Excel Services.
Perform administrator tasks by using the Central Administration site
1. Click Start, point to All Programs, point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, under Administrator Tasks, click the task you want to perform.
3. On the Administrator Tasks page, next to Action, click the task.
Deployment overview
Important: This section discusses how to do a clean installation of Microsoft Office SharePoint Server 2007 in a server farm environment. It does not cover upgrading from previous releases of Office SharePoint Server 2007 or how to upgrade from Microsoft SharePoint Portal Server 2003. For more information about upgrading from Microsoft Office SharePoint Portal Server 2003, see Upgrading to Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc303420.aspx).
Note: This section does not cover installing Office SharePoint Server 2007 on a single computer as a stand-alone installation. For more information, see Install Office SharePoint Server 2007 on a stand-alone computer.
You can deploy Office SharePoint Server 2007 in a server farm environment if you are hosting a large number of sites, if you want the best possible performance, or if you want the scalability of a multi-tier topology. A server farm consists of one or more servers dedicated to running the Office SharePoint Server 2007 application.
Note: There is no direct upgrade from a stand-alone installation to a farm installation.
Because a server farm deployment of Office SharePoint Server 2007 is more complex than a stand-alone deployment, we recommend that you plan your deployment. Planning your deployment can help you to gather the information you need and to make important decisions before beginning to deploy. For information about planning, see Planning and architecture for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).
required by Office SharePoint Server 2007. This topic provides details about how the DBA can create these databases before beginning the Office SharePoint Server 2007 installation or creation of a Shared Services Provider (SSP). For more information about deploying using DBA-created databases, including detailed procedures, see Deploy using DBA-created databases.
Suggested topologies
Server farm environments can encompass a wide range of topologies and can include many servers or as few as two servers.
A small server farm typically consists of a database server running either Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most recent service pack, and one or more servers running Internet Information Services (IIS) and Office SharePoint Server 2007. In this configuration, the front-end servers are configured as Web servers and application servers. The Web server role provides Web content to clients. The application server role provides Office SharePoint Server 2007 services such as servicing search queries, and crawling and indexing content.
A medium server farm typically consists of a database server, an application server running Office SharePoint Server 2007, and one or two front-end Web servers running Office SharePoint Server 2007 and IIS. In this configuration, the application server provides indexing services and Excel Calculation Services, and the front-end Web servers service search queries and provide Web content.
A large server farm typically consists of two or more clustered database servers, several load-balanced front-end Web servers running Office SharePoint Server 2007, and two or more application servers running Office SharePoint Server 2007. In this configuration, each of the application servers provides specific Office SharePoint Server 2007 services such as indexing or Excel Calculation Services, and the front-end servers provide Web content.
Note: All of the Web servers in your server farm must have the same SharePoint Products and Technologies installed. For example, if all of the servers in your server farm are running Office SharePoint Server 2007, you cannot add to your farm a server that is running only Microsoft Office Project Server 2007. To run Office Project Server 2007 and Office SharePoint Server 2007 on your server farm, you must install Office Project Server 2007 and Office SharePoint Server 2007 on each of your Web servers.
To enhance the security of your farm and reduce the surface area that is exposed to a potential attack, you can turn off services on particular servers after you install SharePoint Products and Technologies.
Important: The account that you select for installing Office SharePoint Server 2007 needs to be a member of the Administrators group on every server on which you install Office SharePoint Server 2007. You can, however, remove this account from the Administrators group on the servers after installation. For information about assigning users to be SSP administrators, see Shared Services Providers in Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).
To deploy Office SharePoint Server 2007 in a server farm environment, you must provide credentials for several different accounts. For information about these accounts, see Shared Service Providers in the Planning and architecture for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx) guide.
You must install Office SharePoint Server 2007 on the same drive on all load-balanced front-end Web servers.
You must install Office SharePoint Server 2007 on a clean installation of the Microsoft Windows Server 2003 operating system with the most recent service pack. If you uninstall a previous version of Office SharePoint Server 2007, and then install Office SharePoint Server 2007, Setup might fail to create the configuration database and the installation will fail.
Note: We recommend that you read the Known Issues/Readme documentation before you install Office SharePoint Server 2007 on a domain controller. Installing Office SharePoint Server 2007 on a domain controller requires additional configuration steps that are not discussed in this document.
You must install the same language packs on all servers in the farm. For more information about installing language packs, see Deploy language packs. All the instances of Office SharePoint Server 2007 in the farm must be in the same language. For example, you cannot have both an English version of Office SharePoint Server 2007 and a Japanese version of Office SharePoint Server 2007 in the same farm.
You must use the Complete installation option on all computers you want to be index servers, query servers, or servers that run Excel Calculation Services.
If you place a query server beyond a firewall from its index server, you must open the NetBIOS ports (TCP/User Datagram Protocol (UDP) ports 137, 138, and 139) on all firewalls that separate these servers. If your environment does not use NetBIOS, you must use direct-hosted server message block (SMB). This requires that you open TCP/UDP port 445.
If you want to have more than one index server in a farm, you must use a different Shared Services Provider (SSP) for each index server.
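The firewall requirement above (NetBIOS ports 137, 138, 139, or TCP/UDP 445 for direct-hosted SMB between a query server and its index server) can be verified before the search services are started. The following PowerShell script is an added example, not code from the Microsoft guide: it performs a bounded TCP connect from the query server to the index server on the TCP ports named in the text, and lists the UDP ports separately because a connect test cannot prove a connectionless port open. The index server name "index01.contoso.local" is a placeholder.

```powershell
# Added example (not part of the Microsoft guide). Run on the query server.
# TCP 139 (NetBIOS session) or TCP 445 (direct-hosted SMB) are tested with a real
# TCP connect; UDP 137/138 (NetBIOS name and datagram) and UDP 445 are connectionless
# and are only listed so the report covers every port the guide requires.
# Assumption: the index server name passed in is a placeholder.

function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall that silently drops packets never answers; bound the wait.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the port actively refused the connection
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-IndexServerPorts {
    param(
        [Parameter(Mandatory = $true)][string]$IndexServer,
        [switch]$DirectHostedSmb      # use when the environment does not run NetBIOS
    )
    # Ports named in the guide: TCP/UDP 137, 138, 139 for NetBIOS,
    # or TCP/UDP 445 for direct-hosted SMB.
    if ($DirectHostedSmb) { $tcpPorts = @(445); $udpPorts = @(445) }
    else                  { $tcpPorts = @(139); $udpPorts = @(137, 138) }

    $report = @(foreach ($p in $tcpPorts) {
        New-Object PSObject -Property @{
            IndexServer = $IndexServer; Protocol = 'TCP'; Port = $p
            Status = $(if (Test-TcpPort -ComputerName $IndexServer -Port $p) { 'open' }
                       else { 'blocked or not listening' })
        }
    })
    foreach ($p in $udpPorts) {
        $report += New-Object PSObject -Property @{
            IndexServer = $IndexServer; Protocol = 'UDP'; Port = $p
            Status = 'not tested (connectionless); confirm on the firewall rule'
        }
    }
    $report
}

# Placeholder host name; add -DirectHostedSmb when NetBIOS is not in use.
Test-IndexServerPorts -IndexServer 'index01.contoso.local' |
    Format-Table IndexServer, Protocol, Port, Status -AutoSize
```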
Required accounts
The following table describes the accounts that are used to configure Microsoft SQL Server and to install Office SharePoint Server 2007. For more information about the required accounts, including specific privileges required for these accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).
Account: SQL Server service account
Purpose: This account is used as the service account for the following SQL Server services:
  MSSQLSERVER
  SQLSERVERAGENT
  If you are not using the default instance, these services will be shown as:
  MSSQL$InstanceName
  SQLAgent$InstanceName
Requirements: SQL Server prompts for this account during SQL Server Setup. You have two options:
  Assign one of the built-in system accounts (Local System, Network Service, or Local Service) to the logon for the configurable SQL Server services. For more information about these accounts and security considerations, refer to the Setting Up Windows Service Accounts topic (http://go.microsoft.com/fwlink/?LinkId=121664&clcid=0x409) in the SQL Server documentation.
  Assign a domain user account to the logon for the service. However, if you use this option you must take the additional steps required to configure Service Principal Names (SPNs) in Active Directory in order to support Kerberos authentication, which SQL Server uses.

Account: Setup user account
Purpose: The Setup user account is used to run the following:
  Setup on each server
  The SharePoint Products and Technologies Configuration Wizard
  The PSConfig command-line tool
  The Stsadm command-line tool
Requirements:
  Domain user account
  Member of the Administrators group on each server on which Setup is run
  SQL Server login on the computer running SQL Server
  Member of the following SQL Server security roles: securityadmin fixed server role; dbcreator fixed server role
  If you run Stsadm command-line tool commands that read from or write to a database, this account must be a member of the db_owner fixed database role for the database.

Account: Server farm account
Purpose: The Server farm account is used to:
  Act as the application pool identity for the SharePoint Central Administration application pool.
  Run the Windows SharePoint Services Timer service.
Requirements: Domain user account. If the server farm is a child farm with Web applications that consume shared services from a larger farm, this account must be a member of the db_owner fixed database role on the configuration database of the larger farm.
  Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:
  dbcreator fixed server role
  securityadmin fixed server role
  db_owner fixed database role for all databases in the server farm
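The accounts table and the Important note earlier in this chapter set two least-privilege expectations that are easy to verify on each farm server: the Setup user account may be removed from the local Administrators group once installation is complete, and (as the search configuration steps later in this chapter state) the Farm Search Service Account must not be a member of WSS_ADMIN_WPG. The PowerShell script below is an added example, not code from the Microsoft guide; it reads local group membership through the WinNT ADSI provider and reports any violation. It assumes it is run on the server with local administrator rights, and the account names CONTOSO\spsetup and CONTOSO\spsearch are placeholders.

```powershell
# Added example (not part of the Microsoft guide): audit local group membership on a
# farm server against the least-privilege points in this chapter.
# Assumptions: run locally with administrator rights; account names are placeholders.

function Get-LocalGroupMemberList {
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # The WinNT ADSI provider is available on Windows Server 2003 and later.
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # ADsPath looks like WinNT://CONTOSO/spsetup; convert it to DOMAIN\name.
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-FarmAccountPrivileges {
    param(
        [Parameter(Mandatory = $true)][string]$SetupAccount,
        [Parameter(Mandatory = $true)][string]$SearchServiceAccount,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # -contains compares case-insensitively, so CONTOSO\SpSetup still matches.
    $admins    = @(Get-LocalGroupMemberList -GroupName 'Administrators' -ComputerName $ComputerName)
    $wssAdmins = @(Get-LocalGroupMemberList -GroupName 'WSS_ADMIN_WPG'  -ComputerName $ComputerName)

    $findings = @()
    if ($admins -contains $SetupAccount) {
        $findings += "Setup account $SetupAccount is still a local Administrator on $ComputerName; the guide allows removing it after installation."
    }
    if ($wssAdmins -contains $SearchServiceAccount) {
        $findings += "Search service account $SearchServiceAccount is a member of WSS_ADMIN_WPG on $ComputerName."
    }
    if ($admins -contains $SearchServiceAccount) {
        $findings += "Search service account $SearchServiceAccount is a local Administrator on $ComputerName."
    }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Placeholder account names; run on every Web server and application server in the farm.
Test-FarmAccountPrivileges -SetupAccount 'CONTOSO\spsetup' -SearchServiceAccount 'CONTOSO\spsearch' |
    Format-List ComputerName, Compliant, Findings
```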
2. On the Welcome to the Configure Your Server Wizard page, click Next.
3. On the Preliminary Steps page, click Next.
4. On the Server Role page, click Application server (IIS, ASP.NET), and then click Next.
5. On the Application Server Options page, click Next.
6. On the Summary of Selections page, click Next.
7. Click Finish.
8. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
9. In the IIS Manager tree, click the plus sign (+) next to the server name, right-click the Web Sites folder, and then click Properties.
10. In the Web Sites Properties dialog box, click the Service tab.
11. In the Isolation mode section, clear the Run WWW service in IIS 5.0 isolation mode check box, and then click OK.
Note: The Run WWW in IIS 5.0 isolation mode check box is only selected if you have upgraded to IIS 6.0 on Windows Server 2003 from IIS 5.0 on Microsoft Windows 2000. New installations of IIS 6.0 use IIS 6.0 worker process isolation mode by default.
Web Service Extensions folder.
3. In the details pane, click ASP.NET v2.0.50727, and then click Allow.
You can configure different features on different servers. The following table shows which installation type you should use for each feature set.
Server type | Installation type
Central Administration Web application | Complete
Application server (such as Excel Calculation Services) | Complete
Search index server | Complete
Search query server | Complete
Web server | Web Front End (subsequent servers must join an existing farm) or Complete
Note: If you choose the Web Front End installation option you will not be able to run additional services, such as search, on the server.
When you install Office SharePoint Server 2007 on the first server, you establish the farm. Any servers that you add afterward join this farm. Setting up the first server involves two steps: installing the Office SharePoint Server 2007 components on the server, and configuring the farm. After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The SharePoint Products and Technologies Configuration Wizard automates several configuration tasks, including installing and configuring the configuration database, installing Office SharePoint Server 2007 services, and creating the Central Administration Web site.
one of the following:
If you want to use NTLM authentication (the default), click Next.
If you want to use Kerberos authentication, click Negotiate (Kerberos), and then click Next.
Note: In most cases, use the default setting (NTLM). Use Negotiate (Kerberos) only if Kerberos authentication is supported in your environment. Using the Negotiate (Kerberos) option requires you to configure a Service Principal Name (SPN) for the domain user account. To do this, you must be a member of the Domain Admins group. For more information, see How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
10. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
11. On the Configuration Successful page, click Finish. The SharePoint Central Administration Web site home page opens.
Note: If you are prompted for your user name and password, you might need to add the SharePoint Central Administration site to the list of trusted sites and configure user authentication settings in Internet Explorer. Instructions for configuring these settings are provided in the next set of steps.
Note: If a proxy server error message appears, you might need to configure your proxy server settings so that local addresses bypass the proxy server. Instructions for configuring this setting are provided later in this section.
Add the SharePoint Central Administration Web site to the list of trusted sites
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL for the SharePoint Central Administration Web site, and then click Add.
5. Click Close to close the Trusted sites dialog box.
Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.
the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Web Front End.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the following section.
Run Setup on additional servers (index or query server)
1. From the product disc, run Setup.exe, or from the product download, run Officeserver.exe, on one of your Web server computers.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the next set of steps.
Run the SharePoint Products and Technologies Configuration Wizard on additional servers
After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several configuration tasks, including installing Office SharePoint Server 2007 services. Use the following instructions to run the SharePoint Products and Technologies Configuration Wizard.
Run the SharePoint Products and Technologies Configuration Wizard on additional servers
1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. Click Yes in the dialog box that notifies you that some services might need to be restarted during configuration.
3. On the Connect to a server farm page, click Yes, I want to connect to an existing server farm, and then click Next.
4. In the Specify Configuration Database Settings dialog box, in the Database server box, type the name of the computer that is running SQL Server.
5. Click Retrieve Database Names, and then from the Database name list, select the database name that you created when you configured the first server in your server farm.
6. In the User name box, type the user name of the account used to connect to the computer running SQL Server. (Be sure to type the user name in the format DOMAIN\username.) This must be the same user account you used when configuring the first server.
7. In the Password box, type the user's password, and then click Next.
8. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
9. On the Configuration Successful page, click Finish.
top link bar.
2. On the Operations page, in the Topology and Services section, click Services on server.
3. On the Services on Server page, next to Windows SharePoint Services Search, click Start.
4. On the Configure Windows SharePoint Services Search Service Settings page, in the Service Account section, type the user name and password for the user account under which the Windows SharePoint Services Search service account will run.
5. In the Content Access Account section, type the user name and password for the user account that the search service will use to search over content. This account must have read access to all the content you want it to search over. If you do not specify credentials, the same account used for the search service will be used.
6. In the Indexing Schedule section, either accept the default settings, or specify the schedule that you want the search service to use when searching over content.
7. After you have configured all the settings, click Start.
Disable the Windows SharePoint Services Web Application service on all servers not serving content
You should disable the Windows SharePoint Services Web Application service on all servers that are not serving content, especially index servers. On the other hand, you must be sure that this service is enabled on the servers that are serving content.
Disable the Windows SharePoint Services Web Application service on a server
1. On the SharePoint Central Administration home page, click the Operations tab on the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on server.
3. On the Services on Server page, next to Windows SharePoint Services Web Application, click Stop.
End and Crawling sections.
6. If you want to use this server to service search queries, select the Use this server for servicing search queries check box. This expands the page and adds the Query Server Index File Location section. If not, skip to the next step.
7. In the Contact E-mail Address section, type the e-mail address you want external site administrators to use to contact your organization if problems arise when their sites are being crawled by your index server.
8. In the Farm Search Service Account section, specify the User name and Password of the account under which the search service will run. This domain account should not be a member of the Farm Administrators group in the Central Administration Web site (the WSS_ADMIN_WPG Windows security group). For least privilege scenarios, this should be a separate domain account, used only for this service. For more information about this account, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).
9. Optionally, you can also configure other settings or accept the default settings.
10. When you have configured all the settings, click Start.

You can optionally use the following steps to start the Office SharePoint Server Search service on computers that were set up by using the Complete option during Setup to deploy query servers.
Important: If you selected the Use this server for servicing search queries option in step 6 of the previous procedure, you cannot deploy additional query servers unless you first remove the query server role from the index server. For information about how to perform this procedure using the Stsadm command-line tool, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).

Start the Office SharePoint Server Search service on query servers
1. On the SharePoint Central Administration home page, click the Operations tab on the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on server.
3. In the Server list, select the server that you want to configure as a query server.
4. On the Services on Server page, next to Office SharePoint Server Search, click Start.
5. Select the Use this server for servicing search queries check box. This expands the page and adds the Query Server Index File Location section.
6. In the Farm Search Service Account section, specify the User name and Password of the account under which the search service will run. This domain account should not be a member of the Farm Administrators group in the Central Administration Web site (the WSS_ADMIN_WPG Windows security group). For least privilege scenarios, this should be a separate domain account, used only for this service. For more information about this account, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).
7. In the Query Server Index File Location section, in the Query server index file location box, either type the location on the local drive of the query server on which you want to store the propagated index, or accept the default path.
8. In the Query Server Index File Location section, select one of the following:
   Configure share automatically: Select this option to automatically configure the share on which you want to store the propagated index, and type the user name and password of the account that you want to use to propagate the index (recommended).
   Important: This account must be a member of the Administrators group and a member of the WSS_ADMIN_WPG group on the query server before you proceed to the next step, or propagation of the index will fail.
   I will configure the share with STSAdm: Select this option if you want to use the Stsadm command-line tool to create this share at a later time.
   Do nothing. The share is already configured: Select this option if the share already exists and the permissions to the share are configured as described above.
9. When you have configured all the settings, click Start.
For information about how to perform this procedure using the Stsadm command-line tool, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).
Create a Web application to host the SSP and create the SSP
1. On the SharePoint Central Administration home page, click the Application Management tab on the top link bar.
2. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
3. On the Manage this Farm's Shared Services page, click New SSP.
4. On the New Shared Services Provider page, in the SSP Name section, click Create a new Web application.
   Note: If you see any items in the Web application drop-down list, a Web application has already been created. You can either use this Web application or create another.
5. On the Create New Web Application page, in the Application Pool section, specify the User name and Password for the user account that the Web application pool will run under.
6. You can also configure other settings on this page, or click OK to create the new Web application.
   Note: By default, the Web application uses the default Web site in IIS and port 80. This port might be used by other Web applications. Ensure that this port is open for use, or choose another port before you click OK.
   Note: By default, Restart IIS Manually is selected. If you use this setting, you must restart the default Web site in IIS, or restart the W3C service by using the command line.
7. On the New Shared Services Provider page, in the SSP Service Credentials section, type the user name and password for the user account that the SSP service will run under.
8. Optionally, you can also configure other settings.
9. When you have configured all the settings, click OK.
10. If you used the same Web application for the SSP administration site and the My Sites site collection, you will be prompted to use separate Web applications for these site collections. If you want to use the same Web application, click OK. For more information about site planning, see Plan Web site structure and publishing (http://technet.microsoft.com/en-us/library/cc262789.aspx).
11. After the SSP has been created, click OK on the confirmation page that appears.
Configure workflow settings
Specify whether users can assemble new workflows, and whether participants without site access should be sent documents as e-mail attachments so they can participate in document workflows. For more information, see Configure workflow settings.

Configure diagnostic logging settings
You can configure several diagnostic logging settings to help with troubleshooting. This includes enabling and configuring trace logs, event messages, user-mode error messages, and Customer Experience Improvement Program events. For more information, see Configure diagnostic logging settings.

Configure antivirus protection settings
You can configure several antivirus settings if you have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus settings enable you to control whether documents are scanned on upload or download, and whether users can download infected documents. You can also specify how long you want the antivirus program to run before it times out, and you can specify how many execution threads the antivirus program can use on the server. For more information, see Configure antivirus settings.

Configure search
Before search queries can be serviced, content must first be crawled. You can configure several search and index settings to customize how Office SharePoint Server 2007 crawls your site content or external content. For more information, see Configure the Office SharePoint Server Search service.

Configure Excel Calculation Services
Before you can use Excel Services, you must start the service and add at least one trusted location. For more information, see Configure Excel Services.

Perform administrator tasks by using the Central Administration site
1. Click Start, point to All Programs, point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, in the Administrator Tasks section, click the task you want to perform.
3. On the Administrator Tasks page, next to Action, click the task.
You can also migrate content from a pre-existing Microsoft Content Management Server 2002 source. For information, see Migrate from Microsoft Content Management Server 2002 to Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261812.aspx).

Before you can create a site collection or a site, you must first create a Web application. A Web application consists of an Internet Information Services (IIS) site with a unique application pool.

Create a new Web application
1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the SharePoint Web Application Management section, click Create or extend Web application.
4. On the Create or Extend Web Application page, in the Adding a SharePoint Web Application section, click Create a new Web application.
5. On the Create New Web Application page, in the IIS Web Site section, you can configure the settings for your new Web application.
   a. To use an existing Web site, select Use an existing Web site, and specify the Web site on which to install your new Web application by selecting it from the drop-down menu.
   b. To create a new Web site, select Create a new IIS Web site, and type the name of the Web site in the Description box.
   c. In the Port box, type the port number you want to use to access the Web application. If you are creating a new Web site, this field is populated with a suggested port number. If you are using an existing Web site, this field is populated with the current port number.
   d. In the Host Header box, type the URL you want to use to access the Web application. This is an optional field.
   e. In the Path box, type the path to the site directory on the server. If you are creating a new Web site, this field is populated with a suggested path. If you are using an existing Web site, this field is populated with the current path.
6. In the Security Configuration section, configure authentication and encryption for your Web application.
   a. In the Authentication Provider section, choose either Negotiate (Kerberos) or NTLM.
   b. In the Allow Anonymous section, choose Yes or No. If you choose to allow anonymous access, this enables anonymous access to the Web site by using the computer-specific anonymous access account (that is, IUSR_<computername>).
   c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you choose to enable SSL for the Web site, you must configure SSL by requesting and installing an SSL certificate.
7. In the Load Balanced URL section, type the URL for the domain name for all sites that users will access in this Web application. This URL domain will be used in all links shown on pages within the Web application. By default, the box is populated with the current server name and port. The Zone box is automatically set to Default for a new Web application and cannot be changed from this page.
8. In the Application Pool section, choose whether to use an existing application pool or create a new application pool for this Web application. To use an existing application pool, select Use existing application pool, and then select the application pool you want to use from the drop-down menu.
   a. To create a new application pool, select Create a new application pool.
   b. In the Application pool name box, type the name of the new application pool, or keep the default name.
   c. In the Select a security account for this application pool section, select Predefined to use an existing application pool security account, and then select the security account from the drop-down menu.
   d. Select Configurable to use an account that is not currently being used as a security account for an existing application pool. In the User name box, type the user name of the account you want to use, and type the password for the account in the Password box.
9. In the Reset Internet Information Services section, choose whether to allow Office SharePoint Server 2007 to restart IIS on other farm servers. The local server must be restarted manually for the process to finish. If this option is not selected and you have more than one server in the farm, you must wait until the IIS Web site is created on all servers and then run iisreset /noforce on each Web server. The new IIS site is not usable until that action is completed. These choices are unavailable if your farm only contains a single server.
10. Under Database Name and Authentication, choose the database server, database name, and authentication method for your new Web application.
Item: Database Server
Action: Type the name of the database server and SQL Server instance you want to use in the format <SERVERNAME\instance>. You may also use the default entry.

Item: Database Name
Action: Type the name of the database, or use the default entry.

Item: Database Authentication
Action: Choose whether to use Windows authentication (recommended) or SQL authentication. If you want to use Windows authentication, leave this option selected. If you want to use SQL authentication, select SQL authentication. In the Account box, type the name of the account you want the Web application to use to authenticate to the SQL Server database, and then type the password in the Password box.
11. Click OK to create the new Web application, or click Cancel to cancel the process and return to the Application Management page.
For information about how to perform this procedure using the Stsadm command-line tool, see Createsiteinnewdb: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262407.aspx).

Create a site collection
1. On the SharePoint Central Administration home page, click the Application Management tab on the top link bar.
2. On the Application Management page, in the SharePoint Site Management section, click Create site collection.
3. On the Create Site Collection page, in the Web Application section, either select a Web application to host the site collection from the Web Application drop-down list, or create a new Web application to host the site collection.
4. In the Title and Description section, type a title and description for the site collection.
5. In the Web Site Address section, select a URL type, and specify a URL for the site collection.
6. In the Template Selection section, select a template from the tabbed template control.
7. In the Primary Site Collection Administrator section, type the user account name for the user you want to be the primary administrator for the site collection. You can also browse for the user account by clicking the Book icon to the right of the text box. You can verify the user account by clicking the Check Names icon to the right of the text box.
8. Optionally, in the Secondary Site Collection Administrator section, type the user account for the user you want to be the secondary administrator for the site collection. You can also browse for the user account by clicking the Book icon to the right of the text box. You can verify the user account by clicking the Check Names icon to the right of the text box.
9. Click Create to create the site collection.
For information about how to perform this procedure using the Stsadm command-line tool, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx).

Create a SharePoint site
1. On the SharePoint Central Administration home page, click the Application Management tab on the top link bar.
2. On the Application Management page, in the SharePoint Site Management section, click Site collection list.
3. On the Site Collection List page, in the URL column, click the URL for the site collection to which you want to add a site. The full URL path for the site collection appears in the URL box.
4. Copy and paste the full URL path into your browser, and then, on the home page of the top-level site for the site collection, on the Site Actions menu, click Create.
5. On the Create page, in the Web Pages section, click Sites and Workspaces.
6. On the New SharePoint Site page, in the Title and Description section, type a title and description for the site.
7. In the Web Site Address section, specify a URL for the site.
8. In the Template Selection section, select a template from the tabbed template control.
9. Either change other settings, or click Create to create the site.
10. The new site opens.

After creating sites, you might want to configure alternate access mappings. Alternate access mappings direct users to the correct URLs during their interaction with Office SharePoint Server 2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for example). Alternate access mappings enable Office SharePoint Server 2007 to map Web requests to the correct Web applications and sites, and they enable Office SharePoint Server 2007 to serve the correct content back to the user. For more information, see Plan alternate access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).
For information about how to perform this procedure using the Stsadm command-line tool, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx).
By default, Office SharePoint Server 2007 saves two days of events in the trace log files. This means that trace log files that contain events that are older than two days are deleted. Whether you are using the Office SharePoint Server Search service or the Windows SharePoint Services Search service, we recommend that you configure the trace log to save seven days of events.

You can use the Diagnostic Logging page in Central Administration to configure the maximum number of trace log files to maintain and how long (in minutes) to capture events to each log file. By default, 96 log files are kept, each one containing 30 minutes of events: 96 log files * 30 minutes of events per file = 2880 minutes, or two days of events. You can also specify the location where the log files are written or accept the default path.

Configure the trace log to save seven days of events
1. In Central Administration, on the Operations tab, in the Logging and Reporting section, click Diagnostic logging.
2. On the Diagnostic Logging page, in the Trace Log section, do the following:
   In the Number of log files box, type 336.
   In the Number of minutes to use a log file box, type 30.
   Tip: To save 10,080 minutes (seven days) of events, you can use any combination of number of log files and minutes to store in each log file.
3. Ensure that the path specified in the Path box has enough room to store the extra log files, or change the path to another location.
   Tip: We recommend that you store log files on a hard drive partition that is used to store log files only.
4. Click OK.

Trace log files can help you to troubleshoot issues related to configuration changes of either the Office SharePoint Server Search service or the Windows SharePoint Services Search service.
Because problems related to configuration changes are not always immediately discovered, we recommend that you save all trace log files that the system creates on any day that you make any configuration changes related to either search service. Store these log files for an extended period of time in a safe location that will not be overwritten. See step 3 in the previous procedure to determine the location where the system stores trace log files for your system. For information about how to perform this procedure using the Stsadm command-line tool, see Logging and events: Stsadm operations (http://technet.microsoft.com/en-us/library/cc262191.aspx).
- A content database for the My Sites Web application (if the SSP is using its own Web application).
- A content database for the Shared Services Administration Web application (if the SSP is using its own Web application).
- SSP Search database (one per SSP).
- SSP Web application (created by Setup if the SSP is using its own Web application).
Note: As part of the Web site and application pool creation process, a Web application is also created in Internet Information Services (IIS). Extending a Web application will create an additional Web site in IIS, but not an additional application pool.
Required accounts
The DBA needs to create SQL Server logins for the accounts that are used to access the databases for Office SharePoint Server 2007 and add them to roles. For more information about the required accounts, including specific permissions and roles required for these accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).
The following table describes the accounts that are used to access the databases for Office SharePoint Server 2007.

Account: SQL Server service account
Purpose: This account is used as the service account for the following SQL Server services:
- MSSQLSERVER
- SQLSERVERAGENT
If you are not using the default instance, these services will be shown as:
- MSSQL$InstanceName
- SQLAgent$InstanceName
Requirements: SQL Server prompts for this account during SQL Server Setup. You have two options:
- Assign one of the built-in system accounts (Local System, Network Service, or Local Service) to the logon for the configurable SQL Server services. For more information about these accounts and security considerations, refer to the Setting Up Windows Service Accounts topic (http://go.microsoft.com/fwlink/?LinkId=121664&clcid=0x409) in the SQL Server documentation.
- Assign a domain user account to the logon for the service. However, if you use this option you must take the additional steps required to configure Service Principal Names (SPNs) in Active Directory in order to support Kerberos authentication, which SQL Server uses.

Account: Setup user account
Purpose: The Setup user account is used to run the following:
- Setup on each server
- The SharePoint Products and Technologies Configuration Wizard
- The PSConfig command-line tool
- The Stsadm command-line tool
Requirements:
- Domain user account
- Member of the Administrators group on each server on which Setup is run
- SQL Server login on the computer running SQL Server
- Member of the following SQL Server security roles: securityadmin fixed server role, dbcreator fixed server role
- If you run Stsadm command-line tool commands that read from or write to a database, this account must be a member of the db_owner fixed database role for the database.

Account: Server farm account
Purpose: The Server farm account is used to:
- Act as the application pool identity for the SharePoint Central Administration application pool.
- Run the Windows SharePoint Services Timer service.
Requirements:
- Domain user account.
- If the server farm is a child farm with Web applications that consume shared services from a larger farm, this account must be a member of the db_owner fixed database role on the configuration database of the larger farm.
- Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles: dbcreator fixed server role, securityadmin fixed server role, db_owner fixed database role for all databases in the server farm.

Note: If you are using the least-privilege principle for added security, use a different account for each service, process, and application pool identity for each Web application. Each SSP will use two accounts, one for the SSP service account and one for the application pool identity for the Shared Services Administration Web application.
one of these computers by using the Complete installation option.
Note: The rest of the farm servers will be configured after the procedures in the article are finished and the farm is established. You will run the SharePoint Products and Technologies Configuration Wizard on these servers by selecting the Yes, I want to connect to an existing server farm option, instead of by using the commands used in this procedure.
3. [Setup] On the server on which you used the Complete installation option, do not run the SharePoint Products and Technologies Configuration Wizard after Setup. Instead, open the command line, and then run the following command to configure the databases:
   psconfig -cmd configdb -create -server <SqlServerName> -database <SqlDatabaseName> -user <DomainName\UserName> -password <password> -admincontentdatabase <SqlAdminContentDatabaseName>
   Note: <SqlDatabaseName> is the configuration database. -user is the server farm account. <SqlAdminContentDatabaseName> is the Central Administration content database.
4. [Setup] After the command has completed, run the SharePoint Products and Technologies Configuration Wizard and complete the remainder of the configuration for the server. This creates the Central Administration Web application and performs other setup and configuration tasks.
5. [DBA] After the SharePoint Products and Technologies Configuration Wizard has completed, perform the following actions for both the configuration database and the Central Administration content database:
   - Add the Office SharePoint Server Search account, default content access account, and the SSP service account to the Users group.
   - Add the Office SharePoint Server Search account, default content access account, and the SSP service account to the WSS_Content_Application_Pools role.
6. [Setup] To confirm that the databases were created and correctly configured, verify that the home page of the Central Administration Web site can be accessed. However, do not configure anything by using Central Administration at this time. If the Central Administration page does not render, verify the accounts used in this procedure and ensure that they are properly assigned.
The following procedure will only have to be performed once for the farm. The farm has only one Windows SharePoint Services search database.

Create and configure the Windows SharePoint Services Search database and start the Windows SharePoint Services Search service
1. [DBA] Create the Windows SharePoint Services Search database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo) to be the Setup user account.
2. [Setup] Open the command line, and then run the following command to configure the database and start the Windows SharePoint Services Search service:
   stsadm -o spsearch -action start -farmserviceaccount <DomainName\UserName> -farmservicepassword <password> -farmcontentaccessaccount <DomainName\UserName> -farmcontentaccesspassword <password> -databaseserver <server\instance> -databasename <DatabaseName>
   Note: -farmserviceaccount is the server farm account. -farmcontentaccessaccount is the Office SharePoint Services Search service account. For -databaseserver, if you are using the default instance of SQL Server, you only have to specify the name of the computer running SQL Server.

The following procedure must be performed once for each server running indexing or search queries in the farm.

Start the Office SharePoint Server Search service on each server that will run search queries or indexing
1. [Setup] Open the command line, and then run the following command:
   stsadm -o osearch -action start -role <OsearchRole> -farmcontactemail <FarmContactEmail> -farmserviceaccount <DomainName\UserName> -farmservicepassword <password>
   For additional information, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).
   Note: -farmserviceaccount is the server farm account. -role specifies what type of server role the server plays. The values for OsearchRole can be "Index", "Query", or "IndexQuery". For more information about these options, see Add query servers to expand a farm (http://technet.microsoft.com/en-us/library/cc297192.aspx).

The following procedure will only have to be performed once for the farm. The farm only has one My Sites database. The My Sites Web application typically is hosted by its own SSP.

Create and configure the content database and Web application for My Sites
1. [DBA] Create the My Sites content database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo) to be the Setup user account.
2. [DBA] Add the SSP service account to the db_owner role for the My Sites Web application content database.
3. [Setup] Open the command line, and then run the following command to configure the My Sites content database:
   stsadm.exe -o extendvs -url <url> -donotcreatesite -exclusivelyusentlm -databaseserver <DatabaseServerName> -databasename <DatabaseName> -apidtype configurableid -description <IISWebSiteName> -apidname <AppPoolName> -apidlogin <DomainName\UserName> -apidpwd <password>
   For additional information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).
   Note: url is the URL (in the form http://hostname:port) of the My Sites Web application. databasename is the content database for the My Sites Web application. description is the text name you give to the Web site in IIS. apidname is the text name that you give to the Web application pool in IIS. apidlogin is the identity for the application pool in IIS. This is the application pool process account. If you are using Kerberos v5 authentication rather than NTLM authentication, use the negotiate parameter rather than the exclusivelyusentlm parameter.
   Important: This command must be run on the same computer that is indicated in the url parameter. This is the same computer that is running the My Sites Web application. The host name and port combination must not describe a Web application that already exists, or an error will result without creating the Web application.
4. [Setup] Open the command line, and then run the following command to restart IIS: iisreset /noforce

You must create a Shared Services Administration site Web application for every SSP in the farm.

Create the content database and the Web application for the Shared Services Administration site
1. [DBA] Create the Shared Services Administration site content database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo) to be the Setup user account.
2. [DBA] Using SQL Server Management Studio, add the SSP service account to the Users group and then to the db_owner role for the Shared Services Administration site content database.
3. [Setup] Open the command line, and then run the following command to create the Shared Services Administration site Web application and configure the content database:
   stsadm.exe -o extendvs -url <url> -donotcreatesite -exclusivelyusentlm -databaseserver <DatabaseServerName> -databasename <DatabaseName> -apidtype configurableid -description <IISWebSiteName> -apidname <AppPoolName> -apidlogin <DomainName\UserName> -apidpwd <password>
   For additional information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).
   Note: url is the URL (in the form http://hostname:port) of the Shared Services Administration site Web application. databasename is the content database for the Shared Services Administration site Web application. description is the text name you give to the Web site in IIS. apidname is the text name that you give to the application pool in IIS. apidlogin is the identity for the application pool in IIS. This is the application pool process account. If you are using Kerberos v5 authentication rather than NTLM authentication, use the negotiate parameter rather than the exclusivelyusentlm parameter.
   Important: This command must be run on the same computer that is indicated in the url parameter. This is the same computer that is running the Shared Services Administration Web application. The host name and port combination must not describe a Web application that already exists, or an error results and the Web application is not created.
4. [Setup] Open the command line, and then run the following command to restart IIS: iisreset /noforce

The following procedure will have to be performed once for each portal site in the farm.

Create and configure the portal site Web application content database
1. [DBA] Create the portal site Web application content database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo) to be the Setup user account.
2. [DBA] Using Microsoft SQL Server Management Studio, add the SSP Service account to the Users group and then to the db_owner role for the portal site Web application content database.
3. [Setup] Open the command line, and then run the following command to configure the portal site Web application content database:
   stsadm.exe -o extendvs -url <url> -donotcreatesite -exclusivelyusentlm -databaseserver <DatabaseServerName> -databasename <DatabaseName> -apidtype configurableid -description <IISWebSiteName> -apidname <AppPoolName> -apidlogin <DomainName\UserName> -apidpwd <password>
   For additional information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).
   Note: url is the URL (in the form http://hostname:port) of the portal site Web application. databasename is the content database for the portal site Web application. description is the text name you give to the Web site in IIS. apidname is the text name that you give to the Web application pool in IIS. apidlogin is the identity for the application pool in IIS. This is the application pool process account. If you are using Kerberos v5 authentication rather than NTLM authentication, use the negotiate parameter rather than the exclusivelyusentlm parameter.
   Important: This command must be run on the same computer that is indicated in the url parameter. This is the same computer that is running the Web application. The host name and port combination must not describe a Web application that already exists, or an error results and the Web application is not created.
4. [Setup] Open the command line, and then run the following command to restart IIS: iisreset /noforce

The following procedure must be performed once for each SSP in the farm.

Create and configure the SSP content database and SSP Search database, and then create and configure the SSP
1. [DBA] Create the SSP content database and the SSP Search database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo) to be the Setup user account.
2. [DBA] Using Microsoft SQL Server Management Studio, add the following accounts to the Users group and then to the db_owner role in both databases:
   - Server farm account
   - SSP Service account
   - Windows SharePoint Services Search service account
   - Office SharePoint Server Search service account
   - Application pool process account. This is the Web application pool identity for each Web application associated with the SSP. In this section, these are the Shared Services Administration Web application and the My Sites site Web application.
3. [Setup] Open the command line, and then run the following command to create the SSP (the SSP will use the DBA-created SSP content database and the SSP Search database):
stsadm -o createssp -title <SSPName> -url <url> -mysiteurl <url> -ssplogin <UserName> -ssppassword <password> -indexserver <IndexServerName> -indexlocation <IndexFilePath> -sspdatabaseserver <SSPDatabaseServerName> -sspdatabasename <SSPDatabaseName> -searchdatabaseserver <SearchDatabaseServer> -searchdatabasename <SearchDatabaseName>
For additional information, see Createssp: STSadm operation (http://technet.microsoft.com/en-us/library/cc262773.aspx).
Note:
url is the URL (in the format http://hostname:port/ssp/admin) of the Shared Services Administration site.
mysiteurl is the URL (in the format http://hostname:port) of the My Sites Web site.
ssplogin is the SSP service account in the format domain\username.
indexserver is the name of the server that the index is hosted on.
indexlocation is the directory on the index server where the farm administrator specified the index to be stored. By default this is SystemDrive:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications.
Important: This command must be run on the same computer that is indicated in the url parameter. This is the same computer that is running the Web applications. In this section, this is the server where the Shared Services Administration site Web application and the My Sites Web application are running.
Note: For more information about properly sizing these databases, see Estimate performance and capacity requirements (http://technet.microsoft.com/en-us/library/cc261716.aspx) and Estimate performance and capacity requirements for portal collaboration environments (http://technet.microsoft.com/en-us/library/cc263100.aspx).
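The three [DBA] procedures above repeat the same steps for every database: create it with the required collation, make the Setup user account its owner, and add the service accounts to Users and db_owner. As an added example that is not part of this guide, the following PowerShell script generates the equivalent T-SQL and runs it with sqlcmd; the server, database and account names are assumed placeholders.

```powershell
# Added example (not from the Microsoft guide): scripts the [DBA] steps the guide
# repeats for each database. Run as the DBA with the SQL Server 2005 client tools
# (sqlcmd) installed. Server, database and account names are assumed placeholders.
$DatabaseServer = 'SQL01'               # assumed database server name
$SetupAccount   = 'CONTOSO\spsetup'     # assumed Setup user account (already a SQL Server login)

function New-SharePointDatabaseScript {
    param(
        [string]$DatabaseName,
        [string]$OwnerAccount,        # becomes dbo; its SQL Server login must already exist
        [string[]]$DbOwnerAccounts    # each is added to Users and to the db_owner role
    )
    $sql = @"
CREATE DATABASE [$DatabaseName] COLLATE Latin1_General_CI_AS_KS_WS;
GO
ALTER AUTHORIZATION ON DATABASE::[$DatabaseName] TO [$OwnerAccount];
GO
USE [$DatabaseName];
GO
"@
    foreach ($acct in $DbOwnerAccounts) {
        # Create the Windows login if it is missing, map it to a database user, then grant db_owner.
        $sql += @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$acct')
    CREATE LOGIN [$acct] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$acct')
    CREATE USER [$acct] FOR LOGIN [$acct];
EXEC sp_addrolemember N'db_owner', N'$acct';
GO
"@
    }
    return $sql
}

function Invoke-DatabaseScript {
    param([string]$Server, [string]$Sql)
    $file = Join-Path $env:TEMP ('sp_' + [Guid]::NewGuid().ToString() + '.sql')
    Set-Content -Path $file -Value $Sql
    # -E: Windows authentication as the current (DBA) user; -b: stop and report an error on failure
    & sqlcmd -S $Server -E -b -i $file
    Remove-Item $file
}

# Shared Services Administration site and portal site content databases:
# only the SSP service account is added to Users and db_owner.
foreach ($db in 'SSP_AdminContent', 'Portal_Content') {
    $tsql = New-SharePointDatabaseScript -DatabaseName $db -OwnerAccount $SetupAccount `
        -DbOwnerAccounts @('CONTOSO\sspsvc')
    Invoke-DatabaseScript -Server $DatabaseServer -Sql $tsql
}

# SSP content and SSP Search databases: all five accounts the guide lists (assumed names).
$sspAccounts = @(
    'CONTOSO\spfarm',      # Server farm account
    'CONTOSO\sspsvc',      # SSP Service account
    'CONTOSO\wsssearch',   # Windows SharePoint Services Search service account
    'CONTOSO\osssearch',   # Office SharePoint Server Search service account
    'CONTOSO\spapppool'    # application pool process account of the SSP's Web applications
)
foreach ($db in 'SSP_Content', 'SSP_Search') {
    $tsql = New-SharePointDatabaseScript -DatabaseName $db -OwnerAccount $SetupAccount `
        -DbOwnerAccounts $sspAccounts
    Invoke-DatabaseScript -Server $DatabaseServer -Sql $tsql
}
```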
As of the release of Microsoft Office SharePoint Server 2007 Service Pack 1 (SP1), you can install Office SharePoint Server 2007 on a server running Windows Server 2008. As with the Windows Server 2003 operating system, you must download and run Setup and the SharePoint Products and Technologies Configuration Wizard. You cannot install Office SharePoint Server 2007 without service packs on Windows Server 2008.
Important: Office SharePoint Server 2007 requires the following components: the Web Server role, Windows Internal Database, and the Microsoft .NET Framework. Office SharePoint Server 2007 will cease to run if you uninstall these components.
Deployment overview
You can deploy Office SharePoint Server 2007 in a server farm environment if you are hosting a large number of sites, if you want the best possible performance, or if you want the scalability of a multi-tier topology. A server farm consists of one or more servers dedicated to running Office SharePoint Server 2007.
Note: There is no direct upgrade from a stand-alone installation to a farm installation.
Important: This section discusses how to perform a clean installation of Office SharePoint Server 2007 with SP1 in a server farm environment on Windows Server 2008. It does not cover upgrading the operating system from Windows Server 2003 to Windows Server 2008.
Note: This section does not cover installing Office SharePoint Server 2007 on a single computer as a stand-alone installation on Windows Server 2008. For more information, see Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server 2008.
Because a server farm deployment of Office SharePoint Server 2007 is more complex than a stand-alone deployment, we recommend that you plan your deployment. Planning your deployment can help you to gather the information you need and to make important decisions before beginning to deploy. For information about planning, see Planning and architecture for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).
Suggested topologies
Server farm environments can encompass a wide range of topologies and can include many servers or as few as two servers. A server farm typically consists of a database server and one or more servers running Internet Information Services (IIS) and Office SharePoint Server 2007. In this configuration, the front-end servers are configured as Web servers. The Web server role provides Web content and services such as search. A large server farm typically consists of two or more clustered database servers, several load-balanced front-end Web servers running IIS and Office SharePoint Server 2007, and two or more servers providing Search services. When you install Office SharePoint Server 2007, you can decide if you want to perform a complete installation, which results in an application server, or to install just a front-end Web server. The main difference between an application server installation and a front-end Web server installation is the ability to run services such as the Search service. Since the front-end Web server installation is a subset of the application server installation, if necessary, you can use an application server as a front-end Web server; however, you should note that this configuration increases the attack surface area on the server.
All the Office SharePoint Server 2007 installations in the server farm must be in the same language. For example, you cannot have both an English version of Office SharePoint Server 2007 and a Japanese version of Office SharePoint Server 2007 in the same server farm.
Note: We recommend that you read the Known Issues and the Readme documentation before you install Office SharePoint Server 2007 on a domain controller. Installing Office SharePoint Server 2007 on a domain controller requires additional configuration steps that are not discussed in this section.
All of the Office SharePoint Server 2007 installations must be running the same software update. For example, if one of the servers is updated to Post Service Pack 1 rollup, you should update all of the Office SharePoint Server 2007 servers in the server farm to that software update.
Required accounts
The following table lists the accounts used to configure SQL Server and to install Office SharePoint Server 2007. For detailed information about the required accounts, including specific role memberships and permissions required for these accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).
Account: SQL Server service account
Purpose: This account is used as the service account for the following SQL Server services:
  MSSQLSERVER
  SQLSERVERAGENT
  If you are not using the default instance, these services will be shown as:
  MSSQL$InstanceName
  SQLAgent$InstanceName
Requirements: SQL Server prompts for this account during SQL Server Setup. You have two options:
  Assign one of the built-in system accounts (Local System, Network Service, or Local Service) to the logon for the configurable SQL Server services. For more information about these accounts and security considerations, refer to the Setting Up Windows Service Accounts topic (http://go.microsoft.com/fwlink/?LinkId=121664&clcid=0x409) in the SQL Server documentation.
  Assign a domain user account to the logon for the service. However, if you use this option you must take the additional steps required to configure Service Principal Names (SPNs) in Active Directory in order to support Kerberos authentication, which SQL Server uses.

Account: Setup user account
Purpose: The Setup user account is used to run the following:
  Setup on each server
  The SharePoint Products and Technologies Configuration Wizard
  The PSConfig command-line tool
  The Stsadm command-line tool
Requirements:
  Domain user account
  Member of the Administrators group on each server on which Setup is run
  SQL Server login on the computer running SQL Server
  Member of the following SQL Server security roles: securityadmin fixed server role, dbcreator fixed server role
  If you run Stsadm command-line tool commands that read from or write to a database, this account must be a member of the db_owner fixed database role for the database.

Account: Server farm account
Purpose: The Server farm account is used to:
  Act as the application pool identity for the SharePoint Central Administration application pool.
  Run the Windows SharePoint Services Timer service.
Requirements: Domain user account. If the server farm is a child farm with Web applications that consume shared services from a larger farm, this account must be a member of the db_owner fixed database role on the configuration database of the larger farm.
  Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles: dbcreator fixed server role, securityadmin fixed server role, db_owner fixed database role for all databases in the server farm.
If you use a domain user account for the SQL Server service account, you must make sure that a valid service principal name (SPN) for that account and instance of SQL Server on your database server exists in your environment. This is the case regardless of whether you use NTLM or Kerberos authentication for Office SharePoint Server 2007. You must configure the SPN for that account in the domain using the Setspn.exe command-line tool. Setspn.exe is installed by default on computers running Windows Server 2008. Run the following command on a computer that is joined to the same domain as the user/service account:
setspn -a http/<farmclusterdnsname> <serviceaccountname>
You only have to complete this task once for this account.
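Added example, not from this guide: a PowerShell check that the SPN registered with setspn is actually present on the SQL Server service account and is not also registered on a second account, which is the common cause of Kerberos authentication failing silently after the command above. The account name, the SPN value and the use of PowerShell 2.0 are assumptions.

```powershell
# Added example (not from the Microsoft guide): verify the SPN on the SQL Server
# service account and look for duplicates across the domain. Placeholder values:
# the service account's sAMAccountName and the SPN in the form the guide's
# "setspn -a" command registers.
param(
    [string]$ServiceAccount = 'sqlsvc',                # assumed sAMAccountName
    [string]$ExpectedSpn    = 'http/farm.contoso.com'  # assumed SPN
)

function New-DomainSearcher {
    param([string]$Filter, [string]$Property)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]''     # default naming context of the current domain
    $searcher.Filter = $Filter
    $searcher.PropertiesToLoad.Add($Property) | Out-Null
    return $searcher
}

# Every account (user or computer) that carries the given SPN.
function Find-AccountsWithSpn {
    param([string]$Spn)
    $searcher = New-DomainSearcher -Filter "(servicePrincipalName=$Spn)" -Property 'sAMAccountName'
    foreach ($r in $searcher.FindAll()) { $r.Properties['samaccountname'][0] }
}

# All SPNs registered on one user account.
function Get-AccountSpns {
    param([string]$SamAccountName)
    $searcher = New-DomainSearcher -Filter "(&(objectCategory=person)(sAMAccountName=$SamAccountName))" `
                                   -Property 'servicePrincipalName'
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Account $SamAccountName was not found in the domain" }
    return @($result.Properties['serviceprincipalname'])
}

$spns = Get-AccountSpns -SamAccountName $ServiceAccount
if ($spns -contains $ExpectedSpn) {
    "OK: $ExpectedSpn is registered on $ServiceAccount"
} else {
    "MISSING: $ExpectedSpn is not registered on $ServiceAccount (run: setspn -a $ExpectedSpn $ServiceAccount)"
}

# A duplicate SPN means the KDC cannot tell which account key to use; Kerberos then fails.
$holders = @(Find-AccountsWithSpn -Spn $ExpectedSpn)
if ($holders.Count -gt 1) {
    "DUPLICATE: $ExpectedSpn is registered on more than one account: " + ($holders -join ', ')
}
```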
Windows SharePoint Services 3.0 SP1 and Office SharePoint Server 2007 SP1. For more information about using the updates folder to create a slipstreamed source, see the topic Create an installation source that includes software updates (http://technet.microsoft.com/en-us/library/cc261890.aspx).
Note: If you have not created an updated installation source, you must first install Office SharePoint Server 2007 without any software updates, and then, without running the SharePoint Products and Technologies Configuration Wizard at the end of the installation, install SP1. After the installations are complete, you can run the SharePoint Products and Technologies Configuration Wizard.
The server farm is established when you configure Office SharePoint Server 2007 on the first server. You must join additional servers in the server farm to this farm. Setting up the first server involves two steps: installing the Office SharePoint Server 2007 and SP1 components on the server, and configuring the farm. After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The SharePoint Products and Technologies Configuration Wizard automates several configuration tasks, including: installing and configuring the configuration database, installing Office SharePoint Server 2007 services, and creating the Central Administration Web site.
1. From the slipstreamed installation source, run Setup.exe on one of your Web servers. For more information about slipstreaming, see Create an installation source that includes software updates (http://technet.microsoft.com/en-us/library/cc261890.aspx).
2. On the Enter your Product Key page, enter your product key, and then click Continue.
Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and alerts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced. (The Basic option is for stand-alone installations.)
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is not selected.
10. Click Close.
Note: You should wait to run the SharePoint Products and Technologies Configuration Wizard until you have installed Office SharePoint Server 2007 and Office SharePoint Server 2007 SP1 and performed the rest of the procedures in this section on all the servers in the server farm.
Use the following procedure to add the SharePoint Central Administration Web site to the list of trusted sites.
Add the SharePoint Central Administration Web site to the list of trusted sites
1. In Windows Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL for the SharePoint Central Administration Web site, and then click Add.
5. Click Close to close the Trusted sites dialog box.
6. Click OK to close the Internet Options dialog box.
Use the following procedure to configure proxy server settings to bypass the proxy server for local addresses.
Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.
Additional servers
We recommend that you install and configure Office SharePoint Server 2007 on all of your front-end Web servers and the index server before you configure Office SharePoint Server 2007 services and create sites. If you want to build a minimal server farm configuration, and incrementally add front-end Web servers to expand the farm, you can install and configure Office SharePoint Server 2007 on a single Web server, and configure the Web server as both a front-end Web server and an application server. Regardless of how many servers you have in your server farm, you must have SQL Server 2005 running on at least one back-end database server before you install Office SharePoint Server 2007 on your front-end Web servers.
Important: If you uninstall Office SharePoint Server 2007 from the first server on which you installed it, your farm might experience problems. It is not recommended that you install Office SharePoint Server 2007 on an index server first.
Run Setup on additional servers: front-end Web servers
1. From the slipstreamed installation source, run Setup.exe on one of your Web servers.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Web Front End.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the following section.
Use the following procedure to run Setup on additional servers in your server farm.
Run Setup on additional servers: index or query server
1. From the slipstreamed installation source, run Setup.exe on one of your Web servers.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the next set of steps.
3. In the dialog box that notifies you that some services might need to be restarted during configuration, click Yes.
4. On the Connect to a server farm page, click No, I want to create a new server farm, and then click Next.
5. In the Specify Configuration Database Settings dialog box, in the Database server box, type the name of the computer that is running SQL Server.
6. Type a name for your configuration database in the Database name box, or use the default database name. The default name is SharePoint_Config.
7. In the User name box, type the user name of the server farm account. (Be sure to type the user name in the format <DOMAIN>\<user name>.)
Important: The server farm account is used to access your configuration database. It also acts as the application pool identity for the SharePoint Central Administration application pool, and it is the account under which the Windows SharePoint Services Timer service runs. The SharePoint Products and Technologies Configuration Wizard adds this account to the SQL Server Logins, the SQL Server Database Creator server role, and the SQL Server Security Administrators server role. The user account that you specify as the service account must be a domain user account, but it does not need to be a member of any specific security group on your Web servers or your back-end database servers. We recommend that you follow the principle of least privilege, and specify a user account that is not a member of the Administrators group on your Web servers or your back-end servers.
8. In the Password box, type the user's password, and then click Next.
9. On the Configure SharePoint Central Administration Web Application page, select the Specify port number check box and type a port number if you want the SharePoint Central Administration Web application to use a specific port, or leave the Specify port number check box cleared if it does not matter which port number the SharePoint Central Administration Web application uses.
10. In the Configure SharePoint Central Administration Web Application dialog box, do one of the following: If you want to use NTLM authentication (the default), click Next. If you want to use Kerberos authentication, click Negotiate (Kerberos), and then click Next.
Note: In most cases, use the default setting (NTLM). Use Negotiate (Kerberos) only if Kerberos authentication is supported in your environment. Using the Negotiate (Kerberos) option requires you to configure a service principal name (SPN) for the domain user account. To do this, you must be a member of the Domain Admins group. For more information, see How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
11. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
The SharePoint Central Administration Web site home page opens.
Notes:
If you are prompted for your user name and password, you might need to add the SharePoint Central Administration Web site to the list of trusted sites, and configure user authentication settings in Internet Explorer. Instructions for configuring these settings are provided in the next set of steps.
If a proxy server error message appears, you might need to configure your proxy server settings so that local addresses bypass the proxy server. Instructions for configuring this setting are provided later in this section.
Run the SharePoint Products and Technologies Configuration Wizard on additional servers
After Setup finishes, use the SharePoint Products and Technologies Configuration Wizard to configure Windows SharePoint Services 3.0. The configuration wizard automates several configuration tasks, including: installing and configuring the configuration database, and installing Windows SharePoint Services 3.0 services. Use the following instructions to run the SharePoint Products and Technologies Configuration Wizard.
Run the SharePoint Products and Technologies Wizard
1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Products and Technologies Configuration Wizard.
2. On the Welcome to SharePoint Products and Technologies page, click Next.
3. Click Yes in the dialog box that notifies you that some services might need to be restarted during configuration.
4. On the Connect to a server farm page, click Yes, I want to connect to an existing server farm, and then click Next.
5. In the Specify Configuration Database Settings dialog box, in the Database server box, type the name of the computer that is running SQL Server.
6. Click Retrieve Database Names, and then from the Database name list, select the database name that you created when you configured the first server in your server farm.
7. In the User name box, type the user name of the account used to connect to the computer running SQL Server. (Be sure to type the user name in the format <DOMAIN>\<user name>.) This must be the same user account you used when configuring the first server.
8. In the Password box, type the user's password, and then click Next.
9. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
10. On the Configuration Successful page, click Finish.
SharePoint Services Search service.
4. Next to Windows SharePoint Services Search, click Start.
5. On the Configure Windows SharePoint Services Search Service Settings page, in the Service Account section, specify the user name and password for the user account under which the Search service will run.
6. In the Content Access Account section, specify the user name and password for the user account that the Search service will use to search content. This account must have read access to all the content you want it to search. If you do not enter credentials, the same account used for the Search service will be used.
7. In the Indexing Schedule section, either accept the default settings, or specify the schedule that you want the Search service to use when searching content.
8. After you have configured all the settings, click Start.
4. On the Web Application List Web page, in the URL column, the server name with port number is listed for each Web application.
You should use Windows Firewall with Advanced Security to open the ports required for your server farm as identified in the Determine ports used by Web Applications (http://technet.microsoft.com/en-us/library/cc263408.aspx#BKMK_DeterminePortsUsedByWebApplications) procedure. For ease in managing the rules, we recommend that you create one rule per Web application and one for the two SSP ports. Alternatively, for more centralized rule management you can create one rule to manage all the ports. For Web applications you only need to create a rule to open a port for incoming connections; the rule for the two SSP ports must be configured to enable both incoming and outgoing traffic.
Configure Windows Firewall with Advanced Security
1. Click Start, point to All Programs, point to Administrative Tools, and then click Windows Firewall with Advanced Security.
2. In the User Account Control dialog box, click Continue.
3. In the details pane, in the Overview section, verify that the domain profile is active by checking whether the domain network location entry displays Domain Profile is Active.
4. In the Domain Profile is Active area, depending on how the inbound connections rule is configured, choose one of these options:
If it is Inbound connections that do not match a rule are allowed, you do not need to complete this procedure.
If it is Inbound connections that do not match a rule are blocked, you must proceed to the next step in this procedure to configure the firewall to allow Office SharePoint Server 2007 traffic.
5. On the Console Tree, select Inbound Rules, and then in the Actions pane click New Rule.
6. Complete the New Inbound Rule Wizard using the settings from the following table.
Wizard page          Settings
Rule Type            Select Port.
Protocol and Ports   Select TCP. Select Specific local ports. In the Specific local ports text box, type all the port numbers that you need.
Action               Select Allow the connection.
Profile              Enable Domain. Clear Private and Public.
Name                 In the Name and Description text boxes, type information that is both descriptive and meaningful for your network administrators. As a best practice, we recommend that you assign each firewall rule a unique name. When unique names are assigned, it is easier to use Windows Server 2008 Network Shell (Netsh) commands to manage the network.
7. On the Console Tree, select Outbound Rules, and then in the Actions pane click New Rule.
8. Complete the New Outbound Rule Wizard using the settings from the following table.
Wizard page          Settings
Rule Type            Select Port.
Protocol and Ports   Select TCP. Select Specific local ports. In the Specific local ports text box, type all the port numbers that you need.
Action               Select Allow the connection.
Profile              Enable Domain. Clear Private and Public.
Name                 In the Name and Description text boxes, type information that is both descriptive and meaningful for your network administrators. As a best practice, we recommend that you assign each firewall rule a unique name. When unique names are assigned, it is easier to use Windows Server 2008 Network Shell (Netsh) commands to manage the network.
For more information about Windows Firewall with Advanced Security, see Windows Firewall (http://go.microsoft.com/fwlink/?LinkID=84639).
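Added example, not part of this guide: the same rules created with the Netsh commands the Name row refers to, following the recommendation above of one inbound rule per Web application plus an inbound and an outbound rule for the two SSP ports, limited to the domain profile. Rule names and port numbers are assumed placeholders; take the real ports from the Web Application List page.

```powershell
# Added example (not from the Microsoft guide): create the Windows Firewall with
# Advanced Security rules with netsh so that every Web server in the farm gets the
# same uniquely named rules. Rule names and ports below are assumed placeholders.
$webAppPorts = @{                       # assumed: unique rule name -> TCP port of one Web application
    'SharePoint-CentralAdmin' = 40000
    'SharePoint-Portal'       = 80
    'SharePoint-MySites'      = 8080
}
$sspPorts = @(56737, 56738)             # assumed: the two SSP ports

function Add-FarmFirewallRule {
    param(
        [string]$Name,        # unique, so later "netsh ... show|delete rule name=" is unambiguous
        [string]$Direction,   # 'in' or 'out'
        [int[]]$Ports
    )
    $portList = [string]::Join(',', ($Ports | ForEach-Object { $_.ToString() }))
    # profile=domain matches the wizard settings: Enable Domain, clear Private and Public.
    & netsh advfirewall firewall add rule name=$Name dir=$Direction action=allow `
        protocol=TCP localport=$portList profile=domain
}

# Step 4 of the procedure: show the domain profile; the rules are only needed when
# inbound connections that match no rule are blocked.
& netsh advfirewall show domainprofile

# Web applications need an inbound rule only.
foreach ($entry in $webAppPorts.GetEnumerator()) {
    Add-FarmFirewallRule -Name $entry.Key -Direction 'in' -Ports @($entry.Value)
}

# The SSP ports must allow both incoming and outgoing traffic.
Add-FarmFirewallRule -Name 'SharePoint-SSP-In'  -Direction 'in'  -Ports $sspPorts
Add-FarmFirewallRule -Name 'SharePoint-SSP-Out' -Direction 'out' -Ports $sspPorts

# Verify what was created.
& netsh advfirewall firewall show rule name=all | Select-String 'SharePoint-'
```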
Configure incoming e-mail settings
You can configure incoming e-mail settings so that SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-mail settings so that SharePoint sites can archive e-mail discussions as they happen, save documents, and send meeting requests to site calendars. In addition, you can configure the SharePoint Directory Management Service to provide support for e-mail distribution list creation and management. For more information, see Configure incoming e-mail settings.
Configure outgoing e-mail settings
You can configure outgoing e-mail settings so that your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and notifications to site administrators. You can configure both the "From" e-mail address and the "Reply" e-mail address that appear in outgoing alerts. You can also configure outgoing e-mail settings for all Web applications or for only one Web application. For more information, see Configure outgoing e-mail settings and Configure outgoing e-mail settings for a specific Web application.
Configure workflow settings
You can configure workflow settings to enable end users to create their own workflows by using code pre-generated by administrators. You can also configure whether internal users without site access can receive workflow alerts, and whether external users can participate in workflows by receiving copies of documents by e-mail. For more information, see Configure workflow settings.
Configure diagnostic logging settings
You can configure several diagnostic logging settings to help with troubleshooting. These include enabling and configuring trace logs, event messages, user-mode error messages, and Customer Experience Improvement Program events. For more information, see Configuring diagnostic logging settings.
Configure single sign-on
You can configure single sign-on settings in the farm. Single sign-on enables you to connect to external data sources by using Excel Calculation Services or the Business Data Catalog. For more information, see Configure single sign-on.
Configure antivirus settings
You can configure several antivirus settings if you have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus settings allow you to control whether documents are scanned on upload or on download, and whether users can download infected documents. You can also specify how long you want the antivirus program to run before it times out, and you can specify how many execution threads the antivirus program can use on the server. For more information, see Configure antivirus settings.
You can use the following procedure to configure optional administrative settings using SharePoint Central Administration.

Configure administrative settings using SharePoint Central Administration
1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
2. On the SharePoint Central Administration home page, in the Administrator Tasks list, click the administrative task that you want to perform.
3. On the Administrator Tasks page, next to Action, click the task.
   d. In the Host Header box, type the URL you wish to use to access the Web application. This is an optional field.
   e. In the Path box, type the path to the site directory on the server. If you are creating a new Web site, this field is populated with a suggested path. If you are using an existing Web site, this field is populated with the current path.
6. In the Security Configuration section, configure authentication and encryption for your Web application.
   a. In the Authentication Provider section, choose either Negotiate (Kerberos) or NTLM.
   Note: To enable Kerberos authentication, you must perform additional configuration tasks. For more information about authentication methods, see Plan authentication methods (http://technet.microsoft.com/en-us/library/cc262350.aspx).
   b. In the Allow Anonymous section, choose Yes or No. If you choose to allow anonymous access, this enables anonymous access to the Web site using the computer-specific anonymous access account (that is, IUSR_<computername>).
   Note: If you want users to be able to access any site content anonymously, you must enable anonymous access for the entire Web application. Later, site owners can configure how anonymous access is used within their sites. For more information about anonymous access, see Determine which Windows security groups and accounts to use for granting access to sites.
   c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you choose to enable SSL for the Web site, you must configure SSL by requesting and installing an SSL certificate.
   Important: If you use SSL, you must add the appropriate certificate on each server by using IIS administration tools. For more information about using SSL, see Plan for secure communication within a server farm (http://technet.microsoft.com/en-us/library/cc263077.aspx).
7. In the Load Balanced URL section, type the URL for the domain name for all sites that users will access in this Web application. This URL domain will be used in all links shown on pages within the Web application. By default, the box is populated with the current server name and port. The Zone box is automatically set to Default for a new Web application, and cannot be changed from this page. To change the zone for a Web application, see Extend an existing Web application.
8. In the Application Pool section, choose whether to use an existing application pool or create a new application pool for this Web application. To use an existing application pool, select Use existing application pool, and then select the application pool you wish to use from the drop-down menu.
   a. To create a new application pool, select Create a new application pool.
   b. In the Application pool name box, type the name of the new application pool, or keep the default name.
   c. In the Select a security account for this application pool section, select Predefined to use an existing application pool security account, and then select the security account from the drop-down menu.
   d. Select Configurable to use an account that is not currently being used as a security account for an existing application pool. In the User name box, type the user name of the account you wish to use, and then, in the Password box, type the password for the account.
9. In the Reset Internet Information Services section, choose whether to allow Windows SharePoint Services to restart IIS on other farm servers. The local server must be restarted manually for the process to finish. If this option is not selected, and you have more than one server in the farm, you must wait until the IIS Web site is created on all servers and then run iisreset /noforce on each Web server. The new IIS site is not usable until that action is completed. The choices are unavailable if your farm only contains a single server.
10. In the Database Name and Authentication section, choose the database server, database name, and authentication method for your new Web application.
Item                      Action
Database Server           Type the name of the database server and SQL Server instance you want to use in the format <SERVERNAME>\<instance>. You may also use the default entry.
Database Name             Type the name of the database, or use the default entry.
Database Authentication   Choose whether to use Windows authentication (recommended) or SQL authentication. If you want to use Windows authentication, leave this option selected. If you want to use SQL authentication, select SQL authentication. In the Account box, type the name of the account you want the Web application to use to authenticate to the SQL Server database, and then type the password in the Password box.
11. Click OK to create the new Web application, or click Cancel to cancel the process and return to the Application Management page.
Use the following procedure to create a site collection.

Create a site collection
1. On the top link bar, click Application Management.
2. On the Application Management page, in the SharePoint Site Management section, click Create site collection.
3. On the Create Site Collection page, if the Web application in which you want to create the site collection is not selected, on the Web Application menu, click Change Web Application, and then on the Select Web Application page, click the Web application in which you want to create the site collection.
4. In the Title and Description section, type the title and description for the site collection.
5. In the Web Site Address section, in the URL area, select the path to use for your URL (such as an included path like /sites/ or the root directory, /). If you select a wildcard inclusion path, such as /sites/, you must also type the site name to use in your site's URL.
   Note: The paths available for the URL option are taken from the list of managed paths that have been defined as wildcard inclusions. For more information about managed paths, see Define managed paths in the Central Administration Help system (http://technet.microsoft.com/en-us/library/cc263179.aspx).
6. In the Template Selection section, in the Select a template list, select the template that you want to use for the top-level site in the site collection.
7. In the Primary Site Collection Administrator section, enter the user name (in the form DOMAIN\user name) for the user who will be the site collection administrator.
8. If you want to identify a user as the secondary owner of the new top-level Web site (recommended), in the Secondary Site Collection Administrator section, enter the user name for the secondary administrator of the site collection.
9. If you are using quotas to limit resource use for site collections, in the Quota Template section, click a template in the Select a quota template list.
10. Click OK.
Use the following procedure to create a SharePoint site.

Create a SharePoint site
1. On the SharePoint Central Administration home page, click the Application Management tab on the top link bar.
2. On the Application Management page, in the SharePoint Site Management section, click Site collection list.
3. On the Site Collection List page, in the URL column, click the URL for the site collection to which you want to add a site. The full URL path for the site collection appears in the URL box.
4. Copy and paste the full URL path into your browser, and then, on the home page of the top-level site for the site collection, on the Site Actions menu, click Create.
5. On the Create page, in the Web Pages section, click Sites and Workspaces.
6. On the New SharePoint Site page, in the Title and Description section, type a title and description for the site.
7. In the Web Site Address section, type a URL for the site.
8. In the Template Selection section, select a template from the tabbed template control.
9. Either change other settings, or click Create to create the site. The new site opens.

After creating sites, you might want to configure alternate access mappings. Alternate access mappings direct users to the correct URLs during their interaction with Office SharePoint Server 2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for example). Alternate access mappings enable Office SharePoint Server 2007 to map Web requests to the correct Web applications and sites, and they enable Office SharePoint Server 2007 to display the correct site. For more information, see Plan alternate access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).
Configure the trace log to save seven days of events
1. In Central Administration, on the Operations tab, in the Logging and Reporting section, click Diagnostic logging.
2. On the Diagnostic Logging page, in the Trace Log section, do the following:
   In the Number of log files box, type 336.
   In the Number of minutes to use a log file box, type 30.
   Tip: To save 10,080 minutes (seven days) of events, you can use any combination of number of log files and minutes to store in each log file.
3. Ensure that the path specified in the Path box has enough room to store the extra log files, or change the path to another location.
   Tip: We recommend that you store log files on a hard drive partition that is used to store log files only.
4. Click OK.
7. Type Application Support, and then press ENTER.
8. Select the Application Support key, and then on the Edit menu, click New, and then click Key.
9. Type {c2f52614-5e53-4858-a589-38eeb25c6184} as the key name, and then press ENTER. This is the GUID for the WSS Writer.
10. Select the new key, and then on the Edit menu, click New, and then click String Value.
11. Type Application Identifier as the new value, and then press ENTER.
12. Right-click the Application Identifier value, and then click Modify.
13. In the Value Data box, type Windows SharePoint Services, and then click OK.
14. On the Edit menu, click New, and then click DWORD (32-bit) Value.
15. Type UseSameVssContext as the new value name, and then press ENTER.
16. Right-click the UseSameVssContext value, and then click Modify.
17. In the Value Data box, type 00000001, and then click OK.
This section discusses how to do a clean installation of Microsoft Office SharePoint Server 2007 on a stand-alone server or on a server farm by using command-line tools. The command-line tools enable you to customize the configuration of Office SharePoint Server 2007. Additionally, you can streamline deployment by using command-line installations in combination with other administrator tools to automate unattended installations.

To install Office SharePoint Server 2007 on a server farm, you have to complete the following steps:
1. Plan the deployment and ensure that you have installed all the software requirements.
2. Determine the required accounts that are used during installation.
3. Install Office SharePoint Server 2007 by running Setup at a command prompt, and specifying a configuration file.
4. Configure the server by using the Psconfig command-line tool with the appropriate options.
5. Create a Shared Services Provider (SSP) by using the Stsadm command-line tool (only applies on server-farm installations).
6. Create a site collection by using the Stsadm command-line tool (only applies on server-farm installations).
Windows Server 2008, see Installing Microsoft Office SharePoint Server 2007 on Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=122586&clcid=0x409).
  Note: All the instances of Office SharePoint Server 2007 in the farm must be in the same language. For example, you cannot have both English and Japanese versions of Office SharePoint Server 2007 in the same farm.
- The Microsoft .NET Framework version 3.0. The .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features.
  Note: You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=110508).
- ASP.NET 2.0 enabled in the Internet Information Services (IIS) Manager on all servers that are running Office SharePoint Server 2007.
- Microsoft SQL Server 2000 or Microsoft SQL Server 2005 with the most recent service pack running on at least one database server before you install Office SharePoint Server 2007 on the Web servers.
To deploy a server farm, you must have at least one server computer acting as a Web server and an application server, and one server computer acting as a database server.
The following table describes the accounts that are used during installation and configuration of Office SharePoint Server 2007. These accounts must be created and configured before you run Setup.
Account: Setup user account
Purpose: Used to run the following:
  Setup on each server.
  The SharePoint Products and Technologies Configuration Wizard.
  The Psconfig command-line tool.
  The Stsadm command-line tool.
Requirements:
  Domain user account.
  Member of the Administrators group on each server on which Setup is run.
  SQL Server login on the computer that is running SQL Server.
  Member of the following SQL Server security roles:
    securityadmin fixed server role
    dbcreator fixed server role
  If you run Stsadm command-line tool commands that read from or write to a database, the Setup user account must be a member of the db_owner fixed database role for the database.

Account: Server farm account
Purpose: Used to:
  Configure and manage the server farm.
  Act as the application pool identity for the SharePoint Central Administration application pool.
  Run the Windows SharePoint Services Timer service.
Requirements:
  Domain user account.
  If the server farm is a child farm with Web applications that consume shared services from a larger farm, the server farm account must be a member of the db_owner fixed database role on the configuration database of the larger farm.
  Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm. The server farm account is automatically added as a SQL Server login on the computer that is running SQL Server, and added to the following SQL Server security roles:
    dbcreator fixed server role
    securityadmin fixed server role
    db_owner fixed database role for all databases in the server farm
Install Microsoft Office SharePoint Server 2007 by running Setup at a command prompt
After you have determined the required accounts for the installation, you can install Office SharePoint Server 2007. The product DVD contains examples of configuration (Config.xml) files. These example files are stored under the \Files folder in the root directory of the DVD, in folders that correspond to different scenarios. These example files are described in the following table.
Configuration file               Description
Setup\Config.xml                 Stand-alone server installation, using Microsoft SQL Server 2005 Express Edition
                                 Server farm installation
                                 Gradual upgrade of an existing farm
SetupFarmSilent\Config.xml       Server farm installation in silent mode
                                 In-place upgrade of an existing farm
SetupSilent\Config.xml           Stand-alone server installation, using SQL Server 2005 Express Edition, in silent mode
SetupSingleUpgrade\Config.xml    In-place upgrade of an existing single-server installation
Important: The example configuration files that are included with Office SharePoint Server 2007 omit the <Setting Id="SETUP_REBOOT" Value="Never"/> setting. You must include this setting if you want to suppress restarts during a command-line installation.

Example
The following example shows the configuration file for setting up a single server in silent mode (SetupSilent).

  <Configuration>
    <Package Id="sts">
      <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
      <Setting Id="REBOOT" Value="ReallySuppress"/>
      <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
    </Package>
    <Package Id="spswfe">
      <Setting Id="SETUPCALLED" Value="1"/>
      <Setting Id="REBOOT" Value="ReallySuppress"/>
      <Setting Id="OFFICESERVERPREMIUM" Value="1" />
    </Package>
    <Logging Type="verbose" Path="%temp%" Template="Office Server Setup(*).log"/>
    <Display Level="none" CompletionNotice="no" />
    <PIDKEY Value="Enter PID Key Here" />
    <Setting Id="SERVERROLE" Value="SINGLESERVER"/>
    <Setting Id="USINGUIINSTALLMODE" Value="0"/>
  </Configuration>

Run Setup with a Config.xml file at a command prompt
1. On the drive on which the Office SharePoint Server 2007 product DVD is located, change to the root directory to locate the setup.exe file.
2. Run Setup with the selected Config.xml file:
   setup /config <path and file name>
   Note: You can select one of the example files, or customize your own configuration file.
3. Press ENTER. Setup is now finished.

Example
To run Setup in silent mode, type one of the following commands at a command prompt, and then press ENTER:
  setup /config Files\SetupSilent\config.xml (for a single server deployment)
  setup /config Files\SetupFarmSilent\config.xml (for a farm deployment)
You can also customize your own configuration file. To control the installation, first edit the Config.xml file in a text editor to include the elements that you want with the appropriate settings for those elements. Then run setup /config <path and file name> to specify that Setup runs and uses the options that you set in the Config.xml file. Some typical configuration options include the following:
- Bypassing the prompt for the product key by providing the key as a value, <PIDKEY Value="Enter PID Key Here" />, in the Config.xml file.
- Adding a location for a log file, <Logging Type="off" | "standard"(default) | "verbose" Path="path" Template="file name.log"/>, which you can view if command-line installation fails.

Important: Use a text editor, such as Notepad, to edit Config.xml. Do not use a general-purpose XML editor such as Microsoft Office Word 2007.

For more information about the options available for customizing the configuration file, see Config.xml reference (http://technet.microsoft.com/en-us/library/cc261668.aspx). For more information about the command-line options for Setup, see Setup.exe command-line reference (http://technet.microsoft.com/en-us/library/cc262897.aspx).
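As an added example, not from this guide or the product, the following Python script checks a Config.xml of the format shown above against the points this section makes before an unattended run: the SETUP_REBOOT setting the shipped examples omit, REBOOT=ReallySuppress in each package, a Display level that cannot prompt, a log location, and a PIDKEY that is not the placeholder text. The function and finding names are mine; the embedded configuration is the guide's SetupSilent example reconstructed inline.

```python
"""Pre-flight checks for an Office SharePoint Server 2007 Setup Config.xml.

Added example, not part of the deployment guide. Rules come from the guide's
text; check_silent_config and with_reboot_and_key are my own names.
"""
import xml.etree.ElementTree as ET

PLACEHOLDER_PIDKEY = "Enter PID Key Here"   # placeholder used in the guide's example

# The guide's SetupSilent example, constructed inline: SETUP_REBOOT is still
# missing and the PIDKEY still holds the placeholder, so two findings are expected.
GUIDE_EXAMPLE = """<Configuration>
  <Package Id="sts">
    <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
    <Setting Id="REBOOT" Value="ReallySuppress"/>
    <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
  </Package>
  <Package Id="spswfe">
    <Setting Id="SETUPCALLED" Value="1"/>
    <Setting Id="REBOOT" Value="ReallySuppress"/>
    <Setting Id="OFFICESERVERPREMIUM" Value="1"/>
  </Package>
  <Logging Type="verbose" Path="%temp%" Template="Office Server Setup(*).log"/>
  <Display Level="none" CompletionNotice="no"/>
  <PIDKEY Value="Enter PID Key Here"/>
  <Setting Id="SERVERROLE" Value="SINGLESERVER"/>
  <Setting Id="USINGUIINSTALLMODE" Value="0"/>
</Configuration>
"""


def check_silent_config(xml_text):
    """Return a list of finding strings; an empty list means the file passes."""
    root = ET.fromstring(xml_text)
    findings = []

    # Top-level <Setting> elements apply to the whole run; package ones to one package.
    top = {s.get("Id"): s.get("Value") for s in root.findall("Setting")}

    # 1. Silent mode: no UI and no completion dialog that waits for a click.
    display = root.find("Display")
    if display is None or display.get("Level") != "none":
        findings.append("Display Level is not 'none'; Setup may show UI")
    elif display.get("CompletionNotice", "").lower() != "no":
        findings.append("CompletionNotice is not 'no'; Setup waits on a dialog")

    # 2. Restarts: the guide says the shipped examples omit SETUP_REBOOT.
    if top.get("SETUP_REBOOT") != "Never":
        findings.append('missing <Setting Id="SETUP_REBOOT" Value="Never"/>')
    for pkg in root.findall("Package"):
        pkg_settings = {s.get("Id"): s.get("Value") for s in pkg.findall("Setting")}
        if pkg_settings.get("REBOOT") != "ReallySuppress":
            findings.append(f"package {pkg.get('Id')} does not set REBOOT=ReallySuppress")

    # 3. Product key: the placeholder from the example must have been replaced.
    pidkey = root.find("PIDKEY")
    if pidkey is None or not pidkey.get("Value"):
        findings.append("no PIDKEY; Setup will prompt for the product key")
    elif pidkey.get("Value") == PLACEHOLDER_PIDKEY:
        findings.append("PIDKEY still holds the placeholder text")

    # 4. The log is what you read when a silent run fails; Type defaults to standard.
    logging = root.find("Logging")
    if logging is not None and logging.get("Type") == "off":
        findings.append("logging is off; a failed silent install leaves no log")

    return findings


def with_reboot_and_key(xml_text, pidkey):
    """Return a copy of the config with SETUP_REBOOT added and the PIDKEY set."""
    root = ET.fromstring(xml_text)
    root.find("PIDKEY").set("Value", pidkey)
    if not any(s.get("Id") == "SETUP_REBOOT" for s in root.findall("Setting")):
        ET.SubElement(root, "Setting", Id="SETUP_REBOOT", Value="Never")
    return ET.tostring(root, encoding="unicode")
```

Because the product key sits in clear text in Config.xml, keep the file readable only by the Setup user account and remove it from the server once the unattended run is finished.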
Note: Ensure that you follow the procedure in the order that it is written to avoid configuration problems.

Configure SharePoint Server 2007 on a farm by using the Psconfig command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Create the configuration database:
   psconfig -cmd configdb -create -server <database server name> -database <database name> [-dbuser <domain\user name> -dbpassword <password>] -user <domain\user name> -password <password> -addomain <domain name> -adorgunit <org unit> -admincontentdatabase <Central Administration Web application content database name>
   Note: The dbuser and dbpassword parameters are only used in deployments that use SQL Server authentication. If you are using Windows authentication, these parameters are not required.
3. Install all Help collections:
   psconfig -cmd helpcollections -installall
4. Perform resource security enforcement:
   psconfig -cmd secureresources
5. Register services in the server farm:
   psconfig -cmd services -install
   Note: After installing services, you must start and configure two services, Windows SharePoint Services Search and Office SharePoint Server Search, by using the Stsadm command-line tool:
   a. stsadm -o spsearch -action start -farmserviceaccount <domain\user name> -farmservicepassword <password> [-databasename <content database name>] [-databaseserver <server instance>] [-searchserver <search server name>]
      For more information, see Spsearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc288507.aspx).
   b. stsadm -o osearch -action start -role IndexQuery -farmserviceaccount <domain\user name> -farmservicepassword <password> -farmcontactemail <user@domain.com>
      For more information, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).
   c. Provision the services of the farm:
      psconfig -cmd services -provision
6. Register all features:
   psconfig -cmd installfeatures
7. Provision the SharePoint Central Administration Web application:
   psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm
8. Install shared application data:
   psconfig -cmd applicationcontent -install

The SharePoint Central Administration Web site has now been created. We recommend that you install and configure Office SharePoint Server 2007 on all of the farm servers before you create sites.

Note: If any of these commands fail, look in the post-setup configuration log files. The log files are available at %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Logs, and can be identified by a file name that begins with PSC and the .log file name extension.

To connect to an existing configuration database and join the server to an existing server farm, you have to run the configdb command together with the -connect parameter instead of the -create parameter:
   psconfig -cmd configdb -connect -server <server name> -database <database name>
Note: Omit the -admincontentdatabase parameter because you have already included it when you created the configuration database.

Use the psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm command if you want to provision the SharePoint Central Administration Web application on additional servers, which reduces the risk if the server that is running the SharePoint Central Administration Web application fails.

To successfully complete the command-line installation on a server farm, you must use the Stsadm command-line tool to create the Shared Services Provider (SSP), and then a site collection for the farm. However, before you create the SSP and a site collection, we recommend that you first perform some additional configuration tasks.
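As an added example, not part of the guide or the product, this Python script assembles the command lines from the procedure above in the required order and stops at the first non-zero exit code, which is the moment to open the PSC*.log files. FarmParams, build_steps, run_steps and redact are my own names; passing each command as an argument list (no shell) and masking password values before a command line is printed or logged are my additions.

```python
"""Ordered, stop-on-failure runner for the Psconfig/Stsadm farm procedure.

Added example, not part of the deployment guide. The command lines are the
ones the guide lists; every name below is mine.
"""
import os
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

BIN_DIR = r"%COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin"
LOG_DIR = r"%COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Logs"
SECRET_FLAGS = {"-password", "-dbpassword", "-farmservicepassword"}


@dataclass
class FarmParams:
    """Values the guide's <placeholders> stand for (field names are mine)."""
    db_server: str              # <database server name>, e.g. SQL01\SP
    config_db: str              # <database name> of the configuration database
    admin_content_db: str       # Central Administration content database name
    farm_account: str           # server farm account, domain\user name
    farm_password: str
    ad_domain: str
    ad_orgunit: str
    admin_port: int             # port for the Central Administration Web application
    farm_contact_email: str
    search_server: str
    sql_user: Optional[str] = None      # set both only for SQL Server authentication
    sql_password: Optional[str] = None


def configdb_args(p: FarmParams, join_existing: bool) -> List[str]:
    """-create on the first server; -connect (same parameters minus
    -admincontentdatabase) on servers that join. -dbuser/-dbpassword only for SQL auth."""
    args = ["psconfig", "-cmd", "configdb",
            "-connect" if join_existing else "-create",
            "-server", p.db_server, "-database", p.config_db]
    if p.sql_user is not None:
        args += ["-dbuser", p.sql_user, "-dbpassword", p.sql_password or ""]
    args += ["-user", p.farm_account, "-password", p.farm_password,
             "-addomain", p.ad_domain, "-adorgunit", p.ad_orgunit]
    if not join_existing:
        args += ["-admincontentdatabase", p.admin_content_db]
    return args


def build_steps(p: FarmParams, join_existing: bool = False) -> List[List[str]]:
    """The command lines from the procedure, in the order the guide requires."""
    farm_svc = ["-farmserviceaccount", p.farm_account,
                "-farmservicepassword", p.farm_password]
    return [
        configdb_args(p, join_existing),
        ["psconfig", "-cmd", "helpcollections", "-installall"],
        ["psconfig", "-cmd", "secureresources"],
        ["psconfig", "-cmd", "services", "-install"],
        ["stsadm", "-o", "spsearch", "-action", "start", *farm_svc,
         "-searchserver", p.search_server],
        ["stsadm", "-o", "osearch", "-action", "start", "-role", "IndexQuery",
         *farm_svc, "-farmcontactemail", p.farm_contact_email],
        ["psconfig", "-cmd", "services", "-provision"],
        ["psconfig", "-cmd", "installfeatures"],
        ["psconfig", "-cmd", "adminvs", "-provision", "-port", str(p.admin_port),
         "-windowsauthprovider", "onlyusentlm"],
        ["psconfig", "-cmd", "applicationcontent", "-install"],
    ]


def redact(argv: List[str]) -> List[str]:
    """Mask the value that follows a password flag before a command line is logged."""
    out, hide = [], False
    for arg in argv:
        out.append("***" if hide else arg)
        hide = arg.lower() in SECRET_FLAGS
    return out


def real_runner(argv: List[str]) -> int:
    """Run one tool from the Bin directory; argv is passed without a shell."""
    return subprocess.run(argv, cwd=os.path.expandvars(BIN_DIR)).returncode


def run_steps(steps: List[List[str]],
              runner: Callable[[List[str]], int] = real_runner
              ) -> Tuple[int, Optional[List[str]]]:
    """Run the steps in order; return (steps completed, failing command or None)."""
    for done, argv in enumerate(steps):
        print("running:", " ".join(redact(argv)))
        if runner(argv) != 0:
            print("failed; check the PSC*.log files in", LOG_DIR)
            return done, argv
    return len(steps), None
```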
Configure outgoing e-mail settings.
Configure workflow settings.
Configure diagnostic logging settings.
Configure antivirus settings.
Create a Shared Services Provider (SSP) by using the Stsadm command-line tool
After you create and configure Office SharePoint Server 2007 on a farm, you must use the Stsadm command-line tool to create the SSP for the farm. The Stsadm command-line tool is available on the installation drive for Office SharePoint Server 2007 at %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

Important: To run the Stsadm command-line tool, you must be a member of the Administrators group on the local computer.

The recommended procedure for creating an SSP is to create a Web application for the My Site host location, and a separate Web application for the Shared Services Administration Web site. To create a new Web application, use the following procedure.

Create a Web application by using the Stsadm command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Type the following command, and then press ENTER:
   stsadm -o extendvs -url <URL name> -ownerlogin <domain\user name> -owneremail <e-mail address> [-exclusivelyusentlm] [-ownername <display name>] [-databaseuser <database user name>] [-databaseserver <database server name>] [-databasename <new content database name>] [-databasepassword <database password>] [-lcid <language>] [-sitetemplate <site template>] [-donotcreatesite] [-description] [-sethostheader] [-apidname <application pool name>] [-apidtype {configurableID | NetworkService}] [-apidlogin <domain\user name>] [-apidpwd <application pool password>] [-allowanonymous]
   For more information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).

The extendvs operation creates the Web application. The donotcreatesite parameter creates the Web application without creating a site collection on the Web application. After creating the Web applications for the My Site host location and for the Shared Services Administration Web site, you create the SSP.

Create an SSP by using the Stsadm command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Type the following command, and then press ENTER:
   stsadm -o createssp -title <SSP name> -url <Web application URL> -mysiteurl <My Site Web application URL> -ssplogin <user name> -indexserver <index server name> -indexlocation <index file path> [-ssppassword <password>] [-sspdatabaseserver <SSP database server name>] [-sspdatabasename <SSP database name>] [-sspsqlauthlogin <SQL user name>] [-sspsqlauthpassword <SQL password>] [-searchdatabaseserver <search database server name>] [-searchdatabasename <search database name>] [-searchsqlauthlogin <SQL user name>] [-searchsqlauthpassword <SQL password>] [-ssl {Yes | No}]
   For more information, see Createssp: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262773.aspx).
Example
The following command creates a Web application with the URL http://intranet:8080 that can be used to host the SSP Administration site.
   stsadm -o extendvs -url http://intranet:8080 -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -databaseserver <database server name> -databasename <SSP content database> -donotcreatesite -apidname <SSP application pool name> -apidtype {configurableID | NetworkService} -apidlogin <domain\user name> -apidpwd <password>
Similarly, you can create another Web application as the My Site host location by using the following command:
   stsadm -o extendvs -url http://intranet:8090 -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -databaseserver <database server name> -databasename <My Sites content database name> -donotcreatesite -apidname <My Sites application pool name> -apidtype {configurableID | NetworkService} -apidlogin <domain\user name> -apidpwd <password>
Then you create the SSP, named MySSP1, with its database MySSP1_db:
   stsadm -o createssp -title MySSP1 -url http://intranet -mysiteurl http://intranet:8090 -ssplogin <domain\user name> -ssppassword <password> -sspdatabaseserver <SSP database server name> -sspdatabasename MySSP1_db -indexserver <index server name> -indexlocation "D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications" -searchdatabaseserver <search database server name> -searchdatabasename <search database name>
For more information, see Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx).
   stsadm -o extendvs -url <URL name> -ownerlogin <domain\user name> -owneremail <e-mail address> [-exclusivelyusentlm] [-ownername <display name>] [-databaseuser <database user name>] [-databaseserver <database server name>] [-databasename <new content database name>] [-databasepassword <database password>] [-lcid <language>] [-sitetemplate <site template>] [-donotcreatesite] [-description] [-sethostheader] [-apidname <application pool name>] [-apidtype {configurableID | NetworkService}] [-apidlogin <domain\user name>] [-apidpwd <application pool password>] [-allowanonymous]
   For more information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx) and Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx).

Example
The following command creates a site collection at http://intranet that uses the corporate intranet site template.
   stsadm -o extendvs -url http://intranet -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -sitetemplate SPSPORTAL -apidname "SharePoint AppPool" -apidtype {configurableID | NetworkService} -apidlogin <domain\user name> -apidpwd <password>
If you do not specify the site template to use, site owners can choose the site template when they first browse to the site. The following table lists common templates.
Parameter value    Description
STS#0
STS#1
                   Document workspace
                   Basic meeting workspace
                   Blank meeting workspace
                   Decision meeting workspace
                   Social meeting workspace
                   Multipage meeting workspace
                   Blog
                   Wiki site
If you want to create additional Web applications or site collections by using the Stsadm command-line tool, you can use either the extendvs operation or the createsite operation. The extendvs operation extends a Web application and creates a new content database. The createsite operation creates a site collection at a specific URL with a specified user as a site owner.

Note: The createsite operation does not create a new content database. If you want to create a new content database with the new site, use the createsiteinnewdb operation. For more information, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx) and Createsiteinnewdb: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262407.aspx).

The extendvs operation also enables site collection administrators to specify the language of the site collection by using the Locale ID (LCID) parameter. If you do not specify an LCID, the language of the server is used for the top-level site collection. For more information about the available LCID values, see List of Locale ID (LCID) Values as Assigned by Microsoft (http://go.microsoft.com/fwlink/?LinkId=63028&clcid=0x409).

After creating sites, you might want to configure alternate access mappings. Alternate access mappings direct users to the correct URLs during their interaction with Office SharePoint Server 2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for example). Alternate access mappings enable Office SharePoint Server 2007 to map Web requests to the correct Web applications and sites, and they enable Office SharePoint Server 2007 to serve the correct content back to the user. For more information, see Plan alternate access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).
Install Office SharePoint Server 2007 with least privilege administration by using the command line
In this section:
  Install software requirements
  Determine required accounts for least-privilege administration
  Install Microsoft Office SharePoint Server 2007 by using least-privilege administration
  Configure the server by using the Psconfig command-line tool
  Perform additional configuration tasks
  Create a Shared Services Provider by using the Stsadm command-line tool
  Create a site collection by using the Stsadm command-line tool
  Configure the trace log

This section discusses how to install Microsoft Office SharePoint Server 2007 on a stand-alone server or on a server farm by using least-privilege administration. The Office SharePoint Server 2007 standard configuration uses a set of user accounts and installation settings for both stand-alone servers and server farms to simplify the installation process. However, enterprises are often required to use least-privilege administration in which each service or user is provided with only the minimum permissions and group memberships that they need to accomplish the tasks that they are authorized to perform. Installing Office SharePoint Server 2007 with least-privilege administration requires additional preparation and configuration steps. We strongly recommend that you use least-privilege administration.

To install Office SharePoint Server 2007 by using least-privilege administration on either a stand-alone server or a server farm, you complete the following steps:
1. Plan the deployment and ensure that you have installed all the software requirements.
2. Determine the required accounts that are used during installation.
3. Use the least-privilege Setup user account to install Office SharePoint Server 2007 by using Setup at a command prompt and specifying a configuration file.
4. Configure the server by using the Psconfig command-line tool with the appropriate options.
5. Create a Shared Services Provider (SSP) by using the Stsadm command-line tool (only applies on server-farm installations).
6. Create a site collection by using the Stsadm command-line tool (only applies on server-farm installations).
Many requirements and configuration steps for installing Office SharePoint Server 2007 by using least-privilege administration resemble the standard farm installation. For more information about the standard farm installation, see Chapter overview: Install Office SharePoint Server 2007 in a server farm environment. The following table describes the accounts that are used to install Office SharePoint Server 2007 for least-privilege administration, compared with the standard account requirements for a farm installation.
Account: Setup user account
Purpose: Runs Setup on each server, the SharePoint Products and Technologies Configuration Wizard, the Psconfig command-line tool, and the Stsadm command-line tool.
Server farm standard requirement: Domain user account. Member of the Administrators group on each server on which Setup is run. SQL Server login on the computer that is running SQL Server. Member of the securityadmin and dbcreator fixed server roles. If you run Stsadm operations that read from or write to a database, the Setup user account must also be a member of the db_owner fixed database role for that database.
Least-privilege administration requirement (domain user accounts): The server farm standard requirements, with the following additions or exceptions: use a separate domain user account, and do not make the Setup user account a member of the Administrators group on the computer that is running SQL Server.

Account: Server farm account
Purpose: Configures and manages the server farm, acts as the application pool identity for the SharePoint Central Administration Web site, and runs the Windows SharePoint Services Timer service.
Server farm standard requirement: Domain user account. If the server farm is a child farm with Web applications that consume shared services from a larger farm, this account must be a member of the db_owner fixed database role on the configuration database of the larger farm. Additional permissions are granted automatically on Web servers and application servers that are joined to the farm: the account is added as a SQL Server login on the computer that is running SQL Server and is added to the dbcreator and securityadmin fixed server roles and to the db_owner fixed database role for every database in the server farm.
Least-privilege administration requirement (domain user accounts): The server farm standard requirements, with the following additions or exceptions: use a separate domain user account, and do not make the server farm account a member of the Administrators group on any server in the farm, including the computer that is running SQL Server.

Note: The server farm account does not require any permissions on SQL Server before you create the configuration database. The SQL Server login and roles listed above are created for it by Setup, running as the Setup user account, when the configuration database is created; this is why the Setup user account needs the securityadmin and dbcreator roles.
The minimum requirements to achieve least-privilege administration are:
  Separate accounts are used for different services and processes.
  No executing service or process account runs with local administrator permissions.
By using separate service accounts for each service and limiting the permissions assigned to each account, you reduce the opportunity for a malicious user or process to compromise the environment. Least-privilege administration can be implemented in many ways, depending on the security configuration of each scenario. The configurations for least-privilege administration include:
  Separate domain user accounts
  SQL Server authentication
  Domain user accounts connecting to existing databases
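The account rules in the table above are easy to state and easy to drift from: a farm account that someone added to local Administrators "to make it work", or a Setup account that was granted sysadmin instead of dbcreator and securityadmin. The following PowerShell script is an added example, not part of the original document, that audits both accounts against those rules. It checks direct membership of the local Administrators group on each server through the WinNT ADSI provider and queries the fixed server roles with IS_SRVROLEMEMBER. The account names, server names and SQL Server instance are assumptions; replace them with your own. Run it as a user who can read the servers' local group membership and who has a SQL Server login.

```powershell
# Added example, not part of the original document: audits the Setup user account and
# the server farm account against the least-privilege requirements in the table above.
# Account names, server names and the SQL Server instance below are assumptions.
$SetupAccount = 'CONTOSO\spsetup'            # assumed Setup user account
$FarmAccount  = 'CONTOSO\spfarm'             # assumed server farm account
$FarmServers  = 'wfe1', 'wfe2', 'app1'       # assumed Web and application servers
$SqlServer    = 'sql1'                       # assumed computer running SQL Server
$SqlInstance  = 'sql1'                       # assumed instance; use 'sql1\INSTANCE' for a named instance

function Get-LocalAdministrators([string]$Computer) {
    # Direct members of the local Administrators group via the WinNT ADSI provider,
    # which is available on Windows Server 2003 and 2008 without extra modules.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # WinNT://CONTOSO/spsetup -> CONTOSO\spsetup
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-LocalAdministrator([string]$Computer, [string]$Account) {
    $hits = @(Get-LocalAdministrators $Computer | Where-Object { $_ -eq $Account })
    return ($hits.Count -gt 0)
}

function Test-FixedServerRole([string]$Instance, [string]$Role, [string]$Login) {
    # IS_SRVROLEMEMBER returns 1 when the login holds the role, 0 or NULL otherwise.
    # The role and login are passed as parameters, not concatenated into the query.
    $cn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Database=master;Integrated Security=SSPI")
    $cn.Open()
    try {
        $cmd = $cn.CreateCommand()
        $cmd.CommandText = 'SELECT ISNULL(IS_SRVROLEMEMBER(@role, @login), 0)'
        [void]$cmd.Parameters.AddWithValue('@role', $Role)
        [void]$cmd.Parameters.AddWithValue('@login', $Login)
        return ([int]$cmd.ExecuteScalar()) -eq 1
    } finally { $cn.Close() }
}

$findings = @()
# Rule 1: the Setup account is a local Administrator on every SharePoint server; the farm account on none.
foreach ($s in $FarmServers) {
    if (-not (Test-LocalAdministrator $s $SetupAccount)) { $findings += "$SetupAccount is not a local Administrator on $s; Setup and Psconfig will fail there" }
    if (Test-LocalAdministrator $s $FarmAccount)        { $findings += "$FarmAccount is a local Administrator on $s; remove it" }
}
# Rule 2: neither account is a local Administrator on the computer running SQL Server.
foreach ($a in $SetupAccount, $FarmAccount) {
    if (Test-LocalAdministrator $SqlServer $a) { $findings += "$a is a local Administrator on $SqlServer; remove it" }
}
# Rule 3: the Setup account holds dbcreator and securityadmin, and nothing broader such as sysadmin.
foreach ($r in 'dbcreator', 'securityadmin') {
    if (-not (Test-FixedServerRole $SqlInstance $r $SetupAccount)) { $findings += "$SetupAccount lacks the $r fixed server role on $SqlInstance" }
}
if (Test-FixedServerRole $SqlInstance 'sysadmin' $SetupAccount) { $findings += "$SetupAccount holds sysadmin on $SqlInstance; dbcreator and securityadmin are sufficient" }

if ($findings.Count -eq 0) { 'All least-privilege account checks passed.' } else { $findings }
```

The audit checks direct membership only; a domain group that is nested inside a server's Administrators group is reported by its group name and is not expanded, so review any group entries by hand. The farm account's SQL Server roles are deliberately not checked, because they are created automatically when the configuration database is created and the account needs nothing before that point.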
Example configuration files are provided in the Files folder on the product DVD. They cover the following scenarios:
  Stand-alone server installation, using Microsoft SQL Server 2005 Express Edition (Setup\Config.xml)
  Stand-alone server installation, using SQL Server 2005 Express Edition, in silent mode (SetupSilent\Config.xml)
  Server farm installation
  Server farm installation in silent mode (SetupFarmSilent\Config.xml)
  Gradual upgrade of an existing farm
  In-place upgrade of an existing farm
  In-place upgrade of an existing single-server installation (SetupSingleUpgrade\Config.xml)
Important: The example configuration files that are included with Office SharePoint Server 2007 omit the <Setting Id="SETUP_REBOOT" Value="Never"/> setting. You must include this setting if you want to suppress restarts during a command-line installation.
Example
The following example shows the configuration for setting up a single server in silent mode (SetupSilent).
<Configuration>
  <Package Id="sts">
    <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
    <Setting Id="REBOOT" Value="ReallySuppress"/>
    <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
  </Package>
  <Package Id="spswfe">
    <Setting Id="SETUPCALLED" Value="1"/>
    <Setting Id="REBOOT" Value="ReallySuppress"/>
    <Setting Id="OFFICESERVERPREMIUM" Value="1" />
  </Package>
  <Logging Type="verbose" Path="%temp%" Template="Office Server Setup(*).log"/>
  <Display Level="none" CompletionNotice="no" />
  <PIDKEY Value="Enter PID Key Here" />
  <Setting Id="SERVERROLE" Value="SINGLESERVER"/>
  <Setting Id="USINGUIINSTALLMODE" Value="0"/>
</Configuration>
Run Setup with a Config.xml file at a command prompt
1. On the drive on which the Office SharePoint Server 2007 product DVD is located, change to the root directory to locate the setup.exe file.
2. Run Setup with the selected Config.xml file:
setup /config <path and file name>
Note: You can select one of the example files, or customize your own configuration file.
3. Press ENTER. Setup is now complete.
Example
To run Setup in silent mode, type one of the following commands at a command prompt, and then press ENTER:
setup /config Files\SetupSilent\config.xml (for a single-server deployment)
setup /config Files\SetupFarmSilent\config.xml (for a farm deployment)
You can also customize the configuration file. To control the installation, first edit the Config.xml file in a text editor to include the elements that you want, with the appropriate settings for those elements. Then run setup /config <path and file name> to specify that Setup runs with the options that you set in the Config.xml file. Some typical configuration options include:
  Bypassing the prompt for the product key by providing the key as a value, <PIDKEY Value="Enter PID Key Here" />, in the Config.xml file.
  Adding a location for a log file, <Logging Type="off" | "standard" (default) | "verbose" Path="path name" Template="file name.log"/>, which you can view if the command-line installation fails.
Important: Use a plain text editor, such as Notepad, to edit Config.xml. Do not use a word processor or general-purpose XML editor such as Microsoft Office Word 2007, which can change the file's quotation marks or encoding.
For more information about the options available for customizing the configuration file, see Config.xml reference (http://technet.microsoft.com/en-us/library/cc261668.aspx). For more information about the command-line options for Setup, see Setup.exe command-line reference (http://technet.microsoft.com/en-us/library/cc262897.aspx). For more information about command-line installation, see Install Office SharePoint Server 2007 by using the command line.
following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Type the following command, and then press ENTER:
psconfig -cmd
The Psconfig command-line tool describes the configuration steps as they occur and notes the successful completion of configuration. For a stand-alone-server installation, this is the final step in a command-line installation.
5. Perform resource security enforcement:
   psconfig -cmd secureresources
6. Register services in the server farm:
   psconfig -cmd services -install
   Note: After installing services, you must start and configure two services, Windows SharePoint Services Search and Office SharePoint Server Search, by using the Stsadm command-line tool. Use the domain and user account information for the server farm account that you created and configured previously.
   a. stsadm -o spsearch -action start -farmserviceaccount <domain\user name> -farmservicepassword <password> [-databasename <content database name>] [-databaseserver <server instance>] [-searchserver <search server name>]
      For more information, see Spsearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc288507.aspx).
   b. stsadm -o osearch -action start -role IndexQuery -farmserviceaccount <domain\user name> -farmservicepassword <password> -farmcontactemail <user@domain.com>
      For more information, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).
   c. Provision the services of the farm:
      psconfig -cmd services -provision
7. Register all features:
   psconfig -cmd installfeatures
8. Provision the SharePoint Central Administration Web application:
   psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm
9. Install shared application data:
   psconfig -cmd applicationcontent -install
The Central Administration Web site has now been created. We recommend that you install and configure Office SharePoint Server 2007 on all of the farm servers before you create sites.
Note: If any of these commands fail, look in the post-Setup configuration log files. The log files are available at %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Logs and can be identified by a file name that starts with PSC and has the .log file name extension.
To connect to an existing configuration database and join the server to an existing server farm, run the configdb command with the -connect parameter instead of the -create parameter:
psconfig -cmd configdb -connect -server <server name> -database <database name>
Note: Omit the -admincontentdatabase parameter, because you already specified it when you created the configuration database.
Run psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm on additional servers if you want them to be able to host the SharePoint Central Administration Web application; this reduces the impact of a failure of the server that is currently running the SharePoint Central Administration Web site.
To complete a command-line installation on a server farm, you must use the Stsadm command-line tool to create an SSP and then a site collection for the farm. However, before you create a Shared Services Provider and a site collection, we recommend that you first perform some additional configuration tasks.
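Typed one at a time, the psconfig and stsadm steps above are easy to continue past a failure, and the PSC*.log that explains the failure is then buried under the logs of the later steps. The following PowerShell script is an added example, not the page's own procedure: it runs the steps for a Web or application server that joins an existing farm in the order given above, stops at the first non-zero exit code, and prints the tail of the newest PSC*.log. The farm account password is prompted for rather than stored in the script. The server, database, port and account names are assumptions.

```powershell
# Added example, not part of the original document: runs the post-Setup configuration
# steps from this section on a server that joins an existing farm, stopping at the first
# failure and showing the newest PSC*.log. All names and the port below are assumptions.
param(
    [string]$DbServer     = 'sql1',                 # assumed SQL Server instance holding the configuration database
    [string]$ConfigDb     = 'SharePoint_Config',    # assumed configuration database name
    [string]$FarmAccount  = 'CONTOSO\spfarm',       # assumed server farm account
    [string]$ContactEmail = 'spadmin@contoso.com',  # assumed search contact address
    [int]$AdminPort       = 12345,                  # assumed Central Administration port
    [switch]$ProvisionCentralAdmin                  # also host Central Administration on this server
)
$Root     = Join-Path $env:CommonProgramFiles 'Microsoft shared\Web server extensions\12'
$PsConfig = Join-Path $Root 'Bin\psconfig.exe'
$Stsadm   = Join-Path $Root 'Bin\stsadm.exe'
$LogDir   = Join-Path $Root 'Logs'

function Invoke-Step([string]$Name, [string]$Exe, [string[]]$Arguments) {
    Write-Host "==> $Name"
    & $Exe $Arguments
    if ($LASTEXITCODE -ne 0) {
        # Psconfig writes PSC*.log files to the Logs directory; the newest one covers this run.
        $log = Get-ChildItem (Join-Path $LogDir 'PSC*.log') -ErrorAction SilentlyContinue |
               Sort-Object LastWriteTime | Select-Object -Last 1
        Write-Host "FAILED: $Name (exit code $LASTEXITCODE)"
        if ($log) { Write-Host "Newest configuration log: $($log.FullName)"; Get-Content $log.FullName | Select-Object -Last 40 }
        exit $LASTEXITCODE
    }
}

# Prompt for the farm account password instead of embedding it in the script.
$secure = Read-Host "Password for $FarmAccount" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$FarmPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Joining an existing farm: -connect instead of -create, and no -admincontentdatabase.
Invoke-Step 'Join the existing configuration database' $PsConfig @('-cmd','configdb','-connect','-server',$DbServer,'-database',$ConfigDb)
Invoke-Step 'Enforce resource security'                $PsConfig @('-cmd','secureresources')
Invoke-Step 'Register services'                        $PsConfig @('-cmd','services','-install')
Invoke-Step 'Start Windows SharePoint Services Search' $Stsadm   @('-o','spsearch','-action','start','-farmserviceaccount',$FarmAccount,'-farmservicepassword',$FarmPassword)
Invoke-Step 'Start Office SharePoint Server Search'    $Stsadm   @('-o','osearch','-action','start','-role','IndexQuery','-farmserviceaccount',$FarmAccount,'-farmservicepassword',$FarmPassword,'-farmcontactemail',$ContactEmail)
Invoke-Step 'Provision services'                       $PsConfig @('-cmd','services','-provision')
Invoke-Step 'Register features'                        $PsConfig @('-cmd','installfeatures')
if ($ProvisionCentralAdmin) {
    Invoke-Step 'Provision Central Administration'     $PsConfig @('-cmd','adminvs','-provision','-port',"$AdminPort",'-windowsauthprovider','onlyusentlm')
}
Invoke-Step 'Install shared application data'          $PsConfig @('-cmd','applicationcontent','-install')
Write-Host 'Server configuration completed.'
```

Run the script under the Setup user account, which is the account that must run Psconfig and Stsadm. The farm account password still has to be handed to stsadm on its command line, where it is visible to anyone who can list processes on the server for as long as the command runs, so run this from an interactive session that you control rather than from a scheduled job.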
The recommended procedure for creating an SSP is to create a Web application for the My Sites host location and a separate Web application for the Shared Services Administration Web site.
Create a Web application by using the Stsadm command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Type the following command, and then press ENTER:
stsadm -o extendvs -url <URL name> -ownerlogin <domain\user name> -owneremail <e-mail address> [-exclusivelyusentlm] [-ownername <display name>] [-databaseuser <database user name>] [-databaseserver <database server name>] [-databasename <new content database name>] [-databasepassword <database password>] [-lcid <language>] [-sitetemplate <site template>] [-donotcreatesite] [-description <description>] [-sethostheader] [-apidname <application pool name>] [-apidtype {configurableID | NetworkService}] [-apidlogin <domain\user name>] [-apidpwd <application pool password>] [-allowanonymous]
For more information, see Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx).
The extendvs operation creates the Web application. The donotcreatesite parameter creates the Web application without creating a site collection on it. After creating the Web applications for the My Sites host location and for the Shared Services Administration Web site, you create the SSP.
Create an SSP by using the Stsadm command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Type the following command, and then press ENTER:
stsadm -o createssp -title <SSP name> -url <Web application URL> -mysiteurl <My Sites Web application URL> -ssplogin <user name> -ssppassword <password> -indexserver <index server name> -indexlocation <index file path> [-sspdatabaseserver <SSP database server name>] [-sspdatabasename <SSP database name>] [-sspsqlauthlogin <SQL user name>] [-sspsqlauthpassword <SQL password>] [-searchdatabaseserver <search database server name>] [-searchdatabasename <search database name>] [-searchsqlauthlogin <SQL user name>] [-searchsqlauthpassword <SQL password>] [-ssl {Yes | No}]
Example
The following command creates a Web application with the URL http://intranet:8080 that can be used to host the SSP Administration site.
stsadm -o extendvs -url http://intranet:8080 -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -databaseserver <database server name> -databasename <SSP content database name> -donotcreatesite -apidname <SSP application pool> -apidtype configurableID -apidlogin <domain\user name> -apidpwd <password>
Similarly, you can create another Web application as the My Sites host location by using the following command:
stsadm -o extendvs -url http://intranet:8090 -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -databaseserver <SQL Server> -databasename <site content database name> -donotcreatesite -apidname <site application pool> -apidtype configurableID -apidlogin <domain\user name> -apidpwd <password>
Then you create the SSP, named MySSP1, with its database MySSP1_db, on the Web application that you created for the Shared Services Administration site:
stsadm -o createssp -title MySSP1 -url http://intranet:8080 -mysiteurl http://intranet:8090 -ssplogin <domain\user name> -ssppassword <password> -sspdatabaseserver <database server name> -sspdatabasename MySSP1_db -indexserver <index server name> -indexlocation "D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications" -searchdatabaseserver <search database server name> -searchdatabasename <search database name>
Note: The -apidpwd, -ssppassword and -sspsqlauthpassword values are passed on the command line, so they are visible to anyone who can list running processes on the server while the command runs. Type them only in an interactive session that you control, and use a separate least-privilege domain account for each application pool identity and for the SSP service.
For more information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx) and Createssp: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262773.aspx).
[-sethostheader] [-apidname <application pool name>] [-apidtype {configurableID | NetworkService}] [-apidlogin <domain\user name>] [-apidpwd <application pool password>] [-allowanonymous]
For more information about how to create a site collection, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx).
Example
The following example creates a Web application at http://intranet together with a site collection that uses the corporate intranet site template (SPSPORTAL).
stsadm -o extendvs -url http://intranet -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -sitetemplate SPSPORTAL -apidname "SharePoint AppPool" -apidtype configurableID -apidlogin <domain\user name> -apidpwd <password>
This command can also be used to add other site collections and sites. If you do not specify a site template, the site collection administrator can choose one when he or she first browses to the site. The extendvs operation also lets you specify the language of the site collection by using the -lcid parameter. If you do not specify an LCID, the language of the server is used for the top-level site collection. For more information about the available LCID values, see List of Locale ID (LCID) Values as Assigned by Microsoft (http://go.microsoft.com/fwlink/?LinkId=63028&clcid=0x409). For more information about the Stsadm command-line tool, see Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx).
After creating sites, you might want to configure alternate access mappings. Alternate access mappings direct users to the correct URLs during their interaction with Office SharePoint Server 2007 (for example, while browsing to the home page of an Office SharePoint Server 2007 Web site). They enable Office SharePoint Server 2007 to map Web requests to the correct Web applications and sites, and to serve the correct content back to the user.
For more information, see Plan alternate access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).
are using the Windows SharePoint Services Search service, we recommend that you configure the trace log to save seven days of events.
You can use the Diagnostic Logging page in Central Administration to configure the maximum number of trace log files to maintain and how long (in minutes) to capture events to each log file. By default, 96 log files are kept, each containing 30 minutes of events: 96 log files * 30 minutes per file = 2,880 minutes, or two days of events. To keep seven days at 30 minutes per file, raise the number of log files to 336. You can also specify where the log files are written or accept the default path.
Trace log files can help you troubleshoot issues related to configuration changes of the Windows SharePoint Services Search service. Because problems related to configuration changes are not always discovered immediately, we recommend that you save all trace log files that the system creates on any day on which you make a configuration change. Store these log files for an extended period in a safe location that will not be overwritten. We recommend that you store log files on a hard disk drive partition that is used only for log files.
See Also
Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx)
Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx)
Office SharePoint Server Security Account Requirements (http://go.microsoft.com/fwlink/?LinkId=110493&clcid=0x409)
Installing Microsoft Office SharePoint Server 2007 as a stand-alone installation on a single server computer simplifies deployment. A stand-alone installation of Microsoft Office SharePoint Server 2007 is a good choice for:
  A low-capacity deployment with a small number of Web sites
  A small number of concurrent users
  The initial evaluation of Office SharePoint Server 2007 before you begin testing and implementing a more complex deployment
Many deployments have greater performance and capacity requirements that can be achieved only with a farm deployment. You can migrate a stand-alone installation of Office SharePoint Server 2007 to a server farm installation to meet expanded performance, capacity, or scalability requirements. Migration enables you to meet these requirements while also retaining the data, content, and sites from your single-server installation. A direct upgrade from a stand-alone server to a farm is not available.
It is usually easier to expand an existing farm deployment by adding servers to meet performance, capacity, or scalability requirements than it is to migrate a stand-alone deployment to a farm deployment. If you know that your organization is going to require a server farm eventually, it is a better idea to start with a simple farm deployment. For more information about installing Office SharePoint Server 2007 on a simple server farm, see Deploy in a simple server farm. For more information about installing Office SharePoint Server 2007 on a stand-alone server, see Install Office SharePoint Server 2007 on a stand-alone computer.
You have two options for migrating from a stand-alone installation to a farm installation of Office SharePoint Server 2007:
  SQL Server backup and restore, followed by using the Stsadm command-line tool to attach the databases
  Central Administration backup and restore
This section describes the first option. For more information about using Central Administration to migrate from a stand-alone installation to a farm installation, see Migrate to another farm by using the Central Administration Web site (http://technet.microsoft.com/en-us/library/cc262281.aspx).
To migrate from a stand-alone server to a server farm, you perform the following steps: 1. Install Office SharePoint Server 2007 on a new farm. 2. Migrate data from the stand-alone server to the Microsoft SQL Server 2005 database server that is part of the new server farm by using SQL Backup and Restore. 3. Create and attach data from the Shared Services Provider (SSP) by using the Stsadm command-line tool. 4. Attach the restored databases to the new server farm by using the Stsadm command-line tool.
You must enable ASP.NET 2.0 in Internet Information Services (IIS) Manager on all Office SharePoint Server 2007 servers. You must have Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most recent service pack running on at least one database server before you install Office SharePoint Server 2007 on your Web servers.
The following accounts are required:
  SQL Server service account
  Setup user account
  Server farm account
It is possible to use the same account for each of these account roles, unless you are using least-privilege administration. For more information about these required accounts and other account requirements for Office SharePoint Server 2007, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx). For more information about preparing servers for installation, see the following articles:
  Chapter overview: Install Office SharePoint Server 2007 in a server farm environment
  Prepare the database servers
  Prepare the Web and application servers
  Deploy in a simple server farm
Install SharePoint Server 2007 and configure the server by using the SharePoint Products and Technologies configuration wizard
You can install Office SharePoint Server 2007 by using the Setup wizard or running Setup.exe from a command prompt. After completing Setup, you configure the server by using the SharePoint Products and Technologies configuration wizard. The SharePoint Products and Technologies configuration wizard creates the Central Administration site. When you have completed the wizard, do not create an SSP or other site collection until you have finished migrating data from the stand-alone server and have attached the restored databases to the new server farm. For more information about installing and configuring SharePoint Server 2007, see the following articles: Install Office SharePoint Server 2007 and run the SharePoint Products and Technologies configuration wizard Install Office SharePoint Server 2007 by using the command line
from the stand-alone server to the database server in the farm by using SQL Server Management Studio Express and Microsoft SQL Server Management Studio. SQL Server Management Studio Express is installed on the stand-alone server by running Setup for SQL Server Express with Advanced Services or SQL Server Express Toolkit. It is used to enable a connection from the database server that is running SQL Server Management Studio. SQL Server Management Studio is used to back up databases from the stand-alone server and restore the databases to the database server in the farm. For more information about managing SQL Server Express, see Managing SQL Server Express with SQL Server 2005 Management Studio Express Edition (http://go.microsoft.com/fwlink/?LinkId=110559&clcid=0x409). To download SQL Server Management Studio Express, visit the Visual Studio Download Center (http://go.microsoft.com/fwlink/?LinkId=110560&clcid=0x409). Migrate data from the stand-alone server to the database server on the farm 1. Set the databases on the stand-alone server to be read-only: a. In SQL Server Management Studio Express, right-click the name of the database that you want to set to read-only, and then click Properties. b. In the Select a page section, click Options. c. In the Other options section of the right pane, expand State, click the drop-down arrow for the values of Database Read-Only, and then click True.
2. Connect to the stand-alone server by using SQL Server Management Studio and back up the following databases:
  Shared Services DB
  Shared Services Search DB
  Shared Services Content DB
  WSS Content DB
  All additional content databases associated with Web applications on the stand-alone server
d. On your database server, click Start, point to All Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.
e. In the Connect to Server box, fill in the connection information, and then click Connect.
f. After connecting to the appropriate instance of the SQL Server 2005 Database Engine, in Object Explorer, expand the server tree by clicking the plus sign next to the server name.
Note: The SQL Server Express instance name that is used to connect to the databases on the stand-alone server is OfficeServers by default.
g. Expand Databases, right-click the database that you want to back up, point to Tasks, and then click Back Up. The Back Up Database dialog box appears.
h. In the Source section, in the Database box, verify the database name.
i. In the Backup type box, click the drop-down arrow, and then click Full.
j. Under Backup component, select Database.
k. In the Backup set section, in the Name box, either accept the default value or type a different name.
l. In the Destination section, specify the type of backup destination by selecting Disk or Tape, and then specify a destination. To create a different destination, click Add.
m. Click OK to start the backup process.
3. Restore databases to the database server on the farm by using Microsoft SQL Server Management Studio:
a. After connecting to the appropriate instance of the SQL Server 2005 Database Engine on the farm database server, in Object Explorer, expand the server tree by clicking the plus sign next to the server name.
b. Right-click Databases, and then click New Database.
c. In the Database name box, type the name of the database that you want to restore.
d. In the Owner box, specify an owner if you want.
e. In the Database files section, in the Logical Name box for the Data file type, verify that the logical name is the one that you want to use.
f. In the Initial Size (MB) box, set the size to approximately the size of the database that you want to restore.
g. In the Logical Name box for the Log file type, verify that the logical name is the one that you want to use.
h. In the Initial Size (MB) box, set the size to approximately three or four times the size of the log file of the database that you want to restore. Make the log file large enough to accommodate the entries written during the upgrade process; you can shrink the transaction log after the upgrade is complete.
i. In the Autogrowth column for the log file, set the value to By 10 percent, unrestricted growth. You can change this setting after the upgrade, but the log file must not run out of space during the upgrade process.
For more information about migrating databases including different backup and restore options for different versions of SQL Server, see Migrate databases (http://technet.microsoft.com/enus/library/cc263299.aspx).
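The dialog steps above have to be repeated for every database, and nothing in them verifies that the backup file is intact before the farm is attached to it. The following PowerShell script is an added example, not part of the original document: it performs the same read-only, back up and restore sequence with sqlcmd from the farm's database server, verifies each backup with a checksum, reads the logical file names from the backup so the restore lands in the farm's data directory, and clears the read-only flag that the backup carries over. The instance names, database names, share and paths are assumptions; remote connections must be enabled on the stand-alone SQL Server Express instance.

```powershell
# Added example, not part of the original document: scripted equivalent of the
# Management Studio back-up and restore steps above. Instance names, database names,
# share and paths are assumptions; adjust them for your environment.
$SourceInstance = 'standalone1\OfficeServers'   # assumed host; OfficeServers is the default Express instance name
$TargetInstance = 'sql1'                        # assumed farm database server
$BackupShare    = '\\fileserver\spmigrate'      # assumed share readable and writable by both SQL Server service accounts
$TargetDataDir  = 'E:\SQLData'                  # assumed data and log directory on the farm database server
$Databases      = 'SharedServices1_DB', 'SharedServices1_Search_DB', 'SharedServices1_Content', 'WSS_Content'   # assumed names

function Invoke-Sql([string]$Instance, [string]$Query) {
    # -E uses Windows authentication; -b makes sqlcmd exit non-zero on any SQL error.
    sqlcmd -S $Instance -E -b -Q $Query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed on $Instance`: $Query" }
}

function Backup-StandaloneDatabase([string]$Db) {
    $bak = "$BackupShare\$Db.bak"
    # Read-only first, so nothing can be written after the copy is taken.
    Invoke-Sql $SourceInstance "ALTER DATABASE [$Db] SET READ_ONLY WITH ROLLBACK IMMEDIATE"
    # CHECKSUM lets the verify and restore steps detect a damaged backup file.
    Invoke-Sql $SourceInstance "BACKUP DATABASE [$Db] TO DISK = N'$bak' WITH INIT, CHECKSUM"
    Invoke-Sql $TargetInstance "RESTORE VERIFYONLY FROM DISK = N'$bak' WITH CHECKSUM"
}

function Restore-FarmDatabase([string]$Db) {
    $bak = "$BackupShare\$Db.bak"
    # Read the logical file names from the backup so the MOVE clauses match whatever
    # the stand-alone installation called them. -h -1 suppresses headers, -W trims
    # padding, -s sets the column separator; column 3 is the file type (D or L).
    $rows = sqlcmd -S $TargetInstance -E -b -h -1 -W -s '|' -Q "SET NOCOUNT ON; RESTORE FILELISTONLY FROM DISK = N'$bak'"
    if ($LASTEXITCODE -ne 0) { throw "RESTORE FILELISTONLY failed for $Db" }
    $moves = foreach ($r in @($rows)) {
        $f = $r.Split('|')
        if ($f.Count -lt 3) { continue }
        $ext = if ($f[2] -eq 'L') { 'ldf' } else { 'mdf' }
        "MOVE N'$($f[0])' TO N'$TargetDataDir\$($f[0]).$ext'"
    }
    Invoke-Sql $TargetInstance "RESTORE DATABASE [$Db] FROM DISK = N'$bak' WITH $($moves -join ', '), CHECKSUM, RECOVERY"
    # The backup carries the READ_ONLY state with it; clear it or Stsadm cannot attach the database.
    Invoke-Sql $TargetInstance "ALTER DATABASE [$Db] SET READ_WRITE"
}

foreach ($db in $Databases) {
    Backup-StandaloneDatabase $db
    Restore-FarmDatabase $db
}
```

A restore recreates the files at the sizes recorded in the backup, so the log sizing advice in the dialog steps above is applied afterwards: grow the restored log with ALTER DATABASE ... MODIFY FILE before you attach the database to the farm, and shrink it again when the upgrade is complete. Run the script under an account that is a member of the db_backupoperator or sysadmin role on the Express instance and of the dbcreator role on the farm instance; it does not need to be the Setup user account.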
Create and attach data from the Shared Services Provider (SSP)
After you migrate data from the stand-alone server to the farm, you must use the Stsadm command-line tool to create the SSP Web application for the farm and attach the restored SSP database to the farm. The Stsadm command-line tool is available on the installation drive for Office SharePoint Server 2007 at %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\bin.
You create the SSP Web application by using the following command:
stsadm -o extendvs -url <URL> -ownerlogin <domain\username> -owneremail <e-mail address> -exclusivelyusentlm -databaseserver <DBservername> -databasename <NewcontentDBname> -apcreatenew -apidname <Apppoolname> -apidtype configurableid -apidlogin <domain\username> -apidpwd <Password>
Example
stsadm -o extendvs -url http://intranet:8080 -ownerlogin domain\username -owneremail user@domain.com -exclusivelyusentlm -databaseserver SQLServer -databasename SSPContentDB -apcreatenew -apidname SSPAppPool -apidtype configurableid -apidlogin domain\username -apidpwd MyPassword
This command creates a Web application with the URL http://intranet:8080 that can be used to host the SSP.
Note: The databasename parameter is the Shared Services content database that was restored from the stand-alone server.
The stand-alone installation uses the default Web application for the My Site host location. When you migrate to a farm, we recommend that the My Site host location use a separate Web application.
Example
stsadm -o extendvs -url http://intranet:8090 -ownerlogin domain\username -owneremail user@domain.com -exclusivelyusentlm -databaseserver SQLServer -databasename MySiteContentDB -apcreatenew -apidname MySiteAppPool -apidtype configurableid -apidlogin domain\username -apidpwd MyPassword
After creating both Web applications, you restore the SSP by using the restoressp operation. For -sspdatabasename and -searchdatabasename, use the names of the databases that were restored to the farm from the stand-alone server:
stsadm -o restoressp -title <SSP name> -url <Web application url> -mysiteurl <MySite Web application url> -ssplogin <username> -ssppassword <password> -sspdatabaseserver <SSP database server> -sspdatabasename <SSP database name> -searchdatabaseserver <Search database server> -searchdatabasename <Search database name> -indexserver <index server> -indexlocation <index file path>
Example
stsadm -o restoressp -title Migrated_SSP1 -url http://intranet:8080 -mysiteurl http://intranet:8090 -ssplogin domain\username -ssppassword MyPassword -sspdatabaseserver SQLServer -sspdatabasename MySSP1_db -searchdatabaseserver SearchServer -searchdatabasename SharedServices1_Search -indexserver MyServer -indexlocation "D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications"
For more information about the Stsadm command-line tool, see Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx). For additional information about how to perform this procedure by using the Stsadm command-line tool, see Restoressp (http://technet.microsoft.com/en-us/library/cc262163.aspx), Extendvs (http://technet.microsoft.com/en-us/library/cc263040.aspx), and Createssp (http://technet.microsoft.com/en-us/library/cc262773.aspx).
-owneremail <e-mail address> -exclusivelyusentlm -databaseserver <DBservername> -databasename <NewcontentDBname> -apcreatenew -apidname <Apppoolname> -apidtype configurableid -apidlogin <domain\username> -apidpwd <Password>
Example
stsadm -o extendvs -url http://intranet -ownerlogin domain\username -owneremail user@domain.com -exclusivelyusentlm -databaseserver SQLServer -databasename WSSContent -apcreatenew -apidname SharePoint_80_AppPool -apidtype configurableid -apidlogin domain\username -apidpwd MyPassword
This command attaches the restored content database and brings back the top-level site collection http://intranet, which also contains the My Site content. The databasename parameter is the restored database from the stand-alone installation that is now attached to the top-level site.
For additional information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).
See Also
Chapter overview: Install Office SharePoint Server 2007 in a server farm environment
Deploy in a simple server farm
Install Office SharePoint Server 2007 on a stand-alone computer
Migrate to another farm by using the Central Administration Web site (http://technet.microsoft.com/en-us/library/cc262281.aspx)
Install Office SharePoint Server 2007 by using the command line
Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx)
Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server 2008
In this section:
  Hardware and software requirements
  Perform installation steps
  Perform post-installation steps
  Configure the trace log
  Configure Windows Server Backup
As of the release of Microsoft Office SharePoint Server 2007 Service Pack 1 (SP1), you can install Office SharePoint Server 2007 on a server running Windows Server 2008. As with the Windows Server 2003 operating system, you must download and run Setup and the SharePoint Products and Technologies Configuration Wizard. You cannot install Office SharePoint Server 2007 without service packs on Windows Server 2008.

Important: This section discusses how to perform a clean installation of Office SharePoint Server 2007 with SP1 in a stand-alone environment on Windows Server 2008. It does not cover upgrading the operating system from Windows Server 2003 to Windows Server 2008.

Note: This section does not cover installing Office SharePoint Server 2007 in a server farm on Windows Server 2008. For more information, see Deploy a simple farm on the Windows Server 2008 operating system.

Note: There is no direct upgrade from a stand-alone installation to a farm installation.

You can quickly publish a SharePoint site by deploying Office SharePoint Server 2007 on a single server computer. A stand-alone configuration is useful if you want to evaluate Office SharePoint Server 2007 features and capabilities, such as collaboration, document management, and search. A stand-alone configuration is also useful if you are deploying a small number of Web sites and you want to minimize administrative overhead. When you deploy Office SharePoint Server 2007 on a single server using the default settings, the Setup program automatically installs the Windows Internal Database and uses it to create the configuration database and an initial content database for your SharePoint sites. In addition, Setup installs the SharePoint Central Administration Web site and creates your first SharePoint site collection and site.
Important: Office SharePoint Server 2007 requires the following components: the Web Server role, Windows Internal Database, and the Microsoft .NET Framework. Office SharePoint Server 2007 will cease to run if you uninstall these components.
Install Microsoft .NET Framework version 3.0
1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In Server Manager, on the Action menu, click Add features.
3. In the Features list, select the .NET Framework 3.0 Features check box, and then click Next.
4. Follow the wizard steps to install the .NET Framework version 3.0.

Note: You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=110508).
Install Office SharePoint Server 2007 with SP1
1. From your slipstreamed installation source, run Setup.exe.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup places a red circle next to the text box and displays a message that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Basic to install to the default location. To install to a different location, click Advanced, and then on the File Location tab, specify the location you want to install to and finish the installation.
5. When Setup finishes, a dialog box prompts you to complete the configuration of your server. Make sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
6. Click Close to start the configuration wizard. The SharePoint Products and Technologies Configuration Wizard starts, and you can go directly to the procedure "To run the SharePoint Products and Technologies Configuration Wizard."

Note: Do not add any server roles in Windows Server 2008 Server Manager before the setup for Office SharePoint Server 2007 is complete. If you add a server role, the setup process will fail, and you will need to uninstall and reinstall Office SharePoint Server 2007.
provided in the following procedure.

Note: If you see a proxy server error message, you might need to configure your proxy server settings so that local addresses bypass the proxy server. Instructions for configuring proxy server settings are provided later in this section.

If you want to configure the installation from the command line, use the following procedure.

Run the SharePoint Products and Technologies Configuration Wizard from the command line
Type the following command, and then press ENTER:

psconfig.exe -cmd setup -cmd standaloneconfig -lcid 0 -cmd configdb -create -server <servername>\OfficeServers -cmd helpcollections -installall -cmd secureresources -cmd services -install -provision -cmd installfeatures -cmd adminvs -provision -cmd evalprovision -provision -cmd applicationcontent -install

After you have configured the Office SharePoint Server 2007 installation, you should add the SharePoint site to the list of trusted sites, using the following steps.

Add the SharePoint site to the list of trusted sites
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted Sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of your site, and then click Add.
5. Click Close to close the Trusted Sites dialog box.
6. Click OK to close the Internet Options dialog box.

If you are using a proxy server in your organization, use the following steps to configure Internet Explorer to bypass the proxy server for local addresses.

Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check box.
5. In the Address box, type the address of the proxy server.
6. In the Port box, type the port number of the proxy server.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.
applications. For more information, see Deploy a simple farm on the Windows Server 2008 operating system.

Perform administrator tasks by using the Central Administration site
1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, under Administrator Tasks, click the task you want to perform.
3. On the Administrator Tasks page, next to Action, click the task.
To save 10,080 minutes (seven days) of events, you can use any combination of number of log files and minutes to store in each log file.
3. Ensure that the path specified in the Path box has enough room to store the extra log files, or change the path to another location.
Tip: We recommend that you store log files on a hard drive partition that is used to store log files only.
4. Click OK.
13. In the Value Data box, type Windows SharePoint Services, and then click OK.
14. On the Edit menu, click New, and then click DWORD (32-bit) Value.
15. Type UseSameVssContext as the new value name, and then press ENTER.
16. Right-click the UseSameVssContext value, and then click Modify.
17. In the Value Data box, type 00000001, and then click OK.
Chapter overview: Install Office SharePoint Server 2007 in a server farm environment
In this section:
Suggested topologies
Before you begin deployment
Overview of the deployment process

Important: This section discusses how to do a clean installation of Microsoft Office SharePoint Server 2007 in a server farm environment. It does not cover upgrading from previous releases of Office SharePoint Server 2007 or how to upgrade from Microsoft Office SharePoint Portal Server 2003. For more information about upgrading from SharePoint Portal Server 2003, see Upgrading to Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc303420.aspx).

Note: This section does not cover installing Office SharePoint Server 2007 on a single computer as a stand-alone installation. For more information, see Install Office SharePoint Server 2007 on a stand-alone computer.

You can deploy Office SharePoint Server 2007 in a server farm environment if you are hosting a large number of sites, if you want the best possible performance, or if you want the scalability of a multi-tier topology. A server farm consists of one or more servers dedicated to running the Office SharePoint Server 2007 application.

Note: There is no direct upgrade from a stand-alone installation to a farm installation.

Because a server farm deployment of Office SharePoint Server 2007 is more complex than a stand-alone deployment, we recommend that you plan your deployment. Planning your deployment can help you to gather the information you need and to make important decisions before beginning to deploy. For information about planning, see Planning and architecture for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).
Suggested topologies
Server farm environments can encompass a wide range of topologies, and can include many servers or as few as two servers. A small server farm typically consists of a database server running either Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most recent service pack, and one or more servers running Internet Information Services (IIS) and Office SharePoint Server 2007. In this configuration, the front-end servers are configured as Web servers and application servers. The Web server role provides Web content to clients. The application server role provides Office SharePoint Server 2007 services such as servicing search queries, and crawling and indexing content.

A medium server farm typically consists of a database server, an application server running Office SharePoint Server 2007, and one or two front-end Web servers running Office SharePoint Server 2007 and IIS. In this configuration, the application server provides indexing services and Excel Calculation Services, and the front-end Web servers service search queries and provide Web content.

A large server farm typically consists of two or more clustered database servers, several load balanced front-end Web servers running Office SharePoint Server 2007, and two or more application servers running Office SharePoint Server 2007. In this configuration, each of the application servers provides specific Office SharePoint Server 2007 services such as indexing or Excel Calculation Services, and the front-end servers provide Web content.

Note: All of the Web servers in your server farm must have the same SharePoint Products and Technologies installed. For example, if all of the servers in your server farm are running Office SharePoint Server 2007, you cannot add to your farm a server that is running only Microsoft Office Project Server 2007. To run Office Project Server 2007 and Office SharePoint Server 2007 in your server farm, you must install Office Project Server 2007 and Office SharePoint Server 2007 on each of your Web servers.

To enhance the security of your farm and reduce the surface area that is exposed to a potential attack, you can turn off services on particular servers after you install SharePoint Products and Technologies.
To deploy Office SharePoint Server 2007 in a server farm environment, you must provide credentials for several different accounts. For information about these accounts, see Plan for administrative and service accounts in the Planning and architecture for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx) guide.
You must install Office SharePoint Server 2007 on the same drive on all load-balanced front-end Web servers.
You must install Office SharePoint Server 2007 on a clean installation of the Microsoft Windows Server 2003 operating system with the most recent service pack. If you uninstall a previous version of Office SharePoint Server 2007, and then install Office SharePoint Server 2007, Setup might fail to create the configuration database and the installation will fail.
Note: We recommend that you read the Known Issues/Readme documentation before you install Office SharePoint Server 2007 on a domain controller. Installing Office SharePoint Server 2007 on a domain controller requires additional configuration steps that are not discussed in this section.
You must install the same language packs on all servers in the farm. For more information about installing language packs, see Deploy language packs.
All the instances of Office SharePoint Server 2007 in the farm must be in the same language. For example, you cannot have both an English version of Office SharePoint Server 2007 and a Japanese version of Office SharePoint Server 2007 in the same farm.
You must use the Complete installation option on all computers you want to be index servers, query servers, or servers that run Excel Calculation Services.
If you place a query server beyond a firewall from its index server, you must open the NetBIOS ports (TCP/User Datagram Protocol (UDP) ports 137, 138, and 139) on all firewalls that separate these servers. If your environment does not use NetBIOS, you must use direct-hosted server message block (SMB); this requires that you open the TCP/UDP 445 port.
If you want to have more than one index server in a farm, you must use a different Shared Services Provider (SSP) for each index server.
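When a query server sits behind a firewall from its index server, the ports listed above have to be opened on every firewall in the path, including the host firewall of the query server itself. As an added example that is not from this book, the following PowerShell script opens them on a query server's Windows Server 2003 host firewall with netsh, scoped to the index server's address rather than to every host; the index server address is a placeholder, and the switch between the NetBIOS ports and the direct-hosted SMB port is an assumption about your environment.

```powershell
# Added example (not from the page): open the query-to-index ports on a query
# server's Windows Server 2003 host firewall, scoped to the index server only.
# $indexServerIP is a placeholder; set $useNetBIOS to $false for direct-hosted SMB.
$indexServerIP = "10.0.0.20"
$useNetBIOS    = $true

# NetBIOS needs TCP/UDP 137, 138 and 139; direct-hosted SMB needs TCP/UDP 445.
if ($useNetBIOS) { $ports = @(137, 138, 139) } else { $ports = @(445) }

foreach ($port in $ports) {
    foreach ($proto in @("TCP", "UDP")) {
        $name = "SPIndexQuery_" + $proto + "_" + $port
        # scope=CUSTOM with addresses= limits the opening to the index server,
        # instead of exposing the port to every host that can reach this server.
        & netsh firewall add portopening "protocol=$proto" "port=$port" "name=$name" `
            "mode=ENABLE" "scope=CUSTOM" "addresses=$indexServerIP" "profile=ALL"
        if ($LASTEXITCODE -ne 0) { throw "netsh failed for $proto $port" }
    }
}

# List the openings so the address scope can be verified after the change.
& netsh firewall show portopening
```

On Windows Server 2008 the equivalent rules are created with netsh advfirewall firewall add rule, using remoteip= for the same scoping.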
Preparing the database server.
Preinstalling the databases (optional).
Verifying that the servers meet hardware and software requirements.
Running Setup on all servers you want to be in the farm.
Installing available language template packs on front-end Web servers (optional). For more information about installing language template packs, see Deploy language packs.
Running the SharePoint Products and Technologies Configuration Wizard.
If you want to search over the Help content for Office SharePoint Server 2007, starting the Windows SharePoint Services Search service.
For more information about creating and configuring SSPs, see III. Create and configure Shared Services Providers.
For more information about creating site collections and sites, see Deploy and configure SharePoint sites (http://technet.microsoft.com/en-us/library/cc262442.aspx).
Before installing Microsoft Office SharePoint Server 2007, you must prepare the database server. The database server must be running Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most recent service pack. The Office SharePoint Server 2007 Setup program automatically creates the necessary databases when you install and configure Office SharePoint Server 2007. Optionally, you can preinstall the required databases if your IT environment or policies require this. For more information about prerequisites, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx). If you are using SQL Server 2005, you must also change the surface area settings.

Configure surface area settings in SQL Server 2005
1. Click Start, point to All Programs, point to Microsoft SQL Server 2005, point to Configuration Tools, and then click SQL Server Surface Area Configuration.
2. In the SQL Server 2005 Surface Area Configuration dialog box, click Surface Area Configuration for Services and Connections.
3. In the tree view, expand the node for your instance of SQL Server, expand the Database Engine node, and then click Remote Connections.
4. Select Local and Remote Connections, select Using both TCP/IP and named pipes, and then click OK.
Required accounts
The following table describes the accounts that are used to configure Microsoft SQL Server and to install Office SharePoint Server 2007. For more information about the required accounts, including specific privileges required for these accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).
Account: SQL Server service account
Purpose: SQL Server prompts for this account during SQL Server Setup. This account is used as the service account for the following SQL Server services:
MSSQLSERVER
SQLSERVERAGENT
If you are not using the default instance, these services will be shown as:
MSSQL$InstanceName
SQLAgent$InstanceName

Account: Setup user account
Purpose: The user account that is used to run Setup on each server.

Account: Server farm account
Purpose: This account is also referred to as:
Database access account
The application pool account for the Central Administration site
The process account for the Windows SharePoint Services Timer (SPAdmin) service
This account is:
Before you install and configure Microsoft Office SharePoint Server 2007, be sure that your servers have the recommended hardware and software. To deploy a server farm, you need at least one server acting as a Web server and an application server, and one server acting as a database server. For more information about these requirements, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).
Install Office SharePoint Server 2007 and run the SharePoint Products and Technologies configuration wizard
In this section:
Recommended order of configuration
Run Setup on the first server
Run the SharePoint Products and Technologies Configuration Wizard
Add the SharePoint Central Administration Web site to the list of trusted sites
Configure proxy server settings to bypass the proxy server for local addresses
Add servers to the farm
Run the SharePoint Products and Technologies Configuration Wizard on additional servers
Start the Windows SharePoint Services Search service
Stop the Central Administration service on all index servers
Disable the Windows SharePoint Services Web Application service on all servers not serving content
After preparing your database and the servers in your farm, run Setup and then run the SharePoint Products and Technologies Configuration Wizard on all your farm servers. Do this on all farm servers before going on to create a Shared Services Provider (SSP). Note: We recommend that you run Setup on all the servers that will be in the farm before you configure the farm. You can add servers to the farm at this point, or after you have created and configured an SSP. You can add servers after you have created and configured an SSP to add redundancy, such as additional load-balanced Web servers or additional query servers. It is recommended that you run Setup and the configuration wizard on all your application servers before you create and configure the SSP.
application server, install Office SharePoint Server 2007 on that server first; this also installs the Central Administration Web site.
2. All your front-end Web servers.
3. The index server (if using a separate server for search queries and indexing).
4. The query servers, if separate from the index server.
Note: To configure more than one query server in your farm, you cannot configure your index server as a query server.
5. Other application servers (optional).

Because the SSP configuration requires an index server, you must start the Office SharePoint Server Search service on the computer that you want to be the index server, and configure it as an index server before you can create an SSP. Because of this, you must deploy and configure an index server before other servers.

You can choose any server to be the first server on which you install Office SharePoint Server 2007. However, the Central Administration Web site is automatically installed on the first server on which you install Office SharePoint Server 2007. You can configure different features on different servers. The following table shows which installation type should be used for each feature set.
Server type | Installation type
Central Administration Web application | Complete
Application server (such as Excel Calculation Services) | Complete
Search index server | Complete
Search query server | Complete
Web server | Complete or front-end Web (subsequent servers must join an existing farm)

Note: If you choose the front-end Web installation option, you will not be able to run additional services, such as search, on the server.
When you install Office SharePoint Server 2007 on the first server, you establish the farm. Any servers that you add will join this farm. Setting up the first server involves two steps: installing the Office SharePoint Server 2007 components on the server, and configuring the farm. After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The SharePoint Products and Technologies Configuration Wizard automates several configuration tasks, including installing and configuring the configuration database, installing Office SharePoint Server 2007 services, and creating the Central Administration Web site.
5. On the Server Type tab, select Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the next set of steps.
SQL Server Security Administrators server role. The user account that you specify for this service account must be a domain user account. Because this account does not require a high level of privilege, we recommend that you follow the principle of least privilege, and specify a user account that is not a member of the Administrators group on your Web servers or your back-end servers.
7. In the Password box, type the user's password, and then click Next.
8. On the Configure SharePoint Central Administration Web Application page, select the Specify port number check box and type a port number if you want the SharePoint Central Administration Web application to use a specific port, or leave the Specify port number check box cleared if you do not care which port number the SharePoint Central Administration Web application uses.
9. In the Configure SharePoint Central Administration Web Application dialog box, do one of the following:
If you want to use NTLM authentication (the default), click Next.
If you want to use Kerberos authentication, click Negotiate (Kerberos), and then click Next.
Note: In most cases, use the default setting (NTLM). Use Negotiate (Kerberos) only if Kerberos authentication is supported in your environment. Using the Negotiate (Kerberos) option requires you to configure a Service Principal Name (SPN) for the domain user account. To do this, you must be a member of the Domain Admins group. For more information, see How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
10. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
11. On the Configuration Successful page, click Finish. The SharePoint Central Administration Web site home page opens.
Notes
If you are prompted for your user name and password, you might need to add the SharePoint Central Administration Web site to the list of trusted sites, and configure user authentication settings in Internet Explorer. Instructions for configuring these settings are provided in the next set of steps.
If a proxy server error message appears, you might need to configure your proxy server settings so that local addresses bypass the proxy server. Instructions for configuring this setting are provided later in this section.
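The Negotiate (Kerberos) option in step 9 works only once the domain account entered in step 6 holds an HTTP service principal name for the host name that browsers use to reach Central Administration; without it, clients cannot obtain a Kerberos ticket for the site. As an added example that is not from this book, the following PowerShell script, run by a member of Domain Admins, registers the short and fully qualified names with setspn.exe and skips any name the account already holds; the account and host names are placeholders.

```powershell
# Added example (not from the page): register the HTTP service principal names
# that Negotiate (Kerberos) needs for the Central Administration application
# pool account. The account and host names are placeholders.
$account   = "DOMAIN\spfarm"                                    # account from step 6
$hostNames = @("centraladmin", "centraladmin.corp.example.com") # short and FQDN forms

# setspn -L prints the SPNs currently held by the account.
$current = & setspn -L $account
if ($LASTEXITCODE -ne 0) { throw "setspn -L failed; is $account a domain account?" }

foreach ($h in $hostNames) {
    $spn = "HTTP/" + $h
    if ($current -match ("^\s*" + [regex]::Escape($spn) + "\s*$")) {
        Write-Host "$spn is already registered for $account"
        continue
    }
    # setspn -A adds the SPN to the account. The same SPN registered on two
    # accounts breaks Kerberos for both, so on Windows Server 2008 prefer
    # setspn -S, which refuses to add a name that already exists in the forest.
    & setspn -A $spn $account
    if ($LASTEXITCODE -ne 0) { throw "setspn -A $spn $account failed" }
}

# Show the final set of SPNs so the registration can be verified.
& setspn -L $account
```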
Add the SharePoint Central Administration Web site to the list of trusted sites
Add the SharePoint Central Administration Web site to the list of trusted sites
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL for the SharePoint Central Administration Web site, and then click Add.
5. Click Close to close the Trusted sites dialog box.
6. Click OK to close the Internet Options dialog box.
Configure proxy server settings to bypass the proxy server for local addresses
Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.
2005 running on at least one back-end database server before you install Office SharePoint Server 2007 on your Web servers.

Important: If you uninstall Office SharePoint Server 2007 from the first server on which you installed it, your farm might experience problems. It is not recommended that you install Office SharePoint Server 2007 on an index server first.

Run Setup on additional servers: front-end Web servers
1. From the product disc, run Setup.exe, or from the product download, run Officeserver.exe, on one of your Web servers.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Web Front End.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard.
Instructions for completing the wizard are provided in the following section.

Run Setup on additional servers: index or query server
1. From the product disc, run Setup.exe, or from the product download, run Officeserver.exe, on one of your Web servers.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the next set of steps.
Run the SharePoint Products and Technologies Configuration Wizard on additional servers
After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several configuration tasks, including installing Office SharePoint Server 2007 services. Use the following instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard on additional servers
1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. In the dialog box that notifies you that some services might need to be restarted during configuration, click Yes.
3. On the Connect to a server farm page, click Yes, I want to connect to an existing server farm, and then click Next.
4. In the Specify Configuration Database Settings dialog box, in the Database server box, type the name of the computer that is running SQL Server.
5. Click Retrieve Database Names, and then from the Database name list, select the database name that you created when you configured the first server in your server farm.
6. In the User name box, type the user name of the account used to connect to the computer running SQL Server. (Be sure to type the user name in the format DOMAIN\username.) This must be the same user account you used when you configured the first server.
7. In the Password box, type the user's password, and then click Next.
8. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
9. On the Configuration Successful page, click Finish.
Before stopping the service on the index server, make sure that the service is running on another server.

Stop the Central Administration service on an index server
1. On the Services on Server page, select the index server from the Server drop-down list.
2. Under Select server role to display services you will need to start in the table below, select the Custom option.
3. In the table of services, next to Central Administration, in the Action column, click Stop.
Disable the Windows SharePoint Services Web Application service on all servers not serving content
Disable the Windows SharePoint Services Web Application service on all servers that are not serving content, especially index servers. On the other hand, you must be sure that this service is enabled on the servers that are serving content.

Disable the Windows SharePoint Services Web Application service on a server
1. On the SharePoint Central Administration home page, click the Operations tab on the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on server.
3. On the Services on Server page, next to Windows SharePoint Services Web Application, click Stop.
Language packs enable site owners and site collection administrators to create SharePoint sites and site collections in multiple languages without requiring separate installations of Microsoft Office SharePoint Server 2007. You install language packs, which contain language-specific site templates, on your front-end Web servers. When an administrator creates a site or a site collection based on a language-specific site template, the text that appears on the site or the site collection is displayed in the site template's language. Language packs are typically used in multinational deployments where a single server farm supports people in different locations or in situations where sites and Web pages must be duplicated in one or more languages. For more information about language packs, see Plan for multilingual sites (http://technet.microsoft.com/en-us/library/cc262055.aspx).

Note: You cannot change an existing site, site collection, or Web page from one language to another by applying different language-specific site templates; once you choose a language-specific site template for a site or a site collection, the site or site collection will always display content in the language of the original site template.

Word breakers and stemmers enable you to efficiently and effectively search across content on SharePoint sites and site collections in multiple languages without requiring separate installations of Office SharePoint Server 2007. Word breakers and stemmers are not installed with language packs. Instead, they are automatically installed on your front-end Web servers by the Setup wizard. For more information about word breakers and stemmers, see the "Plan word breakers and stemmers" section in Plan to crawl content (http://technet.microsoft.com/en-us/library/cc262926.aspx).

You can install language packs for Microsoft Office Server products from the Microsoft Download site, at 2007 Office System Language Packs (http://www.microsoft.com/downloads/details.aspx?FamilyId=2447426B-8689-4768-BFF0-CBB511599A45&displaylang=en).

Important: If you are uninstalling a Microsoft Office Server product, you must uninstall all language packs before you uninstall the product.
Although a site administrator specifies a language ID for a site, some user interface elements such as error messages, notifications, and dialog boxes do not display in the language that was specified. This is because Office SharePoint Server 2007 relies on several supporting technologies (for example, the Microsoft .NET Framework, Microsoft Windows Workflow Foundation, Microsoft ASP.NET, and Microsoft SQL Server 2005), some of which are localized into only a limited number of languages. If a user interface element is generated by any of the supporting technologies that is not localized into the language that the site administrator specified for the site, the user interface element appears in English. For example, if a site administrator creates a site in Hebrew, and the .NET Framework component displays a notification message, the notification message will not display in Hebrew because the .NET Framework is not localized into Hebrew. This situation can occur when sites are created in any language except the following: Chinese, French, German, Italian, Japanese, Korean, and Spanish. In some cases, some text might originate from the original installation language, which can create a mixed-language experience. This type of mixed-language experience is typically seen only by content creators or site administrators and is not seen by site users.
Language files are used by the operating system and provide support for displaying and entering text in multiple languages. Language files include:
  - Keyboard files
  - Input Method Editors (IMEs)
  - TrueType font files
  - Bitmap font files
  - Code page conversion tables
  - National Language Support (.nls) files
  - Script engines for rendering complex scripts
Most language files are installed by default on the Microsoft Windows Server 2003 operating system. However, you must install supplemental language files for East Asian languages and languages that use complex script or require right-to-left orientations. The East Asian languages include Chinese, Japanese, and Korean; the complex script and right-to-left oriented languages include Arabic, Armenian, Georgian, Hebrew, the Indic languages, Thai, and Vietnamese. Instructions for installing these supplemental language files are provided in the following procedure. We recommend that you install these language files only if you need them. The East Asian files require about 230 megabytes of hard disk space. The complex script and right-to-left languages do not use much disk space, but installing either set of files might reduce performance when entering text.
Note: You must be a member of the Administrators group on the computer to install these language files. After the language files are installed, the languages are available to all users of the computer.
Note: You will need your Windows Server 2003 product disc to perform this procedure, or you will need to know the location of a shared folder that contains your operating system installation files.
Note: You must restart your computer after you install supplemental language files.

Install additional language files
1. On your front-end Web server, click Start, point to Settings and then Control Panel, and then click Regional and Language Options.
2. In the Regional and Language Options dialog box, on the Languages tab, in the Supplemental Language Support section, select one or both of the following check boxes:
  - Install files for complex script and right-to-left languages
  - Install files for East Asian languages
3. Click OK in the dialog box that alerts you that additional disk space is required for the files.
4. Click OK to install the additional language files.
5. When prompted, insert your Windows Server 2003 product disc or provide the location of your Windows Server 2003 installation files.
6. When prompted to restart your computer, click Yes.

After you install the necessary language files on your front-end servers, you need to install Office SharePoint Server 2007 and run the SharePoint Products and Technologies Configuration Wizard. The wizard creates and configures the configuration database and performs other configuration tasks that must be done before you install language packs. For more information about installing Office SharePoint Server 2007 and running the SharePoint Products and Technologies Configuration Wizard, see Deploy in a simple server farm and Install Office SharePoint Server 2007 on a stand-alone computer.
packs to support multiple languages, you must install the language packs on each of your front end Web servers.

Important: The language pack installs in its native language, for example the Russian language pack executable file is localized into Russian. The procedure provided below is for the English language pack.

Install a language pack
1. Run setup.exe.
2. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
3. The setup wizard runs and installs the language pack.
4. Rerun the SharePoint Products and Technologies Configuration Wizard, using the default settings. If you do not run the SharePoint Products and Technologies Configuration Wizard after you install a language pack, the language pack will not be installed properly.

Rerun the SharePoint Products and Technologies Configuration Wizard
1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Products and Technologies Configuration Wizard.
2. On the Welcome to SharePoint Products and Technologies page, click Next.
3. Click Yes in the dialog box that alerts you that some services might need to be restarted during configuration.
4. On the Modify server farm settings page, click Do not disconnect from this server farm, and then click Next.
5. If the Modify SharePoint Central Administration Web Administration Settings page appears, do not modify any of the default settings, and then click Next.
6. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
7. On the Configuration Successful page, click Finish.

When you install language packs, the language-specific site templates are installed in the \Program Files\Common Files\Microsoft Shared\web server extensions\12\template\number directory, where number is the Language ID for the language that you are installing.
For example, the US English language pack installs to the \Program Files\Common Files\Microsoft Shared\web server extensions\12\template\1033 directory. After you install a language pack, site owners and site collection administrators can create sites and site collections based on the language-specific site templates by specifying a language when they are creating a new SharePoint site or site collection.
your front-end servers or on your back-end database servers. You can use the user account that you specified as the Microsoft Office SharePoint Server 2007 service account; however, if that user account is a member of a security group that has administrative rights on your front-end servers or your back-end database servers, you will not be following the principle of least privilege. The user name must be in the format DOMAIN\username.
11. In the Database Name and Authentication section, verify the database information and make sure that Windows Authentication (recommended) is selected.
12. In the Search Server section, do not modify the default settings.
13. Click OK. Upon successful creation of the Web application, the New Shared Services Provider page appears.
14. In the SSP Name section, in Web Application, select the Web application that you created for the SSP, and do not modify any of the default settings in this section.
15. In My Site Location section, choose the correct Web application.
  Note: It is recommended that you run My Sites and the SSP administration site in different Web applications so that you can back up and restore My Sites separately from the SSP administration site.
16. In the SSP Service Credentials section, in User name and Password, type the user name and password for the user account under which you want the SSP to run. The user account must be a domain user account, but the user account does not have to be a member of any particular security group. It is recommended that you use the principle of least privilege and select a unique user account that does not have administrative rights on your front-end servers or on your back-end database servers. You can use the user account that you specified as the Office SharePoint Server 2007 service account; however, if that user account is a member of a security group that has administrative rights on your front-end servers or your back-end database servers, you will not be following the principle of least privilege. The user name must be in the format DOMAIN\username.
17. In the SSP Database section, you can either accept the default settings (recommended), or specify your own settings for the database server, the database name, or the SQL authentication credentials.
18. In the Search Database section, you can either accept the default settings (recommended), or specify your own settings for the search database server, the database name, or the SQL Server authentication credentials.
19. In the Index Server section, in Index Server, click the server on which you configured the Search service. If there is no index server listed in the Index Server section, then no server in your farm has been assigned the index server role. To assign the index server role to a server in your farm, follow the instructions in Configure a dedicated front-end Web server for crawling (http://technet.microsoft.com/en-us/library/cc261810.aspx).
20. In the SSL for Web Services section, click No.
21. Click OK. Upon successful creation of the SSP, the Success page appears.
22. On the Success page, click OK to return to the Manage this Farm's Core Services page.

For information about how to perform this procedure using the Stsadm command-line tool, see Shared Services Provider: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262916.aspx).
each server in the farm by using the IIS administration tool. Until this is done, the Web services will not be available. 11. Click OK to create the SSP.
This section describes the process of deploying the search features for Microsoft Office SharePoint Server 2007 that are related to crawling content. If you have not already done so, we highly recommend that you first read the topics described in Plan search (http://technet.microsoft.com/en-us/library/cc263400.aspx) and fill out the companion Plan to crawl content worksheet (http://go.microsoft.com/fwlink/?LinkID=73748&clcid=0x409). As you proceed through this section, refer to this worksheet so that you have the information you need to configure these search features. For information about how to perform this procedure using the Stsadm command-line tool, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).
Server-level configuration
The procedures in this section are performed at the server level. To perform these procedures, you must be a member of the Administrators group for each server on which you want to perform them.
Refer to the Protocol handlers section of the Plan to crawl content worksheet to review your decisions for installing additional protocol handlers. When installing the protocol handlers on your index server, follow the appropriate installation instructions provided by the manufacturer of each protocol handler. Note: You must be a member of the Administrators group on each server on which you want to install an additional protocol handler.
Add the OneNote file extension to the File Types list
1. Open the administration page for the Shared Services Provider (SSP). To open the administration page for the SSP, do the following:
  a. In Central Administration, on the top link bar, click Application Management.
  b. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
  c. On the Manage this Farm's Shared Services page, click the SSP for which you want to open the administration page.
2. On the Shared Services Administration page, in the Search section, click Search settings.
3. On the Configure Search Settings page, in the Crawl Settings section, click File Types.
4. On the Manage File Types page, click New File Type.
5. On the Add File Type page, in the File extension box, type one, and then click OK.
  Note: Do not type the period character "." before the file extension.

Register the OneNote IFilter
1. On the index server, click Start, and then click Run.
2. In the Open box, type notepad, and then click OK.
3. Type or copy the following text into Notepad:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\Filters\.one]
    "Extension"="one"
    "FileTypeBucket"=dword:00000001
    "MimeTypes"="application/msonenote"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\ContentIndexCommon\Filters\Extension\.one]
    @="{B8D12492-CE0F-40AD-83EA-099A03D493F1}"

4. In Notepad, on the File menu, click Save As.
5. In the Save As dialog box, in the File name box, type onenote.reg, and then click Save.
6. On the index server, double-click the onenote.reg file that you just created.
  Note: This step starts the process of setting the necessary registry keys for registering the OneNote IFilter.
7. If the Open File - Security Warning dialog box appears, click Run.
8. In the Registry Editor dialog box, click Yes.
9. Click OK to close the Registry Editor box.
10. Restart the index server.
  Note: The index server must be restarted for the IFilter registration to take effect.

After you restart the index server, you must start a full crawl of the locations that contain Office OneNote 2007 files before they can appear in search queries. If your document libraries require check-out to edit the files, Office OneNote 2007 files will often be in checked-out state. Any updates to the checked-out files that are saved to the library will not be crawled until the files are checked in. In general, we recommend that administrators do not require that files be checked out before they can be edited for document libraries that are intended for storing OneNote files.
Farm-level configuration
The procedures in this section are performed at the farm level. To perform these procedures, you must be a farm administrator.
SharePoint Services Search service can make at one time when crawling this URL.
  - Request one document at a time and wait the specified time between requests. You can specify a delay (in seconds) between requests, when crawling this URL. When this option is selected, the Office SharePoint Services Search service makes one request per site at one time, and then it waits for the specified amount of time before making the next request. In the Time to wait (in seconds) box, type the time to wait (in seconds) between requests. The minimum time to wait between requests is one second, and the maximum time is 1,000 seconds.
6. Click OK.
6. In the SSL Certificate Warning Configuration section, select the Ignore SSL certificate name warnings check box if you want to trust that sites are legitimate even if their certificate names are not exact matches. Otherwise, ensure that this check box is unselected.
7. Click OK.
make any configuration changes related to either search service. Store these log files for an extended period of time in a safe location that will not be overwritten. See step 3 in the procedure above to determine the location where the system stores trace log files for your system.
SSP-level configuration
The procedures in this section are performed at the Shared Services Provider (SSP) level. To perform these procedures, you must be an SSP administrator for Search.
Use the following procedure to create a content source of any of the following content source types:
  - SharePoint sites
  - Web sites
  - File shares
  - Microsoft Exchange public folders

Create content sources
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Content sources and crawl schedules.
3. On the Manage Content Sources page, click New Content Source.
4. On the Add Content Source page, in the Name section, in the Name box, type a name for the content source.
  Note: Each content source name must be unique within the SSP in which it is created.
5. In the Content Source Type section, select the type of content you want to crawl by using this content source.
6. In the Start Addresses section, in the Type start addresses below (one per line) box, type the URLs from which the search system should start crawling.
  Note: For performance reasons, you cannot add the same start addresses to multiple content sources.
7. In the Crawl Settings section, select the behavior for the type of content you selected.
8. In the Crawl Schedules section, you can specify when to start full and incremental crawls. You can create a full crawl schedule by clicking the Create Schedule link below the Full Crawl list. You can create an incremental crawl schedule by clicking the Create Schedule link below the Incremental Crawl list.
9. Click OK.
10. Repeat steps 4 through 10 for any additional content sources you want to create.

Use the following procedure to create a content source of the business data content source type.

Create content source for business data
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Content sources and crawl schedules.
3. On the Manage Content Sources page, click New Content Source.
4. On the Add Content Source page, in the Name section, in the Name box, type a name for the content source.
  Note: Each content source name must be unique within the SSP in which it is created.
5. In the Content Source Type section, select Business Data.
6. In the Applications section, select Crawl entire Business Data Catalog to crawl all applications registered in the Business Data Catalog or select Crawl selected applications and select the specific applications you want to crawl.
7. In the Crawl Schedules section, you can specify when to start full and incremental crawls. You can create a full crawl schedule by clicking the Create Schedule link below the Full Crawl list. You can create an incremental crawl schedule by clicking the Create Schedule link below the Incremental Crawl list.
8. Click OK.
9. Repeat steps 4 through 9 for any additional content sources you want to create.
be crawled.
6. If you chose to exclude all items in this path, skip to step 8. Otherwise, you can further refine the inclusion by selecting any combination of the following:
  - Follow links on the URL without crawling the URL itself. Select this option if you want to crawl links contained within the URL, but not the URL itself.
  - Crawl complex URLs (URLs that contain a question mark (?)). Select this option if you want to crawl URLs that contain parameters that use the question mark (?) notation.
  - Crawl SharePoint content as HTTP pages. Normally, SharePoint content is crawled by using a special protocol. Select this option if you want SharePoint content to be crawled as HTTP pages instead. When the content is crawled by using the HTTP protocol, item permissions are not stored.
To use the default content access account when crawling URLs affected by this crawl rule, select Use the default content access account. If you want to use a different content access account, select Specify a different content access account, and then do the following:
  - In the Account box, type the account name that can access the paths defined by this crawl rule. Examples are user_name and DOMAIN\user_name.
  - In the Password and Confirm Password boxes, type the password for this account.
  - If you want to prevent basic authentication from being used, select the Do not allow Basic Authentication check box.
  - To use a client certificate for authentication, select Specify client certificate, and then click a certificate on the Certificate menu.
8. Click OK.
9. Repeat steps 4 through 8 for each new crawl rule you want to create.
settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Content sources and crawl schedules.
3. On the Manage Content Sources page, position the cursor over the content source you want to crawl, and then click Start full crawl on the menu that appears.
in the list that has a value for a given document. You can reorder the list by using the Move up and Move down buttons.
8. If you selected Include values from all crawled properties mapped, skip to step 12.
9. Click Add Mapping to add a mapping to the list.
10. The Crawled property selection dialog box appears. Configure the settings as follows:
  a. On the Select a category menu, click either All categories or a specific type of document category (for example, Office or SharePoint).
  b. In Select a crawled property, select a crawled property to map to the managed property that you are adding. Because the list of crawled properties is likely to be long, you can type the name (or the first part of the name) of the property that you are looking for in the Crawled property name box and then click Find.
  c. Click OK.
11. Repeat steps 9 through 10 for each additional crawled property that you want to map to this managed property.
12. On the New Managed Property page, in the Use in scopes section, select the Allow this property to be used in scopes check box if you want this managed property to be available for defining scopes.
13. Click OK.
  Note: Changes to the property mappings take effect on a document-by-document basis as soon as a document is crawled, regardless of the type of the crawl. A full crawl ensures that the changes are consistently applied to the entire index.
  Note: These descriptions are not visible to users.
6. Your credentials are automatically entered in the read-only Last modified by box.
  Note: Last modified by settings are not visible to users.
7. In the Target Results Page section, select one of the following:
  - Use the default Search Results Page. Select this option if you want search results from this scope to be presented by using the standard Search Results page.
  - Specify a different page for searching this scope. Select this option if you want search results from this scope to be presented on a custom page. If you select this option, type the URL for the custom Search Results page in the Target results page box.
8. Click OK.
The following table describes the four scope rule types that you can choose from when creating a scope rule. For simplicity, a separate procedure is provided for each scope rule type.
Scope rule type: Web address
Purpose: Select this option if you want the scope to include or exclude content from any resource in the search index that can be identified either by a URL (such as Web sites, file shares, and Exchange public folders) or by a host name, domain name, or subdomain name.
  - Folder. Select this option if you want to include or exclude items in the folder and subfolders of the indicated URL (for example, http://site/subsite/folder).
  - Hostname. Select this option if you want to specify a host name. All items in the host name will be included or excluded from the scope (according to the behavior rules).
  - Domain or subdomain. Select this option if you want to specify a domain or subdomain (for example, widgets.contoso.com). All items in the domain or subdomain will be included in or excluded from the scope.

Scope rule type: Property query
Purpose: Select this option if you want the scope to include or exclude content that has a managed property with a particular value. For example, Author="John Doe".

Scope rule type: Content source
Purpose: Select this option if you want the scope to include or exclude content that was crawled by using a particular content source.

Scope rule type: All content
Purpose: Select this option if the rule should not restrict the scope (the scope will include or exclude all content in the search index).
Use the following procedure to open the Add Scope Rule page.

Open the Add Scope Rule page
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Scopes section, click View scopes.
3. On the View Scopes page, position the cursor over the scope that you want to edit, click the arrow that appears, and then click Edit Properties and Rules on the menu that appears.
4. On the Scope Properties and Rules page, in the Rules section, click New rule.
Use the following procedure to create scope rules by using the Web address scope rule type.

Create scope rules by using the Web address scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Web Address.
2. In the Web Address section, select one of the following options and provide the address you want to associate with this rule:
  - Folder. Select this option if you want to include or exclude items in the folder and subfolders of the indicated URL (for example, http://site/subsite/folder).
  - Hostname. Select this option if you want to specify a host name. All items in the host name will be included or excluded from the scope (according to the behavior rules).
  - Domain or subdomain. Select this option if you want to specify a domain or subdomain (for example, widgets.contoso.com). All items in the domain or subdomain will be included in or excluded from the scope.
  - Include. Select this option if you want the rule to be applied (if another rule precludes its inclusion, it won't be included). The Include option is analogous to the logical operator AND.
  - Require. Select this option if you want the rule to be applied regardless of other rules. The Require option is analogous to the logical operator OR.
  - Exclude. Select this option if you want items that match this rule to be excluded from the scope. The Exclude option is analogous to the logical operator AND NOT.
4. Click OK.

Use the following procedure to create scope rules by using the Property query scope rule type.

Create scope rules by using the Property query scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Property Query.
2. In the Property Query section, select the managed property that you want to use to limit the scope from the Add property restrictions menu.
3. In the = box, type the string (value) that the managed property needs to match.
4. In the Behavior section, select one of the following options:
  - Include. Select this option if you want the rule to be applied (if another rule precludes its inclusion, it won't be included). The Include option is analogous to the logical operator AND.
  - Require. Select this option if you want the rule to be applied regardless of other rules. The Require option is analogous to the logical operator OR.
  - Exclude. Select this option if you want items that match this rule to be excluded from the scope. The Exclude option is analogous to the logical operator AND NOT.
5. Click OK.
Use the following procedure to create scope rules by using the Content source scope rule type.

Create scope rules by using the Content source scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Content source.
2. In the Content Source section, in the corresponding menu, select the content source from the list that you want to associate with this rule.
3. In the Behavior section, select one of the following options:
  - Include. Select this option if you want the rule to be applied (if another rule precludes its inclusion, it won't be included). The Include option is analogous to the logical operator AND.
  - Require. Select this option if you want the rule to be applied regardless of other rules. The Require option is analogous to the logical operator OR.
  - Exclude. Select this option if you want items that match this rule to be excluded from the scope. The Exclude option is analogous to the logical operator AND NOT.
4. Click OK.

Use the following procedure to create scope rules by using the All content scope rule type.

Create scope rules by using the All content scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select All Content.
2. Click OK.
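As an added example (not code from this guide or from Office SharePoint Server), the following Python script models how the four scope rule types and the Include, Require and Exclude behaviors decide which indexed items fall inside a scope, using constructed items and rules. The evaluation order it applies is an assumption drawn from the behavior descriptions above: every Require rule must match, no Exclude rule may match, and when Include rules exist at least one must match; it also shows the two matching pitfalls a scope author cares about, a Folder rule spilling over into a sibling folder and a Domain rule matching a look-alike domain.

```python
"""Search-scope rule evaluator (added example; all data below is constructed)."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Item:
    """One entry in the search index (constructed sample)."""
    url: str
    content_source: str
    properties: dict


@dataclass
class Rule:
    """One scope rule as configured on the Add Scope Rule page.

    kind:     "folder", "hostname" or "domain" (the three Web address forms),
              "property", "source" or "all"
    behavior: "include", "require" or "exclude"
    value:    folder URL, host name, domain, (property, value) pair,
              content source name, or None for "all"
    """
    kind: str
    behavior: str
    value: object = None


def rule_matches(rule, item):
    """True when the item is covered by the rule, ignoring its behavior."""
    url = item.url.lower()
    host = urlparse(url).hostname or ""
    if rule.kind == "folder":
        # Folder: the URL itself or anything beneath it. Comparing against
        # folder + "/" keeps /folder from also matching /folderx.
        folder = rule.value.lower().rstrip("/")
        return url == folder or url.startswith(folder + "/")
    if rule.kind == "hostname":
        return host == rule.value.lower()
    if rule.kind == "domain":
        # Domain or subdomain: the domain itself or any host beneath it.
        # Requiring the leading "." keeps evilcontoso.com out of contoso.com.
        domain = rule.value.lower()
        return host == domain or host.endswith("." + domain)
    if rule.kind == "property":
        name, wanted = rule.value
        return str(item.properties.get(name, "")).lower() == str(wanted).lower()
    if rule.kind == "source":
        return item.content_source == rule.value
    if rule.kind == "all":
        return True
    raise ValueError("unknown rule kind: %s" % rule.kind)


def in_scope(rules, item):
    """Assumed evaluation order: every Require rule must match, no Exclude
    rule may match, and when Include rules exist at least one must match."""
    groups = {"include": [], "require": [], "exclude": []}
    for rule in rules:
        groups[rule.behavior].append(rule)
    if any(rule_matches(r, item) for r in groups["exclude"]):
        return False
    if not all(rule_matches(r, item) for r in groups["require"]):
        return False
    if groups["include"] and not any(rule_matches(r, item) for r in groups["include"]):
        return False
    return True


def scope_members(rules, items):
    """URLs of the items that fall inside the scope, in index order."""
    return [i.url for i in items if in_scope(rules, i)]


# Constructed scope: content under contoso.com written by John Doe,
# except the archive folder on the intranet site.
SAMPLE_RULES = [
    Rule("domain", "include", "contoso.com"),
    Rule("property", "require", ("Author", "John Doe")),
    Rule("folder", "exclude", "http://intranet.contoso.com/archive"),
]

SP_SOURCE = "Local Office SharePoint Server sites"
SAMPLE_ITEMS = [
    Item("http://intranet.contoso.com/docs/spec.docx", SP_SOURCE, {"Author": "John Doe"}),
    Item("http://intranet.contoso.com/archive/old.docx", SP_SOURCE, {"Author": "John Doe"}),
    Item("http://intranet.contoso.com/archive-notes/a.docx", SP_SOURCE, {"Author": "John Doe"}),
    Item("http://www.evilcontoso.com/spec.docx", "Web sites", {"Author": "John Doe"}),
    Item("http://widgets.contoso.com/docs/plan.docx", "Web sites", {"Author": "Jane Roe"}),
]

if __name__ == "__main__":
    for url in scope_members(SAMPLE_RULES, SAMPLE_ITEMS):
        print(url)
```

Running the script lists only the first and third sample URLs: the archive file is excluded, the look-alike domain never passes the Include rule, and the item by another author fails the Require rule.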
you want to mark as unimportant when search results are returned (for example, URLs of sites that contain outdated information but are kept for record-keeping).
  Note: Any URL or item whose prefix matches the provided URLs in the Sites to demote box is demoted.
7. If you want the ranking calculations to begin after you click OK, in the Refresh Now section, select the Refresh now check box. If the check box is cleared, ranking calculations occur according to a predetermined schedule.
8. Click OK.

reference by site administrators.
5. Ignore the Display Groups section for now. We will assign display groups to scopes later in this section.
6. In the Target Results Page section, select one of the following:
  - Use the default Search Results Page. Select this option if you want search results from this scope to be presented by using the standard Search Results page.
  - Specify a different page for searching this scope. Select this option if you want search results from this scope to be presented on a custom page. If you select this option, type the URL for the custom Search Results page in the Target results page box.
7. Click OK.
Web address
   Purpose: Select this option if you want the scope to include or exclude content from any resource in the search index that can be identified either by a URL (such as Web sites, file shares, and Exchange public folders) or by a host name, domain name, or subdomain name.
   Folder. Select this option if you want to include or exclude items in the folder and subfolders of the indicated URL (for example, http://site/subsite/folder).
   Hostname. Select this option if you want to specify a host name. All items in the host name will be included or excluded from the scope (according to the behavior rules).
   Domain or subdomain. Select this option if you want to specify a domain or subdomain (for example, widgets.contoso.com). All items in the domain or subdomain will be included in or excluded from the scope.

Property query
   Purpose: Select this option if you want the scope to include or exclude content that has a managed property with a particular value. For example, Author="John Doe".

All content
   Purpose: Select this option if the rule should not restrict the scope (the scope will include or exclude all content in the search index).
Use the following procedure to open the Add Scope Rule page.

Open the Add Scope Rule page

1. On the top-level site of the site collection on which you want to create a scope rule, click Site actions, point to Site Settings, and then click Modify All Site Settings.
2. On the Site Settings page, in the Site Collection Administration section, click Search scopes.
3. On the View Scopes page, position the cursor over the scope that you want to edit, click the arrow that appears, and then click Edit Properties and Rules on the menu that appears.
   Note: You cannot add scope rules to shared scopes at the site collection level.
4. On the Scope Properties and Rules page, in the Rules section, click New rule.

Use the following procedure to create scope rules by using the Web address scope rule type.

Create scope rules by using the Web address scope rule type

1. On the Add Scope Rule page, in the Scope Rule Type section, select Web Address.
2. In the Web Address section, select one of the following options and provide the address you want to associate with this rule:
   Folder. Select this option if you want to include or exclude items in the folder and subfolders of the indicated URL (for example, http://site/subsite/folder).
   Hostname. Select this option if you want to specify a host name. All items in the host name will be included or excluded from the scope (according to the behavior rules).
   Domain or subdomain. Select this option if you want to specify a domain or subdomain (for example, widgets.contoso.com). All items in the domain or subdomain will be included in or excluded from the scope.
3. In the Behavior section, select one of the following options:
   Include. Select this option if you want the rule to be applied (if another rule precludes its inclusion, it won't be included). The Include option is analogous to the logical operator AND.
   Require. Select this option if you want the rule to be applied regardless of other rules. The Require option is analogous to the logical operator OR.
   Exclude. Select this option if you want items that match this rule to be excluded from the scope. The Exclude option is analogous to the logical operator AND NOT.
4. Click OK.

Use the following procedure to create scope rules by using the Property Query scope rule type.

Create scope rules by using the Property Query scope rule type

1. On the Add Scope Rule page, in the Scope Rule Type section, select Property Query.
2. In the Property Query section, select the managed property that you want to use to limit the scope from the Add property restrictions list.
3. In the = box, type the string (value) that the managed property needs to match.
4. In the Behavior section, select one of the following options:
   Include. Select this option if you want the rule to be applied (if another rule precludes its inclusion, it won't be included). The Include option is analogous to the logical operator AND.
   Require. Select this option if you want the rule to be applied regardless of other rules. The Require option is analogous to the logical operator OR.
   Exclude. Select this option if you want items that match this rule to be excluded from the scope. The Exclude option is analogous to the logical operator AND NOT.
5. Click OK.

Use the following procedure to create scope rules by using the All content scope rule type.

Create scope rules by using the All content scope rule type

1. On the Add Scope Rule page, in the Scope Rule Type section, select All Content.
2. Click OK.
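The scope rule procedures above (Content source, Web address, Property query and All content, with the Include, Require and Exclude behaviors) define which indexed items a scope exposes to searchers. The following added example, which is not part of this guide or of Office SharePoint Server, models that evaluation over a constructed set of indexed items so an administrator can check a scope definition before publishing it. The combination order follows the guide's descriptions (Require applies regardless of other rules, Exclude removes matches, Include applies unless precluded); the exact URL comparison rules, the sample hosts, paths and authors are assumptions made for illustration.

```python
"""Added example, not part of the guide or of Office SharePoint Server:
evaluates search-scope rules of the types the guide lists against a
constructed set of indexed items. Rule combination follows the guide's
descriptions; URL comparison details and sample data are assumptions."""
from urllib.parse import urlsplit


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def rule_matches(rule: dict, item: dict) -> bool:
    """Return True if a single scope rule matches one indexed item."""
    kind, value = rule["type"], rule["value"]
    url = item["url"].lower()
    if kind == "all":
        return True
    if kind == "folder":
        # The folder itself plus everything below it. The trailing "/"
        # keeps "/old" from also matching "/older" (assumed boundary rule).
        base = value.lower().rstrip("/")
        return url == base or url.startswith(base + "/")
    if kind == "hostname":
        return _host(url) == value.lower()
    if kind == "domain":
        # The domain and its subdomains only: a dotted-suffix test keeps
        # "oldwidgets.contoso.com" out of a "widgets.contoso.com" scope.
        domain = value.lower()
        return _host(url) == domain or _host(url).endswith("." + domain)
    if kind == "property":
        name, expected = value                      # e.g. ("Author", "John Doe")
        return item.get("properties", {}).get(name) == expected
    if kind == "content_source":
        return item.get("source") == value
    raise ValueError(f"unknown rule type: {kind}")


def in_scope(rules: list, item: dict) -> bool:
    """Combine rules as the guide describes: a Require match applies
    regardless of other rules, an Exclude match removes the item, and an
    Include match applies only when no Exclude rule precludes it."""
    by_behavior = {b: [r for r in rules if r["behavior"] == b]
                   for b in ("require", "include", "exclude")}
    if any(rule_matches(r, item) for r in by_behavior["require"]):
        return True
    if any(rule_matches(r, item) for r in by_behavior["exclude"]):
        return False
    return any(rule_matches(r, item) for r in by_behavior["include"])


def evaluate_scope(rules: list, items: list) -> list:
    """URLs of the items that fall inside the scope, in input order."""
    return [item["url"] for item in items if in_scope(rules, item)]


# Constructed sample scope and index entries (hosts and paths are illustrative).
SAMPLE_RULES = [
    {"type": "domain", "value": "widgets.contoso.com", "behavior": "include"},
    {"type": "folder", "value": "http://archive.widgets.contoso.com/old",
     "behavior": "exclude"},
    {"type": "property", "value": ("Author", "John Doe"), "behavior": "require"},
]

_SRC = "Local Office SharePoint Server sites"
SAMPLE_ITEMS = [
    {"url": "http://widgets.contoso.com/catalog/item1.aspx",
     "properties": {"Author": "Jane Roe"}, "source": _SRC},
    {"url": "http://archive.widgets.contoso.com/old/page.aspx",
     "properties": {"Author": "Jane Roe"}, "source": _SRC},
    {"url": "http://archive.widgets.contoso.com/older/page.aspx",
     "properties": {"Author": "Jane Roe"}, "source": _SRC},
    {"url": "http://archive.widgets.contoso.com/old/page2.aspx",
     "properties": {"Author": "John Doe"}, "source": _SRC},
    {"url": "http://oldwidgets.contoso.com/default.aspx",
     "properties": {"Author": "Jane Roe"}, "source": _SRC},
    {"url": "http://intranet.contoso.com/sites/hr/handbook.aspx",
     "properties": {"Author": "John Doe"}, "source": _SRC},
]

if __name__ == "__main__":
    for url in evaluate_scope(SAMPLE_RULES, SAMPLE_ITEMS):
        print(url)
```

Running the sample shows the two boundary cases worth checking in any scope: the Exclude folder rule for `/old` does not swallow `/older`, and the domain rule for `widgets.contoso.com` takes `archive.widgets.contoso.com` but not the look-alike host `oldwidgets.contoso.com`. Items by the required author appear even when an Exclude rule matches them, which is what the guide's "applied regardless of other rules" wording implies.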
scopes.
3. On the View Scopes page, click New Display Group.
4. On the Create Scope Display Group page, type a title and description that easily identifies the purpose of the group.
5. In the Scopes section, select the check box next to each scope that you want to include in this display group. You can manage the ordering of the scopes in the group by using the Position from Top lists.
6. In the Default Scope section, in the Default Scope list, select the scope that you want to be applied if users do not make a choice on their own.
7. Click OK.
Modify the Search Box Web Part for a new display group
Use the following procedure to modify the Search Box Web Part for a new display group.
Modify the Search Box Web Part for a new display group

1. Go to the Search Center page on the site collection on which you want to modify the Search Box Web Part.
2. Click Site actions, and then click Edit Page.
3. In the search box, click Edit, and then click Modify Shared Web Part.
4. In the Search Box tool pane, click the plus sign (+) next to Miscellaneous.
5. In the Scope Display Group text box, type the name of the display group that you want to use, and then click Apply.
6. Click OK to close the tool pane.
7. On the Search Center page, click either Publish or Check In to Share Draft, depending on your site permissions and workflow.
Best Bets are most helpful in situations in which a site administrator wants to promote specific pages. Because the Best Bet URLs are displayed prominently on the Search Results page, end users may be more inclined to view them.

Use the following procedure, along with the decisions you recorded in the Keywords and Best Bets section of the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create keywords and Best Bets.

Create keywords and Best Bets

1. On the top-level site of the site collection on which you want to create keywords and Best Bets, click Site actions, point to Site Settings, and then click Modify All Site Settings.
2. On the Site Settings page, in the Site Collection Administration section, click Search keywords.
3. On the Manage Keywords page, click Add Keyword.
4. On the Add Keyword page, in the Keyword Information section, in the Keyword Phrase box, type the keyword phrase you want to create.
5. In the Synonyms box, type the synonyms you want to associate with this keyword
phrase. You can type more than one synonym by separating them with semicolons.
6. If you want to associate a Best Bet with this keyword, in the Best Bets section, click Add Best Bet. Otherwise, skip to step 13.
7. If this is the first Best Bet you will create on this site collection, skip to step 9. Otherwise, in the Add Best Bet dialog box, do one of the following:
   To create a new Best Bet, select Add new best bet and then skip to step 9.
   To select an existing Best Bet, select Select existing best bet, click the Best Bet you want from the Select best bets from the list below box, and then click OK. Skip to step 13.
8. In the URL box, type the URL you want to associate with this Best Bet.
9. In the Title box, type the title you want to associate with this Best Bet. This title appears in the Select best bets from the list below box, when selecting an existing Best Bet.
10. In the Description box, type a description for this Best Bet. This description appears with the Best Bet on the Search Results page.
11. Click OK.
12. If you want to create a definition for this keyword, in the Keyword Definition section, type the definition that you want to appear next to Best Bets for this keyword on the Search Results page (optional).
13. In the Contact section, type the user name of the person to inform when the keyword is past its review date (optional).
14. In the Publishing section, you can optionally choose end and review dates for this keyword.
15. Click OK.
16. Repeat steps 4 through 16 to create additional keywords and best bets.
A. Configure personalization
The personalization service in Microsoft Office SharePoint Server 2007 uses information about users in your organization that is stored in directory services. That information can be supplemented with information about users from line-of-business applications. Personalization information can then be displayed in user profiles, and the properties in user profiles can be used to target content. Consult the plan for personalization in your initial deployment, and then configure the options that you have selected.
Before enabling personalization features in your deployment, you must first configure permissions to personalization features. Although some permissions are configured by default for deployments using Active Directory directory services, other configuration options vary according to the specific plan for deployment. Administrators of the Shared Services Provider (SSP) have limited ability to configure personalization services. The administration options for personalization services are associated with a set of permissions for different personalization features. Administrators can have access to some or all of these administration options. The users of the SSP have access to personal features associated with My Sites. Administrators of personalization permissions are responsible for configuring any changes to the default permissions for users.
By default, the account that was used to install Microsoft Office SharePoint Server 2007 on the server has all of these permissions. This account can be used to delegate permissions to other users. In some organizations, one SSP administrator will have all permissions, and access to every management task. In other organizations, the permissions will be distributed among more than one administrator. Refer to your deployment plan when adding permissions for administrators. Use the following procedure to configure administrator permissions to the SSP for personalization services.
Configure administrator permissions to the SSP for personalization sites

1. Open the administration page for the SSP. To open the administration page for the SSP, perform the following:
   a. On the top navigation bar, click Application Management.
   b. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
   c. On the Manage this Farm's Shared Services page, there is a link to each SSP and links to the Web applications for each SSP. Click the link for the SSP that you want to open.
   You can also access the SSP by clicking the link to the SSP Home page in the Quick Launch.
2. On the SSP Home page, in the User Profiles and My Sites section, click Personalization services permissions.
3. On the Manage Permissions page, click Add Users/Groups.
4. On the Add Users/Groups page, in the Choose Users section, type the name of the users and groups that you want to add. If a user or group is already on the list, select the check box for that user or group, and then click Modify Permissions of Selected Users.
5. In the Choose Permissions section, select the permissions that you want for the added users and groups:
   To enable administration of user profiles, select Manage user profiles. Users who have this permission can access the User profiles and properties page and the Profile services policies page.
   To enable administration of permissions to personalization services, select Manage permissions.
   To enable administration of audiences, select Manage Audiences.
   To enable administration of the portal usage reporting service, select Manage usage analytics.
6. Click Save.
Use the following procedure to configure access to SSP pages.

Configure access to SSP pages

1. Open the administration page for the SSP. To open the administration page for the SSP, perform the following:
   a. On the top navigation bar, click Application Management.
   b. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
   c. On the Manage this Farm's Shared Services page, there is a link to each SSP and links to the Web applications for each SSP. Click the link for the SSP that you want to open.
   You can also access the SSP by clicking the link to the SSP Home page in the Quick Launch.
2. On the SSP Home page, click the Site Actions menu.
3. In the Site Actions menu, click Site Settings.
4. On the Site Settings page, in the Users and Permissions section, click Site collection administrators.
5. On the Site Collection Administrators page, in the Site Collection Administrators section, perform the following:
   a. Type the name or account that you want to add to the Site Collection Administrators group.
   b. Click the Check Names icon. If the name or account is found in directory services, it will appear as a link in the text box.
   c. If the name or account was not found, or if you want to search for more users, click the Browse icon.
   d. On the Select People dialog box, in the Find box, type part or all of the user's name or account name, and then press Enter. All accounts that match appear in the text box.
   e. Select one or more accounts that you want to add, and then click Add.
   f. When you are done adding SSP administrators, click OK.
6. On the Site Collection Administrators page, click OK.
Users who have the Use personal features permission can see personalized information in sites, including user profiles for other users. Users who have both the Use personal features permission and the Create personal site permission can create a My Site by clicking the My Site link in the top navigation bar.

In some organizations, personalization features may not be enabled. In these scenarios, the administrator with permission to manage permissions would remove these permissions for all authenticated users. In other organizations, only some users will have access to personalization features. In these scenarios, the personalization permissions would be removed for the All Authenticated Users group, and another group would be created containing users who have both permissions. In some organizations, My Sites will be created on a case-by-case basis, or created by managers during deployment. In these scenarios, users would have the Use personal features permission, but not the Create personal site permission.

Because these permissions are managed in the same place as administrator permissions, it is possible to create several groups with different combinations of permissions. It is recommended that you carefully plan group permissions during the initial deployment so that you can minimize administration tasks during regular operations.

Use the following procedure to configure user permissions for personalization.

Configure user permissions for personalization

1. On the SSP home page, in the User Profiles and My Sites section, click Personalization services permissions.
2. On the Manage Permissions page, click Add Users/Groups.
3. On the Add Users/Groups page, in the Choose Users section, type the name of the users and groups that you want to add. If a user or group is already on the list, select the check box for that user or group, and then click Modify Permissions of Selected Users.
4. In the Choose Permissions section, select the permissions that you want for the added users and groups:
   To enable creation of My Sites, select Create personal site.
   To enable access to personalization features, select Use personal features.
5. Click Save.

Access to personalized information can also be modified by configuring profile services policies for users. For more information about configuring profile services policies, see Configure policies for Profile Services.
While good planning can avoid many situations where users need access to multiple My Sites, some scenarios may require that a user have access to more than one My Site host location. The typical scenario that requires multiple My Site host locations is a geographically distributed deployment with multiple sets of shared services in different locations. In these scenarios, it is common for each region to have its own set of My Sites and personalization features based on the needs of each region.

Use the following procedure to add trusted My Site host locations.

Add trusted My Site host locations

1. On the SSP home page, in the User Profiles and My Sites section, click Trusted My Site host locations.
2. On the Trusted My Site Host Locations page, click New to add another Trusted My Site host location.
3. On the Trusted My Site Host Locations: New Item page, in the URL section, type the URL of the trusted My Site host location, and type a description for the location.
4. In the Target Audiences section, select one or more audiences to use. For trusted My Site locations, the relevant audiences typically represent the set of users that belong to each My Site host location.
5. Click OK.

During regular operations, in response to changes in directory services, one or more users often end up with My Sites in different locations. Trusted My Site host locations can be used to provide access to personalization features targeted for only these users, without enabling access to all users.

See Also
Configure policies for Profile Services
Configure targeted content
Personal information about the users in your organization is stored in directory services and line-of-business applications and imported to the user profile store so that it can be used to present personalized or targeted content in sites, and to search for people in your organization. When the administrator of the Shared Services Provider (SSP) configures user profile imports, the import connections necessary for those settings are configured automatically except for custom connections. Custom import connections must be configured separately.
   You can also access the SSP by clicking the link to the SSP home page in the Quick Launch.
2. On the SSP home page, in the User Profiles and My Sites section, click User profiles and properties.
3. On the User Profiles and Properties page, in the Profiles and Import Settings section, click Configure profile import.
4. On the Configure Profile Import page, in the Source section, select the source for the import. This is usually the current domain, or the entire forest.
   Note: Changing this setting will delete any manually configured connections for the current source.
5. In the Default Access Account section, select Specify Account and type a name and password for the access account.
   Note: It is recommended that you specify an account, rather than relying on the default content access account. To use the default content access account, select Use Default Content Access Account.
6. Depending on your plan for scheduling user profile imports, select Schedule full import in the Full Import Schedule section, or select Schedule incremental import in the Incremental Import Schedule section, and then select the day and time to schedule the import.
7. Click OK.

Before continuing with configuration of personalization features, ensure that you have imported all user profiles at least once. To run a full import of user profiles: On the User Profiles and Properties page, in the Profile and Import Settings section, click Start full import.
   links to the Web applications for each SSP. Click the link for the SSP that you want to open.
   You can also access the SSP by clicking the link to the SSP home page in the Quick Launch.
2. On the SSP home page, in the User Profiles and My Sites section, click User profiles and properties.
3. On the User Profiles and Properties page, in the Profile and Import Settings section, click View import connections.
4. On the View Import Connections page, click Create New Connection.
5. To add a connection to Active Directory directory services:
   a. On the Add Connection page, in the Connection Settings section, on the Type menu, click Active Directory.
   b. In the Domain name text box, type the domain name for the domain that contains the information that you want to import.
   c. Select Auto discover domain controller if the specific domain controller is not important. To select a specific domain controller, select Specify a domain controller, and then in the Domain controller name menu, click the name of a specific domain controller.
   d. In the Port text box, type the number of the port to use to connect to the domain. To use SSL to help secure the connection, select the Use SSL-secured connection check box, and type a port number that is configured to use SSL in the Port text box.
   e. To minimize the performance impact on the domain controller, type a number of seconds in the Time out text box, and select Enable Server Side Incremental.
      Note: The Enable Server Side Incremental option must be selected if you are planning to perform incremental imports.
6. To add a connection to an Active Directory resource:
   a. In the Connection Settings section, on the Type menu, click Active Directory Resource.
   b. In the Domain name text box, type the domain name for the domain that contains the information that you want to import.
   c. Select Auto discover domain controller if the specific domain controller is not important. To select a specific domain controller, select Specify a domain controller, and then in the Domain controller name menu, click the name of a specific domain controller.
   d. In the Port text box, type the number of the port to use to connect to the domain. To use SSL to help secure the connection, select the Use SSL-secured connection check box, and type a port number that is configured to use SSL in the Port text box.
   e. To minimize the performance impact on the domain controller, type a number of seconds in the Time out text box, and select Enable Server Side Incremental.
   f. In the Master Forest Connection Settings section, in the Domain name text box, type the domain name for the master forest associated with the Active Directory resource that you want to import.
   g. Select Auto discover domain controller if the specific domain controller for the master forest is not important. To select a specific domain controller, select Specify a domain controller, and then in the Domain controller name menu, click the name of a specific domain controller.
   h. In the Port text box, type the number of the port to use to connect to the domain. To use SSL to help secure the connection, select the Use SSL-secured connection check box, and type a port number that is configured to use SSL in the Port text box.
   Select Specify Account and type the account name and password that you want to use to import user profiles from this connection.
      Note: It is recommended that you specify an account, rather than relying on the default content access account. To use the default content access account, select Use Default Account.
7. To add a connection to LDAP directory services:
   a. On the Add Connection page, in the Connection Settings section, in the Type menu, click LDAP Directory.
   b. In the Connection name text box, type the name of the connection.
   c. In the Directory service server name text box, type the name of the server for the directory service.
   d. In the Port text box, type the number of the port to use to connect to the domain. To use SSL to help secure the connection, select the Use SSL-secured connection check box, and type a port number that is configured to use SSL in the Port text box.
   e. To minimize the performance impact on the domain controller, type a number of seconds in the Time out text box, and select Enable Server Side Incremental.
   f. In the Providername text box, type the name of the provider for this connection.
   g. In the Username attribute text box, type the name of the attribute to import.
      Note: This attribute is the identification attribute for each entry in LDAP directory services, associated with a single user or account. By default, this is the uid attribute.
8. In the Search Settings section, in the Search base text box, type the distinguished name of the directory node from which to import the users. If you do not know the distinguished name, click the Auto Fill Root Search Base button.
9. In the User filter text box, you can add new query clauses to the default query to filter which user profiles are imported.
10. Under Scope, select One level to import one level of user profiles, or Subtree to import all user profiles under the search base.
11. To improve performance, you can type a maximum number of user profiles to import in the Page Size text box, and type a maximum number of seconds for the import in the Page time out text box.
12. In the Authentication Information section, select Specify Account and type the account name and password that you want to use to import user profiles from this connection.
    Note: It is recommended that you specify an account, rather than relying on the default content access account. To use the default content access account, select Use Default Account.
13. Click OK.

For most connections, unless you have a specific need to narrow the scope of the import or limit the impact on the servers for directory services, you can accept the default values that appear on the Add Connection page. If you have non-user accounts in Active Directory, such as accounts used for testing, you might want to filter out those accounts. Configuration settings for connections can be modified to improve performance as part of regular operations. For more information about the exact settings to use when importing user profiles, see the technical reference documentation for Microsoft Office SharePoint Server 2007. For more information about Active Directory, see the documentation for Active Directory.

After you have configured import connections to directory services, you can add a connection for additional properties imported from the Business Data Catalog. Unlike directory services, it is not possible to create user profiles from the Business Data Catalog. You can only add Business Data Catalog data to existing user profiles imported from directory services, although you can add as much or as little data as you want.

Use the following procedure to add an import connection to the Business Data Catalog.

Add an import connection to the Business Data Catalog

1. On the View Import Connections page, click Create New Connection.
2. On the Add Connection page, in the Connection Settings section, in the Type menu, click Business Data Catalog.
3. In the Connection name text box, type the name of the connection.
4. In the Domain name text box, type the domain name for the domain that contains the information that you want to import.
5. In the Business Data Catalog Entity menu, select the name of the business data type that contains the data field to import as a user profile property.
6. Under Connection, select Connect User Profile Store to Business Data Catalog Entity as a 1:1 mapping, and then select a profile property that maps to the business data type in the Return items identified by this profile property menu.
7. To import multiple items for the business data type, select Connect User Profile Store to Business Data Catalog Entity as a 1:many mapping, select a property to filter by in the Filter items by menu, and then type a property for the filter value in the Use this profile property as the filter value menu.
8. Select Auto discover domain controller if the specific domain controller is not important. To select a specific domain controller, select Specify a domain controller, and then in the Domain controller name menu, click the name of a specific domain controller.
9. In the Port text box, type the number of the port to use to connect to the domain. To use SSL to help secure the connection, select the Use SSL-secured connection check box, and type a port number that is configured to use SSL in the Port text box.
10. To minimize the performance impact on the domain controller, type a number of seconds in the Time out text box, and select Enable Server Side Incremental.
11. In the Providername text box, type the name of the provider for this connection.
12. In the Username attribute text box, type the name of the attribute to import.
    Note: This attribute is the identification attribute for each entry in the Business Data Catalog for this business data type.
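The import-connection procedures above leave two settings to the administrator's judgment: the User filter clauses that decide which directory entries become user profiles (the guide suggests filtering out test and other non-user accounts), and the Port / Use SSL-secured connection pairing. The following added example, which is not part of this guide or of Office SharePoint Server, builds the filter from individual clauses with RFC 4515 value escaping, so that an account or display name containing `(`, `)`, `*` or `\` cannot change the structure of the filter, and flags a port choice that contradicts the SSL setting. The default clause and attribute names (objectCategory, objectClass, sAMAccountName) are Active Directory conventions assumed here for illustration, and the port numbers are the registered LDAP/LDAPS defaults, not values taken from the guide.

```python
"""Added example, not part of the guide or of Office SharePoint Server:
composes an LDAP/Active Directory import User filter from escaped clauses
and sanity-checks the Port / SSL pairing. Attribute names, the default
clause and the port defaults are assumptions for illustration."""

# RFC 4515 escapes for characters that would otherwise alter a filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter clause."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equals(attr: str, value: str) -> str:
    return f"({attr}={escape_filter_value(value)})"


def starts_with(attr: str, prefix: str) -> str:
    # Only the literal prefix is escaped; the trailing "*" is the intended wildcard.
    return f"({attr}={escape_filter_value(prefix)}*)"


def not_(clause: str) -> str:
    return f"(!{clause})"


def and_(*clauses: str) -> str:
    return "(&" + "".join(clauses) + ")"


def or_(*clauses: str) -> str:
    return "(|" + "".join(clauses) + ")"


# Assumed default query: the user objects a profile import normally selects.
DEFAULT_USER_CLAUSES = ("(objectCategory=person)", "(objectClass=user)")


def build_user_filter(exclude_accounts=(), exclude_prefixes=(), extra_clauses=()) -> str:
    """Default query plus exclusions for entries that should not become
    user profiles (test accounts, service accounts), ANDed together."""
    clauses = list(DEFAULT_USER_CLAUSES)
    clauses += [not_(equals("sAMAccountName", name)) for name in exclude_accounts]
    clauses += [not_(starts_with("sAMAccountName", p)) for p in exclude_prefixes]
    clauses += list(extra_clauses)
    return and_(*clauses)


LDAP_PORT, LDAPS_PORT = 389, 636   # registered defaults, assumed here


def check_connection(port: int, use_ssl: bool) -> list:
    """Review findings for the Port / Use SSL-secured connection pairing."""
    findings = []
    if not use_ssl:
        findings.append("import account credentials and profile data cross the "
                        "network without SSL protection")
    elif port == LDAP_PORT:
        findings.append(f"Use SSL-secured connection is selected but port {port} is "
                        f"the plaintext LDAP port; use the LDAPS port ({LDAPS_PORT}) "
                        "or another port configured for SSL")
    return findings


if __name__ == "__main__":
    print(build_user_filter(exclude_accounts=["svc-crawl"], exclude_prefixes=["test"]))
    print(check_connection(389, True))
```

The point of escaping per value rather than per filter is visible in `starts_with`: the prefix is escaped, the wildcard is appended afterwards, so a prefix that itself contains `*` stays a literal while the intended wildcard still works. The same helpers produce any other clause the import needs, for example an `or_` over several departments.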
Language, selecting a language from the menu, and then typing the display name in the new language. You can add display names for any of the available languages. The display name that appears depends on the language used by the user viewing the property.
3. On the Type menu, select the data type for the property.
4. On the Length menu, type the maximum number of characters allowed for values for this property.
5. To allow multiple values for this property, select the Allow multiple values check box, and then select an option from the Multivalue Separator menu.
   Note: If you select the Allow multiple values check box, the property will be permanently set as a multi-valued property. You cannot change this setting after you have selected it.
6. To allow users to select values from a list of choices, select the Allow choice list check box.
7. In the User Description section, type a description that provides instructions for users who are adding values for this property.
   Note: If your deployment uses multiple languages, you can provide alternative descriptions for each language by clicking the Edit Languages button, clicking Add Language, selecting a language from the menu, and then typing the display name in the new language. You can add descriptions for any of the available languages. The description that appears depends on the language used by the user viewing the property.
8. In the Policy Settings, Edit Settings, and Display Settings sections, select a policy setting and default privacy setting for this property, select whether users can edit values for this property, and configure display options. For more information about privacy policies, see Configure policies for Profile Services.
9. In the Choice List Settings section, choose whether the property uses a defined choice list, add the choices, and select whether users can add to the choice list.
   Note: This section is only available if you selected the Allow choice list check box in the Property Settings section.
   For more information about choice lists, see Plan for people and user profiles.
10. In the Search Settings section, select the Alias check box if the property is equivalent to the user's name for purposes of search. Select Indexed if this property is part of the search schema for users, so that it can be used to find users or is displayed in users search results.
11. In the Property Import Mapping section, select the data source and data type field to
See Also
Plan for people and user profiles (http://technet.microsoft.com/en-us/library/cc262095.aspx)
Configure policies for Profile Services
Configure targeted content
Configure personalization sites
In Microsoft Office SharePoint Server 2007, content in a site can be targeted to individuals and groups of users so that a site can provide a personalized experience for all users. This encourages collaboration across an organization. Content is primarily targeted by using audiences. Audiences are defined by using audience rules based on properties in user profiles or membership in distribution lists and SharePoint groups. Properties and distribution list membership information are imported from directory services or from line-of-business applications that are registered in the Business Data Catalog. SharePoint groups are configured within each site or site collection.

SharePoint lists and Web Parts can be targeted by using audiences, so that only members of the targeted audience can view content. Links to certain sites can be targeted by audience. Examples of targeted links include published links to Office client applications and personalization site links. Targeted links appear in Office client applications and My Sites only for users who are members of the target audiences.

Administrators of the Shared Services Provider (SSP) create and configure audiences, and then configure the compilation schedules for audiences. After audiences are created by SSP administrators, any other user with the correct permissions can use audiences to target content. SSP administrators also configure the settings for published links to the Office client applications and personalization site links. In configurations that have more than one My Site location, the SSP administrator for personalization services configures trusted My Site locations so that some groups of users can view personalized content across all My Site locations.
2. On the Manage Audiences page, click Create audience.
3. On the Create Audience page, type a name and description.
4. In the Owner text box, type or select a person to own this audience.
5. Select Satisfy all of the rules or Satisfy any of the rules depending on the rules you have planned for each audience.
Note: Complex rules containing AND and OR can be created by developers using the SharePoint object model.
6. Click OK.
7. On the Add Audience Rule page, to add a rule based on a user:
a. In the Operand section, select User.
b. In the Operator section, select Reports Under to create a rule based on organizational hierarchy or select Member Of to target by group or distribution list.
c. Type or select the user that you want to use to test this rule. For a Reports Under rule, select the person who is the manager of the users that you want to include in the audience. For a Member Of audience, select the group or distribution list to include for the audience rule.
8. To add a rule based on a property of user profiles:
a. In the Operand section, select Property, and then select a property from the menu.
b. In the Operator menu, select an operator for the property. The operators vary by property, but common operators include =, Contains, and <>. Full descriptions of the operators are available in the planning and operations documentation for Office SharePoint Server 2007.
c. Type a value to use when evaluating the property against this rule.
9. Click OK.

Use the following procedure to configure audience compilation and compile audiences.

Configure audience compilation and compile audiences
1. On the Manage Audiences page, click Specify compilation schedule.
2. On the Specify Compilation Schedule page, select Enable scheduling.
3. Select a start time in the Start at menu. To compile audiences at the same time each day, select Every day. To compile audiences at the same time once per week, select Every week on, and then select a day of the week. To compile audiences once a month, select Every month on this date, and then select a day of the month.
4. Click OK.

On the Manage Audiences page, click Start compilation at any time to compile audiences. All audiences will be compiled.
Note: You can compile audiences individually from the View Audiences page by clicking the audience, and then clicking Compile.

Actual targeting of content based on audiences is performed by site administrators or contributors. As part of planning for your initial deployment, your planning team will identify the key content to target. Audience administrators should work with site administrators during deployment to ensure that content is targeted according to plan.
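The following is an added worked example, not code from the deployment guide or from Office SharePoint Server itself. It models what audience compilation does with the rule shapes the procedure above describes: User rules with the Reports Under and Member Of operators, Property rules with the =, Contains and <> operators, and the Satisfy all / Satisfy any combination. The user profiles, manager chain and group memberships are constructed sample data; the case-insensitive comparison, the exclusion of the manager from a Reports Under audience, and the bounded walk up the manager chain are assumptions made for this illustration, not documented product behaviour.

```python
"""Evaluate audience rules of the kind shown in the Create audience procedure.

Constructed example: all profiles, groups and rules below are invented sample
data, not imported from any directory service.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed user profiles keyed by account name; "Manager" is the profile
# property that the Reports Under operator walks.
PROFILES: Dict[str, Dict[str, str]] = {
    "contoso\\ceo":  {"Department": "Executive", "Office": "Seattle", "Manager": ""},
    "contoso\\anna": {"Department": "Finance",   "Office": "Seattle", "Manager": "contoso\\ceo"},
    "contoso\\bo":   {"Department": "Finance",   "Office": "Seattle", "Manager": "contoso\\anna"},
    "contoso\\cal":  {"Department": "Sales",     "Office": "Paris",   "Manager": "contoso\\anna"},
    "contoso\\dee":  {"Department": "Sales Ops", "Office": "Paris",   "Manager": "contoso\\cal"},
}

# Constructed SharePoint group / distribution list membership.
GROUPS: Dict[str, Set[str]] = {
    "Finance Team": {"contoso\\anna", "contoso\\bo"},
    "EU Staff": {"contoso\\cal", "contoso\\dee"},
}


@dataclass
class Rule:
    operand: str    # "User" or "Property", as in the Operand section of the page
    operator: str   # "Reports Under", "Member Of", "=", "<>", "Contains"
    value: str      # manager account, group name, or property value to compare
    prop: str = ""  # profile property name; only used for Property rules


def reports_under(account: str, manager: str, max_depth: int = 32) -> bool:
    """True if `account` is a direct or indirect report of `manager`.

    Assumption: the manager is not a member of their own Reports Under audience.
    The walk is bounded so a cyclic or corrupt manager chain cannot loop forever.
    """
    current = PROFILES.get(account, {}).get("Manager", "")
    for _ in range(max_depth):
        if not current:
            return False
        if current.lower() == manager.lower():
            return True
        current = PROFILES.get(current, {}).get("Manager", "")
    return False


def evaluate_rule(account: str, rule: Rule) -> bool:
    """Evaluate one audience rule for one user profile."""
    if rule.operand == "User":
        if rule.operator == "Reports Under":
            return reports_under(account, rule.value)
        if rule.operator == "Member Of":
            return account in GROUPS.get(rule.value, set())
        raise ValueError(f"unsupported User operator: {rule.operator!r}")
    if rule.operand == "Property":
        # Assumption: property comparison is case-insensitive.
        actual = PROFILES[account].get(rule.prop, "").lower()
        expected = rule.value.lower()
        if rule.operator == "=":
            return actual == expected
        if rule.operator == "<>":
            return actual != expected
        if rule.operator == "Contains":
            return expected in actual
        raise ValueError(f"unsupported Property operator: {rule.operator!r}")
    raise ValueError(f"unsupported operand: {rule.operand!r}")


def compile_audience(rules: List[Rule], satisfy_all: bool) -> Set[str]:
    """Return the accounts that belong to the audience.

    satisfy_all=True corresponds to "Satisfy all of the rules";
    satisfy_all=False corresponds to "Satisfy any of the rules".
    """
    combine = all if satisfy_all else any
    return {acct for acct in PROFILES if combine(evaluate_rule(acct, r) for r in rules)}


if __name__ == "__main__":
    finance_under_anna = [
        Rule("User", "Reports Under", "contoso\\anna"),
        Rule("Property", "=", "Finance", prop="Department"),
    ]
    print(sorted(compile_audience(finance_under_anna, satisfy_all=True)))
```

Compiling an audience is the step that turns the rules into a membership list; until an audience is compiled (on the schedule or with Start compilation) targeting that uses it reflects the previous membership, which is why the procedure ends with a compilation step.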
Every user who is a member of a targeted audience can see the personalization link when viewing their personal site, along with other relevant personalization sites. This enables each user to have a single access point for personalized content.

The configuration page for personalization sites does not check the template of linked sites, so SSP administrators can theoretically create a link to any kind of site. However, to focus the purpose of My Sites, it is recommended that only personalization site links or links to sites that use a similar template be added to the list on the Personalization site links page.

SSP administrators select an owner for each personalization site link. This provides a contact for the personalization link, but does not configure any permissions for audiences. The visibility of each link can be modified by the relevant site administrator of each site during regular operations, by changing the targeted audiences. Audience creation and membership can only be configured by the audiences administrator from the SSP administration pages.

Configure the personalization site links for the key personalization sites identified during site hierarchy and personalization planning. Additional links can be added as necessary as part of regular operations.

Use the following procedure to configure personalization site links.

Configure personalization site links
1. On the SSP Home page, in the User Profiles and My Sites section, click Personalization site links.
2. On the Personalization site links page, click New to add a link to a personalization site.
3. On the Personalization site links: New Item page, in the URL section, type the URL of the link that you want to appear in the My Site navigation bar, and type a description for the link.
4. In the Owner section, type the account name of an owner for the site link. This user is typically the site administrator for the personalization site.
5. In the Target Audiences section, select one or more audiences to use. Only members of these audiences will see the link in the My Site navigation bar.
6. Click OK.
Use the following procedure to add trusted My Site host locations.

Add trusted My Site host locations
1. On the SSP Home page, in the User Profiles and My Sites section, click Trusted My Site host locations.
2. On the Trusted My Site Host Locations page, click New to add another Trusted My Site host location.
3. On the Trusted My Site Host Locations: New Item page, in the URL section, type the URL of the trusted My Site host location, and type a description for the location.
4. In the Target Audiences section, select one or more audiences to use. For trusted My Site locations, the relevant audiences typically represent the set of users that belong to each My Site host location.
5. Click OK.

During regular operations, in response to changes in directory services, one or more users can end up with My Sites in different locations. This can happen when an account is migrated from one SSP to another, such as when an employee changes geographic divisions in an organization that uses different SSPs for geographically distributed locations. Trusted My Site host locations can be used to provide access to personalization features targeted for only these users, without enabling access to all users.

See Also
Plan for audiences (http://technet.microsoft.com/en-us/library/cc261958.aspx)
Configure personalization sites
Microsoft Office SharePoint Server 2007 provides a template for creating personalization sites. Personalization sites use a Current User Filter Web Part that can be connected to other Web Parts on the page to display content that is personalized for each user who visits the site. Personal sites combine Web Parts that display information configured by Shared Services Provider (SSP) administrators (through user profiles and personalization policies) with content customized by each user; personalization sites, by contrast, are designed to be customized by site owners for a larger audience. Site owners are selected during initial deployment by SSP administrators when they configure personalization links. The site owner of each site is typically the site administrator for the site, and decides which audiences to use when targeting the display of the personalization link on the My Site navigation bar. Site administrators, possibly working with site designers, create and customize personalization sites based on recognized business needs.
Personalization sites do not have to appear in the My Site navigation bar. However, users are much more likely to view a personalization site and work on the information they see on a personalization site if it is one of the sites that appears in the My Site navigation bar. Because the personalization sites created during initial deployment represent key business processes identified during planning, it is usually a good idea to include links to the sites in the My Site navigation bar and carefully consider how those links are targeted.

Use the following procedure to configure personalization site links.

Configure personalization site links
1. On the SSP home page, in the User Profiles and My Sites section, click Personalization site links.
2. On the Personalization Site Links page, click New to add a link to a personalization site.
3. On the Personalization Site Links: New Item page, in the URL section, type the URL of the link that you want to appear in the My Site navigation bar, and type a description for the link.
4. In the Owner section, type the account name of an owner for the site link. This user is typically the site administrator for the personalization site.
5. In the Target Audiences section, select one or more audiences to use. Only members of these audiences will see the link in the My Site navigation bar.
6. Click OK.

For more information on configuring personalization site links, see Configure targeted content.
In Microsoft Office SharePoint Server 2007, Shared Services Provider (SSP) administrators for personalization services configure the policies that determine who can view personalized information and how that information can be shared. Every kind of personalized information is affected by these policies, including:
- Memberships in SharePoint sites and distribution lists.
- Social networking features, such as My Colleagues.
- Links on personal sites.
- Personalization site link pinning.
- User profile properties.
Consult your planning for personalization policies, and then configure settings for each of these personalization features.
property or feature. Select Required if the property must contain information. The visibility of the property is configured in the Default Privacy Setting menu. Select Optional if the property is not required. Each user decides whether optional properties contain information based on the user's preference.
4. In the Default Privacy Setting menu, select the people who can view information for the feature or property. Click Only Me to limit visibility to the user. Click My Manager to limit visibility to the user and the user's manager. Click My Workgroup to limit visibility to the user and all users who report to the same manager. Click My Colleagues to limit visibility to the user and all colleagues for that user. Click Everyone to share the information with all users who have the "use personal features" permission.
5. To enable users to change the default privacy setting, select the User can override check box.
6. To enable a property to be available in user information lists for SharePoint sites other than My Site, select the Replicable check box. This property and its values from the user profile will be replicated to other sites.
Note: If you clear a check box that has already been selected, any information that was replicated before the change will remain on other SharePoint sites until it is changed on each site. This can occur during deployment if you clear a check box for a property that is replicable by default if the property has already been imported from directory services or the Business Data Catalog.
7. Click OK.
Setting menu, click the policy setting for the property. Select Required if the property must contain information. The visibility of the property is configured in the Default Privacy Setting menu, as discussed in step 5. Select Optional if the property is not required. Each user decides whether or not to provide values for optional properties. Select Disabled to prevent anyone but the SSP administrator from viewing the property or feature.
5. In the Default Privacy Setting menu, select the people who can view information for the feature or property. Click Only Me to limit visibility to the user. Click My Manager to limit visibility to the user and the user's manager. Click My Workgroup to limit visibility to the user and all users who report to the same manager. Click My Colleagues to limit visibility to the user and all colleagues for that user. Click Everyone to share the information with all users who have the Use personal features permission.
6. To enable users to change the default privacy setting, select the User can override check box.
7. To enable a property to be available in user information lists for SharePoint sites other than My Site, select the Replicable check box. This property and its values from the user profile will be replicated to other sites.
Note: Replication occurs during profile imports. The information list is replaced by the values for the property in the imported user profile. Changes made to properties in the user profile that are not replicated will not appear on other sites. If you clear a Replicable check box that was previously selected, any information that was replicated before the change will remain on other SharePoint sites until it is changed on each site. This can occur during deployment if you clear a check box for a property that is replicable by default after the property has been imported from directory services or the Business Data Catalog.
8. In the Edit Settings section, click an option to allow or not allow users to edit values for properties in their user profiles. To allow users to edit values for the property in their user profiles, click Allow users to edit values for this property. To prevent users from editing values for the property, click Do not allow users to edit values for this property. To display the property in the profile properties section of the user's profile page, select Show in the profile properties section of the user's profile page.
9. In the Display Settings section, select where the property is displayed on My Site. To display the property on the Edit Details page available from the personal page of My Site, select Show on the Edit Details page. To display changes to the property in the Colleagues section of My Site and all other instances of the Colleague Tracker Web Part, click Show changes in the Colleague Tracker Web Part.
10. Click OK.

See Also
Plan for people and user profiles (http://technet.microsoft.com/en-us/library/cc262095.aspx)
Policies for Profile Services (http://technet.microsoft.com/en-us/library/cc263160.aspx)
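The following is an added worked example, not code from the deployment guide or from Office SharePoint Server. It turns the policy settings from both profile-policy procedures above (Required / Optional / Disabled, the Default Privacy Setting levels Only Me, My Manager, My Workgroup, My Colleagues and Everyone, and the User can override check box) into a single visibility check, so an administrator can reason about who will see a property value before the policy is saved. The manager chain, colleague lists and the set of accounts holding the Use personal features permission are constructed sample data; reading My Workgroup as "peers who share the owner's manager" and Disabled as "nobody but the SSP administrator, the owner included" follows the wording of the page and is an assumption about edge cases the page does not spell out.

```python
"""Decide whether one user can view another user's profile property under a
Profile Services policy. Constructed example with invented sample data."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

PRIVACY_LEVELS = ("Only Me", "My Manager", "My Workgroup", "My Colleagues", "Everyone")

# Constructed org chart: account -> manager account ("" for the top of the chain).
MANAGER: Dict[str, str] = {
    "contoso\\ceo": "",
    "contoso\\anna": "contoso\\ceo",
    "contoso\\bo": "contoso\\anna",
    "contoso\\cal": "contoso\\anna",
    "contoso\\dee": "contoso\\cal",
}

# Constructed My Colleagues lists: owner -> accounts the owner has added as colleagues.
COLLEAGUES: Dict[str, Set[str]] = {
    "contoso\\bo": {"contoso\\dee"},
}

# Constructed set of accounts that hold the "Use personal features" permission.
# contoso\guest deliberately lacks it, so "Everyone" does not include that account.
USE_PERSONAL_FEATURES: Set[str] = {
    "contoso\\ceo", "contoso\\anna", "contoso\\bo", "contoso\\cal", "contoso\\dee",
}


@dataclass
class PropertyPolicy:
    policy: str            # "Required", "Optional" or "Disabled" (Policy Setting menu)
    default_privacy: str   # one of PRIVACY_LEVELS (Default Privacy Setting menu)
    user_can_override: bool  # the "User can override" check box


def effective_privacy(policy: PropertyPolicy, user_choice: Optional[str]) -> str:
    """The privacy level that applies: the user's own choice only counts when
    the policy allows users to override the default."""
    level = user_choice if (user_choice is not None and policy.user_can_override) \
        else policy.default_privacy
    if level not in PRIVACY_LEVELS:
        raise ValueError(f"unknown privacy level {level!r}")
    return level


def can_view(viewer: str, owner: str, policy: PropertyPolicy,
             user_choice: Optional[str] = None, is_ssp_admin: bool = False) -> bool:
    """True if `viewer` may see `owner`'s value for a property under `policy`."""
    if policy.policy == "Disabled":
        # Assumption from the page wording: nobody but the SSP administrator.
        return is_ssp_admin
    if viewer == owner:
        return True  # every non-disabled level includes the user themself
    level = effective_privacy(policy, user_choice)
    if level == "Only Me":
        return False
    if level == "My Manager":
        return MANAGER.get(owner, "") == viewer
    if level == "My Workgroup":
        # Assumption: users who report to the same manager as the owner.
        owner_manager = MANAGER.get(owner, "")
        return owner_manager != "" and MANAGER.get(viewer, "") == owner_manager
    if level == "My Colleagues":
        return viewer in COLLEAGUES.get(owner, set())
    # "Everyone": all users who hold the Use personal features permission.
    return viewer in USE_PERSONAL_FEATURES


if __name__ == "__main__":
    home_phone = PropertyPolicy("Optional", "My Manager", user_can_override=True)
    for viewer in ("contoso\\anna", "contoso\\cal", "contoso\\guest"):
        print(viewer, can_view(viewer, "contoso\\bo", home_phone, user_choice="My Workgroup"))
```

Run the check for each property whose default privacy you intend to widen, with and without User can override, before importing profile data; the Replicable note above explains why values that have already been copied to other sites do not disappear when the policy is tightened later.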
Microsoft Office SharePoint Server 2007 enables the integration of data from line-of-business applications with features that enable that data to be found, displayed, and analyzed along with other content by users who use SharePoint sites. After you have planned the line-of-business applications, SharePoint lists, and sites for your organization, you must configure the connection between data in applications and the features in your deployment that use data.
In Microsoft Office SharePoint Server 2007, the Business Data Catalog enables users to find and analyze business data and take effective actions directly from SharePoint sites that use business data. When configuring the Business Data Catalog, it is critical that you protect the security and integrity of the data in line-of-business applications. One of the most important ways to protect your data is to carefully enable access to data for the users who can use it effectively, while preventing access by other users. During planning for your deployment, you identify the purpose of your sites, the business applications associated with key business purposes, and the users who use each application. During deployment, you enable access to the groups of users identified during planning.

To enable access to business data, you should:
- Configure Shared Services Provider (SSP) administrator rights for the Business Data Catalog.
- Configure access to the SSP pages.
- Configure single sign-on for the Business Data Catalog.
- Configure data warehouses for data security.
- Configure user permissions for business data.
b. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
c. On the Manage this Farm's Shared Services page, there is a link to each SSP and links to the Web applications for each SSP. Click the link for the SSP that you want to open.
You can also access the SSP by clicking the link to the SSP Home page in the Quick Launch.
2. On the SSP home page, in the Business Data Catalog section, click Business Data Catalog permissions.
3. On the Manage Permissions: Business Data Catalog page, click Add Users/Groups.
4. On the Add Users/Groups: Business Data Catalog page, in the Choose Users section, enter the name or account of the user that you want to add.
5. In the Choose Permissions section, select one or more permissions for the user. For the main administrator of the Business Data Catalog, it is common to select all permissions.
- Edit: Select this permission to enable users to import application definitions and add, edit, or delete application definitions, business data types, and data fields for business data types.
- Execute: Select this permission to enable users to change the properties of business data.
- Select in Clients: Select this permission to enable the user to refer to business data types and fields in SharePoint lists, Web Parts, sites, and client applications.
- Set permissions: Select this permission to enable the user to configure permissions for other users.
6. Click Save.
Configure access to the SSP pages
1. Open the administration page for the SSP. To open the administration page for the SSP, do the following:
a. On the top navigation bar, click Application Management.
b. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
c. On the Manage this Farm's Shared Services page, there is a link to each SSP and links to the Web applications for each SSP. Click the link for the SSP that you want to open.
You can also access the SSP by clicking the link to the SSP home page in the Quick Launch.
2. On the SSP home page, click the Site Actions menu.
3. On the Site Actions menu, click Site Settings.
4. On the Site Settings page, in the Users and Permissions section, click Site collection administrators.
5. On the Site Collection Administrators page, in the Site Collection Administrators section, do the following:
a. Type the name or account that you want to add to the Site Collection Administrators group.
b. Click the Check Names icon. If the name or account is found in directory services, it will appear as a link in the text box.
c. If the name or account was not found, or if you want to search for more users, click the Browse icon.
d. In the Select People dialog box, in the Find box, type part or all of the user's name or account name, and then press Enter. All accounts that match appear in the text box.
e. Select one or more accounts that you want to add, and then click Add.
f. When you are done adding SSP administrators, click OK.
6. On the Site Collection Administrators page, click OK.
Configure application definitions and single sign-on for the Business Data Catalog
Line-of-business applications are added to the Business Data Catalog by importing application definitions authored in XML. In most scenarios, access to applications from a single account is accomplished by using the single sign-on (SSO) feature of Office SharePoint Server 2007. SSO maps permissions from external data sources, including line-of-business applications, to permissions in Office SharePoint Server 2007. This enables a user to access multiple data sources regardless of platform or authentication requirements without having to re-enter credentials for each system. This enables more accessible use and sharing of data without sacrificing security.

The Business Data Catalog is only one of several features and services that take advantage of SSO. SSO is also used by Excel Services in Microsoft Office SharePoint Server 2007, InfoPath Forms Services, and a variety of Web Parts, lists, and search features that access external data sources. With SSO, all of these data sources can be accessed securely by using a single sign-on.

The Business Data Catalog relies on application definitions to translate the data types and fields of data sources into metadata that is useful in sites and applications that use Office SharePoint Server 2007. The SSP administrator for the Business Data Catalog, or a Web designer, authors the XML file for the application definition, which includes authentication information and the business data types and fields in the planned business data schema. The SSP administrator then imports the application definitions to the Business Data Catalog. This data can then be viewed and analyzed in SharePoint sites to improve business data collaboration and business intelligence.

To use SSO for applications in the Business Data Catalog, the farm administrator must configure SSO on the server farm. Then, the farm administrator must create enterprise application definitions for each line-of-business application that match the separate application definitions already imported into the Business Data Catalog. By the end of server farm configuration of SSO, enterprise application definitions should exist for all of the line-of-business applications in the Business Data Catalog. The administrator of the Business Data Catalog should work closely with farm administrators to ensure that the necessary application definitions are created. For more information on the configuration of SSO on the server farm, see Configure single sign-on.

After SSO is configured on the server farm and enterprise application definitions have been created for the line-of-business applications that will be added to the Business Data Catalog, the administrator of the Business Data Catalog imports the application definitions to the Business Data Catalog. Then, you can import the business data types and fields for those applications. For more information about importing application definitions, see Register business applications in the Business Data Catalog. For more information about managing single sign-on, see Central Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx).
During planning for your deployment, you considered these trade-offs, and identified the data that you want to copy to a data warehouse. To copy data from a line-of-business application to a data warehouse, follow the procedures for copying the data relevant to the particular application. When you configure the connections to business applications, use the location of the business data warehouse instead of the line-of-business application. When configuring business data actions that are intended to update the underlying data, you will have to separately configure access to the business data application.
5. Click Save.
See Also
Register business applications in the Business Data Catalog
Customize business data lists, Web Parts, and sites
Configure business data search
Plan for business intelligence (http://technet.microsoft.com/en-us/library/cc262935.aspx)
Before you can use data from any line-of-business application in Microsoft Office SharePoint Server 2007, you must register that information in the Business Data Catalog. The Business Data Catalog is the service that manages connections among line-of-business applications and the SharePoint lists, Web Parts, and sites that use data from those applications.

To register line-of-business applications in the Business Data Catalog, you should:
- Create application definitions for each application or database in your organization. Application definitions contain connection settings, authentication mode, and definitions for the business data types and properties imported for a particular application.
- Import application definitions to the Business Data Catalog.
- Configure single sign-on (SSO) enterprise application definitions for applications that will be using SSO.
- Configure business data types and the fields for each business data type.
After completing these steps for each line-of-business application in your organization, you can then use the data from applications in SharePoint lists, Web Parts, and business data-enabled sites such as business dashboards and the Report Center site. Data can also be imported for use in user profiles or used in enterprise search to find business data.
Application definitions are XML files that are authored by Business Data Catalog administrators or Web designers who understand the business data schema established in the plan for business data. During deployment, an application definition is created for each line-of-business application. For each application, the business data types (also known as entities) and properties for each entity are defined within the application definition file according to the schema. The application definition files can be imported into the Business Data Catalog, and can be exported as a backup for disaster recovery scenarios. For more information about authoring application definitions, see the Microsoft Office SharePoint Server 2007 Software Development Kit (SDK).
5. Click Import.
Use the following procedure to create an application definition.

Create an application definition
1. In Central Administration, on the top navigation bar, click Operations.
2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.
3. On the Manage Settings for Single Sign-On page, click Manage settings for enterprise application definitions.
4. On the Manage Enterprise Application Definitions page, click New Item.
5. On the Create Enterprise Application Definition page, in the Application and Contact Information section, in the Display name box, type the name that is displayed to users.
6. In the Application name box, type the name that Web Parts use to refer to the enterprise application definition. Single sign-on components use the application name to specify which enterprise application definition to use. This name should match the name used in the application definition in the Business Data Catalog.
7. In the Contact e-mail address box, type the e-mail address that users can contact for the enterprise application.
8. In the Account type section, select one of the following:
a. Group. Select this option if users will connect to the enterprise application through a group account. If you select this option, you need to configure account information for the application definition.
b. Individual. Select this option if each user has an account in the application definition.
c. Group using restricted account. Select this option if users will connect to the enterprise application through a group that uses a restricted account. If you select this option, credentials are stored separately from regular credentials and a different API is used to access the credentials. Select this option only when all of the following is true:
- The account is a group account.
- An intermediary application such as the Business Data Catalog imposes further security restrictions.
- The data is highly sensitive.
9. In the Authentication type section, select the Windows authentication check box.
Warning: If Windows authentication is not used, the logon credentials are not encrypted.
10. In the Logon Account Information section, configure each of the Field boxes for soliciting required logon information from users. Selecting Yes for Mask hides the text typed by the user. This helps to keep sensitive information such as passwords secret.
11. Click OK.
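Step 6 of the procedure above requires the enterprise application definition's Application name to match the name used in the Business Data Catalog application definition, and the surrounding text says the XML application definition carries the authentication information. The following added example (not code from the guide, from the SDK or from Office SharePoint Server) parses a constructed application definition and checks that every instance that authenticates through SSO refers to an enterprise application definition that actually exists. The element names LobSystem, LobSystemInstance and Entity, the namespace URI, the property names AuthenticationMode and SsoApplicationId, and the set of modes treated as SSO-backed are my recollection of the 2007 Business Data Catalog metadata schema and should be treated as assumptions; consult the SDK the page cites for the authoritative schema.

```python
"""Cross-check a Business Data Catalog application definition against the
enterprise application definitions configured for single sign-on.

Constructed example: the XML below is invented sample data, and the schema
details (element names, namespace, property names) are assumptions."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

BDC_NS = "http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"  # assumed
NS = {"b": BDC_NS}

# Assumed: authentication modes whose credentials come from the SSO store.
SSO_MODES: Set[str] = {"Credentials", "WindowsCredentials"}

# Constructed sample application definition for a fictitious orders database.
SAMPLE_APP_DEF = """<LobSystem xmlns="http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"
           Type="Database" Version="1.0.0.0" Name="ContosoOrders">
  <LobSystemInstances>
    <LobSystemInstance Name="ContosoOrdersInstance">
      <Properties>
        <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
        <Property Name="AuthenticationMode" Type="System.String">Credentials</Property>
        <Property Name="SsoApplicationId" Type="System.String">ContosoOrdersSSO</Property>
      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>
  <Entities>
    <Entity Name="Customer" EstimatedInstanceCount="10000">
      <Properties>
        <Property Name="Title" Type="System.String">CustomerName</Property>
      </Properties>
    </Entity>
    <Entity Name="Order" />
  </Entities>
</LobSystem>"""


def parse_app_definition(xml_text: str) -> Dict:
    """Extract the application name, its instances (with their properties)
    and the entity names from an application definition document."""
    root = ET.fromstring(xml_text)
    instances = []
    for inst in root.findall("b:LobSystemInstances/b:LobSystemInstance", NS):
        props = {p.get("Name"): (p.text or "").strip()
                 for p in inst.findall("b:Properties/b:Property", NS)}
        instances.append({"name": inst.get("Name"), "properties": props})
    entities = [e.get("Name") for e in root.findall("b:Entities/b:Entity", NS)]
    return {"name": root.get("Name"), "instances": instances, "entities": entities}


def check_sso_mapping(app_def: Dict, enterprise_app_names: Set[str]) -> List[str]:
    """Return one message per instance whose SSO reference is missing or does
    not match any enterprise application definition name the farm
    administrator created (the name typed in step 6 of the procedure)."""
    problems: List[str] = []
    for inst in app_def["instances"]:
        mode = inst["properties"].get("AuthenticationMode", "")
        if mode not in SSO_MODES:
            continue  # PassThrough / RevertToSelf style modes do not use the SSO store
        sso_id = inst["properties"].get("SsoApplicationId", "")
        if not sso_id:
            problems.append(f"{inst['name']}: AuthenticationMode {mode} but no SsoApplicationId")
        elif sso_id not in enterprise_app_names:
            problems.append(f"{inst['name']}: SsoApplicationId {sso_id!r} has no "
                            f"matching enterprise application definition")
    return problems


if __name__ == "__main__":
    definition = parse_app_definition(SAMPLE_APP_DEF)
    print(definition["name"], definition["entities"])
    # Constructed list of enterprise application definition names on the farm.
    print(check_sso_mapping(definition, {"ContosoOrdersSSO", "PayrollSSO"}))
```

Running this before the import in the Business Data Catalog catches the mismatch at the point where it is cheapest to fix; an instance whose SSO reference points nowhere fails only when a user first opens a list or Web Part backed by that application.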
Administrators for the Business Data Catalog should work closely with farm administrators to ensure that the necessary application definitions are created that correspond to the configuration plans for the Business Data Catalog.
To add or edit fields for existing business data types or to import new business data types, you must edit the application definition file.
Users.
10. On the Modify Permissions page, in the Choose Permissions section, select the permissions that you want for the user or group.
11. Click OK.
12. To copy permissions for an application to all entities for that application, or to copy permissions for an entity to all child entities, click Copy all permissions to descendants, and click OK in the dialog box that appears.

For more information about Business Data Catalog permissions, see Configure access to business data.
d. Note: Properties assigned to parameters are sent to the target URL and can be processed by business data Web Parts on that page, such as filter Web Parts.
7. In the Icon section, to use a standard icon, select Standard icon, and then click the standard icon that is relevant for this action.
8. To use a custom icon, in the Icon section, select The image at this URL, and then type the URL of the image.
9. Click OK.
After configuring access to business data and registering applications in the Business Data Catalog, business data is available for use in lists, Web Parts, and sites in your deployment. The initial creation and customization of lists, Web Parts, and sites is performed by site administrators, designers, and contributors. While these tasks are daily operations for different users, and not the responsibility of IT professionals, it is important to set up key lists, Web Parts, and sites as part of an initial deployment of Microsoft Office SharePoint Server 2007.

The relevant customization tasks during deployment include:
- Creating SharePoint lists that use business data that can be used by business data Web Parts and sites that use business data.
- Creating key performance indicators (KPIs) based on business data lists, other SharePoint lists, Excel workbooks, or data sources made available in data connection libraries.
- Creating reports and adding KPI lists and business data lists to the Reports Library of the Report Center site or any site that uses the Report Center template.
- Creating and configuring dashboard sites in the Report Center site.
- Creating additional Report Center sites and other sites that use business data.
3. On the list page, on the Settings menu, click Create Column.
4. On the Create Column page, in the Name and Type section, type a name and then select the Business data check box.
5. In the Additional Column Settings section, select the business data type and field that contains the data you want to add to the list.
6. To display the action menu for the selected business data type, click Display the actions menu.
7. To link the column to the business data profile for the type, click Link this column to the profile page.
8. Click OK.

You can add as many business data columns as you want. For more information about business data lists, see the User's Guide.
open a list of dashboards in the Reports Library page of the Report Center site.
3. On the Reports Library page, click the New menu, and then click Dashboard Page.
4. On the New Dashboard page, in the Page Name section, provide a name, title, and description for the dashboard site.
5. In the Key Performance Indicator section, select Allow me to select an existing KPI later.
Note: Alternatively, you can select Create a KPI list for me automatically, and then configure the KPI list later.
6. Click OK.
7. On the Dashboard page, in the Site Actions menu, click Edit Page.
8. For the Web Part Page zone in which you want to add a Web Part, click Add a Web Part.
9. On the Add Web Parts Web page, in the Suggested Web Parts section, select the check box for the type of Web Part you want to add, and then click Add.
10. To configure the Web Part, click the Edit menu, and then click Modify Shared Web Part.

For more information about the configuration options for Business Data Web Parts, see Plan business data Web Parts (http://technet.microsoft.com/en-us/library/cc261941.aspx).

Use the following procedure to configure filter Web Parts.

Configure filter Web Parts
1. On the Add Web Parts Web page, select the check box for the filter Web Part that you want to add, and then click Add.
2. On the filter Web Part, click Edit, point to Connections, and then select the Web Part to connect to the filter.

For more information about the configuration options for filter Web Parts, see Plan dashboards and filters (http://technet.microsoft.com/en-us/library/cc262682.aspx). For more information about configuring Excel Web Access Web Parts, see Chapter overview: Configure Excel Services.
See Also
B. Configure business intelligence features
Plan business data lists (http://technet.microsoft.com/en-us/library/cc261850.aspx)
Plan business data Web Parts (http://technet.microsoft.com/en-us/library/cc261941.aspx)
Plan key performance indicators (http://technet.microsoft.com/en-us/library/cc263321.aspx)
Plan reports (http://technet.microsoft.com/en-us/library/cc263506.aspx)
Plan business data actions (http://technet.microsoft.com/en-us/library/cc262684.aspx)
Plan dashboards and filters (http://technet.microsoft.com/en-us/library/cc262682.aspx)
Administrators of the search service and administrators of individual site collections must configure several options before business data is available in search results. To make business data available for search, you should:
Ensure that the data you want users to find is available in the Business Data Catalog, and ensure that users have the intended permissions.
Configure and crawl business data content sources.
Configure and customize query options for business data.
Most of these tasks are performed by the administrator of the search shared service or by the administrator of the Business Data Catalog. Some tasks are performed by site collection administrators. Both shared services administrators and site collection administrators will help plan search for business data.
line-of-business application, you must use the location of the copied data in the start address for the business data content source. Use the following procedure to configure business data content sources.
Configure business data content sources
1. Create one or more content sources for the data in line-of-business applications, using one start address per application. Use a start address that respects your security configuration.
2. To use a crawling account other than the default content access account to crawl a particular business data start address, create a crawl rule for that start address. All content sources that include that start address will use that account.
3. To change how a particular start address is crawled, configure a crawl rule for that start address.
4. Crawl all business data content sources.
5. Some properties for business data might appear as crawled properties in the search schema. Based on search schema planning, select relevant properties in the Configure Search section of the Business Data Catalog and map them to managed properties for search. These properties will be available for use during search queries.
6. Crawl the content sources again to complete the mapping of managed properties.
See Also
Configure access to business data
Register business applications in the Business Data Catalog
8. In the External Data section, select the type of data connections that you will allow workbooks in this trusted file location to contain, and then click OK.
In the External Data section, you can determine whether workbooks stored in trusted file locations and opened in Excel Calculation Services sessions can access an external data source. You can designate whether Allow External Data is set to None, Trusted data connection libraries only, or Trusted data connection libraries and embedded. If you select either Trusted data connection libraries only or Trusted data connection libraries and embedded, the workbooks stored in the trusted file locations are allowed to access external data sources. External data connections can be accessed only when they are embedded in or linked from a workbook. Excel Calculation Services checks the list of trusted file locations before opening a workbook. If you select None, Excel Calculation Services will block any attempt to access an external data source. If you manage data connections for a large number of workbook authors, you might want to select Trusted data connection libraries only.
For information about how to perform this procedure using the Stsadm command-line tool, see Add-ecsfiletrustedlocation (http://technet.microsoft.com/en-us/library/cc262818.aspx).
See Also
Add a trusted data connection library
For information about how to perform this procedure using the Stsadm command-line tool, see Add-ecssafedataprovider (http://technet.microsoft.com/en-us/library/cc263293.aspx).
6. On the Excel Services Trusted Data Connection Libraries page, click Add Trusted Data Connection Library.
7. Type the address of the data connection library that you want to configure as a trusted data connection library, and then click OK.
For information about how to perform this procedure by using the Stsadm command-line tool, see Add-ecstrusteddataconnectionlibrary (http://technet.microsoft.com/en-us/library/cc261726.aspx).
See Also
Add a trusted file location
Excel Calculation Services application server (a local path), or to a network share (a UNC path).
c. Ensure that the Enable Assembly check box is selected, and then click OK.
For information about how to perform this procedure using the Stsadm command-line tool, see Add-ecsuserdefinedfunction (http://technet.microsoft.com/en-us/library/cc262904.aspx).
a. In the Default data connection timeout box, enter the time in milliseconds that will elapse before a data connection times out. The default timeout is 10000 milliseconds. You can override this setting with code within a form template that specifies the data connection timeout value.
b. In the Maximum data connection timeout box, enter the maximum time in milliseconds that will elapse before a data connection times out. The default timeout is 20000 milliseconds. This is an absolute setting, and it overrides any data connection timeout values specified within form template code.
6. In the Data Connection Response Size section, type a value in kilobytes in the box to specify the maximum size of responses that data connections are allowed to process. Data connection responses that exceed this value will generate an error message.
7. In the HTTP data connections section, select the Require SSL for HTTP authentication to data sources box to require an SSL-encrypted connection for data connections that use Basic authentication or Digest authentication. You must have configured Secure Sockets Layer (SSL) properly in order for this setting to function.
8. In the Embedded SQL Authentication section, select the Allow embedded SQL authentication box to allow forms to use embedded SQL credentials. Forms that connect to databases may embed SQL user name and password data in the connection string. The connection string can be read in plaintext in the universal data connection file associated with the solution, or in the solution manifest.
9. In the Authentication to data sources (user form templates) section, select the Allow user form templates to use authentication information contained in data connection files box to allow user form templates to use embedded authentication information such as an explicit user name and password or a Microsoft Single Sign-On application ID.
10. In the Cross-Domain Access for User Form Templates section, select the Allow cross-domain data access for user form templates that use connection settings in a data connection file box to allow user form templates to access data from another domain.
11. In the Thresholds section, specify the thresholds at which to end user sessions and log error messages. Form operations that exceed these thresholds will terminate the user session, resulting in the loss of all form data entered during the session, and generate an error message.
a. In the Number of postbacks per form session state box, type the maximum number of postbacks you want to allow. The default value is 75.
b. In the Number of actions per postback box, type the maximum number of actions per postback you want to allow. The default value is 200.
12. Before you configure form session state, you should read Configure session state for InfoPath Forms Services. Correct configuration of form session state requires that you understand how session state is configured for Office SharePoint Server, and it can dramatically affect the behavior of InfoPath Forms Services operations and system performance. Form session state stores data necessary to maintain a user session. File attachment data in the form will receive an additional 50 percent of session state space.
Note: The default parameters should work for most scenarios. If you change the default settings, verify that form-filling sessions are working properly.
13. In the Form Session State section, configure the following parameters:
a. In the Active sessions should be terminated after text box, type the maximum session duration in minutes. Form-filling sessions that exceed this value will terminate, an error message will be generated, and all form data entered during the session will be lost. The default value is 1440 minutes.
b. In the Maximum size of form session state text box, type the maximum session state size in kilobytes. Form-filling sessions that exceed this value will terminate, an error message will be generated, and all form data entered during the session will be lost. The default value is 4096 kilobytes.
c. In the Select the location to use for storing form session state section, choose from the following options:
Choose this option | To do this
Session State Service (best for low-bandwidth users) | Store session state data on the computer running Microsoft SQL Server.
Form view (reduces database load on server) | Store session state data on the client computer. If form session state is larger than the value specified in the associated text box, the Session State Service will be used instead.
d. In the associated text box, type the session state size in kilobytes at which form view will be automatically transitioned to the Session State Service. Once this threshold is reached, session state data will be saved to the SQL Server database, and the session will continue to use the Session State Service. The default value is 40 kilobytes.
14. Click OK to save your settings.
See Also
Configure session state for InfoPath Forms Services
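Step 8 of the procedure above notes that a form's SQL user name and password can sit in plaintext in the universal data connection (.udcx) file. The following PowerShell script is an added example, not part of this guide or of InfoPath Forms Services: it scans a folder of .udcx files for connection strings that carry a Password or Pwd key and reports the login they expose, so an administrator can see what Allow embedded SQL authentication would permit before selecting it. The sample .udcx file is constructed for the example in the shape of a UDC v2 file, and the folder path is a placeholder for a copy of your data connection library.

```powershell
# Added example (not from the guide): find .udcx files that embed SQL credentials.
# The folder is a placeholder for an exported copy of a data connection library.
$libraryPath = Join-Path $env:TEMP "udc-sample"
New-Item -ItemType Directory -Path $libraryPath -Force | Out-Null

# Constructed sample file: a UDC v2 connection with the login in the connection string.
@'
<?xml version="1.0" encoding="UTF-8"?>
<udc:DataSource MajorVersion="2" MinorVersion="0" xmlns:udc="http://schemas.microsoft.com/office/infopath/2006/udc">
  <udc:Name>Orders</udc:Name>
  <udc:Type Type="Database" MajorVersion="2" MinorVersion="0"/>
  <udc:ConnectionInfo Purpose="ReadOnly">
    <udc:ConnectionString>Provider=SQLOLEDB;Data Source=sql01;Initial Catalog=Orders;User ID=formsvc;Password=example-only</udc:ConnectionString>
  </udc:ConnectionInfo>
</udc:DataSource>
'@ | Set-Content -Path (Join-Path $libraryPath "Orders.udcx")

function Test-UdcEmbeddedCredentials {
    param([string]$Path)
    [xml]$doc = Get-Content -Path $Path
    # ConnectionString elements, whatever namespace prefix the file uses.
    $nodes = $doc.SelectNodes("//*[local-name()='ConnectionString']")
    foreach ($node in $nodes) {
        $cs = $node.InnerText
        # A Password or Pwd key means the login is readable by anyone who can open the file.
        if ($cs -match '(?i)(^|;)\s*(password|pwd)\s*=') {
            $user = "(unknown)"
            if ($cs -match '(?i)(user id|uid)\s*=\s*([^;]+)') { $user = $Matches[2] }
            New-Object PSObject -Property @{ File = $Path; User = $user }
        }
    }
}

Get-ChildItem -Path $libraryPath -Filter *.udcx -Recurse |
    ForEach-Object { Test-UdcEmbeddedCredentials -Path $_.FullName } |
    Format-Table File, User -AutoSize
```

Run it against a folder that holds a copy of the data connection library. Every file it lists is one whose database login is exposed to anyone who can read the file; the alternatives the procedure itself offers are to leave Allow embedded SQL authentication cleared, or to point the connection at a Microsoft Single Sign-On application ID (step 9) so that no password is stored in the file.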
InfoPath Forms Services uses session state to store the large amount of transient data generated while filling out a form. As a result, front-end Web servers can remain stateless between round trips, and each postback is not burdened with carrying large amounts of session state information over narrow bandwidth pipes. Other methods of state management, such as in process, are not supported for farms with multiple front-end Web servers. Session state can only be used with Web applications that are associated with a Shared Services Provider (SSP). For more information about SSPs, see Plan Shared Services Providers (http://technet.microsoft.com/en-us/library/cc263276.aspx).
Note: In order for the session state database to be properly maintained, the SQL Agent must be turned on for the instance of Microsoft SQL Server where session data is stored. If the SQL Agent is not turned on, expired sessions are not automatically expunged from the session table and may eventually pose a storage problem.
Note: If you are deploying Microsoft Office SharePoint Server 2007 with Microsoft SQL Server 2005 Express Edition, such as in a single-server deployment, expired sessions must be expunged manually. SQL Server 2005 Express Edition does not include the SQL Agent, and it cannot run automated stored procedures.
configure InfoPath Forms Services to use the Session State service, all browser sessions are maintained on the SQL Server database, which uses little network bandwidth, but has a cumulative performance impact on the computer running SQL Server. When you are using Form view, sessions are maintained on the client browser, and all session data is included in each postback to the server, up to 40 KB of session data. This approach uses more bandwidth than using session state does, but it does not affect the performance of the computer running SQL Server. Once session data reaches 40 KB in size, the session automatically transitions to session-state management.
We recommend the use of Form view in environments with smaller groups of users, because it reduces the impact on the computer running SQL Server. If your InfoPath Forms Services deployment will have many users, particularly if session data is below 40 KB for many high-usage form templates, session state is likely a better choice. If Form view is used, the bandwidth used by browser sessions of 40 KB or fewer can be monitored if there is a concern that network performance might be adversely affected.
See Also
Manage session state for Microsoft Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc263527.aspx)
Configure InfoPath Forms Services for Office SharePoint Server
you to control whether documents are scanned on upload or on download, and whether users can download infected documents. You can also specify how long you want the antivirus program to run before it times out, and you can specify how many execution threads the antivirus program can use on the server. For more information, see Configure antivirus settings.
You can use the following procedure to configure optional administrative settings using SharePoint Central Administration.
Configure administrative settings using SharePoint Central Administration
1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
2. On the SharePoint Central Administration home page, under Administrative Tasks, click the administrative task that you want to perform.
3. On the Administrative Tasks page, next to Action, click the task.
Use this procedure to configure the incoming e-mail settings for Microsoft Office SharePoint Server 2007. The features of Office SharePoint Server 2007 that use incoming e-mail are not available until these settings are configured.
Before you configure incoming e-mail settings in Office SharePoint Server 2007, confirm that:
You have read the topic Plan incoming e-mail (http://technet.microsoft.com/en-us/library/cc263260.aspx).
One or more servers in your server farm are running the Internet Information Services (IIS) Simple Mail Transfer Protocol (SMTP) service, or you know the name of another server that is running the SMTP service. This server must be configured to accept relayed e-mail from the mail server for the domain.
One or more servers in your server farm are running the Microsoft SharePoint Directory Management Service, or you know the name of another server that is running the SharePoint Directory Management Web Service.
The application pool account for the SharePoint Central Administration Web site has the Create, delete, and manage user accounts right to the container in the Active Directory directory service.
The application pool account for Central Administration, the logon account for the Windows SharePoint Services Timer service, and the application pool accounts for your Web applications have the correct permissions to the e-mail drop folder.
The domain controller running Active Directory has a Mail Exchanger (MX) entry in DNS Manager for the mail server that you plan to use for incoming e-mail.
Note: All of these configuration steps are described in detail in the following sections.
4. In the Application Server dialog box, in the Subcomponents of Application Server box, click Internet Information Services (IIS), and then click the Details button.
5. In the Internet Information Services (IIS) dialog box, select the SMTP Service check box.
6. Click OK to return to the Application Server dialog box.
7. Click OK to return to the main page of the Windows Components Wizard.
8. Click Next.
9. When Windows has finished installing the SMTP service, on the Completing the Windows Components Wizard page, click Finish.
10. Click OK to close the Relay Restrictions dialog box.
11. Click OK to close the Properties dialog box.
Create an organizational unit in Active Directory
1. Click Start, point to Control Panel, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, right-click the folder for the second-level domain that contains your server farm, point to New, and then click Organizational Unit.
3. Type the name of the organizational unit, and then click OK.
After creating the organizational unit, we recommend that you delegate the Create, delete, and manage user accounts right to the container.
Important: Membership in the Domain Administrators group or the Enterprise Administrators group in Active Directory, or delegated authority for administration, is required to complete this procedure.
Delegate right to the application pool account
1. In Active Directory Users and Computers, find the organizational unit that you just created.
2. Right-click the organizational unit, and then click Delegate control.
3. On the Welcome page of the Delegation of Control Wizard, click Next.
4. On the Users and Groups page, click Add, and then type the name of the application pool identity account that the Web application uses.
5. In the Select Users, Computers, and Groups dialog box, click OK.
6. On the Users or Groups page of the Delegation of Control Wizard, click Next.
7. On the Tasks to Delegate page of the Delegation of Control Wizard, select the Create, delete, and manage user accounts check box, and then click Next.
8. On the last page of the Delegation of Control Wizard, click Finish to exit the wizard.
If you must add permissions for the application pool identity account directly, complete the following procedure.
Important: Membership in the Account Operators group, Domain Administrators group, or the Enterprise Administrators group in Active Directory, or delegated authority for administration, is required to complete this procedure.
Add permissions for the application pool account
1. In Active Directory Users and Computers, click the View menu, and then click Advanced Features.
2. Right-click the organizational unit that you just created, and then click Properties.
3. In the Properties dialog box, click the Security tab, and then click Advanced.
4. Click Add, and then type the name of the application pool identity account for the Web application.
5. Click OK.
6. In the Permission Entries section, double-click the application pool identity account.
7. In the Permissions section, under Allow, select the Modify permissions check box.
8. Click OK to close the Permissions dialog box.
9. Click OK to close the Properties dialog box.
10. Click OK to close the Active Directory Users and Computers plug-in.
If you decide instead to use the remote Microsoft SharePoint Directory Management Service, you must know the URL for the Web service. This URL is typically in the following format: http://server:adminport/_vti_bin/SharePointEmailWS.asmx.
To delegate full control of the organizational unit to the Central Administration application pool account
Important: Membership in the Domain Administrators group or the Enterprise Administrators group in Active Directory, or delegated authority for administration, is required to complete this procedure.
Delegate full control of the organizational unit to the Central Administration application pool account
1. Right-click the organizational unit, and then click Delegate control.
2. In the Delegation of Control wizard, click Next.
3. Click Add, and then type the name of the application pool account for Central Administration.
4. Click OK.
5. Click Next.
6. On the Tasks to Delegate page of the Delegation of Control wizard, select Create a custom task to delegate, and then click Next.
7. Select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
8. In the Permissions section, select Create all Child Objects and Delete all Child Objects.
9. Click Next.
10. On the last page of the Delegation of Control wizard, click Finish to exit the wizard.
Delegating full control of the organizational unit to the Central Administration application pool account enables administrators to enable e-mail for a list. Administrators cannot disable e-mail for the list or document library after delegating full control because the Central Administration account tries to delete the contact from the entire organizational unit rather than deleting the contact from the list.
To add the Delete Subtree permission for the Central Administration application pool account
To enable administrators to disable incoming e-mail on a list, you must add the Delete Subtree permission for the Central Administration application pool account.
Important: Membership in the Account Operators group, Domain Administrators group, or the Enterprise Administrators group in Active Directory, or delegated authority for administration, is required to complete this procedure.
Add the Delete Subtree permission for the Central Administration application pool account
1. In Active Directory Users and Computers, click the View menu, and then click Advanced Features.
2. Right-click the organizational unit, and then click Properties.
3. In the Properties dialog box, click the Security tab, and then click Advanced.
4. In the Permission Entries section, double-click the Central Administration application pool account.
5. In the Permissions section, under Allow, select Delete Subtree.
6. Click OK to close the Permissions dialog box.
7. Click OK to close the Properties dialog box.
8. Click OK to close the Active Directory Users and Computers plug-in.
After adding the permission, you must restart Internet Information Services (IIS) for the farm. For more information about Active Directory, see the Help documentation for Active Directory.
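The two delegation procedures above grant Create all Child Objects, Delete all Child Objects and Delete Subtree on the organizational unit, and the text explains why the last one matters: without it, enabling e-mail for a list works but disabling it fails. The following PowerShell script is an added example, not part of this guide: it reads the organizational unit's access control list through ADSI and reports which of those three rights the Central Administration application pool account actually holds, so the delegation can be verified after the wizard (or after a later change to the OU) without opening it again. The OU distinguished name and the account name are placeholders.

```powershell
# Added example (not from the guide): verify the rights delegated on the contacts OU.
# Placeholders: replace the OU distinguished name and the account with your own values.
$ouDn    = "OU=SharePointContacts,DC=contoso,DC=com"   # placeholder OU
$account = "CONTOSO\svc_spcentraladmin"                 # placeholder Central Administration app pool account

# Rights the delegation procedures grant, and why each one matters.
$required = @{
    "CreateChild" = "Create all Child Objects: needed to create the contact when e-mail is enabled for a list"
    "DeleteChild" = "Delete all Child Objects: needed to remove that contact again"
    "DeleteTree"  = "Delete Subtree: without it administrators cannot disable incoming e-mail on a list"
}

function Get-OuRightsForAccount {
    param([string]$DistinguishedName, [string]$Account)
    $ou = [ADSI]("LDAP://" + $DistinguishedName)
    # Explicit and inherited ACEs, identities translated to DOMAIN\name form.
    $rules = $ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $rights = 0
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            $rule.IdentityReference.Value -eq $Account) {
            # OR the Allow entries together; GenericAll (Full Control) covers all three bits.
            $rights = $rights -bor [int]$rule.ActiveDirectoryRights
        }
    }
    return $rights
}

$held = Get-OuRightsForAccount -DistinguishedName $ouDn -Account $account
foreach ($name in $required.Keys) {
    $flag = [int][System.DirectoryServices.ActiveDirectoryRights]$name
    if (($held -band $flag) -eq $flag) {
        "OK       $name"
    } else {
        "MISSING  $name - $($required[$name])"
    }
}
```

Two limits are worth knowing when reading the output. The check does not look at each ACE's ObjectType, so a Create all Child Objects entry that was scoped to one object class would count the same as the unscoped entry the wizard's custom task creates; and it matches only entries that name the account itself, so rights the account receives through group membership will show as MISSING and need to be checked on the group.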
Configure e-mail drop folder permissions for the logon account for the Windows SharePoint Services Timer service
Ensure that the logon account for the Windows SharePoint Services Timer service has the Modify permission on the e-mail drop folder. If the logon account for the service does not have the Modify permission, e-mail enabled document libraries will receive duplicate e-mail messages.
Important: Membership in the Administrators group on the local computer that contains the e-mail drop folder is required to complete this procedure.
Configure e-mail drop folder permissions
1. In Windows Explorer, right-click the drop folder, click Properties, and then click the Security tab.
2. On the Security tab, under the Group or user names box, click the Add button.
3. In the Select Users, Computers, or Groups dialog box, in the Enter objects to select box, type the name of the logon account for the Windows SharePoint Services Timer service, and then click OK.
Note: This account is listed on the Log On tab of the Properties dialog box for the service in the Services console.
4. In the Permissions for User or Group box, next to Modify, select the Allow check box.
5. Click OK.
Configure e-mail drop folder permissions for the application pool account for a Web application
If your deployment uses different application pool accounts for Central Administration and one or more Web applications for front-end Web servers, each application account must have permissions to the e-mail drop folder. If the application pool account for the Web application does not have the required permissions, e-mail will not be delivered to document libraries on that Web application. In most cases, when you configure incoming e-mail settings and select an e-mail drop folder, permissions are added for two worker process groups:
WSS_Admin_WPG, which includes the application pool account for Central Administration and the logon account for the Windows SharePoint Services Timer service, has Full Control permission.
WSS_WPG, which includes the application pool accounts for Web applications, has Read & Execute, List Folder Contents, and Read permissions.
In some cases, these groups might not be configured automatically for the e-mail drop folder. For example, if Central Administration is running as the Network Service account, the groups or accounts needed for incoming e-mail will not be added when the e-mail drop folder is created. It is a good idea to check whether these groups have been added automatically to the e-mail drop folder. If the groups have not been added automatically, you can add them or add the specific accounts that are required.
Important: Membership in the Administrators group on the local computer that contains the e-mail drop folder is required to complete this procedure.
Configure e-mail drop folder permissions
1. In Windows Explorer, right-click the drop folder, click Properties, and then click the Security tab.
2. On the Security tab, under the Group or user names box, click the Add button.
3. In the Select Users, Computers, or Groups dialog box, in the Enter objects to select box, type the name of the worker process group or application pool account for the Web application, and then click OK.
Note: This account is listed on the Identity tab of the Properties dialog box for the application pool in IIS.
4. In the Permissions for User or Group box, next to Modify, select the Allow check box.
5. Click OK.
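The text above says it is a good idea to check whether WSS_Admin_WPG and WSS_WPG were added to the drop folder, since they are skipped when Central Administration runs as Network Service. The following PowerShell script is an added example, not part of this guide: it reads the folder's NTFS ACL with Get-Acl and reports, for each principal the guide names, whether the Allow entries for that principal add up to the rights the guide expects (Full Control for WSS_Admin_WPG, Read & Execute for WSS_WPG). The drop folder path is a placeholder; the script is a check only and changes nothing.

```powershell
# Added example (not from the guide): check the principals the guide names on the drop folder.
$dropFolder = "C:\inetpub\mailroot\Drop"   # placeholder: the folder the SMTP service delivers into

# Expected entries from the guide. When the groups were not created automatically, the
# specific accounts (Timer service logon account, Web application pool account) can be
# added here with Rights = "Modify".
$expected = @(
    @{ Name = "WSS_Admin_WPG"; Rights = "FullControl"    },
    @{ Name = "WSS_WPG";       Rights = "ReadAndExecute" }
)

function Test-DropFolderRights {
    param([string]$Path, [object[]]$Expected)
    $acl = Get-Acl -Path $Path
    foreach ($e in $Expected) {
        $want = [int][System.Security.AccessControl.FileSystemRights]$e.Rights
        $have = 0
        foreach ($ace in $acl.Access) {
            # Local groups appear as MACHINE\WSS_WPG, so match on the trailing name as well.
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq "Allow" -and ($id -eq $e.Name -or $id -like "*\$($e.Name)")) {
                $have = $have -bor [int]$ace.FileSystemRights
            }
        }
        New-Object PSObject -Property @{
            Principal = $e.Name
            Expected  = $e.Rights
            Granted   = (($have -band $want) -eq $want)
        }
    }
}

Test-DropFolderRights -Path $dropFolder -Expected $expected | Format-Table Principal, Expected, Granted -AutoSize
```

A Granted value of False for either group is the case the text describes, and the procedure that follows is the fix. Because the script sums only entries that name the principal directly, an account that receives Modify through WSS_Admin_WPG membership will read as False if you add it to `$expected`; treat that as a prompt to check the group's membership rather than as a missing permission.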
subdomain for Office SharePoint Server 2007.
2. Right-click the zone, and then click New Mail Exchanger.
3. In the Host or domain text box, type the host or subdomain name for Office SharePoint Server 2007.
4. In the Fully qualified domain name (FQDN) of mail server text box, type the fully qualified domain name for the server that is running Office SharePoint Server 2007. This is typically in the format subdomain.domain.com.
5. Click OK.
OU=ContainerName, DC=domain, DC=com, where ContainerName is the name of the organizational unit in Active Directory, domain is the second-level domain, and com is the top-level domain.
Note: The Central Administration application pool account must be delegated the Create, delete, and manage user accounts task for the container. Access is configured in the properties for the organizational unit in Active Directory.
b. In the SMTP mail server for incoming mail box, type the name of the SMTP mail server. The server name must match the fully qualified domain name in the MX entry for the mail server in DNS Manager.
c. To accept only messages from authenticated users, click Yes for Accept messages from authenticated users only. Otherwise, click No.
d. To allow creation of distribution groups from SharePoint sites, click Yes for Allow creation of distribution groups from SharePoint sites. Otherwise, click No.
e. Under Distribution group request approval settings, select the actions that will require approval. Actions include the following:
Create new distribution group
Change distribution group e-mail address
Change distribution group title and description
Delete distribution group
6. If you want to use a remote SharePoint Directory Management Web Service, select Use remote.
a. In the Directory Management Service URL box, type the URL of the Microsoft SharePoint Directory Management Service that you want to use.
b. In the SMTP mail server for incoming mail box, type the name of the SMTP mail server. The server name must match the fully qualified domain name in the MX entry for the mail server in DNS Manager on the domain server.
c. To accept messages from authenticated users only, click Yes for Accept messages from authenticated users only. Otherwise, click No.
d. To allow creation of distribution groups from SharePoint sites, click Yes for Allow creation of distribution groups from SharePoint sites. Otherwise, click No.
7. If you do not want to use the Microsoft SharePoint Directory Management Service, click No.
8. In the Incoming E-Mail Server Display Address section, type a display name for the e-mail server (for example, mail.fabrikam.com) in the E-mail server display address box.
Tip: You can specify the e-mail server address that is displayed when users create an incoming e-mail address for a list or group. Use this setting together with the Microsoft SharePoint Directory Management Service to provide an e-mail server address that is more user-friendly.
9. In the Safe E-Mail Servers section, select one of the following options:
Accept mail from all e-mail servers
Accept mail from these safe e-mail servers. If you select this option, type the IP addresses (one per line) of the e-mail servers that you want to specify as safe in the corresponding box.
10. In the E-mail Drop Folder section, in the E-mail drop folder box, type the name of the folder in which Microsoft Windows SharePoint Services polls for incoming e-mail from the SMTP service. This option is available only if you selected advanced mode.
11. Click OK.
Use this procedure to configure the default outgoing e-mail settings for all Web applications. You can override the default outgoing e-mail settings for specific Web applications by using the procedure that is described in Configure outgoing e-mail settings for a specific Web application.
Use this procedure to configure the outgoing e-mail settings for a specific Web application. Before using this procedure, you must first configure the default outgoing e-mail settings for all Web applications by using the procedure described in Configure outgoing e-mail settings.
8. Click Next.
9. When Windows has finished installing the SMTP service, on the Completing the Windows Components Wizard page, click Finish.
10. Click OK to close the Relay Restrictions dialog box.
11. Click OK to close the Properties dialog box.
sent an e-mail alert when a task is assigned to them, select No.
6. Under Allow external users to participate in workflow by sending them a copy of the document, select Yes if you want documents to be sent to external users by e-mail when those users are part of the workflow but they do not have access permissions to the documents. If you do not want documents to be sent to external users who do not have access permissions, select No.
Note: If the object in the workflow is not a document but a list item, the list item properties are displayed in a table as part of the e-mail message.
7. Click OK.
For information about how to perform this procedure using the Stsadm command-line tool, see Workflow management: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263153.aspx).
Use this procedure to configure the diagnostic logging settings for Microsoft Office SharePoint Server 2007. You can configure how diagnostic events are logged according to their criticality. Additionally, you can set the maximum number of log files that can be maintained, and you can set how long to capture events to a single log file. You can also indicate whether or not to provide Microsoft with continuous improvement and Dr. Watson event data.
Error reports
Error reports are created when your system encounters hardware or software problems. Microsoft and its partners actively use these reports to improve the reliability of your software. Error reports include the following: information regarding the condition of the server when the problem occurs; the operating system version and computer hardware in use; and the Digital Product ID, which can be used to identify your license. The IP address of your computer is also sent because you are connecting to an online service to send error reports; however, the IP address is used only to generate aggregate statistics. Microsoft does not intentionally collect any personal information. However, error reports could contain data from log files, such as user names, IP addresses, URLs, file or path names, and e-mail addresses. Although this information, if present, could potentially be used to determine your identity, the information will not be used in this way. The data that Microsoft collects will be used only to fix problems and to improve software and services. Error reports will be sent by using encryption technology to a database with limited access, and will not be used for marketing purposes.
For more information, see the Microsoft Error Reporting Service privacy statement (http://go.microsoft.com/fwlink/?LinkId=85028&clcid=0x409). If you want to provide error reports to Microsoft and its partners, select the option to collect error reports. Base your decision on your organization's policies about sharing the information collected by error reports, and the potential impact of error collection on users and administrators. Two options are available for error reports:
- You can choose to periodically download a file from Microsoft that can help identify system problems based on the error reports that you provide to Microsoft.
- You can change the error collection policy to silently send all reports. This changes the computer's error reporting behavior to automatically send reports to Microsoft without prompting users when they log on.
Event throttling
You can configure the diagnostic options for event logging. Events can be logged in either the Windows event log or the trace log. You can configure event throttling settings to control how many events are recorded in each log, according to the criticality of the events. To provide more control in event throttling, you can decide to throttle events for all events, or for any single category of events. Several categories of events are available, based on different services and features of SharePoint Products and Technologies. Categories of events can be defined by individual services or by groupings of related events. Selected event categories include:
- All Categories defined by product, such as Office SharePoint Server 2007 and Microsoft Office Project Server 2007
- Administrative functions such as Administration, Backup and Recovery, Content Deployment, and Setup and Upgrade
- Feature areas such as Document Management, E-Mail, Forms Services, Information Policy Management, Information Rights Management, Publishing, Records Center, Site Directory, Site Management, User Profiles, and Workflow
- SharePoint Services and other services such as the Load Balancer Service
- Shared services such as all Office Server Shared Services, Business Data, and Excel Calculation Services
For the selected category, select the least-critical event to record, for both the Windows event log and the trace log. Events that are equally critical to or more critical than the selected event will be recorded in each log. The list entries are sorted in order from most-critical to least-critical. The levels of events for the Windows event log include:
- None
- Error
- Warning
- Audit Failure
- Audit Success
- Information
The levels of events for the trace log include:
- None
- Unexpected
- Monitorable
- High
- Medium
- Verbose
For more information about the Windows event log or the trace log, see the Windows documentation.
If you select Yes, users can decide whether they want to report Customer Experience Improvement Program events to Microsoft.
4. In the Error Reports section, under Error reporting, select one of the following:
- Collect error reports. If you select this option, you can also select or clear two options to control how error reports are collected:
  - Periodically download a file that can help identify system problems.
  - Change this computer's error collection policy to silently send all reports. This changes the computer's error reporting behavior to automatically send reports to Microsoft without prompting users when they log on.
- Ignore errors and don't collect information.
5. In the Event Throttling section, in the Select a category menu, select a category of events:
a. In the Least critical event to report to the event log menu, select the least-critical event to report to the event log for the selected category.
b. In the Least critical event to report to the trace log menu, select the least-critical event to report to the trace log for the selected category.
6. In the Trace Log section, in the Path text box, type the local path to use for the trace log on all servers in the farm. The location must exist on all servers in the farm.
a. In the Number of log files text box, type the maximum number of files that you want to maintain.
b. In the Number of minutes to use a log file text box, type the number of minutes to use each log file.
7. Click OK.
For information about how to perform this procedure using the Stsadm command-line tool, see Setlogginglevels (http://technet.microsoft.com/en-us/library/cc261740.aspx) and Listlogginglevels (http://technet.microsoft.com/en-us/library/cc262133.aspx).
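The throttling rule described above (an event is recorded when it is at least as critical as the selected least-critical event, with "None" switching a log off for that category) is easy to misread, because choosing Verbose records the most, not the least. The following is an added example, not code from the original guide or from the product: it applies that rule to constructed events using the two severity orderings listed on this page. The throttling settings, the event records and their category names are constructed for the example; "All Categories" stands in for the farm-wide default used by categories without their own entry.

```python
"""Event throttling, as described in the Event throttling section above.

Added example, not code from the original guide or from the product. The two
severity orderings are the ones this page lists for the Windows event log and
the trace log; the throttling settings and the events are constructed to show
which events each setting lets through.
"""
from dataclasses import dataclass

# Most critical first, in the order the UI lists them.
# "None" as a setting means nothing is recorded for that category.
WINDOWS_EVENT_LOG_LEVELS = ["None", "Error", "Warning", "Audit Failure",
                            "Audit Success", "Information"]
TRACE_LOG_LEVELS = ["None", "Unexpected", "Monitorable", "High", "Medium",
                    "Verbose"]


@dataclass(frozen=True)
class Event:
    category: str
    windows_level: str   # severity the event carries for the Windows event log
    trace_level: str     # severity the event carries for the trace log
    message: str


def is_recorded(level: str, least_critical: str, ordering: list) -> bool:
    """True when the event is at least as critical as the configured
    least-critical event. Raises on vocabulary mix-ups, for example a trace
    level checked against the Windows event log ordering."""
    if least_critical == "None":
        return False
    if level not in ordering or least_critical not in ordering:
        raise ValueError(f"unknown level {level!r} or setting {least_critical!r}")
    return ordering.index(level) <= ordering.index(least_critical)


def throttle(events, settings):
    """settings: {category: (least critical for the event log, least critical
    for the trace log)}; the "All Categories" entry is the default.
    Returns (event_log_entries, trace_log_entries)."""
    default = settings["All Categories"]
    event_log, trace_log = [], []
    for ev in events:
        win_setting, trace_setting = settings.get(ev.category, default)
        if is_recorded(ev.windows_level, win_setting, WINDOWS_EVENT_LOG_LEVELS):
            event_log.append(ev)
        if is_recorded(ev.trace_level, trace_setting, TRACE_LOG_LEVELS):
            trace_log.append(ev)
    return event_log, trace_log


# Constructed settings: farm default Warning/Medium, Workflow fully verbose,
# Backup and Recovery kept out of the Windows event log entirely.
SAMPLE_SETTINGS = {
    "All Categories": ("Warning", "Medium"),
    "Workflow": ("Information", "Verbose"),
    "Backup and Recovery": ("None", "High"),
}

# Constructed events; the category names are illustrative.
SAMPLE_EVENTS = [
    Event("Workflow", "Information", "Verbose", "workflow instance started"),
    Event("Search", "Information", "Verbose", "crawl progress"),
    Event("Search", "Warning", "High", "crawl rule did not match"),
    Event("Backup and Recovery", "Error", "Unexpected", "backup job failed"),
    Event("E-Mail", "Audit Failure", "Medium", "incoming e-mail rejected"),
]

if __name__ == "__main__":
    ev_log, tr_log = throttle(SAMPLE_EVENTS, SAMPLE_SETTINGS)
    print("Windows event log:", [e.message for e in ev_log])
    print("Trace log:", [e.message for e in tr_log])
```

With these settings the Windows event log receives two of the five events and the trace log four: the Backup and Recovery error reaches the trace log but not the event log, because "None" for the event log suppresses that category regardless of severity.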
Note that you must be logged into the SharePoint Central Administration Web site on a farm server to configure single sign-on (SSO) for Office SharePoint Server 2007. If you attempt to configure SSO on a workstation or any computer that is not a farm server, you will see an error message that reads "Single sign-on cannot be configured from this server. To configure single sign-on, go to the computer running the single sign-on service and specify these settings locally." Follow the procedures in the sections that follow to configure SSO for your Office SharePoint Server 2007 environment.
Must be either the same as the single sign-on administrator account, or a member of the group account that is the single sign-on administrator account.
Configure and start the Microsoft Single Sign-On service
1. On the server, click Start, Control Panel, Administrative Tools, and then click Computer Management.
2. In the Computer Management console, expand Services and Applications, and then click Services.
3. Right-click Microsoft Single Sign-On Service, and then choose Properties.
4. On the General tab, change the Startup type to Automatic.
5. On the General tab, under Service Status, click Start.
6. Click OK to save your changes and close the Properties window.
7. Repeat steps 1 through 6 for each applicable server in the farm.
- Either a Windows global group or an individual user account. This account cannot be a domain local group account or a distribution list.
- The same account as the single sign-on service account, if a user is specified. If a group is specified, the single sign-on service account must be a member of that group.
- The same as the configuration account for single sign-on, if a user is specified. If a group is specified, the configuration account for single sign-on must be a member of that group.
- A member of the Farm Administrators group on Central Administration.
If a group is specified, all users who are added to the group for the purpose of administering single sign-on must be members of the local Administrators group on the encryption-key server. Do not make this account a member of the local Administrators group on the encryption-key server.
5. In the Enterprise Application Definition Administrator Account section, in the Account name box, type the account name of the group or user who can set up and manage enterprise application definitions. Type the name by using the form domain/group or domain/username. The enterprise application definition administrator account can manage credentials of an enterprise application definition, including changing the password of a group enterprise application definition and changing or deleting credentials for an individual enterprise application definition. The user or group that you specify must be the following:
- Either a Windows global group or an individual user account. This account cannot be a domain local group account or a distribution list.
- A member of the Reader SharePoint group on Central Administration.
6. In the Database Settings section, in the Server name box, type the NetBIOS name of the single sign-on database server (for example, computer_name or computer_name\SQL_Server_instance). Do not type the fully qualified domain name.
7. In the Database name box, enter the name of the single sign-on database server.
Note: Unless you are pre-creating databases, we recommend that you use the default database server and single sign-on database server.
8. In the Time Out Settings section, in the Ticket time out (in minutes) box, type a value for how many minutes pass before a single sign-on ticket expires. The time-out should be long enough to last between the time that the ticket is issued and the time that the enterprise application redeems the ticket. Two minutes is the recommended value.
9. In the Delete audit log records older than (in days) box, type a value for how many days the audit log holds records before deleting them.
10. Click OK.
If you do not re-encrypt the existing credentials with the new encryption key, users must retype their credentials for individual application definitions, and administrators must retype group credentials for group application definitions.
3. Click OK.
1. On the Manage Encryption Key page, in the Drive list in the Encryption Key Restore section, click the removable media drive from which you want to restore the encryption-key backup.
2. Click Restore.
1. On Central Administration, on the top navigation bar, click Operations.
2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.
3. On the Manage Settings for Single Sign-On page, click Manage settings for enterprise application definitions.
1. On Central Administration, on the top navigation bar, click Operations.
2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.
3. On the Manage Settings for Single Sign-On page, in the Enterprise Application Definition Settings section, click Manage account information for enterprise application definitions.
4. On the Manage Account Information for an Enterprise Application Definition page, in the Enterprise application definition list in the Account Information section, click the application definition for which you want to manage account information.
5. In the Group account name box, type the name of the group that is allowed access to the enterprise application.
6. In the Enterprise Application Definition section, select one of the following:
Option: Update account information
Purpose: Enter credentials for the first time or update the credentials used to connect to the enterprise application.
Option: Delete stored credentials for this account from this enterprise application definition
Purpose: Delete the credentials currently used to connect to the enterprise application.
Option: Delete stored credentials for this account from all enterprise application definitions
Purpose: Delete the credentials currently used to connect the selected enterprise application from all enterprise application definitions. Deleting stored credentials deletes credentials only for individual accounts; it does not delete credentials for group accounts.
If you select Update account information, complete the following steps:
a. Click Set.
b. On the Provide Account Information page, in the Logon Information section, type the user name and password of the account that will be used to connect to the enterprise application.
c. Click OK.
7. Click Done.
Administrative credentials
Membership in the Administrators group of the Central Administration site is required to complete this procedure.
Configure antivirus settings
1. On the top navigation bar, click Operations.
2. On the Operations page, in the Security Configuration section, click Antivirus.
3. On the Antivirus page, in the Antivirus Settings section, select one or all of the following:
- Scan documents on upload
- Scan documents on download
- Allow users to download infected documents
- Attempt to clean infected documents
4. Click OK.
For information about how to perform this procedure using the Stsadm command-line tool, see Antivirus: Stsadm properties (http://technet.microsoft.com/en-us/library/cc261683.aspx).
Configure authentication
In this section:
- Configure anonymous access
- Configure digest authentication
- Configure forms-based authentication
- Configure Web SSO authentication by using ADFS
- Configure Kerberos authentication
Authentication is the process of validating client identity, usually by means of a designated authority. Web site authentication helps establish that a user who is trying to access Web site resources can be verified as an authenticated entity. An authentication application obtains credentials from a user who is requesting Web site access. Credentials can be various forms of identification, such as user name and password. The authentication application tries to validate the credentials against an authentication authority. If the credentials are valid, the user who submitted the credentials is considered to be an authenticated identity.
Microsoft Office SharePoint Server is a distributed application that is logically divided into three tiers: the front-end Web server tier, the application server tier, and the back-end database tier. Each tier is a trusted subsystem and authentication can be required for access to each tier. Credential validation requires an authentication provider. Authentication providers are software components that support specific authentication mechanisms. Office SharePoint Server 2007 authentication is built on the ASP.NET authentication model and includes three authentication providers:
- Windows authentication provider
- Forms-based authentication provider
- Web Single Sign-On (SSO) authentication provider
You can use the Active Directory directory service for authentication, or you can design your environment to validate user credentials against other data stores, such as a Microsoft SQL Server database, a lightweight directory access protocol (LDAP) directory, or any other directory that has an ASP.NET 2.0 membership provider. The membership provider specifies the type of data store you are going to use. The default ASP.NET 2.0 membership provider uses a SQL Server database. Office SharePoint Server 2007 includes an LDAP v3 membership provider, and ASP.NET 2.0 includes a SQL Server membership provider. You can also deploy multiple authentication providers to enable, for example, intranet access by using Windows authentication and external access by using forms authentication. Using multiple authentication providers requires the use of multiple Web applications. Each Web application must have a designated zone and a single authentication provider. The authentication providers are used to authenticate against user and group credentials that are stored in Active Directory, in a SQL Server database, or in a Non-Active Directory LDAP directory service (such as NDS). For more information about ASP.NET membership providers, see Configuring an ASP.NET Application to Use Membership (http://go.microsoft.com/fwlink/?LinkId=87014&clcid=0x409).
Digest authentication
Digest authentication provides the same functionality as basic authentication, but with increased security. User credentials are encrypted instead of being sent over the network in plaintext. User credentials are sent as an MD5 message digest in which the original user name and password cannot be deciphered. Digest authentication uses a challenge/response protocol that requires the authentication requestor to present valid credentials in response to a challenge from the server. To authenticate against the server, the client has to supply an MD5 message digest in a response that contains a shared secret password string. The MD5 Message-Digest Algorithm is described in detail in Internet Engineering Task Force (IETF) RFC 1321 (http://www.ietf.org). To use digest authentication, note the following requirements:
- The user and IIS server must be members of, or trusted by, the same domain.
- Users must have a valid Windows user account stored in Active Directory on the domain controller.
- The domain must use a Microsoft Windows Server 2003 domain controller.
- You must install the IISSuba.dll file on the domain controller. This file is copied automatically during Windows Server 2003 Setup.
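The challenge/response exchange described above, worked through with both halves, as an added example that is not part of the original guide or of IIS. It is written from scratch with the Python standard library: the client computes the RFC 2617 request-digest (MD5 of the user name, realm and password, combined with the server nonce, a client nonce and the request method and URI), and the server verifies it from a stored H(A1) without ever receiving the password. The user name, realm, password, nonce, cnonce and URI are the sample values from RFC 2617 section 3.5, not values from this page; the server-side store is constructed. Two points the prose does not show: the server keeps only H(A1), which is bound to the realm, and a nonce that the server did not issue is rejected, which is what makes a captured response useless for replay.

```python
"""HTTP Digest authentication (RFC 2617) worked end to end.

Added example, not part of the original deployment guide or of IIS. Client
and server halves are written from scratch with the standard library. The
sample values come from RFC 2617 section 3.5; the server store is constructed.
"""
import hashlib
import re
import secrets

# Sample values from RFC 2617 section 3.5 (not from this page).
RFC2617 = dict(username="Mufasa", realm="testrealm@host.com",
               password="Circle Of Life", method="GET", uri="/dir/index.html",
               nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
               nc="00000001", cnonce="0a4f113b", qop="auth")


def _h(*parts: str) -> str:
    """H(data) from the RFC: MD5 of the colon-joined parts, lowercase hex."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username:realm:password). The server can keep only this
    value; the password itself never has to cross the network."""
    return _h(username, realm, password)


def digest_response(h_a1, method, uri, nonce, nc, cnonce, qop="auth"):
    """request-digest for qop=auth:
    MD5(H(A1):nonce:nc:cnonce:qop:H(A2)) with H(A2) = MD5(method:uri)."""
    return _h(h_a1, nonce, nc, cnonce, qop, _h(method, uri))


def build_authorization(username, realm, password, method, uri,
                        nonce, nc, cnonce, qop="auth"):
    """Client side: the Authorization header sent in reply to the challenge."""
    response = digest_response(ha1(username, realm, password), method, uri,
                               nonce, nc, cnonce, qop)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'qop=%s, nc=%s, cnonce="%s", response="%s"'
            % (username, realm, nonce, uri, qop, nc, cnonce, response))


def parse_authorization(header: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a dict of field -> value."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^",\s]+))', header[len("Digest "):])
    return {key: quoted if quoted else bare for key, quoted, bare in pairs}


def verify(header: str, method: str, h_a1_store: dict, issued_nonces: set) -> bool:
    """Server side: recompute the digest from the stored H(A1) and compare in
    constant time. Unknown user, nonce the server did not issue (replay) or a
    wrong password all fail, and the server never learns the password."""
    f = parse_authorization(header)
    stored = h_a1_store.get((f.get("username"), f.get("realm")))
    if stored is None or f.get("nonce") not in issued_nonces:
        return False
    expected = digest_response(stored, method, f.get("uri", ""), f["nonce"],
                               f.get("nc", ""), f.get("cnonce", ""),
                               f.get("qop", "auth"))
    return secrets.compare_digest(expected, f.get("response", ""))


def demo():
    """Constructed exchange: the store holds only H(A1); the client
    authenticates against it. Returns (header, verification result)."""
    v = RFC2617
    store = {(v["username"], v["realm"]): ha1(v["username"], v["realm"], v["password"])}
    header = build_authorization(v["username"], v["realm"], v["password"],
                                 v["method"], v["uri"], v["nonce"], v["nc"], v["cnonce"])
    return header, verify(header, v["method"], store, {v["nonce"]})


if __name__ == "__main__":
    hdr, ok = demo()
    print(hdr)
    print("verified:", ok)
```

The digest protects the password from being read off the wire, but it is still an unsalted MD5 construction over a low-entropy secret: anyone who records one exchange can test password guesses offline, so digest authentication does not remove the need for TLS on the connection.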
Integrated Windows authentication
Integrated Windows authentication can be implemented using either NTLM or constrained Kerberos delegation. Constrained Kerberos delegation is the most secure authentication method. Integrated Windows authentication works well in an intranet environment where users have Windows domain accounts. In Integrated Windows authentication, the browser attempts to use the current user's credentials from a domain logon, and if the attempt is unsuccessful, the user is prompted to enter a user name and password. If you use Integrated Windows authentication, the user's password is not transmitted to the server. If the user has logged on to the local computer as a domain user, the user does not have to authenticate again when the user accesses a network computer in that domain.
Kerberos authentication
This method is for servers that are running Active Directory on Microsoft Windows 2000 Server and more recent versions of Windows. Kerberos is a secure protocol that supports ticketing authentication. A Kerberos authentication server grants a ticket in response to a client computer authentication request that contains valid user credentials. The client computer then uses the ticket to access network resources. To enable Kerberos authentication, the client and server computers must have a trusted connection to the domain Key Distribution Center (KDC). The client and server computers must also be able to access Active Directory. For more information about configuring a virtual server to use Kerberos authentication, see Microsoft Knowledge Base article 832769: How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?LinkId=115572&clcid=0x409).
Constrained Kerberos delegation
Constrained authentication is the most secure configuration for communication between multiple application tiers. You can use constrained delegation to pass the original caller's identity through multiple application tiers: for example, from a Web server to an application server to a database server. Constrained Kerberos delegation is also the most secure configuration for accessing back-end data sources from application servers. Impersonation enables a thread to run in a security context other than the context of the process that owns the thread. In most server farm deployments in which front-end Web servers and application servers run on different computers, impersonation will require constrained Kerberos delegation.
Impersonation and Kerberos delegation
Kerberos delegation enables an authenticated entity to impersonate the credentials of a user or computer within the same forest. When impersonation is enabled, the impersonating entity is allowed to use credentials for performing tasks on behalf of the impersonated user or computer. During impersonation, ASP.NET applications can run by using the credentials of another authenticated entity. By default, ASP.NET impersonation is disabled. If impersonation is enabled for an ASP.NET application, then that application runs using the credentials of the access token IIS passes to ASP.NET. That token can be either an authenticated user token, such as a token for a logged-in Windows user, or the token that IIS provides for anonymous users (typically, the IUSR_computername identity). When impersonation is enabled, only your application code runs under the context of the impersonated user. Applications are compiled and configuration information is loaded by using the identity of the ASP.NET process. For more information about impersonation, see ASP.NET Impersonation (http://go.microsoft.com/fwlink/?LinkId=115573&clcid=0x409).
NTLM authentication
This method is for Windows servers that are not running Active Directory on a domain controller. NTLM authentication is required for networks that receive authentication requests from client computers that do not support Kerberos authentication. NTLM is a secure protocol that supports user credential encryption and transmission over a network. NTLM is based on encrypting user names and passwords before sending the user names and passwords over the network. NTLM is the authentication protocol that is used in Windows NT Server and in Windows 2000 Server workgroup environments, and in many Active Directory deployments. NTLM is used in mixed Windows 2000 Active Directory domain environments that must authenticate Windows NT systems. When Windows 2000 Server is converted to native mode where no down-level Windows NT domain controllers exist, NTLM is disabled. Kerberos then becomes the default authentication protocol for the enterprise.
Anonymous access enables users to find resources in the public areas of Web sites without having to provide authentication credentials.
Enable anonymous access for a zone of a Web application
1. From Administrative Tools, open the SharePoint Central Administration Web site application.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the Application Security section, click Authentication providers.
4. On the Authentication Providers page, make sure the Web application that is listed in the Web Application box (under Site Actions) is the one that you want to configure. If the listed Web application is not the one that you want to configure, click the drop-down arrow to the right of the Web Application drop-down list box and select Change Web Application.
5. In the Select Web Application dialog box, click the Web application that you want to configure.
6. On the Authentication Providers page, click the zone of the Web application on which you want to enable anonymous access. The zones that are configured for the selected Web application are listed on the Authentication Providers page.
7. On the Edit Authentication page, in the Anonymous Access section, select Enable Anonymous Access, and then click Save.
At this point, the Web application zone has been enabled for anonymous access.
5. Click OK.
At this point, your site is configured for anonymous access based on the options that you have selected.
corresponds to the Web application zone on which you want to configure digest authentication, and then click Properties.
3. On the Web Site Properties page, click the Directory Security tab.
4. In the Anonymous access and authentication control section, click the Edit button.
5. In the Authenticated access section of the Authentication Methods dialog box, select Digest authentication for Windows domain servers. A dialog box is displayed informing you that digest authentication only works with Active Directory domain accounts, and asking you if you want to continue. Click Yes.
6. In the Realm section of the Authentication Methods dialog box, click the Select button.
7. Select the appropriate realm and click OK. On the other open dialog boxes, click OK.
At this point, your Web site is configured to use digest authentication.
Microsoft Office SharePoint Server 2007 authentication is performed by an authentication mechanism that is supported by one of the available authentication providers. Providers are modules that contain the code necessary to authenticate the credentials of a requestor. Authentication for Office SharePoint Server 2007 is built on the ASP.NET authentication model and includes three authentication providers:
- Windows authentication provider
- Forms-based authentication provider
- Web Single Sign-On (SSO) authentication provider
In addition, ASP.NET supports the use of pluggable authentication providers, which means that you can write an authentication provider to support any credential store that you want to use.
To enable forms-based authentication for an Office SharePoint Server 2007 Web site and add users to the user account database, perform the following procedures.
Create a new site
1. On the home page of the SharePoint Central Administration Web site, click Application Management.
2. On the Application Management page, in the SharePoint Web Application Management section, click Create or extend Web application.
3. On the Create or Extend Web Application page, click Create a new Web application.
4. On the Create New Web Application page, in the Security Configuration section, make sure NTLM is selected under Authentication provider. Also, select Yes under Allow Anonymous.
5. Use the default entries to complete the new Web application creation procedure and click OK.
At this point, you have created a new site placeholder. Use the following procedure to create a site collection.
Create a site collection
1. On the top link bar, click Application Management.
2. On the Application Management page, in the SharePoint Site Management section, click Create site collection.
3. On the Create Site Collection page, in the Web Application section, verify that the Web application in which you want to create the site collection is selected. If it is not, click Change Web Application on the Web Application menu. Then, on the Select Web Application page, click the Web application in which you want to create the site collection.
4. In the Title and Description section, type the title and description for the site collection.
5. In the Web Site Address section, under URL, select the path to use for your URL.
Note: If you select a wildcard inclusion path, you must also type the site name to use in the URL of your site. The paths available for the URL option are taken from the list of managed paths that have been defined as wildcard inclusions.
6. In the Template Selection section, in the Select a template list, select the template that you want to use for the top-level site in the site collection.
7. In the Primary Site Collection Administrator section, enter the user name (in the form domain\username) for the user who will be the site collection administrator.
8. If you want to identify a user as the secondary owner of the new top-level Web site (recommended), in the Secondary Site Collection Administrator section, enter the user name for the secondary administrator of the site collection.
9. If you are using quotas to limit resource use for site collections, in the Quota Template section, click a template in the Select a quota template list.
10. Click OK.
At this point, you have created a site collection. Use the following procedure to configure a forms-based authentication provider.
Configure a forms-based authentication provider
1. On the home page of the SharePoint Central Administration Web site, click Application Management.
2. On the Application Management page, in the SharePoint Web Application Management section, click Web application list.
3. On the Web Application List page, double-click the new Web application that you created in the previous procedure.
4. On the Application Management page, in the Application Security section, click Authentication providers.
5. On the Authentication Providers page, click the zone name for the authentication provider whose settings you want to configure.
6. On the Edit Authentication page, in the Authentication Type section, select Forms. If you need to explicitly grant anonymous access to a site collection, in the Anonymous Access section, select the Enable anonymous access check box for all sites within the Web application. To disable anonymous access for all sites within the Web application, clear the Enable anonymous access check box.
Note: If you enable anonymous access here, anonymous access can still be denied at the site collection level or at the site level. However, if you disable anonymous access here, it is disabled at all levels within the Web application.
7. In the Membership Provider Name section, in the Membership provider name box, type the name of the membership provider that you want to use.
Note: If the Web application is going to support forms-based authentication, the membership provider must be correctly configured in the Web.config file for the IIS Web application that hosts SharePoint content on each Web server. The membership provider must also be added to the Web.config file for the IIS Web application that hosts Central Administration.
8. In the Client Integration section, under Enable Client Integration, make sure No is selected, and then click Save. If you select Yes, features that start client applications according to document types will be enabled. This option will not work correctly with some types of forms-based authentication. If you select No, features that start client applications according to document types will be disabled. Users will have to download documents and then upload them after they make changes.
Notes
For forms-based authentication, client integration is disabled by default. When client integration is disabled, links to client applications are not visible and documents cannot be opened in client applications; documents can only be opened in a Web browser. However, users can download documents, edit them in client applications locally, and then upload them to the site.
Client integration is disabled by default when you use forms-based authentication. This is because client integration does not natively support forms-based authentication. You might be able to use many client integration features with forms-based authentication, and there are workarounds available to implement varying levels of client integration functionality with forms-based authentication. However, if published workarounds are inadequate, or if you find unexpected issues using workarounds, we do not provide support and there are no product changes to address these issues. If you plan to use client integration with forms-based authentication, you must fully test any available solutions or workarounds to determine if the performance and functionality are acceptable in your environment. Product Support can provide commercially reasonable support to help you troubleshoot published workarounds.
After a user provides credentials, the system issues a cookie that identifies the user. On subsequent requests, the system first checks the cookie to see whether the user has already been authenticated, so the user does not have to supply credentials again. If the user has not selected the Remember me? box on the logon page, the credential information is not cached on the client computer, and is valid only during the current session. This is especially important in a scenario where users are connecting from public computers or kiosks, where you would not want user credentials to be cached.
Users are required to reauthenticate if they close the browser, log off from a session, or navigate to another Web site. Also, you can configure a maximum idle session time-out value to force reauthentication if a user is idle for a prolonged period of time during a session.
- Default zone
- Intranet zone
- Internet zone
- Custom zone
- Extranet zone
Note: If you use forms-based authentication and the Office SharePoint Server 2007 search crawler polls a zone that is configured to support Kerberos authentication, the Office SharePoint Server 2007 search crawler will fail. If you use forms-based authentication and the Office SharePoint Server 2007 search crawler polls a zone that is configured to support basic or certificate authentication, you have to configure a crawl rule and provide credentials or certificates in the Shared Services Provider (SSP) search settings. If a crawl rule is not configured, the crawler will cycle through all of the zones until it finds a zone that is configured with NTLM. If the crawler finds a zone configured with NTLM, the crawl will succeed. If the crawler finds a zone configured with Kerberos or Digest authentication, the crawl will fail and polling will stop.
Office SharePoint Server 2007 does not allow a Web application to work with the same provider name across multiple zones. You can configure the Web.config file to use the same provider for each zone; however, the name of the provider has to be unique for each zone. For additional information on authentication mechanisms and samples for configuring forms-based authentication with multiple providers, see Plan for authentication (http://technet.microsoft.com/en-us/library/cc263434.aspx).
3. To ensure that the crawler can access the content, configure the extended content Web application for forms-based authentication by selecting the Web application from the Web Application list in Central Administration, as shown in the following figure:
4. Follow the link to Create or Extend Web Application and choose the option to extend a Web application. Type in the details, such as choosing a port number where the new Web application will be hosted in IIS, and choosing the zone that this extended Web application will reside under. The following figure shows the original Web application, which is always created in the Default zone, and the extended Web application created under the Custom zone.
Each of the zones identifies the logical separation of access restrictions to the same content.

Note: You cannot increase the number of zones.

5. Configure the membership provider name of the extended Web application for forms-based authentication, as shown in the following figure.
After extending the content Web application to a different zone, you can configure authentication providers and enable different authentication mechanisms using different URLs. At this point, add a provider section in the Web.config file of the extended Web application.

Note: Adding the provider section in the Web.config file for the default zone will have no impact on Office SharePoint Server 2007 awareness of the provider for the new zone. Practically, the two zones are isolated from each other as far as IIS Web sites are concerned, even though they will still share the same application pool.

6. Modify the authentication provider by following the link to the Authentication Providers page. This page displays all of the zones on which the Web application has been extended. Select the appropriate zone and configure the authentication provider. In the preceding example, the authentication provider is configured as the PeopleDCLDAPMemberShipProvider for the Custom zone.

7. Add the first administrative user who will have administrative access on all site collections within the Web application. In this example, the content is the same and the site collections are identical across all the extended zones (Default and Custom), even though the URLs are different. When the Web application is first created, the application pool identity is granted Full Read permissions on the Web application for all zones. For the Default zone, access is controlled by the primary site collection administrator who was specified during the creation of the site collection at the root of the Web application. For the extended zone, you have to add a specific user with Full Control on the Web application to enable initial logon to the site collections and to perform administrative tasks. To add a user, click Add Users on the Policy for Web Application page, and select a zone. Run the People Picker and resolve the name of the user.

Note: The user will be added as provider:username because the People Picker will resolve the user by using the provider configured in the Web.config file for the extended Web application.
Office SharePoint Server 2007 ignores the custom provider if All Zones is selected in the Zone drop-down list. Therefore, it is very important to ensure that the appropriate zone is selected.

8. After the user has been added, verify that forms-based authentication is functioning by browsing to the URL for the extended zone. In this example, the content Web application is in the Default zone on port 2000 and is extended to the Custom zone on port 2001. Browse to the extended port.

9. At this point, the forms-based authentication logon screen is displayed. Type the credentials for the user you added earlier, and click Submit. You are then redirected to the Default.aspx page of the site. The Default.aspx page is very similar to a standard Default.aspx page of a default zone site. However, in this example, the My Site creation link is not displayed. My Sites and personalization are services provided by the Shared Services Provider (SSP). There is an existing SSP that provides these services to this Web application. At this point in the procedure, the SSP is unaware of the new user, whose credentials you used to log in. Because links are security trimmed, they are not displayed and, in this example, the current user is not recognized by the SSP. To correct this situation, enable the SSP for forms-based authentication, as described in the following procedure.
Note: Make sure the welcome control displays the identity of the Windows user.

4. Browse to the Personalization Services Permissions page, and launch the People Picker.

5. Try resolving the forms-based authenticated user here. The People Picker will not resolve the forms-based authenticated user because this zone is not aware that there is another provider that can be queried to find these users.

6. To make this zone aware of the provider, modify the Web.config file for this zone and add the same provider section that you added for enabling forms-based authentication.

Important: In the Web.config file, do not set the defaultProvider attribute. If you set this attribute, the People Picker and security trimmer will always use this provider to resolve and authenticate users.

7. Browse back to the Personalization Services Permissions page and launch the People Picker, which now resolves the forms-based authentication user and displays all users who meet the same criteria.

8. Select a user and choose the permissions you want to assign to this user:
   - Create Personal Site: This permission is required to make the My Site link visible, and enables users to create a My Site.
   - Use Personal Features: This permission enables users to access SSP and My Site features.
   - Manage user profiles: This permission enables users to view and manage user profiles from the Profile Store.
   - Manage Audiences: This permission enables users to manage audiences.
   - Manage Permissions: This permission enables permission management on an SSP.
   - Manage Usage Analytics: This permission enables users to manage and configure usage analysis.
9. Click Save. At this point, you can log back on to the Custom zone SSP site as a forms-based authenticated user and add additional users. In addition, you can configure sets of permissions for these additional users.

After the user is enabled with the Create Personal Site permission, the My Site link will be displayed. You can browse to the Custom zone portal using the forms-based authenticated user and note that the Welcome control displays the My Site link. However, clicking the link will not actually create a My Site. This is because the SSP still only refers to the default zone for the My Site host, even though the SSP is extended on the Custom zone. The Web application is not yet aware of the forms authenticated users. You can address this by extending the My Site Web application and configuring it for forms-based authentication.

Because you can manually set the My Site host from within the SSP, it does not matter if the My Site host is extended to a different zone than the SSP administration Web application. If you are implementing a scenario in which these two zones have to be different, you can browse to the SSP, using forms-based authentication, and manually set the My Site host. Browse to the SSP administration Web site using forms-based authentication and then browse to the My Site Settings page. Now you can edit the personal site provider to point to the newly extended My Site Web application. If you extend the My Site Web application onto the same zone as the SSP administration Web application, Office SharePoint Server 2007 will automatically realign the My Sites and this manual configuration is not necessary. In addition, you can go to the content site, log on by using forms-based authentication, and create a My Site for the forms-based authenticated user.
6. Verify that the profiles are imported by clicking View User Profiles, as shown in the following figure:
After the import is performed, the user profile store in Office SharePoint Server 2007 is updated with the new profiles. To enable people search, perform the next procedure.

7. Initiate a crawl of the people content source. When the crawl is complete, you will be able to perform a people search on the forms-based authentication site.
Note: When you use the People Picker to add users to Windows SharePoint Services 3.0, Windows SharePoint Services 3.0 validates the users against the provider, which in this example is ADFS. Therefore, you should configure the Federation Server before you configure Windows SharePoint Services 3.0.

Important: The setup process has been captured in a VBScript file that you can use to configure Office SharePoint Server 2007 to use ADFS for authentication. This script file is contained in the file (SetupSharePointADFS.zip) and is available on the Microsoft SharePoint Products and Technologies blog, listed in the Attachments section. For more information, see the blog page A script to configure SharePoint to use ADFS for authentication (http://go.microsoft.com/fwlink/?LinkId=113894).
d. Click Use Secure Sockets Layer (SSL), and change the port number to 443. ADFS requires that sites be configured to use SSL.

e. In the Load Balanced URL box, delete the text string :443. Internet Information Services (IIS) will automatically use port 443 because you specified the port number in the previous step.

f. Complete the rest of the steps on the page to finish extending the Web application.
5. On the Alternate Access Mappings (AAM) page, verify that the URLs resemble the following table.

    Internal URL                        Zone       Public URL for Zone
    http://trey-moss                    Default    http://trey-moss
    https://extranet.treyresearch.net   Extranet   https://extranet.treyresearch.net
6. Add an SSL certificate to the Extranet Web Site in IIS. Make sure that this SSL certificate is issued to extranet.treyresearch.net, because this is the name that clients will use when they access the sites.

7. Configure the authentication provider for the Extranet zone on your Web application to use Web SSO by doing the following:

   a. On the Application Management page of your farm's Central Administration site, click Authentication Providers.
   b. Click Change in the upper-right corner of the page, and then select the Web application on which you want to enable Web SSO.
   c. In the list of two zones that are mapped for this Web application (both of which should say Windows), click the Windows link for the Extranet zone.
   d. In the Authentication Type section, click Web Single Sign On.
   e. In the Membership provider name box, type SingleSignOnMembershipProvider2. Make a note of this value; you will be adding it to the name element of the <membership> section in the web.config files that you will edit later in this procedure.
   f. In the Role manager name box, type SingleSignOnRoleProvider2. Make a note of this value; you will be adding it to the name element of the <roleManager> section in the web.config files you will edit later in this procedure.
   g. Make sure the Enable Client Integration setting is set to No.
   h. Click Save.

Your extranet Web application is now configured to use Web SSO. However, at this point, the site will be inaccessible because no one has permissions to it. The next step is to assign permissions to users so that they can access this site.

Note: After selecting Web SSO as the authentication provider, Anonymous Authentication will be automatically enabled for the SharePoint site in IIS (no user action is required). This setting is required for the site to allow access using only claims.
d. To add a user claim, specify their e-mail address or User Principal Name in the Users/Groups section. If both UPN and e-mail claims are sent from the federation server, then SharePoint will use UPN to verify against the MembershipProvider. Therefore, if you want to use e-mail, you will have to disable the UPN claim in your federation server. See Working with UPN and e-mail Claims for more information.

e. To add a group claim, type the name of the claim you want the SharePoint site to use in the Users/Groups section. For example, create an organizational group claim named Adatum Contributers on the Federation Server. Add the claim name Adatum Contributers to the SharePoint site as you would a Windows user or group. You can assign this claim Home Members [Contribute], and then any user who accesses the SharePoint site by using this group claim will have Contributor access to the site.

f. Select the appropriate permission level or SharePoint group.

g. Click OK.

5. Use the text editor of your choice to open the web.config file for the extranet site, and add the following entry in the <configSections> node.

    <sectionGroup name="system.web">
      <section name="websso" type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
    </sectionGroup>

6. Add the following entry to the <httpModules> node.

    <add name="Identity Federation Services Application Authentication Module" type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />

Note: The ADFS authentication module should always be specified after the SharePoint SPRequest module in the <httpModules> node of the web.config file. It is safest to add it as the last entry in that section.

7. Add the following entry anywhere under the <system.web> node.
    <membership defaultProvider="SingleSignOnMembershipProvider2">
      <providers>
        <add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </providers>
    </membership>

    <roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
      <providers>
        <add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </providers>
    </roleManager>

    <websso>
      <authenticationrequired />
      <auditlevel>55</auditlevel>
      <urls>
        <returnurl>https://your_application</returnurl>
      </urls>
      <fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs>
      <isSharePoint />
    </websso>

Note: Change the value for fs-server to your Federation Server computer, and change the value of your_application to reflect the URL of your extranet Web application.

8. Browse to the https://extranet.treyresearch.net Web site as an ADFS user who has permissions to the extranet Web site.
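The following Python script is an added example for this guide (it is not Microsoft's tooling or part of the procedure): run against a copy of the extranet site's web.config, it checks the points steps 5 through 7 and the Authentication Providers page depend on: that the provider names typed into Central Administration match the <membership> and <roleManager> names, that the ADFS authentication module is listed after SharePoint's SPRequest module in <httpModules>, and that the fs-server and your_application placeholders in <websso> were replaced with https URLs. The sample configs are constructed from the fragments above; the SPRequest module's type name (SPREQUEST_MODULE) is an assumption taken from a typical SharePoint web.config and is not given in this guide.

```python
"""Offline sanity check of the Web SSO (ADFS) entries in a SharePoint extranet
web.config.  Added example, not part of the guide; see the lead-in for the
assumptions it makes."""
import xml.etree.ElementTree as ET

ADFS_MODULE = "System.Web.Security.SingleSignOn.WebSsoAuthenticationModule"
SPREQUEST_MODULE = "Microsoft.SharePoint.ApplicationRuntime.SPRequestModule"  # assumed type name


def _type_name(add_element):
    """'Namespace.Type, Assembly, Version=...' -> 'Namespace.Type'."""
    return add_element.get("type", "").split(",")[0].strip()


def check_websso_config(xml_text, membership_name, role_name):
    """Return a list of findings; an empty list means the config passes."""
    root = ET.fromstring(xml_text)
    sw = root.find("system.web")
    if sw is None:
        return ["no <system.web> node"]
    findings = []

    # Provider names must match what was typed into Central Administration.
    mem = sw.find("membership")
    if mem is None or mem.get("defaultProvider") != membership_name:
        findings.append(f"membership defaultProvider is not {membership_name}")
    elif mem.find(f"providers/add[@name='{membership_name}']") is None:
        findings.append(f"no provider named {membership_name} under <membership>")
    rm = sw.find("roleManager")
    if rm is None or rm.get("enabled") != "true" or rm.get("defaultProvider") != role_name:
        findings.append(f"roleManager is not enabled with defaultProvider {role_name}")
    elif rm.find(f"providers/add[@name='{role_name}']") is None:
        findings.append(f"no provider named {role_name} under <roleManager>")

    # The ADFS module must run after SharePoint's SPRequest module.
    modules = [_type_name(m) for m in sw.findall("httpModules/add")]
    if ADFS_MODULE not in modules:
        findings.append("ADFS authentication module missing from <httpModules>")
    elif SPREQUEST_MODULE in modules and modules.index(ADFS_MODULE) < modules.index(SPREQUEST_MODULE):
        findings.append("ADFS authentication module is listed before the SPRequest module")

    # Placeholders from the template must have been replaced with real https URLs.
    ws = sw.find("websso")
    if ws is None:
        findings.append("no <websso> section under <system.web>")
    else:
        fs = ws.findtext("fs", default="")
        ret = ws.findtext("urls/returnurl", default="")
        if "fs-server" in fs or not fs.startswith("https://"):
            findings.append("<fs> still has the fs-server placeholder or is not an https URL")
        if "your_application" in ret or not ret.startswith("https://"):
            findings.append("<returnurl> still has the your_application placeholder or is not an https URL")
        if ws.find("isSharePoint") is None:
            findings.append("<isSharePoint /> missing from <websso>")
    return findings


# Constructed sample: a correctly edited extranet web.config (names from this guide).
GOOD_CONFIG = """<configuration>
  <system.web>
    <httpModules>
      <add name="SPRequest" type="Microsoft.SharePoint.ApplicationRuntime.SPRequestModule, Microsoft.SharePoint" />
      <add name="Identity Federation Services Application Authentication Module" type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
    </httpModules>
    <membership defaultProvider="SingleSignOnMembershipProvider2">
      <providers>
        <add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
      <providers>
        <add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </providers>
    </roleManager>
    <websso>
      <authenticationrequired />
      <auditlevel>55</auditlevel>
      <urls><returnurl>https://extranet.treyresearch.net</returnurl></urls>
      <fs>https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx</fs>
      <isSharePoint />
    </websso>
  </system.web>
</configuration>"""

# Constructed sample: the template pasted in without replacing the placeholders.
BAD_CONFIG = (GOOD_CONFIG
              .replace("https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx",
                       "https://fs-server/adfs/fs/federationserverservice.asmx")
              .replace("https://extranet.treyresearch.net", "https://your_application"))

if __name__ == "__main__":
    for label, cfg in (("edited", GOOD_CONFIG), ("template", BAD_CONFIG)):
        print(label, check_websso_config(cfg, "SingleSignOnMembershipProvider2", "SingleSignOnRoleProvider2") or "OK")
```

Point the script at the web.config of each zone you extended; the provider names are per zone, so pass the values you recorded for that zone in step 7e and 7f.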
As you extend Web applications by using different providers, you can configure one or more of them to be able to find users and groups from various providers that you are using on that Web application. In this scenario, we configured our site that uses Windows authentication in a way that allows users of that site to select other Windows users, Windows groups, and ADFS claims, all from one site.
    </roleManager>
    </system.web>
    </configuration>

Note: Change the value of fs-server to your resource Federation Server (adfsresource.treyresearch.net).
1. From Administrative Tools on your Federation Server, open the ADFS snap-in.

Note: You can also open the ADFS snap-in by typing ADFS.MSC in the Run dialog box.

2. Select your Office SharePoint Server 2007 application node (your application should already be added to the list of nodes).

3. In the claims list on the right, right-click E-mail, and select Enable or Disable.

4. In the claims list on the right, right-click UPN, and select Enable or Disable.

Note: If both UPN and E-mail are enabled, Office SharePoint Server 2007 will use UPN to perform user claim verification. Therefore, when configuring Office SharePoint Server 2007, be careful about which user claim you enter. Also note that the UPN claim will only work consistently if the UPN suffixes and the e-mail suffixes that are accepted by the Federation Server are identical. This is because the membership provider is e-mail based. Because of this complexity in configuring UPN claims, e-mail is the recommended user claim setting for membership authentication.
When you use ADFS as a role provider in Office SharePoint Server 2007, the process is different. There is no way for the Web SSO provider to directly resolve an Active Directory group; instead, it resolves groups by using organizational group claims. When you use ADFS with Office SharePoint Server 2007, you must create a set of organizational group claims in ADFS. You can then associate multiple Active Directory groups with an ADFS organizational group claim.

For group claims to work with the latest version of ADFS, you need to edit the web.config file for the ADFS application in IIS on your ADFS server. Open the web.config file and add <getGroupClaims /> to the <FederationServerConfiguration> node inside the <System.Web> node, as shown in the following example.

    <configuration>
      <system.web>
        <FederationServerConfiguration>
          <getGroupClaims />
        </FederationServerConfiguration>
      </system.web>
    </configuration>

In the Adatum (Account Forest), do the following:

1. Create an Active Directory group named Trey SharePoint Readers.
2. Create an Active Directory group named Trey SharePoint Contributors.
3. Add Alansh to the Readers group and Adamcar to the Contributors group.
4. Create an organizational group claim named Trey SharePoint Readers.
5. Create an organizational group claim named Trey SharePoint Contributors.
6. Right-click the Active Directory account store, and then click New Group Claim Extraction.
   a. Select the Trey SharePoint Readers organizational group claim, and then associate it with the Trey SharePoint Readers Active Directory group.
   b. Repeat step 6, and then associate the Trey SharePoint Contributors organizational group claim with the Trey SharePoint Contributors Active Directory group.
7. Right-click the Trey Research Account Partner, and then create the outgoing claim mappings:
   a. Select the Trey SharePoint Readers claim, and then map it to the outgoing claim adatum-trey-readers.
   b. Select the Trey SharePoint Contributors claim, and then map it to the outgoing claim adatum-trey-contributors.

Note: The claim mapping names must be agreed on between the organizations, and they must match exactly.
On the Trey Research side, start ADFS.MSC, and then do the following:

1. Create an organizational group claim named Adatum SharePoint Readers.
2. Create an organizational group claim named Adatum SharePoint Contributors.
3. Create incoming group mappings for your claims:
   a. Right-click the Adatum account partner, and then click Incoming Group Claim Mapping.
   b. Select Adatum SharePoint Readers, and then map it to the incoming claim name adatum-trey-readers.
   c. Select Adatum SharePoint Contributors, and then map it to the incoming claim name adatum-trey-contributors.
4. Right-click the Office SharePoint Server 2007 Web application, and then click Enable on both the Reader and Contributor claims.

Browse to the http://trey-moss site on the Trey Research side as the site administrator, and then do the following:

1. Click the Site Actions menu, point to Site Settings, and then click People and Groups.
2. If it is not already selected, click the Members group for your site.
3. Click New, and then click Add Users on the toolbar.
4. Click the address book icon next to the Users/Groups box.
5. In the Find box in the People Picker dialog box, type Adatum SharePoint Readers. In the Give Permission section, select the SharePoint group homeVisitors [Readers].
6. In the Find box, type Adatum SharePoint Contributors. In the Give Permission section, select the SharePoint group homeMembers [Contribute].
computers must also be able to access Active Directory directory services. For Active Directory, the forest root domain is the center of Kerberos authentication referrals.

To deploy a server farm running Microsoft Office SharePoint Server 2007 using Kerberos authentication, you must install and configure a variety of applications on your computers. This section describes an example server farm running Office SharePoint Server 2007 and provides guidance for deploying and configuring the farm to use Kerberos authentication to support the following functionality:

- Communication between Office SharePoint Server 2007 and Microsoft SQL Server database software.
- Access to the SharePoint Central Administration Web application.
- Access to other Web applications, including a portal site Web application, a My Site Web application, and an SSP Administration site Web application.
- Access to the shared services for the Office SharePoint Server 2007 Web applications in the Office SharePoint Server 2007 Shared Services Provider (SSP) infrastructure.
Kerberos authentication for the SSP infrastructure in Office SharePoint Server 2007 requires the installation of the Infrastructure Update for Microsoft Office Servers.

Note: An SSP is a logical grouping of a common set of services and service data that can be provided to Web applications and their associated Web sites. An SSP infrastructure enables the sharing of services across server farms, Web applications, and site collections. The Office Server Web Services Web site is the SSP infrastructure. The SSP infrastructure exists on any server running Office SharePoint Server 2007 that is deployed using the Complete installation option. Kerberos authentication does not work with the Office Server Web Services Web site unless the Infrastructure Update for Microsoft Office Servers is installed.

This section does not provide an in-depth examination of Kerberos authentication. Kerberos is an industry-standard authentication method that is implemented in Active Directory. This section also does not provide detailed, step-by-step instructions for installing Office SharePoint Server 2007, for using the SharePoint Products and Technologies Configuration Wizard, or for using Central Administration to create Office SharePoint Server 2007 Web applications.
You should also make sure that your Active Directory domain controllers are running Windows Server 2003 SP2 with the latest updates applied from the Windows Update site (http://go.microsoft.com/fwlink/?LinkID=101614&clcid=0x409).
Known issues
Kerberos authentication cannot be configured to work with the SSP infrastructure in Office SharePoint Server 2007 unless the Infrastructure Update for Microsoft Office Servers is installed. Therefore, if you do not have the Infrastructure Update for Microsoft Office Servers installed, disregard the guidance in this section for configuring Kerberos authentication for the SSP infrastructure.

Office SharePoint Server 2007 can crawl Web applications configured to use Kerberos authentication if those Web applications are hosted on IIS virtual servers that are bound to default ports (TCP port 80 and Secure Sockets Layer (SSL) port 443). However, Office SharePoint Server 2007 Search cannot crawl Office SharePoint Server 2007 Web applications that are configured to use Kerberos authentication if the Web applications are hosted on IIS virtual servers that are bound to non-default ports (ports other than TCP port 80 and SSL port 443). Currently, Office SharePoint Server 2007 Search can only crawl Office SharePoint Server 2007 Web applications hosted on IIS virtual servers bound to non-default ports that are configured to use either NTLM authentication or Basic authentication.

For end-user access using Kerberos authentication, if you need to deploy Web applications that can only be hosted on IIS virtual servers that are bound to non-default ports, and if you want end users to get search query results, then:

- The same Web applications must be hosted on other IIS virtual servers on non-default ports.
- The Web applications must be configured to use either NTLM or Basic authentication.
- Search Indexing must crawl the Web applications using NTLM or Basic authentication.

This section addresses the following:

- Configuring the Central Administration Web application using Kerberos authentication hosted on an IIS virtual server bound to non-default ports.
- Configuring portal and My Site applications, and shared services using Kerberos authentication hosted on IIS virtual servers bound to default ports and with an IIS host header binding.
- Ensuring that Search Indexing successfully crawls Office SharePoint Server 2007 Web applications using Kerberos authentication.
- Ensuring that users accessing Kerberos-authenticated Web applications can successfully get search query results for those Web applications.
- Configuring Kerberos authentication for the SSP infrastructure (if the Infrastructure Update for Microsoft Office Servers is installed).
Additional background
It is important to understand that when you use Kerberos authentication, accurate authentication functionality is dependent in part on the behavior of the client that is attempting to authenticate using Kerberos. In an Office SharePoint Server 2007 farm deployment using Kerberos authentication, Office SharePoint Server 2007 is not the client. Before you deploy a server farm running Office SharePoint Server 2007 using Kerberos authentication, you must understand the behavior of the following clients:

- The browser (in the context of this section, the browser is always Windows Internet Explorer).
- The Microsoft .NET Framework.
The browser is the client used when browsing to a Web page in an Office SharePoint Server 2007 Web application. When Office SharePoint Server 2007 performs tasks such as crawling the local Office SharePoint Server 2007 content sources or making calls to the SSP infrastructure, the .NET Framework is functioning as the client.
For Kerberos authentication to work correctly, you must create SPNs in Active Directory. If the services to which these SPNs correspond are listening on non-default ports, the SPNs should include port numbers. This is to ensure that the SPNs are meaningful. It is also required to prevent the creation of duplicate SPNs.

When a client (Internet Explorer or the .NET Framework) attempts to access a resource using Kerberos authentication, the client must construct an SPN to be used as part of the Kerberos authentication process. If the client does not construct an SPN that matches the SPN that is configured in Active Directory, Kerberos authentication will fail, usually with an access denied error.

There are versions of Internet Explorer that do not construct SPNs with port numbers. If you are using Office SharePoint Server 2007 Web applications that are bound to non-default port numbers in IIS, you might have to direct Internet Explorer to include port numbers in the SPNs that it constructs. In a farm running Office SharePoint Server 2007, the Central Administration Web application is hosted, by default, in an IIS virtual server that is bound to a non-default port. Therefore, this section addresses both IIS port-bound and IIS host-header-bound Web sites, and it provides a link to instructions for directing Internet Explorer to include port numbers in SPNs.

In a farm running Office SharePoint Server 2007, by default the .NET Framework does not construct SPNs that contain port numbers. This is the reason why Search cannot crawl Web applications using Kerberos authentication if those Web applications are hosted on IIS virtual servers that are bound to non-default ports. It is also the reason why Kerberos authentication cannot be correctly configured and made to work for the SSP infrastructure unless the Infrastructure Update for Microsoft Office Servers is installed.
This section provides guidance for configuring one SSP in the farm.
Servers in the example farm (role: host name):

    Active Directory:                                              mydomain.net
    A front-end Web server running Office SharePoint Server 2007:  mossfe1.mydomain.net
    A front-end Web server running Office SharePoint Server 2007:  mossfe2.mydomain.net
    Office SharePoint Server 2007 Central Administration:          mossadmin.mydomain.net
    Search Indexing running Office SharePoint Server 2007:         mosscrawl.mydomain.net
    Search Query running Office SharePoint Server 2007:            mossquery.mydomain.net
    SQL Server host running Office SharePoint Server 2007:         mosssql.mydomain.net
An NLB VIP is assigned to mossfe1.mydomain.net and mossfe2.mydomain.net as a result of configuring NLB on these systems. A set of DNS host names that point to this address is registered in your DNS system. For example, if your NLB VIP is 192.168.100.200, you have a set of DNS records that resolve the following DNS names to this IP address (192.168.100.200):

    kerbportal.mydomain.net
    kerbmysite.mydomain.net
    kerbsspadmin.mydomain.net
Accounts used in the example farm (name: purpose):

    mydomain\pscexec:        Local administrator account on all servers running Office SharePoint Server 2007 (but not on the host computer running SQL Server). Used for Office SharePoint Server 2007 setup and as the SharePoint Products and Technologies Configuration Wizard run-as user.
    mydomain\sqladmin:       Local administrator account on the SQL Server host computer.
    mydomain\mosssqlsvc:     SQL Server service account used to run the SQL Server service on the SQL host.
    mydomain\mossfarmadmin:  Office SharePoint Server 2007 farm administrator account. This is used as the application pool identity for Central Administration and as the service account for the SharePoint Timer Service.
    mydomain\portalpool:     Office SharePoint Server 2007 application pool identity for the portal site Web application.
    mydomain\mysitepool:     Office SharePoint Server 2007 application pool identity for the My Site Web application.
    mydomain\sspadminpool:   Office SharePoint Server 2007 application pool identity for the Shared Services Administration Web site.
    mydomain\sspsvc:         Office SharePoint Server 2007 SSP service account.
    mydomain\wsssearch:      Windows SharePoint Services 3.0 search service account.
    mydomain\wsscrawl:       Windows SharePoint Services 3.0 search content access account.
    mydomain\mosssearch:     Office SharePoint Server 2007 search service account.
    mydomain\mosscrawl
The following list contains examples of SPNs for a default instance of SQL Server running on a computer named mosssql and listening on port 1433:

    MSSQLSvc/mosssql:1433
    MSSQLSvc/mosssql.mydomain.com:1433

These are the SPNs that you will create for the instance of SQL Server on the SQL host that will be used by the farm described in this section. You should always create SPNs that have both a NetBIOS name and a full DNS name for a host on your network. There are different methods that you can use to set an SPN for an account in an Active Directory domain. One method is to use the SETSPN.EXE utility that is part of the resource kit tools for Windows Server 2003. Another method is to use the ADSIEDIT.MSC snap-in on your Active Directory domain controller. This section addresses using the ADSIEDIT.MSC snap-in.

There are two core steps for configuring Kerberos authentication for SQL Server:

- Create SPNs for your SQL Server service account.
- Confirm Kerberos authentication is used to connect servers running Office SharePoint Server 2007 to servers running SQL Server.
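The following Python model is an added example, not part of this guide: it works through the SPN rule explained in the Additional background section (a client must construct an SPN that exactly matches one registered in Active Directory, and the .NET Framework never adds a port number) together with the SQL Server SPNs just listed. It computes the SPNs to register for a service on a given port, the SPN each kind of client will ask for, whether Kerberos can succeed, and whether any SPN is registered to more than one account. Host and account names come from this section; the SPN registry itself and the Central Administration port (9999) are constructed values, and the registry does not claim to be the complete set an actual farm needs.

```python
"""SPN construction and matching for the example farm.  Added example for this
guide (not Microsoft's tooling); CA_PORT and the REGISTRY contents are constructed."""

DEFAULT_HTTP_PORTS = {80, 443}


def spn(service, host, port=None):
    """Format an SPN as service/host or service/host:port."""
    return f"{service}/{host}:{port}" if port is not None else f"{service}/{host}"


def spns_to_register(service, hosts, port, omit_default_port=True):
    """SPNs that should exist in AD for a service listening on `port`, one per
    name in `hosts` (register both the NetBIOS name and the DNS name).  HTTP
    SPNs carry the port only on non-default ports; SQL SPNs always carry it."""
    keep_port = port is not None and not (omit_default_port and port in DEFAULT_HTTP_PORTS)
    return {spn(service, h, port if keep_port else None) for h in hosts}


def client_spn(service, host, port, client_adds_port):
    """SPN a client constructs when it connects to host:port.  Internet Explorer
    adds a non-default port only when directed to; the .NET Framework never does."""
    if client_adds_port and port not in DEFAULT_HTTP_PORTS:
        return spn(service, host, port)
    return spn(service, host)


def duplicate_spns(registered):
    """SPNs registered to more than one account (registered: account -> set of SPNs)."""
    owners = {}
    for account, spns in registered.items():
        for s in spns:
            owners.setdefault(s, []).append(account)
    return {s: accts for s, accts in owners.items() if len(accts) > 1}


def kerberos_ok(registered, requested):
    """Kerberos can succeed only if the requested SPN is registered to exactly
    one account: a missing SPN and a duplicate SPN both fail."""
    return sum(requested in spns for spns in registered.values()) == 1


CA_PORT = 9999  # constructed: the non-default port Central Administration is bound to

# Constructed registry for the farm in this section: account -> SPNs.
REGISTRY = {
    r"mydomain\mosssqlsvc": spns_to_register(
        "MSSQLSvc", ["mosssql", "mosssql.mydomain.com"], 1433, omit_default_port=False),
    r"mydomain\mossfarmadmin": spns_to_register(
        "HTTP", ["mossadmin", "mossadmin.mydomain.net"], CA_PORT),
    r"mydomain\portalpool": spns_to_register(
        "HTTP", ["kerbportal", "kerbportal.mydomain.net"], 80),
    r"mydomain\mysitepool": spns_to_register(
        "HTTP", ["kerbmysite", "kerbmysite.mydomain.net"], 80),
}

if __name__ == "__main__":
    for client, adds_port in (("Internet Explorer (ports enabled)", True), (".NET Framework", False)):
        for host, port in (("mossadmin.mydomain.net", CA_PORT), ("kerbportal.mydomain.net", 80)):
            req = client_spn("HTTP", host, port, adds_port)
            print(f"{client:34} {req:40} {'OK' if kerberos_ok(REGISTRY, req) else 'FAIL'}")
    print("duplicates:", duplicate_spns(REGISTRY))
```

Run as a script it prints which client/site combinations can authenticate: the port-bound Central Administration site works for a browser that adds the port and fails for the .NET Framework, while the host-header sites on port 80 work for both, which is the design this section follows.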
Confirm Kerberos authentication is used to connect servers running Office SharePoint Server 2007 to SQL Server
Install the SQL Client Tools on one of your servers running Office SharePoint Server 2007, and use the tools to connect from your server running Office SharePoint Server 2007 to those running SQL Server. This section does not address the steps for installing the SQL Client Tools on one of your servers running Office SharePoint Server 2007. The confirmation procedures are based on the following assumptions:

- You are using SQL Server 2005 SP2 on your SQL host.
- You have logged on to one of your servers running Office SharePoint Server 2007, using the account mydomain\pscexec, and have installed the SQL 2005 Client Tools on the server running Office SharePoint Server 2007.
1. Run the SQL Server 2005 Management Studio.
2. When the Connect to Server dialog box appears, type the name of the SQL host computer (in this example, the SQL host computer is mosssql), and click Connect to connect to the SQL host computer.
3. To confirm that Kerberos authentication was used for this connection, run the event viewer on the SQL host computer and examine the Security event log. You should see a Success Audit record for a Logon/Logoff category event that is similar to the data shown in the following tables:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/31/2007
Time: 4:12:24 PM
User: MYDOMAIN\pscexec
Computer: MOSSSQL
Description: An example of a successful network logon is depicted in the following table.

User Name: pscexec
Domain: MYDOMAIN
Logon ID: (0x0,0x6F1AC9)
Logon Type: 3
Logon Process: Kerberos
Workstation Name:
Logon GUID: {36d6fbe0-2cb8-916c-4fee-4b02b0d3f0fb}
Caller User Name:
Caller Domain:
Caller Logon ID:
Caller Process ID:
Transited Services:
Source Network Address: 192.168.100.100
Source Port: 2465

Examine the log entry to confirm that:
1. The user name is correct. The mydomain\pscexec account logged on over the network to the SQL host.
2. The logon type is 3. A type 3 logon is a network logon.
3. The logon process and authentication package both use Kerberos authentication. This confirms that your server running Office SharePoint Server 2007 is using Kerberos authentication to communicate with the SQL host.
4. The Source Network Address matches the IP address of the computer from which the connection was made.
If your connection to the SQL host fails with an error message similar to Cannot generate SSPI context, it is likely that there is an issue with the SPN being used for your instance of SQL Server. To troubleshoot and correct this, please refer to the article How to troubleshoot the "Cannot generate SSPI context" error message (http://go.microsoft.com/fwlink/?LinkId=76621) from the Microsoft Knowledge Base.
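The four checks above (and the same checks the later log records in this section call for) can be applied mechanically to the text of a 540 record. The following Python is an added example, not part of this guide; the first event text is constructed from the values in the preceding table, and the NTLM variant is constructed to show what a fallback logon looks like when the SPN is missing or on the wrong account.

```python
"""Check a Security log event 540 record for the Kerberos indicators the
guide tells you to look for: correct user and domain, network logon (type 3),
Kerberos logon process and authentication package, expected source address.

Added example; the event texts below are constructed from the table above."""
import re

# Constructed from the successful network logon shown in the preceding table.
KERBEROS_EVENT = """\
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/31/2007
Time: 4:12:24 PM
User: MYDOMAIN\\pscexec
Computer: MOSSSQL
Description:
Successful Network Logon:
  User Name: pscexec
  Domain: MYDOMAIN
  Logon ID: (0x0,0x6F1AC9)
  Logon Type: 3
  Logon Process: Kerberos
  Authentication Package: Kerberos
  Workstation Name:
  Logon GUID: {36d6fbe0-2cb8-916c-4fee-4b02b0d3f0fb}
  Source Network Address: 192.168.100.100
  Source Port: 2465
"""

# Constructed variant (not on the page): the same client falling back to NTLM,
# which is what the log shows when the SPN is missing or on the wrong account.
NTLM_EVENT = (KERBEROS_EVENT
              .replace("Logon Process: Kerberos", "Logon Process: NtLmSsp")
              .replace("Authentication Package: Kerberos",
                       "Authentication Package: NTLM")
              .replace("Workstation Name:", "Workstation Name: MOSSFE1"))

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_event(text):
    """Return the 'Field: value' pairs of a 540 record as a dict
    (a field that appears twice keeps its last value)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_kerberos_logon(text, expected_user, expected_domain, expected_source):
    """Return a list of problems; an empty list means the record shows the
    Kerberos network logon the guide expects."""
    f = parse_event(text)
    problems = []
    if f.get("Event ID") != "540":
        problems.append(f"event ID {f.get('Event ID')!r} is not a successful network logon (540)")
    if f.get("User Name", "").lower() != expected_user.lower():
        problems.append(f"user name {f.get('User Name')!r} is not {expected_user}")
    if f.get("Domain", "").upper() != expected_domain.upper():
        problems.append(f"domain {f.get('Domain')!r} is not {expected_domain}")
    if f.get("Logon Type") != "3":
        problems.append(f"logon type {f.get('Logon Type')!r} is not a network logon (3)")
    if f.get("Logon Process", "").lower() != "kerberos":
        problems.append(f"logon process {f.get('Logon Process')!r} is not Kerberos")
    # The SQL Server table on the page omits this column: absence is unknown, not failure.
    pkg = f.get("Authentication Package")
    if pkg is not None and pkg.lower() != "kerberos":
        problems.append(f"authentication package {pkg!r} is not Kerberos")
    if f.get("Source Network Address") != expected_source:
        problems.append(f"source address {f.get('Source Network Address')!r} is not {expected_source}")
    return problems


if __name__ == "__main__":
    for name, text in (("Kerberos", KERBEROS_EVENT), ("NTLM", NTLM_EVENT)):
        problems = check_kerberos_logon(text, "pscexec", "MYDOMAIN", "192.168.100.100")
        print(name, "OK" if not problems else problems)
```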
SPNs that it constructs, because the SPN that you add to your Active Directory for the Central Administration Web application will contain a port number.
Create Service Principal Names for your Web applications using Kerberos authentication
As far as Kerberos authentication is concerned, there is nothing special about IIS-based Office SharePoint Server 2007 Web applications; Kerberos authentication treats them as just another IIS Web site. This process requires knowledge of the following items:
- The Service Class for the SPN (in the context of this section, for Office SharePoint Server 2007 Web applications, this is always HTTP).
- The URL for all of your Office SharePoint Server 2007 Web applications using Kerberos authentication.
- The host name portion of the SPN (either real or virtual; this section addresses both).
- The port number portion of the SPN (in the scenario described in this section, both IIS port-based and IIS host-header-based Office SharePoint Server 2007 Web applications are used).
- The Windows Active Directory accounts for which your SPNs must be created.
The following table lists the information for the scenario described in this section:
URL | Active Directory account | SPN
http://mossadmin.mydomain.net:10000 | mossfarmadmin | HTTP/mossadmin.mydomain.net:10000, HTTP/mossadmin:10000
http://kerbportal.mydomain.net | portalpool | HTTP/kerbportal.mydomain.net, HTTP/kerbportal
http://kerbmysite.mydomain.net | mysitepool | HTTP/kerbmysite.mydomain.net, HTTP/kerbmysite
http://kerbsspadmin.mydomain.net | sspadminpool | HTTP/kerbsspadmin.mydomain.net, HTTP/kerbsspadmin
The first URL listed above is for Central Administration, and uses a port number. You don't have to use port 10000. This is just an example used for consistency throughout this section. The next three URLs are for the portal site, My Site, and Shared Services Administration site, respectively.
Use the guidance provided above to create the SPNs you need in Active Directory to support Kerberos authentication for your Office SharePoint Server 2007 Web applications. You need to log on to a domain controller in your environment using an account that has domain administrative permissions. To create the SPNs, you can use either the SETSPN.EXE utility mentioned previously, or you can use the ADSIEDIT.MSC snap-in mentioned previously. If using the ADSIEDIT.MSC snap-in, please refer to the instructions provided earlier in this section for creating the SPNs. Be sure to create the correct SPNs for the correct accounts in Active Directory.
5. Create Web applications that are used for the portal site, My Site, and the Shared Services Administration site using Kerberos authentication.
6. Create a site collection using the Collaboration Portal template in the portal site Web application.
7. Create a Shared Services Provider for your farm.
8. Confirm successful access to the Web applications using Kerberos authentication.
9. Confirm correct Search Indexing functionality.
10. Confirm correct Search Query functionality.
11. Configure your SSP infrastructure for Kerberos authentication. This is an optional step that requires the installation of the Infrastructure Update for Microsoft Office Servers.
12. Confirm SSP functionality using Kerberos authentication. This is an optional step that requires the installation of the Infrastructure Update for Microsoft Office Servers.
Run the SharePoint Products and Technologies Configuration Wizard and create a new farm
For the scenario described in this section, run the SharePoint Products and Technologies Configuration Wizard from the MOSSADMIN Search Indexing server first, so that MOSSADMIN hosts the Office SharePoint Server 2007 Central Administration Web application. On the server named MOSSCRAWL, when setup completes, a Setup Complete dialog box appears with a check box selected to run the SharePoint Products and Technologies Configuration Wizard. Leave this check box selected and close the setup dialog box to run the SharePoint Products and Technologies Configuration Wizard. When running the SharePoint Products and Technologies Configuration Wizard on this computer, direct the Wizard to create a new farm using the following settings:
- Provide the database server name (in this section, it is the server named MOSSSQL).
- Provide a configuration database name (you can use the default, or stipulate a name of your choice).
- Provide the database access (farm administrator) account information. Using the scenario in this section, that account is mydomain\mossfarmadmin.
- Provide the information required for the Office SharePoint Server 2007 Central Administration Web application. Using the scenario in this section, that information is:
  Central Administration Web application port number: 10000
  Authentication Method: Negotiate
When you have provided all the required information, the SharePoint Products and Technologies Configuration Wizard should finish successfully. If it completes successfully, confirm that you can access the Office SharePoint Server 2007 Central Administration Web application home page using Kerberos authentication. To do this, perform the following steps:
1. Log on to a different server running Office SharePoint Server 2007 or another computer in the domain mydomain as mydomain\pscexec. You should not verify correct Kerberos authentication behavior directly on the computer hosting the Office SharePoint Server 2007 Central Administration Web application. This should be done from a separate computer in the domain.
2. Start Internet Explorer on this server and attempt to go to the following URL: http://mossadmin.mydomain.net:10000. The home page of Central Administration should render.
3. To confirm that Kerberos authentication was used to access Central Administration, go back to the computer named MOSSADMIN and run the event viewer and look in the security log. You should see a Success Audit record that looks similar to the following table:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 11/1/2007
Time: 2:22:20 PM
User: MYDOMAIN\pscexec
Computer: MOSSADMIN
Description: An example of a successful network logon is depicted in the following table.

User Name: pscexec
Domain: MYDOMAIN
Logon ID: (0x0,0x1D339D3)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {fad7cb69-21f8-171b-851b-3e0dbf1bdc79}
Caller User Name:
Caller Domain:
Caller Logon ID:
Caller Process ID:
Transited Services:
Source Network Address: 192.168.100.100
Source Port: 2505

Examination of this log record shows the same type of information as in the previous log entry:
- Confirm that the user name is correct; it is the mydomain\pscexec account that logged on over the network to the server running Office SharePoint Server 2007 that is hosting Central Administration.
- Confirm that the logon type is 3; a logon type 3 is a network logon.
- Confirm that the logon process and authentication package both use Kerberos authentication. This confirms that Kerberos authentication is being used to access your Central Administration Web application.
- Confirm that the Source Network Address matches the IP address of the computer from which the connection was made.
If the Central Administration home page fails to render and instead an unauthorized error message is displayed, Kerberos authentication is failing. There are usually only two causes for this failure:
- The SPN in Active Directory was not registered for the correct account. It should have been registered for mydomain\mossfarmadmin.
- The SPN in Active Directory does not match the SPN being constructed by Internet Explorer or is otherwise invalid. The most common cause of this is that Internet Explorer is not constructing an SPN containing the correct port number. See the previous section titled Configure Internet Explorer to include port numbers in Service Principal Names to correct this problem. You also might have omitted the port number from the SPN that you registered in Active Directory.
Either way, ensure that this is corrected and that Central Administration is working, using Kerberos authentication, before proceeding.
Note: A diagnostic aid you could use to see what is going on over the network is a network sniffer, such as Microsoft Network Monitor, to take a trace during browsing to Central Administration. After the failure, examine the trace and look for KerberosV5 Protocol packets. Find a packet with an SPN constructed by Internet Explorer. If that SPN does not contain a port number, you need to apply the fix described in the section titled Configure Internet Explorer to include port numbers in Service Principal Names. If the SPN in the trace looks correct, either the SPN in Active Directory is invalid, or it has been registered for the wrong account.
Run the SharePoint Products and Technologies Configuration Wizard and join the other servers to the farm
Now that your farm has been created and you can successfully access Central Administration using Kerberos authentication, you need to run the SharePoint Products and Technologies Configuration Wizard and join the other servers to the farm. On each of the other four servers running Office SharePoint Server 2007 (mossfe1, mossfe2, mossquery, and mosscrawl), Office SharePoint Server 2007 installation should have completed, and the setup completion dialog box should appear with the SharePoint Products and Technologies Configuration Wizard check box selected. Leave this check box selected and close the setup completion dialog box to run the SharePoint Products and Technologies Configuration Wizard. Perform the procedure to join each of these servers to the farm. Upon completion of the SharePoint Products and Technologies Configuration Wizard on each server you add to the farm, verify that each of these servers can render Central Administration, which is running on the server MOSSADMIN. If any of these servers fail to render Central Administration, take the appropriate steps to solve the problem before you proceed.
Index server
On the Services on Server page in Central Administration:
1. Select the server MOSSCRAWL.
2. In the list of services that appears close to the middle of the page, locate the Office SharePoint Server 2007 Search service, and then click Start in the Action column. On the subsequent page, check the Use this server for indexing content check box and then provide the credentials for the Office SharePoint Server 2007 search service account. In the scenario in this section, the Office SharePoint Server 2007 search service account is mydomain\mosssearch. Type the account names and passwords in the appropriate locations on the page, and then click Start.
Query server
On the Services on Server page in Central Administration:
1. Select the server MOSSQUERY.
2. In the list of services that appears close to the middle of the page, locate the Office SharePoint Server 2007 Search service, and then click the service name in the Service column. On the subsequent page, check the Use this server for serving search queries check box and click OK.
4. Make sure Negotiate is selected as the authentication provider for this Web application.
5. Create this Web application in the Default zone. Do not modify the zone for this Web application.
6. Make sure Create new application pool is selected. In the Application Pool Name field, type PortalAppPool. Make sure Configurable is selected. In the User name field, type the account mydomain\portalpool.
7. Click OK.
8. Confirm that the Web application is successfully created.
Note: If you want to use an SSL connection and bind the Web application to port 443, type 443 in the Port field and select Use SSL on the Create New Web Application page. In addition, you must install an SSL wildcard certificate. When using an IIS host header binding on an IIS Web site configured for SSL, you must use an SSL wildcard certificate. For more information about SSL host headers in IIS, see Configuring SSL Host Headers (IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=111285&clcid=0x409).
4. Make sure Negotiate is selected as the authentication provider for this Web application.
5. Create this Web application in the Default zone. Do not modify the zone for this Web application.
6. Make sure Create new application pool is selected. In the Application Pool Name field, type MySiteAppPool. Make sure Configurable is selected. In the User name field, type the account mydomain\mysitepool.
7. Click OK.
8. Confirm that the Web application is successfully created.
Note: If you want to use an SSL connection and bind the Web application to port 443, type 443 in the Port field and select Use SSL on the Create New Web Application page. In addition, you must install an SSL wildcard certificate. When using an IIS host header binding on an IIS Web site configured for SSL, you must use an SSL wildcard certificate. For more information about SSL host headers in IIS, see Configuring SSL Host Headers (IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=111285&clcid=0x409).
3. On the subsequent page, make sure Create a new IIS Web site is selected. In the Description field, type SSPAdminSite. In the Port field, type 80. In the Host Header field, type kerbsspadminsite.mydomain.net.
4. Make sure Negotiate is selected as the authentication provider for this Web application.
5. Create this Web application in the Default zone. Do not modify the zone for this Web application.
6. Make sure Create new application pool is selected. In the Application pool name field, type SSPAdminSiteAppPool. Make sure Configurable is selected. In the User name field, type the account mydomain\sspadminpool.
7. Click OK.
8. Confirm that the Web application is successfully created.
Note: If you want to use an SSL connection and bind the Web application to port 443, type 443 in the Port field and select Use SSL on the Create New Web Application page. In addition, you must install an SSL wildcard certificate. When using an IIS host header binding on an IIS Web site configured for SSL, you must use an SSL wildcard certificate. For more information about SSL host headers in IIS, see Configuring SSL Host Headers (IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=111285&clcid=0x409).
Create a site collection using the Collaboration Portal template in the portal site Web application
In this section, you create a site collection on the portal site in the Web application that you created for this purpose.
Note: This section does not provide an in-depth description of the user interface. Only high-level instructions are provided. You should be familiar with Central Administration and how to perform the required steps before you proceed.
1. On the Application Management page in Central Administration, click Create site collection.
2. On the subsequent page, make sure you select the correct Web application. For the example in this section, select http://kerbportal.mydomain.net.
3. Provide the title and description you want to use for this site collection.
4. Leave the Web site address unchanged.
5. In the Template Selection section under Select a Template, click the Publishing tab and select the Collaboration Portal template.
6. In the Primary Site Collection Administrator section, type mydomain\pscexec.
7. Specify the Secondary Site Collection Administrator you want to use.
8. Click OK.
9. Confirm that the portal site collection is successfully created.
To confirm that Kerberos authentication was used to access the portal site, go to one of the load balanced front-end Web servers and run the event viewer and look in the security log. You should see a Success Audit record, similar to the following table, on one of the front-end Web servers. Note that you may have to look on both front-end Web servers before you find this, depending on which system handled the load-balanced request.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 11/1/2007
Time: 5:08:20 PM
User: MYDOMAIN\pscexec
Computer: mossfe1
Description: An example of a successful network logon is depicted in the following table.

User Name: pscexec
Domain: MYDOMAIN
Logon ID: (0x0,0x1D339D3)
Logon Type: 3
Logon Process: Kerberos
Workstation Name:
Logon GUID: {fad7cb69-21f8-171b-851b-3e0dbf1bdc79}
Caller User Name:
Caller Domain:
Caller Logon ID:
Caller Process ID:
Transited Services:
Source Network Address: 192.168.100.100
Source Port: 2505

Examination of this log record shows the same type of information as in the previous log entry:
- Confirm that the user name is correct; it is the mydomain\pscexec account that logged on over the network to the front-end Web server running Office SharePoint Server 2007 that is hosting the portal site.
- Confirm that the logon type is 3; a logon type 3 is a network logon.
- Confirm that the logon process and authentication package both use Kerberos authentication. This confirms that Kerberos authentication is being used to access your portal site.
- Confirm that the Source Network Address matches the IP address of the computer from which the connection was made.
If the home page of the portal site fails to render, and displays an unauthorized error message, then Kerberos authentication is failing. There are usually only a couple of causes for this:
- The SPN in Active Directory was not registered for the correct account. It should have been registered for mydomain\portalpool, for the Web application of the portal site.
- The SPN in Active Directory does not match the SPN being constructed by Internet Explorer or is invalid for another reason. In this case, because you are using IIS host headers without explicit port numbers, the SPN registered in Active Directory differs from the IIS host header specified when you extended the Web application. You need to correct this to get Kerberos authentication working.
Note: A diagnostic aid you could use to see what is going on over the network is a network sniffer such as Microsoft Network Monitor to take a trace during browsing to Central Administration. After the failure, examine the trace and look for KerberosV5 Protocol packets. You should find a packet with an SPN constructed by Internet Explorer. If that SPN does not contain a port number, then you need to apply the fix described in the section Configure Internet Explorer to include port numbers in Service Principal Names. If the SPN in the trace looks correct, then either the SPN in Active Directory is invalid or the SPN has been registered for the wrong account.
After you have Kerberos authentication working for your portal site, go to your Kerberos-authenticated My Site and the Shared Services Administration site using the following URLs:
http://kerbmysite.mydomain.net
http://kerbsspadmin.mydomain.net/ssp/admin
Note: The first time you access the My Site URL, it will take some time for Office SharePoint Server 2007 to create a My Site for the logged-on user. However, it should succeed, and the My Site page for that user should render.
These should both work correctly. If they don't, refer to the preceding troubleshooting steps.
the configuration of the Office SharePoint Server 2007 Search service settings at the Services on Server level in Office SharePoint Server 2007 Central Administration. The virtual-directory-level Search shared service corresponds to a specific SSP in your farm, and is used when configuring Search settings specific to that SSP on the Shared Services Administration site. When performing the steps to verify Kerberos authentication for root-level shared services access, you will not see the generation or use of the new-format SPNs. You will only see the new-format SPNs when accessing the virtual-directory-level Web service; however, you need to verify that access to the shared service works at both levels.
Register new custom-format SPNs for your SSP service account in Active Directory
In this section, the SSP service account is mydomain\sspsvc, and the name of the SSP you created is SSP1. The SSP infrastructure exists on all servers in the farm; therefore, SPNs that refer to all servers running Office SharePoint Server 2007 must be created. Because the SSP infrastructure is bound to TCP port 56737 and SSL port 56738, you need SPNs that include both port numbers. Because of this, two SPNs are required for each application server. For the examples used in this section, you need to create 10 SPNs. Perform the following procedure to create the SPNs for your SSP infrastructure:
1. Log on to your Active Directory domain controller using the credentials of a user that has domain administrative permissions.
2. In the Run dialog box, type ADSIEDIT.MSC.
3. In the Management Console dialog box, expand the domain container folder.
4. Expand the container folder containing user accounts, for example CN=Users.
5. Locate the container for the SSP service account, for example CN=sspsvc.
6. Right-click the SSP service account, and then click Properties.
7. Scroll down the list of properties in the SSP Service account dialog box until you find servicePrincipalName.
8. Select the servicePrincipalName property and click Edit.
9. In the Value to Add field, in the Multi-Valued String Editor dialog box, add the following SPNs:
MSSP/mossfe1:56737/SSP1
MSSP/mossfe1:56738/SSP1
MSSP/mossfe2:56737/SSP1
MSSP/mossfe2:56738/SSP1
MSSP/mossadmin:56737/SSP1
MSSP/mossadmin:56738/SSP1
MSSP/mosscrawl:56737/SSP1
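The SPN sets this section asks you to register (the MSSQLSvc SPNs for the SQL host, the HTTP SPNs in the Web application table, and the MSSP SPNs for every farm server and SSP port) all follow fixed rules, so the expected set can be computed and compared with what is actually on each account. The following Python is an added example, not part of this guide or of SETSPN/ADSIEDIT; the SQL service account name mydomain\sqlsvc and the REGISTERED snapshot are constructed, and the duplicate-SPN check is an addition beyond the two failure causes the guide names.

```python
"""Compute the SPNs this scenario requires and compare them with what is
registered on each Active Directory account.

Added example, not from the guide. REGISTERED is constructed to stand in for
the servicePrincipalName attribute of each account (what 'setspn -L <account>'
or ADSIEDIT would show); the SQL service account name is hypothetical."""
from itertools import product
from urllib.parse import urlsplit

# The five farm servers named in this section (MOSSADMIN plus the four joined later).
FARM_SERVERS = ["mossfe1", "mossfe2", "mossadmin", "mosscrawl", "mossquery"]


def http_spns(url):
    """HTTP SPNs for an IIS Web application: one with the DNS name and one
    with the NetBIOS name. The port is kept only when the URL carries one,
    as the Central Administration URL does (host-header sites use none)."""
    parts = urlsplit(url)
    suffix = f":{parts.port}" if parts.port is not None else ""
    netbios = parts.hostname.split(".")[0]
    return {f"HTTP/{parts.hostname}{suffix}", f"HTTP/{netbios}{suffix}"}


def sql_spns(netbios, fqdn, port=1433):
    """MSSQLSvc SPNs for a SQL Server instance listening on the given port."""
    return {f"MSSQLSvc/{netbios}:{port}", f"MSSQLSvc/{fqdn}:{port}"}


def ssp_spns(servers, ssp_name, ports=(56737, 56738)):
    """Custom-format MSSP SPNs: one per farm server and per SSP port."""
    return {f"MSSP/{s}:{p}/{ssp_name}" for s, p in product(servers, ports)}


def expected_spns():
    """Account -> SPNs this scenario needs, following the guide's rules."""
    return {
        r"mydomain\mossfarmadmin": http_spns("http://mossadmin.mydomain.net:10000"),
        r"mydomain\portalpool": http_spns("http://kerbportal.mydomain.net"),
        r"mydomain\mysitepool": http_spns("http://kerbmysite.mydomain.net"),
        r"mydomain\sspadminpool": http_spns("http://kerbsspadmin.mydomain.net"),
        r"mydomain\sqlsvc": sql_spns("mosssql", "mosssql.mydomain.com"),  # hypothetical account name
        r"mydomain\sspsvc": ssp_spns(FARM_SERVERS, "SSP1"),
    }


def strip_port(spn):
    """HTTP/host:port -> HTTP/host; other service classes are returned unchanged."""
    service, _, rest = spn.partition("/")
    if service.upper() == "HTTP":
        rest = rest.split(":", 1)[0]
    return f"{service}/{rest}"


def check_spns(expected, registered):
    """Compare expected with registered SPNs and classify each gap the way the
    guide's troubleshooting does: wrong account, port omitted, or missing.
    An SPN present on two accounts is also reported, since the KDC cannot pick one."""
    owners = {}
    for account, spns in registered.items():
        for spn in spns:
            owners.setdefault(spn, set()).add(account)
    findings = [f"duplicate: {spn} is registered on {sorted(accts)}"
                for spn, accts in sorted(owners.items()) if len(accts) > 1]
    for account, spns in expected.items():
        have = registered.get(account, set())
        for spn in sorted(spns):
            if spn in have:
                continue
            elsewhere = owners.get(spn, set()) - {account}
            if elsewhere:
                findings.append(f"wrong account: {spn} is on {sorted(elsewhere)[0]}, expected {account}")
            elif spn != strip_port(spn) and strip_port(spn) in have:
                findings.append(f"port omitted: {account} has {strip_port(spn)} instead of {spn}")
            else:
                findings.append(f"missing: {spn} for {account}")
    return findings


# Constructed snapshot carrying two of the faults the guide describes: the Central
# Administration SPN registered without its port, and the SSP admin site's SPNs
# placed on the portal pool account instead of on sspadminpool.
REGISTERED = {
    r"mydomain\mossfarmadmin": {"HTTP/mossadmin.mydomain.net", "HTTP/mossadmin:10000"},
    r"mydomain\portalpool": {"HTTP/kerbportal.mydomain.net", "HTTP/kerbportal",
                             "HTTP/kerbsspadmin.mydomain.net", "HTTP/kerbsspadmin"},
    r"mydomain\mysitepool": {"HTTP/kerbmysite.mydomain.net", "HTTP/kerbmysite"},
    r"mydomain\sspadminpool": set(),
    r"mydomain\sqlsvc": sql_spns("mosssql", "mosssql.mydomain.com"),
    r"mydomain\sspsvc": ssp_spns(FARM_SERVERS, "SSP1"),
}

if __name__ == "__main__":
    for line in check_spns(expected_spns(), REGISTERED):
        print(line)
```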
Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos authentication
To configure your SSP infrastructure to use Kerberos authentication, perform the following procedure:
1. Log on to your Active Directory domain controller using the credentials of a user that has domain administrative permissions.
2. On one of your servers running Office SharePoint Server 2007, open a command prompt.
3. Change to the following directory: %COMMONPROGRAMFILES%\microsoft shared\web server extensions\12\bin.
4. Type the following command: stsadm -o setsharedwebserviceauthn -negotiate, and then press ENTER.
Ensure that this command runs successfully before proceeding. When you have completed this procedure, the command applies to all of the SSPs that you create in your farm, including SSPs that you create after you have successfully run this command.
Add a new registry key to all of your servers running Office SharePoint Server to enable generation of the new custom-format SPNs
The generation of the new, custom-format SPNs is controlled through the setting of a new registry key introduced with the Infrastructure Update for Microsoft Office Servers. To enable the generation of the new, custom-format SPNs, this registry key must be added to all servers in the farm, and all servers must be restarted. Perform the following steps to enable the new behavior. On each server in the farm:
1. Log on as a local administrator.
2. Run the Registry Editor, and add the following new registry key:
HKLM\Software\Microsoft\Office Server\12.0\KerberosSpnFormat (REG_DWORD) = 1
3. Restart the server. It is important to be aware that you must restart the server for the new registry key to take effect.
Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
An example of a successful network logon is depicted in the following table.

User Name: pscexec
Domain: MYDOMAIN
Logon ID: (0x0,0x7252B10)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {a96a9450-3af5-d82e-3bb3-8cd65c8e5c49}
Caller User Name:
Caller Domain:
Caller Logon ID:
Caller Process ID:
Transited Services:
Source Network Address: 192.168.100.100
Source Port: 1964

Important: Repeat this procedure for your Search Indexing server to confirm that the page renders and that there is a security event viewer log record indicating that the Kerberos authentication package was used for accessing the page.
4. Start a Network Monitor sniff.
5. On the Shared Services Administration site home page, click Search Settings.
6. Confirm that the Search Settings page is displayed.
7. Stop the sniff and examine captured packets. You should see Kerberos protocol packets with descriptions that are similar to those shown in the following example:
The Sname value in the preceding example (MSSP/mosscrawl:56738/SSP1) is the new-format SPN being generated and sent to the Kerberos KDC as a result of the changes included in the Infrastructure Update for Microsoft Office Servers.
Log on to your index server (in the example in this section, the index server is MOSSCRAWL). Run the event viewer and examine the security log. You should see an entry that is similar to the data shown in the following table:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 5/6/2008
Time: 1:21:04 PM
User: MYDOMAIN\sspadminpool
Computer: MOSSCRAWL
Description: An example of a successful network logon is depicted in the following table.

User Name: sspadminpool
Domain: MOSSCRAWL
Logon ID: (0x0,0xD84A6)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {2f1cccb3-c10d-27e5-9896-0f918e8ad796}
Caller User Name:
Caller Domain:
Caller Logon ID:
Caller Process ID:
Transited Services:
Source Network Address: 192.168.150.100
Source Port: 1513
Configuration limitations
There are a few configuration limitations with respect to utilizing Kerberos authentication for the SSP infrastructure using the Infrastructure Update for Microsoft Office Servers:
- The host name portion of the new-format SPNs that are created will be the NetBIOS name of the host running the service, for example: MSSP/kerbtest4:56738/SSP1. This is because the host names are fetched from the Office SharePoint Server 2007 configuration database, and only NetBIOS computer names are stored in the Office SharePoint Server 2007 configuration database. This might be ambiguous in certain scenarios. Currently, the Stsadm command-line tool to rename a server running Office SharePoint Server 2007 cannot be successfully used to rename a server running Office SharePoint Server 2007, so there is no workaround for this issue.
- Do not use SSP names containing extended characters. An SPN with an SSP name containing extended characters cannot be selected as the target for delegation. Therefore, avoid using extended characters in your SSP names.
Product/technology | Resource
 | Event ID 10017 error messages are logged in the System log after you install Windows SharePoint Services 3.0 (http://go.microsoft.com/fwlink/?LinkId=120456&clcid=0x409)
SQL Server | How to make sure that you are using Kerberos authentication when you create a remote connection to an instance of SQL Server 2005 (http://go.microsoft.com/fwlink/?LinkId=85942&clcid=0x409)
SQL Server | How to troubleshoot the "Cannot generate SSPI context" error message (http://go.microsoft.com/fwlink/?LinkId=82932&clcid=0x409)
SQL Server | How to configure SQL Server 2005 Analysis Services to use Kerberos authentication (http://go.microsoft.com/fwlink/?LinkId=120459&clcid=0x409)
.NET Framework | AuthenticationManager.CustomTargetNameDictionary Property (http://go.microsoft.com/fwlink/?LinkId=120460&clcid=0x409)
 | Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port in Windows XP and in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=99681&clcid=0x409)
 | Error message in Internet Explorer when you try to access a Web site that requires Kerberos authentication on a Windows XP-based computer: "HTTP Error 401 Unauthorized: Access is denied due to invalid credentials" (http://go.microsoft.com/fwlink/?LinkId=120462&clcid=0x409)
Kerberos authentication | Kerberos Authentication Technical Reference (http://go.microsoft.com/fwlink/?LinkId=78646&clcid=0x409)
Kerberos authentication | Troubleshooting Kerberos Errors (http://go.microsoft.com/fwlink/?LinkId=93730&clcid=0x409)
Kerberos authentication | Kerberos Protocol Transition and Constrained Delegation (http://go.microsoft.com/fwlink/?LinkId=100941&clcid=0x409)
IIS | Configuring SSL Host Headers (IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=120463&clcid=0x409)
About the author Mark Grossbard is a Test Engineer, MOSS Core Test, for Office SharePoint Server at Microsoft.
SSP administrators for the search service can view a search usage reports page that tracks the following information:
- Number of queries per day over the previous 30 days.
- Number of queries per month over the previous 12 months.
- Top queries over the previous 30 days.
- Top site collections originating queries over the previous 30 days.
Site collection administrators for the SSP site can view a usage summary page that tracks the following information:
- Total amount of storage used by the site collection.
- Percent of storage space used by Web Discussions.
- Maximum storage space allowed.
- Number of users for all sites in the hierarchy.
- Total hits and recent bandwidth usage across all sites.
Site collection administrators can also view a site usage report that includes monthly and daily page hit totals filtered by the following criteria:
- Page
- User
- Operating system
- Browser
- Referrer URL
Usage reporting is very useful for managing complex site hierarchies with many sites, a large number of page hits, and a large number of search queries, and it is recommended that the service be enabled for deployments of complex site hierarchies. For less complex deployments, usage reporting might not be necessary. It is also possible to disable the service temporarily to conserve resources when those resources are needed for other processes.
Enable access for end users
After you have created your site, you can add users and grant them access to the site. This section helps you add users to a site collection.
d. In the Host Header box, type the URL you wish to use to access the Web application. This is an optional field. e. In the Path box, type the path to the site directory on the server. If you are creating a new Web site, this field is populated with a suggested path. If you are using an existing Web site, this field is populated with the current path. 6. In the Security Configuration section, configure authentication and encryption for your Web application.
a. In the Authentication Provider section, choose either Negotiate (Kerberos) or NTLM. Negotiate (Kerberos) works only if a service principal name (SPN) for the Web application's host name is registered on the application pool account in Active Directory; without it, clients cannot obtain a Kerberos ticket for the site.
b. In the Allow Anonymous section, choose Yes or No. If you choose to allow anonymous access, this enables anonymous access to the Web site using the computer-specific anonymous access account (that is, IUSR_<computername>).
c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you choose to enable SSL for the Web site, you must configure SSL by requesting and installing an SSL certificate.
7. In the Load Balanced URL section, type the URL for the domain name for all sites that users will access in this Web application. This URL domain will be used in all links shown on pages within the Web application. By default, the box is populated with the current server name and port. The Zone box is automatically set to Default for a new Web application, and cannot be changed from this page. To change the zone for a Web application, see Extend an existing Web application later in this section.
8. In the Application Pool section, choose whether to use an existing application pool or create a new application pool for this Web application. To use an existing application pool, select Use existing application pool. Then select the application pool you wish to use from the drop-down menu.
a. To create a new application pool, select Create a new application pool.
b. In the Application pool name box, type the name of the new application pool, or keep the default name.
c. In the Select a security account for this application pool section, select Predefined to use an existing application pool security account, and then select the security account from the drop-down menu.
d. Select Configurable to use an account that is not currently being used as a security account for an existing application pool. In the User name box, type the user name of the account you wish to use, and type the password for the account into the Password box.
9. In the Reset Internet Information Services section, choose whether to allow Windows SharePoint Services to restart IIS on other farm servers. The local server must be restarted manually for the process to finish. If this option is not selected and you have more than one server in the farm, you must wait until the IIS Web site is created on all servers and then run iisreset /noforce on each Web server. The new IIS site is not usable until that action is completed. The choices are unavailable if your farm only contains a single server.
10. Under Database Name and Authentication, choose the database server, database name, and authentication method for your new Web application.
Item: Database Server
Action: Type the name of the database server and SQL Server instance you want to use in the format <SERVERNAME\instance>. You may also use the default entry.
Item: Database Name
Action: Type the name of the database, or use the default entry.
Item: Database Authentication
Action: Choose whether to use Windows authentication (recommended) or SQL authentication. If you want to use Windows authentication, leave this option selected. If you want to use SQL authentication, select SQL authentication. In the Account box, type the name of the account you want the Web application to use to authenticate to the SQL Server database, and then type the password in the Password box.
11. Click OK to create the new Web application, or click Cancel to cancel the process and return to the Application Management page.
5. On the Extend Web Application to Another IIS Web Site page, in the Web Application section, click the Web application link and then click Change Web application.
6. On the Select Web Application page, click the Web application you want to extend.
7. On the Extend Web Application to Another IIS Web Site page, in the IIS Web Site section, you can select Use an existing IIS Web site to use a Web site that has already been created, or you can choose to leave Create a new IIS Web site selected. The Description, Port, and Path boxes are populated for either choice. You can choose to use the default entries or type the information you want into the boxes.
8. In the Security Configuration section, configure authentication and encryption for the extended Web application.
a. In the Authentication Provider section, choose either Negotiate (Kerberos) or NTLM.
b. In the Allow Anonymous section, choose Yes or No. If you choose to allow anonymous access, this enables anonymous access to the Web site using the computer-specific anonymous access account (that is, IUSR_<computername>).
c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you choose to enable SSL for the Web site, you must configure SSL by requesting and installing an SSL certificate.
9. Under Load Balanced URL, type the URL for the domain name for all sites that users will access in this Web application. This URL domain will be used in all links shown on pages within the Web application. By default, the text box is populated with the current server name and port.
10. In the Load Balanced URL section, under Zone, select the zone for the extended Web application from the drop-down menu. You can choose Intranet, Internet, Custom, or Extranet.
11. Click OK to extend the Web application, or click Cancel to cancel the process and return to the Application Management page.
For information about how to perform this procedure using the Stsadm command-line tool, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).
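The following script is an added example (not part of this guide and not Microsoft's own code) that performs the Security Configuration choices from the two procedures above from the command line: it creates the Web application with stsadm -o extendvs, keeping Negotiate (Kerberos) and no anonymous access, registers the SPN the Kerberos choice depends on, and then reads the IIS settings back through the object model to confirm them. The host name, accounts, database names and application pool name are assumptions for illustration; the SSL certificate must still be requested and bound in IIS as the procedure states.

```powershell
# Added example, not from the deployment guide. All names below are assumed.
$url        = "https://portal.contoso.com"      # assumed load-balanced URL
$appPoolAcc = "CONTOSO\svc-sp-portal"            # assumed application pool account
$appPoolPwd = Read-Host "Password for $appPoolAcc"

# Omitting -exclusivelyusentlm keeps Negotiate (Kerberos) selected.
# Omitting -allowanonymous keeps anonymous access off.
# Omitting -databaseuser/-databasepassword keeps Windows authentication to SQL Server.
& stsadm -o extendvs `
    -url $url `
    -ownerlogin "CONTOSO\sp-owner" -owneremail "sp-owner@contoso.com" `
    -description "SharePoint - portal.contoso.com" `
    -sethostheader `
    -apidtype configurableid -apidname "SharePoint - portal" `
    -apidlogin $appPoolAcc -apidpwd $appPoolPwd `
    -databaseserver "SQL01\SP" -databasename "WSS_Content_Portal" `
    -donotcreatesite
if ($LASTEXITCODE -ne 0) { throw "extendvs failed with exit code $LASTEXITCODE" }

# Kerberos only works once an SPN for the host name exists on the app pool account.
# (Use setspn -A instead of -S on Windows Server 2003.)
& setspn -S HTTP/portal.contoso.com $appPoolAcc

# Verify the result through the Windows SharePoint Services object model.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup([Uri]$url)
$iis    = $webApp.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
"Kerberos disabled : $($iis.DisableKerberos)"   # False means Negotiate (Kerberos)
"Anonymous allowed : $($iis.AllowAnonymous)"    # False means anonymous access is off
"SSL bindings      : $($iis.SecureBindings.Count)"  # 0 until the certificate is bound in IIS
```

Run it from a farm server as a farm administrator. After the IIS site exists on every Web server, run iisreset /noforce on each of them as step 9 of the creation procedure requires; the verification lines at the end are the check to repeat after any later change to the zone's authentication settings.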
5. Click Save.
3. In the URL protocol, host and port box, type the initial URL. 4. Click Save.
A quota template consists of storage limit values that specify how much data can be stored in a site collection and the storage size that triggers an e-mail alert to the site collection administrator when that size is reached. You can create a quota template that can be applied to any site collection in the farm. Note: When you apply a quota template to a site collection, the storage limit applies to the site collection as a whole. In other words, the storage limit applies to the sum of the content sizes for the top-level site and all subsites within the site collection. You can also modify existing quota templates. When a quota template is modified, the new storage limits you defined in the template will apply to any new site collection you create that uses that quota template. However, existing site collections to which the quota template has been previously applied will not be automatically updated to reflect the new storage limits.
6. In the Storage Limit Values section, set the values you want to apply to the template.
a. If you want to restrict the amount of data that can be stored, click the Limit site storage to a maximum of check box and type the storage limit in megabytes into the text box.
b. If you want an e-mail to be sent to the site collection administrator when a certain storage threshold is reached, click the Send warning E-mail when site storage reaches check box and type the threshold in megabytes into the text box.
7. Click OK to create the new quota template, or click Cancel to cancel the operation and return to the Application Management page.
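The following script is an added example (not part of this guide and not Microsoft's own code) that creates the same quota template through the Windows SharePoint Services object model and then applies it to an existing site collection, which the note above explains does not happen automatically when a template changes. The template name, the limits and the site collection URL are assumptions.

```powershell
# Added example, not from the deployment guide. Template name, limits and URL are assumed.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$svc  = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$name = "Team Sites 2 GB"

# Central Administration takes megabytes; the object model stores bytes.
$tpl = $svc.QuotaTemplates[$name]
if ($tpl -eq $null) {
    $tpl = New-Object Microsoft.SharePoint.Administration.SPQuotaTemplate
    $tpl.Name                = $name
    $tpl.StorageMaximumLevel = 2048MB   # "Limit site storage to a maximum of"
    $tpl.StorageWarningLevel = 1800MB   # "Send warning E-mail when site storage reaches"
    $svc.QuotaTemplates.Add($tpl)
    $svc.Update()
    $tpl = $svc.QuotaTemplates[$name]
}

# The limit applies to the whole site collection (top-level site plus all subsites).
# Existing site collections keep their old limits until the template is re-applied.
$site = New-Object Microsoft.SharePoint.SPSite("https://portal.contoso.com/sites/sales")
try {
    $site.Quota = $tpl
    "{0}: {1} MB used, limit {2} MB, warning at {3} MB" -f $site.Url,
        [int]($site.Usage.Storage / 1MB),
        [int]($site.Quota.StorageMaximumLevel / 1MB),
        [int]($site.Quota.StorageWarningLevel / 1MB)
}
finally {
    $site.Dispose()
}
```

The warning level is set below the maximum so the site collection administrator receives the e-mail before uploads start failing; a warning level equal to the maximum gives no advance notice.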
10. Click OK. For information about how to perform this procedure by using the Stsadm command-line tool, see Createsite: Stsadm operation (http://technet.microsoft.com/enus/library/cc262594.aspx).
Template section, select a template in the Select a quota template list. 11. Click OK. For information about how to perform this procedure using the Stsadm command-line tool, see Createsite: Stsadm operation (http://technet.microsoft.com/enus/library/cc262594.aspx) and Addpath: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263161.aspx).
There are several methods that you can use to add content to sites, including:
Using Web site designers to design and add content.
Migrating content from another site.
Allowing users to add content directly.
Depending on your scenario, you may find particular methods more appropriate.
Use Web site designers to design and add content when you are working with:
A published intranet portal site.
A published Internet Web site.
Migrate content from another site when you are working with:
A published Internet site in which authors create content in the authoring site. After you migrate content, you use content deployment to deploy the content to the production site.
A site or set of sites that is being reorganized.
To migrate content, you can use the following tools:
The Content Migration object model to programmatically move content at any level in the site (Web site, list, library, folder, file, or list item). For more information about using the Content Migration object model, see "Content Migration Overview" in the Windows SharePoint Services 3.0 Software Development Kit (http://go.microsoft.com/fwlink/?LinkId=86999&clcid=0x409).
Microsoft Office SharePoint Designer 2007 to migrate individual lists or libraries to the appropriate place in the new site hierarchy. For more information about using Office SharePoint Designer 2007, see the following articles in the Office SharePoint Designer 2007 Help system: Export or import a Web package (http://go.microsoft.com/fwlink/?LinkId=87002&clcid=0x409) and Back up, restore, or move a SharePoint site (http://go.microsoft.com/fwlink/?LinkId=87003&clcid=0x409).
Allow users to add content directly when you are working with:
A collaboration site in which the site owner can create the lists and libraries that are needed, and then grant site members access so that they can begin contributing content.
A blog site in which the blog owner can set up the structure for the blog, and then start creating posts.
A wiki site in which the wiki site owner can grant access to users and the users can start creating topics in the wiki.
After you create your site collection and populate it with content, you are ready to grant access to end users. This section helps you configure administrative and user permissions for a site collection. Note that you can also configure permissions for the following securable objects within a site collection: site, list, library, folder, document, or item. For more information about assigning permissions for different securable objects within a site collection, see Plan site security (http://technet.microsoft.com/en-us/library/cc262778.aspx).
In Microsoft Office SharePoint Server 2007, you can enable access to the site collection by using different methods, based on the type of site collection. The following list describes some examples of these methods:
If this is a published site collection intended for an Internet audience, you can publish it to the blank site collection that you created as a destination by using the content deployment features. After you publish it, you can then configure the appropriate permissions for the new environment. For more information about publishing a site collection by using content deployment, see Plan content deployment (http://technet.microsoft.com/en-us/library/cc263428.aspx) and the Content Deployment topics in the Central Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx) system.
If this is a site collection in a development or pilot environment, you can migrate the site collection to your production environment by using import and export, and then configure the appropriate permissions for the new environment. For more information about using import and export, see Export: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262759.aspx) and Import: Stsadm operation (http://technet.microsoft.com/en-us/library/cc261866.aspx).
If this is a site collection intended to facilitate collaboration on the intranet, you can easily add the users and groups that need access to the site collection.
This section describes how to perform these actions.
In most cases, these actions are not performed by farm administrators, but by site collection administrators or site owners. Moreover, these steps are performed in the site collection itself, not in Central Administration. (However, you can add site collection administrators both by using Central Administration and by using the Site Settings page in the site collection.) Nonetheless, this information is presented in the Deployment Guide because it is truly the final stage of deployment: the stage when the site collection is made available to end users.
This section does not cover how to enable anonymous access. When you create a Web application, you decide whether to allow anonymous access for site collections on that Web application. For more information about anonymous access, see the following resources:
Overview: Plan environment-specific security (http://technet.microsoft.com/en-us/library/cc262974.aspx)
Plan authentication settings for Web applications in Office SharePoint Server (http://technet.microsoft.com/en-us/library/cc263304.aspx)
Choose which security groups to use (http://technet.microsoft.com/en-us/library/cc261972.aspx)
"Enable anonymous access" in the Central Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx) system
4. In either the Primary site collection administrator box or the Secondary site collection administrator box, enter the user name of the user to whom you want to assign that role.
5. Click OK.
recommend that you use groups as much as possible to efficiently manage site access. 7. Click OK. For more information about managing users and groups, see "Grant access to the portal site" in the Help system for Office SharePoint Server 2007.
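The following script is an added example (not part of this guide and not Microsoft's own code) that performs the two procedures above through the object model: it sets the primary and secondary site collection administrators and then, following the recommendation to use groups, grants an Active Directory security group access by adding it to the site's default Members group rather than adding individual accounts. It finishes by listing every account that holds site collection administrator rights, which is the check to repeat periodically. The site collection URL, the accounts and the domain group are assumptions.

```powershell
# Added example, not from the deployment guide. URL, accounts and group name are assumed.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl   = "https://portal.contoso.com/sites/sales"
$admins    = "CONTOSO\alice", "CONTOSO\bob"      # primary and secondary administrators
$adGroup   = "CONTOSO\sales-team"                # domain security group to grant access

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
try {
    $web = $site.RootWeb

    # Site collection administrators: EnsureUser adds the account to the site if
    # it is not there yet, then the IsSiteAdmin flag grants full control everywhere
    # in the site collection. Equivalent command line:
    #   stsadm -o siteowner -url $siteUrl -ownerlogin CONTOSO\alice -secondarylogin CONTOSO\bob
    foreach ($login in $admins) {
        $user = $web.EnsureUser($login)
        $user.IsSiteAdmin = $true
        $user.Update()
    }

    # Grant access through a SharePoint group, and put a domain group into it:
    # membership is then managed in Active Directory, not user by user in the site.
    $members = $web.AssociatedMemberGroup
    $members.AddUser($adGroup, "sales-team@contoso.com", "Sales Team", "AD security group")

    # Review: every site collection administrator, by login name.
    "Site collection administrators for " + $site.Url
    $web.SiteUsers | Where-Object { $_.IsSiteAdmin } | ForEach-Object { "  " + $_.LoginName }
}
finally {
    $site.Dispose()   # disposing the SPSite also releases RootWeb
}
```

Site collection administrators bypass every permission level inside the site collection, so keep that list to the two accounts the procedure asks for and grant routine access through groups, as recommended above.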