
Deployment for Office SharePoint Server 2007

Microsoft Corporation
Published: March 2009
Author: Microsoft Office System and Servers Team (o12ITdx@microsoft.com)

Abstract
This book provides deployment instructions for Microsoft Office SharePoint Server 2007. The audiences for this book include application specialists, line-of-business application specialists, and IT administrators who are ready to deploy Office SharePoint Server 2007 and want installation steps. Before using the instructions in this book, you should read Planning and architecture for Office SharePoint Server (http://technet.microsoft.com/en-us/library/cc261834.aspx) and plan your deployment. For a complete list of downloadable books for Office SharePoint Server 2007, see Downloadable books for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc262788.aspx). The content in this book is a copy of selected content in the Office SharePoint Server technical library (http://go.microsoft.com/fwlink/?LinkId=84739) as of the publication date. For the most current content, see the technical library on the Web.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. © 2009 Microsoft Corporation. All rights reserved.
Microsoft, Access, Active Directory, Excel, Groove, InfoPath, Internet Explorer, OneNote, Outlook, PowerPoint, SharePoint, SQL Server, Visio, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents
Getting Help ..... xv
Roadmap to Office SharePoint Server 2007 content ..... 1
Office SharePoint Server 2007 content by audience ..... 1
Office SharePoint Server 2007 IT professional content by stage of the IT life cycle ..... 2
Evaluate ..... 3
Plan ..... 3
Deploy ..... 5
Operate ..... 6
Security and Protection ..... 7
Technical Reference ..... 7
Deployment worksheets for Office SharePoint Server 2007 ..... 8
Deployment worksheets by task ..... 8
Deployment worksheets by title ..... 9
I. End-to-end deployment scenarios ..... 11
Chapter overview: End-to-end deployment scenarios ..... 12
Install Office SharePoint Server 2007 on a stand-alone computer ..... 14
Hardware and software requirements ..... 14
Configure the server as a Web server ..... 15
Install and configure IIS ..... 15
Install the Microsoft .NET Framework version 3.0 ..... 15
Enable ASP.NET 2.0 ..... 16
Install and configure Office SharePoint Server 2007 with Microsoft SQL Server 2005 Express Edition ..... 16
Post-installation steps ..... 18
Deploy in a simple server farm ..... 20
Deployment overview ..... 20
Suggested topologies ..... 21
Before you begin deployment ..... 21
Overview of the deployment process ..... 23
Deploy and configure the server infrastructure ..... 23
Security account requirements ..... 23
Prepare the database server ..... 24
Verify that servers meet hardware and software requirements ..... 26
Run Setup and build the farm ..... 28
Run Setup on the first server ..... 30
Run the SharePoint Products and Technologies Configuration Wizard ..... 31

Add the SharePoint Central Administration Web site to the list of trusted sites ..... 32
Configure proxy server settings to bypass the proxy server for local addresses ..... 33
Add servers to the farm ..... 33
Run the SharePoint Products and Technologies Configuration Wizard on additional servers ..... 35
Start the Windows SharePoint Services Search service (optional) ..... 35
Stop the Central Administration service on all index servers ..... 36
Disable the Windows SharePoint Services Web Application service on all servers not serving content ..... 36
Create and configure a Shared Services Provider ..... 37
Start the Office SharePoint Server Search service ..... 37
Create a Web application to host the SSP and create the SSP ..... 39
Perform additional configuration tasks ..... 40
Create a site collection and a SharePoint site ..... 41
Configure the trace log ..... 45
Deploy using DBA-created databases ..... 47
About deploying by using DBA-created databases ..... 47
Required database hardware and software ..... 48
Required accounts ..... 48
Create and configure the databases ..... 50
Deploy a simple farm on the Windows Server 2008 operating system ..... 57
Deployment overview ..... 57
Suggested topologies ..... 58
Before you begin deployment ..... 58
Overview of the deployment process ..... 59
Deploy and configure the server infrastructure ..... 60
Prepare the database server ..... 60
Verify that servers meet hardware and software requirements ..... 62
Run Setup on all servers in the farm ..... 63
Run the SharePoint Products and Technologies Configuration Wizard ..... 76
Run the SharePoint Products and Technologies Configuration Wizard on additional servers ..... 83
Start the Windows SharePoint Services Search Service ..... 83
Configure Windows Firewall with Advanced Security ..... 84
Perform additional configuration tasks ..... 86
Create a site collection and a SharePoint site ..... 88
Configure the trace log ..... 92
Configure Windows Server Backup ..... 93
Install Office SharePoint Server 2007 by using the command line ..... 95
Install software requirements ..... 95
Determine required accounts for installation ..... 96
Install Microsoft Office SharePoint Server 2007 by running Setup at a command prompt ..... 98

Configure the server by using the Psconfig command-line tool ..... 101
Configure SharePoint Server 2007 on a stand-alone server ..... 101
Configure SharePoint Server 2007 on a farm ..... 101
Perform additional configuration tasks ..... 103
Create a Shared Services Provider (SSP) by using the Stsadm command-line tool ..... 104
Create a site collection by using the Stsadm command-line tool ..... 106
Configure the trace log ..... 109
Install Office SharePoint Server 2007 with least privilege administration by using the command line ..... 110
Install software requirements ..... 111
Determine required accounts for least-privilege administration ..... 111
Install Microsoft Office SharePoint Server 2007 by using least-privilege administration ..... 114
Configure the server by using the Psconfig command-line tool ..... 116
Configure SharePoint Server 2007 on a stand-alone server ..... 116
Configure SharePoint Server 2007 on a farm ..... 117
Perform additional configuration tasks ..... 119
Create a Shared Services Provider by using the Stsadm command-line tool ..... 119
Create a site collection by using the Stsadm command-line tool ..... 122
Configure the trace log ..... 123
Migrate a stand-alone installation to a server farm installation ..... 125
Install SharePoint Portal Server 2007 on a new farm ..... 126
Prepare servers for installation ..... 126
Install SharePoint Server 2007 and configure the server by using the SharePoint Products and Technologies configuration wizard ..... 127
Migrate data from the stand-alone server ..... 127
Stsadm Command-Line Tool ..... 130
Create and attach data from the Shared Services Provider (SSP) ..... 131
Attach site collection data from content databases ..... 132
Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server 2008 ..... 134
Hardware and software requirements ..... 135
IIS 6.0 Management Compatibility role service ..... 135
Microsoft .NET Framework version 3.0 ..... 135
Perform installation steps ..... 136
Configure SharePoint Products and Technologies ..... 137
Perform post-installation steps ..... 139
Configure the trace log ..... 140
Configure Windows Server Backup ..... 141
II. Install Office SharePoint Server 2007 in a server farm environment ..... 143
Chapter overview: Install Office SharePoint Server 2007 in a server farm environment ..... 144

Suggested topologies ..... 144
Before you begin deployment ..... 145
Overview of the deployment process ..... 146
Phase 1: Deploy and configure the server infrastructure ..... 146
Phase 2: Create and configure a Shared Services Provider ..... 147
Phase 3: Deploy and configure SharePoint site collections and sites ..... 147
Prepare the database servers ..... 148
SQL Server and database collation ..... 148
Required accounts ..... 149
Preinstall databases (optional) ..... 149
Prepare the Web and application servers ..... 150
Install the Microsoft .NET Framework version 3.0 ..... 150
Enable ASP.NET 2.0 ..... 150
Install Office SharePoint Server 2007 and run the SharePoint Products and Technologies configuration wizard ..... 151
Recommended order of configuration ..... 151
Add servers to the farm ..... 153
Run Setup on the first server ..... 153
Run the SharePoint Products and Technologies Configuration Wizard ..... 154
Add the SharePoint Central Administration Web site to the list of trusted sites ..... 156
Configure proxy server settings to bypass the proxy server for local addresses ..... 156
Add servers to the farm ..... 156
Run the SharePoint Products and Technologies Configuration Wizard on additional servers ..... 158
Start the Windows SharePoint Services Search service (optional) ..... 159
Stop the Central Administration service on all index servers ..... 159
Disable the Windows SharePoint Services Web Application service on all servers not serving content ..... 160
Deploy language packs ..... 161
About language IDs and language packs ..... 162
Preparing your front-end Web servers for language packs ..... 163
Installing language packs on your front-end Web servers ..... 164
III. Create and configure Shared Services Providers ..... 167
Chapter overview: Create and configure Shared Services Providers ..... 168
Configure the primary Shared Services Provider ..... 169
Create the Shared Services Provider ..... 169
Create a new SSP ..... 171
Associate an SSP with a Web application ..... 172

Configure the Office SharePoint Server Search service ..... 173
Server-level configuration ..... 173
Install protocol handlers ..... 173
Install and register IFilters ..... 174
Farm-level configuration ..... 176
Create crawler impact rules ..... 176
Configure farm-level search settings ..... 177
Configure the trace log ..... 178
SSP-level configuration ..... 179
Open the administration page for the SSP ..... 179
Specify the default content access account ..... 179
Create content sources ..... 179
Create crawl rules ..... 181
Reorder your crawl rules ..... 182
Configure the file type inclusions list ..... 183
Crawl the content ..... 183
Create managed properties ..... 184
Create shared scopes ..... 185
Create scope rules ..... 186
Specify authoritative pages ..... 189
Create server name mappings ..... 190
Manage search-based alerts ..... 190
Site collection-level configuration ..... 191
Create scopes at the site collection level ..... 191
Create scope rules at the site collection level ..... 192
Manage display groups ..... 194
Create keywords and Best Bets ..... 196
A. Configure personalization ..... 198
Chapter overview: Configure personalization ..... 199
Configure personalization permissions ..... 199
Configure connections to personalization services ..... 199
Configure targeted content ..... 200
Configure personalization sites ..... 200
Configure policies for Profile Services ..... 200
Configure personalization permissions ..... 201
Configure SSP administrator permissions for Profile Services ..... 201
Configure access to the SSP pages ..... 202
Configure user permissions for personalization ..... 203
Configure access to trusted My Site host locations ..... 204
Configure connections to Profile Services ..... 206
Configure import settings ..... 206

Add import connections ..... 207
Configure user profiles ..... 211
Configure targeted content ..... 214
Create and configure audiences ..... 214
Configure published links to Office client applications ..... 216
Configure personalization site links ..... 216
Configure access to trusted My Site host locations ..... 217
Configure personalization sites ..... 219
Create personalization sites ..... 219
Design personalization sites ..... 220
Target personalization site links ..... 220
Configure policies for Profile Services ..... 222
Configure policies for personalization features ..... 222
Configure policies for user profiles ..... 223
B. Configure business intelligence features ..... 226
Chapter overview: Configure business intelligence features ..... 227
Configure access to business data ..... 227
Register line-of-business applications in the Business Data Catalog ..... 227
Customize business data lists, Web Parts, and sites ..... 228
Configure business data search ..... 228
Configure access to business data ..... 229
Configure SSP administrator rights for the Business Data Catalog ..... 229
Configure access to the SSP pages ..... 230
Configure application definitions and single sign-on for the Business Data Catalog ..... 231
Configure data warehousing ..... 232
Configure permissions for business data ..... 233
Register business applications in the Business Data Catalog ..... 235
Create application definitions ..... 235
Import application definitions ..... 236
Configure enterprise application definitions for single sign-on ..... 236
Configure business data types and fields ..... 238
Manage permissions for an application or entity ..... 238
Add business data actions for an entity ..... 239
Edit the profile page template ..... 240
Customize business data lists, Web Parts, and sites ..... 241
Create business data lists ..... 241
Create KPIs and KPI lists ..... 242
Create and configure reports in the Report Center site ..... 243

Create and configure dashboard sites ... 243
Create other business data sites ... 244
Configure business data search ... 246
Ensure availability of business data ... 246
Configure and crawl business data content sources ... 246
Configure and customize query options for business data ... 247
C. Configure Excel Services ... 249
Chapter overview: Configure Excel Services ... 250
About Excel Services configuration ... 250
Add a trusted file location ... 251
About trusted file locations ... 251
Add a trusted file location ... 251
Start the Single Sign-On service ... 253
About single sign-on authentication ... 253
Start the Single Sign-On service ... 253
Manage settings for single sign-on ... 254
About single sign-on settings ... 254
Manage single sign-on settings ... 254
Add a trusted data provider ... 255
About trusted data providers ... 255
Add a trusted data provider ... 255
Add a trusted data connection library ... 257
About trusted data connection libraries ... 257
Add a trusted data connection library ... 257
Enable user-defined functions ... 259
About user-defined functions ... 259
Enable user-defined functions ... 259
Enable user-defined functions for workbooks in a trusted file location ... 260
D. Configure InfoPath Forms Services ... 261
Configure InfoPath Forms Services for Office SharePoint Server ... 262
Configure InfoPath Forms Services using Central Administration ... 262
Configure session state for InfoPath Forms Services ... 265
Configure session state for Forms Services ... 265
Session state versus Form view ... 265
E. Configure Office Project Server ... 267

Deploy Project Server 2007 with Office SharePoint Server 2007 ... 268
IV. Perform additional configuration tasks ... 269
Chapter overview: Additional configuration tasks ... 270
Configure additional administrative settings ... 270
Configure incoming e-mail settings ... 272
Install and configure the SMTP service ... 273
Start the Windows SharePoint Services Web Application service ... 273
Install the SMTP service ... 273
Configure the SMTP service ... 274
Add an SMTP connector in Exchange Server ... 275
Configure Active Directory ... 275
Configure Active Directory under atypical circumstances ... 277
To delegate full control of the organizational unit to the Central Administration application pool account ... 277
To add the Delete Subtree permission for the Central Administration application pool account ... 278
Configure permissions to the e-mail drop folder ... 279
Configure e-mail drop folder permissions for the logon account for the Windows SharePoint Services Timer service ... 279
Configure e-mail drop folder permissions for the application pool account for a Web application ... 279
Configure DNS Manager ... 280
Configure attachments from Outlook 2003 ... 281
Configure incoming e-mail settings ... 281
Configuring incoming e-mail on SharePoint sites ... 283
Configure outgoing e-mail settings ... 284
Install and configure the SMTP service ... 284
Install the SMTP service ... 284
Configure the SMTP service ... 285
Configure outgoing e-mail settings ... 286
Configure outgoing e-mail settings for a specific Web application ... 287
Install and configure the SMTP service ... 287
Install the SMTP service ... 287
Configure the SMTP service ... 288
Configure outgoing e-mail settings ... 289
Configure workflow settings ... 290
Configuring workflow settings ... 290
Configure diagnostic logging settings ... 292
Customer Experience Improvement Program ... 292

Error reports ... 292
Event throttling ... 293
Configuring diagnostic logging settings ... 294
Configure single sign-on ... 296
Configure and start the Microsoft Single Sign-On service ... 296
Configure Single Sign-On for Office SharePoint Server 2007 ... 297
Manage the encryption key ... 299
Create a new encryption key ... 299
Back up an encryption key ... 300
Restore an encryption key ... 300
Manage enterprise application definitions ... 300
Manage account information for an enterprise application definition ... 301
Configure antivirus settings ... 303
Administrative credentials ... 303
Configure authentication ... 304
Office SharePoint Server authentication ... 304
Windows authentication provider ... 305
Forms authentication provider ... 308
Web single sign-on (SSO) authentication provider ... 308
Configure anonymous access ... 309
About anonymous access ... 309
Enable anonymous access for a zone ... 309
Enable anonymous access for individual sites ... 310
Enable anonymous access for individual lists ... 311
Configure digest authentication ... 312
About digest authentication ... 312
Enable digest authentication for a zone of a Web application ... 313
Configure IIS to enable digest authentication ... 313
Configure forms-based authentication ... 315
About forms-based authentication ... 315
Configure forms-based authentication across multiple zones ... 318
Configure forms-based authentication for My Sites Web applications ... 319
Configure the SSP for forms-based authentication ... 322
Configure user profiles and people search ... 324
Configure Web SSO authentication by using ADFS ... 326
About federated authentication systems ... 326
Before you begin ... 326
Configuring your extranet Web application to use Web SSO authentication ... 327
Allowing users access to your extranet Web site ... 329

About using Central Administration ... 331
Working with the People Picker ... 332
Working with E-mail and UPN claims ... 333
Working with groups and organizational group claims ... 333
Configure Kerberos authentication ... 336
About Kerberos authentication ... 336
Before you begin ... 337
Software version requirements ... 338
Known issues ... 338
Additional background ... 339
Server farm topology ... 340
Active Directory, computer naming, and NLB conventions ... 341
Active Directory domain account conventions ... 342
Preliminary configuration requirements ... 343
Configure Kerberos authentication for SQL communications ... 343
Create the SPNs for your SQL Server service account ... 344
Confirm Kerberos authentication is used to connect servers running Office SharePoint Server 2007 to SQL Server ... 344
Configure Internet Explorer to include port numbers in Service Principal Names ... 346
Create Service Principal Names for your Web applications using Kerberos authentication ... 347
Deploy the server farm ... 348
Install Office SharePoint Server 2007 on all of your servers ... 349
Run the SharePoint Products and Technologies Configuration Wizard and create a new farm ... 349
Run the SharePoint Products and Technologies Configuration Wizard and join the other servers to the farm ... 351
Configure services on servers in your farm ... 352
Windows SharePoint Services Search ... 352
Index server ... 352
Query server ... 353
Create Web applications using Kerberos authentication ... 353
Create the portal site Web application ... 353
Create the My Site Web application ... 354
Create the Shared Services Administration site Web application ... 354
Create a site collection using the Collaboration Portal template in the portal site Web application ... 355
Create a Shared Services Provider for your farm ... 356
Confirm successful access to the Web applications using Kerberos authentication ... 356
Confirm correct Search Indexing functionality ... 359
Confirm correct Search Query functionality ... 359
Configure your SSP infrastructure for Kerberos authentication ... 360
Register new custom-format SPNs for your SSP service account in Active Directory ... 361


Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos authentication ... 362
Add a new registry key to all of your servers running Office SharePoint Server to enable generation of the new custom-format SPNs ... 362
Confirm Kerberos authentication for root-level shared services access ... 363
Confirm Kerberos authentication for virtual-directory-level shared services access ... 364
Configuration limitations ... 366
Additional resources and troubleshooting guidance ... 366
Run the Best Practices Analyzer tool ... 368
Configure usage reporting ... 369
About usage reporting ... 369
Enable Windows SharePoint Services usage logging ... 370
Enable usage reporting ... 371
Activate usage reporting ... 371
Monitor usage reporting ... 372
V. Deploy and configure SharePoint sites ... 373
Chapter overview: Deploy and configure SharePoint sites ... 374
Create or extend Web applications ... 376
Create a new Web application ... 376
Extend an existing Web application ... 378
Configure alternate access mapping ... 380
Manage alternate access mappings ... 380
Add an internal URL ... 380
Edit or delete an internal URL ... 381
Edit public URLs ... 381
Map to an external resource ... 381
Create zones for Web applications ... 383
Create a new zone ... 383
View existing zones ... 383
Create quota templates ... 384
Create a new quota template ... 384
Edit an existing quota template ... 385
Delete a quota template ... 385
Create a site collection ... 386
Create a site collection ... 386
Create a blank site to migrate content into ... 388
Create a site collection ... 388

Add site content ... 390
Use Web site designers to design and add content ... 390
Migrate content from another site ... 391
Allow users to add content directly ... 391
Enable access for end users ... 392
Add site collection administrators ... 393
Add site owners or other users ... 394


Getting Help
Every effort has been made to ensure the accuracy of this book. This content is also available online in the Office System TechNet Library, so if you run into problems you can check for updates at:
http://technet.microsoft.com/office

If you do not find your answer in our online content, you can send an e-mail message to the Microsoft Office System and Servers content team at:
o12ITdx@microsoft.com

If your question is about Microsoft Office products, and not about the content of this book, please search the Microsoft Help and Support Center or the Microsoft Knowledge Base at:
http://support.microsoft.com


Roadmap to Office SharePoint Server 2007 content


In this section:
Office SharePoint Server 2007 content by audience
Office SharePoint Server 2007 IT professional content by stage of the IT life cycle

Office SharePoint Server 2007 content by audience


Each audience for Microsoft Office SharePoint Server 2007 can go to a specific Web site for content that is tailored for that audience. The following table lists the audiences and provides links to the content for each audience.

Information Workers (content available on Office Online):
Home page - a central portal for Information Worker resources (http://go.microsoft.com/fwlink/?LinkId=89166&clcid=0x409)
Help and How To - an index for Information Worker content (http://go.microsoft.com/fwlink/?LinkId=89167&clcid=0x409)

IT Professionals (content available on TechNet):
TechCenter - a central portal for IT professional resources (http://go.microsoft.com/fwlink/?LinkID=80125&clcid=0x409)
Technical Library - an index for IT professional content (http://go.microsoft.com/fwlink/?LinkId=89168&clcid=0x409)
Newly published content - an article that lists new or updated content in the Technical Library (http://go.microsoft.com/fwlink/?LinkId=89171&clcid=0x409)
Downloadable books - an article that lists the books available for download (http://go.microsoft.com/fwlink/?LinkId=89172&clcid=0x409)

Developers (content available on MSDN):
Developer Portal - a central portal for developer resources (http://go.microsoft.com/fwlink/?LinkID=88846&clcid=0x409)
MSDN Library - an index for developer content (http://go.microsoft.com/fwlink/?LinkID=88847&clcid=0x409)

Additionally, there is information for all users of SharePoint Products and Technologies at the community and blog sites listed in the following table.
Community content and blogs

SharePoint Products and Technologies community portal - a central place for community information (blogs, newsgroups, and so on) about SharePoint Products and Technologies (http://go.microsoft.com/fwlink/?LinkId=88915&clcid=0x409)
SharePoint Products and Technologies team blog - a group blog from the teams who develop the SharePoint Products and Technologies (http://go.microsoft.com/fwlink/?LinkId=88916&clcid=0x409)
Support Center for Microsoft Office SharePoint Server 2007 - a central place for issues and solutions from Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkId=89555&clcid=0x409)

Office SharePoint Server 2007 IT professional content by stage of the IT life cycle
IT Professional content for Office SharePoint Server 2007 follows the IT life cycle and includes content appropriate for each stage in that cycle (evaluate, plan, deploy, and operate), plus technical reference content. The following sections describe each stage in the IT life cycle and list the content available to assist IT professionals during that stage. The most up-to-date content is always available on the TechNet Web site. We also offer downloadable books that cover each stage in the IT life cycle, plus books that cover all stages of the life cycle for a specific solution. For an updated list of all downloadable books available for Office SharePoint Server 2007, see Downloadable books for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=89172&clcid=0x409).

Evaluate
During the evaluation stage, IT professionals (including decision makers, solution architects, and system architects) focus on understanding a new technology and evaluate how it can help them address their business needs. The following table lists resources that are available to help you evaluate Office SharePoint Server 2007.
Content | Description | Links
Online content | Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content. | Product evaluation for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89180&clcid=0x409)
Evaluation Guide | Provides overview, what's new, and conceptual information for understanding Office SharePoint Server 2007. | Evaluation guide for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=83060&clcid=0x409)
Evaluation Guide for Search | Provides overview, what's new, and conceptual information for understanding how searching works in Office SharePoint Server 2007. | Evaluation guide for search in Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=79614&clcid=0x409)

Plan
During the planning stage, IT professionals have different needs depending on their role within an organization. If you are focused on designing a solution, including determining the structure, capabilities, and information architecture for a site, you might want information that helps you to determine which capabilities of Office SharePoint Server 2007 you want to take advantage of, and that helps you to plan for those capabilities and to tailor the solution to your organization's needs. On the other hand, if you are focused on the hardware and network environment for your solution, you might want information that helps you to structure the server topology, plan authentication methods, and understand system requirements for Office SharePoint Server 2007. We have planning content, including worksheets, to address both of these needs. The following table lists resources that are available to help you plan for using Office SharePoint Server 2007.
Content | Description | Links
Online content | Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content. | Planning and architecture for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89404&clcid=0x409)
Planning Guide, Part 1 | Provides in-depth planning information for application administrators designing a solution based on Office SharePoint Server 2007. | Planning and architecture for Office SharePoint Server, part 1 (http://go.microsoft.com/fwlink/?LinkID=79552)
Planning Guide, Part 2 | Provides in-depth planning information for IT professionals designing the environment to host a solution based on Office SharePoint Server 2007. | Planning and architecture for Office SharePoint Server, part 2 (http://go.microsoft.com/fwlink/?LinkID=85548)

Deploy
During the deployment stage, you configure your environment, install Office SharePoint Server 2007, and then start creating SharePoint sites. Depending on your environment and your solution, you may have several configuration steps to perform for your servers, for your Shared Services Providers, and for your sites. Additionally, you may have templates, features, or other custom elements to deploy into your environment. The process of upgrading from a previous version product, such as Microsoft Office SharePoint Portal Server 2003, Microsoft Content Management Server 2002, or Windows SharePoint Services, is also part of the deployment stage of the IT life cycle, and we have content that addresses planning for upgrade, performing the upgrade, and performing post-upgrade steps. The following table lists resources that are available to help you deploy or upgrade to Office SharePoint Server 2007.
Content | Description | Links
Online content | Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content. | Deployment for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=76139&clcid=0x409)
Deployment Guide | Provides in-depth deployment information for Office SharePoint Server 2007. | Deployment for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=79589)
Upgrade Guide | Provides overview and in-depth information for upgrading from a previous version product to Office SharePoint Server 2007. | Upgrading to Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=85556)
Migration and Upgrade for SharePoint Developers | Provides cross-audience (IT and developer) information for migration and upgrade from a previous version product to Office SharePoint Server 2007. | Migration and Upgrade Information for SharePoint Developers (http://go.microsoft.com/fwlink/?LinkId=89129&clcid=0x409)

Operate
After deployment, in which you install and configure your environment, you move to the operations stage. During this stage, you are focused on the day-to-day monitoring, maintenance and tuning of your environment. The following table lists resources that are available to help with day-to-day operations for Office SharePoint Server 2007.
Content | Description | Links
Online content | Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content. | Operations for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89407&clcid=0x409)

Security and Protection


Because security and protection are concerns during all phases of the IT life cycle, appropriate content for security and protection is included in the content for each life cycle stage. However, an aggregate view of this content is provided in a Security and Protection section of the documentation. The following table lists resources that are available to help you understand security and protection for Office SharePoint Server 2007.
Content: Online content
Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.
Links: Security and protection for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89408&clcid=0x409)

Technical Reference
Technical reference information supports the content for each of the IT life cycle stages by providing the technical information you need to work with Office SharePoint Server 2007. For example, the Technical Reference content has information about how permissions work, how to perform operations from the command line, and how to use Setup.exe from the command line. The following table lists resources that are available to help you use Office SharePoint Server 2007.
Content: Online content
Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.
Links: Technical Reference for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89445&clcid=0x409)

Deployment worksheets for Office SharePoint Server 2007


In this section:

- Deployment worksheets by task
- Deployment worksheets by title

This section provides links to worksheets that you can use to record information that you gather and decisions that you make as you perform your deployment of Microsoft Office SharePoint Server 2007. Use these worksheets in conjunction with, not as a substitute for, Deployment for Office SharePoint Server 2007.

Deployment worksheets by task


For this task: Chapter overview: Create and configure Shared Services Providers

For this task: Deploy and configure SharePoint sites

For this task: Upgrading to Office SharePoint Server 2007
Use this worksheet: Custom templates and mapping files worksheet (http://go.microsoft.com/fwlink/?LinkId=73751&clcid=0x409)
To do this: Record which custom site definitions and page templates need mapping files, and record file names and paths for mapping files.

For this task: Upgrading to Office SharePoint Server 2007
Use this worksheet: Estimate database space and time for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73752&clcid=0x409)
To do this: Record current database sizes and estimate how much space you need for upgrade.

For this task: Upgrading to Office SharePoint Server 2007
Use this worksheet: Supported topologies for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73753&clcid=0x409)
To do this: Record current topologies and any changes needed before upgrade.

For this task: Upgrading to Office SharePoint Server 2007
Use this worksheet: Upgrade server requirements worksheet (http://go.microsoft.com/fwlink/?LinkId=73754&clcid=0x409)
To do this: List servers in the farm, hardware capacities, and identify requirements before upgrading.

Deployment worksheets by title


Use this worksheet: Custom templates and mapping files worksheet (http://go.microsoft.com/fwlink/?LinkId=73751&clcid=0x409)
For this task: Upgrading to Office SharePoint Server 2007
To do this: Record which custom site definitions and page templates need mapping files, and record file names and paths for mapping files.

Use this worksheet: Estimate database space and time for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73752&clcid=0x409)
For this task: Upgrading to Office SharePoint Server 2007
To do this: Record current database sizes and estimate how much space you need for upgrade.

Use this worksheet: Supported topologies for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73753&clcid=0x409)
For this task: Upgrading to Office SharePoint Server 2007
To do this: Record current topologies and any changes needed before upgrade.

Use this worksheet: Upgrade server requirements worksheet (http://go.microsoft.com/fwlink/?LinkId=73754&clcid=0x409)
For this task: Upgrading to Office SharePoint Server 2007
To do this: List servers in the farm, hardware capacities, and identify requirements before upgrading.


I. End-to-end deployment scenarios



Chapter overview: End-to-end deployment scenarios


This chapter provides information and directions for deploying Microsoft Office SharePoint Server 2007 as an end-to-end solution, whether on a single computer or on a simple server farm. This chapter does not discuss more complex deployments. For information about deploying Office SharePoint Server 2007 in a large server farm, see Deploy in a simple server farm.

The articles in this chapter include:

- Install Office SharePoint Server 2007 on a stand-alone computer discusses how to install Office SharePoint Server 2007 on a single-server computer running the Windows Server 2003 operating system. A stand-alone configuration is useful if you want to evaluate Office SharePoint Server 2007 features and capabilities, such as collaboration, document management, and search. A stand-alone configuration is also useful if you are deploying a small number of Web sites and you want to minimize administrative overhead.
- Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server 2008 discusses how to install Office SharePoint Server 2007 on a single-server computer running the Windows Server 2008 operating system. A stand-alone configuration is useful if you want to evaluate Office SharePoint Server 2007 features and capabilities, such as collaboration, document management, and search. A stand-alone configuration is also useful if you are deploying a small number of Web sites and you want to minimize administrative overhead.
- Deploy in a simple server farm discusses how to do a clean installation of Office SharePoint Server 2007 in a server farm environment on the Windows Server 2003 operating system. You can deploy in a server farm environment if you are hosting a large number of sites, if you want the best possible performance, or if you want the scalability of a multi-tier topology. A server farm consists of one or more servers dedicated to running the Office SharePoint Server 2007 applications.
- Deploy a simple farm on the Windows Server 2008 operating system discusses how to do a clean installation of Office SharePoint Server 2007 in a server farm environment on the Windows Server 2008 operating system. You can deploy in a server farm environment if you are hosting a large number of sites, if you want the best possible performance, or if you want the scalability of a multi-tier topology. A server farm consists of one or more servers dedicated to running the Office SharePoint Server 2007 applications.
- Deploy using DBA-created databases discusses how to deploy Office SharePoint Server 2007 in an environment in which database administrators (DBAs) create and manage databases. This section discusses how DBAs can create these databases and how farm administrators configure them. The deployment includes all the required databases, one portal site, a Shared Services Administration Web site, My Sites, and one Shared Services Provider (SSP).
- Install Office SharePoint Server 2007 by using the command line discusses how to use the command-line tools Setup.exe, Psconfig.exe, and Config.xml to install and configure Office SharePoint Server 2007 from the command prompt window.
- Install Office SharePoint Server 2007 with least privilege administration by using the command line discusses how to install Office SharePoint Server 2007 from the command prompt window while granting the user the least privileges necessary.
- Migrate a stand-alone installation to a server farm installation discusses the process for moving from a stand-alone installation to a server farm installation. This process consists of creating a new server farm, and then migrating the data from your stand-alone server to the new farm.


Install Office SharePoint Server 2007 on a stand-alone computer


In this section:

- Hardware and software requirements
- Configure the server as a Web server
- Install and configure Office SharePoint Server 2007 with Microsoft SQL Server 2005 Express Edition
- Post-installation steps

Important: This section discusses how to install Microsoft Office SharePoint Server 2007 on a single computer as a stand-alone installation. It does not cover installing Office SharePoint Server 2007 in a farm environment, upgrading from previous releases of Office SharePoint Server 2007, or how to upgrade from SharePoint Portal Server 2003. For information about how to do this, see the following:

- Deploy in a simple server farm
- Upgrading to Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc303420.aspx)

You can quickly publish a SharePoint site by deploying Office SharePoint Server 2007 on a single server computer. A stand-alone configuration is useful if you want to evaluate Office SharePoint Server 2007 features and capabilities, such as collaboration, document management, and search. A stand-alone configuration is also useful if you are deploying a small number of Web sites and you want to minimize administrative overhead.

When you deploy Office SharePoint Server 2007 on a single server using the default settings, the Setup program automatically installs Microsoft SQL Server 2005 Express Edition and uses it to create the configuration database and content database for your SharePoint sites. In addition, the Setup program creates a Shared Services Provider (SSP), installs the SharePoint Central Administration Web site, and creates your first SharePoint site collection and site.

Note: There is no direct upgrade from a stand-alone installation to a farm installation.

Hardware and software requirements


Before you install and configure Office SharePoint Server 2007, be sure that your servers have the required hardware and software. For more information about these requirements, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).

Configure the server as a Web server


Before you install and configure Office SharePoint Server 2007, you must install and configure the required software. This includes installing and configuring Internet Information Services (IIS) so your computer acts as a Web server, installing the Microsoft .NET Framework version 3.0, and enabling ASP.NET 2.0.

Install and configure IIS


Internet Information Services (IIS) is not installed or enabled by default in the Microsoft Windows Server 2003 operating system. To make your server a Web server, you must install and enable IIS, and you must ensure that IIS is running in IIS 6.0 worker process isolation mode.

Install and configure IIS

1. Click Start, point to All Programs, point to Administrative Tools, and then click Configure Your Server Wizard.
2. On the Welcome to the Configure Your Server Wizard page, click Next.
3. On the Preliminary Steps page, click Next.
4. On the Server Role page, click Application server (IIS, ASP.NET), and then click Next.
5. On the Application Server Options page, click Next.
6. On the Summary of Selections page, click Next.
7. Click Finish.
8. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
9. In the IIS Manager tree, click the plus sign (+) next to the server name, right-click the Web Sites folder, and then click Properties.
10. In the Web Sites Properties dialog box, click the Service tab.
11. In the Isolation mode section, clear the Run WWW service in IIS 5.0 isolation mode check box, and then click OK.

Note: The Run WWW in IIS 5.0 isolation mode check box is only selected if you have upgraded to IIS 6.0 on Windows Server 2003 from IIS 5.0 on Microsoft Windows 2000. New installations of IIS 6.0 use IIS 6.0 worker process isolation mode by default.

Install the Microsoft .NET Framework version 3.0


Go to the Microsoft Download Center Web site (http://go.microsoft.com/fwlink/?LinkID=72322&clcid=0x409), and on the Microsoft .NET Framework 3.0 Redistributable Package page, follow the instructions for downloading and installing the .NET Framework version 3.0. There are separate downloads for x86-based computers and x64-based computers. Be sure to download and install the appropriate version for your computer. The .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features.

Note: You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=110508).

Enable ASP.NET 2.0


ASP.NET 2.0 is required for proper functioning of Web content, the Central Administration Web Site, and many other features and functions of Office SharePoint Server 2007.

Enable ASP.NET 2.0

1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the Internet Information Services tree, click the plus sign (+) next to the server name, and then click the Web Service Extensions folder.
3. In the details pane, right-click ASP.NET v2.0.50727, and then click Allow.

Install and configure Office SharePoint Server 2007 with Microsoft SQL Server 2005 Express Edition
When you install Office SharePoint Server 2007 on a single server, run the Setup program using the Basic option. This option uses the Setup program's default parameters to install Office SharePoint Server 2007 and SQL Server 2005 Express Edition.

Note: If you uninstall Office SharePoint Server 2007 and then later install Office SharePoint Server 2007 on the same computer, the Setup program could fail when creating the configuration database, causing the entire installation process to fail. You can prevent this failure by either deleting all the existing Office SharePoint Server 2007 databases on the computer or by creating a new configuration database. You can create a new configuration database by running the following command:

psconfig -cmd configdb -create -database <uniquename>

Run Setup

1. From the product disc, run Setup.exe, or from the product download, run Officeserver.exe.
2. On the Enter your Product Key page, enter your product key, and then click Continue.

Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup places a red circle next to the text box and displays a message that the key is incorrect.

3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Basic to install to the default location. To install to a different location, click Advanced, and then on the File Location tab, specify the location you want to install to and finish the installation.
5. When Setup finishes, a dialog box prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
6. Click Close to start the configuration wizard.

Run the SharePoint Products and Technologies Configuration Wizard

1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. In the dialog box that notifies you that some services might need to be restarted or reset during configuration, click Yes.
3. On the Configuration Successful page, click Finish. Your new SharePoint site opens.

Note: If you are prompted for your user name and password, you might need to add the SharePoint site to the list of trusted sites and configure user authentication settings in Internet Explorer. Instructions for configuring these settings are provided in the following procedure.

Note: If you see a proxy server error message, you might need to configure your proxy server settings so that local addresses bypass the proxy server. Instructions for configuring proxy server settings are provided later in this section.

Add the SharePoint site to the list of trusted sites

1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted Sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL to your site, and then click Add.
5. Click Close to close the Trusted Sites dialog box.
6. Click OK to close the Internet Options dialog box.

If you are using a proxy server in your organization, use the following steps to configure Internet Explorer to bypass the proxy server for local addresses.

Configure proxy server settings to bypass the proxy server for local addresses

1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.

Post-installation steps
After Setup finishes, your browser window opens to the home page of your new SharePoint site. Although you can start adding content to the site or you can start customizing the site, we recommend that you perform the following administrative tasks by using the SharePoint Central Administration Web site.

Configure incoming e-mail settings

You can configure incoming e-mail settings so that SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-mail settings so that SharePoint sites can archive e-mail discussions as they happen, save e-mailed documents, and show e-mailed meetings on site calendars. In addition, you can configure the SharePoint Directory Management Service to provide support for e-mail distribution list creation and management. For more information, see Configure incoming e-mail settings.

Configure outgoing e-mail settings

You can configure outgoing e-mail settings so that your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and notifications to site administrators. You can configure both the "From" e-mail address and the "Reply" e-mail address that appear in outgoing alerts. For more information, see Configure outgoing e-mail settings.

Create SharePoint sites

When Setup finishes, you have a single Web application that contains a single SharePoint site collection that hosts a SharePoint site. You can create more SharePoint site collections, sites, and Web applications if your site design requires multiple sites or multiple Web applications.

Configure Workflow settings

Specify whether users can assemble new workflows and if participants without site access should be sent documents in e-mail attachments so they can participate in document workflows. For more information, see Configure workflow settings.

Configure diagnostic logging settings

You can configure several diagnostic logging settings to help with troubleshooting. This includes enabling and configuring trace logs, event messages, user-mode error messages, and Customer Experience Improvement Program events. For more information, see Configure diagnostic logging settings.

Configure antivirus protection settings

You can configure several antivirus settings if you have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus settings enable you to control whether documents are scanned on upload or download and whether users can download infected documents. You can also specify how long you want the antivirus program to run before it times out, and you can specify how many execution threads the antivirus program can use on the server. For more information, see Configure antivirus settings.

Configure search

You can configure several search and index settings to customize how Office SharePoint Server 2007 crawls your site content or external content. For more information, see Configure the Office SharePoint Server Search service (http://technet.microsoft.com/en-us/library/cc262700.aspx).

Configure Excel Services

Before you can use Excel Services, you must start the service and add at least one trusted location. For more information about doing this, see C. Configure Excel Services.

Perform administrator tasks by using the Central Administration site

1. Click Start, point to All Programs, point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, under Administrator Tasks, click the task you want to perform.
3. On the Administrator Tasks page, next to Action, click the task.


Deploy in a simple server farm


In this section:

- Deployment overview
- Deploy and configure the server infrastructure
- Create and configure a Shared Services Provider
- Perform additional configuration tasks
- Create a site collection and a SharePoint site
- Configure the trace log

Deployment overview
Important: This section discusses how to do a clean installation of Microsoft Office SharePoint Server 2007 in a server farm environment. It does not cover upgrading from previous releases of Office SharePoint Server 2007 or how to upgrade from Microsoft SharePoint Portal Server 2003. For more information about upgrading from Microsoft Office SharePoint Portal Server 2003, see Upgrading to Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc303420.aspx).

Note: This section does not cover installing Office SharePoint Server 2007 on a single computer as a stand-alone installation. For more information, see Install Office SharePoint Server 2007 on a stand-alone computer.

You can deploy Office SharePoint Server 2007 in a server farm environment if you are hosting a large number of sites, if you want the best possible performance, or if you want the scalability of a multi-tier topology. A server farm consists of one or more servers dedicated to running the Office SharePoint Server 2007 application.

Note: There is no direct upgrade from a stand-alone installation to a farm installation.

Because a server farm deployment of Office SharePoint Server 2007 is more complex than a stand-alone deployment, we recommend that you plan your deployment. Planning your deployment can help you to gather the information you need and to make important decisions before beginning to deploy. For information about planning, see Planning and architecture for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).

Deploying Office SharePoint Server 2007 in a DBA environment


In many IT environments, database creation and management are handled by the database administrator (DBA). Security and other policies might require that the DBA create the databases required by Office SharePoint Server 2007. This topic provides details about how the DBA can create these databases before beginning the Office SharePoint Server 2007 installation or creation of a Shared Services Provider (SSP). For more information about deploying using DBA-created databases, including detailed procedures, see Deploy using DBA-created databases.

Suggested topologies
Server farm environments can encompass a wide range of topologies and can include many servers or as few as two servers.

A small server farm typically consists of a database server running either Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most recent service pack, and one or more servers running Internet Information Services (IIS) and Office SharePoint Server 2007. In this configuration, the front-end servers are configured as Web servers and application servers. The Web server role provides Web content to clients. The application server role provides Office SharePoint Server 2007 services such as servicing search queries, and crawling and indexing content.

A medium server farm typically consists of a database server, an application server running Office SharePoint Server 2007, and one or two front-end Web servers running Office SharePoint Server 2007 and IIS. In this configuration, the application server provides indexing services and Excel Calculation Services, and the front-end Web servers service search queries and provide Web content.

A large server farm typically consists of two or more clustered database servers, several load-balanced front-end Web servers running Office SharePoint Server 2007, and two or more application servers running Office SharePoint Server 2007. In this configuration, each of the application servers provides specific Office SharePoint Server 2007 services such as indexing or Excel Calculation Services, and the front-end servers provide Web content.

Note: All of the Web servers in your server farm must have the same SharePoint Products and Technologies installed. For example, if all of the servers in your server farm are running Office SharePoint Server 2007, you cannot add to your farm a server that is running only Microsoft Office Project Server 2007. To run Office Project Server 2007 and Office SharePoint Server 2007 on your server farm, you must install Office Project Server 2007 and Office SharePoint Server 2007 on each of your Web servers.

To enhance the security of your farm and reduce the surface area that is exposed to a potential attack, you can turn off services on particular servers after you install SharePoint Products and Technologies.

Before you begin deployment


This section provides information about actions that you must perform before you begin deployment.

Important: The account that you select for installing Office SharePoint Server 2007 needs to be a member of the Administrators group on every server on which you install Office SharePoint Server 2007. You can, however, remove this account from the Administrators group on the servers after installation. For information about assigning users to be SSP administrators, see Shared Services Providers in Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).

To deploy Office SharePoint Server 2007 in a server farm environment, you must provide credentials for several different accounts. For information about these accounts, see Shared Service Providers in the Planning and architecture for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx) guide.

- You must install Office SharePoint Server 2007 on the same drive on all load-balanced front-end Web servers.
- You must install Office SharePoint Server 2007 on a clean installation of the Microsoft Windows Server 2003 operating system with the most recent service pack.
- If you uninstall a previous version of Office SharePoint Server 2007, and then install Office SharePoint Server 2007, Setup might fail to create the configuration database and the installation will fail.

Note: We recommend that you read the Known Issues/Readme documentation before you install Office SharePoint Server 2007 on a domain controller. Installing Office SharePoint Server 2007 on a domain controller requires additional configuration steps that are not discussed in this document.

- You must install the same language packs on all servers in the farm. For more information about installing language packs, see Deploy language packs.
- All the instances of Office SharePoint Server 2007 in the farm must be in the same language. For example, you cannot have both an English version of Office SharePoint Server 2007 and a Japanese version of Office SharePoint Server 2007 in the same farm.
- You must use the Complete installation option on all computers you want to be index servers, query servers, or servers that run Excel Calculation Services.
- If you place a query server beyond a firewall from its index server, you must open the NetBIOS ports (TCP/User Datagram Protocol (UDP) ports 137, 138, and 139) on all firewalls that separate these servers. If your environment does not use NetBIOS, you must use direct-hosted server message block (SMB). This requires that you open the TCP/UDP 445 port.
- If you want to have more than one index server in a farm, you must use a different Shared Services Provider (SSP) for each index server.


Overview of the deployment process


The deployment process consists of three phases: deploying and configuring the server infrastructure, creating and configuring one or more Shared Services Providers (SSPs), and deploying and configuring SharePoint sites.

Phase 1: Deploy and configure the server infrastructure


Deploying and configuring the server infrastructure consists of the following steps:

- Preparing the database server.
- Verifying that the servers meet hardware and software requirements.
- Running Setup on each server you want to be in the farm, including running the SharePoint Products and Technologies Configuration Wizard.
- If you want to search over the Help content for Office SharePoint Server 2007, starting the Windows SharePoint Services Search service.

Phase 2: Create and configure a Shared Services Provider


Creating and configuring a Shared Services Provider consists of the following steps:

- Creating a Web application to host the SSP.
- Creating the SSP.
- Configuring the Web application and the SSP.
- Configuring services on servers.

Phase 3: Create site collections and SharePoint sites


Creating SharePoint site collections and SharePoint sites consists of the following steps:

- Creating a Web application to host the site collections and SharePoint sites.
- Creating site collections.
- Creating SharePoint sites.

Deploy and configure the server infrastructure


Security account requirements
To deploy Office SharePoint Server 2007 in a server farm environment, you must provide credentials for several different accounts. For information about these accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx) in the Planning and architecture for Office SharePoint Server 2007 guide.


Prepare the database server


The database server must be running Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most recent service pack. The Office SharePoint Server 2007 Setup program automatically creates the necessary databases when you install and configure Office SharePoint Server 2007. Optionally, you can preinstall the required databases if your IT environment or policies require this. For more information about prerequisites, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx). If you are using SQL Server 2005, you must also change the surface area settings.

Configure surface area settings in SQL Server 2005

1. Click Start, point to All Programs, point to Microsoft SQL Server 2005, point to Configuration Tools, and then click SQL Server Surface Area Configuration.
2. In the SQL Server 2005 Surface Area Configuration dialog box, click Surface Area Configuration for Services and Connections.
3. In the tree view, expand the node for your instance of SQL Server, expand the Database Engine node, and then click Remote Connections.
4. Select Local and Remote Connections, select Using both TCP/IP and named pipes, and then click OK.

SQL Server and database collation


The SQL Server collation must be configured for case-insensitive. The SQL Server database collation must be configured for case-insensitive, accent-sensitive, Kana-sensitive, and width-sensitive. This is used to ensure file name uniqueness consistent with the Windows operating system. For more information about collations, see Selecting a SQL Collation (http://go.microsoft.com/fwlink/?LinkId=121667&clcid=0x409) or Collation Settings in Setup (http://go.microsoft.com/fwlink/?LinkId=121669&clcid=0x409) in SQL Server 2005 Books Online.
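The collation requirement above can be verified mechanically before you run Setup. The following Python script is an added example, not part of this guide or of SharePoint: it decodes the sensitivity suffixes of a SQL Server collation name (the _CI/_CS, _AI/_AS, _KS, _WS and _BIN tokens) and reports which of the server-level (CI) or database-level (CI, AS, KS, WS) requirements a collation fails. The collation names it runs against are constructed samples; the T-SQL shown is the standard way to read the live values and is not executed here.

```python
"""Check SQL Server collation names against the Office SharePoint Server 2007
requirements: the server collation must be case-insensitive, and each database
collation must be case-insensitive, accent-sensitive, Kana-sensitive and
width-sensitive (for example Latin1_General_CI_AS_KS_WS).

Added example, not part of the deployment guide or of SharePoint. The collation
names in SAMPLE_DATABASES are constructed; the T-SQL in LOOKUP_QUERIES is the
standard way to read the live values and is not executed by this script.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Standard T-SQL for reading the collations to check (run it with sqlcmd or
# SQL Server Management Studio, then feed the results to check_collation()).
LOOKUP_QUERIES = {
    "server": "SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Collation'));",
    "database": "SELECT name, collation_name FROM sys.databases;",
}


@dataclass
class CollationFlags:
    """Sensitivity flags decoded from a collation name."""
    name: str
    binary: bool = False
    case_sensitive: Optional[bool] = None    # None: no CI/CS token found
    accent_sensitive: Optional[bool] = None  # None: no AI/AS token found
    kana_sensitive: bool = False
    width_sensitive: bool = False


def parse_collation(name: str) -> CollationFlags:
    """Decode the suffix tokens of a Windows or SQL collation name.

    Both families use the same grammar: _CI or _CS (case), _AI or _AS
    (accent), optional _KS (Kana) and _WS (width). _BIN and _BIN2 are binary
    collations, which compare code points and are therefore sensitive to
    everything, including case.
    """
    flags = CollationFlags(name=name)
    tokens = name.upper().split("_")
    if "BIN" in tokens or "BIN2" in tokens:
        flags.binary = True
        flags.case_sensitive = flags.accent_sensitive = True
        flags.kana_sensitive = flags.width_sensitive = True
        return flags
    if "CI" in tokens:
        flags.case_sensitive = False
    elif "CS" in tokens:
        flags.case_sensitive = True
    if "AI" in tokens:
        flags.accent_sensitive = False
    elif "AS" in tokens:
        flags.accent_sensitive = True
    flags.kana_sensitive = "KS" in tokens
    flags.width_sensitive = "WS" in tokens
    return flags


def check_collation(name: str, scope: str = "database") -> list[str]:
    """Return the requirement violations for a collation (empty == compliant).

    scope="server": only case-insensitivity is required.
    scope="database": CI, AS, KS and WS are all required.
    """
    if scope not in ("server", "database"):
        raise ValueError("scope must be 'server' or 'database'")
    flags = parse_collation(name)
    if flags.case_sensitive is None:
        return ["unrecognised collation name (no CI, CS or BIN token)"]
    problems = []
    if flags.case_sensitive:
        kind = "binary" if flags.binary else "CS"
        problems.append(f"case-sensitive ({kind}); CI is required")
    if scope == "database":
        if not flags.accent_sensitive:
            problems.append("not accent-sensitive (no AS); AS is required")
        if not flags.kana_sensitive:
            problems.append("not Kana-sensitive (no KS); KS is required")
        if not flags.width_sensitive:
            problems.append("not width-sensitive (no WS); WS is required")
    return problems


def audit(server_collation: str, databases: dict[str, str]) -> dict[str, list[str]]:
    """Check the server collation and every database collation in one pass."""
    report = {"<server>": check_collation(server_collation, "server")}
    for db_name, collation in databases.items():
        report[db_name] = check_collation(collation, "database")
    return report


# Constructed sample of what the sys.databases query might return on a farm
# whose content database was created with the SQL Server default collation.
SAMPLE_SERVER_COLLATION = "Latin1_General_CI_AS_KS_WS"
SAMPLE_DATABASES = {
    "SharePoint_Config": "Latin1_General_CI_AS_KS_WS",
    "WSS_Content": "SQL_Latin1_General_CP1_CI_AS",
    "SharedServices1_DB": "Latin1_General_CS_AS_KS_WS",
    "Legacy_DB": "Latin1_General_BIN",
}

if __name__ == "__main__":
    for target, problems in audit(SAMPLE_SERVER_COLLATION, SAMPLE_DATABASES).items():
        status = "OK" if not problems else "FAIL: " + "; ".join(problems)
        print(f"{target}: {status}")
```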


Required accounts
The following table describes the accounts that are used to configure Microsoft SQL Server and to install Office SharePoint Server 2007. For more information about the required accounts, including specific privileges required for these accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).
Account: SQL Server Service Account
Purpose: This account is used as the service account for the following SQL Server services:
  MSSQLSERVER
  SQLSERVERAGENT
If you are not using the default instance, these services will be shown as:
  MSSQL$InstanceName
  SQLAgent$InstanceName
Requirements: SQL Server prompts for this account during SQL Server Setup. You have two options:
  Assign one of the built-in system accounts (Local System, Network Service, or Local Service) to the logon for the configurable SQL Server services. For more information about these accounts and security considerations, refer to the Setting Up Windows Service Accounts topic (http://go.microsoft.com/fwlink/?LinkId=121664&clcid=0x409) in the SQL Server documentation.
  Assign a domain user account to the logon for the service. However, if you use this option you must take the additional steps required to configure Service Principal Names (SPNs) in Active Directory in order to support Kerberos authentication, which SQL Server uses.

Account: Setup user account
Purpose: The Setup user account is used to run the following:
  Setup on each server
  The SharePoint Products and Technologies Configuration Wizard
  The PSConfig command-line tool
  The Stsadm command-line tool
Requirements:
  Domain user account
  Member of the Administrators group on each server on which Setup is run
  SQL Server login on the computer running SQL Server
  Member of the following SQL Server security roles: securityadmin fixed server role, dbcreator fixed server role
If you run Stsadm command-line tool commands that read from or write to a database, this account must be a member of the db_owner fixed database role for the database.

Account: Server farm account/Database access account
Purpose: The Server farm account is used to:
  Act as the application pool identity for the SharePoint Central Administration application pool.
  Run the Windows SharePoint Services Timer service.
Requirements: Domain user account. If the server farm is a child farm with Web applications that consume shared services from a larger farm, this account must be a member of the db_owner fixed database role on the configuration database of the larger farm.
Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:
  dbcreator fixed server role
  securityadmin fixed server role
  db_owner fixed database role for all databases in the server farm
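The collation rule in the previous section and the SQL Server role requirements in the table above can both be verified from the database server before and after the farm is built. The following T-SQL script is an added example and is not part of this guide; the login names CONTOSO\spfarm (server farm account) and CONTOSO\spsetup (Setup user account) are placeholders to replace with your own, and the configuration database is assumed to keep its default name, SharePoint_Config.

```sql
-- Added verification script (not from the Microsoft guide). Run it in SQL Server
-- Management Studio on the database server; replace the placeholder account names.
DECLARE @farm  sysname;  -- placeholder: server farm / database access account
DECLARE @setup sysname;  -- placeholder: Setup user account
SET @farm  = N'CONTOSO\spfarm';
SET @setup = N'CONTOSO\spsetup';

-- 1. Server collation: the guide requires case-insensitive (a _CI_ collation).
DECLARE @coll nvarchar(128);
SET @coll = CONVERT(nvarchar(128), SERVERPROPERTY('Collation'));
SELECT @coll AS server_collation,
       CASE WHEN @coll LIKE N'%[_]CI[_]%' THEN 'OK'
            ELSE 'WARNING: server collation is not case-insensitive' END AS result;

-- 2. Database collations: case-insensitive (CI), accent-sensitive (AS), kana-sensitive
--    (KS) and width-sensitive (WS), for example Latin1_General_CI_AS_KS_WS. The SQL
--    Server 2005 default, SQL_Latin1_General_CP1_CI_AS, is kana- and width-insensitive
--    and therefore fails this check.
SELECT name AS database_name, collation_name,
       CASE WHEN collation_name LIKE N'%[_]CI[_]AS[_]KS[_]WS' THEN 'OK'
            ELSE 'WARNING: not CI/AS/KS/WS' END AS result
FROM sys.databases
WHERE database_id > 4;   -- skip master, tempdb, model and msdb

-- 3. Logins and fixed server roles. Both accounts need dbcreator and securityadmin;
--    neither should be sysadmin (least privilege). IS_SRVROLEMEMBER returns NULL when
--    the login does not exist, so a missing login shows as 'MISSING' with NULL roles.
SELECT a.account,
       CASE WHEN p.name IS NULL THEN 'MISSING' ELSE 'present' END AS login_status,
       IS_SRVROLEMEMBER('dbcreator',     a.account) AS is_dbcreator,
       IS_SRVROLEMEMBER('securityadmin', a.account) AS is_securityadmin,
       IS_SRVROLEMEMBER('sysadmin',      a.account) AS is_sysadmin
FROM (SELECT @farm AS account UNION ALL SELECT @setup) AS a
LEFT JOIN sys.server_principals AS p ON p.name = a.account;
GO

-- 4. db_owner membership in the configuration database. Run this part only after the
--    SharePoint Products and Technologies Configuration Wizard has created the database.
--    The farm account should be listed; any other member is worth a second look.
USE SharePoint_Config;   -- default configuration database name; change if you renamed it
SELECT m.name AS member_name, m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';
```

Step 3 reports the roles the wizard grants the farm account automatically, so re-running it after configuration confirms that nothing beyond dbcreator and securityadmin was added.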

Verify that servers meet hardware and software requirements


Before you install and configure Office SharePoint Server 2007, be sure that your servers have the recommended hardware and software. To deploy a server farm, you need at least one server computer acting as a Web server and an application server, and one server computer acting as a database server. For more information about these requirements, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).

Important: Office SharePoint Server 2007 requires Active Directory directory services for farm deployments. Therefore, Office SharePoint Server 2007 cannot be installed in a farm on a Microsoft Windows NT Server 4.0 domain.

Install and configure IIS


Internet Information Services (IIS) is not installed or enabled by default in the Microsoft Windows Server 2003 operating system. To make your server a Web server, you must install and enable IIS, and you must ensure that IIS is running in IIS 6.0 worker process isolation mode.

Install and configure IIS
1. Click Start, point to All Programs, point to Administrative Tools, and then click Configure Your Server Wizard.
2. On the Welcome to the Configure Your Server Wizard page, click Next.
3. On the Preliminary Steps page, click Next.
4. On the Server Role page, click Application server (IIS, ASP.NET), and then click Next.
5. On the Application Server Options page, click Next.
6. On the Summary of Selections page, click Next.
7. Click Finish.
8. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
9. In the IIS Manager tree, click the plus sign (+) next to the server name, right-click the Web Sites folder, and then click Properties.
10. In the Web Sites Properties dialog box, click the Service tab.
11. In the Isolation mode section, clear the Run WWW service in IIS 5.0 isolation mode check box, and then click OK.

Note: The Run WWW in IIS 5.0 isolation mode check box is only selected if you have upgraded to IIS 6.0 on Windows Server 2003 from IIS 5.0 on Microsoft Windows 2000. New installations of IIS 6.0 use IIS 6.0 worker process isolation mode by default.

Install the Microsoft .NET Framework version 3.0


Go to the Microsoft Download Center Web site (http://go.microsoft.com/fwlink/?LinkID=72322&clcid=0x409). On the Microsoft .NET Framework 3.0 Redistributable Package page, follow the instructions for downloading and installing the Microsoft .NET Framework version 3.0. There are separate downloads for x86-based computers and x64-based computers; be sure to download and install the appropriate version for your computer. The Microsoft .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features.

Note: You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=110508).

Enable ASP.NET 2.0


You must enable ASP.NET 2.0 on all Office SharePoint Server 2007 servers.

Enable ASP.NET 2.0
1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the IIS Manager tree, click the plus sign (+) next to the server name, and then click the Web Service Extensions folder.
3. In the details pane, click ASP.NET v2.0.50727, and then click Allow.

Run Setup and build the farm


Run Setup and then the SharePoint Products and Technologies Configuration Wizard on all your farm servers. Do this on all farm servers before going on to create a Shared Services Provider (SSP).

Note: We recommend that you run Setup on all the servers that will be in the farm before configuring the farm. You can add servers to the farm at this point, or after you have created and configured an SSP. You can add servers after you have created and configured an SSP to add redundancy, such as additional load-balanced Web servers or additional query servers. It is recommended that you run Setup and the configuration wizard on all your application servers before you create and configure the SSP.

Recommended order of configuration


We recommend that you configure Office SharePoint Server 2007 in the order listed below. This order makes configuration easier and ensures that services and applications are in place before they are required by server types.

Recommended order of installation
1. We recommend that the Central Administration site be installed on an application server. In a server farm that includes more than one application server, install the Central Administration site on the application server with the least overall performance load. If your farm will have an application server, install Office SharePoint Server 2007 on that server first. This also installs the Central Administration site.
2. All your front-end Web servers.
3. The index server (if using a separate server for search queries and indexing).
4. The query servers, if separate from the index server.
Note: To configure more than one query server in your farm, you cannot configure your index server as a query server.
5. Other application servers (optional).

Because the SSP configuration requires an index server, you must start the Office SharePoint Server Search service on the computer that you want to be the index server, and configure it as an index server before you can create an SSP. Because of this, you must deploy and configure an index server before other servers. You can choose any server to be the first server on which you install Office SharePoint Server 2007. However, the Central Administration Web site is automatically installed on the first server on which you install Office SharePoint Server 2007.

You can configure different features on different servers. The following table shows which installation type you should use for each feature set.
Server type: Installation type
Central Administration Web application: Complete or Web Front End
Application server (such as Excel Calculation Services): Complete
Search index server: Complete
Search query server: Complete
Web server: Web Front End (subsequent servers must join an existing farm) or Complete

Note: If you choose the Web Front End installation option you will not be able to run additional services, such as search, on the server.

When you install Office SharePoint Server 2007 on the first server, you establish the farm. Any servers that you add you will join to this farm. Setting up the first server involves two steps: installing the Office SharePoint Server 2007 components on the server, and configuring the farm. After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The SharePoint Products and Technologies Configuration Wizard automates several configuration tasks, including: installing and configuring the configuration database, installing Office SharePoint Server 2007 services, and creating the Central Administration Web site.

Add servers to the farm


We recommend that you install and configure Office SharePoint Server 2007 on all of the farm servers before you configure Office SharePoint Server 2007 services and create sites. Regardless of how many Web servers you have in your server farm, you must have SQL Server running on at least one database server before you install Office SharePoint Server 2007 on your Web servers. By default, when you add servers to the farm and run the SharePoint Products and Technologies Configuration Wizard, the wizard does not create additional Central Administration sites on the servers that you add, nor does it create any databases on your database server. However, you can use the wizard to create additional Central Administration sites on the servers that you add.

Run Setup on the first server


Important: If you uninstall Office SharePoint Server 2007 from the first server on which you installed it, your farm might experience problems. It is not recommended that you install Office SharePoint Server 2007 on an index server first.

Note: Setup installs the Central Administration Web site on the first server on which you run Setup. Therefore, we recommend that the first server on which you install Office SharePoint Server 2007 is a server from which you want to run the Central Administration Web site.

Run Setup on the first server
1. From the product disc, run Setup.exe, or from the product download, run Officeserver.exe, on one of your Web server computers.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced. The Basic option is for stand-alone installations.
5. On the Server Type tab, select Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the next set of steps.

Run the SharePoint Products and Technologies Configuration Wizard


After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several configuration tasks, including: installing and configuring the configuration database, installing Office SharePoint Server 2007 services, and creating the Central Administration Web site. Use the following instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard
1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. Click Yes in the dialog box that notifies you that some services might need to be restarted during configuration.
3. On the Connect to a server farm page, click No, I want to create a new server farm, and then click Next.
4. In the Specify Configuration Database Settings dialog box, in the Database server box, type the name of the computer that is running SQL Server.
5. Type a name for your configuration database in the Database name box, or use the default database name. The default name is "SharePoint_Config".
6. In the User name box, type the user name of the Server farm account. (Be sure to type the user name in the format DOMAIN\username.)
Important: The server farm account is used to access your configuration database. It also acts as the application pool identity for the SharePoint Central Administration application pool, and it is the account under which the Windows SharePoint Services Timer service runs. The SharePoint Products and Technologies Configuration Wizard adds this account to the SQL Server Logins, the SQL Server Database Creator server role, and the SQL Server Security Administrators server role. The user account that you specify as the service account must be a domain user account, but it does not need to be a member of any specific security group on your Web servers or your back-end database servers. We recommend that you follow the principle of least privilege and specify a user account that is not a member of the Administrators group on your Web servers or your back-end servers.
7. In the Password box, type the user's password, and then click Next.
8. On the Configure SharePoint Central Administration Web Application page, select the Specify port number check box and type a port number if you want the SharePoint Central Administration Web application to use a specific port, or leave the Specify port number check box cleared if you do not care which port number the SharePoint Central Administration Web application uses.
9. In the Configure SharePoint Central Administration Web Application dialog box, do one of the following:
  If you want to use NTLM authentication (the default), click Next.
  If you want to use Kerberos authentication, click Negotiate (Kerberos), and then click Next.
Note: In most cases, use the default setting (NTLM). Use Negotiate (Kerberos) only if Kerberos authentication is supported in your environment. Using the Negotiate (Kerberos) option requires you to configure a Service Principal Name (SPN) for the domain user account. To do this, you must be a member of the Domain Admins group. For more information, see How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
10. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
11. On the Configuration Successful page, click Finish. The SharePoint Central Administration Web site home page opens.
Note: If you are prompted for your user name and password, you might need to add the SharePoint Central Administration site to the list of trusted sites and configure user authentication settings in Internet Explorer. Instructions for configuring these settings are provided in the next set of steps.
Note: If a proxy server error message appears, you might need to configure your proxy server settings so that local addresses bypass the proxy server. Instructions for configuring this setting are provided later in this section.

Add the SharePoint Central Administration Web site to the list of trusted sites
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL for the SharePoint Central Administration Web site, and then click Add.
5. Click Close to close the Trusted sites dialog box.
6. Click OK to close the Internet Options dialog box.

Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.

Add servers to the farm


We recommend that you install and configure Office SharePoint Server 2007 on all of your Web servers and the index server before you configure Office SharePoint Server 2007 services and create sites. If you want to build a minimal server farm configuration, and incrementally add Web servers to expand the farm, you can install and configure Office SharePoint Server 2007 on a single Web server and configure the Web server as both a Web server and an application server. Regardless of how many Web servers you have in your server farm, you must have SQL Server running on at least one back-end database server before you install Office SharePoint Server 2007 on your Web servers.

Important: If you uninstall Office SharePoint Server 2007 from the first server on which you installed it, your farm might experience problems. It is not recommended that you install Office SharePoint Server 2007 on an index server first.

Run Setup on additional servers: front-end Web servers
1. From the product disc, run Setup.exe, or from the product download, run Officeserver.exe, on one of your Web server computers.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Web Front End.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the following section.

Run Setup on additional servers: index or query server
1. From the product disc, run Setup.exe, or from the product download, run Officeserver.exe, on one of your Web server computers.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the next set of steps.

Run the SharePoint Products and Technologies Configuration Wizard on additional servers
After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several configuration tasks, including installing Office SharePoint Server 2007 services. Use the following instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard on additional servers
1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. Click Yes in the dialog box that notifies you that some services might need to be restarted during configuration.
3. On the Connect to a server farm page, click Yes, I want to connect to an existing server farm, and then click Next.
4. In the Specify Configuration Database Settings dialog box, in the Database server box, type the name of the computer that is running SQL Server.
5. Click Retrieve Database Names, and then from the Database name list, select the database name that you created when you configured the first server in your server farm.
6. In the User name box, type the user name of the account used to connect to the computer running SQL Server. (Be sure to type the user name in the format DOMAIN\username.) This must be the same user account you used when configuring the first server.
7. In the Password box, type the user's password, and then click Next.
8. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
9. On the Configuration Successful page, click Finish.

Start the Windows SharePoint Services Search service (optional)


You must start the Windows SharePoint Services Search service on every computer that you want to search over Help content. If you do not want users to be able to search over Help content, you do not need to start this service.

Start the Windows SharePoint Services Search service (optional)
1. On the SharePoint Central Administration home page, click the Operations tab on the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on server.
3. On the Services on Server page, next to Windows SharePoint Services Search, click Start.
4. On the Configure Windows SharePoint Services Search Service Settings page, in the Service Account section, type the user name and password for the user account under which the Windows SharePoint Services Search service account will run.
5. In the Content Access Account section, type the user name and password for the user account that the search service will use to search over content. This account must have read access to all the content you want it to search over. If you do not specify credentials, the same account used for the search service will be used.
6. In the Indexing Schedule section, either accept the default settings, or specify the schedule that you want the search service to use when searching over content.
7. After you have configured all the settings, click Start.

Stop the Central Administration service on all index servers


In farms with more than one index server, you should stop the Central Administration service on all index servers. This service is used for the Central Administration site and is not required on index servers. Stopping this service on index servers can help avoid URL resolution problems with indexing. On the other hand, you must be sure that this service is started on the server that hosts the Central Administration Web site, even if that server is also an index server. You do not need to stop this service for installations where the farm has only one index server. Before stopping the service on the index server, make sure that the service is running on another server.

Stop the Central Administration service on an index server
1. On the Services on Server page, select the index server from the Server drop-down list.
2. Under Select server role to display services you will need to start in the table below, select the Custom option.
3. In the table of services, next to Central Administration, in the Action column, click Stop.

Disable the Windows SharePoint Services Web Application service on all servers not serving content
You should disable the Windows SharePoint Services Web Application service on all servers that are not serving content, especially index servers. On the other hand, you must be sure that this service is enabled on the servers that are serving content.

Disable the Windows SharePoint Services Web Application service on a server
1. On the SharePoint Central Administration home page, click the Operations tab on the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on server.
3. On the Services on Server page, next to Windows SharePoint Services Web Application, click Stop.

Create and configure a Shared Services Provider


This section covers how to create and configure a single Shared Services Provider (SSP). An SSP is a logical grouping of shared services and their supporting resources. In Office SharePoint Server 2007, the SSP enables sharing services across multiple server farms, Web applications, and site collections. For more information about configuring and using SSPs, see Chapter overview: Create and configure Shared Services Providers.

In this phase, you create one or more SSPs and configure them to meet the needs of your farm. Each server farm can host one or more SSPs, or consume services provided by an SSP on another server farm. Each SSP runs in its own Web application, which contains one or more site collections. Other Web applications on a server farm can be associated with any of the SSPs on the farm. Shared services cannot be enabled or disabled separately from other shared services. Web applications on a farm consume either all of the services of an SSP or none of them. For more information about SSPs, see Plan Shared Services Providers (http://technet.microsoft.com/en-us/library/cc263276.aspx).

Start the Office SharePoint Server Search service


You must start the Office SharePoint Server Search service on at least one computer that was set up by using the Complete option during Setup. This service must be started on the computer that you want to use as your index server and optionally as a query server before you can create an SSP.

Start the Office SharePoint Server Search service on the index server
1. On the SharePoint Central Administration home page, click the Operations tab on the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on server.
3. In the Server list, select the server that you want to configure as an index server and optionally as a query server.
4. On the Services on Server page, next to Office SharePoint Server Search, click Start.
5. Select the Use this server for indexing content check box. This expands the page and adds the Index Server Default File Location, Indexer Performance, and Web Front End and Crawling sections.
6. If you want to use this server to service search queries, select the Use this server for servicing search queries check box. This expands the page and adds the Query Server Index File Location section. If not, skip to the next step.
7. In the Contact E-mail Address section, type the e-mail address you want external site administrators to use to contact your organization if problems arise when their sites are being crawled by your index server.
8. In the Farm Search Service Account section, specify the User name and Password of the account under which the search service will run. This domain account should not be a member of the Farm Administrators group in the Central Administration Web site (the WSS_ADMIN_WPG Windows security group). For least privilege scenarios, this should be a separate domain account, used only for this service. For more information about this account, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).
9. Optionally, you can also configure other settings or accept the default settings.
10. When you have configured all the settings, click Start.

You can optionally use the following steps to start the Office SharePoint Server Search service on computers that were set up by using the Complete option during Setup to deploy query servers.

Important: If you selected the Use this server for serving search queries option in step 6 of the previous procedure, you cannot deploy additional query servers unless you first remove the query server role from the index server. For information about how to perform this procedure using the Stsadm command-line tool, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).

Start the Office SharePoint Server Search service on query servers
1. On the SharePoint Central Administration home page, click the Operations tab on the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on server.
3. In the Server list, select the server that you want to configure as a query server.
4. On the Services on Server page, next to Office SharePoint Server Search, click Start.
5. Select the Use this server for servicing search queries check box. This expands the page and adds the Query Server Index File Location section.
6. In the Farm Search Service Account section, specify the User name and Password of the account under which the search service will run. This domain account should not be a member of the Farm Administrators group in the Central Administration Web site (the WSS_ADMIN_WPG Windows security group). For least privilege scenarios, this should be a separate domain account, used only for this service. For more information about this account, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).
7. In the Query Server Index File Location section, in the Query server index file location box, either type the location on the local drive of the query server on which you want to store the propagated index, or accept the default path.
8. In the Query Server Index File Location section, select one of the following:
  Configure share automatically: Select this option to automatically configure the share on which you want to store the propagated index, and type the user name and password of the account that you want to use to propagate the index (recommended).
  Important: This account must be a member of the Administrators group and a member of the WSS_ADMIN_WPG group on the query server before you proceed to the next step, or propagation of the index will fail.
  I will configure the share with STSAdm: Select this option if you want to use the Stsadm command-line tool to create this share at a later time.
  Do nothing. The share is already configured: Select this option if the share already exists and the permissions to the share are configured as described above.
9. When you have configured all the settings, click Start.

For information about how to perform this procedure using the Stsadm command-line tool, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).

Create a Web application to host the SSP and create the SSP
1. On the SharePoint Central Administration home page, click the Application Management tab on the top link bar.
2. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
3. On the Manage this Farm's Shared Services page, click New SSP.
4. On the New Shared Services Provider page, in the SSP Name section, click Create a new Web application.
   Note: If you see any items in the Web application drop-down list, a Web application has already been created. You can either use this Web application or create another.
5. On the Create New Web Application page, in the Application Pool section, specify the User name and Password for the user account that the Web application pool will run under.
6. You can also configure other settings on this page, or click OK to create the new Web application.
   Note: By default, the Web application uses the default Web site in IIS and port 80. This port might already be used by other Web applications. Ensure that this port is available, or choose another port before you click OK.
   Note: By default, Restart IIS Manually is selected. If you use this setting, you must restart the default Web site in IIS, or restart the World Wide Web Publishing Service (W3SVC) from the command line, for example by running iisreset /noforce.
7. On the New Shared Services Provider page, in the SSP Service Credentials section, type the user name and password for the user account that the SSP service will run under.
8. Optionally, you can also configure other settings.
9. When you have configured all the settings, click OK.
10. If you used the same Web application for the SSP administration site and the My Sites site collection, you will be prompted to use separate Web applications for these site collections. If you want to use the same Web application, click OK. For more information about site planning, see Plan Web site structure and publishing (http://technet.microsoft.com/en-us/library/cc262789.aspx).
11. After the SSP has been created, click OK on the confirmation page that appears.

Perform additional configuration tasks


After Setup finishes, your browser window opens to the home page of your new SharePoint site. Although you can start adding content to the site or customizing the site, we recommend that you first perform the following administrative tasks by using the SharePoint Central Administration Web site.

Configure incoming e-mail settings
You can configure incoming e-mail settings so that SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-mail settings so that SharePoint sites can archive e-mail discussions as they happen, save e-mailed documents, and show e-mailed meetings on site calendars. In addition, you can configure the SharePoint Directory Management Service to provide support for e-mail distribution list creation and management. For more information, see Configure incoming e-mail settings.

Configure outgoing e-mail settings
You can configure outgoing e-mail settings so that your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and notifications to site administrators. You can configure both the "From" e-mail address and the "Reply" e-mail address that appear in outgoing alerts. For more information, see Configure outgoing e-mail settings.

Configure workflow settings
Specify whether users can assemble new workflows, and whether participants without site access should be sent documents as e-mail attachments so that they can participate in document workflows. For more information, see Configure workflow settings.

Configure diagnostic logging settings
You can configure several diagnostic logging settings to help with troubleshooting. This includes enabling and configuring trace logs, event messages, user-mode error messages, and Customer Experience Improvement Program events. For more information, see Configure diagnostic logging settings.

Configure antivirus protection settings
You can configure several antivirus settings if you have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus settings enable you to control whether documents are scanned on upload or download, and whether users can download infected documents. You can also specify how long you want the antivirus program to run before it times out, and how many execution threads the antivirus program can use on the server. For more information, see Configure antivirus settings.

Configure search
Before search queries can be serviced, content must first be crawled. You can configure several search and index settings to customize how Office SharePoint Server 2007 crawls your site content or external content. For more information, see Configure the Office SharePoint Server Search service.

Configure Excel Calculation Services
Before you can use Excel Services, you must start the service and add at least one trusted location. For more information, see C. Configure Excel Services.

Perform administrator tasks by using the Central Administration site
1. Click Start, point to All Programs, point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, in the Administrator Tasks section, click the task you want to perform.
3. On the Administrator Tasks page, next to Action, click the task.

Create a site collection and a SharePoint site


This section guides you through the process of creating a single site collection containing a single SharePoint site. You can create many site collections, and many sites under each site collection. For more information, see V. Deploy and configure SharePoint sites.
You can create new portal sites or migrate pre-existing sites or content from a previous version of Windows SharePoint Services. For information about planning SharePoint sites and site collections, see Plan Web site structure and publishing (http://technet.microsoft.com/en-us/library/cc262789.aspx). For information about migrating content, see Deploy new server farm and migrate content (http://technet.microsoft.com/en-us/library/cc303436.aspx).
You can also migrate content from a pre-existing Microsoft Content Management Server 2002 source. For information, see Migrate from Microsoft Content Management Server 2002 to Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261812.aspx).
Before you can create a site collection or a site, you must first create a Web application. A Web application consists of an Internet Information Services (IIS) Web site with a unique application pool.

Create a new Web application
1. Click the Start button, point to All Programs, point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the SharePoint Web Application Management section, click Create or extend Web application.
4. On the Create or Extend Web Application page, in the Adding a SharePoint Web Application section, click Create a new Web application.
5. On the Create New Web Application page, in the IIS Web Site section, configure the settings for your new Web application.
   a. To use an existing Web site, select Use an existing Web site, and then select the Web site on which to install your new Web application from the drop-down menu.
   b. To create a new Web site, select Create a new IIS Web site, and type the name of the Web site in the Description box.
   c. In the Port box, type the port number you want to use to access the Web application. If you are creating a new Web site, this field is populated with a suggested port number. If you are using an existing Web site, this field is populated with the current port number.
   d. In the Host Header box, type the URL you want to use to access the Web application. This field is optional.
   e. In the Path box, type the path to the site directory on the server. If you are creating a new Web site, this field is populated with a suggested path. If you are using an existing Web site, this field is populated with the current path.
6. In the Security Configuration section, configure authentication and encryption for your Web application.
   a. In the Authentication Provider section, choose either Negotiate (Kerberos) or NTLM. Negotiate (Kerberos) requires that the appropriate Service Principal Names (SPNs) be registered in Active Directory for the application pool account; NTLM requires no additional directory configuration.
   b. In the Allow Anonymous section, choose Yes or No. If you allow anonymous access, the Web site can be reached by using the computer-specific anonymous access account (that is, IUSR_<computername>). This setting only permits anonymous access at the Web application level; site administrators must still enable it on individual sites before anonymous users can see content.
   c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you enable SSL for the Web site, you must configure SSL in IIS by requesting and installing an SSL certificate.
7. In the Load Balanced URL section, type the URL for the domain name for all sites that users will access in this Web application. This URL domain is used in all links shown on pages within the Web application. By default, the box is populated with the current server name and port. The Zone box is automatically set to Default for a new Web application and cannot be changed from this page.
8. In the Application Pool section, choose whether to use an existing application pool or create a new application pool for this Web application.
   a. To use an existing application pool, select Use existing application pool, and then select the application pool you want to use from the drop-down menu.
   b. To create a new application pool, select Create a new application pool.
   c. In the Application pool name box, type the name of the new application pool, or keep the default name.
   d. In the Select a security account for this application pool section, select Predefined to use an existing application pool security account, and then select the security account from the drop-down menu.
   e. Select Configurable to use an account that is not currently being used as a security account for an existing application pool. In the User name box, type the user name of the account you want to use, and type the password for the account into the Password box.
9. In the Reset Internet Information Services section, choose whether to allow Office SharePoint Server 2007 to restart IIS on other farm servers. The local server must be restarted manually for the process to finish. If this option is not selected and you have more than one server in the farm, you must wait until the IIS Web site is created on all servers and then run iisreset /noforce on each Web server. The new IIS site is not usable until that action is completed. These choices are unavailable if your farm contains only a single server.
10. Under Database Name and Authentication, choose the database server, database name, and authentication method for your new Web application.
    Database Server: Type the name of the database server and SQL Server instance you want to use, in the format <SERVERNAME\instance>. You can also use the default entry.
    Database Name: Type the name of the database, or use the default entry.
    Database Authentication: Choose whether to use Windows authentication (recommended) or SQL authentication. To use Windows authentication, leave this option selected. To use SQL authentication, select SQL authentication, and then, in the Account box, type the name of the account you want the Web application to use to authenticate to the SQL Server database, and type the password in the Password box.
11. Click OK to create the new Web application, or click Cancel to cancel the process and return to the Application Management page.

For information about how to perform this procedure using the Stsadm command-line tool, see Createsiteinnewdb: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262407.aspx).

Create a site collection
1. On the SharePoint Central Administration home page, click the Application Management tab on the top link bar.
2. On the Application Management page, in the SharePoint Site Management section, click Create site collection.
3. On the Create Site Collection page, in the Web Application section, either select a Web application to host the site collection from the Web Application drop-down list, or create a new Web application to host the site collection.
4. In the Title and Description section, type a title and description for the site collection.
5. In the Web Site Address section, select a URL type, and specify a URL for the site collection.
6. In the Template Selection section, select a template from the tabbed template control.
7. In the Primary Site Collection Administrator section, type the user account name for the user you want to be the primary administrator for the site collection. You can also browse for the user account by clicking the Book icon to the right of the text box. You can verify the user account by clicking the Check Names icon to the right of the text box.
8. Optionally, in the Secondary Site Collection Administrator section, type the user account for the user you want to be the secondary administrator for the site collection. You can also browse for the user account by clicking the Book icon to the right of the text box. You can verify the user account by clicking the Check Names icon to the right of the text box.
9. Click Create to create the site collection.

For information about how to perform this procedure using the Stsadm command-line tool, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx).

Create a SharePoint site
1. On the SharePoint Central Administration home page, click the Application Management tab on the top link bar.
2. On the Application Management page, in the SharePoint Site Management section, click Site collection list.
3. On the Site Collection List page, in the URL column, click the URL for the site collection to which you want to add a site. The full URL path for the site collection appears in the URL box.
4. Copy and paste the full URL path into your browser, and then, on the home page of the top-level site for the site collection, on the Site Actions menu, click Create.
5. On the Create page, in the Web Pages section, click Sites and Workspaces.
6. On the New SharePoint Site page, in the Title and Description section, type a title and description for the site.
7. In the Web Site Address section, specify a URL for the site.
8. In the Template Selection section, select a template from the tabbed template control.
9. Either change other settings, or click Create to create the site.
10. The new site opens.

After creating sites, you might want to configure alternate access mappings. Alternate access mappings direct users to the correct URLs during their interaction with Office SharePoint Server 2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for example). Alternate access mappings enable Office SharePoint Server 2007 to map Web requests to the correct Web applications and sites, and they enable Office SharePoint Server 2007 to serve the correct content back to the user.
For more information, see Plan alternate access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx). For information about how to perform this procedure using the Stsadm command-line tool, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx).

Configure the trace log


The trace log can be useful for analyzing problems that might occur. You can use events that are written to the trace log to identify what configuration changes were made in Office SharePoint Server 2007 before the problem occurred.

By default, Office SharePoint Server 2007 saves two days of events in the trace log files. This means that trace log files that contain events older than two days are deleted. Whether you are using the Office SharePoint Server Search service or the Windows SharePoint Services Search service, we recommend that you configure the trace log to save seven days of events.
You can use the Diagnostic Logging page in Central Administration to configure the maximum number of trace log files to maintain and how long (in minutes) to capture events to each log file. By default, 96 log files are kept, each one containing 30 minutes of events: 96 log files * 30 minutes of events per file = 2,880 minutes, or two days of events. You can also specify the location where the log files are written, or accept the default path.

Configure the trace log to save seven days of events
1. In Central Administration, on the Operations tab, in the Logging and Reporting section, click Diagnostic logging.
2. On the Diagnostic Logging page, in the Trace Log section, do the following:
   In the Number of log files box, type 336.
   In the Number of minutes to use a log file box, type 30.
   Tip: To save 10,080 minutes (seven days) of events, you can use any combination of number of log files and minutes per log file whose product is 10,080.
3. Ensure that the path specified in the Path box has enough room to store the extra log files, or change the path to another location.
   Tip: We recommend that you store log files on a hard drive partition that is used to store log files only.
4. Click OK.

Trace log files can help you troubleshoot issues related to configuration changes of either the Office SharePoint Server Search service or the Windows SharePoint Services Search service. Because problems related to configuration changes are not always discovered immediately, we recommend that you save all trace log files that the system creates on any day on which you make configuration changes related to either search service. Store these log files for an extended period in a safe location where they will not be overwritten. See step 3 in the previous procedure to determine the location where the system stores trace log files.
For information about how to perform this procedure using the Stsadm command-line tool, see Logging and events: Stsadm operations (http://technet.microsoft.com/en-us/library/cc262191.aspx).


Deploy using DBA-created databases


In this topic:
- About deploying by using DBA-created databases
- Required database hardware and software
- Required accounts
- Create and configure the databases

About deploying by using DBA-created databases


In many IT environments, database administrators (DBAs) create and manage databases. Security policies and other policies in your organization might require that DBAs create the databases required by Microsoft Office SharePoint Server 2007. This section describes how DBAs can create these databases and how farm administrators configure them.
This section describes how to deploy Office SharePoint Server 2007 in an environment in which DBAs create and manage databases. The deployment includes all the required databases, one portal site, a Shared Services Administration Web site, My Sites, and one Shared Services Provider (SSP).
This section applies only to farms that use Microsoft SQL Server 2000 with the most recent service pack or Microsoft SQL Server 2005 database software.
Some procedures in this section use the Psconfig or Stsadm command-line tools. These tools are located in the following folder: Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN.
Note: This section does not cover using the Office SharePoint Server 2007 graphical user interface tools to create or configure databases. For information about creating and configuring databases by using the Office SharePoint Server 2007 graphical user interface tools, see Deploy in a simple server farm.
Using these procedures, the DBA will create databases and the farm administrator will perform other configuration actions in the following order:
- The configuration database (only one per farm).
- The content database for Central Administration (only one per farm).
- Central Administration Web application (only one per farm, created by Setup).
- The Windows SharePoint Services search database (only one per farm).
- Start the Office SharePoint Server Search service.
- For each portal site: the portal site Web application content database.
- For each SSP:
  - A content database for the My Sites Web application (if the SSP is using its own Web application).
  - A content database for the Shared Services Administration Web application (if the SSP is using its own Web application).
  - SSP Search database (one per SSP).
  - SSP Web application (created by Setup if the SSP is using its own Web application).
Note: As part of the Web site and application pool creation process, a Web application is also created in Internet Information Services (IIS). Extending a Web application will create an additional Web site in IIS, but not an additional application pool.

Required database hardware and software


Before you install and configure the databases, be sure that your database servers have the recommended hardware and software. For more information about these requirements, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx). There are also requirements specific to the database server, and, if you are using SQL Server 2005 database software, the DBA must configure surface area settings so that local and remote connections use TCP/IP only. All of the databases required by Office SharePoint Server 2007 use the Latin1_General_CI_AS_KS_WS collation. All of the databases require that the Setup user account be assigned to them as the database owner (dbo, or db_owner). For more information about the security requirements for these databases, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).

Required accounts
The DBA needs to create SQL Server logins for the accounts that are used to access the databases for Office SharePoint Server 2007 and add them to the required roles. For more information about the required accounts, including the specific permissions and roles required for these accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).

The following table describes the accounts that are used to access the databases for Office SharePoint Server 2007.

Account: SQL Server Service Account
Purpose: This account is used as the service account for the following SQL Server services: MSSQLSERVER and SQLSERVERAGENT. If you are not using the default instance, these services are shown as MSSQL$InstanceName and SQLAgent$InstanceName.
Requirements: SQL Server prompts for this account during SQL Server Setup. You have two options:
  - Assign one of the built-in system accounts (Local System, Network Service, or Local Service) to the logon for the configurable SQL Server services. For more information about these accounts and security considerations, see the Setting Up Windows Service Accounts topic (http://go.microsoft.com/fwlink/?LinkId=121664&clcid=0x409) in the SQL Server documentation.
  - Assign a domain user account to the logon for the service. If you use this option, you must take the additional steps required to register Service Principal Names (SPNs) for that account in Active Directory so that Kerberos authentication to SQL Server works.

Account: Setup user account
Purpose: The Setup user account is used to run the following:
  - Setup on each server
  - The SharePoint Products and Technologies Configuration Wizard
  - The Psconfig command-line tool
  - The Stsadm command-line tool
Requirements:
  - Domain user account
  - Member of the Administrators group on each server on which Setup is run
  - SQL Server login on the computer running SQL Server
  - Member of the following SQL Server security roles: securityadmin fixed server role, dbcreator fixed server role
  - If you run Stsadm command-line tool commands that read from or write to a database, this account must be a member of the db_owner fixed database role for that database.

Account: Server farm account / Database access account
Purpose: The Server farm account is used to:
  - Act as the application pool identity for the SharePoint Central Administration application pool.
  - Run the Windows SharePoint Services Timer service.
Requirements:
  - Domain user account.
  - If the server farm is a child farm with Web applications that consume shared services from a larger farm, this account must be a member of the db_owner fixed database role on the configuration database of the larger farm.
  - Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles: dbcreator fixed server role, securityadmin fixed server role, and the db_owner fixed database role for all databases in the server farm.

Note: If you are using the least-privilege principle for added security, use a different account for each service, process, and application pool identity for each Web application. Each SSP will use two accounts, one for the SSP service account and one for the application pool identity for the Shared Services Administration Web application.

Create and configure the databases


Use the procedures in this section to create the required databases and give the accounts membership in the database Users security group and database roles. The procedures require action by the DBA and by the Setup user account. Each step is labeled [DBA] or [Setup] to indicate which role performs the action.
The following procedure has to be performed only once for the farm, on the server on which you want to run the Central Administration Web site. The farm has only one configuration database and one content database for Central Administration.

Create and configure the configuration database, the Central Administration content database, and the Central Administration Web application
1. [DBA] Create the configuration database and the Central Administration content database using the Latin1_General_CI_AS_KS_WS collation, and set the database owner (dbo) to be the Setup user account.
2. [Setup] Run Setup on each server computer in the farm. You must run Setup on at least one of these computers by using the Complete installation option.
   Note: The rest of the farm servers will be configured after the procedures in this article are finished and the farm is established. You will run the SharePoint Products and Technologies Configuration Wizard on these servers by selecting the Yes, I want to connect to an existing server farm option, instead of by using the commands used in this procedure.
3. [Setup] On the server on which you used the Complete installation option, do not run the SharePoint Products and Technologies Configuration Wizard after Setup. Instead, open a command prompt, and then run the following command to configure the databases:

   psconfig -cmd configdb -create -server <SqlServerName> -database <SqlDatabaseName> -user <DomainName\UserName> -password <password> -admincontentdatabase <SqlAdminContentDatabaseName>

   Note: <SqlDatabaseName> is the configuration database. -user is the server farm account. <SqlAdminContentDatabaseName> is the Central Administration content database. Because the server farm account's password is passed on the command line, type the command at an interactive prompt on the server rather than saving it in a script.
4. [Setup] After the command has completed, run the SharePoint Products and Technologies Configuration Wizard and complete the remainder of the configuration for the server. This creates the Central Administration Web application and performs other setup and configuration tasks.
5. [DBA] After the SharePoint Products and Technologies Configuration Wizard has completed, perform the following actions for both the configuration database and the Central Administration content database:
   - Add the Office SharePoint Server Search account, the default content access account, and the SSP service account to the Users group.
   - Add the Office SharePoint Server Search account, the default content access account, and the SSP service account to the WSS_Content_Application_Pools role.
6. [Setup] To confirm that the databases were created and correctly configured, verify that the home page of the Central Administration Web site can be accessed. However, do not configure anything by using Central Administration at this time. If the Central Administration page does not render, verify the accounts used in this procedure and ensure that they are properly assigned.
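The following Transact-SQL script is an added example, not part of this book or of any Microsoft tool. It shows how a DBA can carry out steps 1 and 5 of the procedure above on SQL Server 2005, and then check that the database owner and role assignments match the Required accounts table (the Setup user account holds dbcreator and securityadmin only, and no SharePoint account is a sysadmin). All names in it are hypothetical placeholders: CONTOSO\sp_setup is the Setup user account, CONTOSO\sp_osearch the Office SharePoint Server Search account, CONTOSO\sp_crawl the default content access account, CONTOSO\sp_ssp the SSP service account, and SharePoint_Config and SharePoint_AdminContent the two databases. The same pattern (create with the required collation, set dbo to the Setup user account, then add the service accounts after the farm has created the role) applies to the Windows SharePoint Services Search, My Sites, and Shared Services Administration databases in the later procedures of this section. On SQL Server 2000, use sp_grantlogin and sp_grantdbaccess in place of CREATE LOGIN and CREATE USER, and the corresponding system tables in place of the sys.* catalog views.

```sql
-- Added example: T-SQL for the [DBA] steps of the configuration database /
-- Central Administration content database procedure (SQL Server 2005 syntax).
-- Every account name and database name below is a hypothetical placeholder.
USE master;
GO

-------------------------------------------------------------------------------
-- Step 1 [DBA]: create both databases with the collation SharePoint requires.
-- The collation must be set at creation time; changing it afterwards is not
-- supported, so do not rely on the server default collation.
-------------------------------------------------------------------------------
CREATE DATABASE [SharePoint_Config]       COLLATE Latin1_General_CI_AS_KS_WS;
CREATE DATABASE [SharePoint_AdminContent] COLLATE Latin1_General_CI_AS_KS_WS;
GO

-- The Setup user account gets a login with exactly the two server roles listed
-- in the Required accounts table. securityadmin lets Psconfig create the farm
-- account login and grant it db_owner; dbcreator lets it create the remaining
-- farm databases. sysadmin is deliberately not granted.
CREATE LOGIN [CONTOSO\sp_setup] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\sp_setup', @rolename = N'dbcreator';
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\sp_setup', @rolename = N'securityadmin';
GO

-- Step 1 [DBA], continued: make the Setup user account dbo of both databases.
USE [SharePoint_Config];
EXEC sp_changedbowner @loginame = N'CONTOSO\sp_setup';
GO
USE [SharePoint_AdminContent];
EXEC sp_changedbowner @loginame = N'CONTOSO\sp_setup';
GO

-------------------------------------------------------------------------------
-- Step 5 [DBA]: run only AFTER the Configuration Wizard (step 4) has finished.
-- The WSS_Content_Application_Pools role does not exist until SharePoint
-- creates it, so sp_addrolemember fails if this block is run too early.
-- Each service account gets a login (unless the farm already created one), a
-- database user in both databases (the "Users" group), and membership in the
-- role. Nothing here grants db_owner: the role carries only the rights the
-- Web application pools need.
-------------------------------------------------------------------------------
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\sp_osearch')
    CREATE LOGIN [CONTOSO\sp_osearch] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\sp_crawl')
    CREATE LOGIN [CONTOSO\sp_crawl] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\sp_ssp')
    CREATE LOGIN [CONTOSO\sp_ssp] FROM WINDOWS;
GO

USE [SharePoint_Config];
CREATE USER [CONTOSO\sp_osearch] FOR LOGIN [CONTOSO\sp_osearch];
CREATE USER [CONTOSO\sp_crawl]   FOR LOGIN [CONTOSO\sp_crawl];
CREATE USER [CONTOSO\sp_ssp]     FOR LOGIN [CONTOSO\sp_ssp];
EXEC sp_addrolemember N'WSS_Content_Application_Pools', N'CONTOSO\sp_osearch';
EXEC sp_addrolemember N'WSS_Content_Application_Pools', N'CONTOSO\sp_crawl';
EXEC sp_addrolemember N'WSS_Content_Application_Pools', N'CONTOSO\sp_ssp';
GO

USE [SharePoint_AdminContent];
CREATE USER [CONTOSO\sp_osearch] FOR LOGIN [CONTOSO\sp_osearch];
CREATE USER [CONTOSO\sp_crawl]   FOR LOGIN [CONTOSO\sp_crawl];
CREATE USER [CONTOSO\sp_ssp]     FOR LOGIN [CONTOSO\sp_ssp];
EXEC sp_addrolemember N'WSS_Content_Application_Pools', N'CONTOSO\sp_osearch';
EXEC sp_addrolemember N'WSS_Content_Application_Pools', N'CONTOSO\sp_crawl';
EXEC sp_addrolemember N'WSS_Content_Application_Pools', N'CONTOSO\sp_ssp';
GO

-------------------------------------------------------------------------------
-- Check [DBA]: collation and owner of both databases, then every server role
-- held by a SharePoint account. Expected: sp_setup holds dbcreator and
-- securityadmin; the farm account added by Psconfig in step 3 holds the same
-- two; no CONTOSO\sp_* account appears in sysadmin.
-------------------------------------------------------------------------------
USE master;
GO
SELECT name, collation_name, SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE name IN (N'SharePoint_Config', N'SharePoint_AdminContent');

SELECT m.name AS login_name, r.name AS server_role
FROM sys.server_role_members rm
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
WHERE m.name LIKE N'CONTOSO\sp[_]%'
ORDER BY m.name, r.name;
```

Run the script in two sittings: the Step 1 block before the Setup user account runs Psconfig, and the Step 5 and Check blocks after the Configuration Wizard completes. If the final query shows any CONTOSO\sp_* login in sysadmin, or the owner_login column shows an account other than the Setup user account, correct that before continuing with the remaining procedures.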

The following procedure has to be performed only once for the farm. The farm has only one Windows SharePoint Services search database.

Create and configure the Windows SharePoint Services Search database and start the Windows SharePoint Services Search service
1. [DBA] Create the Windows SharePoint Services Search database using the Latin1_General_CI_AS_KS_WS collation, and set the database owner (dbo) to be the Setup user account.
2. [Setup] Open a command prompt, and then run the following command to configure the database and start the Windows SharePoint Services Search service:

   stsadm -o spsearch -action start -farmserviceaccount <DomainName\UserName> -farmservicepassword <password> -farmcontentaccessaccount <DomainName\UserName> -farmcontentaccesspassword <password> -databaseserver <server\instance> -databasename <DatabaseName>

   Note: -farmserviceaccount is the server farm account. -farmcontentaccessaccount is the content access account for the Windows SharePoint Services Search service. For -databaseserver, if you are using the default instance of SQL Server, you have to specify only the name of the computer running SQL Server.

The following procedure must be performed once for each server in the farm that runs indexing or services search queries.

Start the Office SharePoint Server Search service on each server that will run search queries or indexing
1. [Setup] Open a command prompt, and then run the following command:

   stsadm -o osearch -action start -role <OsearchRole> -farmcontactemail <FarmContactEmail> -farmserviceaccount <DomainName\UserName> -farmservicepassword <password>

   For additional information, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).
   Note: -farmserviceaccount is the server farm account. -role specifies the search role that the server plays. The values for OsearchRole can be Index, Query, or IndexQuery. For more information about these options, see Add query servers to expand a farm (http://technet.microsoft.com/en-us/library/cc297192.aspx).

The following procedure has to be performed only once for the farm. The farm has only one My Sites database. The My Sites Web application is typically hosted by its own SSP.

Create and configure the content database and Web application for My Sites
1. [DBA] Create the My Sites content database using the Latin1_General_CI_AS_KS_WS collation, and set the database owner (dbo) to be the Setup user account.
2. [DBA] Add the SSP service account to the db_owner role for the My Sites Web application content database.
3. [Setup] Open a command prompt, and then run the following command to configure the My Sites content database:

   stsadm.exe -o extendvs -url <url> -donotcreatesite -exclusivelyusentlm -databaseserver <DatabaseServerName> -databasename <DatabaseName> -apidtype configurableid -description <IISWebSiteName> -apidname <AppPoolName> -apidlogin <DomainName\UserName> -apidpwd <password>

   For additional information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).
   Note: -url is the URL (in the form http://hostname:port) of the My Sites Web application. -databasename is the content database for the My Sites Web application. -description is the text name you give to the Web site in IIS. -apidname is the text name that you give to the Web application pool in IIS. -apidlogin is the identity for the application pool in IIS; this is the application pool process account. If you are using Kerberos v5 authentication rather than NTLM authentication, use the negotiate parameter rather than the exclusivelyusentlm parameter.
   Important: This command must be run on the same computer that is indicated in the -url parameter. This is the computer that is running the My Sites Web application. The host name and port combination must not describe a Web application that already exists, or the command will return an error and the Web application will not be created.
4. [Setup] Open a command prompt, and then run the following command to restart IIS: iisreset /noforce

You must create a Shared Services Administration site Web application for every SSP in the farm.

Create the content database and the Web application for the Shared Services Administration site
1. [DBA] Create the Shared Services Administration site content database using the Latin1_General_CI_AS_KS_WS collation, and set the database owner (dbo) to be the Setup user account.
2. [DBA] Using SQL Server Management Studio, add the SSP service account to the Users group and then to the db_owner role for the Shared Services Administration site content database.
3. [Setup] Open the command line, and then run the following command to create the
53

Shared Services Administration site Web application and configure the content database: stsadm.exe -o extendvs -url <url> -donotcreatesite -exclusivelyusentlm databaseserver <DatabaseServerName> -databasename <DatabaseName> apidtype configurableid -description <IISWebSiteName> -apidname <AppPoolName> -apidlogin <DomainName\UserName> -apidpwd <password> For additional information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx). Note: url is the URL (in the form http://hostname:port) of the Shared Services Administration site Web application. databasename is the content database for the Shared Services Administration site Web application. description is the text name you give to the Web site in IIS. apidname is the text name that you give to the application pool in IIS. apidlogin is the identity for the application pool in IIS. This is the application pool process account. If you are using Kerberos v5 authentication rather than NTLM authentication, use the negotiate parameter rather than the exclusivelyusentlm parameter Important: This command must be run on the same computer that is indicated in the url parameter. This is the same computer that is running the Shared Services Administration Web application. The host name and port combination must not describe a Web application that already exists or an error results and the Web application is not created. 4. [Setup] Open the command line, and then run the following command to restart IIS: iisreset /noforce. The following procedure will have to be performed once for each portal site in the farm. Create and configure the portal site Web application content database 1. [DBA] Create the portal site Web application content database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo) to be the Setup user account. 2. 
[DBA] Using Microsoft SQL Server Management Studio, add the SSP Service account to the Users group and then to the db_owner role for the portal site Web application content database. 3. [Setup] Open the command line, and then run the following command to configure the portal site Web application content database: stsadm.exe -o extendvs -url <url> -donotcreatesite -exclusivelyusentlm databaseserver <DatabaseServerName> -databasename <DatabaseName> apidtype configurableid -description <IISWebSiteName> -apidname <AppPoolName> -apidlogin <DomainName\UserName> -apidpwd <password> For additional information, see Extendvs: Stsadm operation
54

(http://technet.microsoft.com/en-us/library/cc263040.aspx). Note: url is the URL (in the form http://hostname:port) of the portal site Web application. databasename is the content database for the portal site Web application. description is the text name you give to the Web site in IIS. apidname is the text name that you give to the Web application pool in IIS. apidlogin is the identity for the application pool in IIS. This is the application pool process account. If you are using Kerberos v5 authentication rather than NTLM authentication, use the negotiate parameter rather than the exclusivelyusentlm parameter. Important: This command must be run on the same computer that is indicated in the url parameter. This is the same computer that is running the Web application. The host name and port combination must not describe a Web application that already exists or an error results and the Web application is not created. 4. [Setup] Open the command line, and then run the following command to restart IIS: iisreset /noforce. The following procedure must be performed once for each SSP in the farm. Create and configure the SSP content database and SSP Search database, and then create and configure the SSP 1. [DBA] Create the SSP content database and the SSP Search database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo) to be the Setup user account. 2. [DBA] Using Microsoft SQL Server Management Studio, add the following accounts to the Users group and then to the db_owner role in both databases: Server farm account SSP Service account Windows SharePoint Services Search service account Office SharePoint Server Search service account Application pool process account. This is the Web application pool identity for each Web application associated with the SSP. In this section, these are the Shared Services Administration Web application and the My Sites site Web application.

3. [Setup] Open the command line, and then run the following command to create the SSP (the SSP will use the DBA-created SSP content database and the SSP Search database): stsadm -o createssp -title <SSPName> -url <url> -mysiteurl <url>-ssplogin <UserName> -ssppassword <password> -indexserver <IndexServerName>indexlocation <IndexFilePath>-sspdatabaseserver <SSPDatabaseServerName> sspdatabasename <SSPDatabaseName> -searchdatabaseserver
55

<SearchDatabaseServer> -searchdatabasename <SearchDatabaseName> For additional information, see Createssp: STSadm operation (http://technet.microsoft.com/en-us/library/cc262773.aspx). Note: url is the URL (in the format http://hostname:port/ssp/admin) of the Shared Services Administration site. mysiteurl is the URL (in the format http://hostname:port) of the My Sites Web site. ssplogin is the SSP service account in the format domain\username. indexserver is the name of the server that the index is hosted on. indexlocation is the directory on the index server where the farm administrator specified the index to be stored. By default this is SystemDrive:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications. Important: This command must be run on the same computer that is indicated in the url parameter. This is the same computer that is running the Web applications. In this section, this is the server where the Shared Services Administration site Web application and the My Sites Web application are running. Note: For more information about properly sizing these databases, see Estimate performance and capacity requirements (http://technet.microsoft.com/enus/library/cc261716.aspx) and Estimate performance and capacity requirements for portal collaboration environments (http://technet.microsoft.com/enus/library/cc263100.aspx).
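The [DBA] steps in the procedures above (create the database with the Latin1_General_CI_AS_KS_WS collation, make the Setup user account dbo, add the service accounts to db_owner) are described only as Management Studio actions. The following T-SQL is an added example, not part of this book, that carries out those steps for one database and then verifies the result before the Setup user runs stsadm. The database name WSS_Content_MySites and the accounts CONTOSO\sp_setup (Setup user account) and CONTOSO\sp_ssp (SSP service account) are placeholders for this example.

```sql
-- Added example (not from the Microsoft deployment book): pre-create one Office
-- SharePoint Server 2007 database as a DBA and verify it. All names are placeholders:
-- WSS_Content_MySites, CONTOSO\sp_setup (Setup user), CONTOSO\sp_ssp (SSP service account).
USE master;
GO

-- Step 1: create the database with the required collation. Stating COLLATE explicitly
-- matters: without it the database inherits the instance default, which is often
-- Latin1_General_CI_AS and therefore not Kana- or width-sensitive.
IF DB_ID(N'WSS_Content_MySites') IS NULL
    CREATE DATABASE [WSS_Content_MySites]
        COLLATE Latin1_General_CI_AS_KS_WS;
GO

-- Step 1 (continued): make the Setup user account the database owner (dbo). The account
-- must already be a SQL Server login, as the "Required accounts" table requires.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\sp_setup')
    CREATE LOGIN [CONTOSO\sp_setup] FROM WINDOWS;
ALTER AUTHORIZATION ON DATABASE::[WSS_Content_MySites] TO [CONTOSO\sp_setup];
GO

-- Step 2: map the SSP service account into the database (the Security > Users node in
-- Management Studio) and add it to db_owner.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\sp_ssp')
    CREATE LOGIN [CONTOSO\sp_ssp] FROM WINDOWS;
GO
USE [WSS_Content_MySites];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\sp_ssp')
    CREATE USER [CONTOSO\sp_ssp] FOR LOGIN [CONTOSO\sp_ssp];
EXEC sp_addrolemember @rolename = N'db_owner', @membername = N'CONTOSO\sp_ssp';
GO

-- Verification: collation, owner and db_owner membership are what stsadm -o extendvs
-- (run as the Setup user) depends on. A wrong collation is far cheaper to fix here than
-- after the Web application has been extended onto the database.
SELECT name                    AS database_name,
       collation_name,
       SUSER_SNAME(owner_sid)  AS database_owner
FROM sys.databases
WHERE name = DB_NAME();

SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';
```

For the SSP content and SSP Search databases, repeat the CREATE USER and sp_addrolemember pair for each account that step 2 of that procedure lists. The Setup user account becomes dbo through ALTER AUTHORIZATION and must not also be added as a separate database user; the first verification query should show it as database_owner, and the second should list only the service accounts you added.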


Deploy a simple farm on the Windows Server 2008 operating system


In this section:
Deployment overview
Deploy and configure the server infrastructure
Perform additional configuration tasks
Create a site collection and a SharePoint site
Configure the trace log

As of the release of Microsoft Office SharePoint Server 2007 Service Pack 1 (SP1), you can install Office SharePoint Server 2007 on a server running Windows Server 2008. As with the Windows Server 2003 operating system, you must download and run Setup and the SharePoint Products and Technologies Configuration Wizard. You cannot install Office SharePoint Server 2007 without service packs on Windows Server 2008. Important: Office SharePoint Server 2007 requires the following components: the Web Server role, Windows Internal Database, and the Microsoft .NET Framework. Office SharePoint Server 2007 will cease to run if you uninstall these components.

Deployment overview
You can deploy Office SharePoint Server 2007 in a server farm environment if you are hosting a large number of sites, if you want the best possible performance, or if you want the scalability of a multi-tier topology. A server farm consists of one or more servers dedicated to running Office SharePoint Server 2007. Note: There is no direct upgrade from a stand-alone installation to a farm installation.

Important: This section discusses how to perform a clean installation of Office SharePoint Server 2007 with SP1 in a server farm environment on Windows Server 2008. It does not cover upgrading the operating system from Windows Server 2003 to Windows Server 2008.

Note: This section does not cover installing Office SharePoint Server 2007 on a single computer as a stand-alone installation on Windows Server 2008. For more information, see Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server 2008.

Because a server farm deployment of Office SharePoint Server 2007 is more complex than a stand-alone deployment, we recommend that you plan your deployment. Planning your deployment can help you to gather the information you need and to make important decisions before beginning to deploy. For information about planning, see Planning and architecture for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).

Deploying Office SharePoint Server 2007 in a DBA environment


In many IT environments, database creation and management are handled by the database administrator (DBA). Security and other policies might require that the DBA create the databases required by Office SharePoint Server 2007. For more information about deploying using DBA-created databases, including detailed procedures that describe how the DBA can create these databases, see Deploy using DBA-created databases.

Suggested topologies
Server farm environments can encompass a wide range of topologies and can include many servers or as few as two servers. A server farm typically consists of a database server and one or more servers running Internet Information Services (IIS) and Office SharePoint Server 2007. In this configuration, the front-end servers are configured as Web servers. The Web server role provides Web content and services such as search. A large server farm typically consists of two or more clustered database servers, several load-balanced front-end Web servers running IIS and Office SharePoint Server 2007, and two or more servers providing Search services.

When you install Office SharePoint Server 2007, you can decide whether to perform a complete installation, which results in an application server, or to install just a front-end Web server. The main difference between an application server installation and a front-end Web server installation is the ability to run services such as the Search service. Because the front-end Web server installation is a subset of the application server installation, you can, if necessary, use an application server as a front-end Web server. Note, however, that this configuration increases the attack surface of the server, because the additional services and binaries of the application server are then present on a server that also accepts user requests.

Before you begin deployment


This section provides information about actions that you must perform before you begin deployment. To deploy Office SharePoint Server 2007 in a server farm environment on computers running Windows Server 2008, you must provide credentials for several different accounts. For information about these accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).


All the Office SharePoint Server 2007 installations in the server farm must be in the same language. For example, you cannot have both an English version of Office SharePoint Server 2007 and a Japanese version of Office SharePoint Server 2007 in the same server farm. Note: We recommend that you read the Known Issues and the Readme documentation before you install Office SharePoint Server 2007 on a domain controller. Installing Office SharePoint Server 2007 on a domain controller requires additional configuration steps that are not discussed in this section.

All of the Office SharePoint Server 2007 installations must be running the same software update. For example, if one of the servers is updated to Post Service Pack 1 rollup, you should update all of the Office SharePoint Server 2007 servers in the server farm to that software update.

Overview of the deployment process


The deployment process consists of two phases: deploying and configuring the server infrastructure, and deploying and configuring SharePoint site collections and sites.

Phase 1: Deploy and configure the server infrastructure


Deploying and configuring the server infrastructure consists of the following steps:
Preparing the database server.
Pre-installing databases (optional).
Verifying that the servers meet hardware and software requirements.
Running Setup on all servers you want to be in the server farm, installing SP1, and then running the SharePoint Products and Technologies Configuration Wizard.
Starting the Windows SharePoint Services Search service. This is an optional step, but we recommend you start the Search service because it is used to search the Office SharePoint Server 2007 Help.

Phase 2: Deploy and configure SharePoint site collections and sites


Deploying and configuring SharePoint site collections and sites consists of the following steps:
Creating site collections.
Creating SharePoint sites.


Deploy and configure the server infrastructure


Prepare the database server
The Office SharePoint Server 2007 Setup program automatically creates the necessary databases when you install and configure Office SharePoint Server 2007. Optionally, if your IT environment or policies require it, you can pre-create the required databases. For more information about prerequisites, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).

We recommend that you run Microsoft SQL Server 2005 on the database server. However, both Microsoft SQL Server 2005 and Microsoft SQL Server 2000 database software with the most recent service pack are supported. If you are using SQL Server 2005, you must also change the surface area settings so that the farm servers can connect to the instance over the network.

Configure surface area settings in SQL Server 2005
1. Click Start, point to All Programs, point to Microsoft SQL Server 2005, point to Configuration Tools, and then click SQL Server Surface Area Configuration.
2. In the SQL Server 2005 Surface Area Configuration dialog box, click Surface Area Configuration for Services and Connections.
3. In the tree view, expand the node for your instance of SQL Server, expand the Database Engine node, and then click Remote Connections.
4. Select Local and Remote Connections, select Using both TCP/IP and named pipes, and then click OK.

SQL Server and database collation


The SQL Server instance collation must be case-insensitive. The collation of each SharePoint database must be case-insensitive, accent-sensitive, Kana-sensitive, and width-sensitive (for example Latin1_General_CI_AS_KS_WS, the collation used for the DBA-created databases in this book). This ensures file name uniqueness consistent with the Windows operating system. For more information about collations, see Selecting a SQL Collation (http://go.microsoft.com/fwlink/?LinkId=121667&clcid=0x409) or Collation Settings in Setup (http://go.microsoft.com/fwlink/?LinkId=121669&clcid=0x409) in SQL Server 2005 Books Online.


Required accounts
The following table lists the accounts used to configure SQL Server and to install Office SharePoint Server 2007. For detailed information about the required accounts, including specific role memberships and permissions required for these accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).
Account: SQL Server service account
Purpose: The service account for the following SQL Server services:
  MSSQLSERVER
  SQLSERVERAGENT
  If you are not using the default instance, these services are shown as MSSQL$InstanceName and SQLAgent$InstanceName.
Requirements: SQL Server Setup prompts for this account. You have two options:
  Assign one of the built-in system accounts (Local System, Network Service, or Local Service) as the logon for the configurable SQL Server services. For more information about these accounts and security considerations, see Setting Up Windows Service Accounts (http://go.microsoft.com/fwlink/?LinkId=121664&clcid=0x409) in the SQL Server documentation.
  Assign a domain user account as the logon for the service. If you use this option, you must take the additional steps required to register service principal names (SPNs) in Active Directory so that Kerberos authentication, which SQL Server uses, can succeed. See the SPN instructions that follow this table.

Account: Setup user account
Purpose: Used to run the following:
  Setup on each server
  The SharePoint Products and Technologies Configuration Wizard
  The PSConfig command-line tool
  The Stsadm command-line tool
Requirements:
  Domain user account.
  Member of the Administrators group on each server on which Setup is run.
  SQL Server login on the computer running SQL Server.
  Member of the securityadmin and dbcreator fixed server roles.
  If you run Stsadm commands that read from or write to a database, member of the db_owner fixed database role for that database.

Account: Server farm account (database access account)
Purpose: Used to:
  Act as the application pool identity for the SharePoint Central Administration application pool.
  Run the Windows SharePoint Services Timer service.
Requirements:
  Domain user account.
  If the server farm is a child farm with Web applications that consume shared services from a larger farm, this account must be a member of the db_owner fixed database role on the configuration database of the larger farm.
  Additional permissions are granted automatically to this account on Web servers and application servers that are joined to a server farm. The account is automatically added as a SQL Server login on the computer running SQL Server and added to the dbcreator and securityadmin fixed server roles and to the db_owner fixed database role for all databases in the server farm.
If you use a domain user account for the SQL Server service account, you must make sure that a valid service principal name (SPN) for that account and that instance of SQL Server exists in your Active Directory domain. This is required regardless of whether you use NTLM or Kerberos authentication for Office SharePoint Server 2007. You register the SPN for the account with the Setspn.exe command-line tool, which is installed by default on computers running Windows Server 2008. Run the following command on a computer that is joined to the same domain as the service account:

   setspn -A MSSQLSvc/<SqlServerFqdn>:<port> <DomainName\ServiceAccountName>

The service class for SQL Server is MSSQLSvc, and the SPN names the fully qualified DNS name of the database server and the TCP port on which the instance listens (for a named instance, fix the instance to a static port and register that port). An HTTP SPN belongs to a Web application pool identity and does not enable Kerberos for SQL Server. If the SQL Server service runs as Local System or Network Service instead, SQL Server registers the SPN on the computer account itself and this step is not needed. Confirm the registration with setspn -L <DomainName\ServiceAccountName>; on Windows Server 2008, setspn -S can be used instead of -A to refuse an SPN that is already registered to another account, because a duplicate SPN makes Kerberos fail and clients fall back silently to NTLM. You only have to complete this task once for this account.
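The two database-server requirements stated in this section, a case-insensitive instance collation and working Kerberos authentication for the farm accounts, can both be verified from SQL Server itself. The following T-SQL is an added example, not part of this book; it assumes the VIEW SERVER STATE permission and uses CONTOSO\sp_farm and CONTOSO\sp_setup as placeholder names for the server farm account and the Setup user account.

```sql
-- Added example (not from the Microsoft deployment book): readiness checks for the
-- farm's database server. Run in SQL Server Management Studio; requires VIEW SERVER STATE.
-- Placeholders: CONTOSO\sp_farm (server farm account), CONTOSO\sp_setup (Setup user).

-- Check 1: instance collation. Office SharePoint Server 2007 requires a case-insensitive
-- (CI) collation. The instance collation is also the default for every database Setup
-- creates itself, so a CS or binary instance collation breaks the farm even when the
-- DBA-created databases were given Latin1_General_CI_AS_KS_WS explicitly.
-- Square brackets escape the underscore, which is otherwise a LIKE wildcard.
DECLARE @collation sysname;
SET @collation = CONVERT(sysname, SERVERPROPERTY('Collation'));
IF @collation LIKE '%[_]CS[_]%' OR @collation LIKE '%[_]BIN%'
    RAISERROR('Instance collation %s is case-sensitive or binary; a case-insensitive collation is required.', 16, 1, @collation);
ELSE
    PRINT 'Instance collation ' + @collation + ' is case-insensitive.';

-- Check 2: how the farm accounts actually authenticate. auth_scheme is KERBEROS only
-- when the MSSQLSvc SPN for the SQL Server service account resolves; a missing or
-- duplicated SPN falls back silently to NTLM. Run this from a farm server, or after the
-- farm servers have connected: local shared-memory connections report NTLM regardless
-- of SPNs, so a result from the database server's own console proves nothing.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.net_transport,
       c.auth_scheme,
       CASE c.auth_scheme
            WHEN 'KERBEROS' THEN 'ok'
            WHEN 'NTLM'     THEN 'NTLM fallback: check the MSSQLSvc SPN with setspn -L on the SQL Server service account'
            ELSE                 'SQL authentication: not a Windows account'
       END AS verdict
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND (s.login_name IN (N'CONTOSO\sp_farm', N'CONTOSO\sp_setup') OR s.session_id = @@SPID)
ORDER BY s.login_name, s.session_id;
```

The second query includes your own session (@@SPID) so that running it as the Setup user from a Web server gives an immediate answer; once the Central Administration application pool and the Timer service are running, the server farm account's connections appear in the same result and should all read KERBEROS.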

Verify that servers meet hardware and software requirements


Before you install and configure Office SharePoint Server 2007, be sure that your servers have the recommended hardware and software. To deploy a server farm, you need at least one server computer acting as a Web server and an application server, and one server computer acting as a database server. For more information about these requirements, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx). Also, make sure the Management Compatibility role service is added to your server and the .NET Framework is installed, as described below. Important: Office SharePoint Server 2007 requires Active Directory Domain Services for farm deployments in a Windows Server 2008 environment.

IIS 6.0 Management Compatibility role service


If you use the Windows Server 2008 Server Manager to perform a default Internet Information Services (IIS) 7.0 installation, the IIS 6.0 Management Compatibility role service is not included. Because this is a required role service, use the following procedure to add it.

Add the IIS 6.0 Management Compatibility role service
1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In the left navigation pane, expand Roles, right-click Web Server (IIS), and then click Add Role Services.
3. In the Add Role Services wizard, in the Role services area, select IIS 6 Management Compatibility.
4. In the Select Role Services pane, click Next, and then in the Confirm Installation Selections pane, click Install.
5. To complete the Add Role Services wizard, click Close.

Install Microsoft .NET Framework


Before you install Office SharePoint Server 2007 on Windows Server 2008, you must install the Microsoft .NET Framework. You do not need to install the Web Server role or the Windows Process Activation Service; these are installed automatically, along with the Windows Internal Database, when you install Office SharePoint Server 2007 SP1. Use the following procedure to install Microsoft .NET Framework version 3.0.

Install Microsoft .NET Framework version 3.0
1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In Server Manager, on the Action menu, click Add Features.
3. In the Features list, select the .NET Framework 3.0 Features check box, and then click Next.
4. Follow the wizard steps to install Microsoft .NET Framework version 3.0.

Note: You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=110508).

Run Setup on all servers in the farm


You can only install Office SharePoint Server 2007 with SP1 on Windows Server 2008, so on each server in the server farm you must run the Office SharePoint Server 2007 Setup and then install SP1 before you run the SharePoint Products and Technologies Configuration Wizard. To save time and effort on setup tasks, we recommend that you create a slipstreamed installation source for Office SharePoint Server 2007. This installation source must include the files from both Windows SharePoint Services 3.0 SP1 and Office SharePoint Server 2007 SP1. For more information about using the Updates folder to create a slipstreamed source, see Create an installation source that includes software updates (http://technet.microsoft.com/en-us/library/cc261890.aspx).

Note: If you have not created an updated installation source, you must first install Office SharePoint Server 2007 without any software updates, and then, without running the SharePoint Products and Technologies Configuration Wizard at the end of the installation, install SP1. After the installations are complete, you can run the SharePoint Products and Technologies Configuration Wizard.

The server farm is established when you configure Office SharePoint Server 2007 on the first server. You must then join the additional servers in the server farm to this farm. Setting up the first server involves two steps: installing the Office SharePoint Server 2007 and SP1 components on the server, and configuring the farm. After Setup finishes, you use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The wizard automates several configuration tasks, including installing and configuring the configuration database, installing Office SharePoint Server 2007 services, and creating the Central Administration Web site.

The first server


We recommend that you install and configure Office SharePoint Server 2007 and Office SharePoint Server 2007 SP1 on all of the servers in your server farm before you configure Office SharePoint Server 2007 services and create sites. You must have SQL Server database software running on at least one back-end database server before you install Office SharePoint Server 2007 on your farm servers. Note: Setup installs the Central Administration Web site on the first server on which you run Setup. Therefore, we recommend that the first server on which you install Office SharePoint Server 2007 be a server on which you want to run the Central Administration Web site.


Run Setup on the first server

1. From the slipstreamed installation source, run Setup.exe on one of your Web servers. For more information about slipstreaming, see Create an installation source that includes software updates (http://technet.microsoft.com/en-us/library/cc261890.aspx). 2. On the Enter your Product Key page, enter your product key, and then click Continue.

Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and alerts you that the key is incorrect.


3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.


4. On the Choose the installation you want page, click Advanced. (The Basic option is for stand-alone installations.)


5. On the Server Type tab, select Complete.


6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.


7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.

8. When you have chosen the correct options, click Install Now.


9. When Setup finishes, a dialog box prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is not selected.

10. Click Close.

Note: You should wait to run the SharePoint Products and Technologies Configuration Wizard until you have installed Office SharePoint Server 2007 and Office SharePoint Server 2007 SP1 and performed the rest of the procedures in this section on all the servers in the server farm.

Use the following procedure to add the SharePoint Central Administration Web site to the list of trusted sites.

Add the SharePoint Central Administration Web site to the list of trusted sites
1. In Windows Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box. This is necessary because the Central Administration Web site is served over HTTP.
4. In the Add this Web site to the zone box, type the URL for the SharePoint Central Administration Web site, and then click Add.
5. Click Close to close the Trusted sites dialog box.
6. Click OK to close the Internet Options dialog box.

Use the following procedure to configure proxy server settings to bypass the proxy server for local addresses.

Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.

Additional servers
We recommend that you install and configure Office SharePoint Server 2007 on all of your front-end Web servers and the index server before you configure Office SharePoint Server 2007 services and create sites. If you want to build a minimal server farm configuration and incrementally add front-end Web servers to expand the farm, you can install and configure Office SharePoint Server 2007 on a single Web server, and configure that Web server as both a front-end Web server and an application server. Regardless of how many servers you have in your server farm, you must have SQL Server running on at least one back-end database server before you install Office SharePoint Server 2007 on your front-end Web servers.

Important: If you uninstall Office SharePoint Server 2007 from the first server on which you installed it, your farm might experience problems. We do not recommend installing Office SharePoint Server 2007 on an index server first.


Run Setup on additional servers: front-end Web servers
1. From the slipstreamed installation source, run Setup.exe on one of your Web servers.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
   Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Web Front End.

6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.

7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the following section.

Use the following procedure to run Setup on the additional servers in your server farm that will hold the index or query role.

Run Setup on additional servers: index or query server
1. From the slipstreamed installation source, run Setup.exe on the server that will be the index or query server.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
   Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Complete. A Web Front End installation does not include the Search service, so index and query servers need the Complete installation.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the next set of steps.

75

Run the SharePoint Products and Technologies Configuration Wizard

After you have run Setup and both Office SharePoint Server 2007 and Office SharePoint Server 2007 SP1 are installed on all the servers in your server farm, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several configuration tasks, including installing and configuring the configuration database, installing Office SharePoint Server 2007 services, and creating the Central Administration Web site.

Use the following instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007

1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Products and Technologies Configuration Wizard.
2. On the Welcome to SharePoint Products and Technologies page, click Next.
3. In the dialog box that notifies you that some services might need to be restarted during configuration, click Yes.
4. On the Connect to a server farm page, click No, I want to create a new server farm, and then click Next.
5. In the Specify Configuration Database Settings dialog box, in the Database server box, type the name of the computer that is running SQL Server.
6. Type a name for your configuration database in the Database name box, or use the default database name. The default name is SharePoint_Config.
7. In the User name box, type the user name of the server farm account. (Be sure to type the user name in the format <DOMAIN>\<user name>.)
   Important: The server farm account is used to access your configuration database. It also acts as the application pool identity for the SharePoint Central Administration application pool, and it is the account under which the Windows SharePoint Services Timer service runs. The SharePoint Products and Technologies Configuration Wizard adds this account to the SQL Server Logins, the SQL Server Database Creator (dbcreator) server role, and the SQL Server Security Administrators (securityadmin) server role. The user account that you specify as the service account must be a domain user account, but it does not need to be a member of any specific security group on your Web servers or your back-end database servers. We recommend that you follow the principle of least privilege, and specify a user account that is not a member of the Administrators group on your Web servers or your back-end servers.
8. In the Password box, type the user's password, and then click Next.
9. On the Configure SharePoint Central Administration Web Application page, select the Specify port number check box and type a port number if you want the SharePoint Central Administration Web application to use a specific port, or leave the Specify port number check box cleared if it does not matter which port number the SharePoint Central Administration Web application uses.
10. In the Configure SharePoint Central Administration Web Application dialog box, do one of the following:
   - If you want to use NTLM authentication (the default), click Next.
   - If you want to use Kerberos authentication, click Negotiate (Kerberos), and then click Next.
   Note: In most cases, use the default setting (NTLM). Use Negotiate (Kerberos) only if Kerberos authentication is supported in your environment. Using the Negotiate (Kerberos) option requires you to configure a service principal name (SPN) for the domain user account. To do this, you must be a member of the Domain Admins group. For more information, see How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
11. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
12. On the Configuration Successful page, click Finish.

The SharePoint Central Administration Web site home page opens.

Notes
- If you are prompted for your user name and password, you might need to add the SharePoint Central Administration Web site to the list of trusted sites, and configure user authentication settings in Internet Explorer. Instructions for configuring these settings are provided in the next set of steps.
- If a proxy server error message appears, you might need to configure your proxy server settings so that local addresses bypass the proxy server. Instructions for configuring this setting are provided later in this section.
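The Important note in step 7 makes three checkable claims about the server farm account: it must be a domain account, the wizard grants it the dbcreator and securityadmin server roles, and it should not be a local Administrator on the Web or database servers. The following PowerShell 2.0 script is an added example, not part of the original document, that checks those points on a farm server after the wizard has run, and lists the SPNs registered on the account for the Kerberos case described in the note to step 10. The account name CONTOSO\spfarm and the database server name SQL01 are placeholders; run it as a user who can see SQL Server logins (for example a SQL sysadmin), or the role query returns NULL.

```powershell
# Added example (not from the document): check the server farm account against the
# least-privilege guidance in the Important note above. PowerShell 2.0; run on a farm
# server as a user who can query SQL Server logins (for example a SQL sysadmin).
# CONTOSO\spfarm and SQL01 are placeholders for your farm account and database server.
param(
    [string]$FarmAccount = 'CONTOSO\spfarm',
    [string]$SqlServer   = 'SQL01'
)
[void][System.Reflection.Assembly]::LoadWithPartialName('System.Data')
$problems = @()

# 1. The wizard requires a domain account in DOMAIN\user form; a local account
#    (COMPUTERNAME\user) cannot be used by the other servers in the farm.
if ($FarmAccount -notmatch '^[^\\\s]+\\[^\\\s]+$' -or
    $FarmAccount.Split('\')[0] -ieq $env:COMPUTERNAME) {
    $problems += "'$FarmAccount' is not a domain account in DOMAIN\user form."
}

# 2. It should not be a member of the local Administrators group on this server.
#    'net localgroup' prints one member per line between the dashed rule and the footer;
#    nested group membership is not expanded, so this is a direct-membership check only.
$admins = net localgroup Administrators |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
if ($admins -contains $FarmAccount) {
    $problems += "'$FarmAccount' is a member of local Administrators on $env:COMPUTERNAME."
}

# 3. The wizard grants dbcreator and securityadmin; the account should hold exactly those
#    server roles and not sysadmin. IS_SRVROLEMEMBER returns 1 (member), 0 (not a member)
#    or NULL (login unknown, or not visible to the caller).
$expected = @{ dbcreator = 1; securityadmin = 1; sysadmin = 0; serveradmin = 0 }
$conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Server=$SqlServer;Integrated Security=SSPI;Database=master"
try {
    $conn.Open()
    foreach ($role in $expected.Keys) {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT IS_SRVROLEMEMBER(@role, @login)'   # parameterised, no string building
        [void]$cmd.Parameters.AddWithValue('@role',  $role)
        [void]$cmd.Parameters.AddWithValue('@login', $FarmAccount)
        $result = $cmd.ExecuteScalar()
        if ($result -is [System.DBNull]) {
            $problems += "SQL Server on $SqlServer has no visible login '$FarmAccount'."
            break
        }
        if ([int]$result -ne $expected[$role]) {
            $problems += "Server role '$role': expected $($expected[$role]), SQL Server reports $result."
        }
    }
} finally {
    $conn.Close()
}

# 4. If Negotiate (Kerberos) was chosen, an HTTP SPN for the Central Administration host
#    must be registered on this account. setspn.exe ships with Windows Server 2008; listing
#    needs no special rights, while adding an SPN needs Domain Admins, as the note says.
Write-Host "SPNs registered for $FarmAccount (expect HTTP/<central-admin-host> when Kerberos is used):"
setspn -L $FarmAccount.Split('\')[1]

if ($problems.Count -eq 0) { Write-Host 'Farm account checks passed.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Run the script on each Web server as well as the index or query server: the local Administrators check is per machine, while the SQL role and SPN checks describe the account itself and only need to pass once.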

Run the SharePoint Products and Technologies Configuration Wizard on additional servers

After Setup finishes on each additional server, use the SharePoint Products and Technologies Configuration Wizard to join that server to the farm. The configuration wizard automates several configuration tasks, including connecting to the existing configuration database and installing the Office SharePoint Server 2007 services on the server.

Use the following instructions to run the SharePoint Products and Technologies Configuration Wizard on each additional server.

Run the SharePoint Products and Technologies Configuration Wizard on an additional server

1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Products and Technologies Configuration Wizard.
2. On the Welcome to SharePoint Products and Technologies page, click Next.
3. Click Yes in the dialog box that notifies you that some services might need to be restarted during configuration.
4. On the Connect to a server farm page, click Yes, I want to connect to an existing server farm, and then click Next.
5. In the Specify Configuration Database Settings dialog box, in the Database server box, type the name of the computer that is running SQL Server.
6. Click Retrieve Database Names, and then from the Database name list, select the database name that you created when you configured the first server in your server farm.
7. In the User name box, type the user name of the account used to connect to the computer running SQL Server. (Be sure to type the user name in the format <DOMAIN>\<user name>.) This must be the same user account you used when configuring the first server.
8. In the Password box, type the user's password, and then click Next.
9. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
10. On the Configuration Successful page, click Finish.

Start the Windows SharePoint Services Search service

You must start the Windows SharePoint Services Search service on every server that you want to use to crawl and search content, and on at least one server in the farm.

Start the Windows SharePoint Services Search service on servers used to search content

1. On the SharePoint Central Administration home page, click the Operations tab on the top link bar.
2. On the Operations page, in the Topology and Services section, click Servers in farm.
3. On the Servers in Farm page, click the server on which you want to start the Windows SharePoint Services Search service.
4. Next to Windows SharePoint Services Search, click Start.
5. On the Configure Windows SharePoint Services Search Service Settings page, in the Service Account section, specify the user name and password for the user account under which the Search service will run.
6. In the Content Access Account section, specify the user name and password for the user account that the Search service will use to crawl content. This account must have read access to all the content you want it to search; read access is sufficient, so do not grant it more. If you do not enter credentials, the Search service account is used for crawling as well.
7. In the Indexing Schedule section, either accept the default settings, or specify the schedule that you want the Search service to use when crawling content.
8. After you have configured all the settings, click Start.

Configure Windows Firewall with Advanced Security

After you create Web applications in your server farm, you must use Windows Firewall with Advanced Security in Windows Server 2008 to open ports on the computers that host Web applications. On computers that do not host any Web applications, you only need to open the ports for the SSP. By default, port 80 is open on Web servers, but to be able to communicate with other computers you must open the port for Central Administration and, for the SSP, ports 56737 and 56738. You must also open the ports for any additional Web applications that you create in your server farm.

The default configuration of the Windows Server 2008 firewall is to block all unsolicited inbound connections unless a rule allows them. Make sure you create the exceptions in the currently active profile (Private, Public, or Domain) when you change port rules; exceptions created in the wrong profile have no effect.

Note: If you configure host headers in IIS, the Web applications are all created on port 80 and you may not have to perform the procedures in this section. If, however, you use host header mode in Windows SharePoint Services 3.0 to create multiple domain-named sites in a single Web application, you still need to perform the following procedure to determine which ports the Web applications, including Central Administration, use in your server farm.

Determine ports used by Web applications

1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
2. On the Central Administration site, click Application Management.
3. On the Application Management page, in the SharePoint Web Application Management section, click Web application list.
4. On the Web Application List page, in the URL column, the server name and port number are listed for each Web application.

Use Windows Firewall with Advanced Security to open the ports required for your server farm as identified in the Determine ports used by Web Applications (http://technet.microsoft.com/en-us/library/cc263408.aspx#BKMK_DeterminePortsUsedByWebApplications) procedure. For ease of management, we recommend that you create one rule per Web application and one rule for the two SSP ports. Alternatively, for more centralized rule management, you can create a single rule that covers all the ports. For Web applications you only need a rule that allows incoming connections; the rule for the two SSP ports must allow both incoming and outgoing traffic.

Configure Windows Firewall with Advanced Security

1. Click Start, point to All Programs, point to Administrative Tools, and then click Windows Firewall with Advanced Security.
2. In the User Account Control dialog box, click Continue.
3. In the details pane, in the Overview section, verify that the domain profile is active: the domain network location entry should read Domain Profile is Active.
4. In the Domain Profile is Active area, check how inbound connections are handled:
   - If it reads Inbound connections that do not match a rule are allowed, you do not need to complete this procedure.
   - If it reads Inbound connections that do not match a rule are blocked, proceed to the next step to configure the firewall to allow Office SharePoint Server 2007 traffic.
5. In the console tree, select Inbound Rules, and then in the Actions pane click New Rule.
6. Complete the New Inbound Rule Wizard using the settings from the following table.

   Wizard page          Settings
   Rule Type            Select Port.
   Protocol and Ports   Select TCP. Select Specific local ports. In the Specific local ports text box, type all the port numbers that you need.
   Action               Select Allow the connection.
   Profile              Select Domain. Clear Private and Public.
   Name                 In the Name and Description text boxes, type information that is descriptive and meaningful for your network administrators. As a best practice, assign each firewall rule a unique name; unique names make the rules easier to manage with Windows Server 2008 Network Shell (Netsh) commands.

7. In the console tree, select Outbound Rules, and then in the Actions pane click New Rule.
8. Complete the New Outbound Rule Wizard using the settings from the following table.

   Wizard page          Settings
   Rule Type            Select Port.
   Protocol and Ports   Select TCP. Select Specific local ports. In the Specific local ports text box, type all the port numbers that you need.
   Action               Select Allow the connection.
   Profile              Select Domain. Clear Private and Public.
   Name                 In the Name and Description text boxes, type information that is descriptive and meaningful for your network administrators. As a best practice, assign each firewall rule a unique name; unique names make the rules easier to manage with Windows Server 2008 Network Shell (Netsh) commands.

For more information about Windows Firewall with Advanced Security, see Windows Firewall (http://go.microsoft.com/fwlink/?LinkID=84639).
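The two wizard tables above map directly onto the Netsh commands they mention. The following PowerShell 2.0 script is an added example, not part of the original document, that performs the same procedure from an elevated prompt on Windows Server 2008: it checks that the Domain profile is active and blocks unmatched inbound connections, creates one uniquely named inbound rule per Web application (Central Administration included) and a pair of rules for the two SSP ports, all scoped to the Domain profile, then reads the result back. The port numbers 80, 8080 and 13000 are placeholders; take the real values from the Web application list in Central Administration. One deliberate difference from the outbound table: for calls this server makes to the SSP Web services on other farm servers, the port that identifies the traffic is the remote port, so the outbound rule uses remoteport rather than localport. Windows Firewall allows outbound traffic by default, so that rule only matters where outbound filtering has been switched on.

```powershell
# Added example (not from the document): netsh equivalent of the GUI procedure above,
# for PowerShell 2.0 on Windows Server 2008. Run from an elevated prompt.
# Port values are placeholders; read the real ones from Central Administration's
# Web application list as described in 'Determine ports used by Web Applications'.
param(
    [int[]]$WebAppPorts          = @(80, 8080),      # assumption: content Web application ports
    [int]  $CentralAdminPort     = 13000,            # assumption: Central Administration port
    [int[]]$SspPorts             = @(56737, 56738),  # SSP ports named in the document
    [bool] $HostsWebApplications = $true             # $false on an index/query server with no Web applications
)

function Join-Ports([int[]]$ports) { $ports -join ',' }   # netsh wants "80,8080"

# 1. Rules only take effect in the active profile. Check that it is the Domain profile and
#    whether unsolicited inbound connections are blocked (the case the procedure covers).
$fwState = netsh advfirewall show currentprofile
if (-not ($fwState -match 'Domain Profile Settings')) {
    Write-Warning 'The Domain profile is not active; the rules below are scoped to it and will not apply until it is.'
}
if (-not ($fwState -match 'BlockInbound')) {
    # Unsolicited inbound traffic is already allowed, so the procedure says nothing is needed;
    # but a firewall that allows everything inbound protects nothing. Consider:
    #   netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
    Write-Warning 'Inbound connections that do not match a rule are currently allowed; nothing to open.'
    exit 0
}

# 2. One inbound rule per Web application (plus one for Central Administration),
#    Domain profile only, each with a unique name as the procedure recommends.
$inbound = @{}
if ($HostsWebApplications) {
    $inbound["SharePoint Central Administration TCP $CentralAdminPort"] = @($CentralAdminPort)
    foreach ($p in $WebAppPorts) { $inbound["SharePoint Web application TCP $p"] = @($p) }
}
foreach ($name in $inbound.Keys) {
    netsh advfirewall firewall add rule name="$name" dir=in action=allow protocol=TCP `
        localport=$(Join-Ports $inbound[$name]) profile=domain `
        description="Office SharePoint Server 2007 Web application"
}

# 3. The two SSP ports are needed in both directions. Inbound: other farm servers call the
#    SSP Web services hosted here. Outbound: this server calls them on other servers, so the
#    identifying port is the remote port. (Windows Firewall allows outbound traffic by
#    default, so the outbound rule only matters if outbound filtering has been turned on.)
$ssp = Join-Ports $SspPorts
netsh advfirewall firewall add rule name="SharePoint SSP TCP $ssp (in)"  dir=in  action=allow protocol=TCP localport=$ssp  profile=domain
netsh advfirewall firewall add rule name="SharePoint SSP TCP $ssp (out)" dir=out action=allow protocol=TCP remoteport=$ssp profile=domain

# 4. Read back what exists so the result can be reviewed, or repeated on the other servers.
netsh advfirewall firewall show rule name=all | Select-String -Pattern '^Rule Name:\s+SharePoint'
```

On a server that hosts no Web applications, run it with -HostsWebApplications $false so that only the SSP rules are created, which is what the opening paragraph of this section calls for.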

Perform additional configuration tasks

After the initial installation and configuration of Office SharePoint Server 2007, you can configure several additional settings. The configuration of additional settings is optional, but many key features are not available unless these settings are configured.

Configure incoming e-mail settings
You can configure incoming e-mail settings so that SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-mail settings so that SharePoint sites can archive e-mail discussions as they happen, save documents, and send meeting requests to site calendars. In addition, you can configure the SharePoint Directory Management Service to provide support for e-mail distribution list creation and management. For more information, see Configure incoming e-mail settings.

Configure outgoing e-mail settings
You can configure outgoing e-mail settings so that your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and notifications to site administrators. You can configure both the "From" e-mail address and the "Reply" e-mail address that appear in outgoing alerts. You can also configure outgoing e-mail settings for all Web applications or for only one Web application. For more information, see Configure outgoing e-mail settings and Configure outgoing e-mail settings for a specific Web application.

Configure workflow settings
You can configure workflow settings to enable end users to create their own workflows by using code pre-generated by administrators. You can also configure whether internal users without site access can receive workflow alerts, and whether external users can participate in workflows by receiving copies of documents by e-mail. For more information, see Configure workflow settings.

Configure diagnostic logging settings
You can configure several diagnostic logging settings to help with troubleshooting. These include enabling and configuring trace logs, event messages, user-mode error messages, and Customer Experience Improvement Program events. For more information, see Configuring diagnostic logging settings.

Configure single sign-on
You can configure single sign-on settings in the farm. Single sign-on enables you to connect to external data sources by using Excel Calculation Services or the Business Data Catalog. For more information, see Configure single sign-on.

Configure antivirus settings
You can configure several antivirus settings if you have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus settings allow you to control whether documents are scanned on upload or on download, and whether users can download infected documents. You can also specify how long you want the antivirus program to run before it times out, and you can specify how many execution threads the antivirus program can use on the server. For more information, see Configure antivirus settings.

You can use the following procedure to configure optional administrative settings by using SharePoint Central Administration.

Configure administrative settings using SharePoint Central Administration

1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
2. On the SharePoint Central Administration home page, in the Administrator Tasks list, click the administrative task that you want to perform.
3. On the Administrator Tasks page, next to Action, click the task.

Create a site collection and a SharePoint site

This section guides you through the process of creating a single site collection containing a single SharePoint site. You can create many site collections and many sites under each site collection. For more information, see Chapter overview: Deploy and configure SharePoint sites. For information about planning SharePoint sites and site collections, see Plan Web site structure and publishing (http://technet.microsoft.com/en-us/library/cc262789.aspx).

Before you can create a site or a site collection, you must first create a Web application. A Web application is composed of an Internet Information Services (IIS) site with a unique application pool. When you create a new Web application, you also create a new content database and define the authentication method used to connect to the database. If you are in an extranet environment where you want different users to access content by using different domains, you might also need to extend a Web application to another IIS Web site. This action exposes the same content to different sets of users by using an additional IIS Web site to host the same content.

Create a new Web application

1. Click Start, point to All Programs, point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the SharePoint Web Application Management section, click Create or extend Web application.
4. On the Create or Extend Web Application page, in the Adding a SharePoint Web Application section, click Create a new Web application.
5. On the Create New Web Application page, in the IIS Web Site section, configure the settings for your new Web application.
   a. To use an existing Web site, select Use an existing Web site, and specify the Web site on which to install your new Web application by selecting it from the drop-down menu.
   b. To create a new Web site, select Create a new IIS Web site, and then type the name of the Web site in the Description box.
   c. In the Port box, type the port number you want to use to access the Web application. If you are creating a new Web site, this field is populated with a suggested port number. If you are using an existing Web site, this field is populated with the current port number.
   d. In the Host Header box, type the URL you wish to use to access the Web application. This is an optional field.
   e. In the Path box, type the path to the site directory on the server. If you are creating a new Web site, this field is populated with a suggested path. If you are using an existing Web site, this field is populated with the current path.
6. In the Security Configuration section, configure authentication and encryption for your Web application.
   a. In the Authentication Provider section, choose either Negotiate (Kerberos) or NTLM.
      Note: To enable Kerberos authentication, you must perform additional configuration tasks. For more information about authentication methods, see Plan authentication methods (http://technet.microsoft.com/en-us/library/cc262350.aspx).
   b. In the Allow Anonymous section, choose Yes or No. If you choose to allow anonymous access, this enables anonymous access to the Web site using the computer-specific anonymous access account (IUSR_<computername> on Windows Server 2003; the built-in IUSR account on Windows Server 2008).
      Note: If you want users to be able to access any site content anonymously, you must enable anonymous access for the entire Web application. Later, site owners can configure how anonymous access is used within their sites. For more information about anonymous access, see Determine which Windows security groups and accounts to use for granting access to sites.
   c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you choose to enable SSL for the Web site, you must configure SSL by requesting and installing an SSL certificate.
      Important: If you use SSL, you must add the appropriate certificate on each server by using IIS administration tools. For more information about using SSL, see Plan for secure communication within a server farm (http://technet.microsoft.com/en-us/library/cc263077.aspx).
7. In the Load Balanced URL section, type the URL for the domain name for all sites that users will access in this Web application. This URL domain will be used in all links shown on pages within the Web application. By default, the box is populated with the current server name and port. The Zone box is automatically set to Default for a new Web application, and cannot be changed from this page. To change the zone for a Web application, see Extend an existing Web application.
8. In the Application Pool section, choose whether to use an existing application pool or create a new application pool for this Web application.
   a. To use an existing application pool, select Use existing application pool, and then select the application pool you wish to use from the drop-down menu.
   b. To create a new application pool, select Create a new application pool, and then in the Application pool name box, type the name of the new application pool, or keep the default name.
   c. In the Select a security account for this application pool section, select Predefined to use an existing application pool security account, and then select the security account from the drop-down menu.
   d. Select Configurable to use an account that is not currently being used as a security account for an existing application pool. In the User name box, type the user name of the account you wish to use, and then, in the Password box, type the password for the account.
9. In the Reset Internet Information Services section, choose whether to allow Windows SharePoint Services to restart IIS on other farm servers. The local server must be restarted manually for the process to finish. If this option is not selected, and you have more than one server in the farm, you must wait until the IIS Web site is created on all servers and then run iisreset /noforce on each Web server. The new IIS site is not usable until that action is completed. The choices are unavailable if your farm only contains a single server.
10. In the Database Name and Authentication section, choose the database server, database name, and authentication method for your new Web application.

   Item                      Action
   Database Server           Type the name of the database server and SQL Server instance you want to use in the format <SERVERNAME>\<instance>. You may also use the default entry.
   Database Name             Type the name of the database, or use the default entry.
   Database Authentication   Choose whether to use Windows authentication (recommended) or SQL authentication. If you want to use Windows authentication, leave this option selected. If you want to use SQL authentication, select SQL authentication. In the Account box, type the name of the account you want the Web application to use to authenticate to the SQL Server database, and then type the password in the Password box.

11. Click OK to create the new Web application, or click Cancel to cancel the process and return to the Application Management page.
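Steps 6 and 8 of the procedure above decide, per Web application and zone, the authentication provider, whether anonymous access is allowed, whether SSL is used, and which account the application pool runs as. Once a farm has several Web applications, those choices are hard to review one page at a time. The following PowerShell 2.0 script is an added example, not part of the original document, that uses the Windows SharePoint Services 3.0 object model (Microsoft.SharePoint.dll, present on every server with Office SharePoint Server 2007 installed) to list those settings for every Web application and zone, then prints the review points a practitioner would want: anonymous access switched on, Kerberos zones that need an SPN, SSL zones that need the certificate on every Web server, and content Web applications that share the Central Administration application pool account, which this document's configuration wizard section identifies as the farm account holding dbcreator and securityadmin on SQL Server. Run it on a farm server as a farm administrator.

```powershell
# Added example (not from the document): list the security-relevant settings of every
# Web application and zone in the farm, using the Windows SharePoint Services 3.0 object
# model, so the choices made in 'Create a new Web application' can be reviewed together.
# PowerShell 2.0; run on a farm server as a farm administrator.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

$centralAdmin  = [Microsoft.SharePoint.Administration.SPAdministrationWebApplication]::Local
$caPoolAccount = $centralAdmin.ApplicationPool.Username
$webApps = @($centralAdmin) +
           @([Microsoft.SharePoint.Administration.SPWebService]::ContentService.WebApplications)

$rows = foreach ($wa in $webApps) {
    # Each zone (Default, Intranet, Internet, Custom, Extranet) is a separate IIS Web site
    # with its own authentication, anonymous-access and SSL settings.
    foreach ($zone in @($wa.IisSettings.Keys)) {
        $iis = $wa.IisSettings[$zone]
        $url = $wa.GetResponseUri($zone)
        $auth = if ($iis.AuthenticationMode -ne 'Windows') { $iis.AuthenticationMode.ToString() }
                elseif ($iis.DisableKerberos) { 'NTLM' }
                else { 'Negotiate (Kerberos)' }
        New-Object PSObject -Property @{
            WebApplication = $wa.Name
            Zone           = $zone.ToString()
            Url            = $url
            Ssl            = (@($iis.SecureBindings).Count -gt 0)
            Authentication = $auth
            Anonymous      = $iis.AllowAnonymous
            AppPoolAccount = $wa.ApplicationPool.Username
        }
    }
}
$rows | Sort-Object WebApplication, Zone |
    Format-Table WebApplication, Zone, Url, Ssl, Authentication, Anonymous, AppPoolAccount -AutoSize

# Points to review before users are given the URLs.
foreach ($r in $rows) {
    $where = "$($r.WebApplication) [$($r.Zone)]"
    if ($r.Anonymous) {
        Write-Warning "$where allows anonymous access at the Web application level; confirm this is intended."
    }
    if ($r.Authentication -eq 'Negotiate (Kerberos)') {
        Write-Host "$where uses Kerberos: an HTTP SPN for $($r.Url.Host) must be registered on $($r.AppPoolAccount)."
    }
    if ($r.Ssl) {
        Write-Host "$where uses SSL: the certificate must be installed in IIS on every Web server in the farm."
    }
    if ($r.WebApplication -ne $centralAdmin.Name -and $r.AppPoolAccount -ieq $caPoolAccount) {
        Write-Warning "$where runs as the Central Administration (farm) account $caPoolAccount, which holds dbcreator and securityadmin on SQL Server; give content Web applications their own, less privileged account."
    }
}
```

The Url column doubles as the port list that the firewall section of this document asks you to collect from the Web application list page.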

Use the following procedure to create a site collection.

Create a site collection

1. On the top link bar, click Application Management.
2. On the Application Management page, in the SharePoint Site Management section, click Create site collection.
3. On the Create Site Collection page, in the Web Application section, if the Web application in which you want to create the site collection is not selected, click Change Web Application on the Web Application menu, and then on the Select Web Application page, click the Web application in which you want to create the site collection.
4. In the Title and Description section, type the title and description for the site collection.
5. In the Web Site Address section, in the URL area, select the path to use for your URL (such as an included path like /sites/ or the root directory, /). If you select a wildcard inclusion path, such as /sites/, you must also type the site name to use in your site's URL.
   Note: The paths available for the URL option are taken from the list of managed paths that have been defined as wildcard inclusions. For more information about managed paths, see Define managed paths (http://technet.microsoft.com/en-us/library/cc263179.aspx) in the Central Administration Help system.
6. In the Template Selection section, in the Select a template list, select the template that you want to use for the top-level site in the site collection.
7. In the Primary Site Collection Administrator section, enter the user name (in the form DOMAIN\user name) for the user who will be the site collection administrator.
8. If you want to identify a user as the secondary owner of the new top-level Web site (recommended), in the Secondary Site Collection Administrator section, enter the user name for the secondary administrator of the site collection.
9. If you are using quotas to limit resource use for site collections, in the Quota Template section, click a template in the Select a quota template list.
10. Click OK.

Use the following procedure to create a SharePoint site.

Create a SharePoint site

1. On the SharePoint Central Administration home page, click the Application Management tab on the top link bar.
2. On the Application Management page, in the SharePoint Site Management section, click Site collection list.
3. On the Site Collection List page, in the URL column, click the URL for the site collection to which you want to add a site. The full URL path for the site collection appears in the URL box.
4. Copy and paste the full URL path into your browser, and then, on the home page of the top-level site for the site collection, on the Site Actions menu, click Create.
5. On the Create page, in the Web Pages section, click Sites and Workspaces.
6. On the New SharePoint Site page, in the Title and Description section, type a title and description for the site.
7. In the Web Site Address section, type a URL for the site.
8. In the Template Selection section, select a template from the tabbed template control.
9. Either change other settings, or click Create to create the site. The new site opens.

After creating sites, you might want to configure alternate access mappings. Alternate access mappings direct users to the correct URLs during their interaction with Office SharePoint Server 2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for example). Alternate access mappings enable Office SharePoint Server 2007 to map Web requests to the correct Web applications and sites, and they enable Office SharePoint Server 2007 to display the correct site. For more information, see Plan alternate access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).

Configure the trace log

Trace log files can help you to troubleshoot issues related to configuration changes of the Windows SharePoint Services Search service. The trace log can also be useful for analyzing problems that might occur. For example, you can use events that are written to the trace log to identify what configuration changes were made in Office SharePoint Server 2007 before the problem occurred.

Because problems related to configuration changes are not always immediately discovered, we recommend that you save all trace log files that the system creates on any day that you make any configuration changes related to the Search service. Store these log files for an extended period of time in a safe location that will not be overwritten. By default, Office SharePoint Server 2007 saves two days of events in the trace log files; trace log files that contain events older than two days are deleted. When using the Windows SharePoint Services Search service, we recommend that you configure the trace log to save seven days of events.

You can use the Diagnostic Logging page in Central Administration to configure the maximum number of trace log files to maintain and the duration (in minutes) to capture events to each log file. By default, 96 log files are kept, each one containing 30 minutes of events: 96 log files x 30 minutes of events per file = 2,880 minutes, or two days of events. You can also specify where the log files are written or accept the default path. See step 3 in the following procedure to determine where the system stores trace log files.

Configure the trace log to save seven days of events

1. In Central Administration, on the Operations tab, in the Logging and Reporting section, click Diagnostic logging.
2. On the Diagnostic Logging page, in the Trace Log section, do the following:
   - In the Number of log files box, type 336.
   - In the Number of minutes to use a log file box, type 30.
   Tip: To save 10,080 minutes (seven days) of events, you can use any combination of number of log files and minutes per log file whose product is 10,080.
3. Ensure that the path specified in the Path box has enough room to store the extra log files, or change the path to another location.
   Tip: We recommend that you store log files on a hard drive partition that is used to store log files only.
4. Click OK.

Configure Windows Server Backup


If you want to use Windows Server Backup with Windows SharePoint Services 3.0, you must configure the following registry keys. If you do not configure these registry keys, Windows Server Backup will not work properly with Windows SharePoint Services 3.0. Important: You must be logged on as a member of the Administrators group on the local server computer to edit the registry. Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. Configure registry keys for Windows Server Backup 1. Click Start, click Run, and in the Open box, type regedit, and then click OK. 2. In the User Account Control dialog box, click Continue to open the Registry Editor. 3. In the Registry Editor, locate the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ 4. On the Edit menu, click New, and then click Key. 5. Type WindowsServerBackup, and then press ENTER. 6. Select the WindowsServerBackup key, and then on the Edit menu, click New, and then click Key.
93

7. Type Application Support, and then press ENTER. 8. Select the Application Support key, and then on the Edit menu, click New, and then click Key. 9. Type {c2f52614-5e53-4858-a589-38eeb25c6184} as the key name, and then press ENTER. This is the GUID for the WSS Writer. 10. Select the new key, and then on the Edit menu, click New, and then click String Value. 11. Type Application Identifier as the new value, and then press ENTER. 12. Right-click the Application Identifier value, and then click Modify. 13. In the Value Data box, type Windows SharePoint Services, and then click OK. 14. On the Edit menu, click New, and then click DWORD (32-bit) Value. 15. Type UseSameVssContext as the new value name, and then press ENTER. 16. Right-click the UseSameVssContext value, and then click Modify. 17. In the Value Data box, type 00000001, and then click OK.


Install Office SharePoint Server 2007 by using the command line


In this section:
  Install software requirements
  Determine required accounts for installation
  Install Microsoft Office SharePoint Server 2007 by running Setup at a command prompt
  Configure the server by using the Psconfig command-line tool
  Perform additional configuration tasks
  Create a Shared Services Provider (SSP) by using the Stsadm command-line tool
  Create a site collection by using the Stsadm command-line tool
  Configure the trace log

This section discusses how to do a clean installation of Microsoft Office SharePoint Server 2007 on a stand-alone server or on a server farm by using command-line tools. The command-line tools enable you to customize the configuration of Office SharePoint Server 2007. Additionally, you can streamline deployment by using command-line installations in combination with other administrator tools to automate unattended installations.
To install Office SharePoint Server 2007 on a server farm, you have to complete the following steps:
1. Plan the deployment and ensure that you have installed all the software requirements.
2. Determine the required accounts that are used during installation.
3. Install Office SharePoint Server 2007 by running Setup at a command prompt, and specifying a configuration file.
4. Configure the server by using the Psconfig command-line tool with the appropriate options.
5. Create a Shared Services Provider (SSP) by using the Stsadm command-line tool (only applies on server-farm installations).
6. Create a site collection by using the Stsadm command-line tool (only applies on server-farm installations).

Install software requirements


Before you run Setup, you must perform several actions to prepare the deployment. For more information about the complete list of actions you must perform before installation, see Chapter overview: Install Office SharePoint Server 2007 in a server farm environment.
Ensure that you have the following software requirements before you run Setup:
  Office SharePoint Server 2007 on a clean installation of the Windows Server 2003 operating system with the most recent service pack. To install Office SharePoint Server 2007 on Windows Server 2008, see Installing Microsoft Office SharePoint Server 2007 on Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=122586&clcid=0x409).
  Note: All the instances of Office SharePoint Server 2007 in the farm must be in the same language. For example, you cannot have both English and Japanese versions of Office SharePoint Server 2007 in the same farm.
  The Microsoft .NET Framework version 3.0. The .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features.
  Note: You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=110508).
  ASP.NET 2.0 enabled in the Internet Information Services (IIS) Manager on all servers that are running Office SharePoint Server 2007.
  Microsoft SQL Server 2000 or Microsoft SQL Server 2005 with the most recent service pack running on at least one database server before you install Office SharePoint Server 2007 on the Web servers.

To deploy a server farm, you must have at least one server computer acting as a Web server and an application server, and one server computer acting as a database server.

Determine required accounts for installation


Before installing Office SharePoint Server 2007 at a command prompt, you should understand the three-tier security model for Office SharePoint Server 2007 and the detailed account permissions that are required for each configuration. For more information, see the following resources:
  Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx)
  Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx)
  Office SharePoint Server Security Account Requirements (http://go.microsoft.com/fwlink/?LinkID=92883&clcid=0x409)


The following table describes the accounts that are used during installation and configuration of Office SharePoint Server 2007. These accounts must be created and configured before you run Setup.
Account: Setup user account
Purpose: The Setup user account is used to run the following:
  Setup on each server.
  The SharePoint Products and Technologies Configuration Wizard.
  The Psconfig command-line tool.
  The Stsadm command-line tool.
Requirements:
  Domain user account.
  Member of the Administrators group on each server on which Setup is run.
  SQL Server login on the computer that is running SQL Server.
  Member of the following SQL Server security roles:
    securityadmin fixed server role
    dbcreator fixed server role
  If you run Stsadm command-line tool commands that read from or write to a database, the Setup user account must be a member of the db_owner fixed database role for the database.

Account: Server farm account or database access account
Purpose: The server farm account is used to:
  Configure and manage the server farm.
  Act as the application pool identity for the SharePoint Central Administration application pool.
  Run the Windows SharePoint Services Timer service.
Requirements:
  Domain user account.
  If the server farm is a child farm with Web applications that consume shared services from a larger farm, the server farm account must be a member of the db_owner fixed database role on the configuration database of the larger farm.
  Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm. The server farm account is automatically added as a SQL Server login on the computer that is running SQL Server, and added to the following SQL Server security roles:
    dbcreator fixed server role
    securityadmin fixed server role
    db_owner fixed database role for all databases in the server farm
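The permissions in the table above are easy to get slightly wrong (a login that is missing, or a Setup account that was simply made sysadmin to save time), and Setup and Psconfig only tell you about it after they have started. The following added example, which is not part of the original documentation, checks both accounts from a server that will run Setup. The instance name SQL01\SHAREPOINT and the account names CONTOSO\spsetup and CONTOSO\spfarm are placeholders; replace them with your own. The SQL check reads the syslogins compatibility view, which exists on both SQL Server 2000 and SQL Server 2005, over a connection that uses the caller's Windows credentials, so run it as a login that can see server metadata (securityadmin or VIEW ANY DEFINITION); otherwise other logins appear not to exist.

```powershell
# Added example, not from the original page: verifies the account requirements
# in the table above. Instance and account names below are assumptions.

$SqlInstance  = 'SQL01\SHAREPOINT'   # database server\instance (assumed)
$SetupAccount = 'CONTOSO\spsetup'    # Setup user account (assumed)
$FarmAccount  = 'CONTOSO\spfarm'     # server farm / database access account (assumed)

function Test-LocalAdministrator {
    # Direct members of the local Administrators group only: nested group membership
    # is not expanded, so an account that is only inside a domain group is not seen.
    param([string]$Account)
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    # ADsPath looks like WinNT://DOMAIN/name; normalise to DOMAIN\name for comparison.
    $names = @($members | ForEach-Object { ($_ -replace '^WinNT://', '') -replace '/', '\' })
    return [bool]($names -contains $Account)   # -contains compares case-insensitively
}

function Get-SqlLoginRoles {
    # Reads the login's fixed server role flags from master..syslogins using the
    # caller's Windows credentials. Parameterised query: the login name is never
    # concatenated into SQL text.
    param([string]$Instance, [string]$Login)
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT sysadmin, securityadmin, dbcreator FROM master..syslogins WHERE loginname = @login'
        [void]$cmd.Parameters.AddWithValue('@login', $Login)
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            return New-Object PSObject -Property @{
                HasLogin      = $true
                SysAdmin      = [bool]$reader['sysadmin']
                SecurityAdmin = [bool]$reader['securityadmin']
                DbCreator     = [bool]$reader['dbcreator']
            }
        }
        return New-Object PSObject -Property @{ HasLogin = $false; SysAdmin = $false; SecurityAdmin = $false; DbCreator = $false }
    } finally {
        $conn.Close()
    }
}

$findings = @()

# Setup user account: local Administrator on this server, SQL login with securityadmin and dbcreator.
$setupRoles = Get-SqlLoginRoles -Instance $SqlInstance -Login $SetupAccount
if (-not (Test-LocalAdministrator $SetupAccount)) { $findings += "$SetupAccount is not a member of Administrators on $env:COMPUTERNAME; Setup and Psconfig will fail here." }
if (-not $setupRoles.HasLogin)      { $findings += "$SetupAccount has no SQL Server login on $SqlInstance." }
if (-not $setupRoles.SecurityAdmin) { $findings += "$SetupAccount lacks the securityadmin fixed server role." }
if (-not $setupRoles.DbCreator)     { $findings += "$SetupAccount lacks the dbcreator fixed server role." }
if ($setupRoles.SysAdmin)           { $findings += "$SetupAccount is sysadmin; the requirements call only for securityadmin and dbcreator." }

# Server farm account: Psconfig grants its SQL permissions itself, so before Setup it only
# needs to exist as a domain account. A pre-existing sysadmin membership is excess privilege.
$farmRoles = Get-SqlLoginRoles -Instance $SqlInstance -Login $FarmAccount
if ($farmRoles.SysAdmin) { $findings += "$FarmAccount is sysadmin; Psconfig only needs to add dbcreator and securityadmin." }

if ($findings.Count -eq 0) { Write-Host 'Account requirements satisfied.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run the script once per server that will run Setup, because the Administrators membership is checked on the local computer only; the SQL checks are the same from every server.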

Install Microsoft Office SharePoint Server 2007 by running Setup at a command prompt
After you have determined the required accounts for the installation, you can install Office SharePoint Server 2007. The product DVD contains examples of configuration (Config.xml) files. These example files are stored under the \Files folder in the root directory of the DVD, in folders that correspond to different scenarios. These example files are described in the following table.


Configuration file                   Description
Setup\Config.xml                     Stand-alone server installation, using Microsoft SQL Server 2005 Express Edition
SetupFarm\Config.xml                 Server farm installation
SetupFarmSidebySide\Config.xml       Gradual upgrade of an existing farm
SetupFarmSilent\Config.xml           Server farm installation in silent mode
SetupFarmUpgrade\Config.xml          In-place upgrade of an existing farm
SetupSilent\Config.xml               Stand-alone server installation, using SQL Server 2005 Express Edition, in silent mode
SetupSingleUpgrade\Config.xml        In-place upgrade of an existing single-server installation

Important: The example configuration files that are included with Office SharePoint Server 2007 omit the <Setting Id="SETUP_REBOOT" Value="Never"/> setting. You must include this setting if you want to suppress restarts during a command-line installation.
Example
The following example shows the configuration file for setting up a single server in silent mode (SetupSilent).
   <Configuration>
     <Package Id="sts">
       <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
       <Setting Id="REBOOT" Value="ReallySuppress"/>
       <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
     </Package>
     <Package Id="spswfe">
       <Setting Id="SETUPCALLED" Value="1"/>
       <Setting Id="REBOOT" Value="ReallySuppress"/>
       <Setting Id="OFFICESERVERPREMIUM" Value="1" />
     </Package>
     <Logging Type="verbose" Path="%temp%" Template="Office Server Setup(*).log"/>
     <Display Level="none" CompletionNotice="no" />
     <PIDKEY Value="Enter PID Key Here" />
     <Setting Id="SERVERROLE" Value="SINGLESERVER"/>
     <Setting Id="USINGUIINSTALLMODE" Value="0"/>
   </Configuration>
Run Setup with a Config.xml file at a command prompt
1. On the drive on which the Office SharePoint Server 2007 product DVD is located, change to the root directory to locate the setup.exe file.
2. Run Setup with the selected Config.xml file:
   setup /config <path and file name>
   Note: You can select one of the example files, or customize your own configuration file.
3. Press ENTER. Setup is now finished.
Example
To run Setup in silent mode, type one of the following commands at a command prompt, and then press ENTER:
   setup /config Files\SetupSilent\config.xml (for a single server deployment)
   setup /config Files\SetupFarmSilent\config.xml (for a farm deployment)

You can also customize your own configuration file. To control the installation, first edit the Config.xml file in a text editor to include the elements that you want with the appropriate settings for those elements. Then run setup /config <path and file name> to specify that Setup runs and uses the options that you set in the Config.xml file. Some typical configuration options include the following:
  Bypassing the prompt for the product key by providing the key as a value, <PIDKEY Value="Enter PID Key Here" />, in the Config.xml file.
  Adding a location for a log file, <Logging Type="off" | "standard" (default) | "verbose" Path="path" Template="file name.log"/>, which you can view if command-line installation fails.
Important: Use a text editor, such as Notepad, to edit Config.xml. Do not use a general-purpose XML editor such as Microsoft Office Word 2007.
For more information about the options available for customizing the configuration file, see Config.xml reference (http://technet.microsoft.com/en-us/library/cc261668.aspx). For more information about the command-line options for Setup, see Setup.exe command-line reference (http://technet.microsoft.com/en-us/library/cc262897.aspx).
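Because a silent Setup cannot ask questions, the mistakes listed above (a PIDKEY still set to the placeholder, the missing SETUP_REBOOT setting, logging left off) only show up as a failed or half-finished installation. The following added example, not part of the original documentation, parses a Config.xml before Setup is run, reports those three problems, and writes a copy with SETUP_REBOOT="Never" added. The XML it checks is the SetupSilent example from this section, embedded as constructed input; the output path under %TEMP% is an assumption. Only Setting elements directly under Configuration are inspected, because that is where the page places SETUP_REBOOT.

```powershell
# Added example, not from the original page: pre-flight check for a Config.xml
# used with "setup /config". Input below is the SetupSilent example from this
# section, embedded as constructed test data.

$configXml = @'
<Configuration>
  <Package Id="sts">
    <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
    <Setting Id="REBOOT" Value="ReallySuppress"/>
    <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
  </Package>
  <Package Id="spswfe">
    <Setting Id="SETUPCALLED" Value="1"/>
    <Setting Id="REBOOT" Value="ReallySuppress"/>
    <Setting Id="OFFICESERVERPREMIUM" Value="1" />
  </Package>
  <Logging Type="verbose" Path="%temp%" Template="Office Server Setup(*).log"/>
  <Display Level="none" CompletionNotice="no" />
  <PIDKEY Value="Enter PID Key Here" />
  <Setting Id="SERVERROLE" Value="SINGLESERVER"/>
  <Setting Id="USINGUIINSTALLMODE" Value="0"/>
</Configuration>
'@

function Test-SetupConfig {
    # Returns one message per problem found; an empty result means the file passed.
    param([xml]$Config)
    $root = $Config.DocumentElement
    $problems = @()

    # 1. Silent Setup cannot prompt, so a missing or placeholder PIDKEY fails the install.
    $pidKey   = $root.SelectSingleNode('PIDKEY')
    $keyValue = ''
    if ($null -ne $pidKey) { $keyValue = $pidKey.GetAttribute('Value') }
    if (-not $keyValue -or $keyValue -eq 'Enter PID Key Here') {
        $problems += 'PIDKEY is missing or still set to the placeholder text.'
    }

    # 2. With Display Level="none", a pending restart happens without warning unless
    #    SETUP_REBOOT="Never" is present; the shipped example files omit it.
    $display = $root.SelectSingleNode('Display')
    $level   = ''
    if ($null -ne $display) { $level = $display.GetAttribute('Level') }
    $reboot  = $root.SelectSingleNode("Setting[@Id='SETUP_REBOOT']")
    if ($level -eq 'none' -and ($null -eq $reboot -or $reboot.GetAttribute('Value') -ne 'Never')) {
        $problems += 'Display Level is "none" but SETUP_REBOOT="Never" is not set.'
    }

    # 3. Verbose logging is the only record you get when an unattended install fails.
    $logging = $root.SelectSingleNode('Logging')
    if ($null -eq $logging -or $logging.GetAttribute('Type') -ne 'verbose') {
        $problems += 'Logging Type is not "verbose".'
    }
    return $problems
}

function Repair-SetupConfig {
    # Adds SETUP_REBOOT="Never" when absent. The product key is deliberately left for a
    # human to supply; a real key should not be baked into a script.
    param([xml]$Config)
    $root = $Config.DocumentElement
    if ($null -eq $root.SelectSingleNode("Setting[@Id='SETUP_REBOOT']")) {
        $node = $Config.CreateElement('Setting')
        $node.SetAttribute('Id', 'SETUP_REBOOT')
        $node.SetAttribute('Value', 'Never')
        [void]$root.AppendChild($node)
    }
    return $Config
}

$config = [xml]$configXml
Test-SetupConfig $config | ForEach-Object { Write-Warning $_ }

$outPath = Join-Path $env:TEMP 'config.silent.xml'   # assumed output location
(Repair-SetupConfig $config).Save($outPath)
Write-Host "Corrected Config.xml written to $outPath. PIDKEY is stored in clear text in this file; restrict who can read it."
```

For the embedded input the check reports the placeholder PIDKEY and the missing SETUP_REBOOT setting; the written copy has SETUP_REBOOT added and still needs a real key before it is handed to setup.exe.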


Configure the server by using the Psconfig command-line tool


You use the Psconfig command-line tool to configure Office SharePoint Server 2007 after Setup has finished. The tool is located at %COMMONPROGRAMFILES%\Microsoft shared\Web Server Extensions\12\bin. The configuration options are different depending on whether you install Office SharePoint Server 2007 on a stand-alone server or on a server farm. For more information about the Psconfig command-line tool and its operations and parameters, see Command-line reference for the SharePoint Products and Technologies Configuration Wizard (http://technet.microsoft.com/en-us/library/cc263093.aspx). For more information about the services and features that are registered during the configuration, see Using PSConfig.exe command-line options to complete SharePoint Server Configuration (http://go.microsoft.com/fwlink/?LinkId=122627&clcid=0x409).

Configure SharePoint Server 2007 on a stand-alone server


In stand-alone server deployments, you can run the Psconfig command-line tool with the setup command. After you have logged on by using the Setup user account that you previously created and configured, you configure Office SharePoint Server 2007.
Configure SharePoint Server 2007 on a stand-alone server by using the Psconfig command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Type the following command, and then press ENTER:
   psconfig -cmd setup
The Psconfig command-line tool describes the configuration steps as they occur, and notes the successful completion of configuration. For a stand-alone server installation, this is the final step in a command-line installation.

Configure SharePoint Server 2007 on a farm


In server farm deployments, you use the Psconfig command-line tool to create a new farm or connect to an existing farm. The Psconfig command-line tool installs the SharePoint Central Administration Web site on the first server in the farm. Therefore, we recommend that the first server on which you install Office SharePoint Server 2007 is a server from which you want to run the Central Administration Web site. The following procedure describes how to configure the first server in the farm. How to add servers to the farm is described at the end of this procedure.


Note: Ensure that you follow the procedure in the order that it is written to avoid configuration problems.
Configure SharePoint Server 2007 on a farm by using the Psconfig command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Create the configuration database:
   psconfig -cmd configdb -create -server <database server name> -database <database name> [-dbuser <domain\user name> -dbpassword <password>] -user <domain\user name> -password <password> -addomain <domain name> -adorgunit <org unit> -admincontentdatabase <Central Administration Web application content database name>
   Note: The dbuser and dbpassword parameters are only used in deployments that use SQL Server authentication. If you are using Windows authentication, these parameters are not required.
3. Install all Help collections:
   psconfig -cmd helpcollections -installall
4. Perform resource security enforcement:
   psconfig -cmd secureresources
5. Register services in the server farm:
   psconfig -cmd services -install
   Note: After installing services, you must start and configure two services, Windows SharePoint Services Search and Office SharePoint Server Search, by using the Stsadm command-line tool:
   a. stsadm -o spsearch -action start -farmserviceaccount <domain\user name> -farmservicepassword <password> [-databasename <content database name>] [-databaseserver <server instance>] [-searchserver <search server name>]
      For more information, see Spsearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc288507.aspx).
   b. stsadm -o osearch -action start -role IndexQuery -farmserviceaccount <domain\user name> -farmservicepassword <password> -farmcontactemail <user@domain.com>
      For more information, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).
   c. Provision the services of the farm:
      psconfig -cmd services -provision
6. Register all features:
   psconfig -cmd installfeatures
7. Provision the SharePoint Central Administration Web application:
   psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm
8. Install shared application data:
   psconfig -cmd applicationcontent -install
The SharePoint Central Administration Web site has now been created. We recommend that you install and configure Office SharePoint Server 2007 on all of the farm servers before you create sites.
Note: If any of these commands fail, look in the post-setup configuration log files. The log files are available at %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Logs, and can be identified by a file name that begins with PSC and the .log file name extension.
To connect to an existing configuration database and join the server to an existing server farm, run the configdb command with the -connect parameter instead of the -create parameter:
   psconfig -cmd configdb -connect -server <server name> -database <database name>
Note: Omit the -admincontentdatabase parameter, because you already supplied it when you created the configuration database.
Use the psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm command if you want to provision the SharePoint Central Administration Web application on additional servers, which reduces the risk if the server that is running the SharePoint Central Administration Web application fails.
To successfully complete the command-line installation on a server farm, you must use the Stsadm command-line tool to create the Shared Services Provider (SSP), and then a site collection for the farm. However, before you create the SSP and a site collection, we recommend that you first perform some additional configuration tasks.
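The eight steps above have to run in order, and a failure half-way leaves the server in a state that is hard to reason about. The following added example, which is not part of the original documentation, runs the first-server sequence as a script that stops at the first non-zero exit code and names the newest PSC*.log file to read. Every value in the $Farm table (SQL01\SHAREPOINT, SharePoint_Config, SharePoint_AdminContent, CONTOSO\spfarm, CONTOSO\spsearch, port 9999, the contact address) is an assumption for illustration. It omits the optional SQL authentication parameters (-dbuser/-dbpassword) and the -addomain/-adorgunit parameters, and assumes the accounts already exist. Passwords are prompted for rather than written into the script, but note the limit of that: psconfig and stsadm receive them as plain-text command-line arguments, so they are visible to anyone who can list processes on the server while a step runs, and they must not be run from a shell that logs its command lines.

```powershell
# Added example, not from the original page: first-server farm configuration
# from the procedure above as a fail-fast script. Values in $Farm are assumptions.

$ErrorActionPreference = 'Stop'
$Bin  = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\BIN'
$Logs = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\LOGS'

$Farm = @{
    DbServer    = 'SQL01\SHAREPOINT'        # assumed database server\instance
    ConfigDb    = 'SharePoint_Config'       # assumed configuration database name
    AdminDb     = 'SharePoint_AdminContent' # assumed Central Administration content database
    FarmAccount = 'CONTOSO\spfarm'          # assumed server farm account
    SearchAcct  = 'CONTOSO\spsearch'        # assumed search service account
    ContactMail = 'spadmin@contoso.com'     # assumed farm contact address
    AdminPort   = 9999                      # assumed Central Administration port
}

# Prompt for secrets instead of hard-coding them. They still reach psconfig/stsadm
# as plain-text arguments, so run this only from a session that does not log command lines.
function ConvertFrom-Secure([Security.SecureString]$s) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}
$farmPlain   = ConvertFrom-Secure (Read-Host -AsSecureString "Password for $($Farm.FarmAccount)")
$searchPlain = ConvertFrom-Secure (Read-Host -AsSecureString "Password for $($Farm.SearchAcct)")

function Invoke-Step {
    # Runs one external command; throws on a non-zero exit code and names the newest PSC log.
    param([string]$Name, [string]$Exe, [string[]]$Arguments)
    Write-Host "==> $Name"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        $log = Get-ChildItem (Join-Path $Logs 'PSC*.log') -ErrorAction SilentlyContinue |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1
        throw "Step '$Name' failed with exit code $LASTEXITCODE. Newest log: $($log.FullName)"
    }
}

$psconfig = Join-Path $Bin 'psconfig.exe'
$stsadm   = Join-Path $Bin 'stsadm.exe'

Invoke-Step 'Create configuration database' $psconfig @(
    '-cmd','configdb','-create',
    '-server',$Farm.DbServer,'-database',$Farm.ConfigDb,
    '-user',$Farm.FarmAccount,'-password',$farmPlain,
    '-admincontentdatabase',$Farm.AdminDb)
Invoke-Step 'Install Help collections'    $psconfig @('-cmd','helpcollections','-installall')
Invoke-Step 'Secure resources'            $psconfig @('-cmd','secureresources')
Invoke-Step 'Register services'           $psconfig @('-cmd','services','-install')
Invoke-Step 'Start WSS Search'            $stsadm   @('-o','spsearch','-action','start',
    '-farmserviceaccount',$Farm.SearchAcct,'-farmservicepassword',$searchPlain)
Invoke-Step 'Start Office Server Search'  $stsadm   @('-o','osearch','-action','start','-role','IndexQuery',
    '-farmserviceaccount',$Farm.SearchAcct,'-farmservicepassword',$searchPlain,
    '-farmcontactemail',$Farm.ContactMail)
Invoke-Step 'Provision services'          $psconfig @('-cmd','services','-provision')
Invoke-Step 'Install features'            $psconfig @('-cmd','installfeatures')
Invoke-Step 'Provision Central Administration' $psconfig @('-cmd','adminvs','-provision',
    '-port',"$($Farm.AdminPort)",'-windowsauthprovider','onlyusentlm')
Invoke-Step 'Install application content' $psconfig @('-cmd','applicationcontent','-install')

# Drop the plain-text copies as soon as the commands have finished with them.
$farmPlain = $null; $searchPlain = $null
Write-Host "Central Administration provisioned on port $($Farm.AdminPort)."
```

For additional servers, replace the first step with psconfig -cmd configdb -connect -server <server> -database <database> as described above and drop the -admincontentdatabase arguments; the remaining steps are the same.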

Perform additional configuration tasks


After you have installed Office SharePoint Server 2007, we recommend that you perform the following administrative tasks:
  Configure incoming e-mail settings.
  Configure outgoing e-mail settings.
  Configure workflow settings.
  Configure diagnostic logging settings.
  Configure antivirus settings.

Create a Shared Services Provider (SSP) by using the Stsadm command-line tool
After you create and configure Office SharePoint Server 2007 on a farm, you must use the Stsadm command-line tool to create the SSP for the farm. The Stsadm command-line tool is available on the installation drive for Office SharePoint Server 2007 at %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
Important: To run the Stsadm command-line tool, you must be a member of the Administrators group on the local computer.
The recommended procedure for creating an SSP is to create a Web application for the My Site host location, and a separate Web application for the Shared Services Administration Web site. To create a new Web application, use the following procedure.
Create a Web application by using the Stsadm command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Type the following command, and then press ENTER:
   stsadm -o extendvs -url <URL name> -ownerlogin <domain\user name> -owneremail <e-mail address> [-exclusivelyusentlm] [-ownername <display name>] [-databaseuser <database user name>] [-databaseserver <database server name>] [-databasename <new content database name>] [-databasepassword <database password>] [-lcid <language>] [-sitetemplate <site template>] [-donotcreatesite] [-description] [-sethostheader] [-apidname <application pool name>] [-apidtype {configurableID | NetworkService}] [-apidlogin <domain\user name>] [-apidpwd <application pool password>] [-allowanonymous]
   For more information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).
The extendvs operation creates the Web application. The donotcreatesite parameter creates the Web application without creating a site collection on the Web application.
After creating the Web applications for the My Site host location and for the Shared Services Administration Web site, you create the SSP.
Create an SSP by using the Stsadm command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Type the following command, and then press ENTER:
   stsadm -o createssp -title <SSP name> -url <Web application URL> -mysiteurl <My Site Web application URL> -ssplogin <user name> -indexserver <index server name> -indexlocation <index file path> [-ssppassword <password>] [-sspdatabaseserver <SSP database server name>] [-sspdatabasename <SSP database name>] [-sspsqlauthlogin <SQL user name>] [-sspsqlauthpassword <SQL password>] [-searchdatabaseserver <search database server name>] [-searchdatabasename <search database name>] [-searchsqlauthlogin <SQL user name>] [-searchsqlauthpassword <SQL password>] [-ssl {Yes | No}]
   For more information, see Createssp: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262773.aspx).

Example
The following command creates a Web application with the URL http://intranet:8080 that can be used to host the SSP Administration site:
   stsadm -o extendvs -url http://intranet:8080 -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -databaseserver <database server name> -databasename <SSP content database> -donotcreatesite -apidname <SSP application pool name> -apidtype {configurableID | NetworkService} -apidlogin <domain\user name> -apidpwd <password>
Similarly, you can create another Web application as the My Site host location by using the following command:
   stsadm -o extendvs -url http://intranet:8090 -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -databaseserver <database server name> -databasename <My Sites content database name> -donotcreatesite -apidname <My Sites application pool name> -apidtype {configurableID | NetworkService} -apidlogin <domain\user name> -apidpwd <password>
Then you create the SSP, named MySSP1, with MySSP1_db as its database. The -url parameter names the Web application that hosts the Shared Services Administration site (http://intranet:8080 above), and -mysiteurl names the My Site host Web application:
   stsadm -o createssp -title MySSP1 -url http://intranet:8080 -mysiteurl http://intranet:8090 -ssplogin <domain\user name> -ssppassword <password> -sspdatabaseserver <SSP database server name> -sspdatabasename MySSP1_db -indexserver <index server name> -indexlocation "D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications" -searchdatabaseserver <search database server name> -searchdatabasename <search database name>
For more information, see Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx).

Create a site collection by using the Stsadm command-line tool


You create the top-level site collection by using the same extendvs command that you used to create the Web applications for My Sites and the Shared Services Administration Web site.
Important: To run the Stsadm command-line tool, you must be a member of the Administrators group on the local computer.
Create a site collection by using the Stsadm command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Type the following command, and then press ENTER:
   stsadm -o extendvs -url <URL name> -ownerlogin <domain\user name> -owneremail <e-mail address> [-exclusivelyusentlm] [-ownername <display name>] [-databaseuser <database user name>] [-databaseserver <database server name>] [-databasename <new content database name>] [-databasepassword <database password>] [-lcid <language>] [-sitetemplate <site template>] [-donotcreatesite] [-description] [-sethostheader] [-apidname <application pool name>] [-apidtype {configurableID | NetworkService}] [-apidlogin <domain\user name>] [-apidpwd <application pool password>] [-allowanonymous]
   For more information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx) and Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx).
Example
The following command creates a site collection at http://intranet that uses the corporate intranet site template:
   stsadm -o extendvs -url http://intranet -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -sitetemplate SPSPORTAL -apidname "SharePoint AppPool" -apidtype {configurableID | NetworkService} -apidlogin <domain\user name> -apidpwd <password>
If you do not specify the site template to use, site owners can choose the site template when they first browse to the site. The following table lists common templates.
Parameter value    Description
STS#0              Team site
STS#1              Blank site
STS#2              Document workspace
MPS#0              Basic meeting workspace
MPS#1              Blank meeting workspace
MPS#2              Decision meeting workspace
MPS#3              Social meeting workspace
MPS#4              Multipage meeting workspace
BLOG#0             Blog
WIKI#0             Wiki site

If you want to create additional Web applications or site collections by using the Stsadm command-line tool, you can use either the extendvs operation or the createsite operation. The extendvs operation extends a Web application and creates a new content database. The createsite operation creates a site collection at a specific URL with a specified user as a site owner.
Note: The createsite operation does not create a new content database. If you want to create a new content database with the new site, use the createsiteinnewdb operation. For more information, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx) and Createsiteinnewdb: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262407.aspx).
The extendvs operation also enables site collection administrators to specify the language of the site collection by using the Locale ID (LCID) parameter. If you do not specify an LCID, the language of the server is used for the top-level site collection. For more information about the available LCID values, see List of Locale ID (LCID) Values as Assigned by Microsoft (http://go.microsoft.com/fwlink/?LinkId=63028&clcid=0x409).
After creating sites, you might want to configure alternate access mappings. Alternate access mappings direct users to the correct URLs during their interaction with Office SharePoint Server 2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for example). Alternate access mappings enable Office SharePoint Server 2007 to map Web requests to the correct Web applications and sites, and they enable Office SharePoint Server 2007 to serve the correct content back to the user. For more information, see Plan alternate access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).


Configure the trace log


The trace log can be useful for analyzing problems that might occur. You can use events that are written to the trace log to determine what configuration changes were made in Office SharePoint Server 2007 before the problem occurred.
By default, Office SharePoint Server 2007 saves two days of events in the trace log files. This means that trace log files that contain events that are older than two days are deleted. When you are using the Windows SharePoint Services Search service, we recommend that you configure the trace log to save seven days of events.
You can use the Diagnostic Logging page in Central Administration to configure the maximum number of trace log files to maintain, and how long (in minutes) to capture events to each log file. By default, 96 log files are kept, each one containing 30 minutes of events: 96 log files * 30 minutes of events per file = 2880 minutes, or two days of events. You can also specify where the log files are written or accept the default path.
Trace log files can help you troubleshoot issues related to configuration changes of the Windows SharePoint Services Search service. Because problems related to configuration changes are not always immediately discovered, we recommend that you save all trace log files that the system creates on any day that you make any configuration changes. Store these log files for some time in a safe location that will not be overwritten. We recommend that you store log files on a hard disk drive partition that is used to store log files only.
See Also
  Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx)
  Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx)
  Office SharePoint Server Security Account Requirements (http://go.microsoft.com/fwlink/?LinkID=110493&clcid=0x409)


Install Office SharePoint Server 2007 with least privilege administration by using the command line
In this section:
  Install software requirements
  Determine required accounts for least-privilege administration
  Install Microsoft Office SharePoint Server 2007 by using least-privilege administration
  Configure the server by using the Psconfig command-line tool
  Perform additional configuration tasks
  Create a Shared Services Provider by using the Stsadm command-line tool
  Create a site collection by using the Stsadm command-line tool
  Configure the trace log

This section discusses how to install Microsoft Office SharePoint Server 2007 on a stand-alone server or on a server farm by using least-privilege administration. The Office SharePoint Server 2007 standard configuration uses a set of user accounts and installation settings for both stand-alone servers and server farms to simplify the installation process. However, enterprises are often required to use least-privilege administration, in which each service or user is provided with only the minimum permissions and group memberships that they need to accomplish the tasks that they are authorized to perform. Installing Office SharePoint Server 2007 with least-privilege administration requires additional preparation and configuration steps. We strongly recommend that you use least-privilege administration.
To install Office SharePoint Server 2007 by using least-privilege administration on either a stand-alone server or a server farm, you complete the following steps:
1. Plan the deployment and ensure that you have installed all the software requirements.
2. Determine the required accounts that are used during installation.
3. Use the least-privilege Setup user account to install Office SharePoint Server 2007 by using Setup at a command prompt and specifying a configuration file.
4. Configure the server by using the Psconfig command-line tool with the appropriate options.
5. Create a Shared Services Provider (SSP) by using the Stsadm command-line tool (only applies on server-farm installations).
6. Create a site collection by using the Stsadm command-line tool (only applies on server-farm installations).


Install software requirements


Before running Setup, you must perform several actions to prepare the deployment. For more information about the complete list of actions you must perform before installation, see Chapter overview: Install Office SharePoint Server 2007 in a server farm environment.
Ensure that you have the following software requirements before you run Setup in any deployment:
  Office SharePoint Server 2007 on a clean installation of the Windows Server 2003 operating system with the most recent service pack. To install Office SharePoint Server 2007 on Windows Server 2008, see Installing Microsoft Office SharePoint Server 2007 on Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=122586&clcid=0x409).
  Note: All the instances of Office SharePoint Server 2007 in the farm must be in the same language. For example, you cannot have both English versions and Japanese versions of Office SharePoint Server 2007 in the same farm.
  The Microsoft .NET Framework version 3.0. The .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features. You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=110508).
  ASP.NET 2.0 enabled in the Internet Information Services (IIS) Manager on all Office SharePoint Server 2007 servers.
  Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most recent service pack running on at least one database server before you install Office SharePoint Server 2007 on the Web servers.
Note: To deploy a server farm, you must have at least one server computer acting as a Web server and an application server, and one server computer acting as a database server.

Determine required accounts for least-privilege administration


Before installing Office SharePoint Server 2007 by using least-privilege administration in any security configuration, you should understand the three-tier security model for Office SharePoint Server 2007 and the detailed account permissions that are required for each configuration. For more information, see the following topics:
  Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx)
  Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx)
  Office SharePoint Server Security Account Requirements (http://go.microsoft.com/fwlink/?LinkID=92883&clcid=0x409)

Many requirements and configuration steps for installing Office SharePoint Server 2007 by using least-privilege administration resemble the standard farm installation. For more information about the standard farm installation, see Chapter overview: Install Office SharePoint Server 2007 in a server farm environment. The following table describes the accounts that are used to install Office SharePoint Server 2007 for least-privilege administration compared to the standard account requirements for farm installation.
Account Purpose Server farm standard requirement Least-privilege administration using domain user accounts requirements

Setup user account

The Setup user account is used to run the following: Setup on each server. The SharePoint Products and Technologies Configuration Wizard. The Psconfig command-line tool. The Stsadm command-line tool.

Domain user account Member of the Administrators group on each server on which Setup is run SQL Server login on the computer that is running SQL Server Member of the following SQL Server security roles: securityadmin fixed server role dbcreator fixed server role

Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. The Setup user account should not be a member of the Administrators group on the computer that is running SQL Server.

If you run Stsadm commandline commands that read from or write to a database, the Setup user account must be a member of the db_owner fixed database role for the database.

112

Account

Purpose

Server farm standard requirement

Least-privilege administration using domain user accounts requirements

Server farm account or database access account

The server farm account is used to: Configure and manage the server farm. Act as the application pool identity for the SharePoint Central Administration Web site. Run the Windows SharePoint Services Timer service.

Domain user account. If the server farm is a child farm with Web applications that consume shared services from a larger farm, this account must be a member of the db_owner fixed database role on the configuration database of the larger farm.

Server farm standard requirements with the following additions or exceptions: Use a separate domain user account. The server farm account is not a member of the Administrators group on any server in the server farm. This includes the computer that is running SQL Server.

Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm. The server account is automatically added as a SQL Server login on the computer that is running SQL Server and added to the following SQL Server security roles: dbcreator fixed server role securityadmin fixed server role db_owner fixed database role for all databases in the server farm.

The server farm account does not require permissions to SQL Server before you create the configuration database.

113

The minimum requirements to achieve least-privilege administration include the following:
- Separate accounts are used for different services and processes.
- No executing service or process account is running with local administrator permissions.

By using separate service accounts for each service and limiting the permissions assigned to each account, you reduce the opportunity for a malicious user or process to compromise the environment. Least-privilege administration can be implemented in many ways, depending on the security configuration of each scenario. The configurations for least-privilege administration include:
- Separate domain user accounts
- SQL Server authentication
- Domain user accounts connecting to existing databases
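The account requirements above can be verified rather than assumed. The following PowerShell script is an added example, not part of the Office SharePoint Server documentation: it checks that the Setup user account is not a local Administrator on the SQL Server computer, that the server farm account is not a local Administrator on any farm server, and reports which fixed server roles SQL Server grants each account. It assumes sqlcmd.exe is on the PATH and that the caller has administrative rights on the servers being queried; all server and account names are placeholders.

```powershell
# Added example, not part of the Office SharePoint Server documentation. Checks the two
# conditions this section sets: the Setup user account is not a local Administrator on the
# computer running SQL Server, and the server farm account is not a local Administrator on
# any server in the farm. It also reports the fixed server roles SQL Server grants each
# account, so you can confirm the Setup user account holds only securityadmin and dbcreator.
# Every server and account name below is a placeholder; replace it with your own.
param(
    [string]$SqlServer     = 'SQL01',                # computer that is running SQL Server (placeholder)
    [string[]]$FarmServers = @('WEB01', 'APP01'),    # Web and application servers in the farm (placeholders)
    [string]$SetupAccount  = 'CONTOSO\spsetup',      # Setup user account (placeholder)
    [string]$FarmAccount   = 'CONTOSO\spfarm'        # server farm account (placeholder)
)

# Members of the local Administrators group on a computer, as DOMAIN\name strings.
# Uses the ADSI WinNT provider, so the caller needs administrative rights on that computer.
function Get-LocalAdministrators([string]$Computer) {
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        # ADsPath looks like WinNT://CONTOSO/spsetup; turn it into CONTOSO\spsetup.
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Fixed server roles that SQL Server reports for a Windows login (sqlcmd.exe ships with SQL Server 2005).
function Get-SqlServerRoles([string]$Server, [string]$Login) {
    $roles = 'sysadmin', 'securityadmin', 'dbcreator'
    $columns = ($roles | ForEach-Object { "IS_SRVROLEMEMBER('$_', '$Login')" }) -join ', '
    $query = "SET NOCOUNT ON; SELECT $columns"
    # -E: Windows authentication; -h -1: no column headers; -W: trim trailing spaces.
    $values = ((& sqlcmd -S $Server -E -h -1 -W -Q $query) -join ' ').Trim() -split '\s+'
    $held = @()
    for ($i = 0; $i -lt $roles.Count; $i++) {
        if ($values[$i] -eq '1') { $held += $roles[$i] }   # 0 = not a member, NULL = login not found
    }
    return $held
}

$violations = @()

# The Setup user account is an Administrator where Setup runs, but not on the SQL Server computer.
if (@(Get-LocalAdministrators $SqlServer) -contains $SetupAccount) {
    $violations += "$SetupAccount is a member of Administrators on $SqlServer"
}
# The server farm account must not be a local Administrator on any farm server, SQL Server included.
foreach ($server in ($FarmServers + $SqlServer)) {
    if (@(Get-LocalAdministrators $server) -contains $FarmAccount) {
        $violations += "$FarmAccount is a member of Administrators on $server"
    }
}
# Neither account needs sysadmin; flag it in addition to listing the roles actually held.
foreach ($account in $SetupAccount, $FarmAccount) {
    $held = Get-SqlServerRoles $SqlServer $account
    Write-Host ("{0}: SQL Server fixed server roles = {1}" -f $account, $(if ($held) { $held -join ', ' } else { 'none' }))
    if ($held -contains 'sysadmin') { $violations += "$account is a member of the sysadmin fixed server role" }
}

if ($violations.Count -eq 0) { Write-Host 'No least-privilege violations found.' }
else { $violations | ForEach-Object { Write-Warning $_ } }
```

Run it from the Setup user account after the farm is configured; the server farm account only appears as a SQL Server login once the configuration database has been created.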

Install Microsoft Office SharePoint Server 2007 by using least-privilege administration


After you have determined the required accounts for the installation, you can install Office SharePoint Server 2007. The product DVD contains examples of configuration (Config.xml) files. These example files are stored under the \Files folder in the root directory of the DVD, in folders that correspond to different scenarios. These example files are described in the following table.
Configuration file: Description
- Setup\Config.xml: Stand-alone server installation, using Microsoft SQL Server 2005 Express Edition
- SetupFarm\Config.xml: Server farm installation
- SetupFarmSidebySide\Config.xml: Gradual upgrade of an existing farm
- SetupFarmSilent\Config.xml: Server farm installation in silent mode
- SetupFarmUpgrade\Config.xml: In-place upgrade of an existing farm
- SetupSilent\Config.xml: Stand-alone server installation, using SQL Server 2005 Express Edition, in silent mode
- SetupSingleUpgrade\Config.xml: In-place upgrade of an existing single-server installation

Important: The example configuration files that are included with Office SharePoint Server 2007 omit the <Setting Id="SETUP_REBOOT" Value="Never"/> setting. You must include this setting if you want to suppress restarts during a command-line installation.


Example
The following example shows the configuration for setting up a single server in silent mode (SetupSilent).

<Configuration>
  <Package Id="sts">
    <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
    <Setting Id="REBOOT" Value="ReallySuppress"/>
    <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
  </Package>
  <Package Id="spswfe">
    <Setting Id="SETUPCALLED" Value="1"/>
    <Setting Id="REBOOT" Value="ReallySuppress"/>
    <Setting Id="OFFICESERVERPREMIUM" Value="1" />
  </Package>
  <Logging Type="verbose" Path="%temp%" Template="Office Server Setup(*).log"/>
  <Display Level="none" CompletionNotice="no" />
  <PIDKEY Value="Enter PID Key Here" />
  <Setting Id="SERVERROLE" Value="SINGLESERVER"/>
  <Setting Id="USINGUIINSTALLMODE" Value="0"/>
</Configuration>

Run Setup with a Config.xml file at a command prompt
1. On the drive on which the Office SharePoint Server 2007 product DVD is located, change to the root directory to locate the setup.exe file.
2. Run Setup with the selected Config.xml file:
   setup /config <path and file name>
   Note: You can select one of the example files, or customize your own configuration file.
3. Press ENTER. Setup is now complete.

Example
To run Setup in silent mode, type the following command at a command prompt, and then press ENTER:
   setup /config Files\SetupSilent\config.xml (for a single server deployment)
   setup /config Files\SetupFarmSilent\config.xml (for a farm deployment)

You can also customize the configuration file. To control the installation, first edit the Config.xml file in a text editor to include the elements that you want with the appropriate settings for those elements. Then run setup /config <path and file name> to specify that Setup runs and uses the options that you set in the Config.xml file. Some typical configuration options include:
- Bypassing the prompt for the product key by providing the key as a value, <PIDKEY Value="Enter PID Key Here" />, in the Config.xml file.
- Adding a location for a log file, <Logging Type="off" | "standard"(default) | "verbose" Path="path name" Template="file name.log"/>, which you can view if command-line installation fails.
Important: Use a text editor, such as Notepad, to edit Config.xml. Do not use a general-purpose XML editor such as Microsoft Office Word 2007.
For more information about the options available for customizing the configuration file, see Config.xml reference (http://technet.microsoft.com/en-us/library/cc261668.aspx). For more information about the command-line options for Setup, see Setup.exe command-line reference (http://technet.microsoft.com/en-us/library/cc262897.aspx). For more information about command-line installation, see Install Office SharePoint Server 2007 by using the command line.
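A silent Setup cannot prompt for anything it finds missing, so it pays to check the edited Config.xml before running it. The following PowerShell script is an added example, not part of the Office SharePoint Server documentation: it parses the file with the .NET XML parser and reports the omissions this section warns about (SETUP_REBOOT, the placeholder PIDKEY, and a silent install with no log). The script name Test-SetupConfig.ps1 and the -Path parameter are assumptions of this example.

```powershell
# Added example, not part of the Office SharePoint Server documentation: sanity-check a
# Config.xml before passing it to "setup /config". Save as Test-SetupConfig.ps1 and run
#   .\Test-SetupConfig.ps1 -Path D:\Files\SetupSilent\config.xml
# (the script name and parameter are assumptions of this example).
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # the Config.xml you intend to use
)

try {
    [xml]$config = Get-Content -Path $Path -Raw
} catch {
    # A file saved by a word processor or a general-purpose XML editor usually fails here.
    throw "$Path is not well-formed XML (edit Config.xml with a plain text editor such as Notepad): $_"
}
$root = $config.SelectSingleNode('/Configuration')
if (-not $root) { throw "$Path has no <Configuration> root element" }

# <Setting> elements appear both at the top level and inside <Package> elements.
$settings = @($root.SelectNodes('Setting | Package/Setting'))
function Get-SettingValue([string]$Id) {
    foreach ($s in $settings) {
        if ($s.GetAttribute('Id') -eq $Id) { return $s.GetAttribute('Value') }
    }
    return $null
}

$problems = @()

# The sample files shipped on the DVD omit SETUP_REBOOT, so Setup may restart the server.
if ((Get-SettingValue 'SETUP_REBOOT') -ne 'Never') {
    $problems += 'Missing <Setting Id="SETUP_REBOOT" Value="Never"/>; Setup may restart the server during installation.'
}

# The placeholder product key from the sample file has to be replaced before a silent run.
$pidKey = $root.SelectSingleNode('PIDKEY')
if (-not $pidKey -or [string]::IsNullOrEmpty($pidKey.GetAttribute('Value')) -or
    $pidKey.GetAttribute('Value') -eq 'Enter PID Key Here') {
    $problems += 'PIDKEY is missing or still the sample placeholder; a silent Setup cannot prompt for it.'
}

# With Display Level="none" nothing is shown on screen, so the log file is the only diagnostic.
$display = $root.SelectSingleNode('Display')
$logging = $root.SelectSingleNode('Logging')
if ($display -and $display.GetAttribute('Level') -eq 'none') {
    if (-not $logging -or $logging.GetAttribute('Type') -eq 'off') {
        $problems += 'Display Level is "none" but <Logging> is missing or Type="off"; a failed install leaves no trace.'
    }
}

# SERVERROLE decides whether this file produces a stand-alone server or a farm member.
$role = Get-SettingValue 'SERVERROLE'
Write-Host ("SERVERROLE: {0}" -f $(if ($role) { $role } else { '(not set; Setup uses its default)' }))

if ($problems.Count -eq 0) {
    Write-Host "$Path passed all checks."
    exit 0
}
foreach ($p in $problems) { Write-Warning $p }
exit 1
```

Run against the unmodified SetupSilent sample shown above, the script reports both the missing SETUP_REBOOT setting and the placeholder PIDKEY.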

Configure the server by using the Psconfig command-line tool


You use the Psconfig command-line tool to configure Office SharePoint Server 2007 after Setup has finished. The tool is located at %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin. The configuration options are different depending on whether you install Office SharePoint Server 2007 on a stand-alone server or on a server farm. For more information about the Psconfig command-line tool and its operations and parameters, see Command-line reference for the SharePoint Products and Technologies Configuration Wizard (http://technet.microsoft.com/en-us/library/cc263093.aspx). For more information about the services and features that are registered during the configuration, see Using PSConfig.exe command-line options to complete SharePoint Server Configuration (http://go.microsoft.com/fwlink/?LinkId=122627&clcid=0x409).

Configure SharePoint Server 2007 on a stand-alone server


In stand-alone server deployments that use least-privilege administration, you can run the Psconfig command-line tool with the setup command. After you have logged on by using the Setup user account that you previously created and configured, you configure Office SharePoint Server 2007.

Configure SharePoint Server 2007 by using the Psconfig command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Type the following command, and then press ENTER:
   psconfig -cmd setup
The Psconfig command-line tool describes the configuration steps as they occur, and notes the successful completion of configuration. For a stand-alone-server installation, this is the final step in a command-line installation.

Configure SharePoint Server 2007 on a farm


In server farm deployments that use least-privilege administration, you use the Psconfig command-line tool to create a new farm or connect to an existing farm. The Psconfig command-line tool installs the SharePoint Central Administration Web site on the first server in the farm. Therefore, we recommend that the first server on which you install Office SharePoint Server 2007 is a server from which you want to run the Central Administration Web site. The following procedure describes how to configure the first server in the farm.
Note: Ensure that you follow the procedure in the order that it is written to avoid configuration problems.

Configure SharePoint Server 2007 on a farm by using the Psconfig command-line tool
1. Log on by using the Setup user account that you previously created and configured.
2. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
3. Create the configuration database:
   psconfig -cmd configdb -create -server <database server name> -database <database name> -dbuser <domain\user name> -dbpassword <password> -user <domain\user name> -password <password> -addomain <domain name> -adorgunit <org unit> -admincontentdatabase <Central Administration Web application content database name>
   Note: The dbuser and dbpassword parameters are only used in deployments that use SQL Server authentication. If you are using Windows authentication, these parameters are not required.
4. Install all Help collections:
   psconfig -cmd helpcollections -installall
5. Perform resource security enforcement:
   psconfig -cmd secureresources
6. Register services in the server farm:
   psconfig -cmd services -install
   Note: After installing services, you must start and configure two services, Windows SharePoint Services Search and Office SharePoint Server Search, by using the Stsadm command-line tool:
   a. stsadm -o spsearch -action start -farmserviceaccount <domain\user name> -farmservicepassword <password> [-databasename <content database name>] [-databaseserver <server instance>] [-searchserver <search server name>]
      For more information, see Spsearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc288507.aspx).
      Note: Use the domain and user account information for the server farm account that you previously created and configured.
   b. stsadm -o osearch -action start -role IndexQuery -farmserviceaccount <domain\user name> -farmservicepassword <password> -farmcontactemail <user@domain.com>
      For more information, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).
      Note: Use the domain and user account information for the server farm account that you created and configured previously.
   c. Provision the services of the farm:
      psconfig -cmd services -provision
7. Register all features:
   psconfig -cmd installfeatures
8. Provision the SharePoint Central Administration Web application:
   psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm
9. Install shared application data:
   psconfig -cmd applicationcontent -install

The Central Administration Web site has now been created. We recommend that you install and configure Office SharePoint Server 2007 on all of the farm servers before you create sites.

Note: If any of these commands fail, look in the post-Setup configuration log files. The log files are available at %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Logs. They can be identified by a file name starting with PSC and the .log file name extension.

To connect to an existing configuration database and join the server to an existing server farm, run the configdb command together with the -connect parameter instead of the -create parameter:
   psconfig -cmd configdb -connect -server <server name> -database <database name>
Note: Omit the -admincontentdatabase parameter because you already included it when you created the configuration database.
Use the psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm command if you want to provision the SharePoint Central Administration Web application on additional servers, which reduces the risk if the server that is running the SharePoint Central Administration Web application fails.
To successfully complete command-line installation on a server farm, you must use the Stsadm command-line tool to create an SSP, and then a site collection for the farm. However, before you create a Shared Services Provider and a site collection, we recommend that you first perform some additional configuration tasks.
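Because the steps above must run in order and a failure part-way leaves the farm half-configured, a script that stops at the first failing command and points at the newest PSC*.log is useful. The following PowerShell script is an added example, not part of the Office SharePoint Server documentation: it runs the first-server sequence with Windows authentication (so the -dbuser and -dbpassword parameters are left out, as are the optional -addomain and -adorgunit parameters). All database, account and port values are placeholders, and the farm account password is prompted for rather than stored in the script.

```powershell
# Added example, not part of the Office SharePoint Server documentation: runs the
# first-server farm configuration sequence from this procedure in the documented order,
# stops at the first failing command, and points at the newest PSC*.log.
# Every value in the param block is a placeholder.
param(
    [string]$DatabaseServer       = 'SQL01',                    # placeholder
    [string]$ConfigDatabase       = 'SharePoint_Config',        # placeholder
    [string]$AdminContentDatabase = 'SharePoint_AdminContent',  # placeholder
    [string]$FarmAccount          = 'CONTOSO\spfarm',           # server farm account (placeholder)
    [string]$FarmContactEmail     = 'spadmin@contoso.com',      # placeholder
    [int]$AdminPort               = 10000                       # Central Administration port (placeholder)
)

$bin      = Join-Path $env:CommonProgramFiles 'Microsoft shared\Web server extensions\12\Bin'
$logs     = Join-Path $env:CommonProgramFiles 'Microsoft shared\Web server extensions\12\Logs'
$psconfig = Join-Path $bin 'psconfig.exe'
$stsadm   = Join-Path $bin 'stsadm.exe'

# Prompt for the farm account password so it is not stored in the script or the shell history.
# (psconfig and stsadm themselves accept it only as a command-line argument.)
$secure = Read-Host -AsSecureString "Password for $FarmAccount"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$farmPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Runs one command; on a non-zero exit code, names the newest post-Setup configuration log and stops.
function Invoke-Step([string]$Description, [string]$Exe, [string[]]$Arguments) {
    Write-Host "==> $Description"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        $latest = Get-ChildItem -Path $logs -Filter 'PSC*.log' |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
        $hint = if ($latest) { "see $($latest.FullName)" } else { "no PSC*.log found in $logs" }
        throw "'$Description' failed with exit code $LASTEXITCODE; $hint"
    }
}

# Step 3: create the configuration database (Windows authentication, so no -dbuser/-dbpassword).
Invoke-Step 'Create configuration database' $psconfig @(
    '-cmd', 'configdb', '-create', '-server', $DatabaseServer, '-database', $ConfigDatabase,
    '-user', $FarmAccount, '-password', $farmPassword,
    '-admincontentdatabase', $AdminContentDatabase)
# Steps 4 to 6
Invoke-Step 'Install Help collections' $psconfig @('-cmd', 'helpcollections', '-installall')
Invoke-Step 'Secure resources'         $psconfig @('-cmd', 'secureresources')
Invoke-Step 'Register services'        $psconfig @('-cmd', 'services', '-install')
# Step 6a and 6b: start both search services under the server farm account.
Invoke-Step 'Start Windows SharePoint Services Search' $stsadm @(
    '-o', 'spsearch', '-action', 'start',
    '-farmserviceaccount', $FarmAccount, '-farmservicepassword', $farmPassword)
Invoke-Step 'Start Office SharePoint Server Search' $stsadm @(
    '-o', 'osearch', '-action', 'start', '-role', 'IndexQuery',
    '-farmserviceaccount', $FarmAccount, '-farmservicepassword', $farmPassword,
    '-farmcontactemail', $FarmContactEmail)
# Steps 6c to 9
Invoke-Step 'Provision services'               $psconfig @('-cmd', 'services', '-provision')
Invoke-Step 'Register features'                $psconfig @('-cmd', 'installfeatures')
Invoke-Step 'Provision Central Administration' $psconfig @(
    '-cmd', 'adminvs', '-provision', '-port', "$AdminPort", '-windowsauthprovider', 'onlyusentlm')
Invoke-Step 'Install application content'      $psconfig @('-cmd', 'applicationcontent', '-install')

Write-Host "Central Administration is provisioned on port $AdminPort."
```

Run it while logged on as the Setup user account; for additional servers, replace the first step with configdb -connect and drop the -admincontentdatabase parameter as described above.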

Perform additional configuration tasks


After you have installed Office SharePoint Server 2007, we recommend that you perform the following administrative tasks:
- Configure incoming e-mail settings
- Configure outgoing e-mail settings
- Configuring workflow settings
- Configuring diagnostic logging settings
- Configure antivirus settings

Create a Shared Services Provider by using the Stsadm command-line tool


After you create and configure Office SharePoint Server 2007 on a farm, you must use the Stsadm command-line tool to create the SSP and site collection for the farm.
Important: To run the Stsadm command-line tool, you must be a member of the Administrators group on the local computer.

The recommended procedure for creating an SSP is to create a Web application for the My Sites host location, and a separate Web application for the Shared Services Administration Web site.

Create a Web application by using the Stsadm command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Type the following command, and then press ENTER:
   stsadm -o extendvs -url <URL name> -ownerlogin <domain\user name> -owneremail <e-mail address> [-exclusivelyusentlm] [-ownername <display name>] [-databaseuser <database user name>] [-databaseserver <database server name>] [-databasename <new content database name>] [-databasepassword <database password>] [-lcid <language>] [-sitetemplate <site template>] [-donotcreatesite] [-description] [-sethostheader] [-apidname <application pool name>] [-apidtype {configurableID | NetworkService}] [-apidlogin <domain\user name>] [-apidpwd <application pool password>] [-allowanonymous]
   For more information, see Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx).
The extendvs operation creates the Web application. The donotcreatesite parameter creates the Web application without creating a site collection on the Web application.

After creating the Web applications for the My Sites host location and for the Shared Services Administration Web site, you create the SSP.

Create an SSP by using the Stsadm command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Type the following command, and then press ENTER:
   stsadm -o createssp -title <SSP name> -url <Web application URL> -mysiteurl <My Sites Web application URL> -ssplogin <user name> -ssppassword <password> -sspdatabaseserver <SSP database server> -sspdatabasename <SSP database name> -indexserver <index server name> -indexlocation <index file path> [-ssppassword <SSP password>] [-sspdatabaseserver <SSP database server name>] [-sspdatabasename <SSP database name>] [-sspsqlauthlogin <SQL user name>] [-sspsqlauthpassword <SQL password>] [-searchdatabaseserver <search database server name>] [-searchdatabasename <search database name>] [-searchsqlauthlogin <SQL user name>] [-searchsqlauthpassword <SQL password>] [-ssl {Yes | No}]

Example
The following command creates a Web application with the URL http://intranet:8080 that can be used to host the SSP Administration site.
   stsadm -o extendvs -url http://intranet:8080 -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -databaseserver <database server name> -databasename <SSP content database name> -donotcreatesite -apidname <SSP application pool> -apidtype configurableID -apidlogin <domain\user name> -apidpwd <password>
Similarly, you can create another Web application as the My Sites host location by using the following command:
   stsadm -o extendvs -url http://intranet:8090 -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -databaseserver <SQL Server> -databasename <site content database name> -donotcreatesite -apidname <site application pool> -apidtype configurableID -apidlogin <domain\user name> -apidpwd <password>
Then you create the SSP, named MySSP1, with the SSP database MySSP1_db:
   stsadm -o createssp -title MySSP1 -url http://intranet -mysiteurl http://intranet:8090 -ssplogin <domain\user name> -ssppassword <password> -sspdatabaseserver <database server name> -sspdatabasename MySSP1_db -indexserver <index server name> -indexlocation "D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications" -searchdatabaseserver <search database server name> -searchdatabasename <search database name>
For more information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx) and Createssp: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262773.aspx).

Create a site collection by using the Stsadm command-line tool


You create the top-level site collection by using the same extendvs operation that you used to create the Web applications for My Sites and the Shared Services Administration Web site.
Important: To run the Stsadm command-line tool, you must be a member of the Administrators group on the local computer.

Create a site collection by using the Stsadm command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Type the following command, and then press ENTER:
   stsadm -o extendvs -url <URL name> -ownerlogin <domain\user name> -owneremail <e-mail address> [-exclusivelyusentlm] [-ownername <display name>] [-databaseuser <database user name>] [-databaseserver <database server name>] [-databasename <new content database name>] [-databasepassword <database password>] [-lcid <language>] [-sitetemplate <site template>] [-donotcreatesite] [-description] [-sethostheader] [-apidname <application pool name>] [-apidtype {configurableID | NetworkService}] [-apidlogin <domain\user name>] [-apidpwd <application pool password>] [-allowanonymous]
   For more information about how to create a site collection, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx).

Example
The following example creates a site collection at http://intranet that uses the corporate intranet site template.
   stsadm -o extendvs -url http://intranet -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -sitetemplate SPSPORTAL -apidname "SharePoint AppPool" -apidtype configurableID -apidlogin <domain\user name> -apidpwd <password>
This command can also be used to add other site collections and sites. If you do not specify the site template to use, the site collection administrator can choose the site template when he or she first browses to the site. The extendvs operation also enables you to specify the language of the site collection by using the Locale ID (LCID) parameter. If you do not specify an LCID, the language of the server is used for the top-level site collection. For more information about the available LCID values, see List of Locale ID (LCID) Values as Assigned by Microsoft (http://go.microsoft.com/fwlink/?LinkId=63028&clcid=0x409). For more information about the Stsadm command-line tool, see Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx).
After creating sites, you might want to configure alternate access mappings. Alternate access mappings direct users to the correct URLs during their interaction with Office SharePoint Server 2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for example). Alternate access mappings enable Office SharePoint Server 2007 to map Web requests to the correct Web applications and sites, and they enable Office SharePoint Server 2007 to serve the correct content back to the user.
For more information, see Plan alternate access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).

Configure the trace log


The trace log can be useful for analyzing problems that might occur. You can use events that are written to the trace log to determine what configuration changes were made in Office SharePoint Server 2007 before the problem occurred.
By default, Office SharePoint Server 2007 saves two days of events in the trace log files. This means that trace log files that contain events that are older than two days are deleted. When you are using the Windows SharePoint Services Search service, we recommend that you configure the trace log to save seven days of events.
You can use the Diagnostic Logging page in Central Administration to configure the maximum number of trace log files to maintain, and how long (in minutes) to capture events to each log file. By default, 96 log files are kept, each one containing 30 minutes of events: 96 log files * 30 minutes of events per file = 2880 minutes, or two days of events. You can also specify where the log files are written or accept the default path.
Trace log files can help you troubleshoot issues related to configuration changes of the Windows SharePoint Services Search service. Because problems related to configuration changes are not always immediately discovered, we recommend that you save all trace log files that the system creates on any day that you make any configuration changes. Store these log files for an extended period of time in a safe location that will not be overwritten. We recommend that you store log files on a hard disk drive partition that is used to store log files only.

See Also
- Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx)
- Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx)
- Office SharePoint Server Security Account Requirements (http://go.microsoft.com/fwlink/?LinkId=110493&clcid=0x409)


Migrate a stand-alone installation to a server farm installation


In this section:
- Install Office SharePoint Server 2007 on a new farm
- Migrate data from the single-server installation
- Create and attach data from the Shared Services Provider (SSP)
- Attach site collection data from content databases

Installing Microsoft Office SharePoint Server 2007 as a stand-alone installation on a single server computer simplifies deployment. A stand-alone installation of Microsoft Office SharePoint Server 2007 is a good choice for:
- A low-capacity deployment with a small number of Web sites
- A small number of concurrent users
- The initial evaluation of Office SharePoint Server 2007 before you begin testing and implementing a more complex deployment.

Many deployments have greater performance and capacity requirements that can only be achieved with a farm deployment. You can migrate a stand-alone installation of Office SharePoint Server 2007 to a server farm installation to meet expanded performance, capacity, or scalability requirements. Migration enables you to meet these requirements while also retaining the data, content, and sites from your single-server installation. A direct upgrade from a stand-alone server to a farm is not available. It is usually easier to expand an existing farm deployment by adding servers to meet performance, capacity, or scalability requirements than it is to migrate a stand-alone deployment to a farm deployment. If you know that your organization is going to require a server farm eventually, it is a better idea to start with a simple farm deployment. For more information about installing Office SharePoint Server 2007 on a simple server farm, see Deploy in a simple server farm. For more information about installing Office SharePoint Server 2007 on a stand-alone server, see Install Office SharePoint Server 2007 on a stand-alone computer. You have two options for a migration from a stand-alone installation to a farm installation of Office SharePoint Server 2007:
- SQL Backup and Restore, followed by using the Stsadm command-line tool to attach the databases
- Central Administration Backup and Restore

This section describes the first option. For more information about using Central Administration to migrate from a stand-alone installation to a farm installation, see Migrate to another farm by using the Central Administration Web site (http://technet.microsoft.com/en-us/library/cc262281.aspx).

To migrate from a stand-alone server to a server farm, you perform the following steps:
1. Install Office SharePoint Server 2007 on a new farm.
2. Migrate data from the stand-alone server to the Microsoft SQL Server 2005 database server that is part of the new server farm by using SQL Backup and Restore.
3. Create and attach data from the Shared Services Provider (SSP) by using the Stsadm command-line tool.
4. Attach the restored databases to the new server farm by using the Stsadm command-line tool.

Install Office SharePoint Server 2007 on a new farm


Before you can migrate data from a single-server to a server farm, you must install Office SharePoint Server 2007 on the farm. A farm installation typically requires the following steps:
1. Prepare the database server and one or more Office SharePoint Server 2007 servers.
2. Install Office SharePoint Server 2007, and configure the server by using the SharePoint Products and Technologies configuration wizard or the PSConfig.exe command-line tool.
3. Create a Shared Services Provider (SSP).
4. Create a site collection for the top-level site.
When you are installing Office SharePoint Server 2007 on a server farm for the purposes of migration from a stand-alone server, do not create an SSP or site collection until you have migrated data from the single-server installation by using SQL Backup and Restore. After restoring the databases, you create an SSP and attach the new SSP database and the content database to the new server farm. For more information about installing Office SharePoint Server 2007 on a server farm, see Chapter overview: Install Office SharePoint Server 2007 in a server farm environment.

Prepare servers for installation


The following software is required before you run Setup:
- You must install Office SharePoint Server 2007 on a clean installation of Windows Server 2003 with the most recent service pack.
- You must install the Microsoft .NET Framework version 3.0. The .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features.
  Note: You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=110508).
- You must enable ASP.NET 2.0 in the Internet Information Services (IIS) Manager on all Office SharePoint Server 2007 servers.
- You must have Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most recent service pack running on at least one database server before you install Office SharePoint Server 2007 on your Web servers.

You must also create and configure the following accounts:
- SQL Server service account
- Setup user account
- Server farm account

It is possible to use the same account for each of these account roles, unless you are using least-privilege administration. For more information about these required accounts and other account requirements for Office SharePoint Server 2007, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx). For more information about preparing servers for installation, see the following articles:
- Chapter overview: Install Office SharePoint Server 2007 in a server farm environment
- Prepare the database servers
- Prepare the Web and application servers
- Deploy in a simple server farm

Install SharePoint Server 2007 and configure the server by using the SharePoint Products and Technologies configuration wizard
You can install Office SharePoint Server 2007 by using the Setup wizard or running Setup.exe from a command prompt. After completing Setup, you configure the server by using the SharePoint Products and Technologies configuration wizard. The SharePoint Products and Technologies configuration wizard creates the Central Administration site. When you have completed the wizard, do not create an SSP or other site collection until you have finished migrating data from the stand-alone server and have attached the restored databases to the new server farm. For more information about installing and configuring SharePoint Server 2007, see the following articles:
- Install Office SharePoint Server 2007 and run the SharePoint Products and Technologies configuration wizard
- Install Office SharePoint Server 2007 by using the command line

Migrate data from the stand-alone server


A single-server installation of Office SharePoint Server 2007 includes Microsoft SQL Server 2005 Express Edition. A server farm installation uses a separate Microsoft SQL Server 2005 database server. To successfully migrate from a stand-alone server to a farm, you must migrate databases from the stand-alone server to the database server in the farm by using SQL Server Management Studio Express and Microsoft SQL Server Management Studio. SQL Server Management Studio Express is installed on the stand-alone server by running Setup for SQL Server Express with Advanced Services or SQL Server Express Toolkit. It is used to enable a connection from the database server that is running SQL Server Management Studio. SQL Server Management Studio is used to back up databases from the stand-alone server and restore the databases to the database server in the farm. For more information about managing SQL Server Express, see Managing SQL Server Express with SQL Server 2005 Management Studio Express Edition (http://go.microsoft.com/fwlink/?LinkId=110559&clcid=0x409). To download SQL Server Management Studio Express, visit the Visual Studio Download Center (http://go.microsoft.com/fwlink/?LinkId=110560&clcid=0x409).

Migrate data from the stand-alone server to the database server on the farm
1. Set the databases on the stand-alone server to be read-only:
   a. In SQL Server Management Studio Express, right-click the name of the database that you want to set to read-only, and then click Properties.
   b. In the Select a page section, click Options.
   c. In the Other options section of the right pane, expand State, click the drop-down arrow for the values of Database Read-Only, and then click True.

2. Connect to the stand-alone server by using SQL Server Management Studio and back up the following databases:
Shared Services DB
Shared Services Search DB
Shared Services Content DB
WSS Content DB
All additional content databases associated with Web applications on the stand-alone server

a. On your database server, click Start, point to All Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.
b. In the Connect to Server box, fill in the connection information for the stand-alone server, and then click Connect.
Note: The SQL Server Express instance name that is used to connect to the databases on the stand-alone server is set to OfficeServers by default.
c. After connecting to the appropriate instance of the SQL Server 2005 Database Engine, in Object Explorer, expand the server tree by clicking the plus sign next to the server name.
d. Expand Databases, right-click the database that you want to back up, point to Tasks, and then click Back Up. The Back Up Database dialog box appears.
e. In the Source section, in the Database box, verify the database name.
f. In the Backup type box, click the drop-down arrow for the values, and then click Full.
g. Under Backup component, select Database.
h. In the Backup set section, in the Name box, either accept the default value or type a different name.
i. In the Destination section, specify the type of backup destination by selecting Disk or Tape, and then specify a destination. To create a different destination, click Add.
j. Click OK to start the backup process.

3. Restore the databases to the database server on the farm by using Microsoft SQL Server Management Studio:
a. After connecting to the farm's instance of the SQL Server 2005 Database Engine, in Object Explorer, expand the server tree by clicking the plus sign next to the server name.
b. Right-click Databases, and then click New Database.
c. In the Database name box, type the name of the database you want to restore.
d. In the Owner box, specify an owner if desired.
e. In the Database files section, in the Logical Name box for the Data file type, verify that the logical name is the one you want to use.
f. In the Initial Size (MB) box, adjust the size to approximately the size of the database you want to restore.
g. In the Logical Name box for the Log file type, verify that the logical name is the one you want to use.
h. In the Initial Size (MB) box, adjust the size to approximately three or four times the size of the log file for the database you want to restore. Make the log file large to accommodate entries during the upgrade process. You can always shrink the transaction log after you have completed the upgrade.
i. In the Autogrowth column for the log file, set the value to By 10 percent, unrestricted growth. You can change this setting after you perform the upgrade, but again, you do not want the log file to run out of space during the upgrade process.
j. Click OK to create the database.
k. Right-click the new database, point to Tasks, point to Restore, and then click Database. Under Source for restore, select From device, locate the backup file that you created in step 2, and on the Options page select Overwrite the existing database. Click OK to run the restore.
l. A database that was read-only when it was backed up is still read-only after it is restored. Open the Properties of the restored database, click Options, and set Database Read-Only back to False before you attach the database to the farm; otherwise the upgrade that runs when the database is attached cannot write to it.

For more information about migrating databases including different backup and restore options for different versions of SQL Server, see Migrate databases (http://technet.microsoft.com/enus/library/cc263299.aspx).
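The same backup and restore sequence, expressed as T-SQL run from PowerShell through System.Data.SqlClient so it can be repeated for every database without clicking through the Management Studio dialogs. This is an added example and not code from the TechNet page: the instance names, database names, backup share, target file paths and the logical file names (<db> and <db>_log) are assumptions, and the stand-alone instance must already accept remote connections as the Management Studio Express step above describes.

```powershell
# Added example (not part of the TechNet page): the backup/restore procedure above as
# T-SQL run from PowerShell through System.Data.SqlClient, using Windows authentication
# so no SQL password appears in the script.
# Assumptions: instance and database names, the backup share (which BOTH SQL Server
# service accounts must be able to reach), target file paths, and logical file names
# of the form <db> / <db>_log.
$sourceInstance = 'STANDALONE\OfficeServers'   # default instance name on the stand-alone server
$targetInstance = 'SQLServer'                  # farm database server
$backupShare    = '\\SQLServer\SPMigration'    # assumed share; restrict its ACL to the two service accounts
$databases      = @('SharedServices1_DB', 'SharedServices1_Search_DB', 'SSPContentDB', 'WSS_Content')

function Invoke-TSql {
    param([string]$Instance, [string]$Batch)
    # One batch per call: RESTORE and ALTER DATABASE cannot run inside a transaction,
    # so each statement is executed on its own with autocommit.
    $connection = New-Object System.Data.SqlClient.SqlConnection(
        "Data Source=$Instance;Initial Catalog=master;Integrated Security=SSPI")
    $connection.Open()
    try {
        $command = $connection.CreateCommand()
        $command.CommandText    = $Batch
        $command.CommandTimeout = 0          # a full backup of a large content database exceeds the 30 s default
        [void]$command.ExecuteNonQuery()
    }
    finally { $connection.Close() }
}

foreach ($db in $databases) {
    $backupFile = Join-Path $backupShare "$db.bak"

    # Step 1: freeze the source so the backup is a consistent, final copy.
    Invoke-TSql $sourceInstance "ALTER DATABASE [$db] SET READ_ONLY WITH ROLLBACK IMMEDIATE"

    # Step 2: full backup. CHECKSUM makes a damaged file fail at RESTORE time rather than
    # halfway through the attach-time upgrade on the farm.
    Invoke-TSql $sourceInstance "BACKUP DATABASE [$db] TO DISK = N'$backupFile' WITH INIT, CHECKSUM"

    # Step 3: restore on the farm server, relocating the files to the farm's data and log volumes.
    Invoke-TSql $targetInstance @"
RESTORE DATABASE [$db] FROM DISK = N'$backupFile'
WITH CHECKSUM, REPLACE,
     MOVE N'$db' TO N'D:\SQLData\$db.mdf',
     MOVE N'${db}_log' TO N'E:\SQLLogs\${db}_log.ldf'
"@

    # A database backed up while read-only is restored read-only; the upgrade that runs
    # when stsadm attaches it would fail, so switch it back now.
    Invoke-TSql $targetInstance "ALTER DATABASE [$db] SET READ_WRITE"

    # Give the log room for the upgrade (steps h and i above): a large initial size and
    # 10 percent unrestricted growth. SIZE must be larger than the restored log's current size.
    Invoke-TSql $targetInstance "ALTER DATABASE [$db] MODIFY FILE (NAME = N'${db}_log', SIZE = 2048MB, FILEGROWTH = 10%)"
}
```

Run it from an account that is sysadmin on both instances. Because the script runs the source's SET READ_ONLY first, a failed BACKUP or RESTORE leaves the stand-alone server frozen rather than silently diverging from the copy on the farm; rerunning the loop for that database is safe because BACKUP uses WITH INIT and RESTORE uses REPLACE.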

Stsadm Command-Line Tool


Microsoft Office SharePoint Server 2007 includes the Stsadm command-line tool for administration of Office SharePoint Server 2007 servers and sites. The Stsadm command-line tool is located at the following path on the drive where SharePoint Products and Technologies is installed: %COMMONPROGRAMFILES%\microsoft shared\web server extensions\12\bin. You must be an administrator on the local computer to use the Stsadm command-line tool.

The Stsadm command-line tool provides a method for performing Office SharePoint Server 2007 administration tasks at a command prompt or by using batch files or scripts. It provides access to operations that are not available through the Central Administration site, such as changing the administration port, and it can perform the same tasks as Central Administration through a more streamlined interface. Certain operations and certain parameters are available only through the Stsadm command-line tool.

In this procedure, the Stsadm command-line tool is used to attach the restored stand-alone databases to the SQL Server database server on the farm so that the site content (including the Shared Services Provider) becomes available on the new farm installation. To see what actions are available with the tool, run stsadm -help, which lists the operations that can be performed, and stsadm -help <operation name> to get detailed documentation about a particular operation. For more information, see Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx). For more details about Stsadm command-line operations and parameters, see Index for Stsadm operations and properties (http://technet.microsoft.com/en-us/library/cc263384.aspx).
To start and configure the required services:

Start the Windows SharePoint Services Search service:
stsadm -o spsearch -action start -farmserviceaccount domain\user -farmservicepassword MyPassword

Start the Office SharePoint Server Search service:
stsadm -o osearch -action start -role IndexQuery -farmserviceaccount domain\user -farmservicepassword MyPassword -farmcontactemail user@domain.com

Note: The service account password is passed on the command line in clear text, where it is visible to anyone who can list processes on the server and to anyone who can read a batch file that contains it. Type these commands at an interactive prompt rather than saving them in a batch file.

For additional information, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).


Create and attach data from the Shared Services Provider (SSP)
After you migrate data from the stand-alone server to the farm, you must use the Stsadm command-line tool to create the SSP Web application for the farm and attach the restored SSP database to the farm. The Stsadm command-line tool is available on the installation drive for Office SharePoint Server 2007 at %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\12\bin.

You create the SSP Web application by using the following command:

stsadm -o extendvs -url <URL> -ownerlogin <domain\username> -owneremail <email> -exclusivelyusentlm -databaseserver <DBservername> -databasename <NewcontentDBname> -apcreatenew -apidname <Apppoolname> -apidtype configurableid -apidlogin <domain\username> -apidpwd <Password>

Example

stsadm -o extendvs -url http://intranet:8080 -ownerlogin domain\username -owneremail user@domain.com -exclusivelyusentlm -databaseserver SQLServer -databasename SSPContentDB -apcreatenew -apidname SSPAppPool -apidtype configurableid -apidlogin domain\username -apidpwd MyPassword

This command creates a Web application with the URL http://intranet:8080 that can be used to host the SSP.

Note: The databasename parameter is the Shared Services content database that was restored from the stand-alone server. The apidlogin account becomes the identity of the new application pool (apcreatenew with apidtype configurableid), so give it a dedicated service account rather than a farm administrator's account.

The stand-alone installation uses the default Web application for the My Site host location. When you migrate to a farm, we recommend that the My Site host location use a separate Web application.

Example

stsadm -o extendvs -url http://intranet:8090 -ownerlogin domain\username -owneremail user@domain.com -exclusivelyusentlm -databaseserver SQLServer -databasename MySiteContentDB -apcreatenew -apidname MySiteAppPool -apidtype configurableid -apidlogin domain\username -apidpwd MyPassword

After creating both Web applications, you restore the SSP by using the restoressp operation. The sspdatabasename and searchdatabasename parameters name the databases that were restored to the farm from the stand-alone server:

stsadm -o restoressp -title <SSP name> -url <Web application url> -mysiteurl <MySite Web application url> -ssplogin <username> -ssppassword <password> -sspdatabaseserver <SSP database server> -sspdatabasename <SSP database name> -searchdatabaseserver <Search database server> -searchdatabasename <Search database name> -indexserver <index server> -indexlocation <index file path>

Example

stsadm -o restoressp -title Migrated_SSP1 -url http://intranet:8080 -mysiteurl http://intranet:8090 -ssplogin domain\username -ssppassword MyPassword -sspdatabaseserver SQLServer -sspdatabasename MySSP1_db -searchdatabaseserver SearchServer -searchdatabasename SharedServices1_Search -indexserver MyServer -indexlocation "D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications"

For more information about the Stsadm command-line tool, see Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx). For additional information about how to perform this procedure using the Stsadm command-line tool, see Restoressp (http://technet.microsoft.com/en-us/library/cc262163.aspx), Extendvs (http://technet.microsoft.com/en-us/library/cc263040.aspx), and Createssp (http://technet.microsoft.com/en-us/library/cc262773.aspx).

Attach site collection data from content databases


The final step of migrating a stand-alone installation to a server farm installation is to attach the content databases that hold the site collections. For each Web application on the stand-alone server whose content database you restored to the farm, run the following command by using the Stsadm command-line tool:

stsadm -o extendvs -url <URL> -ownerlogin <domain\username> -owneremail <email> -exclusivelyusentlm -databaseserver <DBservername> -databasename <NewcontentDBname> -apcreatenew -apidname <Apppoolname> -apidtype configurableid -apidlogin <domain\username> -apidpwd <Password>

Example

stsadm -o extendvs -url http://intranet -ownerlogin domain\username -owneremail user@domain.com -exclusivelyusentlm -databaseserver intranet -databasename WSSContent -apcreatenew -apidname SharePoint_80_AppPool -apidtype configurableid -apidlogin domain\username -apidpwd MyPassword

This command creates the Web application http://intranet and attaches the restored content database to it, which restores the top-level site collection and every other site collection stored in that database (on the stand-alone server this database also held the My Site content). The databasename parameter is the restored database from the stand-alone installation that will now be attached to the Web application. To check the result, run stsadm -o enumsites -url http://intranet and confirm that every site collection from the stand-alone server is listed.

For additional information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).

See Also
Chapter overview: Install Office SharePoint Server 2007 in a server farm environment
Deploy in a simple server farm
Install Office SharePoint Server 2007 on a stand-alone computer
Migrate to another farm by using the Central Administration Web site (http://technet.microsoft.com/en-us/library/cc262281.aspx)
Install Office SharePoint Server 2007 by using the command line
Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx)
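The stsadm operations from the three procedures above (starting the search services, creating the SSP and My Site Web applications, restoring the SSP, and attaching the site collection content database) run from one PowerShell script. This is an added example, not code from the TechNet page: the server names, URLs, account, database names and index path are the same placeholders the page uses and are assumptions. Its point is that the service-account password is prompted for with Get-Credential instead of being typed into a command line or saved in a batch file, and that a failing operation stops the sequence instead of letting restoressp run against a Web application that was never created.

```powershell
# Added example (not part of the TechNet page): the stsadm operations from the
# procedures above, run from PowerShell so the service-account password is prompted for
# rather than typed on a command line or saved in a batch file. Server names, URLs,
# account, database names and the index path are assumptions.
$stsadm       = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\bin\stsadm.exe'
$sqlServer    = 'SQLServer'
$searchServer = 'SearchServer'
$indexServer  = 'MyServer'
$contactEmail = 'user@domain.com'

# Prompt for the account; the plain-text password exists only in this process's memory.
$credential = Get-Credential 'domain\username'
$account    = $credential.UserName
$password   = $credential.GetNetworkCredential().Password

function Invoke-Stsadm {
    param([string[]]$Arguments)
    # stsadm prints its own status line; a non-zero exit code is fatal so that a failed
    # extendvs does not leave restoressp pointing at a Web application that does not exist.
    & $stsadm $Arguments
    if ($LASTEXITCODE -ne 0) { throw "stsadm -o $($Arguments[1]) failed with exit code $LASTEXITCODE" }
}

# Search services ("To start and configure the required services").
Invoke-Stsadm @('-o','spsearch','-action','start','-farmserviceaccount',$account,'-farmservicepassword',$password)
Invoke-Stsadm @('-o','osearch','-action','start','-role','IndexQuery','-farmserviceaccount',$account,
                '-farmservicepassword',$password,'-farmcontactemail',$contactEmail)

# Web applications for the SSP, the My Site host and the migrated site collections,
# each attached to the content database restored from the stand-alone server.
$webApps = @(
    @{ Url = 'http://intranet:8080'; Db = 'SSPContentDB';    Pool = 'SSPAppPool' },
    @{ Url = 'http://intranet:8090'; Db = 'MySiteContentDB'; Pool = 'MySiteAppPool' },
    @{ Url = 'http://intranet';      Db = 'WSSContent';      Pool = 'SharePoint_80_AppPool' }
)
foreach ($webApp in $webApps) {
    Invoke-Stsadm @('-o','extendvs','-url',$webApp.Url,'-ownerlogin',$account,'-owneremail',$contactEmail,
                    '-exclusivelyusentlm','-databaseserver',$sqlServer,'-databasename',$webApp.Db,
                    '-apcreatenew','-apidname',$webApp.Pool,'-apidtype','configurableid',
                    '-apidlogin',$account,'-apidpwd',$password)
}

# Restore the SSP from the migrated SSP and search databases.
Invoke-Stsadm @('-o','restoressp','-title','Migrated_SSP1','-url','http://intranet:8080',
                '-mysiteurl','http://intranet:8090','-ssplogin',$account,'-ssppassword',$password,
                '-sspdatabaseserver',$sqlServer,'-sspdatabasename','MySSP1_db',
                '-searchdatabaseserver',$searchServer,'-searchdatabasename','SharedServices1_Search',
                '-indexserver',$indexServer,
                '-indexlocation','D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications')

# Check: every site collection from the stand-alone server should now be listed.
Invoke-Stsadm @('-o','enumsites','-url','http://intranet')

# Drop the plain-text copy once stsadm no longer needs it.
Remove-Variable password
```

stsadm still receives the password as a process argument for the few seconds each call runs, which is inherent to the tool; what the script avoids is the password surviving in a batch file, in a console buffer, or in a transcript. The page's examples use one account for the site owner, the application pool identity and the SSP; in production use separate accounts for the pool identities and pass them as distinct credentials.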


Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server 2008
In this section: Hardware and software requirements Perform installation steps Perform post-installation steps Configure the trace log Configure Windows Server Backup

As of the release of Microsoft Office SharePoint Server 2007 Service Pack 1 (SP1), you can install Office SharePoint Server 2007 on a server running Windows Server 2008. As with the Windows Server 2003 operating system, you must download and run Setup and the SharePoint Products and Technologies Configuration Wizard. You cannot install Office SharePoint Server 2007 without service packs on Windows Server 2008.

Important: This section discusses how to perform a clean installation of Office SharePoint Server 2007 with SP1 in a stand-alone environment on Windows Server 2008. It does not cover upgrading the operating system from Windows Server 2003 to Windows Server 2008.

Note: This section does not cover installing Office SharePoint Server 2007 in a server farm on Windows Server 2008. For more information, see Deploy a simple farm on the Windows Server 2008 operating system.

Note: There is no direct upgrade from a stand-alone installation to a farm installation.

You can quickly publish a SharePoint site by deploying Office SharePoint Server 2007 on a single server computer. A stand-alone configuration is useful if you want to evaluate Office SharePoint Server 2007 features and capabilities, such as collaboration, document management, and search. A stand-alone configuration is also useful if you are deploying a small number of Web sites and you want to minimize administrative overhead. When you deploy Office SharePoint Server 2007 on a single server using the default settings, the Setup program automatically installs the Windows Internal Database and uses it to create the configuration database and an initial content database for your SharePoint sites. In addition, Setup installs the SharePoint Central Administration Web site and creates your first SharePoint site collection and site.


Important: Office SharePoint Server 2007 requires the following components: the Web Server role, Windows Internal Database, and the Microsoft .NET Framework. Office SharePoint Server 2007 will cease to run if you uninstall these components.

Hardware and software requirements


Before you install and configure Office SharePoint Server 2007, be sure that your server has the required hardware and software. For more information about these requirements, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx). Also, make sure the Management Compatibility role service is added to your server and the .NET Framework is installed, as described below.

Note: Server Manager is designed to guide server administrators through the process of installing, configuring, and managing server roles and features that are part of Windows Server 2008. For more information on using Server Manager, see the Windows Server 2008 Server Manager Technical Overview (http://go.microsoft.com/fwlink/?LinkID=109936&clcid=0x409).

IIS 6.0 Management Compatibility role service


If you use Server Manager to perform a default Internet Information Services (IIS) 7.0 installation, the IIS 6.0 Management Compatibility role service is not included. Because Office SharePoint Server 2007 requires this role service, you must add it by using the following procedure.

Add the IIS 6.0 Management Compatibility role service
1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In the left navigation pane, expand Roles, and then right-click Web Server (IIS) and select Add Role Services.
3. In the Add Role Services wizard, under Role services, select IIS 6 Management Compatibility.
4. From the Select Role Services pane, click Next, and then at the Confirm Installation Selections pane, click Install.
5. To complete the Add Role Services wizard, click Close.

Microsoft .NET Framework version 3.0


Before you install Office SharePoint Server 2007 on Windows Server 2008, you must install the .NET Framework version 3.0. You do not need to install the Web Server role or the Windows Process Activation Service; these are installed automatically, along with Windows Internal Database, when you install Office SharePoint Server 2007 SP1. Use the following procedure to install the .NET Framework version 3.0.

Install Microsoft .NET Framework version 3.0
1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In Server Manager, on the Action menu, click Add features.
3. In the Features list, select the .NET Framework 3.0 Features check box, and then click Next.
4. Follow the wizard steps to install the .NET Framework version 3.0.

Note: You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=110508).

Perform installation steps


You can only install Office SharePoint Server 2007 with SP1 on Windows Server 2008. We recommend that you create a slipstreamed installation source for Office SharePoint Server 2007. This installation source must include the files from both Windows SharePoint Services 3.0 SP1 and Office SharePoint Server 2007 SP1. For more information on using the updates folder to create a slipstream source, see the topic Create an installation source that includes software updates (http://technet.microsoft.com/en-us/library/cc261890.aspx).

Note: If you have not created an updated installation source, you must first install Office SharePoint Server 2007 without any software updates and, without running the SharePoint Products and Technologies Configuration Wizard at the end of the installation, install Service Pack 1. After the installations are complete, you can run the SharePoint Products and Technologies Configuration Wizard.

To install and configure Office SharePoint Server 2007, you must first install Office SharePoint Server 2007 with SP1 and then run the SharePoint Products and Technologies Configuration Wizard. When you install Office SharePoint Server 2007 on a single server, run the Setup program using the Basic option. This option uses the Setup program's default parameters to install Office SharePoint Server 2007 and Windows Internal Database.

Note: If you uninstall Office SharePoint Server 2007, and then later reinstall Office SharePoint Server 2007 on the same computer, the Setup program could fail when creating the configuration database, causing the entire installation process to fail. You can prevent this failure either by deleting all the existing Office SharePoint Server 2007 databases on the computer or by creating a new configuration database. You can create a new configuration database by running the following command from the directory %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin:

psconfig -cmd configdb -create -database <unique database name>


Install Office SharePoint Server 2007 with SP1
1. From your slipstreamed installation source, run Setup.exe.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup places a red circle next to the text box and displays a message that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Basic to install to the default location. To install to a different location, click Advanced, and then on the File Location tab, specify the location you want to install to and finish the installation.
5. When Setup finishes, a dialog box prompts you to complete the configuration of your server. Make sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
6. Click Close to start the configuration wizard. The SharePoint Products and Technologies Configuration Wizard starts, and you can go directly to the procedure "Run the SharePoint Products and Technologies Configuration Wizard."

Note: Do not add any server roles in Windows Server 2008 Server Manager before the setup for Office SharePoint Server 2007 is complete. If you add a server role, the setup process will fail, and you will need to uninstall and reinstall Office SharePoint Server 2007.

Configure SharePoint Products and Technologies


Once you have finished installing Office SharePoint Server 2007 with SP1, you can run the SharePoint Products and Technologies Configuration Wizard to configure the installation.

Run the SharePoint Products and Technologies Configuration Wizard
1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. In the dialog box that notifies you that some services might need to be restarted or reset during configuration, click Yes.
3. On the Configuration Successful page, click Finish. Your new SharePoint site opens.

Note: If you are prompted for your user name and password, you might need to add the SharePoint site to the list of trusted sites and configure user authentication settings in Internet Explorer. Instructions for configuring these settings are provided in the following procedure.

Note: If you see a proxy server error message, you might need to configure your proxy server settings so that local addresses bypass the proxy server. Instructions for configuring proxy server settings are provided later in this section.

If you want to configure the installation from the command line, use the following procedure.

Run the SharePoint Products and Technologies Configuration Wizard from the command line
Type the following command, and then press ENTER:

psconfig.exe -cmd setup -cmd standaloneconfig -lcid 0 -cmd configdb -create -server <servername>\OfficeServers -cmd helpcollections -installall -cmd secureresources -cmd services -install -provision -cmd installfeatures -cmd adminvs -provision -cmd evalprovision -provision -cmd applicationcontent -install

After you have configured the Office SharePoint Server 2007 installation, you should add the SharePoint site to the list of trusted sites, using the following steps.

Add the SharePoint site to the list of trusted sites
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted Sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of your site, and then click Add. Add only the SharePoint site itself; sites in the Trusted Sites zone run with fewer browser restrictions than Internet sites.
5. Click Close to close the Trusted Sites dialog box.
6. Click OK to close the Internet Options dialog box.

If you are using a proxy server in your organization, use the following steps to configure Internet Explorer to bypass the proxy server for local addresses.

Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check box.
5. In the Address box, type the address of the proxy server.
6. In the Port box, type the port number of the proxy server.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.

Perform post-installation steps


After Setup finishes, your browser window opens to the home page of your new SharePoint site. Although you can start adding content to the site, or start customizing the site, we recommend that you perform the following administrative tasks by using the SharePoint Central Administration Web site.

Configure incoming e-mail settings
You can configure incoming e-mail settings so that SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-mail settings so that SharePoint sites can archive e-mail discussions as they happen, save e-mailed documents, and show e-mailed meetings on site calendars. In addition, you can configure the SharePoint Directory Management Service to provide support for e-mail distribution list creation and management. For more information, see Configure incoming e-mail settings.

Configure outgoing e-mail settings
You can configure outgoing e-mail settings so that your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and notifications to site administrators. You can configure both the "From" e-mail address and the "Reply" e-mail address that appear in outgoing alerts. For more information, see Configure outgoing e-mail settings.

Configure diagnostic logging settings
You can configure several diagnostic logging settings to help with troubleshooting. This includes enabling and configuring trace logs, event messages, user-mode error messages, and Customer Experience Improvement Program events. For more information, see Configure diagnostic logging settings.

Configure antivirus protection settings
You can configure several antivirus settings if you have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus settings enable you to control whether documents are scanned on upload or download and whether users can download infected documents. You can also specify how long you want the antivirus program to run before it times out, and you can specify how many execution threads the antivirus program can use on the server. For more information, see Configure antivirus settings.

Create SharePoint sites
When Setup finishes, you have a single Web application that contains a single SharePoint site collection that hosts a SharePoint site. You can create more SharePoint site collections, sites, and Web applications if your site design requires multiple sites or multiple Web applications. For more information, see Chapter overview: Deploy and configure SharePoint sites.

Note: If you create additional Web applications to host SharePoint sites, you must also configure Windows Firewall to allow communication on the ports for those Web applications. For more information, see Deploy a simple farm on the Windows Server 2008 operating system.

Perform administrator tasks by using the Central Administration site
1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, under Administrator Tasks, click the task you want to perform.
3. On the Administrator Tasks page, next to Action, click the task.

Configure the trace log


Trace log files can help you to troubleshoot issues related to configuration changes of the Windows SharePoint Services Search service. The trace log can also be useful for analyzing problems that might occur. For example, you can use events that are written to the trace log to identify what configuration changes were made in Office SharePoint Server 2007 before the problem occurred. Because problems related to configuration changes are not always immediately discovered, we recommend that you save all trace log files that the system creates on any day that you make any configuration changes related to the search service. Store these log files for an extended period of time in a safe location that will not be overwritten.

By default, Office SharePoint Server 2007 saves two days of events in the trace log files; trace log files that contain events that are older than two days are deleted. When using the Windows SharePoint Services Search service, we recommend that you configure the trace log to save seven days of events.

You can use the Diagnostic Logging page in Central Administration to configure the maximum number of trace log files to maintain and the duration (in minutes) to capture events to each log file. By default, 96 log files are kept, each one containing 30 minutes of events: 96 log files * 30 minutes of events per file = 2,880 minutes, or two days of events. You can also specify the location where the log files are written or accept the default path. See step 3 in this procedure to determine the location where the system stores trace log files for your system.

Configure the trace log to save seven days of events
1. In Central Administration, on the Operations tab, in the Logging and Reporting section, click Diagnostic logging.
2. On the Diagnostic Logging page, in the Trace Log section, do the following:
In the Number of log files box, type 336.
In the Number of minutes to use a log file box, type 30.
Tip: To save 10,080 minutes (seven days) of events, you can use any combination of number of log files and minutes to store in each log file.
3. Ensure that the path specified in the Path box has enough room to store the extra log files or change the path to another location.
Tip: We recommend that you store log files on a hard drive partition that is used to store log files only.
4. Click OK.
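The same seven-day retention set through the Windows SharePoint Services 3.0 object model instead of the Diagnostic Logging page, with the disk-space check from step 3 done before the change is committed. This is an added example, not code from the TechNet page or from Microsoft: the log path is an assumption, and the script estimates the space the new setting needs from the size of the trace logs already on disk, which the Diagnostic Logging page does not do for you.

```powershell
# Added example (not part of the TechNet page): the seven-day trace log retention from the
# procedure above set through SPDiagnosticsService in the 12.0 object model, with a
# free-space check first. Run on the server from an elevated prompt. The log path is an assumption.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')
$diagnostics = [Microsoft.SharePoint.Administration.SPDiagnosticsService]::Local

$minutesPerFile = 30
$daysToKeep     = 7
$filesToKeep    = (24 * 60 / $minutesPerFile) * $daysToKeep      # 336 files = 10,080 minutes
$logPath        = 'E:\SharePointLogs'                             # assumed dedicated log partition

# Estimate the space the new setting needs from the trace logs already written, so the
# change does not fill the partition in the middle of a search configuration change.
$currentPath = [Environment]::ExpandEnvironmentVariables($diagnostics.LogLocation)
$existing    = Get-ChildItem (Join-Path $currentPath '*.log') -ErrorAction SilentlyContinue
if ($existing) {
    $averageBytes = ($existing | Measure-Object -Property Length -Average).Average
    $neededBytes  = $averageBytes * $filesToKeep
    $drive = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($logPath.Substring(0, 2))'"
    if ($drive -and $drive.FreeSpace -lt $neededBytes * 1.5) {
        throw ("Only {0:N0} MB free on {1}; about {2:N0} MB needed for {3} trace log files" -f
               ($drive.FreeSpace / 1MB), $drive.DeviceID, ($neededBytes / 1MB), $filesToKeep)
    }
}

if (-not (Test-Path $logPath)) { New-Item -ItemType Directory -Path $logPath | Out-Null }

# Same three settings as the Diagnostic Logging page: path, minutes per file, number of files.
$diagnostics.LogLocation    = $logPath
$diagnostics.LogCutInterval = $minutesPerFile
$diagnostics.LogsToKeep     = $filesToKeep
$diagnostics.Update()
```

Trace logs record configuration changes, account names and URLs, so the new directory should carry the same ACL as the default LOGS folder (administrators and the SharePoint service accounts only); moving the logs to a fresh partition does not carry those permissions with it.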

Configure Windows Server Backup


If you want to use Windows Server Backup with Windows SharePoint Services 3.0, you must configure the following registry keys. If you do not configure these registry keys, Windows Server Backup will not work properly with Windows SharePoint Services 3.0.

Important: You must be logged on as a member of the Administrators group on the local server computer to edit the registry. Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Configure registry keys for Windows Server Backup
1. Click Start, click Run, and in the Open box, type regedit, and then click OK.
2. In the User Account Control dialog box, click Continue to open the Registry Editor.
3. In the Registry Editor, locate the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
4. On the Edit menu, click New, and then click Key.
5. Type WindowsServerBackup and then press ENTER.
6. Select the WindowsServerBackup key, and then on the Edit menu, click New, and then click Key.
7. Type Application Support, and then press ENTER.
8. Select the Application Support key, and then on the Edit menu, click New, and then click Key.
9. Type {c2f52614-5e53-4858-a589-38eeb25c6184} as the key name, and then press ENTER. This is the GUID for the WSS Writer.
10. Select the new key, and then on the Edit menu, click New, and then click String Value.
11. Type Application Identifier as the new value, and then press ENTER.
12. Right-click the Application Identifier value, and then click Modify.
13. In the Value Data box, type Windows SharePoint Services, and then click OK.
14. On the Edit menu, click New, and then click DWORD (32-bit) Value.
15. Type UseSameVssContext as the new value name, and then press ENTER.
16. Right-click the UseSameVssContext value, and then click Modify.
17. In the Value Data box, type 00000001, and then click OK.
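The same registry registration created from PowerShell rather than by hand in Registry Editor, followed by the check that the values are in place and that VSS can see the SharePoint writer. This is an added example, not code from the TechNet page: the key names, the WSS Writer GUID and the two values are exactly those the procedure specifies; the name of the VSS writer service (SPWriter) is an assumption.

```powershell
# Added example (not part of the TechNet page): the registry keys from the procedure above
# created from an elevated PowerShell prompt, then verified. Key names, the WSS Writer GUID
# and the values are those the procedure specifies; the service name SPWriter is an assumption.
$basePath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsServerBackup\Application Support'
$writerKey = Join-Path $basePath '{c2f52614-5e53-4858-a589-38eeb25c6184}'   # GUID for the WSS Writer

# -Force creates the intermediate WindowsServerBackup and Application Support keys if they
# are missing and leaves an existing key alone, so the script can be rerun safely.
New-Item -Path $writerKey -Force | Out-Null
New-ItemProperty -Path $writerKey -Name 'Application Identifier' -PropertyType String `
                 -Value 'Windows SharePoint Services' -Force | Out-Null
New-ItemProperty -Path $writerKey -Name 'UseSameVssContext' -PropertyType DWord -Value 1 -Force | Out-Null

# Verify the values before relying on the next backup.
$values = Get-ItemProperty -Path $writerKey
if ($values.'Application Identifier' -ne 'Windows SharePoint Services' -or $values.UseSameVssContext -ne 1) {
    throw "Windows Server Backup registration for the WSS Writer is incomplete under $writerKey"
}

# Windows Server Backup can only use the writer if its service is running and VSS lists it;
# the writer should appear as 'SharePoint Services Writer' with a Stable state.
Start-Service -Name SPWriter -ErrorAction Stop
vssadmin list writers | Select-String -Pattern 'SharePoint' -Context 0, 4
```

If the writer is missing from the vssadmin output, a backup still completes but the SharePoint databases in it are not application-consistent, which is the failure mode the registry keys are meant to prevent; check the writer before the first scheduled backup rather than after a restore.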


II. Install Office SharePoint Server 2007 in a server farm environment



Chapter overview: Install Office SharePoint Server 2007 in a server farm environment
In this section:
Suggested topologies
Before you begin deployment
Overview of the deployment process

Important: This section discusses how to do a clean installation of Microsoft Office SharePoint Server 2007 in a server farm environment. It does not cover upgrading from previous releases of Office SharePoint Server 2007 or how to upgrade from Microsoft Office SharePoint Portal Server 2003. For more information about upgrading from SharePoint Portal Server 2003, see Upgrading to Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc303420.aspx).

Note: This section does not cover installing Office SharePoint Server 2007 on a single computer as a stand-alone installation. For more information, see Install Office SharePoint Server 2007 on a stand-alone computer.

You can deploy Office SharePoint Server 2007 in a server farm environment if you are hosting a large number of sites, if you want the best possible performance, or if you want the scalability of a multi-tier topology. A server farm consists of one or more servers dedicated to running the Office SharePoint Server 2007 application.

Note: There is no direct upgrade from a stand-alone installation to a farm installation.

Because a server farm deployment of Office SharePoint Server 2007 is more complex than a stand-alone deployment, we recommend that you plan your deployment. Planning your deployment can help you to gather the information you need and to make important decisions before beginning to deploy. For information about planning, see Planning and architecture for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).

Suggested topologies
Server farm environments can encompass a wide range of topologies, and can include many servers or as few as two servers.

A small server farm typically consists of a database server running either Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most recent service pack, and one or more servers running Internet Information Services (IIS) and Office SharePoint Server 2007. In this configuration, the front-end servers are configured as Web servers and application servers. The Web server role provides Web content to clients. The application server role provides Office SharePoint Server 2007 services such as servicing search queries, and crawling and indexing content.

A medium server farm typically consists of a database server, an application server running Office SharePoint Server 2007, and one or two front-end Web servers running Office SharePoint Server 2007 and IIS. In this configuration, the application server provides indexing services and Excel Calculation Services, and the front-end Web servers service search queries and provide Web content.

A large server farm typically consists of two or more clustered database servers, several load-balanced front-end Web servers running Office SharePoint Server 2007, and two or more application servers running Office SharePoint Server 2007. In this configuration, each of the application servers provides specific Office SharePoint Server 2007 services such as indexing or Excel Calculation Services, and the front-end servers provide Web content.

Note: All of the Web servers in your server farm must have the same SharePoint Products and Technologies installed. For example, if all of the servers in your server farm are running Office SharePoint Server 2007, you cannot add to your farm a server that is running only Microsoft Office Project Server 2007. To run Office Project Server 2007 and Office SharePoint Server 2007 in your server farm, you must install Office Project Server 2007 and Office SharePoint Server 2007 on each of your Web servers.

To enhance the security of your farm and reduce the surface area that is exposed to a potential attack, you can turn off services on particular servers after you install SharePoint Products and Technologies.

Before you begin deployment


This section provides information about actions that you must perform before you begin deployment.

Important: The account that you select for installing Office SharePoint Server 2007 needs to be a member of the Administrators group on every server on which you install Office SharePoint Server 2007. However, you can remove this account from the Administrators group on the servers after installation. For information about assigning users to be SSP administrators, see Shared Services Providers in Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx).

To deploy Office SharePoint Server 2007 in a server farm environment, you must provide credentials for several different accounts. For information about these accounts, see Plan for administrative and service accounts in the Planning and architecture for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx) guide.


- You must install Office SharePoint Server 2007 on the same drive on all load-balanced front-end Web servers.
- You must install Office SharePoint Server 2007 on a clean installation of the Microsoft Windows Server 2003 operating system with the most recent service pack. If you uninstall a previous version of Office SharePoint Server 2007, and then install Office SharePoint Server 2007, Setup might fail to create the configuration database and the installation will fail.
  Note: We recommend that you read the Known Issues/Readme documentation before you install Office SharePoint Server 2007 on a domain controller. Installing Office SharePoint Server 2007 on a domain controller requires additional configuration steps that are not discussed in this section.

- You must install the same language packs on all servers in the farm. For more information about installing language packs, see Deploy language packs.
- All the instances of Office SharePoint Server 2007 in the farm must be in the same language. For example, you cannot have both an English version of Office SharePoint Server 2007 and a Japanese version of Office SharePoint Server 2007 in the same farm.
- You must use the Complete installation option on all computers you want to be index servers, query servers, or servers that run Excel Calculation Services.
- If you place a query server beyond a firewall from its index server, you must open the NetBIOS ports (UDP ports 137 and 138, and TCP port 139) on all firewalls that separate these servers. If your environment does not use NetBIOS, you must use direct-hosted server message block (SMB); this requires that you open TCP/UDP port 445. In either case, restrict the rule to the addresses of the index and query servers rather than opening these ports to the whole network; NetBIOS and SMB expose far more than index propagation.
- If you want to have more than one index server in a farm, you must use a different Shared Services Provider (SSP) for each index server.
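The firewall openings described above, scoped to the peer server's address instead of the whole network, as an added example that is not part of the original guide. The index server copies index files to a share on each query server, so the inbound opening belongs on the query server and should admit only the index server. The example assumes the Windows Firewall on Windows Server 2003 (the netsh firewall context), PowerShell 2.0 as the shell, and 10.10.1.20 as a placeholder address for the index server.

```powershell
# Added example, not part of the original guide. Run on each query server that is separated
# from its index server by a firewall. Assumes the Windows Server 2003 firewall (netsh
# firewall context). 10.10.1.20 is an assumed placeholder for the index server's address.
$IndexServer = '10.10.1.20'

# Option 1: NetBIOS. Name service (137) and datagram service (138) are UDP; the session
# service (139) is TCP. scope=CUSTOM limits each opening to the listed address only.
netsh firewall add portopening protocol=UDP port=137 name=NetBIOS-NS-from-index  mode=ENABLE scope=CUSTOM addresses=$IndexServer
netsh firewall add portopening protocol=UDP port=138 name=NetBIOS-DGM-from-index mode=ENABLE scope=CUSTOM addresses=$IndexServer
netsh firewall add portopening protocol=TCP port=139 name=NetBIOS-SSN-from-index mode=ENABLE scope=CUSTOM addresses=$IndexServer

# Option 2: direct-hosted SMB instead of NetBIOS. Windows carries SMB over TCP 445 only;
# there is no UDP 445 listener, so leaving UDP 445 closed loses nothing.
netsh firewall add portopening protocol=TCP port=445 name=SMB-from-index mode=ENABLE scope=CUSTOM addresses=$IndexServer

# Verify: every opening added above should show scope CUSTOM with only the index
# server's address; an opening with scope ALL is the mistake this example avoids.
netsh firewall show portopening
```

Use only one of the two options, matching what the farm actually uses (NetBIOS or direct-hosted SMB); opening both doubles the exposed surface for no benefit. Any intermediate firewall appliance needs the same address-scoped rule, not a blanket NetBIOS/SMB allow.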

Overview of the deployment process


The deployment process consists of three phases: deploying and configuring the server infrastructure, creating and configuring one or more Shared Services Providers (SSPs), and deploying and configuring SharePoint site collections and sites.

Phase 1: Deploy and configure the server infrastructure


Deploying and configuring the server infrastructure consists of the following steps:
- Preparing the database server.
- Preinstalling the databases (optional).
- Verifying that the servers meet hardware and software requirements.
- Running Setup on all servers you want to be in the farm.
- Installing available language template packs on front-end Web servers (optional). For more information about installing language template packs, see Deploy language packs.
- Running the SharePoint Products and Technologies Configuration Wizard.
- Starting the Windows SharePoint Services Search service, if you want to search over the Help content for Office SharePoint Server 2007.

Phase 2: Create and configure a Shared Services Provider


Creating and configuring an SSP consists of the following steps:
- Creating a Web application to host the SSP.
- Creating the SSP.
- Configuring the Web application and the SSP.
- Configuring services on the servers.

For more information about creating and configuring SSPs, see III. Create and configure Shared Services Providers.

Phase 3: Deploy and configure SharePoint site collections and sites


Deploying and configuring SharePoint site collections and sites consists of the following steps:
- Creating a Web application to host the site collections and sites.
- Creating the site collections.
- Creating the sites.

For more information about creating site collections and sites, see Deploy and configure SharePoint sites (http://technet.microsoft.com/en-us/library/cc262442.aspx).


Prepare the database servers


In this section:
- SQL Server and database collation
- Required accounts
- Preinstall databases (optional)

Before installing Microsoft Office SharePoint Server 2007, you must prepare the database server. The database server must be running Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most recent service pack. The Office SharePoint Server 2007 Setup program automatically creates the necessary databases when you install and configure Office SharePoint Server 2007. Optionally, you can preinstall the required databases if your IT environment or policies require this. For more information about prerequisites, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).

If you are using SQL Server 2005, you must also change the surface area settings so that the farm servers can reach the instance over the network; a default SQL Server 2005 installation accepts local connections only.

Configure surface area settings in SQL Server 2005
1. Click Start, point to All Programs, point to Microsoft SQL Server 2005, point to Configuration Tools, and then click SQL Server Surface Area Configuration.
2. In the SQL Server 2005 Surface Area Configuration dialog box, click Surface Area Configuration for Services and Connections.
3. In the tree view, expand the node for your instance of SQL Server, expand the Database Engine node, and then click Remote Connections.
4. Select Local and Remote Connections, select Using both TCP/IP and named pipes, and then click OK.

SQL Server and database collation


The SQL Server collation must be configured for case-insensitive. The SQL Server database collation must be configured for case-insensitive, accent-sensitive, Kana-sensitive, and width-sensitive (for example, Latin1_General_CI_AS_KS_WS). This is to ensure file name uniqueness consistent with the Windows operating system. For more information about collations, see "Selecting a SQL Collation" or "Collation Settings in Setup" in SQL Server Books Online (http://www.microsoft.com/downloads/details.aspx?familyid=BE6A2C5D-00DF-4220-B133-29C1E0B6585F&displaylang=en).
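The two database-server checks a farm administrator wants before Setup touches SQL Server, the remote-connection setting from the procedure above and the collation requirement just stated, as an added example that is not part of the original guide. It assumes SQL Server 2005 (the sys.databases view does not exist on SQL Server 2000), the sqlcmd.exe client tool installed on the farm server it runs from, Windows authentication as an account that is already a SQL Server login, and SQL01 as a placeholder server name. Latin1_General_CI_AS_KS_WS is a collation that satisfies the requirement above; another CI/AS/KS/WS collation for your locale is equally valid.

```powershell
# Added example, not part of the original guide. Run from a farm server as the Setup
# account (or any account that is already a SQL login). Assumes SQL Server 2005 and
# sqlcmd.exe from the SQL Server 2005 client tools. SQL01 is an assumed host name; for a
# named instance use SQL01\InstanceName and that instance's port and pipe name.
$SqlServer = 'SQL01'
$Required  = 'Latin1_General_CI_AS_KS_WS'   # CI, AS, KS, WS, as the guide requires

# 1. Remote connections. Surface Area Configuration must allow both TCP/IP and named
#    pipes; sqlcmd can be pinned to each protocol, so test them separately rather than
#    letting the client silently fall back to whichever one happens to work.
sqlcmd -S "tcp:$SqlServer,1433"            -E -Q "SELECT @@SERVERNAME AS tcp_ok"
sqlcmd -S "np:\\$SqlServer\pipe\sql\query" -E -Q "SELECT @@SERVERNAME AS np_ok"

# 2. Server collation. This is fixed at SQL Server Setup and changing it later means
#    rebuilding the system databases, so verify it before any SharePoint database exists.
$coll = (sqlcmd -S $SqlServer -E -h -1 -W -Q "SET NOCOUNT ON; SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Collation'))" | Out-String).Trim()
if ($coll -eq $Required) {
    "Server collation OK: $coll"
} else {
    "Server collation is '$coll'; SharePoint requires a CI/AS/KS/WS collation such as $Required"
}

# 3. DBA-created (preinstalled) databases must match. Any row returned here is a database
#    that was created with a different collation and will cause name-uniqueness problems.
sqlcmd -S $SqlServer -E -W -Q "SELECT name, collation_name FROM sys.databases WHERE collation_name <> '$Required'"
```

Step 3 matters most when the DBA preinstalls databases (see Preinstall databases below): a database created with the server default collation on a server whose default is wrong will pass Setup and fail later.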


Required accounts
The following table describes the accounts that are used to configure Microsoft SQL Server and to install Office SharePoint Server 2007. For more information about the required accounts, including specific privileges required for these accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).
Account: SQL Server service account
Purpose: SQL Server prompts for this account during SQL Server Setup. This account is used as the service account for the following SQL Server services:
- MSSQLSERVER
- SQLSERVERAGENT
If you are not using the default instance, these services will be shown as:
- MSSQL$InstanceName
- SQLAgent$InstanceName

Account: Setup user account
Purpose: The user account that is used to run Setup on each server.

Account: Server farm account
Purpose: This account is also referred to as:
- Database access account
- The application pool account for the Central Administration site
- The process account for the Windows SharePoint Services Timer (SPAdmin) service
This account is:

Preinstall databases (optional)


In many IT environments, database creation and management are handled by the database administrator (DBA). Security and other policies might require that the DBA create the databases required by Office SharePoint Server 2007. This topic provides details about how the DBA can create these databases before beginning the Office SharePoint Server 2007 installation or creation of a Shared Services Provider (SSP). For more information about preinstalling databases, including detailed procedures, see Deploy using DBA-created databases.


Prepare the Web and application servers


In this section:
- Install the Microsoft .NET Framework version 3.0
- Enable ASP.NET 2.0

Before you install and configure Microsoft Office SharePoint Server 2007, be sure that your servers have the recommended hardware and software. To deploy a server farm, you need at least one server acting as a Web server and an application server, and one server acting as a database server. For more information about these requirements, see Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).

Install the Microsoft .NET Framework version 3.0


Go to the Microsoft Download Center Web site (http://go.microsoft.com/fwlink/?LinkID=72322&clcid=0x409), and on the Microsoft .NET Framework 3.0 Redistributable Package page, follow the instructions for downloading and installing the .NET Framework version 3.0. There are separate downloads for x86-based computers and x64-based computers; be sure to download and install the appropriate version for your computer. The .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features.

Enable ASP.NET 2.0


You must enable ASP.NET 2.0 on all Office SharePoint Server 2007 servers.

Enable ASP.NET 2.0
1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the IIS Manager tree, click the plus sign (+) next to the server name, and then click the Web Service Extensions folder.
3. In the details pane, click ASP.NET v2.0.50727, and then click Allow.
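Command-line equivalents of the two preparation steps in this section, with a check that the .NET Framework 3.0 installation actually completed, as an added example that is not part of the original guide. It assumes Windows Server 2003 with IIS 6.0, PowerShell 2.0 as the shell, the default installation paths, and the registry location Microsoft documents for detecting .NET Framework 3.0. The extension name "ASP.NET v2.0.50727" is the one IIS Manager shows in the procedure above.

```powershell
# Added example, not part of the original guide. Run in an administrator shell on every Web
# and application server after installing the .NET Framework 3.0 and before running Setup.
# Assumes Windows Server 2003 / IIS 6.0 and default paths.

# 1. Confirm the .NET Framework 3.0 install completed. Windows Workflow Foundation ships
#    inside it, and SharePoint workflow features fail without it. InstallSuccess = 1 under
#    this key is the documented detection value for 3.0.
$ndp30 = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0\Setup'
if ((Test-Path $ndp30) -and ((Get-ItemProperty $ndp30).InstallSuccess -eq 1)) {
    '.NET Framework 3.0: installed'
} else {
    '.NET Framework 3.0: MISSING, install it before running Setup'
}

# 2. Register ASP.NET 2.0 with IIS and allow its Web service extension in one step.
#    -ir registers without rewriting the script maps of any existing application;
#    -enable sets the extension to Allowed, which is the IIS Manager step in the guide.
#    On 64-bit Windows (64-bit shell), the Framework64 copy is the one IIS loads.
$fw = "$env:windir\Microsoft.NET\Framework\v2.0.50727"
if ([IntPtr]::Size -eq 8) { $fw = "$env:windir\Microsoft.NET\Framework64\v2.0.50727" }
& "$fw\aspnet_regiis.exe" -ir -enable

# 3. Verify: the extension list must show ASP.NET v2.0.50727 as enabled. Only the 2.0
#    extension is required; leave any other extension you do not need prohibited.
cscript //nologo "$env:windir\system32\iisext.vbs" /ListExt
```

Enabling only the extensions a server needs is the same surface-reduction idea the guide applies to farm services later: an index server that serves no content has no reason to run anything in IIS beyond what Central Administration or SharePoint itself requires.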


Install Office SharePoint Server 2007 and run the SharePoint Products and Technologies configuration wizard
In this section:
- Recommended order of configuration
- Run Setup on the first server
- Run the SharePoint Products and Technologies Configuration Wizard
- Add the SharePoint Central Administration Web site to the list of trusted sites
- Configure proxy server settings to bypass the proxy server for local addresses
- Add servers to the farm
- Run the SharePoint Products and Technologies Configuration Wizard on additional servers
- Start the Windows SharePoint Services Search service
- Stop the Central Administration service on all index servers
- Disable the Windows SharePoint Services Web Application service on all servers not serving content

After preparing your database and the servers in your farm, run Setup and then run the SharePoint Products and Technologies Configuration Wizard on all your farm servers. Do this on all farm servers before going on to create a Shared Services Provider (SSP). Note: We recommend that you run Setup on all the servers that will be in the farm before you configure the farm. You can add servers to the farm at this point, or after you have created and configured an SSP. You can add servers after you have created and configured an SSP to add redundancy, such as additional load-balanced Web servers or additional query servers. It is recommended that you run Setup and the configuration wizard on all your application servers before you create and configure the SSP.

Recommended order of configuration


We recommend that you configure Microsoft Office SharePoint Server 2007 in the order listed below. This order makes configuration easier, and ensures that services and applications are in place before they are required by server types.
1. We recommend that the Central Administration site be installed on an application server. In a server farm that includes more than one application server, install the Central Administration site on the application server with the least overall performance load. If your farm will have an application server, install Office SharePoint Server 2007 on that server first; this also installs the Central Administration Web site.
2. All your front-end Web servers.
3. The index server (if using a separate server for search queries and indexing).
4. The query servers, if separate from the index server.
   Note: To configure more than one query server in your farm, you cannot configure your index server as a query server.
5. Other application servers (optional).

Because the SSP configuration requires an index server, you must start the Office SharePoint Server Search service on the computer that you want to be the index server, and configure it as an index server before you can create an SSP. Because of this, you must deploy and configure an index server before other servers.

You can choose any server to be the first server on which you install Office SharePoint Server 2007. However, the Central Administration Web site is automatically installed on the first server on which you install Office SharePoint Server 2007. You can configure different features on different servers. The following table shows which installation type should be used for each feature set.
Server type                                              Installation type
Central Administration Web application                   Complete or front-end Web
Application server (such as Excel Calculation Services)  Complete
Search index server                                      Complete
Search query server                                      Complete
Web server                                               Complete or front-end Web (subsequent servers must join an existing farm)

Note: If you choose the front-end Web installation option, you will not be able to run additional services, such as search, on the server.

When you install Office SharePoint Server 2007 on the first server, you establish the farm. Any servers that you add will join this farm. Setting up the first server involves two steps: installing the Office SharePoint Server 2007 components on the server, and configuring the farm. After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The SharePoint Products and Technologies Configuration Wizard automates several configuration tasks, including installing and configuring the configuration database, installing Office SharePoint Server 2007 services, and creating the Central Administration Web site.

Add servers to the farm


We recommend that you install and configure Office SharePoint Server 2007 on all of the farm servers before you configure Office SharePoint Server 2007 services and create sites. Regardless of how many Web servers you have in your server farm, you must have Microsoft SQL Server 2005 database software running on at least one database server before you install Office SharePoint Server 2007 on your Web servers. By default, when you add servers to the farm and run the SharePoint Products and Technologies Configuration Wizard, the wizard does not create additional Central Administration Web sites on the servers that you add, nor does it create any databases on your database server. However, you can use the wizard to create additional Central Administration Web sites on the servers that you add.

Run Setup on the first server


Important: If you uninstall Office SharePoint Server 2007 from the first server on which you installed it, your farm might experience problems. It is not recommended that you install Office SharePoint Server 2007 on an index server first.

Note: Setup installs the Central Administration Web site on the first server on which you run Setup. Therefore, we recommend that the first server on which you install Office SharePoint Server 2007 be a server from which you want to run the Central Administration Web site.

Run Setup on the first server
1. From the product disc, run Setup.exe, or from the product download, run Officeserver.exe, on one of your Web servers.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
   Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced. The Basic option is for stand-alone installations.
5. On the Server Type tab, select Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the next set of steps.

Run the SharePoint Products and Technologies Configuration Wizard


After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several configuration tasks, including installing and configuring the configuration database, installing Office SharePoint Server 2007 services, and creating the Central Administration Web site. Use the following instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard
1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. In the dialog box that notifies you that some services might need to be restarted during configuration, click Yes.
3. On the Connect to a server farm page, click No, I want to create a new server farm, and then click Next.
4. In the Specify Configuration Database Settings dialog box, in the Database server box, type the name of the computer that is running SQL Server.
5. Type a name for your configuration database in the Database name box, or use the default database name. The default name is "SharePoint_Config".
6. In the User name box, type the user name of the server farm account. (Be sure to type the user name in the format DOMAIN\username.)
   Important: This account is the server farm account and it is used to access your configuration database. It also acts as the application pool identity for the SharePoint Central Administration application pool, and it is the account under which the Windows SharePoint Services Timer service runs. The SharePoint Products and Technologies Configuration Wizard adds this account to the SQL Server Logins, the SQL Server Database Creator server role, and the SQL Server Security Administrators server role. The user account that you specify for this service account must be a domain user account. Because this account does not require a high level of privilege, we recommend that you follow the principle of least privilege, and specify a user account that is not a member of the Administrators group on your Web servers or your back-end servers.
7. In the Password box, type the user's password, and then click Next.
8. On the Configure SharePoint Central Administration Web Application page, select the Specify port number check box and type a port number if you want the SharePoint Central Administration Web application to use a specific port, or leave the Specify port number check box cleared if you do not care which port number the SharePoint Central Administration Web application uses.
9. In the Configure SharePoint Central Administration Web Application dialog box, do one of the following:
   - If you want to use NTLM authentication (the default), click Next.
   - If you want to use Kerberos authentication, click Negotiate (Kerberos), and then click Next.
   Note: In most cases, use the default setting (NTLM). Use Negotiate (Kerberos) only if Kerberos authentication is supported in your environment. Using the Negotiate (Kerberos) option requires you to configure a Service Principal Name (SPN) for the domain user account. To do this, you must be a member of the Domain Admins group. For more information, see How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
10. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
11. On the Configuration Successful page, click Finish. The SharePoint Central Administration Web site home page opens.

Notes:
- If you are prompted for your user name and password, you might need to add the SharePoint Central Administration Web site to the list of trusted sites, and configure user authentication settings in Internet Explorer. Instructions for configuring these settings are provided in the next set of steps.
- If a proxy server error message appears, you might need to configure your proxy server settings so that local addresses bypass the proxy server. Instructions for configuring this setting are provided later in this section.
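The two account-related follow-ups from the wizard steps above, the SPN registration that Negotiate (Kerberos) requires and the least-privilege check on the server farm account, plus the removal of the Setup account's local Administrator rights recommended at the start of this section, as an added example that is not part of the original guide. It assumes PowerShell 2.0 as the shell, setspn.exe from the Windows Server 2003 Support Tools, and placeholder names: CONTOSO as the domain, CONTOSO\spfarm as the server farm account, CONTOSO\spsetup as the Setup user account, and SPAPP01 (SPAPP01.contoso.local) as the application server that hosts Central Administration.

```powershell
# Added example, not part of the original guide. Assumed names: CONTOSO (domain),
# CONTOSO\spfarm (server farm account), CONTOSO\spsetup (Setup user account), and
# SPAPP01 / SPAPP01.contoso.local (the server hosting Central Administration).
# setspn.exe is from the Windows Server 2003 Support Tools.
$Domain = 'CONTOSO'
$Farm   = 'spfarm'
$Setup  = 'spsetup'
$CaHost = 'SPAPP01'
$CaFqdn = 'SPAPP01.contoso.local'

# 1. Kerberos, only if you chose Negotiate in step 9. Run once, as a Domain Admin. The SPNs
#    go on the farm account because it is the Central Administration application pool
#    identity. No port is included: Internet Explorer requests a ticket for HTTP/<host>
#    regardless of the port Central Administration listens on. The same SPN registered on
#    two accounts breaks Kerberos authentication, so list first and add only what is missing.
setspn -L "$Domain\$Farm"
setspn -A "HTTP/$CaHost" "$Domain\$Farm"
setspn -A "HTTP/$CaFqdn" "$Domain\$Farm"

# 2. Least privilege. The farm account must be a domain account and must not be a local
#    Administrator on any Web or application server. Run on each farm server.
$pattern = '^{0}\\{1}$' -f $Domain, $Farm
if (net localgroup Administrators | Where-Object { $_ -match $pattern }) {
    "WARNING: $Domain\$Farm is in the local Administrators group on $env:COMPUTERNAME"
} else {
    "OK: $Domain\$Farm is not a local Administrator on $env:COMPUTERNAME"
}

# 3. Once Setup and the configuration wizard have completed on this server, the Setup
#    account no longer needs local Administrator rights; remove them.
net localgroup Administrators "$Domain\$Setup" /delete
```

Step 3 should run on every farm server after its last wizard run; the Setup account keeps its SQL Server permissions, so later operations such as adding servers or creating the SSP still work when you temporarily grant it local Administrator rights again.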


Add the SharePoint Central Administration Web site to the list of trusted sites
Add the SharePoint Central Administration Web site to the list of trusted sites
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box. This is needed only because the Central Administration Web site is served over HTTP at this point; the zone then also trusts any other non-HTTPS site you add to it, so add only the Central Administration URL.
4. In the Add this Web site to the zone box, type the URL for the SharePoint Central Administration Web site, and then click Add.
5. Click Close to close the Trusted sites dialog box.
6. Click OK to close the Internet Options dialog box.

Configure proxy server settings to bypass the proxy server for local addresses
Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.

Add servers to the farm


We recommend that you install and configure Office SharePoint Server 2007 on all of your Web servers and the index server before you configure Office SharePoint Server 2007 services and create sites. If you want to build a minimal server farm configuration, and incrementally add Web servers to expand the farm, you can install and configure Office SharePoint Server 2007 on a single Web server, and configure the Web server as both a Web server and an application server. Regardless of how many Web servers you have in your server farm, you must have SQL Server 2005 running on at least one back-end database server before you install Office SharePoint Server 2007 on your Web servers.

Important: If you uninstall Office SharePoint Server 2007 from the first server on which you installed it, your farm might experience problems. It is not recommended that you install Office SharePoint Server 2007 on an index server first.

Run Setup on additional servers: front-end Web servers
1. From the product disc, run Setup.exe, or from the product download, run Officeserver.exe, on one of your Web servers.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
   Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Web Front End.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the following section.

Run Setup on additional servers: index or query server
1. From the product disc, run Setup.exe, or from the product download, run Officeserver.exe, on the server that you want to be the index server or query server.
2. On the Enter your Product Key page, enter your product key, and then click Continue.
   Note: Setup automatically verifies the product key, places a green check mark next to the text box, and enables the Continue button after it validates the key. If the key is not valid, Setup displays a red circle next to the text box and prompts you that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the next set of steps.

Run the SharePoint Products and Technologies Configuration Wizard on additional servers
After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several configuration tasks, including installing Office SharePoint Server 2007 services. Use the following instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard on additional servers
1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. In the dialog box that notifies you that some services might need to be restarted during configuration, click Yes.
3. On the Connect to a server farm page, click Yes, I want to connect to an existing server farm, and then click Next.
4. In the Specify Configuration Database Settings dialog box, in the Database server box, type the name of the computer that is running SQL Server.
5. Click Retrieve Database Names, and then from the Database name list, select the database name that you created when you configured the first server in your server farm.
6. In the User name box, type the user name of the account used to connect to the computer running SQL Server. (Be sure to type the user name in the format DOMAIN\username.) This must be the same user account you used when you configured the first server.
7. In the Password box, type the user's password, and then click Next.
8. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
9. On the Configuration Successful page, click Finish.

Start the Windows SharePoint Services Search service (optional)


You must start the Windows SharePoint Services Search service on every computer that you want to search over Help content. If you do not want users to be able to search over Help content, you do not need to start this service.

Start the Windows SharePoint Services Search service (optional)
1. On the SharePoint Central Administration home page, click the Operations tab on the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on server.
3. On the Services on Server page, next to Windows SharePoint Services Search, click Start.
4. On the Configure Windows SharePoint Services Search Service Settings page, in the Service Account section, type the user name and password for the user account under which the Windows SharePoint Services Search service will run.
5. In the Content Access Account section, type the user name and password for the user account that the Search service will use to search over content. This account must have read access to all the content you want it to search over. If you do not specify credentials, the same account used for the Search service will be used.
6. In the Indexing Schedule section, either accept the default settings, or specify the schedule that you want the Search service to use when searching over content.
7. After you have configured all the settings, click Start.

Stop the Central Administration service on all index servers


In farms with more than one index server, stop the Central Administration service on all index servers. This service is used for the Central Administration Web site and is not required on index servers. Stopping this service on index servers can help avoid URL resolution problems with indexing. On the other hand, you must be sure that this service is started on the server that hosts the Central Administration Web site, even if that server is also an index server. You do not need to stop this service for installations where the farm has only one index server. Before stopping the service on the index server, make sure that the service is running on another server.

Stop the Central Administration service on an index server
1. On the Services on Server page, select the index server from the Server drop-down list.
2. Under Select server role to display services you will need to start in the table below, select the Custom option.
3. In the table of services, next to Central Administration, in the Action column, click Stop.

Disable the Windows SharePoint Services Web Application service on all servers not serving content
Disable the Windows SharePoint Services Web Application service on all servers that are not serving content, especially index servers. On the other hand, you must be sure that this service is enabled on the servers that are serving content.

Disable the Windows SharePoint Services Web Application service on a server
1. On the SharePoint Central Administration home page, click the Operations tab on the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on server.
3. On the Services on Server page, next to Windows SharePoint Services Web Application, click Stop.


Deploy language packs


In this section:
About language IDs and language packs
Preparing your front-end Web servers for language packs
Installing language packs on your front-end Web servers

Language packs enable site owners and site collection administrators to create SharePoint sites and site collections in multiple languages without requiring separate installations of Microsoft Office SharePoint Server 2007. You install language packs, which contain language-specific site templates, on your front-end Web servers. When an administrator creates a site or a site collection based on a language-specific site template, the text that appears on the site or the site collection is displayed in the site template's language. Language packs are typically used in multinational deployments where a single server farm supports people in different locations or in situations where sites and Web pages must be duplicated in one or more languages. For more information about language packs, see Plan for multilingual sites (http://technet.microsoft.com/en-us/library/cc262055.aspx).
Note: You cannot change an existing site, site collection, or Web page from one language to another by applying different language-specific site templates; once you choose a language-specific site template for a site or a site collection, the site or site collection will always display content in the language of the original site template.

Word breakers and stemmers enable you to efficiently and effectively search across content on SharePoint sites and site collections in multiple languages without requiring separate installations of Office SharePoint Server 2007. Word breakers and stemmers are not installed with language packs. Instead, they are automatically installed on your front-end Web servers by the Setup wizard. For more information about word breakers and stemmers, see the "Plan word breakers and stemmers" section in Plan to crawl content (http://technet.microsoft.com/en-us/library/cc262926.aspx).

You can install language packs for Microsoft Office Server products from the Microsoft Download site, at 2007 Office System Language Packs (http://www.microsoft.com/downloads/details.aspx?FamilyId=2447426B-8689-4768-BFF0-CBB511599A45&displaylang=en).
Important: If you are uninstalling a Microsoft Office Server product, you must uninstall all language packs before you uninstall the product.


About language IDs and language packs


When site owners or site collection administrators create sites or site collections, they can choose a language for each site or site collection. The language they choose represents the language identifier (ID), and the language ID determines the language that is used to display text and interpret text that is put on the site or site collection. For example, when a site administrator chooses to create a site in French, the site's toolbars, navigation bars, lists, and column headings appear in French. Likewise, if a site administrator chooses to create a site in Arabic, the site's toolbars, navigation bars, lists, and column headings appear in Arabic, and the default left-to-right orientation of the site changes to a right-to-left orientation to properly display Arabic text. The list of available languages that a site administrator can use to create a site or site collection is generated by the language packs that are installed on your front-end Web servers. By default, sites and site collections are created in the language in which Office SharePoint Server 2007 was installed. For example, if you install the Spanish version of Office SharePoint Server 2007, the default language for sites, site collections, and Web pages is Spanish. If a site administrator needs to create sites, site collections, or Web pages in a language other than the default Office SharePoint Server 2007 language, you must install the language pack for that language on your front-end Web servers. For example, if you are running the French version of Office SharePoint Server 2007, and a site administrator wants to create sites in French, English, and Spanish, you must install the English and Spanish language packs on your front-end Web servers.
Note: By default, when a site administrator creates a new Web page within a site, the Web page uses the site's language ID to display text.

Language packs for Office SharePoint Server 2007 are not bundled into multilingual installation packages. You must install a specific language pack for each language that you want to support. Also, language packs must be installed on each of your front-end Web servers to ensure that each Web server can render content in the specified language. The following table lists the language packs that are available for Office SharePoint Server 2007.

Language    Country/Region    Language ID
German      Germany           1031
English     United States     1033
Japanese    Japan             1041

Although a site administrator specifies a language ID for a site, some user interface elements, such as error messages, notifications, and dialog boxes, do not display in the language that was specified. This is because Office SharePoint Server 2007 relies on several supporting technologies (for example, the Microsoft .NET Framework, Microsoft Windows Workflow Foundation, Microsoft ASP.NET, and Microsoft SQL Server 2005), some of which are localized into only a limited number of languages. If a user interface element is generated by any of the supporting technologies that is not localized into the language that the site administrator specified for the site, the user interface element appears in English. For example, if a site administrator creates a site in Hebrew, and the .NET Framework component displays a notification message, the notification message will not display in Hebrew because the .NET Framework is not localized into Hebrew. This situation can occur when sites are created in any language except the following: Chinese, French, German, Italian, Japanese, Korean, and Spanish. In some cases, some text might originate from the original installation language, which can create a mixed-language experience. This type of mixed-language experience is typically seen only by content creators or site administrators and is not seen by site users.

Preparing your front-end Web servers for language packs


Before you install language packs on your front-end Web servers, you must do the following:
- Install the necessary language files on your front-end Web servers.
- Install Office SharePoint Server 2007 on each of your front-end Web servers.
- Run the SharePoint Products and Technologies Configuration Wizard on each of your front-end Web servers.

Language files are used by the operating system and provide support for displaying and entering text in multiple languages. Language files include:
- Keyboard files
- Input Method Editors (IMEs)
- TrueType font files
- Bitmap font files
- Code page conversion tables
- National Language Support (.nls) files
- Script engines for rendering complex scripts

Most language files are installed by default on the Microsoft Windows Server 2003 operating system. However, you must install supplemental language files for East Asian languages and languages that use complex script or require right-to-left orientations. The East Asian languages include Chinese, Japanese, and Korean; the complex script and right-to-left oriented languages include Arabic, Armenian, Georgian, Hebrew, the Indic languages, Thai, and Vietnamese. Instructions for installing these supplemental language files are provided in the following procedure. We recommend that you install these language files only if you need them. The East Asian files require about 230 megabytes of hard disk space. The complex script and right-to-left languages do not use much disk space, but installing either set of files might reduce performance when entering text.


Note: You must be a member of the Administrators group on the computer to install these language files. After the language files are installed, the languages are available to all users of the computer.
Note: You will need your Windows Server 2003 product disc to perform this procedure, or you will need to know the location of a shared folder that contains your operating system installation files.
Note: You must restart your computer after you install supplemental language files.

Install additional language files
1. On your front-end Web server, click Start, point to Settings and then Control Panel, and then click Regional and Language Options.
2. In the Regional and Language Options dialog box, on the Languages tab, in the Supplemental Language Support section, select one or both of the following check boxes:
   - Install files for complex script and right-to-left languages
   - Install files for East Asian languages
3. Click OK in the dialog box that alerts you that additional disk space is required for the files.
4. Click OK to install the additional language files.
5. When prompted, insert your Windows Server 2003 product disc or provide the location of your Windows Server 2003 installation files.
6. When prompted to restart your computer, click Yes.

After you install the necessary language files on your front-end servers, you need to install Office SharePoint Server 2007 and run the SharePoint Products and Technologies Configuration Wizard. The wizard creates and configures the configuration database and performs other configuration tasks that must be done before you install language packs. For more information about installing Office SharePoint Server 2007 and running the SharePoint Products and Technologies Configuration Wizard, see Deploy in a simple server farm and Install Office SharePoint Server 2007 on a stand-alone computer.

Installing language packs on your front-end Web servers


After you install the necessary language files on your front-end servers, you can install your language packs. Language packs are available as individual downloads (one download for each supported language). If you have a server farm environment, and you are installing language packs to support multiple languages, you must install the language packs on each of your front-end Web servers.
Important: The language pack installs in its native language; for example, the Russian language pack executable file is localized into Russian. The procedure provided below is for the English language pack.

Install a language pack
1. Run setup.exe.
2. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
3. The setup wizard runs and installs the language pack.
4. Rerun the SharePoint Products and Technologies Configuration Wizard, using the default settings. If you do not run the SharePoint Products and Technologies Configuration Wizard after you install a language pack, the language pack will not be installed properly.

Rerun the SharePoint Products and Technologies Configuration Wizard
1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Products and Technologies Configuration Wizard.
2. On the Welcome to SharePoint Products and Technologies page, click Next.
3. Click Yes in the dialog box that alerts you that some services might need to be restarted during configuration.
4. On the Modify server farm settings page, click Do not disconnect from this server farm, and then click Next.
5. If the Modify SharePoint Central Administration Web Administration Settings page appears, do not modify any of the default settings, and then click Next.
6. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
7. On the Configuration Successful page, click Finish.

When you install language packs, the language-specific site templates are installed in the \Program Files\Common Files\Microsoft Shared\web server extensions\12\template\number directory, where number is the Language ID for the language that you are installing. For example, the US English language pack installs to the \Program Files\Common Files\Microsoft Shared\web server extensions\12\template\1033 directory. After you install a language pack, site owners and site collection administrators can create sites and site collections based on the language-specific site templates by specifying a language when they are creating a new SharePoint site or site collection.
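Because every front-end Web server must carry the same language packs, an easy way to confirm a consistent farm is to compare the template\number directories across servers. The following PowerShell script is an added example and is not part of the Microsoft documentation; the server names WFE01 and WFE02 are placeholders, and it assumes the product is installed on drive C of each server and that the C$ administrative share is reachable with your credentials.

```powershell
# Added example (not from the Microsoft documentation): list the language packs present on
# each front-end Web server by enumerating the template\<language ID> directories described
# above, and flag any server whose set differs from the first server's set.
# Server names are placeholders; the check reads each server's drive C over the C$ share.

$frontEndServers = @('WFE01', 'WFE02')   # placeholders; replace with your front-end Web servers
$templateRelPath = 'Program Files\Common Files\Microsoft Shared\web server extensions\12\template'

# Returns the sorted list of language IDs whose site templates are installed on the given server.
function Get-InstalledLanguageIds([string]$server) {
    $path = "\\$server\C`$\$templateRelPath"
    # Language-pack templates live in purely numeric subdirectories (1031, 1033, 1041, ...)
    Get-ChildItem -Path $path |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\d+$' } |
        ForEach-Object { [int]$_.Name } |
        Sort-Object
}

$reference = $null
foreach ($server in $frontEndServers) {
    $ids = @(Get-InstalledLanguageIds $server)
    Write-Host ('{0}: language IDs {1}' -f $server, ($ids -join ', '))

    # The first server's set is the reference; every other server must match it exactly
    if ($null -eq $reference) { $reference = $ids; continue }

    $diff = Compare-Object -ReferenceObject $reference -DifferenceObject $ids
    if ($diff) {
        $details = ($diff | ForEach-Object { "$($_.InputObject) $($_.SideIndicator)" }) -join '; '
        Write-Warning ('{0} differs from {1}: {2}' -f $server, $frontEndServers[0], $details)
    }
}
```

A language ID shown with "=>" is present only on that server, and "<=" means it is missing there; install the corresponding language pack and rerun the configuration wizard on the server that lacks it.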


Uninstalling language packs


If you no longer need to support a language for which you have installed a language pack, you can remove the language pack by using Add/Remove Programs in Control Panel. Removing a language pack removes the language-specific site templates from your computer. All sites that were created with those language-specific site templates will no longer work (the URL will produce an HTTP 500 - Internal server error page). Reinstalling the language pack will make the site functional.
Note: You cannot remove the language pack for the version of Office SharePoint Server 2007 that you have installed on your server. For example, if you are running the Japanese version of Office SharePoint Server 2007, you cannot uninstall the Japanese language support for Office SharePoint Server 2007.


III. Create and configure Shared Services Providers



Chapter overview: Create and configure Shared Services Providers


After you have installed Microsoft Office SharePoint Server 2007, you must configure the primary Shared Services Provider (SSP) that your SharePoint sites will rely on to provide services such as search, personalization, or business intelligence. This chapter helps you create the primary Shared Services Provider, and configure settings for the shared services that are hosted by that SSP.

In this chapter:
Configure the primary Shared Services Provider
Configure the Office SharePoint Server Search service
A. Configure personalization
B. Configure business intelligence features
C. Configure Excel Services
D. Configure InfoPath Forms Services
E. Configure Office Project Server


Configure the primary Shared Services Provider


Create the Shared Services Provider
1. On the SharePoint Central Administration home page, click the Application Management tab on the top navigation bar.
2. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
3. On the Manage this Farm's Shared Services page, click New SSP.
Important: If you have not created a Web application for the SSP administration site, you need to create one before you create the SSP. If you have already created a Web application for the SSP administration site, skip to step 14.
4. On the New Shared Services Provider page, click Create a new Web application.
5. On the Create New Web Application page, in the IIS Web Site section, click Create a new IIS web site, and do not modify the default settings in this section.
6. In the Security Configuration section, under Authentication provider, select the appropriate option for your environment, and do not modify the default settings in the remainder of this section.
Note: By default, the authentication provider is set to NTLM. Use the Negotiate (Kerberos) setting only if Kerberos is supported in your environment. This option will require configuring a Service Principal Name for the domain user account, for which you must have Domain Administrator credentials. For more information about configuring Kerberos, see Microsoft Knowledge Base article KB 832769: HOW TO: Configure Windows SharePoint Services to Use Kerberos Authentication (http://support.microsoft.com/?kbid=832769).
7. In the Load Balanced URL section, do not modify the default settings.
8. In the Application Pool section, click Create new application pool.
9. In Application pool name, enter the name of your application pool or use the default name.
10. Click Configurable, and in User name and Password, type the user name and password for the user account that you want to act as the application pool identity for your SSP Web application. The user account must be a domain user account, but the user account does not have to be a member of any particular security group. It is recommended that you use the principle of least privilege and select a unique user account that does not have administrative rights on your front-end servers or on your back-end database servers. You can use the user account that you specified as the Microsoft Office SharePoint Server 2007 service account; however, if that user account is a member of a security group that has administrative rights on your front-end servers or your back-end database servers, you will not be following the principle of least privilege. The user name must be in the format DOMAIN\username.
11. In the Database Name and Authentication section, verify the database information and make sure that Windows Authentication (recommended) is selected.
12. In the Search Server section, do not modify the default settings.
13. Click OK. Upon successful creation of the Web application, the New Shared Services Provider page appears.
14. In the SSP Name section, in Web Application, select the Web application that you created for the SSP, and do not modify any of the default settings in this section.
15. In the My Site Location section, choose the correct Web application.
Note: It is recommended that you run My Sites and the SSP administration site in different Web applications so that you can back up and restore My Sites separately from the SSP administration site.
16. In the SSP Service Credentials section, in User name and Password, type the user name and password for the user account under which you want the SSP to run. The user account must be a domain user account, but the user account does not have to be a member of any particular security group. It is recommended that you use the principle of least privilege and select a unique user account that does not have administrative rights on your front-end servers or on your back-end database servers. You can use the user account that you specified as the Office SharePoint Server 2007 service account; however, if that user account is a member of a security group that has administrative rights on your front-end servers or your back-end database servers, you will not be following the principle of least privilege. The user name must be in the format DOMAIN\username.
17. In the SSP Database section, you can either accept the default settings (recommended), or specify your own settings for the database server, the database name, or the SQL authentication credentials.
18. In the Search Database section, you can either accept the default settings (recommended), or specify your own settings for the search database server, the database name, or the SQL Server authentication credentials.
19. In the Index Server section, in Index Server, click the server on which you configured the Search service. If there is no index server listed in the Index Server section, then no server in your farm has been assigned the index server role. To assign the index server role to a server in your farm, follow the instructions in Configure a dedicated front-end Web server for crawling (http://technet.microsoft.com/en-us/library/cc261810.aspx).
20. In the SSL for Web Services section, click No.
21. Click OK. Upon successful creation of the SSP, the Success page appears.
22. On the Success page, click OK to return to the Manage this Farm's Core Services page.

For information about how to perform this procedure using the Stsadm command-line tool, see Shared Services Provider: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262916.aspx).
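The least-privilege guidance in steps 10 and 16 can be checked on a front-end server after the SSP is created. The following PowerShell script is an added example and is not part of the Microsoft documentation; the account names CONTOSO\ssp-apppool and CONTOSO\ssp-service and the server name SQLSERVER01 are placeholders, and it assumes the user running it can connect to the SQL Server instance with Windows authentication.

```powershell
# Added example (not from the Microsoft documentation): check that the SSP application pool
# identity and the SSP service account follow the least-privilege guidance above, i.e. that
# neither is a member of the local Administrators group on this front-end server and neither
# holds the sysadmin role on the back-end SQL Server.
# Account names and the SQL Server name below are placeholders; replace them before use.

$accountsToCheck = @('CONTOSO\ssp-apppool', 'CONTOSO\ssp-service')   # placeholders
$sqlServer       = 'SQLSERVER01'                                     # placeholder

# Direct members of the local Administrators group, as DOMAIN\name strings.
# Caveat: only direct members are listed. An account that is an administrator through a
# nested group (for example a domain group that is itself a member) is not reported here,
# so also review the groups that appear in this list.
function Get-LocalAdministrators {
    $group = [ADSI]'WinNT://./Administrators,group'
    $group.psbase.Invoke('Members') | ForEach-Object {
        # ADsPath has the form WinNT://CONTOSO/ssp-apppool; convert it to CONTOSO\ssp-apppool
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# True when the login holds the sysadmin fixed server role on the given instance.
# IS_SRVROLEMEMBER returns NULL for a login unknown to the server; that counts as "not sysadmin".
function Test-SqlSysadmin([string]$server, [string]$login) {
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$server;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin', @login)"
        [void]$cmd.Parameters.AddWithValue('@login', $login)
        $result = $cmd.ExecuteScalar()
        return ($result -ne [DBNull]::Value -and [int]$result -eq 1)
    } finally {
        $conn.Close()
    }
}

$localAdmins = @(Get-LocalAdministrators)
foreach ($account in $accountsToCheck) {
    $isLocalAdmin = $localAdmins -contains $account     # string comparison is case-insensitive
    $isSysadmin   = Test-SqlSysadmin $sqlServer $account
    $summary = '{0}: local Administrator={1}, SQL sysadmin={2}' -f $account, $isLocalAdmin, $isSysadmin
    if ($isLocalAdmin -or $isSysadmin) {
        Write-Warning ($summary + '; this does not follow the principle of least privilege')
    } else {
        Write-Host $summary
    }
}
```

Run the script on each front-end server, because local Administrators membership is per computer.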

Create a new SSP


Important: To configure an SSP, you must have already configured an index server for the farm. Without an index server, creation of a new SSP will fail. For more information about configuring an index server, see the topic Configure the primary Shared Services Provider (http://technet.microsoft.com/en-us/library/cc262649.aspx).

To create and configure a new SSP:
1. In a Web browser, open the Central Administration page for your farm.
2. On the top navigation bar, click Application Management.
3. On the Application Management page, under Office SharePoint Server Shared Services, click Create or configure this farm's shared services.
4. On the Manage this Farm's Shared Services page, on the top navigation bar, click New SSP.
5. In the SSP Name section, specify a unique, descriptive name for this SSP. This name will be used to identify the SSP in administration pages.
6. In the My Site location section, select the Web application for this SSP.
7. In the SSP Service Credentials section, specify the credentials which will be used by SSP Web services for inter-server communication and for the SSP timer service to run jobs.
8. In the SSP Database section, specify the database server and database name for storing session data. Use of the default database server and database name is recommended for most cases.
9. In the Index Server section, select the index server which will crawl content in all Web applications associated with this SSP. You may also specify the path on the index server where the indexes will be located if you do not want to use the default path.
10. In the SSL for Web Services section, choose whether or not to use SSL to protect communications to and from Web services.
Note: If you choose to enable SSL for Web services, you must add the certificate on each server in the farm by using the IIS administration tool. Until this is done, the Web services will not be available.
11. Click OK to create the SSP.

Associate an SSP with a Web application


A Web application may be associated with only one SSP, but each SSP may be associated with multiple Web applications.

To associate an SSP with a Web application:
1. On the taskbar, click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
2. In the Quick Launch, click Shared Services Administration.
3. On the Manage this Farm's Shared Services page, on the top navigation bar, click Change Associations.
Note: In the SSP Name column in the SSP list, you will see all the Web applications with which each SSP is currently associated.
4. On the Change Association between Web Applications and SSPs page, under Shared Services Provider, select the SSP you want to configure.
5. In the Web applications section, select the Web applications you want to associate with the SSP.
6. Click OK to associate the SSP with the selected Web applications.


Configure the Office SharePoint Server Search service


In this section:
Server-level configuration
Farm-level configuration
SSP-level configuration
Site collection-level configuration

This section describes the process of deploying the search features for Microsoft Office SharePoint Server 2007 that are related to crawling content. If you have not already done so, we highly recommend that you first read the topics described in Plan search (http://technet.microsoft.com/en-us/library/cc263400.aspx) and fill out the companion Plan to crawl content worksheet (http://go.microsoft.com/fwlink/?LinkID=73748&clcid=0x409). As you proceed through this section, refer to this worksheet so that you have the information you need to configure these search features. For information about how to perform this procedure using the Stsadm command-line tool, see Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).

Server-level configuration
The procedures in this section are performed at the server level. To perform these procedures, you must be a member of the Administrators group for each server on which you want to perform them.

Install protocol handlers


The following protocols are supported by the default protocol handlers: bdc, bdc2, file, http, https, rb, rbs, sps, sps3, sps3s, spsimport, spss, sts, sts2, sts2s, sts3, and sts3s.

Refer to the Protocol handlers section of the Plan to crawl content worksheet to review your decisions for installing additional protocol handlers. When installing the protocol handlers on your index server, follow the appropriate installation instructions provided by the manufacturer of each protocol handler. Note: You must be a member of the Administrators group on each server on which you want to install an additional protocol handler.

Install and register IFilters


The procedures used to install and register IFilters vary among different IFilters. Refer to the File type inclusions section of the Plan to crawl content worksheet for the IFilters you decided to add. This section includes instructions for installing and registering the following IFilters. If an IFilter that you need is not listed here, contact the manufacturer for instructions for installing third-party IFilters. If you do not need to install additional IFilters, skip to the next section.
Note: You must be a member of the Administrators group on each server on which you want to install an IFilter.

Install and register the OneNote IFilter


Before Microsoft Office OneNote 2007 files can be crawled and indexed, you must first do the following:
- Install Office OneNote 2007 on the index server. This installs the OneNote IFilter.
  Note: The Office OneNote 2007 IFilter can crawl both OneNote 2003 and Office OneNote 2007 files. The Office OneNote 2003 IFilter can crawl OneNote 2003 files only.
- Add the OneNote file extension to the File Types list.
- Register the OneNote IFilter.
Note: You must be a member of the Administrators group on the index server to perform the following procedures.

Add the OneNote file extension to the File Types list
1. Open the administration page for the Shared Services Provider (SSP). To open the administration page for the SSP, do the following:
   a. In Central Administration, on the top link bar, click Application Management.
   b. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
   c. On the Manage this Farm's Shared Services page, click the SSP for which you want to open the administration page.
2. On the Shared Services Administration page, in the Search section, click Search settings.
3. On the Configure Search Settings page, in the Crawl Settings section, click File Types.
4. On the Manage File Types page, click New File Type.
5. On the Add File Type page, in the File extension box, type one, and then click OK.
Note: Do not type the period character "." before the file extension.

Register the OneNote IFilter
1. On the index server, click Start, and then click Run.
2. In the Open box, type notepad, and then click OK.
3. Type or copy the following text into Notepad:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\Filters\.one]
"Extension"="one"
"FileTypeBucket"=dword:00000001
"MimeTypes"="application/msonenote"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\ContentIndexCommon\Filters\Extension\.one]
@="{B8D12492-CE0F-40AD-83EA-099A03D493F1}"

4. In Notepad, on the File menu, click Save As.
5. In the Save As dialog box, in the File name box, type onenote.reg, and then click Save.
6. On the index server, double-click the onenote.reg file that you just created.
Note: This step starts the process of setting the necessary registry keys for registering the OneNote IFilter.
7. If the Open File - Security Warning dialog box appears, click Run.
8. In the Registry Editor dialog box, click Yes.
9. Click OK to close the Registry Editor box.
10. Restart the index server.
Note: The index server must be restarted for the IFilter registration to take effect.

After you restart the index server, you must start a full crawl of the locations that contain Office OneNote 2007 files before they can appear in search queries. If your document libraries require check-out to edit the files, Office OneNote 2007 files will often be in checked-out state. Any updates to the checked-out files that are saved to the library will not be crawled until the files are checked in. In general, we recommend that administrators do not require that files be checked out before they can be edited for document libraries that are intended for storing OneNote files.
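Before restarting the index server, you can confirm that the registration written by onenote.reg matches the procedure. The following PowerShell script is an added example and is not part of the Microsoft documentation; it reads only the keys and values listed in step 3, and additionally assumes that the IFilter's COM class, installed with Office OneNote 2007, is registered under HKEY_CLASSES_ROOT\CLSID as IFilters normally are.

```powershell
# Added example (not from the Microsoft documentation): verify on the index server that the
# OneNote IFilter registration from the procedure above is present and consistent before the
# restart and the full crawl. Key paths, value names and the CLSID come from the .reg file above.
# Assumption: the CLSID is also registered as a COM class (HKCR\CLSID\<clsid>\InprocServer32),
# which is done by the Office OneNote 2007 installation, not by the .reg file.

$filterKey     = 'HKLM:\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\Filters\.one'
$extensionKey  = 'HKLM:\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\ContentIndexCommon\Filters\Extension\.one'
$expectedClsid = '{B8D12492-CE0F-40AD-83EA-099A03D493F1}'

# Returns the list of problems found; an empty list means the registration matches the procedure.
function Test-OneNoteIFilterRegistration {
    $problems = @()

    if (-not (Test-Path -Path $filterKey)) {
        $problems += "Missing key: $filterKey"
    } else {
        $f = Get-ItemProperty -Path $filterKey
        if ($f.Extension -ne 'one') {
            $problems += "Extension is '$($f.Extension)', expected 'one'"
        }
        if ($f.FileTypeBucket -ne 1) {
            $problems += "FileTypeBucket is '$($f.FileTypeBucket)', expected 1"
        }
        if ($f.MimeTypes -ne 'application/msonenote') {
            $problems += "MimeTypes is '$($f.MimeTypes)', expected 'application/msonenote'"
        }
    }

    if (-not (Test-Path -Path $extensionKey)) {
        $problems += "Missing key: $extensionKey"
    } else {
        # The .reg file sets this key's default value (the @= line) to the filter's CLSID
        $clsid = (Get-ItemProperty -Path $extensionKey).'(default)'
        if ($clsid -ne $expectedClsid) {
            $problems += "Default value is '$clsid', expected '$expectedClsid'"
        }
        # The CLSID is only useful if a filter DLL is actually registered for it
        $comKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$expectedClsid\InprocServer32"
        if (-not (Test-Path -Path $comKey)) {
            $problems += "No COM registration at $comKey; is Office OneNote 2007 installed on this server?"
        }
    }

    return $problems
}

$problems = @(Test-OneNoteIFilterRegistration)
if ($problems.Count -eq 0) {
    Write-Host 'OneNote IFilter registration matches the procedure; restart the index server and start a full crawl.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The check does not cover the File Types entry made in the SSP administration pages, which is stored in the SSP, not in the registry.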

Farm-level configuration
The procedures in this section are performed at the farm level. To perform these procedures, you must be a farm administrator.

Create crawler impact rules


Use the following procedure, along with the decisions you recorded in the Crawler impact rules section of the Plan to crawl content worksheet, to create crawler impact rules. A crawler impact rule limits the load the crawler is allowed to place on a particular site, either by capping the number of simultaneous requests or by forcing a pause between requests, so that crawling does not degrade the site for its users.
Create crawler impact rules
1. In Central Administration, on the Application Management tab, in the Search section, click Manage search service.
2. On the Manage Search Service page, in the Farm-Level Search Settings section, click Crawler impact rules.
3. On the Crawler Impact Rules page, click Add Rule.
4. On the Add Crawler Impact Rule page, in the Site section, in the Site box, type the site name that will be associated with this crawler impact rule.
Note: When typing the site name, you must exclude the protocol. For example, type contoso.com, not http://contoso.com or file://contoso.com.
5. In the Request Frequency section, select one of the following options:
   - Request up to the specified number of documents at a time and do not wait between requests. If you choose this option, use the Simultaneous requests list to select how many documents you want the crawler to request at one time when crawling this site. This is the maximum number of requests that the Office SharePoint Server Search service can have outstanding against this site at one time.
   - Request one document at a time and wait the specified time between requests. If you choose this option, the Office SharePoint Server Search service makes one request to the site at a time and then waits for the specified time before making the next request. In the Time to wait (in seconds) box, type the delay between requests. The minimum time to wait is one second, and the maximum is 1,000 seconds.
6. Click OK.
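The two request-frequency modes behave very differently from the crawled site's point of view. The following Python model is an added example written for this page; it is not Microsoft code and does not call SharePoint. It reproduces the matching of a site name (with no protocol, as the note above requires) to a rule and simulates, on a virtual clock, when each request would start under either mode, so the peak load a site sees can be compared. The rules, host names and document URLs are constructed; the choice that the longest matching site name wins is an assumption of the model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ImpactRule:
    """One crawler impact rule. Exactly one request-frequency mode applies:
    delay_seconds set   -> one request at a time, wait that long between requests
    delay_seconds unset -> up to `simultaneous` requests in flight, no waiting."""
    site: str                               # site name, no protocol (e.g. "contoso.com")
    simultaneous: int = 1
    delay_seconds: Optional[float] = None

    def __post_init__(self) -> None:
        if self.delay_seconds is not None and not 1 <= self.delay_seconds <= 1000:
            raise ValueError("time to wait must be between 1 and 1,000 seconds")
        if self.delay_seconds is None and self.simultaneous < 1:
            raise ValueError("simultaneous requests must be at least 1")


def normalize_site(site: str) -> str:
    """The Site box must not contain a protocol; strip one if it was pasted in."""
    if "://" in site:
        site = urlsplit(site).netloc or site.split("://", 1)[1]
    return site.strip("/").lower()


def find_rule(rules: List[ImpactRule], url: str) -> Optional[ImpactRule]:
    """Return the rule for the URL's host. A rule's site matches the host itself and
    hosts beneath it; the longest (most specific) site wins. That tie-break is an
    assumption of this model, not documented SharePoint behaviour."""
    host = urlsplit(url).netloc.lower()
    best: Optional[ImpactRule] = None
    for rule in rules:
        site = normalize_site(rule.site)
        if host == site or host.endswith("." + site):
            if best is None or len(site) > len(normalize_site(best.site)):
                best = rule
    return best


def simulate(urls: List[str], rule: ImpactRule, service_seconds: float = 1.0) -> List[Tuple[float, str]]:
    """Start time of each request to one site under the rule, on a virtual clock.
    service_seconds is the assumed time the site needs to answer one request."""
    schedule: List[Tuple[float, str]] = []
    if rule.delay_seconds is not None:
        clock = 0.0
        for url in urls:
            schedule.append((clock, url))
            clock += service_seconds + rule.delay_seconds   # the wait starts after the reply
        return schedule
    slots = [0.0] * rule.simultaneous        # time at which each slot is free again
    for url in urls:
        i = min(range(len(slots)), key=slots.__getitem__)
        schedule.append((slots[i], url))
        slots[i] += service_seconds
    return schedule


def peak_concurrency(schedule: List[Tuple[float, str]], service_seconds: float = 1.0) -> int:
    """Largest number of requests in flight at once: the load the site actually sees."""
    peak = 0
    for start, _ in schedule:
        in_flight = sum(1 for s, _ in schedule if s <= start < s + service_seconds)
        peak = max(peak, in_flight)
    return peak


if __name__ == "__main__":
    # Constructed rules and URLs for illustration.
    rules = [ImpactRule("contoso.com", simultaneous=4),
             ImpactRule("legacy.contoso.com", delay_seconds=5)]
    docs = [f"http://legacy.contoso.com/doc{i}.htm" for i in range(6)]
    rule = find_rule(rules, docs[0])
    for start, url in simulate(docs, rule):
        print(f"t={start:5.1f}s  GET {url}")
    print("peak concurrency:", peak_concurrency(simulate(docs, rule)))
```

Running the script shows the fragile legacy host being fetched strictly one document at a time with a five-second gap, while the broader contoso.com rule would let four requests overlap; a rule for a more specific site name overrides the broader one.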

Configure farm-level search settings


Use the following procedure, along with the decisions you recorded in the Farm-level search settings section of the Plan to crawl content worksheet, to configure your farm-level search settings.
Configure farm-level search settings
1. In Central Administration, on the Application Management tab, in the Search section, click Manage search service.
2. On the Manage Search Service page, in the Farm-Level Search Settings section, click Farm-level search settings.
3. On the Manage Farm-Level Search Settings page, in the Contact E-mail Addresses section, type the e-mail address of the person in your organization whom external site administrators can contact if problems arise when their site is being crawled.
4. In the Proxy Server Settings section, if you want to use a proxy server when crawling, select Use the proxy server specified, and then do the following:
   - In the Address box, enter either the NetBIOS name or the IP address of the proxy server.
   - In the Port box, type the port to use for this proxy server.
   - To bypass this proxy server when crawling local addresses, select the Bypass proxy server for local (intranet) addresses check box.
   - To specify addresses for which to bypass the proxy server when crawling, enter those addresses in the Do not use proxy server for addresses beginning with box.
5. In the Timeout Settings section, do the following:
   - In the Connection time (in seconds) box, enter the number of seconds you want the server to wait while connecting to other services.
   - In the Request acknowledgement time (in seconds) box, enter the number of seconds you want the server to wait for another service to acknowledge a request to connect to that service.
6. In the SSL Certificate Warning Configuration section, select the Ignore SSL certificate name warnings check box only if you need the crawler to treat HTTPS sites as legitimate even when their certificate names do not exactly match the host names being crawled. Otherwise, ensure that this check box is cleared: with name checking disabled, any host that presents a valid certificate issued for some other name is accepted as the crawled site, and the crawler will authenticate to it with the content access account's credentials.
7. Click OK.

Configure the trace log


The trace log can be very useful for analyzing problems that may occur. Events that are written to the trace log are especially helpful because you can use them to determine what configuration changes were made in Office SharePoint Server 2007 before the problem occurred.
By default, Office SharePoint Server 2007 saves two days of events in the trace log files; trace log files that contain events older than two days are deleted. When you are using either the Office SharePoint Server Search service or the Windows SharePoint Services Search service, we recommend that you configure the trace log to save seven days of events.
You can use the Diagnostic Logging page in Central Administration to configure the maximum number of trace log files to maintain and how long (in minutes) to capture events to each log file. By default, 96 log files are kept, each one containing 30 minutes of events: 96 log files * 30 minutes of events per file = 2,880 minutes, or two days of events. You can also specify the location where the log files are written or accept the default path.
Configure the trace log to save seven days of events
1. In Central Administration, on the Operations tab, in the Logging and Reporting section, click Diagnostic logging.
2. On the Diagnostic Logging page, in the Trace Log section, do the following:
   - In the Number of log files box, type 336.
   - In the Number of minutes to use a log file box, type 30.
Tip: You can use any combination of number of log files and minutes per log file that adds up to 10,080 minutes (seven days) of events.
3. Ensure that the volume specified in the Path box has enough free space to store the extra log files, or change the path to another location.
Tip: We recommend that you store log files on a partition that is used only for log files, so that log growth cannot fill a system or database volume.
4. Click OK.
Trace log files are invaluable for troubleshooting issues related to configuration changes of either the Office SharePoint Server Search service or the Windows SharePoint Services Search service. Because problems related to configuration changes are not always discovered right away, we recommend that you save all trace log files that the system creates on any day on which you make a configuration change related to either search service. Copy them before the retention window expires, because the system deletes files once they are older than the configured number of log files allows, and store the copies for an extended period of time in a safe location that will not be overwritten. See step 3 in the procedure above to determine the location where the system stores trace log files for your system.
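The retention arithmetic and the "copy the logs before they roll off" advice above are easy to get wrong by hand. The following Python helper is an added example for this page, not a Microsoft tool: it works only from the trace log file names that Office SharePoint Server 2007 writes (SERVER-YYYYMMDD-HHMM.log) and the two Diagnostic Logging values, computes the retention window, selects the files written on the days you made a search configuration change, and copies them to an archive without ever overwriting an existing copy. The server name, dates and directories are constructed; treating a file as expired once its start time is older than the retention window is an approximation of the deletion behaviour.

```python
import os
import re
import shutil
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Trace log file names written by Office SharePoint Server 2007: SERVER-YYYYMMDD-HHMM.log
LOG_NAME = re.compile(r"^(?P<server>[^-]+)-(?P<day>\d{8})-(?P<time>\d{4})\.log$", re.IGNORECASE)


def retention_minutes(number_of_log_files: int, minutes_per_file: int) -> int:
    """Minutes of events kept before the oldest file is deleted (96 * 30 = 2,880 by default)."""
    return number_of_log_files * minutes_per_file


def files_needed_for_days(days: int, minutes_per_file: int) -> int:
    """Smallest 'Number of log files' value that keeps `days` days at `minutes_per_file`."""
    total = days * 24 * 60
    return -(-total // minutes_per_file)       # ceiling division


def log_start(name: str) -> Optional[datetime]:
    """Start time encoded in the file name, or None for files that are not trace logs."""
    m = LOG_NAME.match(name)
    if m is None:
        return None
    return datetime.strptime(m["day"] + m["time"], "%Y%m%d%H%M")


def files_for_days(names: Iterable[str], change_days: Iterable[str]) -> List[str]:
    """Trace log files written on any of the given days (ISO dates, e.g. '2009-03-11')."""
    wanted = {datetime.strptime(d, "%Y-%m-%d").date() for d in change_days}
    selected: List[str] = []
    for name in names:
        start = log_start(name)
        if start is not None and start.date() in wanted:
            selected.append(name)
    return sorted(selected)


def days_until_rollover(name: str, number_of_log_files: int, minutes_per_file: int, now: str) -> float:
    """Days left before retention deletes the file (negative means it is already overdue).
    `now` is an ISO timestamp 'YYYY-MM-DD HH:MM'. Approximation: a file is treated as
    deleted once its start time falls outside the retention window."""
    start = log_start(name)
    if start is None:
        raise ValueError(f"{name} is not a trace log file name")
    expires = start + timedelta(minutes=retention_minutes(number_of_log_files, minutes_per_file))
    return (expires - datetime.strptime(now, "%Y-%m-%d %H:%M")).total_seconds() / 86400


def archive(log_dir: str, archive_dir: str, change_days: Iterable[str]) -> List[str]:
    """Copy the selected files to the archive; never overwrite a copy that is already there."""
    os.makedirs(archive_dir, exist_ok=True)
    copied: List[str] = []
    for name in files_for_days(os.listdir(log_dir), change_days):
        dst = os.path.join(archive_dir, name)
        if not os.path.exists(dst):
            shutil.copy2(os.path.join(log_dir, name), dst)   # copy2 keeps the original timestamps
            copied.append(name)
    return copied


if __name__ == "__main__":
    # Constructed values for illustration; the paths are placeholders.
    print("default retention:", retention_minutes(96, 30), "minutes")
    print("files for 7 days at 30 min:", files_needed_for_days(7, 30))
    print(archive(r"C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\LOGS",
                  r"\\archive\moss-logs", ["2009-03-11"]))
```

Run the archive step from a scheduled task on the index server on every day a search setting is changed; the archive location should be one the farm accounts can write to but not delete from, so that a later configuration mistake or an attacker with the service account cannot remove the evidence.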

SSP-level configuration
The procedures in this section are performed at the Shared Services Provider (SSP) level. To perform these procedures, you must be an SSP administrator for Search.

Open the administration page for the SSP


Use the following procedure to open the administration page for the SSP that you want to configure.
Open the administration page for the SSP
1. In Central Administration, on the top link bar, click Application Management.
2. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
3. On the Manage this Farm's Shared Services page, click the SSP for which you want to open the administration page.

Specify the default content access account


Use the following procedure, along with the decision you recorded in the Default content access account section of the Plan to crawl content worksheet, to specify the content access account that the crawler will use, by default, when crawling content. This is the identity the crawler presents to every content source that does not have a crawl rule of its own, so use a dedicated domain account that has only read access to the content it must crawl, not a farm or SSP administrator account.
Specify the default content access account
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Crawl settings section, click Default content access account.
3. On the Default Content Access Account page, in the Account box, type the domain and user name for the account (in the form domain\username).
4. In the Password and Confirm Password boxes, type the password for the account.
5. Click OK.

Create content sources


Use the following procedure, along with the decisions you recorded in the Content sources section of the Plan to crawl content worksheet, to create your content sources.
Use the following procedure to create a content source of any of the following content source types:
   - SharePoint sites
   - Web sites
   - File shares
   - Microsoft Exchange public folders
Create content sources
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Content sources and crawl schedules.
3. On the Manage Content Sources page, click New Content Source.
4. On the Add Content Source page, in the Name section, in the Name box, type a name for the content source.
Note: Each content source name must be unique within the SSP in which it is created.
5. In the Content Source Type section, select the type of content you want to crawl by using this content source.
6. In the Start Addresses section, in the Type start addresses below (one per line) box, type the URLs from which the search system should start crawling.
Note: For performance reasons, you cannot add the same start address to multiple content sources.
7. In the Crawl Settings section, select the crawl behavior for the type of content you selected.
8. In the Crawl Schedules section, you can specify when to start full and incremental crawls. You can create a full crawl schedule by clicking the Create schedule link below the Full Crawl list, and an incremental crawl schedule by clicking the Create schedule link below the Incremental Crawl list.
9. Click OK.
10. Repeat steps 3 through 9 for any additional content sources you want to create.
Use the following procedure to create a content source of the business data content source type.
Create content source for business data
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Content sources and crawl schedules.
3. On the Manage Content Sources page, click New Content Source.
4. On the Add Content Source page, in the Name section, in the Name box, type a name for the content source.
Note: Each content source name must be unique within the SSP in which it is created.
5. In the Content Source Type section, select Business Data.
6. In the Applications section, select Crawl entire Business Data Catalog to crawl all applications registered in the Business Data Catalog, or select Crawl selected applications and then select the specific applications you want to crawl.
7. In the Crawl Schedules section, you can specify when to start full and incremental crawls. You can create a full crawl schedule by clicking the Create schedule link below the Full Crawl list, and an incremental crawl schedule by clicking the Create schedule link below the Incremental Crawl list.
8. Click OK.
9. Repeat steps 3 through 8 for any additional content sources you want to create.

Create crawl rules


Use the following procedure, along with the decisions you recorded in the Crawl rules section of the Plan to crawl content worksheet, to create crawl rules.
Create crawl rules
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Crawl rules.
3. On the Manage Crawl Rules page, click New Crawl Rule.
4. On the Add Crawl Rule page, in the Path section, in the Path box, type the path affected by this rule. You can use standard wildcard characters in the path. For example:
   - http://server1/folder* matches all Web resources with a URL that starts with http://server1/folder.
   - *://*.txt matches every document with the txt file name extension.
5. In the Crawl Configuration section, select one of the following:
   - Exclude all items in this path. Select this option if you want all items in the specified path to be excluded from the crawl.
   - Include all items in this path. Select this option if you want all items in the path to be crawled.
6. If you chose to exclude all items in this path, skip to step 8. Otherwise, you can further refine the inclusion by selecting any combination of the following:
   - Follow links on the URL without crawling the URL itself. Select this option if you want to crawl links contained within the URL, but not the URL itself.
   - Crawl complex URLs (URLs that contain a question mark (?)). Select this option if you want to crawl URLs that contain parameters that use the question mark (?) notation.
   - Crawl SharePoint content as HTTP pages. Normally, SharePoint content is crawled by using a special protocol. Select this option if you want SharePoint content to be crawled as HTTP pages instead. When the content is crawled by using the HTTP protocol, item permissions are not stored, so results from that content cannot be trimmed according to each item's permissions; use this option only for content that everyone who can query the index is allowed to see.
7. In the Specify Authentication section, do one of the following:
   - To use the default content access account when crawling URLs affected by this crawl rule, select Use the default content access account.
   - If you want to use a different content access account, select Specify a different content access account, and then do the following: In the Account box, type the account name that can access the paths defined by this crawl rule. Examples are user_name and DOMAIN\user_name. In the Password and Confirm Password boxes, type the password for this account. If you want to prevent Basic authentication from being used, select the Do not allow Basic Authentication check box. Basic authentication sends the account's password in a trivially decoded encoding, so leave it disallowed unless the path is crawled only over SSL.
   - To use a client certificate for authentication, select Specify client certificate, and then click a certificate on the Certificate menu.
8. Click OK.
9. Repeat steps 3 through 8 for each new crawl rule you want to create.

Reorder your crawl rules


After you create all your crawl rules, we recommend that you specify the order in which you want the rules to be applied while content is being crawled. Crawl rules are applied in the order in which they are listed. Therefore, if two rules cover the same or overlapping content, the first rule that is listed is applied and the later rules are ignored for that content. Put narrow exclusions ahead of broad inclusions: a broad include rule listed first silently overrides an exclusion listed below it. Use the following procedure to specify the order of your crawl rules.
Reorder crawl rules
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Crawl rules.
3. On the Manage Crawl Rules page, in the Order column in the list of crawl rules, select a value in the drop-down list that specifies the position you want the rule to occupy. Other values are shifted accordingly.
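Because the first listed rule wins, the safest way to check a rule set is to evaluate it against the URLs you care about before the crawl runs. The following Python evaluator is an added example for the Create crawl rules and Reorder your crawl rules procedures above; it is not Microsoft code and does not use the SharePoint object model. It translates the wildcard paths (`http://server1/folder*`, `*://*.txt`) into regular expressions, applies an ordered rule list with first-match semantics, carries the per-rule content access account and the Basic-authentication setting into the decision, and shows how moving a rule changes the outcome. The rules, URLs and account names are constructed, and the behaviour for a URL that matches no rule (crawl it with the default account, without complex URLs) is an assumption of the model.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CrawlRule:
    path: str                           # wildcard path, e.g. "http://server1/folder*" or "*://*.txt"
    include: bool = True                # False = "Exclude all items in this path"
    follow_links_only: bool = False     # follow links on the URL without crawling the URL itself
    crawl_complex_urls: bool = False    # URLs that contain "?"
    crawl_as_http: bool = False         # SharePoint content as HTTP pages (item permissions not stored)
    account: Optional[str] = None       # None = default content access account
    allow_basic_auth: bool = True       # "Do not allow Basic Authentication" clears this
    _regex: "re.Pattern[str]" = field(init=False, repr=False, compare=False)

    def __post_init__(self) -> None:
        # "*" stands for any run of characters; everything else in the path is literal.
        pieces = map(re.escape, self.path.split("*"))
        self._regex = re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)

    def matches(self, url: str) -> bool:
        return self._regex.match(url) is not None


@dataclass(frozen=True)
class Decision:
    crawl: bool                 # fetch and index the URL itself
    follow: bool                # follow links found on it
    rule: Optional[str]         # path of the rule that decided, None if no rule matched
    account: str                # content access account that will be used
    basic_auth_allowed: bool
    reason: str


def evaluate(rules: List[CrawlRule], url: str, default_account: str = "CONTOSO\\svc-crawl") -> Decision:
    """Apply the ordered rule list to one URL; the first matching rule wins."""
    for r in rules:
        if not r.matches(url):
            continue
        acct = r.account or default_account
        if not r.include:
            return Decision(False, False, r.path, acct, r.allow_basic_auth, "excluded by rule")
        if "?" in url and not r.crawl_complex_urls:
            return Decision(False, False, r.path, acct, r.allow_basic_auth, "complex URL not enabled by rule")
        if r.follow_links_only:
            return Decision(False, True, r.path, acct, r.allow_basic_auth, "follow links only")
        return Decision(True, True, r.path, acct, r.allow_basic_auth, "included by rule")
    # No rule matched. Assumption of this model: the URL is crawled with the default
    # account, and complex URLs are not crawled unless a rule enables them.
    if "?" in url:
        return Decision(False, False, None, default_account, True, "complex URL, no rule")
    return Decision(True, True, None, default_account, True, "no rule matched; default")


def reorder(rules: List[CrawlRule], path: str, position: int) -> List[CrawlRule]:
    """Move the rule with the given path to the 1-based position; other rules shift accordingly."""
    rule = next(r for r in rules if r.path == path)
    rest = [r for r in rules if r is not rule]
    rest.insert(position - 1, rule)
    return rest


if __name__ == "__main__":
    # Constructed rule set: an HR folder crawled with its own account, text files excluded,
    # everything else on server1 excluded. Listed in the order they were created.
    rules = [
        CrawlRule("http://server1/hr/*", crawl_complex_urls=True, account="CONTOSO\\svc-crawl-hr",
                  allow_basic_auth=False),
        CrawlRule("*://*.txt", include=False),
        CrawlRule("http://server1/*", include=False),
    ]
    for url in ["http://server1/hr/notes.txt", "http://server1/hr/list.aspx?id=7", "http://server1/it/readme.txt"]:
        print(url, "->", evaluate(rules, url))
    print("after moving *.txt to the top:", evaluate(reorder(rules, "*://*.txt", 1), "http://server1/hr/notes.txt"))
```

In the constructed set the HR include rule sits above the `*://*.txt` exclusion, so `http://server1/hr/notes.txt` is crawled; moving the exclusion to position 1 flips that decision, which is exactly the ordering effect the procedure above warns about.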

Configure the file type inclusions list


Use the following procedure, along with the decisions that you recorded in the File-type inclusions section of the Plan to crawl content worksheet, to add file types to the file type inclusions list. Adding a file name extension here only causes the crawler to fetch files of that type; an IFilter for the type must also be installed on the index server before the contents of those files can be indexed.
Add file types
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click File types.
3. On the Manage File Types page, click New File Type.
4. On the Add File Type page, in the File extension box, type the file name extension for the file type that you want to add (for example, type doc).
Note: Do not precede the file type with the period "." character.
5. Click OK.
6. Repeat steps 3 through 5 for any other file types you want to add.
You can also delete file types from this list for the file types you do not want the crawler to include in the content index. Use the following procedure, along with the decisions you recorded in the File-type inclusions section of the Plan to crawl content worksheet, to delete file types from the file type inclusions list.
Delete file types
1. On the Manage File Types page, position the cursor over the file name extension that you want to delete, and then click Delete on the menu that appears.
2. In the message box, click OK to confirm that you want to delete the file type.

Crawl the content


Before the content can be indexed, you must first crawl the content. You can either crawl the content defined in a particular content source individually, or crawl all the content specified by all content sources at one time.

Crawl content defined in a particular content source


Use the following procedure to crawl content defined in a particular content source.
Crawl content defined in a particular content source
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Content sources and crawl schedules.
3. On the Manage Content Sources page, position the cursor over the content source you want to crawl, and then click Start full crawl on the menu that appears.

Crawl content specified by all content sources


Use the following procedure to crawl content specified by all content sources.
Crawl content specified by all content sources
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Content sources and crawl schedules.
3. On the Manage Content Sources page, in the Quick Launch, click Start all crawls.

Create managed properties


Use the following procedure, along with the decisions you recorded in the Plan managed properties section of the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create managed properties.
Create managed properties
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Metadata property mappings.
3. On the Metadata Property Mappings page, click New Managed Property.
4. On the New Managed Property page, in the Name and type section, in the Property name box, type the name of the managed property you want to create.
5. In the Description box, type a description for this managed property.
6. Under The type of information in this property, select a property type.
7. In the Mappings to crawled properties section, select one of the following:
   - Include values from all crawled properties mapped. Select this option if you want values from all crawled properties to be mapped. A query for a property in a document in which all crawled properties are mapped returns a result if any of the crawled properties that are mapped match the query.
   - Include values from a single crawled property based on the order specified. Select this option if you want only a single value mapped. When multiple crawled properties are mapped to a managed property, the one that is chosen will be the first in the list that has a value for a given document. You can reorder the list by using the Move up and Move down buttons.
8. If you selected Include values from all crawled properties mapped, skip to step 12.
9. Click Add Mapping to add a mapping to the list.
10. The Crawled property selection dialog box appears. Configure the settings as follows:
   a. On the Select a category menu, click either All categories or a specific type of document category (for example, Office or SharePoint).
   b. In Select a crawled property, select a crawled property to map to the managed property that you are adding. Because the list of crawled properties is likely to be long, you can type the name (or the first part of the name) of the property that you are looking for in the Crawled property name box and then click Find.
   c. Click OK.
11. Repeat steps 9 through 10 for each additional crawled property that you want to map to this managed property.
12. On the New Managed Property page, in the Use in scopes section, select the Allow this property to be used in scopes check box if you want this managed property to be available for defining scopes.
13. Click OK.
Note: Changes to the property mappings take effect on a document-by-document basis as soon as a document is crawled, regardless of the type of the crawl. A full crawl ensures that the changes are consistently applied to the entire index.

Create shared scopes


Use the following procedure, along with the decisions you recorded in the Plan scopes section of the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create shared scopes.
Create shared scopes
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Scopes section, click View scopes.
3. On the View Scopes page, click New Scope.
4. On the Create Scope page, in the Title and Description section, in the Title box, type a title for the scope.
5. In the Description box, type a description for the scope that informs administrators what the purpose of the scope is.
Note: These descriptions are not visible to users.
6. Your credentials are automatically entered in the read-only Last modified by box.
Note: Last modified by settings are not visible to users.
7. In the Target Results Page section, select one of the following:
   - Use the default Search Results Page. Select this option if you want search results from this scope to be presented by using the standard Search Results page.
   - Specify a different page for searching this scope. Select this option if you want search results from this scope to be presented on a custom page. If you select this option, type the URL for the custom Search Results page in the Target results page box.
8. Click OK.

Create scope rules


Use the following procedure, along with the decisions you recorded in the Plan scopes section of the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create scope rules.


The following table describes the four scope rule types that you can choose from when creating a scope rule. For simplicity, a separate procedure is provided for each scope rule type. Note that scopes narrow what a query returns; they are not an access control. An item left out of a scope remains in the index, can still be returned through another scope, and is shown to a user only according to the item's own permissions.

Scope rule type: Web address
Purpose: Select this option if you want the scope to include or exclude content from any resource in the search index that can be identified either by a URL (such as Web sites, file shares, and Exchange public folders) or by a host name, domain name, or subdomain name. A Web address rule takes one of three forms:
   - Folder. Includes or excludes items in the folder and subfolders of the indicated URL (for example, http://site/subsite/folder).
   - Hostname. Includes or excludes all items on the specified host name (according to the behavior rules).
   - Domain or subdomain. Includes or excludes all items in the specified domain or subdomain (for example, widgets.contoso.com).

Scope rule type: Property query
Purpose: Select this option if you want the scope to include or exclude content that has a managed property with a particular value. For example, Author="John Doe".

Scope rule type: Content source
Purpose: Select this option if you want the scope to include or exclude content that was crawled by using a particular content source.

Scope rule type: All content
Purpose: Select this option if the rule should not restrict the scope (the scope will include or exclude all content in the search index).

Use the following procedure to open the Add Scope Rule page.
Open the Add Scope Rule page
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Scopes section, click View scopes.
3. On the View Scopes page, position the cursor over the scope that you want to edit, click the arrow that appears, and then click Edit Properties and Rules on the menu that appears.
4. On the Scope Properties and Rules page, in the Rules section, click New rule.

Use the following procedure to create scope rules by using the Web address scope rule type.
Create scope rules by using the Web address scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Web Address.
2. In the Web Address section, select one of the following options and provide the address you want to associate with this rule:
   - Folder. Select this option if you want to include or exclude items in the folder and subfolders of the indicated URL (for example, http://site/subsite/folder).
   - Hostname. Select this option if you want to specify a host name. All items in the host name will be included or excluded from the scope (according to the behavior rules).
   - Domain or subdomain. Select this option if you want to specify a domain or subdomain (for example, widgets.contoso.com). All items in the domain or subdomain will be included in or excluded from the scope.
3. In the Behavior section, select one of the following options:
   - Include. Select this option if you want items that match this rule to be included in the scope unless another rule excludes them. An item needs to match only one of the scope's Include rules, so the Include option is analogous to the logical operator OR.
   - Require. Select this option if you want every item in the scope to match this rule, regardless of the other rules. The Require option is analogous to the logical operator AND.
   - Exclude. Select this option if you want items that match this rule to be excluded from the scope even when they match an Include or Require rule. The Exclude option is analogous to the logical operator AND NOT.
4. Click OK.
Use the following procedure to create scope rules by using the Property query scope rule type.
Create scope rules by using the Property query scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Property Query.
2. In the Property Query section, on the Add property restrictions menu, select the managed property that you want to use to limit the scope.
3. In the = box, type the value that the managed property must match.
4. In the Behavior section, select one of the following options:
   - Include. Select this option if you want items that match this rule to be included in the scope unless another rule excludes them. An item needs to match only one of the scope's Include rules, so the Include option is analogous to the logical operator OR.
   - Require. Select this option if you want every item in the scope to match this rule, regardless of the other rules. The Require option is analogous to the logical operator AND.
   - Exclude. Select this option if you want items that match this rule to be excluded from the scope even when they match an Include or Require rule. The Exclude option is analogous to the logical operator AND NOT.
5. Click OK.


Use the following procedure to create scope rules by using the Content source scope rule type.
Create scope rules by using the Content source scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Content source.
2. In the Content Source section, in the corresponding menu, select the content source from the list that you want to associate with this rule.
3. In the Behavior section, select one of the following options:
   - Include. Select this option if you want items that match this rule to be included in the scope unless another rule excludes them. An item needs to match only one of the scope's Include rules, so the Include option is analogous to the logical operator OR.
   - Require. Select this option if you want every item in the scope to match this rule, regardless of the other rules. The Require option is analogous to the logical operator AND.
   - Exclude. Select this option if you want items that match this rule to be excluded from the scope even when they match an Include or Require rule. The Exclude option is analogous to the logical operator AND NOT.
4. Click OK.
Use the following procedure to create scope rules by using the All content scope rule type.
Create scope rules by using the All content scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select All Content.
2. Click OK.
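The interplay of Include (OR), Require (AND) and Exclude (AND NOT) across several rules is where scope definitions usually go wrong. The following Python evaluator is an added example for the scope rule procedures above (both the SSP-level ones here and the site collection-level ones later in this section); it is not Microsoft code and does not use the SharePoint object model. It implements the four rule types over a constructed set of indexed items and computes scope membership, so a planned rule set can be checked before it is typed into the Add Scope Rule page. The items, property values and content source names are constructed; treating a scope with Require rules but no Include rules as "everything that satisfies every Require rule" is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import urlsplit

Matcher = Callable[["Item"], bool]


@dataclass(frozen=True)
class Item:
    url: str
    content_source: str
    props: Dict[str, str] = field(default_factory=dict)   # managed property values


@dataclass(frozen=True)
class ScopeRule:
    behavior: str          # "include" (OR), "require" (AND) or "exclude" (AND NOT)
    match: Matcher
    label: str = ""

    def __post_init__(self) -> None:
        if self.behavior not in ("include", "require", "exclude"):
            raise ValueError(f"unknown behavior {self.behavior!r}")


# --- Web address rule, in its three forms ---------------------------------
def folder(url_prefix: str) -> Matcher:
    """Folder: the indicated URL and everything beneath it."""
    p = url_prefix.rstrip("/").lower()
    return lambda it: it.url.lower() == p or it.url.lower().startswith(p + "/")


def hostname(host: str) -> Matcher:
    """Hostname: all items on exactly this host."""
    h = host.lower()
    return lambda it: (urlsplit(it.url).hostname or "") == h


def domain(dom: str) -> Matcher:
    """Domain or subdomain: the named domain and every host under it."""
    d = dom.lower()

    def match(it: Item) -> bool:
        host = urlsplit(it.url).hostname or ""
        return host == d or host.endswith("." + d)
    return match


# --- Property query, Content source and All content rules -----------------
def property_query(name: str, value: str) -> Matcher:
    """Managed property = value, for example Author="John Doe" (case-insensitive)."""
    return lambda it: it.props.get(name, "").lower() == value.lower()


def content_source(name: str) -> Matcher:
    return lambda it: it.content_source == name


def all_content() -> Matcher:
    return lambda it: True


def in_scope(rules: List[ScopeRule], item: Item) -> bool:
    """Include rules are OR-ed (at least one must match, if any exist), Require rules
    are AND-ed (all must match) and Exclude rules are AND NOT (none may match)."""
    include = [r for r in rules if r.behavior == "include"]
    require = [r for r in rules if r.behavior == "require"]
    exclude = [r for r in rules if r.behavior == "exclude"]
    if include and not any(r.match(item) for r in include):
        return False
    if not all(r.match(item) for r in require):
        return False
    return not any(r.match(item) for r in exclude)


def scope_members(rules: List[ScopeRule], items: List[Item]) -> List[str]:
    return [it.url for it in items if in_scope(rules, it)]


if __name__ == "__main__":
    # Constructed index contents for illustration.
    items = [
        Item("http://portal.contoso.com/hr/policies/leave.docx", "SharePoint sites", {"Author": "John Doe"}),
        Item("http://portal.contoso.com/hr/policies/archive/old.docx", "SharePoint sites", {"Author": "John Doe"}),
        Item("http://widgets.contoso.com/specs/w1.pdf", "Web sites", {"Author": "John Doe"}),
        Item("file://fs01/public/notes.txt", "File shares", {}),
    ]
    # "HR policies or widget specs, by John Doe, but never the archive folder"
    rules = [
        ScopeRule("include", folder("http://portal.contoso.com/hr/policies"), "HR policies"),
        ScopeRule("include", hostname("widgets.contoso.com"), "widget site"),
        ScopeRule("require", property_query("Author", "John Doe"), "author"),
        ScopeRule("exclude", folder("http://portal.contoso.com/hr/policies/archive"), "archive"),
    ]
    for url in scope_members(rules, items):
        print(url)
```

The constructed rule set reads as (HR policies OR widget site) AND Author="John Doe" AND NOT archive, which is the combination the Behavior descriptions above define; swapping the Include and Require behaviors on the first three rules would leave the scope empty, since no single item can be both under the HR folder and on the widgets host.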

Specify authoritative pages


Use the following procedure, along with the decisions you recorded in the Authoritative pages section of the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to specify authoritative pages.
Specify authoritative pages
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Authoritative Pages section, click Specify authoritative pages.
3. On the Specify Authoritative Pages page, in the Authoritative Web Pages section, in the Most authoritative pages box, list the URLs that are central or authoritative.
Note: Separate the URLs by hard returns so that you list one full URL per line.
4. In the Second-level authoritative pages box, list the URLs that are secondary.
5. In the Third-level authoritative pages box, list the URLs that are tertiary.
6. In the Non-authoritative Sites section, in the Sites to demote box, list the URLs that you want to mark as unimportant when search results are returned (for example, URLs of sites that contain outdated information but are kept for record-keeping).
Note: Any URL or item whose prefix matches the provided URLs in the Sites to demote box is demoted.
7. If you want the ranking calculations to begin after you click OK, in the Refresh Now section, select the Refresh now check box. If the check box is cleared, ranking calculations occur according to a predetermined schedule.
8. Click OK.

Create server name mappings


Use the following procedure, along with the decisions you recorded in the Server name mappings section of the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to specify server name mappings.
Specify server name mappings
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Server name mappings.
3. On the Server Name Mappings page, click New Mapping.
4. On the Add Server Name Mapping page, in the Address in index box, type the address for the crawled content.
5. In the Address in search results box, type the address that you want users to see on the Search Results page when they receive query results for the address you typed in the Address in index box.
6. Click OK.

Manage search-based alerts


Search-based alerts are active by default. However, you can deactivate them. Refer to the decision you recorded in the Search-based alerts section of the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), and do the following steps if you want to deactivate search-based alerts.
Deactivate search-based alerts
1. On the Shared Services Administration page, in the Search section, click Search settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Search-based alerts.
3. On the Configure Search-based Alerts page, click Deactivate.

Site collection-level configuration


The procedures in this section are performed at the site collection level. To perform these procedures, you must be a site collection administrator for the site collection on which you want to perform them.

Create scopes at the site collection level


Site collection administrators can choose to use scopes that were created at the SSP level, copy scopes that were created at the SSP level and modify them, or create new site collection-level scopes.
Use the following procedure, along with the decisions you recorded in the Site-collection level scopes section of the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to copy shared scopes at the site collection level.
Copy shared scopes
1. On the top-level site of the site collection on which you want to create a scope, click Site actions, point to Site Settings, and then click Modify All Site Settings.
2. On the Site Settings page, in the Site Collection Administration section, click Search scopes.
3. On the View Scopes page, position the cursor over the name of the shared scope you want to copy, and then click Make Copy on the menu that appears.
Note: The copy of the shared scope appears in the Unused Scopes section of the View Scopes page.
Use the following procedure, along with the decisions you recorded in the Site-collection level scopes section of the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create scopes at the site collection level.
Create scopes at the site collection level
1. On the top-level site of the site collection on which you want to create a scope, click Site actions, point to Site Settings, and then click Modify All Site Settings.
2. On the Site Settings page, in the Site Collection Administration section, click Search scopes.
3. On the View Scopes page, click New Scope.
4. On the Create Scope page, in the Title and Description section, type a brief title for the scope that will best explain it to your users. You can also type a fuller description for reference by site administrators.
5. Ignore the Display Groups section for now. Display groups are assigned to scopes later in this section.
6. In the Target Results Page section, select one of the following:
   - Use the default Search Results Page. Select this option if you want search results from this scope to be presented by using the standard Search Results page.
   - Specify a different page for searching this scope. Select this option if you want search results from this scope to be presented on a custom page. If you select this option, type the URL for the custom Search Results page in the Target results page box.
7. Click OK.

Create scope rules at the site collection level


Use the following procedure, along with the decisions you recorded in the Site-collection level scopes section of the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create scope rules. The following table describes the scope rule types that you can choose from when creating a site collection level scope rule. For simplicity, a separate procedure is provided for each scope rule type.
Scope rule type: Web address
Purpose: Select this option if you want the scope to include or exclude content from any resource in the search index that can be identified either by a URL (such as Web sites, file shares, and Exchange public folders) or by a host name, domain name, or subdomain name.
   Folder. Select this option if you want to include or exclude items in the folder and subfolders of the indicated URL (for example, http://site/subsite/folder).
   Hostname. Select this option if you want to specify a host name. All items in the host name will be included or excluded from the scope (according to the behavior rules).
   Domain or subdomain. Select this option if you want to specify a domain or subdomain (for example, widgets.contoso.com). All items in the domain or subdomain will be included in or excluded from the scope.

Scope rule type: Property query
Purpose: Select this option if you want the scope to include or exclude content that has a managed property with a particular value. For example, Author="John Doe".

Scope rule type: All content
Purpose: Select this option if the rule should not restrict the scope (the scope will include or exclude all content in the search index).

Use the following procedure to open the Add Scope Rule page.

Open the Add Scope Rule page
1. On the top-level site of the site collection on which you want to create a scope rule, click Site actions, point to Site Settings, and then click Modify All Site Settings.
2. On the Site Settings page, in the Site Collection Administration section, click Search scopes.
3. On the View Scopes page, position the cursor over the scope that you want to edit, click the arrow that appears, and then click Edit Properties and Rules on the menu that appears.
Note: You cannot add scope rules to shared scopes at the site collection level.
4. On the Scope Properties and Rules page, in the Rules section, click New rule.

Use the following procedure to create scope rules by using the Web address scope rule type.

Create scope rules by using the Web address scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Web Address.
2. In the Web Address section, select one of the following options and provide the address you want to associate with this rule:
   Folder. Select this option if you want to include or exclude items in the folder and subfolders of the indicated URL (for example, http://site/subsite/folder).
   Hostname. Select this option if you want to specify a host name. All items in the host name will be included or excluded from the scope (according to the behavior rules).
   Domain or subdomain. Select this option if you want to specify a domain or subdomain (for example, widgets.contoso.com). All items in the domain or subdomain will be included in or excluded from the scope.
3. In the Behavior section, select one of the following options:
   Include. Select this option if you want the rule to be applied (if another rule precludes its inclusion, it won't be included). The Include option is analogous to the logical operator AND.
   Require. Select this option if you want the rule to be applied regardless of other rules. The Require option is analogous to the logical operator OR.
   Exclude. Select this option if you want items that match this rule to be excluded from the scope. The Exclude option is analogous to the logical operator AND NOT.
4. Click OK.

Use the following procedure to create scope rules by using the Property Query scope rule type.

Create scope rules by using the Property Query scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Property Query.
2. In the Property Query section, select the managed property that you want to use to limit the scope from the Add property restrictions list.
3. In the = box, type the string (value) that the managed property needs to match.
4. In the Behavior section, select one of the following options:
   Include. Select this option if you want the rule to be applied (if another rule precludes its inclusion, it won't be included). The Include option is analogous to the logical operator AND.
   Require. Select this option if you want the rule to be applied regardless of other rules. The Require option is analogous to the logical operator OR.
   Exclude. Select this option if you want items that match this rule to be excluded from the scope. The Exclude option is analogous to the logical operator AND NOT.
5. Click OK.

Use the following procedure to create scope rules by using the All content scope rule type.

Create scope rules by using the All content scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select All Content.
2. Click OK.
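As an added illustration (not code from this book or from Office SharePoint Server), the following Python models how the Web address rule types above (Folder, Hostname, Domain or subdomain) and a Property query rule decide whether an indexed item matches, with the boundary checks that keep a Folder rule for .../folder from also capturing .../folder2 and a domain rule for widgets.contoso.com from capturing notwidgets.contoso.com. The rule classes, the sample rule set and the sample URLs are constructed; the code reports which Include, Require and Exclude rules an item trips and does not model how the three behaviors combine.

```python
from dataclasses import dataclass
from typing import Dict, List, Union
from urllib.parse import urlsplit

# Constructed model of site collection scope rules: Web address rules of kind
# Folder, Hostname, or Domain or subdomain, and Property query rules, each with
# an Include, Require or Exclude behavior. Hypothetical helper code, not part
# of Office SharePoint Server.


@dataclass(frozen=True)
class WebAddressRule:
    kind: str      # "folder", "hostname" or "domain"
    value: str     # the URL, host name or domain name typed into the rule
    behavior: str  # "include", "require" or "exclude"


@dataclass(frozen=True)
class PropertyQueryRule:
    name: str      # managed property, for example "Author"
    value: str     # value the property must equal, for example "John Doe"
    behavior: str


Rule = Union[WebAddressRule, PropertyQueryRule]


def _split(url: str):
    """Lower-cased scheme, host name (port dropped) and path of a URL."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.path


def _folder_match(rule_url: str, item_url: str) -> bool:
    """The folder itself or anything beneath it, compared at path-segment
    boundaries so that .../folder does not also capture .../folder2."""
    r_scheme, r_host, r_path = _split(rule_url)
    i_scheme, i_host, i_path = _split(item_url)
    if (r_scheme, r_host) != (i_scheme, i_host):
        return False
    return (i_path.rstrip("/") + "/").startswith(r_path.rstrip("/") + "/")


def _domain_match(domain: str, host: str) -> bool:
    """The domain itself or any subdomain, matched on label boundaries so that
    widgets.contoso.com does not also capture notwidgets.contoso.com."""
    d = domain.lower().strip(".")
    return host == d or host.endswith("." + d)


def rule_matches(rule: Rule, item_url: str, properties: Dict[str, str]) -> bool:
    """Does one scope rule match an indexed item (its URL plus managed properties)?"""
    if isinstance(rule, PropertyQueryRule):
        # Property query: the managed property must carry exactly the given value.
        return properties.get(rule.name) == rule.value
    _, host, _ = _split(item_url)
    if rule.kind == "folder":
        return _folder_match(rule.value, item_url)
    if rule.kind == "hostname":
        return host == rule.value.lower()
    if rule.kind == "domain":
        return _domain_match(rule.value, host)
    raise ValueError(f"unknown Web address rule kind: {rule.kind}")


def matching_rules(rules: List[Rule], item_url: str,
                   properties: Dict[str, str]) -> Dict[str, List[Rule]]:
    """Group the rules that match an item by behavior, so an administrator can
    see which Include, Require and Exclude rules a given URL would trip before
    the scope is exposed to users."""
    hits: Dict[str, List[Rule]] = {"include": [], "require": [], "exclude": []}
    for rule in rules:
        if rule_matches(rule, item_url, properties):
            hits[rule.behavior].append(rule)
    return hits


# Constructed sample rule set for a fictitious scope.
SAMPLE_RULES: List[Rule] = [
    WebAddressRule("folder", "http://site/subsite/folder", "include"),
    WebAddressRule("domain", "widgets.contoso.com", "include"),
    WebAddressRule("hostname", "archive.widgets.contoso.com", "exclude"),
    PropertyQueryRule("Author", "John Doe", "require"),
]


def sample_evaluation() -> Dict[str, List[str]]:
    """Run the constructed rule set over constructed item URLs and report the
    behaviors (include / require / exclude) that each item trips."""
    items = {
        "http://site/subsite/folder/spec.docx": {"Author": "John Doe"},
        "http://site/subsite/folder2/spec.docx": {"Author": "Jane Roe"},
        "http://archive.widgets.contoso.com/old.aspx": {"Author": "John Doe"},
        "http://notwidgets.contoso.com/x.aspx": {},
    }
    report = {}
    for url, props in items.items():
        hits = matching_rules(SAMPLE_RULES, url, props)
        report[url] = [b for b in ("include", "require", "exclude") if hits[b]]
    return report


if __name__ == "__main__":
    for url, behaviors in sample_evaluation().items():
        print(f"{url}: {behaviors or ['no rule matched']}")
```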

Manage display groups


To support a customized search experience, you can set up new display groups with which to associate your scopes, and you can assign scopes to the default display groups. Site administrators can also control the order in which scopes appear within a particular display group. After you create a display group, designers can modify the Search Box Web Part to display it.

Create a new display group


Use the following procedure, along with the decisions you recorded in the Display groups section of the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create display groups at the site collection level and to assign the scopes you want to them.

Create display groups
1. On the top-level site of the site collection on which you want to create a display group, click Site actions, point to Site Settings, and then click Modify All Site Settings.
2. On the Site Settings page, in the Site Collection Administration section, click Search scopes.
3. On the View Scopes page, click New Display Group.
4. On the Create Scope Display Group page, type a title and description that easily identifies the purpose of the group.
5. In the Scopes section, select the check box next to each scope that you want to include in this display group. You can manage the ordering of the scopes in the group by using the Position from Top lists.
6. In the Default Scope section, in the Default Scope list, select the scope that you want to be applied if users do not make a choice on their own.
7. Click OK.

Assign scopes to default display groups


Use the following procedure, along with the decisions you recorded in the Display groups section of the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to assign scopes to the default Search Drop-down and Advanced Search display groups.

Assign scopes to default display groups
1. On the top-level site of the site collection on which you want to assign scopes, click Site actions, point to Site Settings, and then click Modify All Site Settings.
2. On the Site Settings page, in the Site Collection Administration section, click Search scopes.
3. On the View Scopes page, in the Title column, click Search Dropdown.
4. On the Edit Scope Display Group page, in the Scopes section, select the check boxes for the scopes you want to be included in this display group, and clear the check boxes for the scopes you want to remove from this display group.
5. Optionally use the Position from Top lists to specify the order in which the scopes will appear to the user for this display group.
6. Click OK.
7. On the View Scopes page, in the Title column, click Advanced Search.
8. On the Edit Scope Display Group page, in the Scopes section, select the check boxes for the scopes you want to be included in this display group, and clear the check boxes for the scopes you want to remove from this display group.
9. Optionally use the Position from Top lists to specify the order in which the scopes will appear to the user for this display group.
10. Click OK.

Modify the Search Box Web Part for a new display group
Use the following procedure to modify the Search Box Web Part for a new display group.
Modify the Search Box Web Part for a new display group
1. Go to the Search Center page on the site collection on which you want to modify the Search Box Web Part.
2. Click Site actions, and then click Edit Page.
3. In the search box, click Edit, and then click Modify Shared Web Part.
4. In the Search Box tool pane, click the plus sign (+) next to Miscellaneous.
5. In the Scope Display Group text box, type the name of the display group that you want to use, and then click Apply.
6. Click OK to close the tool pane.
7. On the Search Center page, click either Publish or Check In to Share Draft, depending on your site permissions and workflow.

Create keywords and Best Bets


Search keywords and Best Bets enable you to provide two important features to help your users get the search results they need:
   Search keywords enable you to create a glossary of important terms within your organization. When a user types the keyword in a search query, the definition that has been created for that keyword is displayed at the top of the Search Results page.
   Best Bets enable you to prominently present editorially selected search results. Best Bets are URLs to pages, documents, or external Web sites that you associate with particular search keywords. When a user types a keyword in a search query that has one or more Best Bets, the Search Results page prominently displays the Best Bet URLs, including the title and description of each one.

Best Bets are most helpful in situations in which a site administrator wants to promote specific pages. Because the Best Bet URLs are displayed prominently on the Search Results page, end users may be more inclined to view them.

Use the following procedure, along with the decisions you recorded in the Keywords and Best Bets section of the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create keywords and Best Bets.

Create keywords and Best Bets
1. On the top-level site of the site collection on which you want to create keywords and Best Bets, click Site actions, point to Site Settings, and then click Modify All Site Settings.
2. On the Site Settings page, in the Site Collection Administration section, click Search keywords.
3. On the Manage Keywords page, click Add Keyword.
4. On the Add Keyword page, in the Keyword Information section, in the Keyword Phrase box, type the keyword phrase you want to create.
5. In the Synonyms box, type the synonyms you want to associate with this keyword phrase. You can type more than one synonym by separating them with semicolons.
6. If you want to associate a Best Bet with this keyword, in the Best Bets section, click Add Best Bet. Otherwise, skip to step 13.
7. If this is the first Best Bet you will create on this site collection, skip to step 9. Otherwise, in the Add Best Bet dialog box, do one of the following:
   To create a new Best Bet, select Add new best bet and then skip to step 9.
   To select an existing Best Bet, select Select existing best bet, click the Best Bet you want from the Select best bets from the list below box, and then click OK. Skip to step 13.
8. In the URL box, type the URL you want to associate with this Best Bet.
9. In the Title box, type the title you want to associate with this Best Bet. This title appears in the Select best bets from the list below box, when selecting an existing Best Bet.
10. In the Description box, type a description for this Best Bet. This description appears with the Best Bet on the Search Results page.
11. Click OK.
12. If you want to create a definition for this keyword, in the Keyword Definition section, type the definition that you want to appear next to Best Bets for this keyword on the Search Results page (optional).
13. In the Contact section, type the user name of the person to inform when the keyword is past its review date (optional).
14. In the Publishing section, you can optionally choose end and review dates for this keyword.
15. Click OK.
16. Repeat steps 4 through 16 to create additional keywords and best bets.

A. Configure personalization

Chapter overview: Configure personalization


In this section:
   Configure personalization permissions
   Configure connections to personalization services
   Configure targeted content
   Configure personalization sites
   Configure policies for Profile Services

The personalization service in Microsoft Office SharePoint Server 2007 uses information about users in your organization that is stored in directory services. That information can be supplemented with information about users from line-of-business applications. Personalization information can then be displayed in user profiles, and the properties in user profiles can be used to target content. Consult the plan for personalization in your initial deployment, and then configure the options that you have selected.

Configure personalization permissions


Before you can use personalization properties in your deployment, you must configure access to the service. You must enable access for administrators of the Shared Services Provider (SSP) to the service and to the associated Web application on which the SSP is hosted. You must also configure user permissions to view and share personalization information from My Sites. For more information about configuring personalization permissions, see Configure personalization permissions.

Configure connections to personalization services


The administrator of personalization services for the SSP configures connections to directory services to include properties for the accounts of all users who view and share information across the organization. If some groups of users work entirely separately, those accounts connect to separate SSPs. Directory services can include Active Directory directory services and Lightweight Directory Access Protocol (LDAP) directory services. After configuring connections to personalization services, you must also configure the settings to regularly import properties from each directory services connection. Each property is mapped to a property in the user profile. For more information about configuring connections to personalization services, see Configure policies for Profile Services.


Configure targeted content


After the SSP administrator has configured access to directory services and has configured user profiles, it is time to configure targeted content. Content is primarily targeted by using audiences. Audiences are defined by using rules based on properties from directory services. Lists, sites, and other content are then targeted to those audiences so that only members of targeted audiences can see the content. Some kinds of content are not targeted to users until their locations are selected by administrators as trusted. The SSP administrator configures trusted My Site locations, published links to Office client applications, and personalization site links so that the correct content is available for the right users. For more information about targeting content, see Configure targeted content.

Configure personalization sites


Personalization sites use targeted Web Parts and the Current User Filter Web Part to target information to users based on their account name or display name, so that each person sees personalized information on the site. This differs from other targeted Web Parts in that the information is targeted by user and not by audience. For more information about configuring personalization sites, see Configure personalization sites.

Configure policies for Profile Services


After configuring user profiles, targeted content, and personalization sites, SSP administrators for the personalization service can configure privacy policies that determine how that information is viewed and how it can be shared. For more information about configuring policies, see Configure policies for Profile Services.

See Also
Plan for personalized content and sites (http://technet.microsoft.com/enus/library/cc262525.aspx)


Configure personalization permissions


In this section:
   Configure SSP administrator permissions for Profile Services
   Configure access to SSP pages
   Configure user permissions for personalization
   Configure access to trusted My Site host locations

Before enabling personalization features in your deployment, you must first configure permissions to personalization features. Although some permissions are configured by default for deployments using Active Directory directory services, other configuration options vary according to the specific plan for deployment. Administrators of the Shared Services Provider (SSP) have limited ability to configure personalization services. The administration options for personalization services are associated with a set of permissions for different personalization features. Administrators can have access to some or all of these administration options. The users of the SSP have access to personal features associated with My Sites. Administrators of personalization permissions are responsible for configuring any changes to the default permissions for users.

Configure SSP administrator permissions for Profile Services


SSP administrators can view the SSP Home page and some configuration options, but many of the personalization management tasks are only available to administrators that have additional permissions. These additional configuration tasks include:
   Managing permissions.
   Managing user profiles.
   Managing audiences.
   Managing portal usage for personalization.

By default, the account that was used to install Microsoft Office SharePoint Server 2007 on the server has all of these permissions. This account can be used to delegate permissions to other users. In some organizations, one SSP administrator will have all permissions, and access to every management task. In other organizations, the permissions will be distributed among more than one administrator. Refer to your deployment plan when adding permissions for administrators. Use the following procedure to configure administrator permissions to the SSP for personalization services.


Configure administrator permissions to the SSP for personalization sites
1. Open the administration page for the SSP. To open the administration page for the SSP, perform the following:
   a. On the top navigation bar, click Application Management.
   b. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
   c. On the Manage this Farm's Shared Services page, there is a link to each SSP and links to the Web applications for each SSP. Click the link for the SSP that you want to open.
   You can also access the SSP by clicking the link to the SSP Home page in the Quick Launch.
2. On the SSP Home page, in the User Profiles and My Sites section, click Personalization services permissions.
3. On the Manage Permissions page, click Add Users/Groups.
4. On the Add Users/Groups page, in the Choose Users section, type the name of the users and groups that you want to add. If a user or group is already on the list, select the check box for that user or group, and then click Modify Permissions of Selected Users.
5. In the Choose Permissions section, select the permissions that you want for the added users and groups:
   To enable administration of user profiles, select Manage user profiles. Users who have this permission can access the User profiles and properties page and the Profile services policies page.
   To enable administration of permissions to personalization services, select Manage permissions.
   To enable administration of audiences, select Manage Audiences.
   To enable administration of the portal usage reporting service, select Manage usage analytics.
6. Click Save.

Configure access to the SSP pages


SSP administrators managing Profile Services must have access to the SSP pages for Profile Services. This access is in addition to the separate permissions to the service. To access the SSP Home page, an account must be a member of the Site Collection Administrators group. By default, the account that set up the SSP is a member of the Site Collection Administrators group. For the first SSP in the initial deployment, that is the account that was used to install Office SharePoint Server 2007. If that same account is used to administer the SSP, no additional steps are necessary. In most organizations, SSP administration will be delegated to one or more additional users. The account used to set up the SSP can be used to add other accounts to the Site Collection Administrators group.
Use the following procedure to configure access to SSP pages.

Configure access to SSP pages
1. Open the administration page for the SSP. To open the administration page for the SSP, perform the following:
   a. On the top navigation bar, click Application Management.
   b. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
   c. On the Manage this Farm's Shared Services page, there is a link to each SSP and links to the Web applications for each SSP. Click the link for the SSP that you want to open.
   You can also access the SSP by clicking the link to the SSP Home page in the Quick Launch.
2. On the SSP Home page, click the Site Actions menu.
3. In the Site Actions menu, click Site Settings.
4. On the Site Settings page, in the Users and Permissions section, click Site collection administrators.
5. On the Site Collection Administrators page, in the Site Collection Administrators section, perform the following:
   a. Type the name or account that you want to add to the Site Collection Administrators group.
   b. Click the Check Names icon. If the name or account is found in directory services, it will appear as a link in the text box.
   c. If the name or account was not found, or if you want to search for more users, click the Browse icon.
   d. On the Select People dialog box, in the Find box, type part or all of the user's name or account name, and then press Enter. All accounts that match appear in the text box.
   e. Select one or more accounts that you want to add, and then click Add.
   f. When you are done adding SSP administrators, click OK.
6. On the Site Collection Administrators page, click OK.

Configure user permissions for personalization


After configuring permissions for administrators, it is time to configure permissions for other users. By default, all users have both of the following permissions:
   Use personal features
   Create personal site

Users who have the Use personal features permission can see personalized information in sites, including user profiles for other users. Users who have both the Use personal features permission and the Create personal site permission can create a My Site by clicking the My Site link in the top navigation bar. In some organizations, personalization features may not be enabled. In these scenarios, the administrator with permission to manage permissions would remove these permissions for all authenticated users. In other organizations, only some users will have access to personalization features. In these scenarios, the personalization permissions would be removed for the All Authenticated Users group, and another group would be created containing users who have both permissions. In some organizations, My Sites will be created on a case-by-case basis, or created by managers during deployment. In these scenarios, users would have the Use personal features permission, but not the Create personal site permission. Because these permissions are managed in the same place as administrator permissions, it is possible to create several groups with different combinations of permissions. It is recommended that you carefully plan group permissions during the initial deployment so that you can minimize administration tasks during regular operations.

Use the following procedure to configure user permissions for personalization.

Configure user permissions for personalization
1. On the SSP home page, in the User Profiles and My Sites section, click Personalization services permissions.
2. On the Manage Permissions page, click Add Users/Groups.
3. On the Add Users/Groups page, in the Choose Users section, type the name of the users and groups that you want to add. If a user or group is already on the list, select the check box for that user or group, and then click Modify Permissions of Selected Users.
4. In the Choose Permissions section, select the permissions that you want for the added users and groups:
   To enable creation of My Sites, select Create personal site.
   To enable access to personalization features, select Use personal features.
5. Click Save.

Access to personalized information can also be modified by configuring profile services policies for users. For more information about configuring profile services policies, see Configure policies for Profile Services.

Configure access to trusted My Site host locations


Users of personalization services have the permissions given to them by administrators, but these permissions are limited to the services consumed from a single SSP. While good planning can avoid many situations where users need access to multiple My Sites, some scenarios may require that a user have access to more than one My Site host location. The typical scenario that requires multiple My Site host locations is a geographically distributed deployment with multiple sets of shared services in different locations. In these scenarios, it is common for each region to have its own set of My Sites and personalization features based on the needs of each region.

Use the following procedure to add trusted My Site host locations.

Add trusted My Site host locations
1. On the SSP home page, in the User Profiles and My Sites section, click Trusted My Site host locations.
2. On the Trusted My Site Host Locations page, click New to add another Trusted My Site host location.
3. On the Trusted My Site Host Locations: New Item page, in the URL section, type the URL of the trusted My Site host location, and type a description for the location.
4. In the Target Audiences section, select one or more audiences to use. For trusted My Site locations, the relevant audiences typically represent the set of users that belong to each My Site host location.
5. Click OK.

During regular operations, in response to changes in directory services, one or more users often end up with My Sites in different locations. Trusted My Site host locations can be used to provide access to personalization features targeted for only these users, without enabling access to all users.

See Also
Configure policies for Profile Services
Configure targeted content


Configure connections to Profile Services


In this section:
   Add import connections
   Configure import connections
   Configure user profiles

Personal information about the users in your organization is stored in directory services and line-of-business applications and imported to the user profile store so that it can be used to present personalized or targeted content in sites, and to search for people in your organization. When the administrator of the Shared Services Provider (SSP) configures user profile imports, the import connections necessary for those settings are configured automatically except for custom connections. Custom import connections must be configured separately.

Configure import settings


Import settings are used to regularly import properties from each directory services connection. Each property is mapped to a property in the user profile. Use the following procedure to configure import settings.

Configure import settings
1. Open the administration page for the SSP. To open the administration page for the SSP, do the following:
   a. On the top navigation bar, click Application Management.
   b. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
   c. On the Manage this Farm's Shared Services page, there is a link to each SSP and links to the Web applications for each SSP. Click the link for the SSP that you want to open.
   You can also access the SSP by clicking the link to the SSP home page in the Quick Launch.
2. On the SSP home page, in the User Profiles and My Sites section, click User profiles and properties.
3. On the User Profiles and Properties page, in the Profiles and Import Settings section, click Configure profile import.
4. On the Configure Profile Import page, in the Source section, select the source for the import. This is usually the current domain, or the entire forest.
   Note: Changing this setting will delete any manually configured connections for the current source.
5. In the Default Access Account section, select Specify Account and type a name and password for the access account.
   Note: It is recommended that you specify an account, rather than relying on the default content access account. To use the default content access account, select Use Default Content Access Account.
6. Depending on your plan for scheduling user profile imports, select Schedule full import in the Full Import Schedule section, or select Schedule incremental import in the Incremental Import Schedule section, and then select the day and time to schedule the import.
7. Click OK.

Before continuing with configuration of personalization features, ensure that you have imported all user profiles at least once. To run a full import of user profiles: On the User Profiles and Properties page, in the Profile and Import Settings section, click Start full import.

Add import connections


The administrator of personalization services for the SSP configures import connections, adding accounts for all users who are sharing personalized information by using the SSP. In deployments that have groups of isolated users, personalized information is isolated by using multiple SSPs. In deployments that have multiple SSPs, the SSP administrator must add connections between SSPs. Connections to directory services can include Active Directory directory services and Lightweight Directory Access Protocol (LDAP) directory services. You can add a connection to the Business Data Catalog, but it is recommended that you first add import connections for directory services. Most of these connections are configured automatically when import settings are configured. You can change the default configuration options or add custom import connections.

Use the following procedure to add an import connection.

Add an import connection
1. Open the administration page for the SSP. To open the administration page for the SSP, perform the following:
   a. On the top navigation bar, click Application Management.
   b. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
   c. On the Manage this Farm's Shared Services page, there is a link to each SSP and links to the Web applications for each SSP. Click the link for the SSP that you want to open.
   You can also access the SSP by clicking the link to the SSP home page in the Quick Launch.
2. On the SSP home page, in the User Profiles and My Sites section, click User profiles and properties.
3. On the User Profiles and Properties page, in the Profile and Import Settings section, click View import connections.
4. On the View Import Connections page, click Create New Connection.
5. To add a connection to Active Directory directory services:
   a. On the Add Connection page, in the Connection Settings section, on the Type menu, click Active Directory.
   b. In the Domain name text box, type the domain name for the domain that contains the information that you want to import.
   c. Select Auto discover domain controller if the specific domain controller is not important. To select a specific domain controller, select Specify a domain controller, and then in the Domain controller name menu, click the name of a specific domain controller.
   d. In the Port text box, type the number of the port to use to connect to the domain. To use SSL to help secure the connection, select the Use SSL-secured connection check box, and type a port number that is configured to use SSL in the Port text box.
   e. To minimize the performance impact on the domain controller, type a number of seconds in the Time out text box, and select Enable Server Side Incremental.
   Note: The Enable Server Side Incremental option must be selected if you are planning to perform incremental imports.
6. To add a connection to an Active Directory resource:
   a. In the Connection Settings section, on the Type menu, click Active Directory Resource.
   b. In the Domain name text box, type the domain name for the domain that contains the information that you want to import.
   c. Select Auto discover domain controller if the specific domain controller is not important. To select a specific domain controller, select Specify a domain controller, and then in the Domain controller name menu, click the name of a specific domain controller.
   d. In the Port text box, type the number of the port to use to connect to the domain. To use SSL to help secure the connection, select the Use SSL-secured connection check box, and type a port number that is configured to use SSL in the Port text box.
   e. To minimize the performance impact on the domain controller, type a number of seconds in the Time out text box, and select Enable Server Side Incremental.
   f. In the Master Forest Connection Settings section, in the Domain name text box, type the domain name for the master forest associated with the Active Directory resource that you want to import.
   g. Select Auto discover domain controller if the specific domain controller for the master forest is not important. To select a specific domain controller, select Specify a domain controller, and then in the Domain controller name menu, click the name of a specific domain controller.
   h. In the Port text box, type the number of the port to use to connect to the domain. To use SSL to help secure the connection, select the Use SSL-secured connection check box, and type a port number that is configured to use SSL in the Port text box.
   Select Specify Account and type the account name and password that you want to use to import user profiles from this connection.
   Note: It is recommended that you specify an account, rather than relying on the default content access account. To use the default content access account, select Use Default Account.
7. To add a connection to LDAP directory services:
   a. On the Add Connection page, in the Connection Settings section, in the Type menu, click LDAP Directory.
   b. In the Connection name text box, type the name of the connection.
   c. In the Directory service server name text box, type the name of the server for the directory service.

d. In the Port text box, type the number of the port to use to connect to the domain. To use SSL to help secure the connection, select the Use SSL-secured connection check box, and type a port number that is configured to use SSL in the Port text box. e. To minimize the performance impact on the domain controller, type a number of seconds in the Time out text box, and select Enable Server Side Incremental. f. In the Providername text box, type the name of the provider for this connection. g. In the Username attribute text box, type the name of the attribute to import. Note: This attribute is the identification attribute for each entry in LDAP directory services, associated with a single user or account. By default, this is the uid attribute. 8. In the Search Settings section, in the Search base text box, type the distinguished name of the directory node from which to import the users. If you do not know the
209

distinguished name, click the Auto Fill Root Search Base button. 9. In the User filter text box, you can add new query clauses to the default query to filter which user profiles are imported. 10. Under Scope, select One level to import one level of user profiles, or Subtree to import all user profiles under the search base. 11. To improve performance, you can type a maximum number of user profiles to import in the Page Size text box, and type a maximum number of seconds for the import in the Page time out text box. 12. In the Authentication Information section, select Specify Account and type the account name and password that you want to use to import user profiles from this connection. Note: It is recommended that you specify an account, rather than relying on the default content access account. To use the default content access account, select Use Default Account. 13. Click OK. For most connections, unless you have a specific need to narrow the scope of the import or limit the impact on the servers for directory services, you can accept the default values that appear on the Add Connection page. If you have non-user accounts in Active Directory, such as accounts used for testing, you might want to filter out those accounts. Configuration settings for connections can be modified to improve performance as part of regular operations. For more information about the exact settings to use when importing user profiles, see the technical reference documentation for Microsoft SharePoint Office Server 2007. For more information about Active Directory, see the documentation for Active Directory. After you have configured import connections to directory services, you can add a connection for additional properties imported from the Business Data Catalog. Unlike directory services, it is not possible to create user profiles from the Business Data Catalog. 
You can only add Business Data Catalog data to existing user profiles imported from directory services, although you can add as much or as little data as you want. Use the following procedure to add an import connection to the Business Data Catalog. Add an import connection to the Business Data Catalog 1. On the View Import Connections page, click Create New Connection. 2. On the Add Connection page, in the Connection Settings section, in the Type menu, click Business Data Catalog. 3. In the Connection name text box, type the name of the connection. 4. In the Domain name text box, type the domain name for the domain that contains the information that you want to import. 5. In the Business Data Catalog Entity menu, select the name of the business data type
210

that contains the data field to import as a user profile property. 6. Under Connection, select Connect User Profile Store to Business Data Catalog Entity as a 1:1 mapping, and then select a profile property that maps to the business data type in the Return items identified by this profile property menu. 7. To import multiple items for the business data type, select Connect User Profile Store to Business Data Catalog Entity as a 1:many mapping, select a property to filter by in the Filter items by menu, and then type a property for the filter value in the Use this profile property as the filter value menu. 8. Select Auto discover domain controller if the specific domain controller is not important. To select a specific domain controller, select Specify a domain controller, and then in the Domain controller name menu, click the name of a specific domain controller. 9. In the Port text box, type the number of the port to use to connect to the domain. To use SSL to help secure the connection, select the Use SSL-secured connection check box, and type a port number that is configured to use SSL in the Port text box. 10. To minimize the performance impact on the domain controller, type a number of seconds in the Time out text box, and select Enable Server Side Incremental. 11. In the Providername text box, type the name of the provider for this connection. 12. In the Username attribute text box, type the name of the attribute to import. Note: This attribute is the identification attribute for each entry in the Business Data Catalog for this business data type.
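As an added example (not code from Office SharePoint Server 2007 or its documentation), the following Python models how an import connection's search base, its One level or Subtree scope, and the user filter clauses decide which directory entries are imported, including the filtering out of disabled and test accounts mentioned above. The directory entries, DNs, domain name and description-based test-account rule are constructed; the disabled-account bit of userAccountControl is the real Active Directory flag, but the filter clauses are plain Python predicates rather than LDAP filter syntax.

```python
"""Model of how an import connection's search base, scope and user filter
select directory entries (added example, not product code).

The entries, DNs and attribute values are constructed for illustration. The
filter clauses are Python predicates standing in for the query clauses typed
into the User filter box; they do not reproduce LDAP filter syntax."""

from dataclasses import dataclass, field

# Bit 0x2 of userAccountControl marks a disabled account (ADS_UF_ACCOUNTDISABLE).
ACCOUNTDISABLE = 0x2


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)


def parse_dn(dn):
    """Split a distinguished name into its RDN components, leaf first.
    Handles an escaped comma ('\\,') inside a value; case-folded for comparison."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p.lower() for p in parts if p]


def in_scope(entry_dn, search_base, scope):
    """True if entry_dn lies under search_base for the given scope.
    'onelevel' keeps only immediate children of the base; 'subtree' keeps
    everything below it. The base node itself is never a user, so it is excluded."""
    entry, base = parse_dn(entry_dn), parse_dn(search_base)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError("scope must be 'onelevel' or 'subtree'")


def default_user_filter(entry):
    """Stand-in for the default user query: person objects that are user
    accounts and are not disabled."""
    a = entry.attrs
    return (a.get("objectCategory") == "person"
            and "user" in a.get("objectClass", ())
            and not a.get("userAccountControl", 0) & ACCOUNTDISABLE)


def exclude_test_accounts(entry):
    """Extra clause for the scenario in the text: drop non-user accounts such
    as test accounts, here identified by a constructed description prefix."""
    return not entry.attrs.get("description", "").lower().startswith("test account")


def select_for_import(entries, search_base, scope, clauses):
    """Apply the scope, then every filter clause; return the DNs to import."""
    return [e.dn for e in entries
            if in_scope(e.dn, search_base, scope) and all(c(e) for c in clauses)]


# Constructed sample directory; contoso.example is a placeholder domain.
BASE = "OU=Staff,DC=contoso,DC=example"
USER = {"objectCategory": "person", "objectClass": ["top", "user"], "userAccountControl": 512}
SAMPLE_ENTRIES = [
    Entry("CN=Alice Smith,OU=Staff,DC=contoso,DC=example", dict(USER)),
    Entry("CN=Bob Jones,OU=Sales,OU=Staff,DC=contoso,DC=example", dict(USER)),
    Entry("CN=Carol Disabled,OU=Staff,DC=contoso,DC=example",
          {**USER, "userAccountControl": 512 | ACCOUNTDISABLE}),
    Entry("CN=svc-test01,OU=Staff,DC=contoso,DC=example",
          {**USER, "description": "Test account for load testing"}),
    Entry("CN=Printers,OU=Staff,DC=contoso,DC=example",
          {"objectCategory": "group", "objectClass": ["top", "group"]}),
    Entry("CN=Dan Contractor,OU=Vendors,DC=contoso,DC=example", dict(USER)),
]
CLAUSES = [default_user_filter, exclude_test_accounts]

if __name__ == "__main__":
    for scope in ("onelevel", "subtree"):
        print(scope, select_for_import(SAMPLE_ENTRIES, BASE, scope, CLAUSES))
```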

Configure user profiles

You can add properties to user profiles other than those that are imported from directory services and the Business Data Catalog. These properties can be mapped to existing properties so that their values can be automatically updated during profile imports. During initial deployment, add the additional properties that you identified during user profile planning.

Use the following procedure to add properties to user profiles.

Add properties to user profiles

1. On the User Profiles and Properties page, in the User Profile Properties section, click Add profile property.
2. On the Add User Profile Property page, in the Property Settings section, type a name and display name for the property.
   Note: If your deployment uses multiple languages, you can provide alternative display names for each language by clicking the Edit Languages button, clicking Add Language, selecting a language from the menu, and then typing the display name in the new language. You can add display names for any of the available languages. The display name that appears depends on the language used by the user viewing the property.
3. On the Type menu, select the data type for the property.
4. On the Length menu, type the maximum number of characters allowed for values for this property.
5. To allow multiple values for this property, select the Allow multiple values check box, and then select an option from the Multivalue Separator menu.
   Note: If you select the Allow multiple values check box, the property will be permanently set as a multi-valued property. You cannot change this setting after you have selected it.
6. To allow users to select values from a list of choices, select the Allow choice list check box.
7. In the User Description section, type a description that provides instructions for users who are adding values for this property.
   Note: If your deployment uses multiple languages, you can provide alternative descriptions for each language by clicking the Edit Languages button, clicking Add Language, selecting a language from the menu, and then typing the display name in the new language. You can add descriptions for any of the available languages. The description that appears depends on the language used by the user viewing the property.
8. In the Policy Settings, Edit Settings, and Display Settings sections, select a policy setting and default privacy setting for this property, select whether users can edit values for this property, and configure display options. For more information about privacy policies, see Configure policies for Profile Services.
9. In the Choice List Settings section, choose whether the property uses a defined choice list, add the choices, and select whether users can add to the choice list.
   Note: This section is only available if you selected the Allow choice list check box in the Property Settings section. For more information about choice lists, see Plan for people and user profiles.
10. In the Search Settings section, select the Alias check box if the property is equivalent to the user's name for purposes of search. Select Indexed if this property is part of the search schema for users, so that it can be used to find users or is displayed in user search results.
11. In the Property Import Mapping section, select the data source and data type field to use when mapping this property.
12. Click OK.

See Also
Plan for people and user profiles (http://technet.microsoft.com/en-us/library/cc262095.aspx)
Configure policies for Profile Services
Configure targeted content
Configure personalization sites

Configure targeted content

In this section:
Create and configure audiences
Configure published links to Office client applications
Configure personalization site links
Configure access to trusted My Site host locations

In Microsoft Office SharePoint Server 2007, content in a site can be targeted to individuals and groups of users so that a site can provide a personalized experience for all users. This encourages collaboration across an organization. Content is primarily targeted by using audiences. Audiences are defined by using audience rules based on properties in user profiles or membership in distribution lists and SharePoint groups. Properties and distribution list membership information are imported from directory services or from line-of-business applications that are registered in the Business Data Catalog. SharePoint groups are configured within each site or site collection.

SharePoint lists and Web Parts can be targeted by using audiences, so that only members of the targeted audience can view content. Links to certain sites can be targeted by audience. Examples of targeted links include published links to Office client applications and personalization site links. Targeted links appear in Office client applications and My Sites only for users who are members of the target audiences.

Administrators of the Shared Services Provider (SSP) create and configure audiences, and then configure the compilation schedules for audiences. After audiences are created by SSP administrators, any other user with the correct permissions can use audiences to target content. SSP administrators also configure the settings for published links to the Office client applications and personalization site links. In configurations that have more than one My Site location, the SSP administrator for personalization services configures trusted My Site locations so that some groups of users can view personalized content across all My Site locations.

Create and configure audiences

Audiences use the information from directory services and user profiles to target information in links, lists, Web Parts, document libraries, and sites. Before you can create, configure, and compile audiences, you must import user profiles from directory services. After creating audiences, you can target content by configuring the audience targeting properties of the content.

Use the following procedures to create and configure audiences.

Create and configure audiences

1. On the SSP home page, in the Audiences section, click Audiences.
2. On the Manage Audiences page, click Create audience.
3. On the Create Audience page, type a name and description.
4. In the Owner text box, type or select a person to own this audience.
5. Select Satisfy all of the rules or Satisfy any of the rules depending on the rules you have planned for each audience.
   Note: Complex rules containing AND and OR can be created by developers by using the SharePoint object model.
6. Click OK.
7. On the Add Audience Rule page, to add a rule based on a user:
   a. In the Operand section, select User.
   b. In the Operator section, select Reports Under to create a rule based on organizational hierarchy, or select Member Of to target by group or distribution list.
   c. Type or select the user that you want to use to test this rule. For a Reports Under rule, select the person who is the manager of the users that you want to include in the audience. For a Member Of audience, select the group or distribution list to include for the audience rule.
8. To add a rule based on a property of user profiles:
   a. In the Operand section, select Property, and then select a property from the menu.
   b. In the Operator menu, select an operator for the property. The operators vary by property, but common operators include =, Contains, and <>. Full descriptions of the operators are available in the planning and operations documentation for Office SharePoint Server 2007.
   c. Type a value to use when evaluating the property against this rule.
9. Click OK.

Use the following procedure to configure audience compilation and compile audiences.

Configure audience compilation and compile audiences

1. On the Manage Audiences page, click Specify compilation schedule.
2. On the Specify Compilation Schedule page, select Enable scheduling.
3. Select a start time in the Start at menu. To compile audiences at the same time each day, select Every day. To compile audiences at the same time once per week, select Every week on, and then select a day of the week. To compile audiences once a month, select Every month on this date, and then select a day of the month.
4. Click OK. On the Manage Audiences page, click Start compilation at any time to compile audiences. All audiences will be compiled.
   Note: You can compile audiences individually from the View Audiences page by clicking the audience, and then clicking Compile.

Actual targeting of content based on audiences is performed by site administrators or contributors. As part of planning for your initial deployment, your planning team will identify the key content to target. Audience administrators should work with site administrators during deployment to ensure that content is targeted according to plan.
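The audience rules above, as an added example that is not part of the original documentation: a Python evaluator for Satisfy all / Satisfy any with the User operand (Reports Under walks the manager chain, Member Of checks group or distribution list membership) and the Property operand with the =, Contains and <> operators. The profiles, groups, manager links and account names are constructed, and the cycle guard in reports_under is an assumption about imported data rather than documented product behaviour.

```python
"""Evaluation of audience rules over user profiles (added example, not
Office SharePoint Server 2007 code). Sample data is constructed."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Profile:
    account: str
    manager: Optional[str] = None   # account name of the manager, None at the top
    properties: dict = field(default_factory=dict)


@dataclass
class Rule:
    operand: str     # "User" or "Property"
    operator: str    # "Reports Under", "Member Of", "=", "Contains", "<>"
    value: str       # manager account, group name, or property value
    prop: str = ""   # property name when operand == "Property"


def reports_under(profiles, account, manager, seen=None):
    """True if `account` is anywhere below `manager` in the reporting chain.
    `seen` guards against a cycle in the imported manager data (assumption)."""
    seen = set() if seen is None else seen
    p = profiles.get(account)
    if p is None or p.manager is None or account in seen:
        return False
    if p.manager == manager:
        return True
    seen.add(account)
    return reports_under(profiles, p.manager, manager, seen)


def rule_matches(rule, profile, profiles, groups):
    """Evaluate one audience rule against one profile."""
    if rule.operand == "User":
        if rule.operator == "Reports Under":
            return reports_under(profiles, profile.account, rule.value)
        if rule.operator == "Member Of":
            return profile.account in groups.get(rule.value, set())
        raise ValueError(f"unknown User operator {rule.operator!r}")
    if rule.operand == "Property":
        # Property comparisons are case-insensitive here; an assumption.
        actual = str(profile.properties.get(rule.prop, "")).lower()
        expected = rule.value.lower()
        if rule.operator == "=":
            return actual == expected
        if rule.operator == "<>":
            return actual != expected
        if rule.operator == "Contains":
            return expected in actual
        raise ValueError(f"unknown Property operator {rule.operator!r}")
    raise ValueError(f"unknown operand {rule.operand!r}")


def compile_audience(rules, satisfy, profiles, groups):
    """Return the sorted accounts in the audience. `satisfy` is 'all' (every
    rule must hold) or 'any' (at least one rule must hold)."""
    if satisfy not in ("all", "any"):
        raise ValueError("satisfy must be 'all' or 'any'")
    combine = all if satisfy == "all" else any
    return sorted(p.account for p in profiles.values()
                  if combine(rule_matches(r, p, profiles, groups) for r in rules))


# Constructed sample profile store and a constructed distribution list.
PROFILES = {p.account: p for p in [
    Profile("contoso\\ceo", None, {"Department": "Executive", "Office": "HQ"}),
    Profile("contoso\\vp-sales", "contoso\\ceo", {"Department": "Sales", "Office": "HQ"}),
    Profile("contoso\\rep1", "contoso\\vp-sales", {"Department": "Sales", "Office": "Seattle"}),
    Profile("contoso\\rep2", "contoso\\vp-sales", {"Department": "Sales", "Office": "Paris"}),
    Profile("contoso\\eng1", "contoso\\ceo", {"Department": "Engineering", "Office": "Seattle"}),
]}
GROUPS = {"Sales Leads DL": {"contoso\\vp-sales", "contoso\\rep1"}}

# "Seattle sales staff": both rules must hold (Satisfy all of the rules).
SEATTLE_SALES = [Rule("Property", "=", "Sales", prop="Department"),
                 Rule("Property", "Contains", "seat", prop="Office")]
# "Sales org or leads": anyone under the VP of Sales, or in the DL (Satisfy any).
SALES_ORG = [Rule("User", "Reports Under", "contoso\\vp-sales"),
             Rule("User", "Member Of", "Sales Leads DL")]

if __name__ == "__main__":
    print(compile_audience(SEATTLE_SALES, "all", PROFILES, GROUPS))
    print(compile_audience(SALES_ORG, "any", PROFILES, GROUPS))
```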

Configure published links to Office client applications

Users of Office 2007 client applications can see links to SharePoint sites from those applications. This allows users to quickly and easily access sites and save documents to sites or document libraries. SSP administrators configure published links to Office applications during initial deployment, and can add or change links as part of regular operations. Links can be visible for all users or only specific groups of users by using audiences. Administrators configure published links to Office client applications and target them to audiences.

Use the following procedure to configure published links to Office client applications.

Configure published links to Office client applications

1. On the SSP Home page, in the User Profiles and My Sites section, click Published links to Office client applications.
2. On the Published links to Office client applications page, click New to add a link to Office client applications.
3. On the Published links to Office client applications: New Item page, in the URL section, type the URL of the link that you want to appear in Office applications, and type a description for the link.
4. In the Type section, select the kind of site for the URL. This will affect how client applications display the link.
5. In the Target Audiences section, select one or more audiences to use. Only members of these audiences will have access to the link in Office client applications.
6. Click OK.

Configure personalization site links

Personalization sites are sites that present information that is personalized based on the current user of a site by using a filter Web Part to display only the information relevant for the current user. Creating a personalization site link adds the link to the My Site navigation bar. Every user who is a member of a targeted audience can see the personalization link when viewing their personal site, along with other relevant personalization sites. This enables each user to have a single access point for personalized content.

The configuration page for personalization sites does not check the template of linked sites, so SSP administrators can theoretically create a link to any kind of site. However, to focus the purpose of My Sites, it is recommended that only personalization site links or links to sites that use a similar template be added to the list on the Personalization site links page.

SSP administrators select an owner for each personalization site link. This provides a contact for the personalization link, but does not configure any permissions for audiences. The visibility of each link can be modified by the relevant site administrator of each site during regular operations, by changing the targeted audiences. Audience creation and membership can only be configured by the audiences administrator from the SSP administration pages.

Configure the personalization site links for the key personalization sites identified during site hierarchy and personalization planning. Additional links can be added as necessary as part of regular operations.

Use the following procedure to configure personalization site links.

Configure personalization site links

1. On the SSP Home page, in the User Profiles and My Sites section, click Personalization site links.
2. On the Personalization site links page, click New to add a link to a personalization site.
3. On the Personalization site links: New Item page, in the URL section, type the URL of the link that you want to appear in the My Site navigation bar, and type a description for the link.
4. In the Owner section, type the account name of an owner for the site link. This user is typically the site administrator for the personalization site.
5. In the Target Audiences section, select one or more audiences to use. Only members of these audiences will see the link in the My Site navigation bar.
6. Click OK.

Configure access to trusted My Site host locations

Users of personalization services have the permissions given to them by administrators, but these permissions are limited to a single SSP. While good planning can avoid many situations where users need access to multiple My Sites, some scenarios require that a user have access to more than one My Site host location. These scenarios typically involve geographically distributed server farms, each with its own set of shared services. Consult your planning for SSPs and trusted My Site host locations to determine which trusted My Site host locations you need to add and the audiences you need to use when targeting those locations.

Use the following procedure to add trusted My Site host locations.

Add trusted My Site host locations

1. On the SSP Home page, in the User Profiles and My Sites section, click Trusted My Site host locations.
2. On the Trusted My Site Host Locations page, click New to add another Trusted My Site host location.
3. On the Trusted My Site Host Locations: New Item page, in the URL section, type the URL of the trusted My Site host location, and type a description for the location.
4. In the Target Audiences section, select one or more audiences to use. For trusted My Site locations, the relevant audiences typically represent the set of users that belong to each My Site host location.
5. Click OK.

During regular operations, in response to changes in directory services, one or more users can end up with My Sites in different locations. This can happen when an account is migrated from one SSP to another, such as when an employee changes geographic divisions in an organization that uses different SSPs for geographically distributed locations. Trusted My Site host locations can be used to provide access to personalization features targeted for only these users, without enabling access to all users.

See Also
Plan for audiences (http://technet.microsoft.com/en-us/library/cc261958.aspx)
Configure personalization sites


Configure personalization sites

In this section:
Create personalization sites
Design personalization sites
Target personalization site links

Microsoft Office SharePoint Server 2007 provides a template for creating personalization sites. Personalization sites use a Current User Filter Web Part that can be connected to other Web Parts on the page to display content that is personalized for each user who visits the site. Unlike personal sites, which combine Web Parts that display information configured by Shared Services Provider (SSP) administrators by configuring user profiles and personalization policies with content customized by each user, personalization sites are designed to be customized by site owners for a larger audience.

Site owners are selected during initial deployment by SSP administrators when they configure personalization links. The site owner of each site is typically the site administrator for the site, and decides which audiences to use when targeting the display of the personalization link on the My Site navigation bar. Site administrators, possibly working with site designers, create and customize personalization sites based on recognized business needs.

Create personalization sites

Creation of personalization sites is straightforward. A personalization site can be created by any user who has the create sites permission.

Use the following procedure to create a personalization site.

Create a personalization site

1. On the Site Actions menu, click Create Site.
2. On the New SharePoint Site page, in the Title and Description section, type a title and description for the personalization site.
3. In the Web Site Address section, type a directory name to complete the URL in the URL name text box.
4. In the Permissions section, select the desired permissions.
5. In the Template Selection section, click the Enterprise tab, and then click Personalization Site.
6. Configure navigation options and site categories depending on the purpose of the site and your site hierarchy and site navigation plans.
7. Click Create.


Design personalization sites

Design of personalization sites can be simple or complex depending on the needs of the site. The key personalization sites for the initial deployment are identified during site hierarchy planning based on the needs of your organization. Consult site hierarchy planning, and then design each personalization site to meet your identified needs.

The list of Web Parts that can be used in designing personalization sites is provided in part in the planning documentation, developer documentation, and technical reference documentation for Office SharePoint Server 2007. For more information about the full capabilities of Web Parts, see this documentation. The key concept to understand, regardless of the exact Web Parts used, is how to connect the Current User Filter Web Part to other Web Parts.

Use the following procedure to connect the Current User Filter Web Part to other Web Parts.

Connect the Current User Filter Web Part to other Web Parts

1. On the Site Actions menu, click Edit Page.
2. Add the Web Parts that you want to connect to the filter Web Parts, based on your plan for the design of this site.
3. On the Current User Filter Web Part, click the Edit menu, point to Connections, point to Send Values To, and then click the name of the Web Part that you want to connect to the filter Web Part.
   Note: Some connected Web Parts can accept a default value from the Current User Web Part. The procedure to connect these Web Parts uses the Send Default Value To connection option, but is otherwise the same.
4. On the Configure Connection Webpage dialog, in the Consumer Field Name menu, select the property to filter by. For example, to filter the contents of a Documents Web Part, select Modified By to filter the list in the Documents Web Part to display only the documents modified by the current user.
5. Click Finish.
6. Click Exit Edit Mode when you are done connecting Web Parts.

Target personalization site links

Personalization site link settings determine how links to personalization sites appear in the My Site navigation bar. Links to personalization sites are targeted by using audiences. The SSP administrator creates audiences and assigns an owner and set of audiences for each personalization site link. The owner is responsible for maintaining the targeting of the link over time by selecting new audiences, but typically cannot create audiences.

Personalization sites do not have to appear in the My Site navigation bar. However, users are much more likely to view a personalization site and work on the information they see on a personalization site if it is one of the sites that appears in the My Site navigation bar. Because the personalization sites created during initial deployment represent key business processes identified during planning, it is usually a good idea to include links to the sites in the My Site navigation bar and carefully consider how those links are targeted.

Use the following procedure to configure personalization site links.

Configure personalization site links

1. On the SSP home page, in the User Profiles and My Sites section, click Personalization site links.
2. On the Personalization Site Links page, click New to add a link to a personalization site.
3. On the Personalization Site Links: New Item page, in the URL section, type the URL of the link that you want to appear in the My Site navigation bar, and type a description for the link.
4. In the Owner section, type the account name of an owner for the site link. This user is typically the site administrator for the personalization site.
5. In the Target Audiences section, select one or more audiences to use. Only members of these audiences will see the link in the My Site navigation bar.
6. Click OK.

For more information on configuring personalization site links, see Configure targeted content.


Configure policies for Profile Services

In this section:
Configure policies for personalization features
Configure policies for user profiles

In Microsoft Office SharePoint Server 2007, Shared Services Provider (SSP) administrators for personalization services configure the policies that determine who can view personalized information and how that information can be shared. Every kind of personalized information is affected by these policies, including:
Memberships in SharePoint sites and distribution lists.
Social networking features, such as My Colleagues.
Links on personal sites.
Personalization site link pinning.
User profile properties.

Consult your planning for personalization policies, and then configure settings for each of these personalization features.

Configure policies for personalization features

Policies for profile services are used to configure the access and privacy settings for My Site personalization features and user profile properties. Although all users with the Use personal features permission can view personalized information, SSP administrators can configure policies for each specific feature or user profile to achieve greater precision in preserving privacy and sharing information according to the needs of each organization.

Use the following procedure to configure policies for personalization features.

Configure policies for personalization features

1. On the SSP home page, in the User Profiles and My Sites section, click Profile services policies.
2. On the Manage Policy page, click the policy that you want to set, and then click Edit Policy.
3. On the Edit Policy page, in the Policy Settings section, in the Policy Setting menu, select the policy setting for the feature or property.
   Click Enabled to enable the information to be shared by users other than the SSP administrator. The visibility of enabled features is configured in the Default Privacy Settings menu. This option is only available for policies for features and not policies for user profile properties.
   Select Disabled to prevent anyone but the SSP administrator from viewing the property or feature.
   Select Required if the property must contain information. The visibility of the property is configured in the Default Privacy Settings menu.
   Select Optional if the property is not required. Each user decides whether optional properties contain information based on the user's preference.
4. In the Default Privacy Setting menu, select the people who can view information for the feature or property.
   Click Only Me to limit visibility to the user.
   Click My Manager to limit visibility to the user and the user's manager.
   Click My Workgroup to limit visibility to the user and all users who report to the same manager.
   Click My Colleagues to limit visibility to the user and all colleagues for that user.
   Click Everyone to share the information with all users who have the Use personal features permission.
5. To enable users to change the default privacy setting, select the User can override check box.
6. To enable a property to be available in user information lists for SharePoint sites other than My Site, select the Replicable check box. This property and its values from the user profile will be replicated to other sites.
   Note: If you clear a check box that has already been selected, any information that was replicated before the change will remain on other SharePoint sites until it is changed on each site. This can occur during deployment if you clear a check box for a property that is replicable by default if the property has already been imported from directory services or the Business Data Catalog.
7. Click OK.
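As an added example, not code from the product, the following Python models who can view a property or feature under the Policy Setting, Default Privacy Setting and User can override options described in this procedure and in the user profile property procedure that follows. It assumes the privacy levels are nested (each level also admits everyone a narrower level admits, so My Workgroup also admits the manager), and the policy, owner and viewer data are constructed.

```python
"""Who can view a personalized property or feature under a profile services
policy (added example, not Office SharePoint Server 2007 code).

Assumptions: privacy levels are nested, so My Colleagues also admits the owner,
the owner's manager and the workgroup; Disabled hides the item from everyone
except the SSP administrator; all sample data is constructed."""

from dataclasses import dataclass, field

# Default Privacy Setting choices, narrowest first; index order is the nesting.
PRIVACY_LEVELS = ["Only Me", "My Manager", "My Workgroup", "My Colleagues", "Everyone"]
POLICY_SETTINGS = {"Enabled", "Disabled", "Required", "Optional"}


@dataclass
class Policy:
    setting: str                 # Policy Setting menu value
    default_privacy: str         # Default Privacy Setting menu value
    user_can_override: bool = False

    def __post_init__(self):
        if self.setting not in POLICY_SETTINGS:
            raise ValueError(f"unknown policy setting {self.setting!r}")
        if self.default_privacy not in PRIVACY_LEVELS:
            raise ValueError(f"unknown privacy setting {self.default_privacy!r}")


@dataclass
class Owner:
    """The user whose profile holds the information."""
    account: str
    manager: str = ""
    workgroup: set = field(default_factory=set)   # others reporting to the same manager
    colleagues: set = field(default_factory=set)  # the owner's My Colleagues list
    privacy_choice: str = ""                      # value chosen by the user, if any


@dataclass
class Viewer:
    account: str
    is_ssp_admin: bool = False
    has_use_personal_features: bool = True


def effective_privacy(policy, owner):
    """The user's own choice applies only when the policy allows override."""
    if policy.user_can_override and owner.privacy_choice:
        if owner.privacy_choice not in PRIVACY_LEVELS:
            raise ValueError(f"unknown privacy setting {owner.privacy_choice!r}")
        return owner.privacy_choice
    return policy.default_privacy


def relationship(viewer, owner):
    """Narrowest privacy level that admits this viewer."""
    if viewer.account == owner.account:
        return "Only Me"
    if viewer.account == owner.manager:
        return "My Manager"
    if viewer.account in owner.workgroup:
        return "My Workgroup"
    if viewer.account in owner.colleagues:
        return "My Colleagues"
    return "Everyone"


def can_view(policy, owner, viewer):
    """SSP administrators always see the item; Disabled hides it from everyone
    else; otherwise the viewer needs the Use personal features permission and
    must fall within the effective privacy level."""
    if viewer.is_ssp_admin:
        return True
    if policy.setting == "Disabled" or not viewer.has_use_personal_features:
        return False
    allowed = PRIVACY_LEVELS.index(effective_privacy(policy, owner))
    return PRIVACY_LEVELS.index(relationship(viewer, owner)) <= allowed


# Constructed sample: an optional property visible to colleagues by default.
MOBILE_POLICY = Policy("Optional", "My Colleagues", user_can_override=True)
ALICE = Owner("contoso\\alice", manager="contoso\\mgr",
              workgroup={"contoso\\bob"}, colleagues={"contoso\\bob", "contoso\\carol"})
# Same owner after choosing Only Me, which the policy above permits.
ALICE_PRIVATE = Owner("contoso\\alice", manager="contoso\\mgr", privacy_choice="Only Me")

if __name__ == "__main__":
    for who in ("contoso\\alice", "contoso\\mgr", "contoso\\carol", "contoso\\dave"):
        print(who, can_view(MOBILE_POLICY, ALICE, Viewer(who)),
              can_view(MOBILE_POLICY, ALICE_PRIVATE, Viewer(who)))
```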

Configure policies for user profiles


Use the following procedure to configure policies for user profiles.

Configure policies for user profiles

1. On the SSP home page, in the User Profiles and My Sites section, click User profile and properties.

2. On the User Profiles and Properties page, in the User Profile Properties section, click View profile properties.

3. On the View Profile Properties page, click the property that you want to configure, and then click Edit.

4. On the Edit User Profile Property page, in the Policy Settings section, from the Policy Setting menu, click the policy setting for the property.
   Select Required if the property must contain information. The visibility of the property is configured in the Default Privacy Settings menu, as discussed in step 5.
   Select Optional if the property is not required. Each user decides whether or not to provide values for optional properties.
   Select Disabled to prevent anyone but the SSP administrator from viewing the property or feature.

5. In the Default Privacy Setting menu, select the people who can view information for the feature or property.
   Click Only Me to limit visibility to the user.
   Click My Manager to limit visibility to the user and the user's manager.
   Click My Workgroup to limit visibility to the user and all users who report to the same manager.
   Click My Colleagues to limit visibility to the user and all colleagues for that user.
   Click Everyone to share the information with all users who have the Use personal features permission.

6. To enable users to change the default privacy setting, select the User can override check box.

7. To enable a property to be available in user information lists for SharePoint sites other than My Site, select the Replicable check box. This property and its values from the user profile will be replicated to other sites.
   Note: Replication occurs during profile imports. The information list is replaced by the values for the property in the imported user profile. Changes made to properties in the user profile that are not replicated will not appear on other sites. If you clear a Replicable check box that was previously selected, any information that was replicated before the change will remain on other SharePoint sites until it is changed on each site. This can occur during deployment if you clear the check box for a property that is replicable by default after the property has been imported from directory services or the Business Data Catalog.

8. In the Edit Settings section, click an option to allow or not allow users to edit values for properties in their user profiles.
   To allow users to edit values for the property in their user profiles, click Allow users to edit values for this property.
   To prevent users from editing values for the property, click Do not allow users to edit values for this property.
   To display the property in the profile properties section of the user's profile page, select Show in the profile properties section of the user's profile page.

9. In the Display Settings section, select where the property is displayed on My Site.
   To display the property on the Edit Details page available from the personal page of My Site, select Show on the Edit Details page.
   To display changes to the property in the Colleagues section of My Site and all other instances of the Colleague Tracker Web Part, click Show changes in the Colleague Tracker web part.

10. Click OK.

See Also
Plan for people and user profiles (http://technet.microsoft.com/en-us/library/cc262095.aspx)
Policies for Profile Services (http://technet.microsoft.com/en-us/library/cc263160.aspx)
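As an added illustration, not part of this book and not SharePoint code, the following Python model applies the Policy Setting, Default Privacy Setting and User can override rules from the two procedures above to decide whether one user can see another user's profile property. The directory data (who reports to whom, declared colleagues, and which accounts hold the Use personal features permission), the user names, and the PropertyPolicy and Directory types are constructed for the example; each privacy level is implemented as the option descriptions above state it, and the SSP administrator bypass follows the Disabled description.

```python
"""Model of the My Site profile property privacy rules described in the procedures above.
Added example, not SharePoint code; org data and types are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

LEVELS = ("Only Me", "My Manager", "My Workgroup", "My Colleagues", "Everyone")


@dataclass
class PropertyPolicy:
    """The settings an SSP administrator chooses on the Edit Policy page."""
    setting: str                  # "Required", "Optional" or "Disabled"
    default_privacy: str          # one of LEVELS
    user_can_override: bool = False


@dataclass
class Directory:
    """Constructed directory data: reporting lines, colleague lists, and the accounts
    that hold the Use personal features permission."""
    manager_of: Dict[str, Optional[str]]
    colleagues_of: Dict[str, Set[str]] = field(default_factory=dict)
    personal_users: Set[str] = field(default_factory=set)


# Constructed sample organisation: carol manages alice and bob; dave manages carol
# and erin; frank exists but lacks the Use personal features permission.
DIRECTORY = Directory(
    manager_of={"alice": "carol", "bob": "carol", "carol": "dave", "erin": "dave", "dave": None},
    colleagues_of={"alice": {"erin"}},
    personal_users={"alice", "bob", "carol", "dave", "erin"},
)


def audience(owner: str, level: str, d: Directory) -> Set[str]:
    """Accounts allowed to see a property of `owner` at a given privacy level."""
    if level == "Only Me":
        return {owner}
    if level == "My Manager":
        mgr = d.manager_of.get(owner)
        return {owner} | ({mgr} if mgr else set())
    if level == "My Workgroup":
        # The user plus everyone who reports to the same manager.
        mgr = d.manager_of.get(owner)
        peers = {u for u, m in d.manager_of.items() if mgr is not None and m == mgr}
        return {owner} | peers
    if level == "My Colleagues":
        return {owner} | set(d.colleagues_of.get(owner, set()))
    if level == "Everyone":
        return set(d.personal_users)
    raise ValueError(f"unknown privacy level {level!r}")


def effective_level(policy: PropertyPolicy, owner_choice: Optional[str]) -> str:
    """The owner's own choice counts only when User can override is selected."""
    if policy.user_can_override and owner_choice in LEVELS:
        return owner_choice
    return policy.default_privacy


def can_view(viewer: str, owner: str, policy: PropertyPolicy, d: Directory,
             owner_choice: Optional[str] = None, viewer_is_ssp_admin: bool = False) -> bool:
    """Rules in order: the SSP administrator sees everything; a Disabled property is
    hidden from everyone else; otherwise the viewer must hold the Use personal
    features permission and fall inside the effective privacy audience."""
    if viewer_is_ssp_admin:
        return True
    if policy.setting == "Disabled":
        return False
    if viewer not in d.personal_users:
        return False
    return viewer in audience(owner, effective_level(policy, owner_choice), d)
```

The point the model makes visible is the interaction between the two check boxes: a user's own privacy choice is silently ignored unless User can override was selected, and Disabled hides the property even from its owner for everyone except the SSP administrator.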


B. Configure business intelligence features



Chapter overview: Configure business intelligence features


In this section:
  Configure access to business data
  Register line-of-business applications in the Business Data Catalog
  Customize business data lists, Web Parts, and sites
  Configure business data search

Microsoft Office SharePoint Server 2007 enables the integration of data from line-of-business applications with features that enable that data to be found, displayed, and analyzed along with other content by users who use SharePoint sites. After you have planned the line-of-business applications, SharePoint lists, and sites for your organization, you must configure the connection between data in applications and the features in your deployment that use data.

Configure access to business data


The first step to enabling business data within your deployment involves configuring access to business data. You must configure access to the Business Data Catalog for a Shared Services Provider (SSP) administrator. For each line-of-business application, you configure access to the underlying database, or to a separate database that holds an isolated copy of the data. Finally, you configure access to the business data that is made available by the Business Data Catalog, so that business data features are available to the users who use that data and unavailable to other users. For more information about configuring access to business data, see Configure access to business data.

Register line-of-business applications in the Business Data Catalog


When you register line-of-business applications in the Business Data Catalog, you select the business data types and properties for each business data type to import. You select fields in the line-of-business application and then map them to business data properties that appear in SharePoint lists, Web Parts, business dashboards, and the Report Center site. For more information about registering line-of-business applications in the Business Data Catalog, see Register business applications in the Business Data Catalog.


Customize business data lists, Web Parts, and sites


After you configure access to business data and imported business data types and properties, you can include the data in SharePoint lists and Web Parts. These lists and Web Parts are used in sites across your organization, particularly business dashboards and the Report Center site. Business data displayed in dashboard sites enables complex data analysis and action through business intelligence features, such as Excel Web Access Web Parts and key performance indicators (KPIs). These features are implemented by site administrators and end users, but business planners and SSP administrators should work closely with these users during initial deployment to implement the decisions made during planning. For more information about customizing business data in lists, Web Parts, and sites, see Customize business data lists, Web Parts, and sites.

Configure business data search


A key step to making business data easily available is to integrate business data into your initial search deployment. For more information about finding business data, see Configure business data search.

See Also
Chapter overview: Plan for business intelligence (http://technet.microsoft.com/en-us/library/cc262935.aspx)


Configure access to business data


In this section:
  Configure SSP administrator rights for the Business Data Catalog
  Configure access to the SSP pages
  Configure application definitions and single sign-on for the Business Data Catalog
  Configure data warehousing
  Configure permissions for business data

In Microsoft Office SharePoint Server 2007, the Business Data Catalog enables users to find and analyze business data and take effective actions directly from SharePoint sites that use business data. When configuring the Business Data Catalog, it is critical that you protect the security and integrity of the data in line-of-business applications. One of the most important ways to protect your data is to carefully enable access to data for users who can use it effectively, and to prevent access by other users. During planning for your deployment, you identify the purpose of your sites, the business applications associated with key business purposes, and the users who use each application. During deployment, you enable access to the groups of users identified during planning. To enable access to business data, you should:
  Configure Shared Services Provider (SSP) administrator rights for the Business Data Catalog.
  Configure access to the SSP pages.
  Configure single sign-on for the Business Data Catalog.
  Configure data warehouses for data security.
  Configure user permissions for business data.

Configure SSP administrator rights for the Business Data Catalog


SSP administrators must have permissions to both the Business Data Catalog service and the SSP administration pages for the Business Data Catalog. Use the following procedure to configure SSP administrator rights to the Business Data Catalog service.

Configure SSP administrator rights to the Business Data Catalog service

1. Open the administration page for the SSP. To open the administration page for the SSP, do the following:
   a. On the top navigation bar, click Application Management.
   b. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
   c. On the Manage this Farm's Shared Services page, there is a link to each SSP and links to the Web applications for each SSP. Click the link for the SSP that you want to open.
   You can also access the SSP by clicking the link to the SSP home page in the Quick Launch.

2. On the SSP home page, in the Business Data Catalog section, click Business Data Catalog permissions.

3. On the Manage Permissions: Business Data Catalog page, click Add Users/Groups.

4. On the Add Users/Groups: Business Data Catalog page, in the Choose Users section, enter the name or account of the user that you want to add.

5. In the Choose Permissions section, select one or more permissions for the user. For the main administrator of the Business Data Catalog, it is common to select all permissions.
   Edit: Select this permission to enable users to import application definitions and add, edit, or delete application definitions, business data types, and data fields for business data types.
   Execute: Select this permission to enable users to change the properties of business data.
   Select in Clients: Select this permission to enable the user to refer to business data types and fields in SharePoint lists, Web Parts, sites, and client applications.
   Set permissions: Select this permission to enable the user to configure permissions for other users.

6. Click Save.

Configure access to the SSP pages


SSP administrators who manage the Business Data Catalog must have access to the SSP pages for the Business Data Catalog. This access is in addition to the separate permissions to the Business Data Catalog service. To access the SSP home page, an account must be a member of the Site Collection Administrators group. By default, the account that set up the SSP is a member of the Site Collection Administrators group. For the first SSP in the initial deployment, that is the account that was used to install Office SharePoint Server 2007. If that same account is used to administer the SSP, no additional steps are necessary. In most organizations, SSP administration will be delegated to one or more additional users. The account used to set up the SSP can be used to add other accounts to the Site Collection Administrators group. Use the following procedure to configure access to the SSP pages.


Configure access to the SSP pages

1. Open the administration page for the SSP. To open the administration page for the SSP, do the following:
   a. On the top navigation bar, click Application Management.
   b. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm's shared services.
   c. On the Manage this Farm's Shared Services page, there is a link to each SSP and links to the Web applications for each SSP. Click the link for the SSP that you want to open.
   You can also access the SSP by clicking the link to the SSP home page in the Quick Launch.

2. On the SSP home page, click the Site Actions menu.

3. On the Site Actions menu, click Site Settings.

4. On the Site Settings page, in the Users and Permissions section, click Site collection administrators.

5. On the Site Collection Administrators page, in the Site Collection Administrators section, do the following:
   a. Type the name or account that you want to add to the Site Collection Administrators group.
   b. Click the Check Names icon. If the name or account is found in directory services, it will appear as a link in the text box.
   c. If the name or account was not found, or if you want to search for more users, click the Browse icon.
   d. In the Select People dialog box, in the Find box, type part or all of the user's name or account name, and then press Enter. All accounts that match appear in the text box.
   e. Select one or more accounts that you want to add, and then click Add.
   f. When you are done adding SSP administrators, click OK.

6. On the Site Collection Administrators page, click OK.

Configure application definitions and single sign-on for the Business Data Catalog
Line-of-business applications are added to the Business Data Catalog by importing application definitions authored in XML. In most scenarios, access to applications from a single account is accomplished by using the single sign-on (SSO) feature of Office SharePoint Server 2007. SSO maps permissions from external data sources, including line-of-business applications, to permissions in Office SharePoint Server 2007. This enables a user to access multiple data sources, regardless of platform or authentication requirements, without having to re-enter credentials for each system, and so makes data easier to use and share without sacrificing security.

The Business Data Catalog is only one of several features and services that take advantage of SSO. SSO is also used by Excel Services in Microsoft Office SharePoint Server 2007, by InfoPath Forms Services, and by a variety of Web Parts, lists, and search features that access external data sources. With SSO, all of these data sources can be accessed securely by using a single sign-on.

The Business Data Catalog relies on application definitions to translate the data types and fields of data sources into metadata that is useful in sites and applications that use Office SharePoint Server 2007. The SSP administrator for the Business Data Catalog, or a Web designer, authors the XML file for the application definition, which includes authentication information and the business data types and fields in the planned business data schema. The SSP administrator then imports the application definition into the Business Data Catalog. The data can then be viewed and analyzed in SharePoint sites to improve business data collaboration and business intelligence.

To use SSO for applications in the Business Data Catalog, the farm administrator must configure SSO on the server farm. Then, the farm administrator must create enterprise application definitions for each line-of-business application that match the separate application definitions already imported into the Business Data Catalog. By the end of server farm configuration of SSO, enterprise application definitions should exist for all of the line-of-business applications in the Business Data Catalog. The administrator of the Business Data Catalog should work closely with farm administrators to ensure that the necessary application definitions are created. For more information about the configuration of SSO on the server farm, see Configure single sign-on.

After SSO is configured on the server farm and enterprise application definitions have been created for the line-of-business applications that will be added to the Business Data Catalog, the administrator of the Business Data Catalog imports the application definitions into the Business Data Catalog. Then, you can import the business data types and fields for those applications. For more information about importing application definitions, see Register business applications in the Business Data Catalog. For more information about managing single sign-on, see Central Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx).

Configure data warehousing


While it is possible to enable access directly to your line-of-business applications, you might choose to copy a relevant subset of data from the application to a data warehouse. This protects more sensitive data by keeping it accessible to a small number of people on a relatively isolated server, while the data more useful for collaboration and business intelligence across your organization is copied to a server to which a broader number of people have direct access. You might also want to limit the load on your line-of-business application server by using the copied data, and limit direct access to the application to business data actions designed to update data based on analysis and business intelligence. This practice decreases the freshness of the data displayed in SharePoint lists and sites, and creates a greater need to ensure data normalization during regular operations.

During planning for your deployment, you considered these trade-offs, and identified the data that you want to copy to a data warehouse. To copy data from a line-of-business application to a data warehouse, follow the procedures for copying the data relevant to the particular application. When you configure the connections to business applications, use the location of the business data warehouse instead of the line-of-business application. When configuring business data actions that are intended to update the underlying data, you will have to separately configure access to the business data application.

Configure permissions for business data


After you have configured administrator permissions, you will register business data applications in the Business Data Catalog. For more information about registering applications and importing business data types and properties, see Register business applications in the Business Data Catalog. To use the data from the applications registered in the Business Data Catalog, you must then configure SharePoint permissions for groups of users that collaborate on projects that use business data. Use the following procedure to configure permissions for business data.

Configure permissions for business data

1. On the SSP home page, in the Business Data Catalog section, click Business Data Catalog permissions.

2. On the Manage Permissions: Business Data Catalog page, click Add Users/Groups.

3. On the Add Users/Groups: Business Data Catalog page, in the Choose Users section, enter the name or account of the user that you want to add.

4. In the Choose Permissions section, select one or more permissions for the user.
   Edit: Select this permission to enable users to import application definitions and add, edit, or delete application definitions, business data types, and data fields for business data types.
   Execute: Select this permission to enable users to change the properties of business data.
   Select in Clients: Select this permission to enable the user to refer to business data types and fields in SharePoint lists, Web Parts, sites, and client applications.
   Set permissions: Select this permission to enable the user to configure permissions for other users.

5. Click Save.


See Also
Register business applications in the Business Data Catalog
Customize business data lists, Web Parts, and sites
Configure business data search
Plan for business intelligence (http://technet.microsoft.com/en-us/library/cc262935.aspx)


Register business applications in the Business Data Catalog


In this section:
  Create application definitions
  Import application definitions
  Configure enterprise application definitions for single sign-on
  Configure business data types and fields

Before you can use data from any line-of-business application in Microsoft Office SharePoint Server 2007, you must register that information in the Business Data Catalog. The Business Data Catalog is the service that manages connections among line-of-business applications and the SharePoint lists, Web Parts, and sites that use data from those applications. To register line-of-business applications in the Business Data Catalog, you should:
  Create application definitions for each application or database in your organization. Application definitions contain connection settings, authentication mode, and definitions for the business data types and properties imported for a particular application.
  Import application definitions to the Business Data Catalog.
  Configure single sign-on (SSO) enterprise application definitions for applications that will be using SSO.
  Configure business data types and the fields for each business data type.

After completing these steps for each line-of-business application in your organization, you can then use the data from applications in SharePoint lists, Web Parts, and business data-enabled sites such as business dashboards and the Report Center site. Data can also be imported for use in user profiles or used in enterprise search to find business data.

Create application definitions


An application definition is a file that describes a database or Web service. An application definition includes the following information:
  Connection settings
  Authentication mode
  Definitions of business data types
  Other information, depending upon the application

Application definitions are XML files that are authored by Business Data Catalog administrators or Web designers who understand the business data schema established in the plan for business data. During deployment, an application definition is created for each line-of-business application. For each application, the business data types (also known as entities) and the properties for each entity are defined within the application definition file according to the schema. The application definition files can be imported into the Business Data Catalog, and can be exported as a backup for disaster recovery scenarios. For more information about authoring application definitions, see the Microsoft Office SharePoint Server 2007 Software Development Kit (SDK).

Import application definitions


To use application definitions in the Business Data Catalog, you must import the application definitions. During initial deployment, you can add newly created application definitions for each line-of-business application. During regular operations, you will have to export your existing application definitions before importing them to ensure that you do not overwrite a new application definition with one that is out of date. Because application definitions include security settings, it is important that you always ensure that you are updating the correct version of any application definition so that your security settings are retained. Use the following procedure to import an application definition.

Import an application definition

1. On the SSP home page, in the Business Data Catalog section, click Import application definition.

2. On the Import Application Definition page, in the Application Definition section, enter the location of the application definition.

3. In the File Type section, select the type of application definition to import.
   Note: The author of the application definition file should know the file type for the application definition. If you don't know the file type, use the default option.

4. In the Resources to import section, select the resources to import.
   Select Localized Names to import names for business data fields in multiple languages.
   Select Properties to import properties from the application definition.
   Select Permissions to import permissions from the application definition.

5. Click Import.

Configure enterprise application definitions for single sign-on


If you are using SSO to access line-of-business applications, you must configure SSO for your line-of-business applications. For more information about configuring SSO for the Business Data Catalog, see Configure access to business data, or see Configure single sign-on. Server farm administrators create enterprise application definitions for line-of-business applications and other data sources.


Use the following procedure to create an enterprise application definition.

Create an application definition

1. In Central Administration, on the top navigation bar, click Operations.

2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.

3. On the Manage Settings for Single Sign-On page, click Manage settings for enterprise application definitions.

4. On the Manage Enterprise Application Definitions page, click New Item.

5. On the Create Enterprise Application Definition page, in the Application and Contact Information section, in the Display name box, type the name that is displayed to users.

6. In the Application name box, type the name that Web Parts use to refer to the enterprise application definition. Single sign-on components use the application name to specify which enterprise application definition to use. This name should match the name used in the application definition in the Business Data Catalog.

7. In the Contact e-mail address box, type the e-mail address that users can contact for the enterprise application.

8. In the Account type section, select one of the following:
   a. Group. Select this option if users will connect to the enterprise application through a group account. If you select this option, you need to configure account information for the application definition.
   b. Individual. Select this option if each user has an account in the application definition.
   c. Group using restricted account. Select this option if users will connect to the enterprise application through a group that uses a restricted account. If you select this option, credentials are stored separately from regular credentials and a different API is used to access the credentials. Select this option only when all of the following are true:
      The account is a group account.
      An intermediary application such as the Business Data Catalog imposes further security restrictions.
      The data is highly sensitive.

9. In the Authentication type section, select the Windows authentication check box.
   Warning: If Windows authentication is not used, the logon credentials are not encrypted.

10. In the Logon Account Information section, configure each of the Field boxes for soliciting required logon information from users. Selecting Yes for Mask hides the text typed by the user. This helps to keep sensitive information such as passwords secret.

11. Click OK.


Administrators for the Business Data Catalog should work closely with farm administrators to ensure that the necessary application definitions are created that correspond to the configuration plans for the Business Data Catalog.

Configure business data types and fields


The business data types (also known as entities) and the fields for each business data type are included and defined in the application definition file. Application definitions created according to the business data schema will already be properly configured. However, some further configuration might still be necessary:
  If the business data schema changes during the process of deployment, you might have to update entities and fields for existing applications. These changes are made by changing and re-importing the application definition file.
  If you want to change the list of people with access to a particular application or entity, you can configure permissions in the Business Data Catalog.
  If you plan additional business data actions for one or more entities, you can configure the business data actions in the Business Data Catalog.
  If you want to change how business data profiles appear, you can edit the profile page template.

To add or edit fields for existing business data types or to import new business data types, you must edit the application definition file.

Manage permissions for an application or entity


Use the following procedure to manage permissions for an application or entity.

Manage permissions for an application or entity

1. On the SSP home page, in the Business Data Catalog section, click View applications or View entities.

2. On the Business Data Catalog Applications or Business Data Catalog Entities page, click the application or entity that you want to manage.

3. On the View Application or View Entity page, click Manage Permissions.

4. On the Manage Permissions page, click Add Users/Groups to add users and groups.

5. On the Add Users/Groups page, in the Choose Users section, enter the new users and groups that you want to add.

6. In the Choose Permissions section, select the permissions that you want for the users and groups.

7. Click OK.

8. To remove users or groups, on the Manage Permissions page, select the check boxes for the users and groups that you want to remove, and then click Remove Selected Users.

9. To modify the permissions of selected users, click Modify Permissions of Selected Users.

10. On the Modify Permissions page, in the Choose Permissions section, select the permissions that you want for the user or group.

11. Click OK.

12. To copy permissions for an application to all entities for that application, or to copy permissions for an entity to all child entities, click Copy all permissions to descendants, and then click OK in the dialog box that appears.

For more information about Business Data Catalog permissions, see Configure access to business data.
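Because this book refers the authoring details to the SDK, here is an added, constructed illustration (not code from this book or from the product) of what an application definition carries and how the rights configured in the procedures under Configure access to business data, Import application definitions and Manage permissions for an application or entity appear inside the file. The Python script embeds a made-up definition for a fictitious "ContosoCrm" database, a second copy standing in for the export taken before an import, and three checks a reviewer can run offline before clicking Import: which principal holds which BDC right at application and entity scope, whether an instance using the Credentials authentication mode names an SsoApplicationId (the property that carries the application name of the matching enterprise application definition), and which rights the new file would add or remove relative to the exported copy. Element and property names follow the BDC application definition schema documented in the SDK and should be checked against it; the broad-principal list and the ContosoCrm, bdcadmin, SalesAnalysts and crm-dw.contoso.example names are assumptions made for the example.

```python
"""Offline audit of a Business Data Catalog application definition before import.
Added example, not code from this book or from SharePoint; see the lead-in for assumptions."""
import xml.etree.ElementTree as ET

NS = {"bdc": "http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"}
# Principals considered too broad to hold administrative BDC rights (assumed local policy).
BROAD_PRINCIPALS = {"everyone", "nt authority\\authenticated users"}
ADMIN_RIGHTS = {"Edit", "SetPermissions"}

# Constructed sample of the file about to be imported. Two settings are deliberately
# questionable: Authenticated Users holds SetPermissions, and AuthenticationMode=Credentials
# has no SsoApplicationId naming the enterprise application definition to look up.
NEW_DEFINITION = """<LobSystem xmlns="http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog" Type="Database" Version="1.0.0.1" Name="ContosoCrm">
  <AccessControlList>
    <AccessControlEntry Principal="CONTOSO\\bdcadmin">
      <Right BdcRight="Edit"/><Right BdcRight="Execute"/><Right BdcRight="SelectableInClients"/><Right BdcRight="SetPermissions"/>
    </AccessControlEntry>
    <AccessControlEntry Principal="NT AUTHORITY\\Authenticated Users">
      <Right BdcRight="Execute"/><Right BdcRight="SetPermissions"/>
    </AccessControlEntry>
  </AccessControlList>
  <LobSystemInstances>
    <LobSystemInstance Name="ContosoCrmInstance">
      <Properties>
        <Property Name="AuthenticationMode" Type="System.String">Credentials</Property>
        <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
        <Property Name="RdbConnection Data Source" Type="System.String">crm-dw.contoso.example</Property>
      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>
  <Entities>
    <Entity Name="Customer">
      <AccessControlList>
        <AccessControlEntry Principal="CONTOSO\\SalesAnalysts">
          <Right BdcRight="Execute"/><Right BdcRight="SelectableInClients"/>
        </AccessControlEntry>
      </AccessControlList>
    </Entity>
  </Entities>
</LobSystem>
"""

# Constructed sample of the copy exported before the import; it differs in exactly two places.
OLD_DEFINITION = NEW_DEFINITION.replace(
    '<Right BdcRight="Execute"/><Right BdcRight="SetPermissions"/>', '<Right BdcRight="Execute"/>'
).replace(
    '<Property Name="DatabaseAccessProvider"',
    '<Property Name="SsoApplicationId" Type="System.String">ContosoCrm</Property>\n'
    '        <Property Name="DatabaseAccessProvider"',
)


def _acl(parent):
    """{principal: set of BdcRight values} for the AccessControlList directly under `parent`."""
    acl = {}
    for ace in parent.findall("bdc:AccessControlList/bdc:AccessControlEntry", NS):
        acl[ace.get("Principal")] = {r.get("BdcRight") for r in ace.findall("bdc:Right", NS)}
    return acl


def parse_definition(xml_text):
    """Reduce an application definition to the parts that matter for an access review."""
    root = ET.fromstring(xml_text)
    instances = {}
    for inst in root.findall("bdc:LobSystemInstances/bdc:LobSystemInstance", NS):
        props = {p.get("Name"): (p.text or "").strip() for p in inst.findall("bdc:Properties/bdc:Property", NS)}
        instances[inst.get("Name")] = props
    entities = {e.get("Name"): _acl(e) for e in root.findall("bdc:Entities/bdc:Entity", NS)}
    return {"name": root.get("Name"), "acl": _acl(root), "instances": instances, "entities": entities}


def audit(defn):
    """Findings a reviewer should clear before importing the definition."""
    findings = []
    for inst_name, props in defn["instances"].items():
        mode = props.get("AuthenticationMode", "")
        if mode in ("Credentials", "WindowsCredentials") and not props.get("SsoApplicationId"):
            findings.append(f"{inst_name}: AuthenticationMode={mode} but no SsoApplicationId, "
                            "so no enterprise application definition can be matched")
        if mode == "RevertToSelf":
            findings.append(f"{inst_name}: RevertToSelf connects as the application pool identity "
                            "for every user; access control then rests entirely on BDC rights")
    scopes = [(defn["name"], defn["acl"])] + list(defn["entities"].items())
    for scope, acl in scopes:
        for principal, rights in acl.items():
            held = rights & ADMIN_RIGHTS
            if principal.lower() in BROAD_PRINCIPALS and held:
                findings.append(f"{scope}: broad principal {principal!r} holds {sorted(held)}")
    return findings


def diff_acl(old, new):
    """(scope, principal, rights gained, rights lost) between the exported and the new copy."""
    old_scopes = {old["name"]: old["acl"], **old["entities"]}
    new_scopes = {new["name"]: new["acl"], **new["entities"]}
    changes = []
    for scope in sorted(set(old_scopes) | set(new_scopes)):
        before, after = old_scopes.get(scope, {}), new_scopes.get(scope, {})
        for principal in sorted(set(before) | set(after)):
            gained = after.get(principal, set()) - before.get(principal, set())
            lost = before.get(principal, set()) - after.get(principal, set())
            if gained or lost:
                changes.append((scope, principal, sorted(gained), sorted(lost)))
    return changes
```

Run `audit(parse_definition(NEW_DEFINITION))` to list the two findings and `diff_acl(parse_definition(OLD_DEFINITION), parse_definition(NEW_DEFINITION))` to see that the only permission change is SetPermissions being granted to Authenticated Users at application scope. Because Copy all permissions to descendants pushes application-level rights down to every entity, the application-scope ACL deserves the closest review.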

Add business data actions for an entity


Use the following procedure to add business data actions for an entity.

Add business data actions for an entity

1. On the SSP home page, in the Business Data Catalog section, click View entities.

2. On the Business Data Catalog Entities page, click the entity that you want to edit.

3. On the View Entity page, in the Actions list, click Add Action.

4. On the Add Action page, in the Name section, type a name for the action in the Action Name text box.

5. In the URL section, in the Navigate to this URL text box, type the URL that will appear in the browser when this action is selected.

6. To assign properties and add them as parameters to the URL:
   a. In the URL Parameters section, click the Add Parameter button.
   b. Select a parameter from the drop-down list that appears.
   c. To remove a parameter, click the Remove button next to the parameter that you want to remove.
   Note: Properties assigned to parameters are sent to the target URL and can be processed by business data Web Parts on that page, such as filter Web Parts.

7. In the Icon section, to use a standard icon, select Standard icon, and then click the standard icon that is relevant for this action.

8. To use a custom icon, in the Icon section, select The image at this URL, and then type the URL of the image.

9. Click OK.


Edit the profile page template


Use the following procedure to edit the profile page template.

Edit the profile page template

1. On the SSP home page, in the Business Data Catalog section, click Edit profile page template.

2. On the profile template page, click Site Actions, and then click Edit Page.

3. In Edit Mode, add and modify Web Parts according to the planned template.
   Note: To view business data profiles in a complex business dashboard, you can replace the default profile page template with the dashboard page template, and then modify the new template. This enables you to use key performance indicators, filters, and other tools for business intelligence and analysis directly from business data profiles.


Customize business data lists, Web Parts, and sites


In this section:
  Create business data lists
  Create KPIs and KPI lists
  Create and configure reports in the Report Center site
  Create and configure dashboard sites
  Create other business data sites

After configuring access to business data and registering applications in the Business Data Catalog, business data is available for use in lists, Web Parts, and sites in your deployment. The initial creation and customization of lists, Web Parts, and sites is performed by site administrators, designers, and contributors. While these tasks are daily operations for different users, and not the responsibility of IT professionals, it is important to set up key lists, Web Parts, and sites as part of an initial deployment of Microsoft Office SharePoint Server 2007.

The relevant customization tasks during deployment include:
- Creating SharePoint lists that use business data, which can then be used by business data Web Parts and by sites that use business data.
- Creating key performance indicators (KPIs) based on business data lists, other SharePoint lists, Excel workbooks, or data sources made available in data connection libraries.
- Creating reports and adding KPI lists and business data lists to the Reports Library of the Report Center site or any site that uses the Report Center template.
- Creating and configuring dashboard sites in the Report Center site.
- Creating additional Report Center sites and other sites that use business data.

Create business data lists


Business data lists are any SharePoint lists that include business data. The data is imported from properties of line-of-business applications registered in the Business Data Catalog. Business data lists are typically stored in document libraries for sites related to the applications that are the source of the data, and can also be used to configure business data Web Parts that are used in sites, such as personalization sites and the Report Center site.

Use the following procedure to create a business data list.

Create a business data list

1. In the Quick Launch, click Lists.
2. On the All Site Content page in the list view, click Create to create a custom list, or click the link to an existing list.
3. On the list page, on the Settings menu, click Create Column.
4. On the Create Column page, in the Name and Type section, type a name and then select the Business data check box.
5. In the Additional Column Settings section, select the business data type and field that contains the data you want to add to the list.
6. To display the action menu for the selected business data type, click Display the actions menu.
7. To link the column to the business data profile for the type, click Link this column to the profile page.
8. Click OK.

You can add as many business data columns as you want. For more information about business data lists, see the User's Guide.

Create KPIs and KPI lists


KPIs provide a quick graphical indication of the state of a key business process. A KPI calculates a single value based on a range of data from one of several sources, and then tests that value against a value that represents progress toward a business goal. For each KPI planned in your initial configuration, you create a KPI list. Then, you add one or more KPIs to the list, grouping KPIs for related business processes. For organizational purposes, each KPI list is typically created and stored in the site that will display the KPIs, such as the Reports Library of a Report Center site.

Use the following procedure to create KPIs and KPI lists.

Create KPIs and KPI lists

1. On the Quick Launch, click Lists.
2. On the All Site Content page, click Create.
3. On the Create page, in the Custom Lists section, click KPI list.
4. On the New page, in the Name and Description section, type a name and description.
5. In the Navigation section, click Yes if you want the KPI list to be visible on the Quick Launch.
6. Click Create.
7. On the KPI list page, click the New menu, and then click the type of indicator that you want to add. You can use data from a SharePoint list, an Excel workbook, a SQL Server 2005 Analysis Services cube from a data connection library, or from a manual list of values.
8. On the New Item page, enter values for the relevant properties.

For more information about creating and configuring KPIs, see the User's Guide.


Create and configure reports in the Report Center site


For business data lists and KPI lists that are based on data from the Business Data Catalog and that you plan to use in the Report Center site, you can create the lists in the Reports Library of the Report Center site. These lists can then be used in dashboards for the Report Center site. In the Report Center site, you can also create reports based on Excel data.

Use the following procedure to create a report.

Create a report in the Report Center site

1. In the Reports Library, click the New menu, and then click Report.
2. On the Reports Library: Report page, enter properties for the report, and then click OK.
3. In the Reports Library, click the menu for the report, and then click Edit in Microsoft Office Excel to add data to the report.

During deployment, you will only add the key reports that you identified during planning. The other reports can be added by users during normal operations. For more information about using reports to display Excel data, see C. Configure Excel Services.

Create and configure dashboard sites


Dashboard sites are configured by adding and configuring the relevant Web Parts. Dashboard sites use filter Web Parts to provide both automatic and user-selected filtering of data displayed in KPI List Web Parts and Excel workbooks. In some cases, they may also include business data Web Parts. Each filter is connected to the Web Parts it filters by the site administrator. Dashboard sites can be created from the Report Center site, or from any site that is created by using the Report Center template.

KPI List Web Parts are used to display either a list of several KPIs for your organization, or the details of a single KPI from a KPI list. Excel Web Access Web Parts are used to display information from Excel workbooks. Business data Web Parts can be used to display data from line-of-business applications, by using a business data list that includes data from the relevant applications.

Use the following procedure to create and configure a dashboard site.

Create and configure a dashboard site

1. On the home page of the site, in the Quick Launch, click Reports to open the Report Center site.
   Note: If your site template does not include a Report Center site, you must first create a site by using the Report Center template, and then open that site.
2. On the home page of the Report Center site, in the Quick Launch, click Dashboards to open a list of dashboards in the Reports Library page of the Report Center site.
3. On the Reports Library page, click the New menu, and then click Dashboard Page.
4. On the New Dashboard page, in the Page Name section, provide a name, title, and description for the dashboard site.
5. In the Key Performance Indicator section, select Allow me to select an existing KPI later.
   Note: Alternatively, you can select Create a KPI list for me automatically, and then configure the KPI list later.
6. Click OK.
7. On the Dashboard page, in the Site Actions menu, click Edit Page.
8. For the Web Part Page zone in which you want to add a Web Part, click Add a Web Part.
9. On the Add Web Parts Web page, in the Suggested Web Parts section, select the check box for the type of Web Part you want to add, and then click Add.
10. To configure the Web Part, click the Edit menu, and then click Modify Shared Web Part.

For more information about the configuration options for Business Data Web Parts, see Plan business data Web Parts (http://technet.microsoft.com/en-us/library/cc261941.aspx).

Use the following procedure to configure filter Web Parts.

Configure filter Web Parts

1. On the Add Web Parts Web page, select the check box for the filter Web Part that you want to add, and then click Add.
2. On the filter Web Part, click Edit, point to Connections, and then select the Web Part to connect to the filter.

For more information about the configuration options for filter Web Parts, see Plan dashboards and filters (http://technet.microsoft.com/en-us/library/cc262682.aspx). For more information about configuring Excel Web Access Web Parts, see Chapter overview: Configure Excel Services.

Create other business data sites


Business data Web Parts and KPI List Web Parts can be used in any site. Site administrators can add business data to personalization sites so that each person views a personalized view of the data in each Web Part. KPIs for key business processes are often available on portal home pages, or pages in the Search Center site organized around business data. Refer to your site hierarchy plan for your initial deployment, and add business data and KPI Web Parts for each relevant site.


See Also
B. Configure business intelligence features
Plan business data lists (http://technet.microsoft.com/en-us/library/cc261850.aspx)
Plan business data Web Parts (http://technet.microsoft.com/en-us/library/cc261941.aspx)
Plan key performance indicators (http://technet.microsoft.com/en-us/library/cc263321.aspx)
Plan reports (http://technet.microsoft.com/en-us/library/cc263506.aspx)
Plan business data actions (http://technet.microsoft.com/en-us/library/cc262684.aspx)
Plan dashboards and filters (http://technet.microsoft.com/en-us/library/cc262682.aspx)


Configure business data search


In this section:
- Ensure availability of business data
- Configure and crawl business data content sources
- Configure and customize query options for business data

Administrators of the search service and administrators of individual site collections must configure several options before business data is available in search results. To make business data available for search, you should:
- Ensure that the data you want users to find is available in the Business Data Catalog, and ensure that users have the intended permissions.
- Configure and crawl business data content sources.
- Configure and customize query options for business data.

Most of these tasks are performed by the administrator of the search shared service or by the administrator of the Business Data Catalog. Some tasks are performed by site collection administrators. Both shared services administrators and site collection administrators will help plan search for business data.

Ensure availability of business data


Users can only search for business data for line-of-business applications if it is available in the Business Data Catalog, and only if users have the intended permissions. The Shared Services Provider (SSP) administrator for the Business Data Catalog must configure access to business data and register business data types and properties for all line-of-business applications that use the SSP. For more information on configuring access to business data, see Configure access to business data. For more information about registering line-of-business applications in the Business Data Catalog, see Register business applications in the Business Data Catalog.

Configure and crawl business data content sources


Business data, like any other content, can only be found during search queries if a content source has been created that includes a start address for the data. SSP administrators for the search service must create and configure all content sources for business data, based on the data identified during planning. When you add start addresses for business data, you must use a location that respects the security settings configured in the Business Data Catalog. For example, if the Business Data Catalog connects to a server containing a copy of data instead of the server that is running the line-of-business application, you must use the location of the copied data in the start address for the business data content source.

Use the following procedure to configure business data content sources.

Configure business data content sources

1. Create one or more content sources for the data in line-of-business applications, using one start address per application. Use a start address that respects your security configuration.
2. To use a crawling account other than the default content access account to crawl a particular business data start address, create a crawl rule for that start address. All content sources that include that start address will use that account.
3. To change how a particular start address is crawled, configure a crawl rule for that start address.
4. Crawl all business data content sources.
5. Some properties for business data might appear as crawled properties in the search schema. Based on search schema planning, select relevant properties in the Configure Search section of the Business Data Catalog and map them to managed properties for search. These properties will be available for use during search queries.
6. Crawl the content sources again to complete the mapping of managed properties.

Configure and customize query options for business data


After crawling business data content sources, the SSP administrator for the search service creates and configures shared search scopes for business data. Then site administrators create site search scopes and keywords, and configure relevance settings for queries performed on the sites that they manage. Both SSP administrators and site administrators configure query options based on decisions made during planning for the initial deployment. Many of these settings will be changed as part of regular operations, but it is helpful to configure the initial query options for your deployment of Office SharePoint Server 2007.

Use the following procedure to configure the initial query options.

Configure initial query options

1. Create shared search scopes for business data (SSP administrator).
2. Create site-specific search scopes for business data (site administrators).
3. Configure keywords for business data (site administrators).
4. Configure relevance settings (site administrators).
5. Customize the Search Center tabs for business data.


See Also
Configure access to business data
Register business applications in the Business Data Catalog


C. Configure Excel Services




Chapter overview: Configure Excel Services


Configure Excel Services in Microsoft Office SharePoint Server 2007 to centrally manage user access to system resources and external databases. From the Central Administration Web application in Microsoft Office SharePoint Server 2007, you can configure the SharePoint document libraries, UNC paths, and HTTP Web sites from which Excel Calculation Services can open workbooks. You can also configure which external databases workbook authors are allowed to access. You can configure restrictions on the use of data connections, single sign-on (SSO) authentication, and the use of user-defined functions.

About Excel Services configuration


Trusted file locations: These are SharePoint document libraries, UNC paths, or HTTP Web sites that have to be explicitly trusted before Excel Calculation Services is allowed to access them. For more information, see Add a trusted file location.

Single sign-on: SSO enables authentication against external data sources without having to provide authentication credentials more than once. SSO authentication is required in a trusted subsystem environment. For more information, see Start the Single Sign-On service and Manage settings for single sign-on.

Trusted data providers: These are databases that reside outside of the Excel Services farm and that Excel Calculation Services is explicitly configured to trust when processing data connections in workbooks. Excel Calculation Services attempts to process a data connection only if the connection is to a database that has been added to the Excel Services trusted data providers list. For more information, see Add a trusted data provider.

Trusted data connection libraries: These are SharePoint document libraries that contain Office data connection (.odc) files that are used to manage workbook connections to trusted data providers. In the trusted subsystem model, front-end Web servers and application servers running Excel Calculation Services trust the accounts of the associated Office SharePoint Server 2007 applications. For more information, see Add a trusted data connection library.

User-defined functions: These are functions that enable users to extend the functionality of Excel Web Services. For more information, see Enable user-defined functions.

See Also
Plan Excel Services security (http://technet.microsoft.com/en-us/library/cc263086.aspx)


Add a trusted file location


In this section:
- About trusted file locations
- Add a trusted file location

About trusted file locations


In Microsoft Office SharePoint Server 2007, a trusted file location is a SharePoint document library, a UNC path, or an HTTP Web site that is configured as a trusted repository for workbooks that Excel Calculation Services can access. Excel Calculation Services opens workbooks that are stored in trusted file locations only. If you are planning to use a new SharePoint document library as a trusted file location for Excel Services in Microsoft Office SharePoint Server 2007, create the new document library on a SharePoint site. To create the new document library, click the Site Actions menu, select Create, and then click Document Library. On the New page, type a name for the new document library and click Create.

Add a trusted file location


Use the following procedure to add a trusted file location.

Add a trusted file location

1. From Administrative Tools, open the SharePoint Central Administration Web application.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the Office SharePoint Server 2007 Shared Services section, click Create or Configure this Farm's Shared Services.
4. On the Manage this Farm's Shared Services page, click SharedServices1 (Default). This is the Shared Services Provider (SSP) that you will configure.
5. On the Shared Services home page, in the Excel Services Settings section, click Trusted file locations.
6. On the Excel Services Trusted File Locations page, click Add Trusted File Location.
7. In the Address section, type the location and name of the Office SharePoint Server 2007 document library that you want to add as a trusted file location in Excel Services. If the document library is stored in the Windows SharePoint Services 3.0 content database, ensure that Windows SharePoint Services 3.0 is selected as the Location Type.
8. In the External Data section, select the type of data connections that you will allow workbooks in this trusted file location to contain, and then click OK.

In the External Data section, you can determine whether workbooks stored in trusted file locations and opened in Excel Calculation Services sessions can access an external data source. You can set Allow External Data to None, Trusted data connection libraries only, or Trusted data connection libraries and embedded. If you select either Trusted data connection libraries only or Trusted data connection libraries and embedded, the workbooks stored in the trusted file locations are allowed to access external data sources. External data connections can be accessed only when they are embedded in or linked from a workbook. Excel Calculation Services checks the list of trusted file locations before opening a workbook. If you select None, Excel Calculation Services blocks any attempt to access an external data source. If you manage data connections for a large number of workbook authors, you might want to select Trusted data connection libraries only.

For information about how to perform this procedure by using the Stsadm command-line tool, see Add-ecsfiletrustedlocation (http://technet.microsoft.com/en-us/library/cc262818.aspx).

See Also
Add a trusted data connection library


Start the Single Sign-On service


In this section:
- About single sign-on authentication
- Start the Single Sign-On service

About single sign-on authentication


In Microsoft Office SharePoint Server 2007, single sign-on (SSO) authentication enables users to access multiple system resources without having to provide authentication credentials more than once. Office SharePoint Server 2007 implements SSO authentication by including a Windows service and a secure credentials database. To authenticate a data connection in a workbook against an external data source, you can configure Excel Calculation Services to retrieve authentication credentials from an SSO store. To enable SSO functionality for Office SharePoint Server 2007, you need to start the Microsoft Single Sign-On service and then manage SSO settings in the SharePoint Central Administration Web application.

Start the Single Sign-On service


Use the following procedure to start the Single Sign-On service.

Start the Single Sign-On service

1. From Administrative Tools, click Services.
2. Double-click Microsoft Single Sign-On Service.
3. On the Log On tab of the Single Sign-On Service Properties page, click This account, and then type the domain, user name, and password that you have used to install and manage your server.
4. Click Apply.
5. On the General tab of the Single Sign-On Service Properties page, change the startup type to Automatic, click Start, and then click OK.

Note: Start the Single Sign-On service on all front-end Web servers and all application servers in your farm that run Excel Calculation Services.

See Also
Manage settings for single sign-on


Manage settings for single sign-on


In this section:
- About single sign-on settings
- Manage single sign-on settings

About single sign-on settings


Excel Services in Microsoft Office SharePoint Server 2007 supports three data authentication methods: Integrated Windows authentication, single sign-on (SSO) authentication, and None. Imagine a data connection in a workbook opened in an Excel Calculation Services application server that uses stored credentials for authentication against an external data source. In this scenario, Excel Calculation Services has to retrieve valid credentials from an SSO authentication database, and then use the credentials to authenticate against a data source before the data connection can be established. To enable SSO functionality for Microsoft Office SharePoint Server 2007, you need to start the Microsoft Single Sign-On service, and then manage SSO settings in the SharePoint Central Administration Web application.

Manage single sign-on settings


Use the following procedure to manage SSO settings.

Manage SSO settings

1. From Administrative Tools, open the SharePoint Central Administration Web application.
2. On the Central Administration home page, click Operations.
3. In the Security Configuration section, click Manage settings for single sign-on.
4. On the Manage Settings for Single Sign-On page, click Manage server settings.
5. In the Account Name box for the SSO Administrator account, type the same domain and user name that you used to configure the Single Sign-On service. If the user name you used to configure the Single Sign-On service is a member of a Windows security group, you can type the name of the Windows security group instead of a user name.
6. In the Enterprise Application Definition Administrator Account box, type the same domain and user name that you used to configure the Single Sign-On service.

See Also
Start the Single Sign-On service



Add a trusted data provider


In this section:
- About trusted data providers
- Add a trusted data provider

About trusted data providers


Trusted data providers are external databases that Excel Calculation Services is explicitly configured to trust when processing data connections in workbooks. Excel Calculation Services attempts to process a data connection only if the connection is to a trusted data provider. You can control access to external data by explicitly defining the data providers that are trusted and recording them in the list of trusted data providers. The list of trusted data providers designates specific external data providers to which workbooks opened in Excel Calculation Services are permitted to connect. Before instantiating a data provider to enable a workbook to connect to an external data source, Excel Calculation Services checks the connection information to determine whether the provider appears on the list of trusted data providers. If the provider is on the list, a connection is attempted; otherwise, the connection request is ignored.

Add a trusted data provider


Use the following procedure to add a trusted data provider.

Add a trusted data provider

1. From Administrative Tools, open the SharePoint Central Administration Web application.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the Office SharePoint Server 2007 Shared Services section, click Create or Configure this Farm's Shared Services.
4. On the Manage this Farm's Shared Services page, click SharedServices1 (Default). This is the Shared Services Provider (SSP) that you will configure.
5. On the Shared Services home page, in the Excel Services Settings section, click Trusted data providers.
6. On the Excel Services Trusted Data Providers page, click Add Trusted Data Provider.
7. In the Provider ID section, type the identifier of the external database you want to add as a trusted data provider in Excel Services in Microsoft Office SharePoint Server 2007. Click OK.

For information about how to perform this procedure by using the Stsadm command-line tool, see Add-ecssafedataprovider (http://technet.microsoft.com/en-us/library/cc263293.aspx).

See Also
Add a trusted data connection library


Add a trusted data connection library


In this section:
- About trusted data connection libraries
- Add a trusted data connection library

About trusted data connection libraries


In Microsoft Office SharePoint Server 2007, a trusted data connection library is a data connection library from which you have determined that it is safe to access Office data connection (.odc) files. The .odc files are used to centrally manage connections to external data sources. Instead of allowing embedded connections to external data sources, Excel Calculation Services can be configured to require the use of .odc files for all data connections. The .odc files are stored in data connection libraries, and the data connection libraries have to be explicitly trusted before Excel Calculation Services will allow workbooks to access them. If a data connection is linked from a workbook that is accessed by a server running Excel Calculation Services, the server checks the connection information against the list of trusted data connection libraries. If the data connection library is on the list, a connection is attempted by using the .odc file from the data connection library; otherwise, the connection request is ignored.

Before you can configure a data connection library as a trusted data connection library for Excel Services in Microsoft Office SharePoint Server 2007, you must create a data connection library on a SharePoint site. To create a data connection library, click the Site Actions menu, select Create, and then click Data Connection Library. On the New page, type a name for the new data connection library and click Create.
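The three checks described here and in About trusted file locations and About trusted data providers combine into one allowlist decision per data connection. The following Python model of that decision is an added example, not Microsoft code and not part of this book; the portal URLs, UNC share, library address and provider IDs are constructed for illustration.

```python
"""Model of the Excel Calculation Services trust checks described in this chapter (added example, not Microsoft code)."""
from dataclasses import dataclass
from enum import Enum


class ExternalData(Enum):
    """The three values of Allow External Data on a trusted file location."""
    NONE = "None"
    DCL_ONLY = "Trusted data connection libraries only"
    DCL_AND_EMBEDDED = "Trusted data connection libraries and embedded"


@dataclass(frozen=True)
class TrustedFileLocation:
    address: str                # document library URL, UNC path or HTTP site
    include_children: bool      # also trust sub-folders and child libraries
    allow_external_data: ExternalData


@dataclass(frozen=True)
class DataConnection:
    provider_id: str   # Provider ID as registered under Trusted data providers
    source: str        # "embedded", or the address of the library holding the .odc


@dataclass(frozen=True)
class ExcelServicesPolicy:
    trusted_locations: tuple
    trusted_dcls: frozenset        # trusted data connection libraries
    trusted_providers: frozenset   # trusted data providers


def _norm(path: str) -> str:
    """Normalise URLs and UNC paths so comparisons ignore case and slash style."""
    return path.replace("\\", "/").rstrip("/").lower()


def find_trusted_location(policy, workbook):
    """Return the trusted file location covering the workbook, or None.
    A location covers workbooks stored directly in it, or anywhere below it
    when it was added with children included."""
    wb = _norm(workbook)
    for loc in policy.trusted_locations:
        addr = _norm(loc.address)
        if wb.rpartition("/")[0] == addr:
            return loc
        if loc.include_children and wb.startswith(addr + "/"):
            return loc
    return None


def evaluate_connection(policy, workbook, conn):
    """Return (allowed, reason) for one data connection in a workbook, applying
    the checks in the order the chapter describes: trusted file location first,
    then that location's Allow External Data setting, then the trusted data
    connection library list for .odc files, then the trusted data providers list."""
    loc = find_trusted_location(policy, workbook)
    if loc is None:
        return False, "workbook is not in a trusted file location; not opened"
    if loc.allow_external_data is ExternalData.NONE:
        return False, "Allow External Data is None for this location"
    if conn.source == "embedded":
        if loc.allow_external_data is not ExternalData.DCL_AND_EMBEDDED:
            return False, "embedded connection blocked; use an .odc from a trusted library"
    elif _norm(conn.source) not in {_norm(d) for d in policy.trusted_dcls}:
        return False, f"{conn.source} is not a trusted data connection library"
    if conn.provider_id not in policy.trusted_providers:
        return False, f"provider {conn.provider_id!r} is not a trusted data provider"
    return True, "connection attempted"


def audit_policy(policy):
    """List trusted file locations that still accept embedded connections, the
    setting the chapter suggests avoiding when many authors write workbooks."""
    return [loc.address for loc in policy.trusted_locations
            if loc.allow_external_data is ExternalData.DCL_AND_EMBEDDED]


# Constructed sample policy: a finance library limited to .odc files, and a UNC share that still allows embedded connections.
POLICY = ExcelServicesPolicy(
    trusted_locations=(
        TrustedFileLocation("http://portal/sites/finance/Reports", False, ExternalData.DCL_ONLY),
        TrustedFileLocation(r"\\fs01\workbooks", True, ExternalData.DCL_AND_EMBEDDED),
    ),
    trusted_dcls=frozenset({"http://portal/sites/finance/DataConnections"}),
    trusted_providers=frozenset({"SQLOLEDB", "MSOLAP"}),
)

if __name__ == "__main__":
    cases = [
        ("http://portal/sites/finance/Reports/Budget.xlsx",
         DataConnection("SQLOLEDB", "http://portal/sites/finance/DataConnections")),
        ("http://portal/sites/finance/Reports/2009/Budget.xlsx", DataConnection("SQLOLEDB", "embedded")),
        (r"\\fs01\workbooks\ops\Uptime.xlsx", DataConnection("MSDASQL", "embedded")),
    ]
    for wb, conn in cases:
        allowed, reason = evaluate_connection(POLICY, wb, conn)
        print(f"{wb} [{conn.source}] -> {'allowed' if allowed else 'blocked'}: {reason}")
    print("Locations allowing embedded connections:", audit_policy(POLICY))
```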

Add a trusted data connection library


Use the following procedure to add a trusted data connection library.

Add a trusted data connection library

1. From Administrative Tools, open the SharePoint Central Administration Web application.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the Office SharePoint Server 2007 Shared Services section, click Create or Configure this Farm's Shared Services.
4. On the Manage this Farm's Shared Services page, click SharedServices1 (Default). This is the Shared Services Provider (SSP) that you will configure.
5. On the Shared Services home page, in the Excel Services Settings section, click Trusted data connection libraries.
6. On the Excel Services Trusted Data Connection Libraries page, click Add Trusted Data Connection Library.
7. Type the address of the data connection library that you want to configure as a trusted data connection library, and then click OK.

For information about how to perform this procedure by using the Stsadm command-line tool, see Add-ecstrusteddataconnectionlibrary (http://technet.microsoft.com/en-us/library/cc261726.aspx).

See Also
Add a trusted file location


Enable user-defined functions


In this section:
- About user-defined functions
- Enable user-defined functions
- Enable user-defined functions for workbooks in a trusted file location

About user-defined functions


User-defined functions extend the capabilities of Excel Services in Microsoft Office SharePoint Server 2007 by enabling you to define and create custom functions. To enable this functionality, you need to configure Excel Services to support user-defined functions. To configure this support, you must enable user-defined functions on trusted file locations containing workbooks that require access to this functionality. In addition, you must register user-defined function assemblies on the Excel Services user-defined function assembly list.

Enable user-defined functions


Use the following procedure to enable user-defined functions.

Enable user-defined functions

1. From Administrative Tools, open the SharePoint Central Administration Web application.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the Office SharePoint Server 2007 Shared Services section, click Create or Configure this Farm's Shared Services.
4. On the Manage this Farm's Shared Services page, click SharedServices1 (Default). This is the Shared Services Provider (SSP) that you will configure.
5. On the Shared Services home page, in the Excel Services Settings section, click User-defined function assemblies.
6. On the Excel Services User-Defined Functions page, click Add User-Defined Function Assembly.
7. In the Assembly box, type the assembly strong name or the file path of the user-defined function assembly that you want to register.
8. In Assembly Location, perform the following actions:
   a. Select the global assembly cache (GAC) if you are deploying a user-defined function assembly to the GAC on each Excel Calculation Services application server in your farm.
   b. Select Local file if you want to save a user-defined function to a directory on an Excel Calculation Services application server (a local path), or to a network share (a UNC path).
   c. Ensure that the Enable Assembly check box is selected, and then click OK.

For information about how to perform this procedure by using the Stsadm command-line tool, see Add-ecsuserdefinedfunction (http://technet.microsoft.com/en-us/library/cc262904.aspx).

Enable user-defined functions for workbooks in a trusted file location


Use the following procedure to enable user-defined functions for workbooks in a trusted file location.

Enable user-defined functions for workbooks in a trusted file location

1. In the Excel Services section of the Shared Services Administration home page, click Trusted file locations.
2. On the Excel Services Trusted File Locations page, click the URL of the trusted file location whose properties you want to edit.
3. In the User-Defined Functions section of the Excel Services Edit Trusted File Location page, select User-defined functions allowed, and then click OK.

For information about how to perform this procedure by using the Stsadm command-line tool, see Add-ecsuserdefinedfunction (http://technet.microsoft.com/en-us/library/cc262904.aspx).


D. Configure InfoPath Forms Services




Configure InfoPath Forms Services for Office SharePoint Server


InfoPath Forms Services provides you with the ability to deploy your organization's forms to Microsoft Office SharePoint Server and enable users to fill out these forms using a Web browser. There are many ways you can configure InfoPath Forms Services depending on the needs of your organization. For example, by default, form templates deployed by non-administrators ("user form templates") can be opened in a browser, but you can disable this feature so that only administrator-approved templates are browser-enabled. You should configure InfoPath Forms Services before you begin to deploy form templates in order to avoid unexpected behavior. Before you begin to configure InfoPath Forms Services, you should read the planning articles in Plan Forms Services (http://technet.microsoft.com/en-us/library/cc262498.aspx) to ensure your configuration choices are aligned with the needs of your organization.

Configure InfoPath Forms Services using Central Administration


To configure InfoPath Forms Services, you will need to navigate to the Configure InfoPath Forms Services page in the SharePoint Central Administration Web site.

Configure InfoPath Forms Services

1. On the taskbar, click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
2. In the navigation bar, click the Application Management tab.
3. On the Application Management page, in the InfoPath Forms Services section, click Configure InfoPath Form Services.
4. On the Configure InfoPath Forms Services page, in the User Browser-enabled Form Templates section, you can choose settings that determine how user form templates are processed by InfoPath Forms Services.
   a. Select the Allow users to browser-enable form templates check box to allow users to deploy browser-enabled form templates.
   b. Select the Render form templates that are browser-enabled by users check box to allow browser-enabled form templates deployed by users to be rendered in a Web browser. If this option is not selected, users can still deploy browser-compatible form templates, but these form templates are not accessible through a Web browser.
5. In the Data Connection Timeouts section, specify default and maximum timeouts for data connections from a browser-enabled form. The connection timeout can be changed by code in the form template, but it will never exceed the maximum timeout specified.
   a. In the Default data connection timeout box, enter the time in milliseconds that will elapse before a data connection times out. The default timeout is 10000 milliseconds. You can override this setting with code within a form template that specifies the data connection timeout value.
   b. In the Maximum data connection timeout box, enter the maximum time in milliseconds that will elapse before a data connection times out. The default timeout is 20000 milliseconds. This is an absolute setting, and it overrides any data connection timeout values specified within form template code.
6. In the Data Connection Response Size section, type a value in kilobytes in the box to specify the maximum size of responses data connections are allowed to process. Data connection responses that exceed this value will generate an error message.
7. In the HTTP data connections section, select the Require SSL for HTTP authentication to data sources box to require an SSL-encrypted connection for data connections that use Basic authentication or Digest authentication. You must have configured Secure Sockets Layer (SSL) properly in order for this setting to function.
8. In the Embedded SQL Authentication section, select the Allow embedded SQL authentication box to allow forms to use embedded SQL credentials. Forms that connect to databases may embed SQL user name and password data in the connection string. The connection string can be read in plaintext in the universal data connection file associated with the solution, or in the solution manifest.
9. In the Authentication to data sources (user form templates) section, select the Allow user form templates to use authentication information contained in data connection files box to allow user form templates to use embedded authentication information such as an explicit user name and password or a Microsoft Single Sign-On application ID.
10. In the Cross-Domain Access for User Form Templates section, select the Allow cross-domain data access for user form templates that use connection settings in a data connection file box to allow user form templates to access data from another domain.
11. In the Thresholds section, specify the thresholds at which to end user sessions and log error messages. Form operations that exceed these thresholds will terminate the user session, resulting in the loss of all form data entered during the session, and generate an error message.
    a. In the Number of postbacks per form session state box, type the maximum number of postbacks you want to allow. The default value is 75.
    b. In the Number of actions per postback box, type the maximum number of actions per postback you want to allow. The default value is 200.
12. Before you configure form session state, you should read Configure session state for InfoPath Forms Services. Correct configuration of form session state requires that you understand how session state is configured for Office SharePoint Server, and it can dramatically affect the behavior of InfoPath Forms Services operations and system performance. Form session state stores data necessary to maintain a user session. File attachment data in the form will receive an additional 50 percent of session state space.

    Note: The default parameters should work for most scenarios. If you change the default settings, verify that form-filling sessions are working properly.

13. In the Form Session State section, configure the following parameters:
    a. In the Active sessions should be terminated after text box, type the maximum session duration in minutes. Form-filling sessions that exceed this value will terminate, an error message will be generated, and all form data entered during the session will be lost. The default value is 1440 minutes.
    b. In the Maximum size of form session state text box, type the maximum session state size in kilobytes. Form-filling sessions that exceed this value will terminate, an error message will be generated, and all form data entered during the session will be lost. The default value is 4096 kilobytes.
    c. In the Select the location to use for storing form session state section, choose from the following options:

       Choose this option                                      To do this
       Session State Service (best for low-bandwidth users)    Store session state data on the computer running Microsoft SQL Server.
       Form view (reduces database load on server)             Store session state data on the client computer. If form session state is larger than the value specified in the associated text box, the Session State Service will be used instead.

    d. In the associated text box, type the session state size in kilobytes at which form view will be automatically transitioned to the Session State Service. Once this threshold is reached, session state data will be saved to the SQL Server database, and the session will continue to use the Session State Service. The default value is 40 kilobytes.
14. Click OK to save your settings.

See Also

Configure session state for InfoPath Forms Services


Configure session state for InfoPath Forms Services


In this section:

Configure session state for Forms Services
Session state versus Form view

InfoPath Forms Services uses session state to store the large amount of transient data generated while filling out a form. As a result, front-end Web servers can remain stateless between round trips, and each postback is not burdened with carrying large amounts of session state information over narrow bandwidth pipes. Other methods of state management, such as in process, are not supported for farms with multiple front-end Web servers. Session state can only be used with Web applications that are associated with a Shared Services Provider (SSP). For more information about SSPs, see Plan Shared Services Providers (http://technet.microsoft.com/en-us/library/cc263276.aspx).

Note: In order for the session state database to be properly maintained, the SQL Agent must be turned on for the instance of Microsoft SQL Server where session data is stored. If the SQL Agent is not turned on, expired sessions are not automatically expunged from the session table and may eventually pose a storage problem.

Note: If you are deploying Microsoft Office SharePoint Server 2007 with Microsoft SQL Server 2005 Express Edition, such as in a single-server deployment, expired sessions must be expunged manually. SQL Server 2005 Express Edition does not include the SQL Agent, and it cannot run automated stored procedures.

Configure session state for Forms Services


You can configure session state settings such as state type and session thresholds for InfoPath Forms Services across the entire farm. If any of the thresholds are exceeded, the user's session is terminated, resulting in the loss of all form data, and an error is entered in the event log for the server. The error message shown to the user is "session has exceeded the amount of allowable resources." To configure form session state, see step 12 in Configure InfoPath Forms Services for Office SharePoint Server.

Session state versus Form view


You can configure InfoPath Forms Services to use the Session State service (the default option) or Form view (ASP.NET view state) to control how user sessions are managed. When you configure InfoPath Forms Services to use the Session State service, all browser sessions are maintained on the SQL Server database, which uses little network bandwidth, but has a cumulative performance impact on the computer running SQL Server. When you are using Form view, sessions are maintained on the client browser, and all session data is included in each postback to the server, up to 40 KB of session data. This approach uses more bandwidth than using session state does, but it does not affect the performance of the computer running SQL Server. Once session data reaches 40 KB in size, the session automatically transitions to session-state management.

We recommend the use of Form view in environments with smaller groups of users, because it reduces the impact on the computer running SQL Server. If your InfoPath Forms Services deployment will have many users, particularly if session data is below 40 KB for many high-usage form templates, session state is likely a better choice. If Form view is used, the bandwidth used by browser sessions of 40 KB or fewer can be monitored if there is a concern that network performance might be adversely affected.

See Also

Manage session state for Microsoft Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc263527.aspx)
Configure InfoPath Forms Services for Office SharePoint Server


E. Configure Office Project Server



Deploy Project Server 2007 with Office SharePoint Server 2007


Microsoft Office Project Server 2007 is the core of Microsoft Office Enterprise Project Management (EPM) Solutions. The Microsoft Office Enterprise Project Management (EPM) Solution allows you to effectively manage and prioritize projects and resources across your organization. With it, your teams can share knowledge, collaborate smoothly to complete tasks and deliverables, and adjust activities quickly to accommodate project changes and updates. And you can accurately assess your needs and effectively deploy resources across the organization. For more information about Office Project Server 2007 and EPM Solutions, see What's new in Office Project 2007 (http://technet.microsoft.com/en-us/library/cc197654.aspx).

Note: Additional information can be found in the Microsoft Office Enterprise Project Management Solution and Microsoft Office Project Server 2007 Product Guide (http://www.microsoft.com/office/preview/solutions/epm/guide.mspx).

You can easily install and configure Office Project Server 2007 on an existing Office SharePoint Server 2007 farm. For detailed information and procedures, see Deploy Project Server 2007 to an existing deployment of Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc197558.aspx).


IV. Perform additional configuration tasks



Chapter overview: Additional configuration tasks


After the initial installation and configuration of Microsoft Office SharePoint Server 2007, you can configure several additional settings. The configuration of additional settings is optional, but many key features are not available unless these settings are configured.

Configure additional administrative settings


To take full advantage of the administrative features and capabilities of Microsoft Office SharePoint Server 2007, perform the following optional administrative tasks by using SharePoint Central Administration:

Configure incoming e-mail settings
You can configure incoming e-mail settings so that SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-mail settings so that SharePoint sites can archive e-mail discussions as they happen, save e-mailed documents, and show e-mailed meetings on site calendars. In addition, you can configure the SharePoint Directory Management Service to provide support for e-mail distribution list creation and management. For more information, see Configure incoming e-mail settings.

Configure outgoing e-mail settings
You can configure outgoing e-mail settings so that your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and notifications to site administrators. You can configure both the "From" e-mail address and the "Reply" e-mail address that appear in outgoing alerts. You can also configure outgoing e-mail settings for all Web applications or for only one Web application. For more information, see Configure outgoing e-mail settings and Configure outgoing e-mail settings for a specific Web application.

Configure workflow settings
You can configure workflow settings to enable end users to create their own workflows by using code pre-generated by administrators. You can also configure whether internal users without site access can receive workflow alerts, and whether external users can participate in workflows by receiving copies of documents by e-mail. For more information, see Configure workflow settings.

Configure diagnostic logging settings
You can configure several diagnostic logging settings to help with troubleshooting. These include enabling and configuring trace logs, event messages, user-mode error messages, and Customer Experience Improvement Program events. For more information, see Configure diagnostic logging settings.

Configure single sign-on
You can configure single sign-on settings in the farm. Single sign-on enables you to connect to external data sources by using Excel Calculation Services or the Business Data Catalog. For more information, see Configure single sign-on.

Configure antivirus settings
You can configure several antivirus settings if you have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus settings allow you to control whether documents are scanned on upload or on download, and whether users can download infected documents. You can also specify how long you want the antivirus program to run before it times out, and you can specify how many execution threads the antivirus program can use on the server. For more information, see Configure antivirus settings.

You can use the following procedure to configure optional administrative settings using SharePoint Central Administration.

Configure administrative settings using SharePoint Central Administration

1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
2. On the SharePoint Central Administration home page, under Administrative Tasks, click the administrative task that you want to perform.
3. On the Administrative Tasks page, next to Action, click the task.


Configure incoming e-mail settings


In this section:

Install and configure the SMTP service
Configure Active Directory
Configure permissions to the e-mail drop folder
Configure DNS Manager
Configure attachments from Outlook 2003
Configure incoming e-mail settings
Configure incoming e-mail on SharePoint sites

Use this procedure to configure the incoming e-mail settings for Microsoft Office SharePoint Server 2007. The features of Office SharePoint Server 2007 that use incoming e-mail are not available until these settings are configured.

Before you configure incoming e-mail settings in Office SharePoint Server 2007, confirm that:

- You have read the topic Plan incoming e-mail (http://technet.microsoft.com/en-us/library/cc263260.aspx).
- One or more servers in your server farm are running the Internet Information Services (IIS) Simple Mail Transfer Protocol (SMTP) service, or you know the name of another server that is running the SMTP service. This server must be configured to accept relayed e-mail from the mail server for the domain.
- One or more servers in your server farm are running the Microsoft SharePoint Directory Management Service, or you know the name of another server that is running the SharePoint Directory Management Web Service.
- The application pool account for the SharePoint Central Administration Web site has the Create, delete, and manage user accounts right to the container in the Active Directory directory service.
- The application pool account for Central Administration, the logon account for the Windows SharePoint Services Timer service, and the application pool accounts for your Web applications have the correct permissions to the e-mail drop folder.
- The domain controller running Active Directory has a Mail Exchanger (MX) entry in DNS Manager for the mail server that you plan to use for incoming e-mail.

Note: All of these configuration steps are described in detail in the following sections.


Install and configure the SMTP service


Incoming e-mail for Office SharePoint Server 2007 uses the SMTP service. The SMTP service can be either installed on one or more servers in the farm, or administrators can provide an e-mail drop folder for e-mail forwarded from the service on another server. The drop folder option is not recommended because administrators of the other server can affect the availability of incoming e-mail by changing the configuration of SMTP, and because this requires the additional step of configuring permissions to the e-mail drop folder. If a drop folder is not used, the SMTP service must be installed on each server that is used to receive and process incoming e-mail. Typically, this includes every front-end Web server in the farm.

Start the Windows SharePoint Services Web Application service


Each server that is running the SMTP service must also be running the Windows SharePoint Services Web Application service. These servers are called front-end Web servers. In many cases, this service will have already been configured.

Important: Membership in the Farm Administrators group of the Central Administration site is required to complete this procedure.

Start the Windows SharePoint Services Web Application service

1. On the top navigation bar, click Operations.
2. On the Operations page, in the Topology and Services section, click Services on server.
3. On the Services on Server page, find Windows SharePoint Services Web Application in the list of services, and click Start.

Install the SMTP service


The SMTP service is a component of IIS. It must be installed on every front-end Web server in the farm that you want to configure for incoming e-mail.

Important: Membership in the Administrators group on the local computer is required to complete this procedure.

Install the SMTP service

1. In Control Panel, click Add or Remove Programs.
2. In Add or Remove Programs, click Add/Remove Windows Components.
3. In the Windows Components Wizard, in the Components box, click Application Server, and then click the Details button.
4. In the Application Server dialog box, in the Subcomponents of Application Server box, click Internet Information Services (IIS), and then click the Details button.
5. In the Internet Information Services (IIS) dialog box, select the SMTP Service check box.
6. Click OK to return to the Application Server dialog box.
7. Click OK to return to the main page of the Windows Components Wizard.
8. Click Next.
9. When Windows has finished installing the SMTP service, on the Completing the Windows Components Wizard page, click Finish.

Configure the SMTP service


After installing the SMTP service, you must configure the service to accept relayed e-mail from the mail server for the domain. You can decide to accept relayed e-mail from all servers except those you specifically exclude. Alternatively, you can block e-mail from all servers except those you specifically include. You can include servers individually, or in groups by subnet or domain.

Important: Membership in the Administrators group on the local computer is required to complete this procedure.

Configure the SMTP service

1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In IIS Manager, expand the server name that contains the SMTP server that you want to configure.
3. Right-click the SMTP virtual server that you want to configure, and then click Properties.
4. On the Access tab, under Access control, click Authentication.
5. In the Authentication dialog box, under Select acceptable authentication methods for this resource, verify that Anonymous access is selected.
6. Click OK.
7. On the Access tab, under Relay restrictions, click Relay.
8. To enable relaying from any server, under Select which computer may relay through this virtual server, select All except the list below.
9. To accept relaying from one or more specific servers, follow these steps:
   a. Under Select which computer may relay through this virtual server, select Only the list below.
   b. Click Add, and then add servers one at a time by IP address, or in groups by using a subnet or a domain.
   c. Click OK to close the Computer dialog box.
10. Click OK to close the Relay Restrictions dialog box.
11. Click OK to close the Properties dialog box.

Add an SMTP connector in Exchange Server


In some scenarios, mail from Microsoft Exchange Server computers might not be automatically relayed to the Office SharePoint Server 2007 servers that are running the SMTP service. In these scenarios, administrators of Exchange mail servers can add an SMTP connector so that all mail sent to the Office SharePoint Server 2007 domain uses the Office SharePoint Server 2007 servers that are running the SMTP service. For more information about SMTP connectors, see the Help documentation for Exchange Server.

Configure Active Directory


Incoming e-mail uses the Microsoft SharePoint Directory Management Service to connect SharePoint sites to the directory services used by your organization. If you enable the Microsoft SharePoint Directory Management Service, users can create and manage distribution groups from SharePoint sites. SharePoint lists that use e-mail can then be found in directory services, such as the Address Book. You must also select which distribution group requests from SharePoint lists require approval. The Microsoft SharePoint Directory Management Service can be installed on a server in the farm, or you can use a remote Microsoft SharePoint Directory Management Service.

To use the Microsoft SharePoint Directory Management Service on a farm or server, you must configure the Central Administration application pool identity account to have the Create, delete, and manage user accounts right to the container that you specify in Active Directory. The preferred way to do this is by delegating the right to the Central Administration application pool identity account. An Active Directory administrator must set up the organizational unit (OU) and delegate the Create, delete, and manage user accounts right to the container. The advantage of using the Microsoft SharePoint Directory Management Service on a remote farm is that you do not have to delegate rights to the organizational unit for multiple farm service accounts.

If the application pool account for Central Administration is different from the application pool account for the Web application of the list or site that is enabled for e-mail, you must use the application pool account for the Web application when completing the following procedures. You must then delegate additional rights to the Central Administration application pool account.

The following procedures are performed on a domain controller that runs Microsoft Windows Server 2003 SP1 (with DNS Manager) and Microsoft Exchange Server 2003 SP1. In some deployments, these applications might run on multiple servers in the same domain.

Important: Membership in the Domain Administrators group or delegated authority for domain administration is required to complete this procedure.


Create an organizational unit in Active Directory

1. Click Start, point to Control Panel, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, right-click the folder for the second-level domain that contains your server farm, point to New, and then click Organizational Unit.
3. Type the name of the organizational unit, and then click OK.

After creating the organizational unit, we recommend that you delegate the Create, delete, and manage user accounts right to the container.

Important: Membership in the Domain Administrators group or the Enterprise Administrators group in Active Directory, or delegated authority for administration, is required to complete this procedure.

Delegate right to the application pool account

1. In Active Directory Users and Computers, find the organizational unit that you just created.
2. Right-click the organizational unit, and then click Delegate control.
3. On the Welcome page of the Delegation of Control Wizard, click Next.
4. On the Users and Groups page, click Add, and then type the name of the application pool identity account that the Web application uses.
5. In the Select Users, Computers, and Groups dialog box, click OK.
6. On the Users or Groups page of the Delegation of Control Wizard, click Next.
7. On the Tasks to Delegate page of the Delegation of Control Wizard, select the Create, delete, and manage user accounts check box, and then click Next.
8. On the last page of the Delegation of Control Wizard, click Finish to exit the wizard.

If you must add permissions for the application pool identity account directly, complete the following procedure.

Important: Membership in the Account Operators group, Domain Administrators group, or the Enterprise Administrators group in Active Directory, or delegated authority for administration, is required to complete this procedure.

Add permissions for the application pool account

1. In Active Directory Users and Computers, click the View menu, and then click Advanced Features.
2. Right-click the organizational unit that you just created, and then click Properties.
3. In the Properties dialog box, click the Security tab, and then click Advanced.
4. Click Add, and then type the name of the application pool identity account for the Web application.
5. Click OK.
6. In the Permission Entries section, double-click the application pool identity account.
7. In the Permissions section, under Allow, select the Modify permissions check box.
8. Click OK to close the Permissions dialog box.
9. Click OK to close the Properties dialog box.
10. Click OK to close the Active Directory Users and Computers plug-in.

If you decide instead to use the remote Microsoft SharePoint Directory Management Service, you must know the URL for the Web service. This URL is typically in the following format: http://server:adminport/_vti_bin/SharePointEmailWS.asmx.

Configure Active Directory under atypical circumstances


If you are using the Directory Management Service and the Central Administration application pool uses a different account from the Web application for the list or site on which you want to enable incoming e-mail, you must delegate additional rights to the Central Administration application pool account. If you do not delegate these rights, then you cannot enable incoming e-mail for the list or site.

Note: Before you delegate the following rights to the Central Administration application pool account for the organizational unit, you must delegate rights to the application pool account for the Web application. The procedures for delegating those rights are explained in the previous section.

Administrators must delegate full control of the organizational unit to the Central Administration application pool account. After this delegation is complete, administrators can enable incoming e-mail.

To delegate full control of the organizational unit to the Central Administration application pool account
Important: Membership in the Domain Administrators group or the Enterprise Administrators group in Active Directory, or delegated authority for administration, is required to complete this procedure.

Delegate full control of the organizational unit to the Central Administration application pool account

1. Right-click the organizational unit, and then click Delegate control.
2. In the Delegation of Control wizard, click Next.
3. Click Add, and then type the name of the application pool account for Central Administration.
4. Click OK.
5. Click Next.
6. On the Tasks to Delegate page of the Delegation of Control wizard, select Create a custom task to delegate, and then click Next.
7. Select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
8. In the Permissions section, select Create all Child Objects and Delete all Child Objects.
9. Click Next.
10. On the last page of the Delegation of Control wizard, click Finish to exit the wizard.

Delegating full control of the organizational unit to the Central Administration application pool account enables administrators to enable e-mail for a list. Administrators cannot disable e-mail for the list or document library after delegating full control because the Central Administration account tries to delete the contact from the entire organizational unit rather than deleting the contact from the list.

To add the Delete Subtree permission for the Central Administration application pool account
To enable administrators to disable incoming e-mail on a list, you must add the Delete Subtree permission for the Central Administration application pool account.

Important: Membership in the Account Operators group, Domain Administrators group, or the Enterprise Administrators group in Active Directory, or delegated authority for administration, is required to complete this procedure.

Add the Delete Subtree permission for the Central Administration application pool account

1. In Active Directory Users and Computers, click the View menu, and then click Advanced Features.
2. Right-click the organizational unit, and then click Properties.
3. In the Properties dialog box, click the Security tab, and then click Advanced.
4. In the Permission Entries section, double-click the Central Administration application pool account.
5. In the Permissions section, under Allow, select Delete Subtree.
6. Click OK to close the Permissions dialog box.
7. Click OK to close the Properties dialog box.
8. Click OK to close the Active Directory Users and Computers plug-in.

After adding the permission, you must restart Internet Information Services (IIS) for the farm. For more information about Active Directory, see the Help documentation for Active Directory.

Configure permissions to the e-mail drop folder


When incoming e-mail settings are set to advanced mode, you must ensure that certain accounts have the correct permissions to the e-mail drop folder.

Configure e-mail drop folder permissions for the logon account for the Windows SharePoint Services Timer service
Ensure that the logon account for the Windows SharePoint Services Timer service has the Modify permission on the e-mail drop folder. If the logon account for the service does not have the Modify permission, e-mail enabled document libraries will receive duplicate e-mail messages.

Important: Membership in the Administrators group on the local computer that contains the e-mail drop folder is required to complete this procedure.

Configure e-mail drop folder permissions
1. In Windows Explorer, right-click the drop folder, click Properties, and then click the Security tab.
2. On the Security tab, under the Group or user names box, click the Add button.
3. In the Select Users, Computers, or Groups dialog box, in the Enter objects to select box, type the name of the logon account for the Windows SharePoint Services Timer service, and then click OK.
Note: This account is listed on the Log On tab of the Properties dialog box for the service in the Services console.
4. In the Permissions for User or Group box, next to Modify, select the Allow check box.
5. Click OK.

Configure e-mail drop folder permissions for the application pool account for a Web application
If your deployment uses different application pool accounts for Central Administration and one or more Web applications for front-end Web servers, each application pool account must have permissions to the e-mail drop folder. If the application pool account for the Web application does not have the required permissions, e-mail will not be delivered to document libraries on that Web application. In most cases, when you configure incoming e-mail settings and select an e-mail drop folder, permissions are added for two worker process groups:

- WSS_Admin_WPG, which includes the application pool account for Central Administration and the logon account for the Windows SharePoint Services Timer service, has Full Control permission.
- WSS_WPG, which includes the application pool accounts for Web applications, has Read & Execute, List Folder Contents, and Read permissions.

In some cases, these groups might not be configured automatically for the e-mail drop folder. For example, if Central Administration is running as the Network Service account, the groups or accounts needed for incoming e-mail will not be added when the e-mail drop folder is created. It is a good idea to check whether these groups have been added automatically to the e-mail drop folder. If the groups have not been added automatically, you can add them or add the specific accounts that are required.

Important: Membership in the Administrators group on the local computer that contains the e-mail drop folder is required to complete this procedure.

Configure e-mail drop folder permissions
1. In Windows Explorer, right-click the drop folder, click Properties, and then click the Security tab.
2. On the Security tab, under the Group or user names box, click the Add button.
3. In the Select Users, Computers, or Groups dialog box, in the Enter objects to select box, type the name of the worker process group or application pool account for the Web application, and then click OK.
Note: This account is listed on the Identity tab of the Properties dialog box for the application pool in IIS.
4. In the Permissions for User or Group box, next to Modify, select the Allow check box.
5. Click OK.
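The following Windows PowerShell script is an added example and is not part of the Microsoft book. It audits the NTFS permissions on the drop folder for the three entries the two procedures above require (the Timer service logon account with Modify, WSS_Admin_WPG with Full Control, WSS_WPG with Read & Execute) and can add any that are missing. The drop folder path is a placeholder, and the Timer service is assumed to be registered under the service name SPTimerV3.

```powershell
# Added example, not part of the Microsoft book: audit the NTFS permissions on
# the incoming e-mail drop folder for the accounts the procedures above require.
# Assumptions: $DropFolder is a placeholder path; the Windows SharePoint Services
# Timer service is registered under the service name "SPTimerV3".
param(
    [string]$DropFolder = 'C:\Inetpub\mailroot\Drop',   # placeholder, use your own path
    [switch]$Fix                                        # add missing entries when set
)

$rights = [System.Security.AccessControl.FileSystemRights]

# Look up the Timer service logon account (the account shown on the service's Log On tab).
$timer = Get-WmiObject Win32_Service -Filter "Name='SPTimerV3'"
if (-not $timer) { throw 'Windows SharePoint Services Timer service (SPTimerV3) not found.' }

# Required entries: identity -> minimum right. FileSystemRights values are composite
# flags, so the bitwise check below accepts any Allow entry that contains the bits.
$required = @(
    @{ Identity = 'WSS_Admin_WPG';   Right = $rights::FullControl },
    @{ Identity = 'WSS_WPG';         Right = $rights::ReadAndExecute },
    @{ Identity = $timer.StartName;  Right = $rights::Modify }
)

$acl = Get-Acl -Path $DropFolder
$missing = @()
foreach ($req in $required) {
    # Compare on the account name only, so "BUILTIN\", "NT AUTHORITY\" and
    # "SERVER\" prefixes do not cause false negatives.
    $name = $req.Identity.Split('\')[-1]
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value.Split('\')[-1] -eq $name -and
        (($_.FileSystemRights -band $req.Right) -eq $req.Right)
    }
    if ($hit) {
        Write-Host ('OK       {0,-40} {1}' -f $req.Identity, $req.Right)
    } else {
        Write-Host ('MISSING  {0,-40} {1}' -f $req.Identity, $req.Right)
        $missing += $req
    }
}

if ($Fix -and $missing.Count -gt 0) {
    foreach ($req in $missing) {
        # Inherit to subfolders and files so the .eml files the SMTP service
        # writes into the drop folder receive the same rights.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $req.Identity, $req.Right,
            'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $DropFolder -AclObject $acl
    Write-Host ('Added {0} missing entries to {1}.' -f $missing.Count, $DropFolder)
}
```

Run it once without -Fix to see what is missing; when Central Administration runs as Network Service, expect the two worker process groups to be reported as missing until you add them.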

Configure DNS Manager


Incoming mail requires a Mail Exchanger (MX) resource record to be added in DNS Manager for the host or subdomain running Office SharePoint Server 2007. This is distinct from any existing MX records in the domain.

Important: Membership in the Administrators group on the local computer is required to complete this procedure.

Add a Mail Exchanger (MX) resource record for the subdomain
1. In DNS Manager, select the forward lookup zone for the domain that contains the subdomain for Office SharePoint Server 2007.
2. Right-click the zone, and then click New Mail Exchanger.
3. In the Host or domain text box, type the host or subdomain name for Office SharePoint Server 2007.
4. In the Fully qualified domain name (FQDN) of mail server text box, type the fully qualified domain name for the server that is running Office SharePoint Server 2007. This is typically in the format subdomain.domain.com.
5. Click OK.

Configure attachments from Outlook 2003


Attachments to messages sent from Microsoft Outlook 2003 must be encoded in UUEncode or Binhex format to appear separately in e-mail enabled document libraries. Attachments from Outlook 2003 that use different encoding will not be listed, but e-mail messages that contain attachments will be listed.

Configure incoming e-mail settings


Before you can enable incoming e-mail on the server that is running Office SharePoint Server 2007, you must have configured the SMTP service on front-end Web servers in the farm and the Active Directory and DNS Manager on the domain controller, or you must know the names of other servers that are running these services. This procedure configures the settings that are used for incoming e-mail. You can also configure options for safe e-mail servers and the incoming e-mail display address.

Important: Membership in the Administrators group of the Central Administration site is required to complete this procedure.

Configure incoming e-mail settings
1. On the top navigation bar, click Operations.
2. On the Operations page, in the Topology and Services section, click Incoming e-mail settings.
3. If you want to enable sites on this server to receive e-mail, on the Incoming E-Mail Settings page, in the Enable Incoming E-Mail section, click Yes.
4. Select either the Automatic or the Advanced settings mode. If you select Advanced, you can specify a drop folder instead of using an SMTP server.
5. If you want to connect to the Microsoft SharePoint Directory Management Service, in the Directory Management Service section, click Yes.
   a. In the Active Directory container where new distribution groups and contacts will be created box, type the name of the container in the format OU=ContainerName, DC=domain, DC=com, where ContainerName is the name of the organizational unit in Active Directory, domain is the second-level domain, and com is the top-level domain.
   Note: The Central Administration application pool account must be delegated the Create, delete, and manage user accounts task for the container. Access is configured in the properties for the organizational unit in Active Directory.
   b. In the SMTP mail server for incoming mail box, type the name of the SMTP mail server. The server name must match the fully qualified domain name in the MX entry for the mail server in DNS Manager.
   c. To accept only messages from authenticated users, click Yes for Accept messages from authenticated users only. Otherwise, click No.
   d. To allow creation of distribution groups from SharePoint sites, click Yes for Allow creation of distribution groups from SharePoint sites. Otherwise, click No.
   e. Under Distribution group request approval settings, select the actions that will require approval. Actions include the following:
      - Create new distribution group
      - Change distribution group e-mail address
      - Change distribution group title and description
      - Delete distribution group
6. If you want to use a remote SharePoint Directory Management Web Service, select Use remote.
   a. In the Directory Management Service URL box, type the URL of the Microsoft SharePoint Directory Management Service that you want to use.
   b. In the SMTP mail server for incoming mail box, type the name of the SMTP mail server. The server name must match the fully qualified domain name in the MX entry for the mail server in DNS Manager on the domain server.
   c. To accept messages from authenticated users only, click Yes for Accept messages from authenticated users only. Otherwise, click No.
   d. To allow creation of distribution groups from SharePoint sites, click Yes for Allow creation of distribution groups from SharePoint sites. Otherwise, click No.
7. If you do not want to use the Microsoft SharePoint Directory Management Service, click No.
8. In the Incoming E-Mail Server Display Address section, type a display name for the e-mail server (for example, mail.fabrikam.com) in the E-mail server display address box.
   Tip: You can specify the e-mail server address that is displayed when users create an incoming e-mail address for a list or group. Use this setting together with the Microsoft SharePoint Directory Management Service to provide an e-mail server address that is more user-friendly.
9. In the Safe E-Mail Servers section, select one of the following options:
   - Accept mail from all e-mail servers
   - Accept mail from these safe e-mail servers. If you select this option, type the IP addresses (one per line) of the e-mail servers that you want to specify as safe in the corresponding box.
10. In the E-mail Drop Folder section, in the E-mail drop folder box, type the name of the folder in which Microsoft Windows SharePoint Services polls for incoming e-mail from the SMTP service. This option is available only if you selected advanced mode.
11. Click OK.

Configuring incoming e-mail on SharePoint sites


After configuring incoming e-mail settings, site administrators can configure e-mail enabled lists and document libraries. For more information about e-mail enabled document libraries, see the Help documentation for site administrators.

Contact addresses created for these document libraries appear automatically in Active Directory Users and Computers under the organizational unit for Office SharePoint Server 2007, and must be managed by the administrator of Active Directory. The Active Directory administrator can add more e-mail addresses for each contact. For more information about how to manage contacts in Active Directory, see the Help documentation for Active Directory.

Alternatively, the Exchange Server computer can be configured by adding a new Exchange Server Global recipient policy to automatically add external addresses that use the second-level domain name and not the subdomain or host for Office SharePoint Server 2007. For more information about how to manage Exchange Server, see the Help documentation for Exchange Server.

See Also
Plan incoming e-mail (http://technet.microsoft.com/en-us/library/cc263260.aspx)
Demo: Configure a SharePoint Server 2007 site to receive e-mail (http://office.microsoft.com/en-us/sharepointserver/HA102047921033.aspx)


Configure outgoing e-mail settings


In this section:
- Install and configure the SMTP service
- Configure outgoing e-mail settings

Use this procedure to configure the default outgoing e-mail settings for all Web applications. You can override the default outgoing e-mail settings for specific Web applications by using the procedure that is described in Configure outgoing e-mail settings for a specific Web application.

Install and configure the SMTP service


Before you can enable outgoing e-mail, you must install the Internet Information Services (IIS) Simple Mail Transfer Protocol (SMTP) service. After determining which SMTP server to use, the SMTP server must be configured to allow anonymous access and to allow e-mail messages to be relayed. Additionally, the SMTP server must have Internet access if you want the ability to send messages to external e-mail addresses, or it must be able to relay authenticated e-mail to a server that has Internet access. The SMTP server that you use can be a server in the farm, or another server.

Install the SMTP service


The SMTP service is a component of IIS.

Important: Membership in the Administrators group on the local computer is required to complete this procedure.

Install the SMTP service
1. In Control Panel, click Add or Remove Programs.
2. In Add or Remove Programs, click Add/Remove Windows Components.
3. In the Windows Components Wizard, in the Components box, click Application Server, and then click the Details button.
4. In the Application Server dialog box, in the Subcomponents of Application Server box, click Internet Information Services (IIS), and then click the Details button.
5. In the Internet Information Services (IIS) dialog box, select the SMTP Service check box.
6. Click OK to return to the Application Server dialog box.
7. Click OK to return to the main page of the Windows Components Wizard.
8. Click Next.
9. When Windows has finished installing the SMTP service, on the Completing the Windows Components Wizard page, click Finish.

Configure the SMTP service


After installing the SMTP service, configure the service to accept relayed e-mail from servers in your farm. You can decide to accept relayed e-mail from all servers except those you specifically exclude. Alternatively, you can block e-mail from all servers except those you specifically include. You can include servers individually, or in groups by subnet or domain.

By enabling both anonymous access and e-mail relaying, you increase the possibility that the SMTP server will be used to relay unsolicited commercial e-mail (spam). It is important to limit this possibility by carefully configuring your mail servers to help protect against spam. One way that you can do this is by limiting relaying to a specific list of servers or domains, and preventing relaying from all other servers.

Important: Membership in the Administrators group on the local computer is required to complete this procedure.

Configure the SMTP service
1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In IIS Manager, expand the server name that contains the SMTP server that you want to configure.
3. Right-click the SMTP virtual server that you want to configure, and then click Properties.
4. On the Access tab, under Access control, click Authentication.
5. In the Authentication dialog box, under Select acceptable authentication methods for this resource, verify that Anonymous access is selected.
6. Click OK.
7. On the Access tab, under Relay restrictions, click Relay.
8. To enable relaying from any server, under Select which computer may relay through this virtual server, select All except the list below.
9. To accept relaying from one or more specific servers, follow these steps:
   a. Under Select which computer may relay through this virtual server, select Only the list below.
   b. Click Add, and then add servers one at a time by IP address, or in groups by using a subnet or domain.
   c. Click OK to close the Computer dialog box.
10. Click OK to close the Relay Restrictions dialog box.
11. Click OK to close the Properties dialog box.

Configure outgoing e-mail settings


Important: Membership in the Farm Administrators group of the Central Administration site is required to complete this procedure.

Configure outgoing e-mail settings
1. On the top navigation bar of the SharePoint Central Administration Web site, click Operations.
2. On the Operations page, in the Topology and Services section, click Outgoing e-mail settings.
3. On the Outgoing E-Mail Settings page, in the Mail Settings section, type the SMTP server name for outgoing e-mail (for example, mail.example.com) in the Outbound SMTP server box.
4. In the From address box, type the friendly e-mail address as you want it to appear to e-mail recipients.
5. In the Reply-to address box, type the e-mail address to which you want e-mail recipients to reply.
6. In the Character set menu, select the character set that is appropriate for your language.
7. Click OK.

For information about how to perform this procedure using the Stsadm command-line tool, see Email: Stsadm operation (http://technet.microsoft.com/en-us/library/cc261681.aspx).

See Also Plan outgoing e-mail (http://technet.microsoft.com/en-us/library/cc262844.aspx)


Configure outgoing e-mail settings for a specific Web application


In this section:
- Install and configure the SMTP service
- Configure outgoing e-mail settings

Use this procedure to configure the outgoing e-mail settings for a specific Web application. Before using this procedure, you must first configure the default outgoing e-mail settings for all Web applications by using the procedure described in Configure outgoing e-mail settings.

Install and configure the SMTP service


Before you can enable outgoing e-mail, you must install the Internet Information Services (IIS) Simple Mail Transfer Protocol (SMTP) service. After determining which SMTP server to use, the SMTP server must be configured to allow anonymous access and to allow e-mail messages to be relayed. Additionally, the SMTP server must have Internet access if you want the ability to send messages to external e-mail addresses, or it must be able to relay authenticated e-mail to a server that has Internet access. The SMTP server that you use can be a server in the farm, or another server.

Install the SMTP service


The SMTP service is a component of IIS.

Important: Membership in the Administrators group on the local computer is required to complete this procedure.

Install the SMTP service
1. In Control Panel, click Add or Remove Programs.
2. In Add or Remove Programs, click Add/Remove Windows Components.
3. In the Windows Components Wizard, in the Components box, click Application Server, and then click the Details button.
4. In the Application Server dialog box, in the Subcomponents of Application Server box, click Internet Information Services (IIS), and then click the Details button.
5. In the Internet Information Services (IIS) dialog box, select the SMTP Service check box.
6. Click OK to return to the Application Server dialog box.
7. Click OK to return to the main page of the Windows Components Wizard.
8. Click Next.
9. When Windows has finished installing the SMTP service, on the Completing the Windows Components Wizard page, click Finish.

Configure the SMTP service


After installing the SMTP service, configure the service to accept relayed e-mail from servers in your farm. You can decide to accept relayed e-mail from all servers except those you specifically exclude. Alternatively, you can block e-mail from all servers except those you specifically include. You can include servers individually, or in groups by subnet or domain.

By enabling both anonymous access and e-mail relaying, you increase the possibility that the SMTP server will be used to relay unsolicited commercial e-mail (spam). It is important to limit this possibility by carefully configuring your mail servers to help protect against spam. One way that you can do this is by limiting relaying to a specific list of servers or domains, and preventing relaying from all other servers.

Important: Membership in the Administrators group on the local computer is required to complete this procedure.

Configure the SMTP service
1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In IIS Manager, expand the server name that contains the SMTP server that you want to configure.
3. Right-click the SMTP virtual server that you want to configure, and then click Properties.
4. On the Access tab, under Access control, click Authentication.
5. In the Authentication dialog box, under Select acceptable authentication methods for this resource, verify that Anonymous access is selected.
6. Click OK.
7. On the Access tab, under Relay restrictions, click Relay.
8. To enable relaying from any server, under Select which computer may relay through this virtual server, select All except the list below.
9. To accept relaying from one or more specific servers, follow these steps:
   a. Under Select which computer may relay through this virtual server, select Only the list below.
   b. Click Add, and then add servers one at a time by IP address, or in groups by using a subnet or domain.
   c. Click OK to close the Computer dialog box.
10. Click OK to close the Relay Restrictions dialog box.
11. Click OK to close the Properties dialog box.

Configure outgoing e-mail settings


Important: Membership in the Farm Administrators group of the Central Administration site is required to complete this procedure.

Configure outgoing e-mail settings
1. On the top navigation bar of the SharePoint Central Administration Web site, click Application Management.
2. On the Application Management page, in the SharePoint Web Application Management section, click Web application outgoing e-mail settings.
3. On the Web Application E-Mail Settings page, select a Web application by using the Web Application menu in the Web Application section.
4. In the Mail Settings section, type the SMTP server name for outgoing e-mail (for example, type mail.fabrikam.com) in the Outbound SMTP server box.
5. In the From address box, type the friendly e-mail address as you want it to appear to e-mail recipients.
6. In the Reply-to address box, type the e-mail address to which you want e-mail recipients to reply.
7. On the Character set menu, click the character set that is appropriate for your language.
8. Click OK.

See Also
Plan outgoing e-mail (http://technet.microsoft.com/en-us/library/cc262844.aspx)


Configure workflow settings


Use this procedure to configure the workflow settings for Microsoft Office SharePoint Server 2007. Workflow settings are configured at the Web application level, enabling you to configure different settings for different Web applications. When you configure workflow settings, you must first select the Web application to configure.

Site administrators can create workflows from the Site Settings page for the site or site collection. By default, end users can create their own workflows by using code already deployed by an administrator. You can also choose to limit workflow creation to site administrators.

By default, workflows can include users who do not have site access. Users without site access who attempt to complete the task assigned to them will be directed to the Error: Access Denied page, where they can request access to the site. If you do not enable alerts for internal users without site access, workflows that include those users will not generate alerts for those users. By default, external users cannot participate in workflows, and external users included in workflows will not be alerted. You can choose to allow external users to participate in workflows by sending copies of documents to those users by e-mail.

Configuring workflow settings


Note: Membership in the Administrators group of the Central Administration site is required to complete this procedure.

Configure workflow settings
1. On the top navigation bar, click Application Management.
2. On the Application Management page, in the Workflow Management section, click Workflow settings.
3. On the Workflow Settings page, in the Web Application section, the current Web application is displayed in the Web Application menu. To configure the settings for a different Web application, click Change Web Application, and then select a new Web application on the Select Web Application page.
4. In the User-Defined Workflows section, select Yes if you want to enable user-defined workflows, or select No if you do not want to enable user-defined workflows.
5. In the Workflow Task Notifications section, under Alert internal users who do not have site access when they are assigned a workflow task, select Yes if you want internal users without site access to be sent an e-mail alert when a task is assigned to them. Users attempting to complete the task by using the link in the alert will be directed to the Request Permissions page. If you do not want internal users without site access to be sent an e-mail alert when a task is assigned to them, select No.
6. Under Allow external users to participate in workflow by sending them a copy of the document, select Yes if you want documents to be sent to external users by e-mail when those users are part of the workflow but they do not have access permissions to the documents. If you do not want documents to be sent to external users who do not have access permissions, select No.
Note: If the object in the workflow is not a document but a list item, the list item properties are displayed in a table as part of the e-mail message.
7. Click OK.

For information about how to perform this procedure using the Stsadm command-line tool, see Workflow management: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263153.aspx).


Configure diagnostic logging settings


In this section:
- Customer Experience Improvement Program
- Error reports
- Event throttling
- Configuring diagnostic logging settings

Use this procedure to configure the diagnostic logging settings for Microsoft Office SharePoint Server 2007. You can configure how diagnostic events are logged according to their criticality. Additionally, you can set the maximum number of log files that can be maintained, and you can set how long to capture events to a single log file. You can also indicate whether or not to provide Microsoft with continuous improvement and Dr. Watson event data.

Customer Experience Improvement Program


The Customer Experience Improvement Program (CEIP) is designed to improve the quality, reliability, and performance of Microsoft products and technologies. With your permission, anonymous information about your server will be sent to Microsoft to help us improve SharePoint Products and Technologies. For more information, see the Customer Experience Improvement Program privacy statement (http://go.microsoft.com/fwlink/?LinkID=84784&clcid=0x409).

Error reports
Error reports are created when your system encounters hardware or software problems. Microsoft and its partners actively use these reports to improve the reliability of your software. Error reports include the following: information regarding the condition of the server when the problem occurs; the operating system version and computer hardware in use; and the Digital Product ID, which can be used to identify your license. The IP address of your computer is also sent because you are connecting to an online service to send error reports; however, the IP address is used only to generate aggregate statistics.

Microsoft does not intentionally collect any personal information. However, error reports could contain data from log files, such as user names, IP addresses, URLs, file or path names, and e-mail addresses. Although this information, if present, could potentially be used to determine your identity, the information will not be used in this way. The data that Microsoft collects will be used only to fix problems and to improve software and services. Error reports will be sent by using encryption technology to a database with limited access, and will not be used for marketing purposes.

For more information, see the Microsoft Error Reporting Service privacy statement (http://go.microsoft.com/fwlink/?LinkId=85028&clcid=0x409).

If you want to provide error reports to Microsoft and its partners, select the option to collect error reports. Base your decision on your organization's policies about sharing the information collected by error reports, and the potential impact of error collection on users and administrators. Two options are available for error reports:

- You can choose to periodically download a file from Microsoft that can help identify system problems based on the error reports that you provide to Microsoft.
- You can change the error collection policy to silently send all reports. This changes the computer's error reporting behavior to automatically send reports to Microsoft without prompting users when they log on.

Event throttling
You can configure the diagnostic options for event logging. Events can be logged in either the Windows event log or the trace log. You can configure event throttling settings to control how many events are recorded in each log, according to the criticality of the events. To provide more control in event throttling, you can decide to throttle events for all events, or for any single category of events. Several categories of events are available, based on different services and features of SharePoint Products and Technologies. Categories of events can be defined by individual services or by groupings of related events. Selected event categories include:

- All
- Categories defined by product, such as Office SharePoint Server 2007 and Microsoft Office Project Server 2007
- Administrative functions such as Administration, Backup and Recovery, Content Deployment, and Setup and Upgrade
- Feature areas such as Document Management, E-Mail, Forms Services, Information Policy Management, Information Rights Management, Publishing, Records Center, Site Directory, Site Management, User Profiles, and Workflow
- SharePoint Services and other services such as the Load Balancer Service
- Shared services such as all Office Server Shared Services, Business Data, and Excel Calculation Services

For the selected category, select the least-critical event to record, for both the Windows event log and the trace log. Events that are equally critical to or more critical than the selected event will be recorded in each log. The list entries are sorted in order from most-critical to least-critical.

The levels of events for the Windows event log include:
- None
- Error
- Warning
- Audit Failure
- Audit Success
- Information

The levels of events for the trace log include:
- None
- Unexpected
- Monitorable
- High
- Medium
- Verbose

For more information about the Windows event log or the trace log, see the Windows documentation.

Configuring diagnostic logging settings


Note: Membership in the Administrators group of the Central Administration site is required to complete this procedure.

Configure diagnostic logging settings
1. On the top navigation bar, click Operations.
2. On the Operations page, in the Logging and Reporting section, click Diagnostic logging.
3. On the Diagnostic Logging page, in the Customer Experience Improvement Program section, under Sign Up for the Customer Experience Improvement Program, select one of the following options:
   - Yes, I am willing to participate anonymously in the Customer Experience Improvement Program (Recommended).
   - No, I don't wish to participate.
   If you select Yes, users can decide whether they want to report Customer Experience Improvement Program events to Microsoft.
4. In the Error Reports section, under Error reporting, select one of the following:
   - Collect error reports. If you select this option, you can also select or clear two options to control how error reports are collected:
     - Periodically download a file that can help identify system problems.
     - Change this computer's error collection policy to silently send all reports. This changes the computer's error reporting behavior to automatically send reports to Microsoft without prompting users when they log on.
   - Ignore errors and don't collect information.
5. In the Event Throttling section, in the Select a category menu, select a category of events:
   a. In the Least critical event to report to the event log menu, select the least-critical event to report to the event log for the selected category.
   b. In the Least critical event to report to the trace log menu, select the least-critical event to report to the trace log for the selected category.
6. In the Trace Log section, in the Path text box, type the local path to use for the trace log on all servers in the farm. The location must exist on all servers in the farm.
   a. In the Number of log files text box, type the maximum number of files that you want to maintain.
   b. In the Number of minutes to use a log file text box, type the number of minutes to use each log file.
7. Click OK.

For information about how to perform this procedure using the Stsadm command-line tool, see Setlogginglevels (http://technet.microsoft.com/en-us/library/cc261740.aspx) and Listlogginglevels (http://technet.microsoft.com/en-us/library/cc262133.aspx).

Configure single sign-on


Single sign-on (SSO) is a Microsoft Office SharePoint Server feature that provides storage and mapping of credentials such as account names and passwords. Using SSO, portal site-based applications can retrieve information from third-party applications and back-end systems such as Enterprise Resource Planning (ERP) and Customer Relations Management (CRM) systems. The use of single sign-on functionality enables users to authenticate only once when they access portal site-based applications that need to obtain information from other business applications and systems.

Configuring single sign-on consists of five tasks:
- Configure and start the Microsoft Single Sign-On service
- Configure Single Sign-On for Office SharePoint Server 2007
- Manage the encryption key
- Manage enterprise application definitions
- Manage account information for an enterprise application definition

Note that you must be logged into the SharePoint Central Administration Web site on a farm server to configure single sign-on (SSO) for Office SharePoint Server 2007. If you attempt to configure SSO on a workstation or any computer that is not a farm server, you will see an error message that reads "Single sign-on cannot be configured from this server. To configure single sign-on, go to the computer running the single sign-on service and specify these settings locally." Follow the procedures in the sections that follow to configure SSO for your Office SharePoint Server 2007 environment.

Configure and start the Microsoft Single Sign-On service


To use single sign-on, the Microsoft Single Sign-On service (SSOSrv) must be installed on all Microsoft Windows front-end Web servers in the farm. SSOSrv must also be installed on all servers running Excel Services. If the Business Data Catalog search is used, SSOSrv must also be installed on the index server. SSOSrv is configured by using the Services console. When configuring the service, a logon account is required. The logon account must meet all of the following criteria:
- Must be a domain user account. It cannot be a group account.
- Must be an Office SharePoint Server farm account.
- Must be a member of the local Administrators group on the encryption-key server. (The encryption-key server is the first server on which you start SSOSrv.)
- Must be a member of the Security Administrators role and db_creator role on the computer running Microsoft SQL Server.
- Must be either the same as the single sign-on administrator account, or a member of the group account that is the single sign-on administrator account.

Configure and start the Microsoft Single Sign-On service

1. On the server, click Start, Control Panel, Administrative Tools, and then click Computer Management.
2. In the Computer Management console, expand Services and Applications, and then click Services.
3. Right-click Microsoft Single Sign-On Service, and then choose Properties.
4. On the General tab, change the Startup type to Automatic.
5. On the General tab, under Service Status, click Start.
6. Click OK to save your changes and close the Properties window.
7. Repeat steps 1 through 6 for each applicable server in the farm.

Configure Single Sign-On for Office SharePoint Server 2007


Managing server settings for single sign-on includes specifying the appropriate administrator accounts, the single sign-on database server and server name, and time-out and audit log settings.

Note: You must open Central Administration on the computer that runs Office SharePoint Server 2007 to manage server settings for single sign-on.

Configure SSO for Office SharePoint Server 2007

1. On Central Administration, on the top navigation bar, click Operations.
2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.
3. On the Manage Settings for Single Sign-On page, in the Server Settings section, click Manage server settings.
4. On the Manage Settings for Single Sign-On page, in the Account name box in the Single Sign-On Administrator Account section, type the single sign-on administrator account name by using the form domain/group or domain/username.
   Note: The single sign-on administrator account specifies the set of people who can create, delete, or modify application definitions. The administrator account can also back up the encryption key. The user or group that you specify as the single sign-on administrator must be all of the following:
   - Either a Windows global group or an individual user account. This account cannot be a domain local group account or a distribution list.
   - The same account as the single sign-on service account, if a user is specified. If a group is specified, the single sign-on service account must be a member of that group.
   - The same as the configuration account for single sign-on, if a user is specified. If a group is specified, the configuration account for single sign-on must be a member of that group.
   - A member of the Farm Administrators group on Central Administration.
   If a group is specified, all users who are added to the group for the purpose of administering single sign-on must be members of the local Administrators group on the encryption-key server. Do not make this account a member of the local Administrators group on the encryption-key server.
5. In the Enterprise Application Definition Administrator Account section, in the Account name box, type the account name of the group or user who can set up and manage enterprise application definitions. Type the name by using the form domain/group or domain/username. The enterprise application definition administrator account can manage credentials of an enterprise application definition, including changing the password of a group enterprise application definition and changing or deleting credentials for an individual enterprise application definition. The user or group that you specify must be the following:
   - Either a Windows global group or an individual user account. This account cannot be a domain local group account or a distribution list.
   - A member of the Reader SharePoint group on Central Administration.
6. In the Database Settings section, in the Server name box, type the NetBIOS name of the single sign-on database server (for example, computer_name or computer_name\SQL_Server_instance). Do not type the fully qualified domain name.
7. In the Database name box, type the name of the single sign-on database.
   Note: Unless you are pre-creating databases, we recommend that you use the default database server and single sign-on database.
8. In the Time Out Settings section, in the Ticket time out (in minutes) box, type the number of minutes that pass before a single sign-on ticket expires. The time-out should be long enough to last between the time that the ticket is issued and the time that the enterprise application redeems the ticket. Two minutes is the recommended value.
9. In the Delete audit log records older than (in days) box, type the number of days that the audit log holds records before deleting them.
10. Click OK.

Manage the encryption key


The first server that SSOSrv is enabled on becomes the encryption-key server. The encryption-key server generates and stores the encryption key. The encryption key is used to encrypt and decrypt the credentials that are stored in the SSO database. Because the encryption key protects security credentials, we recommend that you create a new encryption key on a regular schedule (for example, every 90 days). We also recommend that you create a new encryption key immediately if you suspect that account credentials have been compromised. The encryption key must be backed up each time a new key is created. You do not need to back up the encryption key at any other time (except when you are moving the encryption-key server role from one server to another). You must back up the encryption key from the encryption-key server locally; the key cannot be backed up remotely. You can also use encryption key backup and restore to move the encryption-key server role from one server to another. (Other tasks must also be completed to move the encryption-key server role.)

Note: You must open Central Administration on the computer that runs Office SharePoint Server 2007 to manage the encryption key.

Manage the encryption key

1. On Central Administration, on the top navigation bar, click Operations.
2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.
3. On the Manage Settings for Single Sign-On page, in the Server Settings section, click Manage encryption key.

From the Manage Encryption Key page, you can perform three management tasks:
- Create a new encryption key
- Back up an encryption key
- Restore an encryption key

Create a new encryption key


1. On the Manage Encryption Key page, in the Encryption Key section, click Create Encryption Key.
2. On the Create Encryption Key page, select the Re-encrypt all credentials by using the new encryption key check box.
   Important: If you do not re-encrypt the existing credentials with the new encryption key, users must retype their credentials for individual application definitions, and administrators must retype group credentials for group application definitions.
3. Click OK.

Back up an encryption key


1. On the Manage Encryption Key page, in the Drive list in the Encryption Key Backup section, click the removable media drive on which you want to store the encryption-key backup.
2. Click Back Up.

Restore an encryption key


You should always back up the encryption key when you back up the single sign-on database, because the database is useless without the encryption key. Also, before you replace an encryption-key server, make sure to back up the encryption key so that it can be restored on the new encryption-key server.

1. On the Manage Encryption Key page, in the Drive list in the Encryption Key Restore section, click the removable media drive from which you want to restore the encryption-key backup.
2. Click Restore.

Manage enterprise application definitions


In the single sign-on environment, the back-end external data sources and systems are referred to as enterprise applications. For each enterprise application that Office SharePoint Server 2007 connects to, a corresponding enterprise application definition needs to be configured.

1. On Central Administration, on the top navigation bar, click Operations.
2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.
3. On the Manage Settings for Single Sign-On page, click Manage settings for enterprise application definitions.

Manage account information for an enterprise application definition


If you are using a group to connect to the enterprise application, you need to provide account credentials for the group to use. If individual users are connecting directly to the enterprise application, you can preset or reset user passwords, or you can delete users from the enterprise application definition.

1. On Central Administration, on the top navigation bar, click Operations.
2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.
3. On the Manage Settings for Single Sign-On page, in the Enterprise Application Definition Settings section, click Manage account information for enterprise application definitions.
4. On the Manage Account Information for an Enterprise Application Definition page, in the Enterprise application definition list in the Account Information section, click the application definition for which you want to manage account information.
5. In the Group account name box, type the name of the group that is allowed access to the enterprise application.
6. In the Enterprise Application Definition section, select one of the following:

   Option: Update account information
   Purpose: Enter credentials for the first time or update the credentials used to connect to the enterprise application.

   Option: Delete stored credentials for this account from this enterprise application definition
   Purpose: Delete the credentials currently used to connect to the enterprise application.

   Option: Delete stored credentials for this account from all enterprise application definitions
   Purpose: Delete the credentials currently used to connect the selected enterprise application from all enterprise application definitions.

   Deleting stored credentials deletes credentials only for individual accounts; it does not delete credentials for group accounts.

   If you select Update account information, complete the following steps:
   a. Click Set.
   b. On the Provide Account Information page, in the Logon Information section, type the user name and password of the account that will be used to connect to the enterprise application.
   c. Click OK.
7. Click Done.

Configure antivirus settings


Use this procedure to configure the antivirus settings for Microsoft Office SharePoint Server 2007. You can activate antivirus measures only after installing a compatible antivirus scanner. In a server farm, you must install antivirus software on every front-end Web server in the server farm. You can configure four antivirus settings:
- Scan documents on upload: Select this setting to scan uploaded documents. This helps prevent users with infected documents from distributing them to other users.
- Scan documents on download: Select this setting to scan downloaded documents. This helps prevent users from downloading infected documents by warning them about infected files. Users can still choose to download infected files, unless the option to allow users to download infected documents is not selected.
- Allow users to download infected documents: If this option is selected, users can download infected documents. In most cases, do not select this option. Unless you have a specific reason to download infected documents, such as troubleshooting a virus infection on your system, do not select this option.
- Attempt to clean infected documents: Select this setting to automatically clean infected documents that were discovered during scanning.

Administrative credentials
Membership in the Administrators group of the Central Administration site is required to complete this procedure.

Configure antivirus settings

1. On the top navigation bar, click Operations.
2. On the Operations page, in the Security Configuration section, click Antivirus.
3. On the Antivirus page, in the Antivirus Settings section, select one or all of the following:
   - Scan documents on upload
   - Scan documents on download
   - Allow users to download infected documents
   - Attempt to clean infected documents
4. Click OK.

For information about how to perform this procedure using the Stsadm command-line tool, see Antivirus: Stsadm properties (http://technet.microsoft.com/en-us/library/cc261683.aspx).

Configure authentication
In this section:
- Configure anonymous access
- Configure digest authentication
- Configure forms-based authentication
- Configure Web SSO authentication by using ADFS
- Configure Kerberos authentication

Authentication is the process of validating client identity, usually by means of a designated authority. Web site authentication helps establish that a user who is trying to access Web site resources can be verified as an authenticated entity. An authentication application obtains credentials from a user who is requesting Web site access. Credentials can be various forms of identification, such as user name and password. The authentication application tries to validate the credentials against an authentication authority. If the credentials are valid, the user who submitted the credentials is considered to be an authenticated identity.

Office SharePoint Server authentication


To determine the most appropriate Office SharePoint Server authentication mechanism to use, consider the following issues:
- To use a Windows authentication mechanism, you need an environment that supports user accounts that can be authenticated by a trusted authority.
- If you use a Windows authentication mechanism, the operating system performs user credential management tasks.
- If you use an authentication provider other than Windows, such as forms authentication, you must plan and implement a credential management system and determine where to store user credentials.
- You might need to implement an impersonation/delegation model that can pass a user's operating system-level security context across tiers. This enables the operating system to impersonate the user and delegate the user's security context to the next downstream subsystem.

Microsoft Office SharePoint Server is a distributed application that is logically divided into three tiers: the front-end Web server tier, the application server tier, and the back-end database tier. Each tier is a trusted subsystem and authentication can be required for access to each tier. Credential validation requires an authentication provider. Authentication providers are software components that support specific authentication mechanisms. Office SharePoint Server 2007 authentication is built on the ASP.NET authentication model and includes three authentication providers:
- Windows authentication provider
- Forms authentication provider
- Web SSO authentication provider

You can use the Active Directory directory service for authentication, or you can design your environment to validate user credentials against other data stores, such as a Microsoft SQL Server database, a Lightweight Directory Access Protocol (LDAP) directory, or any other directory that has an ASP.NET 2.0 membership provider. The membership provider specifies the type of data store you are going to use. The default ASP.NET 2.0 membership provider uses a SQL Server database. Office SharePoint Server 2007 includes an LDAP v3 membership provider, and ASP.NET 2.0 includes a SQL Server membership provider. You can also deploy multiple authentication providers to enable, for example, intranet access by using Windows authentication and external access by using forms authentication. Using multiple authentication providers requires the use of multiple Web applications. Each Web application must have a designated zone and a single authentication provider. The authentication providers are used to authenticate against user and group credentials that are stored in Active Directory, in a SQL Server database, or in a non-Active Directory LDAP directory service (such as NDS). For more information about ASP.NET membership providers, see Configuring an ASP.NET Application to Use Membership (http://go.microsoft.com/fwlink/?LinkId=87014&clcid=0x409).

Windows authentication provider


The Windows authentication provider supports the following authentication methods:

Anonymous authentication
Anonymous authentication enables users to find resources in the public areas of Web sites without having to provide authentication credentials. Internet Information Services (IIS) creates the IUSR_computername account to authenticate anonymous users in response to a request for Web content. The IUSR_computername account, where computername is the name of the server that is running IIS, gives the user access to resources anonymously under the context of the IUSR account. You can reset anonymous user access to use any valid Windows account. In a stand-alone environment, the IUSR_computername account is on the local server. If the server is a domain controller, the IUSR_computername account is defined for the domain. By default, anonymous access is disabled when you create a new Web application. This provides an additional layer of security, because IIS rejects anonymous access requests before they can ever be processed if anonymous access is disabled.

Basic authentication
Basic authentication requires previously assigned Windows account credentials for user access. Basic authentication enables a Web browser to provide credentials when making a request during an HTTP transaction. Because user credentials are not encrypted for network transmission, but are sent over the network in plaintext, using basic authentication over an unsecured HTTP connection is not recommended. To use basic authentication, you should enable Secure Sockets Layer (SSL) encryption.

Digest authentication
Digest authentication provides the same functionality as basic authentication, but with increased security. User credentials are encrypted instead of being sent over the network in plaintext. User credentials are sent as an MD5 message digest in which the original user name and password cannot be deciphered. Digest authentication uses a challenge/response protocol that requires the authentication requestor to present valid credentials in response to a challenge from the server. To authenticate against the server, the client has to supply an MD5 message digest in a response that contains a shared secret password string. The MD5 Message-Digest Algorithm is described in detail in Internet Engineering Task Force (IETF) RFC 1321 (http://www.ietf.org). To use digest authentication, note the following requirements:
- The user and IIS server must be members of, or trusted by, the same domain.
- Users must have a valid Windows user account stored in Active Directory on the domain controller.
- The domain must use a Microsoft Windows Server 2003 domain controller.
- You must install the IISSuba.dll file on the domain controller. This file is copied automatically during Windows Server 2003 Setup.

Integrated Windows authentication
Integrated Windows authentication can be implemented using either NTLM or constrained Kerberos delegation. Constrained Kerberos delegation is the most secure authentication method. Integrated Windows authentication works well in an intranet environment where users have Windows domain accounts. In Integrated Windows authentication, the browser attempts to use the current user's credentials from a domain logon, and if the attempt is unsuccessful, the user is prompted to enter a user name and password. If you use Integrated Windows authentication, the user's password is not transmitted to the server. If the user has logged on to the local computer as a domain user, the user does not have to authenticate again when the user accesses a network computer in that domain.

Kerberos authentication
This method is for servers that are running Active Directory on Microsoft Windows 2000 Server and more recent versions of Windows. Kerberos is a secure protocol that supports ticketing authentication. A Kerberos authentication server grants a ticket in response to a client computer authentication request that contains valid user credentials. The client computer then uses the ticket to access network resources. To enable Kerberos authentication, the client and server computers must have a trusted connection to the domain Key Distribution Center (KDC). The client and server computers must also be able to access Active Directory. For more information about configuring a virtual server to use Kerberos authentication, see Microsoft Knowledge Base article 832769: How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?LinkId=115572&clcid=0x409).

Constrained Kerberos delegation
Constrained authentication is the most secure configuration for communication between multiple application tiers. You can use constrained delegation to pass the original caller's identity through multiple application tiers: for example, from a Web server to an application server to a database server. Constrained Kerberos delegation is also the most secure configuration for accessing back-end data sources from application servers. Impersonation enables a thread to run in a security context other than the context of the process that owns the thread. In most server farm deployments in which front-end Web servers and application servers run on different computers, impersonation will require constrained Kerberos delegation.

Impersonation and Kerberos delegation
Kerberos delegation enables an authenticated entity to impersonate the credentials of a user or computer within the same forest. When impersonation is enabled, the impersonating entity is allowed to use credentials for performing tasks on behalf of the impersonated user or computer. During impersonation, ASP.NET applications can run by using the credentials of another authenticated entity. By default, ASP.NET impersonation is disabled. If impersonation is enabled for an ASP.NET application, then that application runs using the credentials of the access token IIS passes to ASP.NET. That token can be either an authenticated user token, such as a token for a logged-in Windows user, or the token that IIS provides for anonymous users (typically, the IUSR_computername identity). When impersonation is enabled, only your application code runs under the context of the impersonated user. Applications are compiled and configuration information is loaded by using the identity of the ASP.NET process. For more information about impersonation, see ASP.NET Impersonation (http://go.microsoft.com/fwlink/?LinkId=115573&clcid=0x409).

NTLM authentication
This method is for Windows servers that are not running Active Directory on a domain controller. NTLM authentication is required for networks that receive authentication requests from client computers that do not support Kerberos authentication. NTLM is a secure protocol that supports user credential encryption and transmission over a network. NTLM is based on encrypting user names and passwords before sending the user names and passwords over the network. NTLM authentication is required in networks where the server receives requests from client computers that do not support Kerberos authentication. NTLM is the authentication protocol that is used in Windows NT Server and in Windows 2000 Server workgroup environments, and in many Active Directory deployments. NTLM is used in mixed Windows 2000 Active Directory domain environments that must authenticate Windows NT systems. When Windows 2000 Server is converted to native mode where no down-level Windows NT domain controllers exist, NTLM is disabled. Kerberos then becomes the default authentication protocol for the enterprise.

Forms authentication provider


The forms authentication provider supports authentication against credentials stored in Active Directory, in a database such as a SQL Server database, or in an LDAP data store such as Novell eDirectory, Novell Directory Services (NDS), or Sun ONE. Forms authentication enables user authentication based on validation of credential input from a logon form. Unauthenticated requests are redirected to a logon page, where the user must provide valid credentials and submit the form. If the request can be authenticated, the system issues a cookie that contains a key for reestablishing the identity for subsequent requests.

Web single sign-on (SSO) authentication provider


Web SSO is also referred to as federated authentication or delegate authentication, because it supports secure communication across network boundaries. SSO is an authentication method that enables access to multiple secure resources after a single successful authentication of user credentials. There are several different implementations of SSO authentication. Web SSO authentication supports secure communication across network boundaries by enabling users who have been authenticated in one organization to access Web applications in another organization. Active Directory Federation Services (ADFS) supports Web SSO. In an ADFS scenario, two organizations can create a federation trust relationship that enables users in one organization to access Web-based applications that are controlled by another organization. For information about using ADFS to configure Web SSO authentication, see Configure Web SSO authentication by using ADFS. For information about how to perform this procedure using the Stsadm command-line tool, see Authentication: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263116.aspx).

Configure anonymous access


In this section:
- About anonymous access
- Enable anonymous access for a zone
- Enable anonymous access for individual sites
- Enable anonymous access for individual lists

Anonymous access enables users to find resources in the public areas of Web sites without having to provide authentication credentials.

About anonymous access


Internet Information Services (IIS) creates the IUSR_computername account to authenticate anonymous users in response to a request for Web content. The IUSR_computername account, where computername is the name of the server that is running IIS, gives the user access to resources anonymously under the context of the IUSR account. You can reset anonymous user access to use any valid Windows account.

Note: You can set up different anonymous accounts for different Web sites, virtual or physical directories, and files.

In a stand-alone environment, the IUSR_computername account is on the local server. If the server is a domain controller, the IUSR_computername account is defined for the domain. By default, anonymous access is disabled by Office SharePoint Server 2007 when you create a new Web application. This provides an additional layer of security because IIS rejects anonymous access requests before they can ever be processed by Office SharePoint Server 2007 if anonymous access is disabled.

Enable anonymous access for a zone


Use the following procedures to enable anonymous access for a zone of a Web application. Within each Web application, you can categorize different classes of users into one of the following five zones:
- Internet is the zone used for customers. Typically, the Internet zone is the only zone you would configure for anonymous access.
- Intranet is the zone used for internal employees.
- Default is the zone used for remote employees.
- Custom is the zone used for administrators.
- Extranet is the zone used for partners.

Enable anonymous access for a zone of a Web application

1. From Administrative Tools, open the SharePoint Central Administration Web site application.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the Application Security section, click Authentication providers.
4. On the Authentication Providers page, make sure the Web application that is listed in the Web Application box (under Site Actions) is the one that you want to configure. If the listed Web application is not the one that you want to configure, click the drop-down arrow to the right of the Web Application drop-down list box and select Change Web Application.
5. In the Select Web Application dialog box, click the Web application that you want to configure.
6. On the Authentication Providers page, click the zone of the Web application on which you want to enable anonymous access. The zones that are configured for the selected Web application are listed on the Authentication Providers page.
7. On the Edit Authentication page, in the Anonymous Access section, select Enable Anonymous Access, and then click Save.

At this point, the Web application zone has been enabled for anonymous access.

Enable anonymous access for individual sites


Now you need to enable anonymous access for individual sites in the site collection.

Enable anonymous access for individual sites
1. Go to the site on which you want to enable anonymous access and click the Site Actions menu.
2. On the Site Actions menu, click Site Settings.
3. On the Site Settings page, in the Users and Permissions section, click Advanced Permissions.
4. On the Permissions page, on the Settings menu, click Anonymous Access. The settings for anonymous access list three options:
   - Entire Web site: Select this option if you want to enable anonymous access for the entire Web site.
   - Lists and libraries: Select this option if you want to limit anonymous access to only the lists and libraries on your site.
   - Nothing: Select this option if you want to prevent anonymous access from being used on your site.
5. Click OK.

At this point, your site is configured for anonymous access based on the options that you have selected.

Enable anonymous access for individual lists


If you select Lists and libraries, enable anonymous access for individual lists.

Enable anonymous access for individual lists
1. Go to the home page of your Web site and, in the left navigation pane, click View All Site Content.
2. Click the list on which you want to enable anonymous access.
3. On the Settings menu, click List Settings.
4. On the Customize List page, in the Permissions and Management section, click Permissions for this list.
5. On the Permissions page, on the Actions menu, click Edit Permissions. A dialog box is displayed informing you that you are about to create unique permissions for this list. Click OK.
6. On the Settings menu, click Anonymous Access.
7. Select permissions for users who have anonymous access to the list, and then click OK.

At this point, users have anonymous access to the list you have configured. You can control whether users have anonymous access to other lists, the home page, or other pages on this site.
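Because anonymous access is switched on at three separate levels (the zone, the site, and the individual list), it is easy to lose track of where it is actually in effect. The following script is an added example, not part of the Microsoft guide, that reports all three levels for one Web application through the Windows SharePoint Services 3.0 object model. It assumes Windows PowerShell 2.0 on a farm server, an account with farm administrator rights, and the Web application URL shown (an assumption to replace with your own).

```powershell
# Added example (not part of the Microsoft guide): report every zone, site and
# list in a Web application that currently allows anonymous access, using the
# Windows SharePoint Services 3.0 object model. Run on a farm server under an
# account with farm administrator rights. Assumes Windows PowerShell 2.0.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$webAppUrl = "http://intranet.contoso.com"   # assumption: your Web application URL

function Get-AnonymousAccessReport([string]$url) {
    $report = @()
    $webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup([Uri]$url)

    # Zone level: the Enable Anonymous Access setting of each zone
    # (what the Authentication Providers page shows per zone)
    foreach ($zone in $webApp.IisSettings.Keys) {
        $allow = $webApp.IisSettings[$zone].AllowAnonymous
        $report += ("ZONE  {0,-10} AllowAnonymous={1}" -f $zone, $allow)
    }

    # Site level: AnonymousState.On = entire Web site,
    # AnonymousState.Enabled = lists and libraries only, Disabled = nothing
    foreach ($site in $webApp.Sites) {
        try {
            foreach ($web in $site.AllWebs) {
                try {
                    if ($web.AnonymousState -eq [Microsoft.SharePoint.SPWeb+AnonymousState]::Disabled) { continue }
                    $report += ("SITE  {0}  AnonymousState={1}" -f $web.Url, $web.AnonymousState)

                    # List level: a list grants anonymous users only the rights in its
                    # AnonymousPermMask64; an empty mask means no anonymous access
                    foreach ($list in $web.Lists) {
                        if ($list.AnonymousPermMask64 -ne [Microsoft.SharePoint.SPBasePermissions]::EmptyMask) {
                            $report += ("LIST    {0,-40} {1}" -f $list.Title, $list.AnonymousPermMask64)
                        }
                    }
                } finally { $web.Dispose() }
            }
        } finally { $site.Dispose() }
    }
    return $report
}

Get-AnonymousAccessReport $webAppUrl
```

A zone that reports AllowAnonymous=False short-circuits everything below it, which matches the note later in this chapter that disabling anonymous access at the Web application level disables it at all levels. Running the report before and after a change gives a record of exactly which lists became reachable without credentials.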


Configure digest authentication


In this section:
- About digest authentication
- Enable digest authentication for a zone of a Web application
- Configure IIS to enable digest authentication

About digest authentication


Basic authentication requires previously assigned Windows account credentials for user access. It enables a Web browser to provide credentials when making a request during an HTTP transaction. Because the user credentials are not encrypted for network transmission but are sent over the network in plaintext, using basic authentication over an unsecured HTTP connection is not recommended. To use basic authentication, you should enable Secure Sockets Layer (SSL) encryption.

Digest authentication provides the same functionality as basic authentication, but with increased security. Instead of being sent over the network in plaintext, the user credentials are sent as an MD5 message digest from which the original user name and password cannot be read back. Digest authentication uses a challenge/response protocol that requires the requestor to present valid credentials in response to a challenge from the server: the client computes an MD5 message digest over the shared secret (the password) together with the server's challenge and returns that digest, not the password itself. The MD5 Message-Digest Algorithm is described in detail in RFC 1321. For access to RFC 1321, see Internet Engineering Task Force (IETF) (http://www.ietf.org).

To use digest authentication, note the following requirements:
- The user and IIS server must be members of, or trusted by, the same domain.
- Users must have a valid Windows user account stored in Active Directory on the domain controller.
- The domain must use a Microsoft Windows Server 2003 domain controller.
- You must install the IISSuba.dll file on the domain controller. This file is copied automatically during Windows Server 2003 Setup.
- You must install Windows Server 2003 with SP2 or later. Microsoft Office SharePoint Server 2007 does not support digest authentication on Windows Server 2003 with SP1 or earlier.
- To enable digest authentication to work with browsers other than Microsoft Internet Explorer 6.0 or Internet Explorer 7.0, you must install the IIS hotfix described in Knowledge Base article 932729. For information about this hotfix, see FIX: Error message when you try to access a Web site that is hosted on IIS 6.0: Access Denied (http://go.microsoft.com/fwlink/?LinkId=92784&clcid=0x409).
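The challenge/response exchange described above is easiest to understand by computing one. The following script is an added example, not part of the Microsoft guide, that builds a digest response the way RFC 2617 defines it (the RFC 2069 form without qop) and then verifies it the way a server would. The user name, realm, password, nonce and request URI are constructed sample values.

```powershell
# Added example (not part of the Microsoft guide): the arithmetic behind a
# Digest authentication response (RFC 2617, RFC 2069 form without qop), to show
# what crosses the network instead of the password and what the server needs in
# order to check it. All sample values below are constructed.
function Get-Md5Hex([string]$text) {
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($text)
    $hex   = [System.BitConverter]::ToString($md5.ComputeHash($bytes))
    return $hex.Replace("-", "").ToLower()
}

# Client side: response = MD5( HA1 ":" nonce ":" HA2 )
#   HA1 = MD5( user ":" realm ":" password )   HA2 = MD5( method ":" uri )
function Get-DigestResponse([string]$user, [string]$realm, [string]$password,
                            [string]$method, [string]$uri, [string]$nonce) {
    $ha1 = Get-Md5Hex "${user}:${realm}:${password}"
    $ha2 = Get-Md5Hex "${method}:${uri}"
    return Get-Md5Hex "${ha1}:${nonce}:${ha2}"
}

# Server side: verification needs only HA1 and the nonce it issued, never the
# plaintext password, and a response is bound to that nonce and request URI.
function Test-DigestResponse([string]$ha1, [string]$method, [string]$uri,
                             [string]$nonce, [string]$response) {
    $ha2      = Get-Md5Hex "${method}:${uri}"
    $expected = Get-Md5Hex "${ha1}:${nonce}:${ha2}"
    return ($expected -eq $response)
}

# Constructed sample exchange
$user = "alice"; $realm = "contoso.com"; $password = "Sample-Passw0rd"
$nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"     # server challenge (constructed)
$method = "GET"; $uri = "/sites/hr/default.aspx"

$response = Get-DigestResponse $user $realm $password $method $uri $nonce
"Authorization header carries: username=$user realm=$realm nonce=$nonce uri=$uri response=$response"

$ha1 = Get-Md5Hex "${user}:${realm}:${password}"
"Server check with stored HA1 : " + (Test-DigestResponse $ha1 $method $uri $nonce $response)
"Replay against another nonce : " + (Test-DigestResponse $ha1 $method $uri "0123456789abcdef" $response)
```

The second check shows why the server-issued nonce matters: the same response is rejected once the challenge changes. Note that a digest still lets an observer test password guesses offline against a captured response, which is why SSL remains advisable for anything beyond low-value sites even with digest authentication enabled.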


Enable digest authentication for a zone of a Web application


Use the following procedure to enable digest authentication for a zone of a Web application. Within each Web application, you can categorize different classes of users into one of the following five zones:
- Internet is the zone used for customers.
- Intranet is the zone used for internal employees.
- Default is the zone used for remote employees.
- Custom is the zone used for administrators.
- Extranet is the zone used for partners.

Enable digest authentication for a zone of a Web application
1. From Administrative Tools, open the SharePoint Central Administration Web site application.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the Application Security section, click Authentication providers.
4. On the Authentication Providers page, make sure the Web application that is listed in the Web Application box (under Site Actions) is the one that you want to configure. If the listed Web application is not the one that you want to configure, click the drop-down arrow to the right of the Web Application drop-down list box and select Change Web Application.
5. In the Select Web Application dialog box, click the Web application that you want to configure.
6. On the Authentication Providers page, click the zone of the Web application on which you want to enable digest authentication. The zones that are configured for the selected Web application are listed on the Authentication Providers page.
7. On the Edit Authentication page, in the IIS Authentication section, clear the Integrated Windows authentication and Basic authentication check boxes, and then click Save.

At this point, use the IIS Management Console to configure IIS to enable digest authentication.

Configure IIS to enable digest authentication


Use the following procedure to configure IIS to enable digest authentication.

Configure IIS to enable digest authentication
1. From Administrative Tools on the Start menu, click Internet Information Services to start the IIS Management Console.
2. Under the Web Sites node on the console tree, right-click the IIS Web site that corresponds to the Web application zone on which you want to configure digest authentication, and then click Properties.
3. On the Web Site Properties page, click the Directory Security tab.
4. In the Anonymous access and authentication control section, click the Edit button.
5. In the Authenticated access section of the Authentication Methods dialog box, select Digest authentication for Windows domain servers. A dialog box is displayed informing you that digest authentication only works with Active Directory domain accounts, and asking you if you want to continue. Click Yes.
6. In the Realm section of the Authentication Methods dialog box, click the Select button.
7. Select the appropriate realm and click OK. On the other open dialog boxes, click OK.

At this point, your Web site is configured to use digest authentication.
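The Authentication Methods dialog box shows one site at a time, so after the procedure above it is worth confirming from the metabase which methods every site on the server actually accepts. The following script is an added example, not part of the Microsoft guide: it reads each site's root virtual directory through the IIS 6.0 WMI provider, decodes the AuthFlags bitmask, and flags any site that still accepts basic authentication without requiring a secure channel. It assumes Windows Server 2003 with IIS 6.0, Windows PowerShell 2.0, and a local administrator account.

```powershell
# Added example (not part of the Microsoft guide): report the authentication
# methods enabled on each IIS 6.0 Web site by reading the metabase through the
# IIS WMI provider (root\MicrosoftIISv2). Assumes Windows Server 2003 / IIS 6.0,
# Windows PowerShell 2.0, run as a local administrator.

# Bits of the metabase AuthFlags property (MD_AUTH_*) and the AccessSSL bit of AccessSSLFlags
$authBits     = @{ 1 = "Anonymous"; 2 = "Basic"; 4 = "Integrated Windows"; 16 = "Digest"; 64 = "Passport" }
$accessSslBit = 8

function ConvertFrom-AuthFlags([int]$flags) {
    $names = @()
    foreach ($bit in 1, 2, 4, 16, 64) {
        if (($flags -band $bit) -ne 0) { $names += $authBits[$bit] }
    }
    if ($names.Count -eq 0) { return "(none)" }
    return [string]::Join(", ", $names)
}

function Get-IisSiteAuthReport {
    # The MicrosoftIISv2 namespace only accepts packet-privacy (encrypted) connections
    $wmi = @{ Namespace = "root\MicrosoftIISv2"; Authentication = "PacketPrivacy" }
    foreach ($site in Get-WmiObject @wmi -Class IIsWebServerSetting) {
        # The effective per-site settings live on the site's root virtual directory, e.g. W3SVC/1/root
        $root = Get-WmiObject @wmi -Class IIsWebVirtualDirSetting -Filter "Name = '$($site.Name)/root'"
        if ($root -eq $null) { continue }

        $methods     = ConvertFrom-AuthFlags $root.AuthFlags
        $sslRequired = (($root.AccessSSLFlags -band $accessSslBit) -ne 0)
        $warning     = ""
        if ((($root.AuthFlags -band 2) -ne 0) -and -not $sslRequired) {
            $warning = "  <- Basic enabled without 'Require secure channel (SSL)'"
        }
        "{0,-30} {1,-10} auth: {2}{3}" -f $site.ServerComment, $site.Name, $methods, $warning
    }
}

Get-IisSiteAuthReport
```

For the SharePoint site you just configured, the line should list Digest and no longer list Integrated Windows or Basic, matching what you cleared in Central Administration in the previous procedure.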


Configure forms-based authentication


In this section:
- About forms-based authentication
- Configure forms-based authentication across multiple zones
- Configure forms-based authentication for My Sites Web applications
- Configure the SSP for forms-based authentication
- Configure user profiles and people search

Microsoft Office SharePoint Server 2007 authentication is performed by an authentication mechanism that is supported by one of the available authentication providers. Providers are modules that contain the code necessary to authenticate the credentials of a requestor. Authentication for Office SharePoint Server 2007 is built on the ASP.NET authentication model and includes three authentication providers:
- Windows authentication provider
- Forms-based authentication provider
- Web Single Sign-On (SSO) authentication provider

In addition, ASP.NET supports the use of pluggable authentication providers, which means that you can write an authentication provider to support any credential store that you want to use.

About forms-based authentication


The forms-based authentication provider supports authentication against credentials stored in Active Directory, in a database such as a SQL Server database, or in a Lightweight Directory Access Protocol (LDAP) data store such as Novell eDirectory, Novell Directory Services (NDS), or Sun ONE.

Forms-based authentication enables user authentication based on validation of credential input from a logon form. Unauthenticated requests are redirected to a logon page, where the user must provide valid credentials and submit the form. If the request can be authenticated, the system issues a cookie that contains a key for reestablishing the identity for subsequent requests.

The forms-based authentication provider supports authentication against credentials stored in one of the following:
- The Active Directory directory service
- A database
- An LDAP data store

To enable forms-based authentication for an Office SharePoint Server 2007 Web site and add users to the user account database, perform the following procedures.


Create a new site
1. On the home page of the SharePoint Central Administration Web site, click Application Management.
2. On the Application Management page, in the SharePoint Web Application Management section, click Create or extend Web application.
3. On the Create or Extend Web Application page, click Create a new Web application.
4. On the Create New Web Application page, in the Security Configuration section, make sure NTLM is selected under Authentication provider. Also, select Yes under Allow Anonymous.
5. Use the default entries to complete the new Web application creation procedure and click OK.

At this point, you have created a new site placeholder. Use the following procedure to create a site collection.

Create a site collection
1. On the top link bar, click Application Management.
2. On the Application Management page, in the SharePoint Site Management section, click Create site collection.
3. On the Create Site Collection page, in the Web Application section, verify that the Web application in which you want to create the site collection is selected. If it is not, click Change Web Application on the Web Application menu. Then, on the Select Web Application page, click the Web application in which you want to create the site collection.
4. In the Title and Description section, type the title and description for the site collection.
5. In the Web Site Address section, under URL, select the path to use for your URL.
   Note: If you select a wildcard inclusion path, you must also type the site name to use in the URL of your site. The paths available for the URL option are taken from the list of managed paths that have been defined as wildcard inclusions.
6. In the Template Selection section, in the Select a template list, select the template that you want to use for the top-level site in the site collection.
7. In the Primary Site Collection Administrator section, enter the user name (in the form domain\username) for the user who will be the site collection administrator.
8. If you want to identify a user as the secondary owner of the new top-level Web site (recommended), in the Secondary Site Collection Administrator section, enter the user name for the secondary administrator of the site collection.
9. If you are using quotas to limit resource use for site collections, in the Quota Template section, click a template in the Select a quota template list.
10. Click OK.

At this point, you have created a site collection. Use the following procedure to configure a forms-based authentication provider.

Configure a forms-based authentication provider
1. On the home page of the SharePoint Central Administration Web site, click Application Management.
2. On the Application Management page, in the SharePoint Web Application Management section, click Web application list.
3. On the Web Application List page, double-click the new Web application that you created in the previous procedure.
4. On the Application Management page, in the Application Security section, click Authentication providers.
5. On the Authentication Providers page, click the zone name for the authentication provider whose settings you want to configure.
6. On the Edit Authentication page, in the Authentication Type section, select Forms. If you need to explicitly grant anonymous access to a site collection, in the Anonymous Access section, select the Enable anonymous access check box for all sites within the Web application. To disable anonymous access for all sites within the Web application, clear the Enable anonymous access check box.
   Note: If you enable anonymous access here, anonymous access can still be denied at the site collection level or at the site level. However, if you disable anonymous access here, it is disabled at all levels within the Web application.
7. In the Membership Provider Name section, in the Membership provider name box, type the name of the membership provider that you want to use.
   Note: If the Web application is going to support forms-based authentication, the membership provider must be correctly configured in the Web.config file for the IIS Web application that hosts SharePoint content on each Web server. The membership provider must also be added to the Web.config file for the IIS Web application that hosts Central Administration.
8. In the Client Integration section, under Enable Client Integration, make sure No is selected, and then click Save. If you select Yes, features that start client applications according to document types will be enabled. This option will not work correctly with some types of forms-based authentication. If you select No, features that start client applications according to document types will be disabled. Users will have to download documents and then upload them after they make changes.


Notes

For forms-based authentication, client integration is disabled by default. When client integration is disabled, links to client applications are not visible and documents cannot be opened in client applications; documents can only be opened in a Web browser. However, users can download documents, edit them in client applications locally, and then upload them to the site.

Client integration is disabled by default when you use forms-based authentication. This is because client integration does not natively support forms-based authentication. You might be able to use many client integration features with forms-based authentication, and there are workarounds available to implement varying levels of client integration functionality with forms-based authentication. However, if published workarounds are inadequate, or if you find unexpected issues using workarounds, we do not provide support and there are no product changes to address these issues. If you plan to use client integration with forms-based authentication, you must fully test any available solutions or workarounds to determine if the performance and functionality are acceptable in your environment. Product Support can provide commercially reasonable support to help you troubleshoot published workarounds.

After a user provides credentials, the system issues a cookie that identifies the user. On subsequent requests, the system first checks the cookie to see whether the user has already been authenticated, so the user does not have to supply credentials again. If the user has not selected the Remember me? box on the logon page, the credential information is not cached on the client computer, and is valid only during the current session. This is especially important in a scenario where users are connecting from public computers or kiosks, where you would not want user credentials to be cached.

Users are required to reauthenticate if they close the browser, log off from a session, or navigate to another Web site. Also, you can configure a maximum idle session time-out value to force reauthentication if a user is idle for a prolonged period of time during a session.

Configure forms-based authentication across multiple zones


Implementing forms-based authentication can interfere with enterprise search functionality. To enable search across content authenticated using a custom authentication mechanism, you must have the Default zone configured to support NTLM authentication. The Office SharePoint Server 2007 search crawler polls zones in the following order:
1. Default zone
2. Intranet zone
3. Internet zone
4. Custom zone
5. Extranet zone

Note: If you use forms-based authentication and the Office SharePoint Server 2007 search crawler polls a zone that is configured to support Kerberos authentication, the Office SharePoint Server 2007 search crawler will fail. If you use forms-based authentication and the Office SharePoint Server 2007 search crawler polls a zone that is configured to support basic or certificate authentication, you have to configure a crawl rule and provide credentials or certificates in the Shared Services Provider (SSP) search settings. If a crawl rule is not configured, the crawler will cycle through all of the zones until it finds a zone that is configured with NTLM. If the crawler finds a zone configured with NTLM, the crawl will succeed. If the crawler finds a zone configured with Kerberos or Digest authentication, the crawl will fail and polling will stop.

Office SharePoint Server 2007 does not allow a Web application to work with the same provider name across multiple zones. You can configure the Web.config file to use the same provider for each zone; however, the name of the provider has to be unique for each zone. For additional information on authentication mechanisms and samples for configuring forms-based authentication with multiple providers, see Plan for authentication (http://technet.microsoft.com/en-us/library/cc263434.aspx).

Configure forms-based authentication for My Sites Web applications


To plan a forms-based authentication implementation across your Office SharePoint Server 2007 deployment, you need to determine how to configure forms-based authentication to interoperate with My Sites Web applications. To ensure that forms-based authenticated users can perform people searches and create My Sites Web applications in an Office SharePoint Server 2007 farm, perform the following procedure:
1. Create a Web application with NTLM authentication configured for the Default zone. For information about creating a Web application, see Create or extend Web applications.
2. Create an SSP. For information about creating an SSP, see Chapter overview: Create and configure Shared Services Providers. At this point, all the Web applications are extended to the Default zone, and the authentication mechanism is configured as NTLM.


3. To ensure that the crawler can access the content, configure the extended content Web application for forms-based authentication by selecting the Web application from the Web Application list in Central Administration, as shown in the following figure:

4. Follow the link to Create or Extend Web Application and choose the option to extend a Web application. Type in the details, such as choosing a port number where the new Web application will be hosted in IIS, and choosing the zone that this extended Web application will reside under. The following figure shows the original Web application, which is always created in the Default zone, and the extended Web application created under the Custom zone.

   Each of the zones identifies the logical separation of access restrictions to the same content.
   Note: You cannot increase the number of zones.
5. Configure the membership provider name of the extended Web application for forms-based authentication, as shown in the following figure.

   After extending the content Web application to a different zone, you can configure authentication providers and enable different authentication mechanisms using different URLs. At this point, add a provider section in the Web.config file of the extended Web application.
   Note: Adding the provider section in the Web.config file for the default zone will have no impact on Office SharePoint Server 2007 awareness of the provider for the new zone. Practically, the two zones are isolated from each other as far as IIS Web sites are concerned, even though they will still share the same application pool.
6. Modify the authentication provider by following the link to the Authentication Providers page. This page displays all of the zones on which the Web application has been extended. Select the appropriate zone and configure the authentication provider. In the preceding example, the authentication provider is configured as the PeopleDCLDAPMemberShipProvider for the Custom zone.
7. Add the first administrative user who will have administrative access on all site collections within the Web application. In this example, the content is the same and the site collections are identical across all the extended zones (Default and Custom), even though the URLs are different. When the Web application is first created, the application pool identity is granted Full Read permissions on the Web application for all zones. For the Default zone, access is controlled by the primary site collection administrator who was specified during the creation of the site collection at the root of the Web application. For the extended zone, you have to add a specific user with Full Control on the Web application to enable initial logon to the site collections and to perform administrative tasks. To add a user, click Add Users on the Policy for Web Application page, and select a zone. Run the People Picker and resolve the name of the user.
   Note: The user will be added as provider:username because the People Picker will resolve the user by using the provider configured in the Web.config file for the extended Web application. Office SharePoint Server 2007 ignores the custom provider if All Zones is selected in the Zone drop-down list. Therefore, it is very important to ensure that the appropriate zone is selected.
8. After the user has been added, verify that forms-based authentication is functioning by browsing to the URL for the extended zone. In this example, the content Web application is in the Default zone on port 2000 and is extended to the Custom zone on port 2001. Browse to the extended port.
9. At this point, the forms-based authentication logon screen is displayed. Type the credentials for the user you added earlier, and click Submit. You are then redirected to the Default.aspx page of the site. The Default.aspx page is very similar to a standard Default.aspx page of a default zone site. However, in this example, the My Site creation link is not displayed. My Sites and personalization are services provided by the Shared Services Provider (SSP). There is an existing SSP that provides these services to this Web application. At this point in the procedure, the SSP is unaware of the new user, whose credentials you used to log in. Because links are security trimmed, they are not displayed and, in this example, the current user is not recognized by the SSP. To correct this situation, enable the SSP for forms-based authentication, as described in the following procedure.

Configure the SSP for forms-based authentication


To configure the Shared Services Provider (SSP) for forms-based authentication, extend the SSP administration Web application to map to the same zone as the content Web application. On the Manage this Farm's Shared Services page, the administration site host for the SSP is listed on port 80, and the SSP is only aware of NTLM authentication. To make the SSP aware of the custom provider, configure the SSP for forms-based authentication.
1. Extend the Web application on port 80 (the administration site host) to the same zone on which the content Web application was extended, and then configure the extended Web application for forms-based authentication.
   Note: Typically, users are not aware of this new Web application, and it only provides forms-based authentication awareness to the SSP.
2. Browse to the new SSP administration site. After the administration Web application is forms-based authentication enabled, you can point the browser to a URL such as http://<server>:<extended port>/ssp/admin/default.aspx. This is similar to the URL for the SSP administration site (with a different port number). However, now you are prompted for credentials on the forms-based authentication logon page. After you enter the credentials of the user that you added during the Add Users procedure on the Policy for Web Application page, you are redirected to the Administration page.
   Note: If you try to browse to Personalization Services Permissions in the User Profiles and My Sites section of the Shared Services Administration page, access is denied. This is because the logged-on user does not have permissions to modify personalization services permissions even though the forms-based authenticated user has permissions to browse the site. To change this behavior, the user has to have permissions explicitly provided in a different account, and the account itself has to have permissions to modify personalization services permissions. In this example, that configuration would be difficult to configure because you are currently browsing using the one account that has been added with Full Control over the SSP. Users in a Windows authenticated zone are the only ones who have permissions to edit personalization services permissions. To enable forms-based authenticated users to edit personalization services permissions, you must be logged on as a user in a Windows authenticated zone.
3. Add permissions for personalization links by logging in to the SSP administration site using the Default zone.


   Note: Make sure the welcome control displays the identity of the Windows user.
4. Browse to the Personalization Services Permissions page, and launch the People Picker.
5. Try resolving the forms-based authenticated user here. The People Picker will not resolve the forms-based authenticated user because this zone is not aware that there is another provider that can be queried to find these users.
6. To make this zone aware of the provider, modify the Web.config file for this zone and add the same provider section that you added for enabling forms-based authentication.
   Important: In the Web.config file, do not set the defaultProvider attribute. If you set this attribute, the People Picker and security trimmer will always use this provider to resolve and authenticate users.
7. Browse back to the Personalization Services Permissions page and launch the People Picker, which now resolves the forms-based authentication user and displays all users who meet the same criteria.
8. Select a user and choose the permissions you want to assign to this user:
   - Create Personal Site: This permission is required to make the My Site link visible, and enables users to create a My Site.
   - Use Personal Features: This permission enables users to access SSP and My Site features.
   - Manage user profiles: This permission enables users to view and manage user profiles from the Profile Store.
   - Manage Audiences: This permission enables users to manage audiences.
   - Manage Permissions: This permission enables permission management on an SSP.
   - Manage Usage Analytics: This permission enables users to manage and configure usage analysis.
9. Click Save.

At this point, you can log back on to the Custom zone SSP site as a forms-based authenticated user and add additional users. In addition, you can configure sets of permissions for these additional users. After the user is enabled with the Create Personal Site permissions, the My Site link will be displayed. You can browse to the Custom zone portal using the forms-based authenticated user and note that the Welcome control suite displays the My Site link. However, clicking the link will not actually create a My Site. This is because the SSP still only refers to the default zone for the My Site host, even though the SSP is extended on the Custom zone. The Web application is not yet aware of the forms authenticated users. You can address this by extending the My Site Web application and configuring it for forms-based authentication.

Because you can manually set the My Site host from within the SSP, it does not matter if the My Site host is extended to a different zone than the SSP administration Web application. If you are implementing a scenario in which these two zones have to be different, you can browse to the SSP, using forms-based authentication, and manually set the My Site host. Browse to the SSP administration Web site using forms-based authentication and then browse to the My Site Settings page. Now you can edit the personal site provider to point to the newly extended My Site Web application. If you extend the My Site Web application onto the same zone as the SSP administration Web application, Office SharePoint Server 2007 will automatically realign the My Sites and this manual configuration is not necessary. In addition, you can go to the content site, log on by using forms-based authentication, and create a My Site for the forms-based authenticated user.
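Two rules from this chapter are easy to violate while hand-editing several Web.config files: a provider name may not be reused by more than one forms-authenticated zone of the same Web application, and the provider section copied into a Windows-authenticated zone (so that the People Picker can resolve forms users) must not carry a defaultProvider attribute. The following script is an added example, not part of the Microsoft guide, that parses the membership configuration of each zone and reports violations of both rules, plus a missing explicit forms time-out. The three zone configurations are constructed inline with a helper; the provider name follows the PeopleDCLDAPMemberShipProvider example in the text, and the LDAP server name, container and attribute values are assumptions.

```powershell
# Added example (not part of the Microsoft guide): check the Web.config
# membership configuration that forms-based authentication depends on, across
# the zones of one Web application. Sample configurations are constructed below;
# server name, container and attribute values are assumptions.
$ldapType = "Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, " +
            "Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"

# Builds a minimal Web.config for a zone (constructed sample data)
function New-ZoneConfig([string]$mode, [string]$providerName, [bool]$setDefault, [string]$timeout) {
    $default = ""
    if ($setDefault) { $default = " defaultProvider=`"$providerName`"" }
    $forms = ""
    if ($mode -eq "Forms") {
        $forms = "<forms loginUrl=`"/_layouts/login.aspx`" timeout=`"$timeout`" slidingExpiration=`"false`" />"
    }
    $text = @"
<configuration>
  <system.web>
    <authentication mode="$mode">$forms</authentication>
    <membership$default>
      <providers>
        <add name="$providerName" type="$ldapType"
             server="peopledc.contoso.com" port="389" useSSL="false"
             userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
             userContainer="OU=Users,DC=contoso,DC=com" userObjectClass="person"
             userFilter="(ObjectClass=person)" scope="Subtree" />
      </providers>
    </membership>
  </system.web>
</configuration>
"@
    return [xml]$text
}

# Applies the chapter's rules to a set of zone configurations and returns findings
function Test-ZoneConfigs([hashtable]$configsByZone) {
    $findings = @()
    $formsProviderOwner = @{}    # provider name -> first forms zone that uses it
    foreach ($zone in $configsByZone.Keys) {
        $cfg  = $configsByZone[$zone]
        $mode = $cfg.SelectSingleNode("/configuration/system.web/authentication/@mode").Value
        $membership = $cfg.SelectSingleNode("/configuration/system.web/membership")
        if ($membership -eq $null) {
            $findings += "${zone}: no <membership> element, so the People Picker cannot resolve forms users"
            continue
        }
        # Rule: the copied provider section in a Windows zone must not become the default provider
        if ($mode -ne "Forms" -and $membership.HasAttribute("defaultProvider")) {
            $findings += "${zone}: defaultProvider is set in a Windows-authenticated zone; People Picker and security trimming would use it for every user"
        }
        $names = @($cfg.SelectNodes("/configuration/system.web/membership/providers/add") |
                   ForEach-Object { $_.GetAttribute("name") })
        if ($mode -eq "Forms") {
            if ($names.Count -eq 0) { $findings += "${zone}: Forms mode but no membership provider is defined" }
            $forms = $cfg.SelectSingleNode("/configuration/system.web/authentication/forms")
            if ($forms -eq $null -or -not $forms.HasAttribute("timeout")) {
                $findings += "${zone}: no explicit timeout on <forms>; the ASP.NET default idle time-out applies"
            }
            # Rule: a provider name must be unique per forms-authenticated zone
            foreach ($n in $names) {
                if ($formsProviderOwner.ContainsKey($n)) {
                    $findings += "${zone}: provider name '$n' is already used by forms zone $($formsProviderOwner[$n]); names must be unique per zone"
                } else { $formsProviderOwner[$n] = $zone }
            }
        }
    }
    return $findings
}

# Constructed scenario: Default zone (Windows) wrongly sets defaultProvider, and two
# forms zones reuse the same provider name
$configs = @{
    "Default"  = New-ZoneConfig "Windows" "PeopleDCLDAPMemberShipProvider" $true  ""
    "Custom"   = New-ZoneConfig "Forms"   "PeopleDCLDAPMemberShipProvider" $false "30"
    "Extranet" = New-ZoneConfig "Forms"   "PeopleDCLDAPMemberShipProvider" $false "30"
}
Test-ZoneConfigs $configs
```

On a real farm, replace New-ZoneConfig with `[xml](Get-Content $path)` for each zone's Web.config under the IIS site folders, and run the check on every Web server, since each server carries its own copies of the files.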

Configure user profiles and people search


To plan a forms-based authentication implementation across your Office SharePoint Server 2007 deployment, you need to determine how to configure forms-based authentication to interoperate with user profiles and people search. Office SharePoint Server 2007 imports user profiles using the active authentication provider. For people search to work with forms-based authentication, the user profiles have to be imported with the forms-based authentication provider. If the same set of users is imported using Windows authentication over the Default zone, and forms-based authentication over the Custom zone, profile import will import the same set of users at the same time, identifying them differently. For example, the user "domain\user1" is treated differently from the user "provider:user1". This is true even though all of the properties are identical, including the source from which they were imported. It is the provider that differentiates the two users and treats them as two different users.

Assuming that you have already configured the SSP administration Web application to work with forms-based authentication, perform the following procedures to enable people search. Make sure that the SSP administration Web application is extended and correctly configured to use forms-based authentication. In addition, note that the administrative user should be explicitly assigned permission to manage user profiles from the Personalization Service Permissions page.
1. To configure a user profile import, browse to the SSP administration site for the Custom zone. Because this has already been configured with forms-based authentication, you can log on using the credentials of the administrative user.
2. Click User Profiles and Properties and configure a new import connection. The available options are Active Directory, LDAP Directory, Active Directory Resource, and Business Data Catalog. In this example, because the source is a user store on a domain, an LDAP directory is selected as the connection type.
3. Populate the connection name and the name of the LDAP server, as defined in the provider section.
4. Type the provider name, as listed in the Web.config file, and the user name attribute from the provider section. The rest of the information should be filled in automatically.
5. Start the import using the newly added import connection.


6. Verify that the profiles are imported by clicking View User Profiles, as shown in the following figure:

   After the import is performed, the user profile store in Office SharePoint Server 2007 is updated with the new profiles. To enable people search, perform the next step.
7. Initiate a crawl of the people content source. When the crawl is complete, you will be able to perform a people search on the forms-based authentication site.


Configure Web SSO authentication by using ADFS


In this section:
- About federated authentication systems
- Before you begin
- Configuring your extranet Web application to use Web SSO authentication
- Allowing users access to your extranet Web site
- Working with the People Picker
- Working with E-mail and UPN claims
- Working with groups and organizational group claims

About federated authentication systems


Microsoft Office SharePoint Server 2007 provides support for federated authentication scenarios where the authentication system is not local to the computer that hosts Office SharePoint Server 2007. Federated authentication systems are also known as Web single sign-on (SSO) systems. With Active Directory Federation Services (ADFS), people in one company can access servers hosted by a different company by using their existing Active Directory accounts. ADFS also establishes a trust relationship between the two companies and a seamless one-time logon experience for end users. ADFS relies on 302 redirects to authenticate end users. Users are issued an authentication token (cookie) after they are authenticated.

Before you begin


Before you use ADFS to configure Web SSO authentication for your extranet Web application, you should become familiar with the following resources:
- Microsoft SharePoint Products and Technologies Team Blog entry about configuring multiple authentication providers (http://blogs.msdn.com/sharepoint/archive/2006/08/16/configuring-multiple-authentication-providers-for-sharepoint-2007.aspx).
- Step-by-Step Guide for Active Directory Federation Services (http://go.microsoft.com/fwlink/?LinkId=145396). The server names and examples used in this section are based on this step-by-step guide, which describes setting up ADFS in a small lab environment. In this environment, a new server named Trey-SharePoint is joined to the Trey Research forest.

Follow the steps in the step-by-step guide to configure your ADFS infrastructure. However, because this section describes how to configure Office SharePoint Server 2007 as a claims-aware application, you do not have to implement the steps in the step-by-step guide for building Windows NT token-based applications.


Note: When you use the People Picker to add users to Windows SharePoint Services 3.0, Windows SharePoint Services 3.0 validates the users against the provider, which in this example is ADFS. Therefore, you should configure the Federation Server before you configure Windows SharePoint Services 3.0.

Important: The setup process has been captured in a VBScript file that you can use to configure Office SharePoint Server 2007 to use ADFS for authentication. The script is contained in the file SetupSharePointADFS.zip, which is available as an attachment on the Microsoft SharePoint Products and Technologies blog. For more information, see the blog page A script to configure SharePoint to use ADFS for authentication (http://go.microsoft.com/fwlink/?LinkId=113894).

Configuring your extranet Web application to use Web SSO authentication


1. Install the Web Agent for Claims Aware Applications.
2. Download and install the hot fix for ADFS described in The role provider and the membership provider cannot be called from Windows SharePoint Services 3.0 on a Windows Server 2003 R2-based computer that is running ADFS and Microsoft Windows SharePoint Services 3.0 (http://go.microsoft.com/fwlink/?LinkId=145397). This hot fix will be included in Windows Server 2003 Service Pack 2 (SP2).
3. Install Office SharePoint Server 2007, configure all the services and servers in the farm, and then create a new Web application. By default, this Web application is configured to use Windows authentication, and it will be the entry point through which your intranet users access the site. In the example used in this section, the site is named http://trey-moss.
4. Extend the Web application that you created in step 3 into another zone. On the Application Management page in the SharePoint Central Administration Web site, click Create or Extend Web Application, click Extend an existing Web Application, and then do the following:
   a. Add a host header. This is the DNS name by which the site will be known to users in the extranet. In this example, the name is extranet.treyresearch.net.
   b. Change the zone to Extranet.
   c. Give the site a host header name that you will configure in DNS for your extranet users to resolve against.
   d. Click Use Secure Sockets Layer (SSL), and change the port number to 443. ADFS requires that sites be configured to use SSL.
   e. In the Load Balanced URL box, delete the text string :443. Internet Information Services (IIS) will automatically use port 443 because you specified the port number in the previous step.
   f. Complete the rest of the steps on the page to finish extending the Web application.

5. On the Alternate Access Mappings (AAM) page, verify that the URLs resemble the following table.

   Internal URL                        Zone       Public URL for Zone
   http://trey-moss                    Default    http://trey-moss
   https://extranet.treyresearch.net   Extranet   https://extranet.treyresearch.net

6. Add an SSL certificate to the Extranet Web Site in IIS. Make sure that this SSL certificate is issued to extranet.treyresearch.net, because this is the name that clients will use when they access the sites.
7. Configure the authentication provider for the Extranet zone of your Web application to use Web SSO by doing the following:
   a. On the Application Management page of your farm's Central Administration site, click Authentication Providers.
   b. Click Change in the upper-right corner of the page, and then select the Web application on which you want to enable Web SSO.
   c. In the list of two zones that are mapped for this Web application (both of which should say Windows), click the Windows link for the Extranet zone.
   d. In the Authentication Type section, click Web Single Sign On.
   e. In the Membership provider name box, type SingleSignOnMembershipProvider2. Make a note of this value; you will add it to the name attribute of the <membership> provider entry in the web.config files that you edit in the next procedure.
   f. In the Role manager name box, type SingleSignOnRoleProvider2. Make a note of this value; you will add it to the name attribute of the <roleManager> provider entry in the web.config files that you edit in the next procedure.
   g. Make sure that Enable Client Integration is set to No.
   h. Click Save.

Your extranet Web application is now configured to use Web SSO. However, at this point the site is inaccessible because no one has permissions to it. The next step is to assign permissions to users so that they can access the site.

Note: After you select Web SSO as the authentication provider, Anonymous Authentication is automatically enabled for the SharePoint site in IIS (no user action is required). This setting is required for the site to allow access using only claims.

Allowing users access to your extranet Web site


1. Use a text editor to open the web.config file for the Web site on the Default zone that is using Windows authentication.
2. Add the following entry anywhere in the <system.web> node:

   <membership>
     <providers>
       <add name="SingleSignOnMembershipProvider2"
            type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
            fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
     </providers>
   </membership>
   <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
     <providers>
       <remove name="AspNetSqlRoleProvider" />
       <add name="SingleSignOnRoleProvider2"
            type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
            fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
     </providers>
   </roleManager>

3. Change the value fs-server to the name of your resource Federation Server (adfsresource.treyresearch.net). Make sure that the provider names match the membership provider and role manager names that you entered on the Central Administration Authentication Providers page. With this entry in web.config, the People Picker on the Default zone site that uses Windows authentication knows about the ADFS providers and can therefore resolve ADFS claims, which lets you grant permissions to ADFS claims on your Web site.
4. Grant ADFS claims access to the site by doing the following:
   a. Browse to the Web site on the Default zone that uses Windows authentication as an administrator of the site.
   b. Click the Site Actions menu, point to Site Settings, and then click Advanced Permissions.
   c. Click New, and then click Add Users.
   d. To add a user claim, specify the user's e-mail address or User Principal Name (UPN) in the Users/Groups section. If both UPN and e-mail claims are sent from the federation server, SharePoint uses the UPN to verify against the membership provider. Therefore, if you want to use e-mail, you must disable the UPN claim on your federation server. See Working with E-mail and UPN claims for more information.
   e. To add a group claim, type the name of the claim that you want the SharePoint site to use in the Users/Groups section. For example, create an organizational group claim named Adatum Contributors on the Federation Server, and then add the claim name Adatum Contributors to the SharePoint site as you would a Windows user or group. If you assign this claim to Home Members [Contribute], any user who accesses the SharePoint site with this group claim has Contribute permissions on the site.
   f. Select the appropriate permission level or SharePoint group.
   g. Click OK.
5. Use the text editor of your choice to open the web.config file for the extranet site, and add the following entry to the <configSections> node:

   <sectionGroup name="system.web">
     <section name="websso"
              type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
   </sectionGroup>

6. Add the following entry to the <httpModules> node:

   <add name="Identity Federation Services Application Authentication Module"
        type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />

   Note: The ADFS authentication module must always be specified after the SharePoint SPRequest module in the <httpModules> node of the web.config file. It is safest to add it as the last entry in that section.
7. Add the following entry anywhere under the <system.web> node:

   <membership defaultProvider="SingleSignOnMembershipProvider2">
     <providers>
       <add name="SingleSignOnMembershipProvider2"
            type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
     </providers>
   </membership>
   <roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
     <providers>
       <add name="SingleSignOnRoleProvider2"
            type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
     </providers>
   </roleManager>
   <websso>
     <authenticationrequired />
     <auditlevel>55</auditlevel>
     <urls>
       <returnurl>https://your_application</returnurl>
     </urls>
     <fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs>
     <isSharePoint />
   </websso>

   Note: Change fs-server to the name of your Federation Server, and change your_application to the URL of your extranet Web application.
8. Browse to the https://extranet.treyresearch.net Web site as an ADFS user who has permissions to the extranet Web site.
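The three mistakes that most often break this procedure are silent: a provider name that differs from the value typed into Central Administration, the ADFS module registered before SPRequest, and the fs-server or your_application placeholders left in place. The following Python script is an added example, not part of the original Microsoft documentation or the SetupSharePointADFS script; it parses the extranet zone's web.config and reports those problems. Both configuration fragments are constructed for the example (the SPRequest module line is abbreviated to its type name, and the fixed version uses the Trey Research names from this section).

```python
"""Check the Web SSO (ADFS) entries in the extranet zone's web.config.

Added example; not part of the original Microsoft documentation. It verifies that
the provider names match the Central Administration values, that the ADFS module
follows the SharePoint SPRequest module in <httpModules>, and that the fs-server /
your_application placeholders were replaced with https URLs. Both configs below are
constructed samples: BROKEN_WEB_CONFIG gets all three wrong, FIXED_WEB_CONFIG passes.
"""
import xml.etree.ElementTree as ET

# Names entered in Central Administration (Membership provider name / Role manager name).
EXPECTED_MEMBERSHIP = "SingleSignOnMembershipProvider2"
EXPECTED_ROLE = "SingleSignOnRoleProvider2"
PLACEHOLDERS = ("fs-server", "your_application")

PROVIDER_ASM = ("System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, "
                "Culture=neutral, PublicKeyToken=31bf3856ad364e35")
ADFS_ADD = ('      <add name="Identity Federation Services Application Authentication Module" '
            'type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, '
            'System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, '
            'PublicKeyToken=31bf3856ad364e35, Custom=null" />')
SP_ADD = '      <add name="SPRequest" type="Microsoft.SharePoint.ApplicationRuntime.SPRequestModule, Microsoft.SharePoint" />'

TEMPLATE = """<configuration>
  <system.web>
    <httpModules>
{modules}
    </httpModules>
    <membership defaultProvider="{member}">
      <providers><add name="{member}" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, {asm}" /></providers>
    </membership>
    <roleManager enabled="true" defaultProvider="{role}">
      <providers><add name="{role}" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, {asm}" /></providers>
    </roleManager>
    <websso>
      <urls><returnurl>{ret}</returnurl></urls>
      <fs>{fs}</fs>
      <isSharePoint />
    </websso>
  </system.web>
</configuration>"""

# Wrong on all three counts: ADFS module registered first, membership provider name missing
# the trailing "2" typed into Central Administration, placeholders left in, federation server over http.
BROKEN_WEB_CONFIG = TEMPLATE.format(
    modules="\n".join([ADFS_ADD, SP_ADD]), member="SingleSignOnMembershipProvider",
    role=EXPECTED_ROLE, asm=PROVIDER_ASM, ret="https://your_application",
    fs="http://fs-server/adfs/fs/federationserverservice.asmx")

FIXED_WEB_CONFIG = TEMPLATE.format(
    modules="\n".join([SP_ADD, ADFS_ADD]), member=EXPECTED_MEMBERSHIP,
    role=EXPECTED_ROLE, asm=PROVIDER_ASM, ret="https://extranet.treyresearch.net",
    fs="https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx")


def check_websso_config(xml_text):
    """Return a list of problems; an empty list means the extranet web.config passes."""
    sysweb = ET.fromstring(xml_text).find("system.web")
    if sysweb is None:
        return ["no <system.web> section"]
    problems = []

    # 1. Provider name and defaultProvider must equal the Central Administration values.
    for section, expected in (("membership", EXPECTED_MEMBERSHIP), ("roleManager", EXPECTED_ROLE)):
        node = sysweb.find(section)
        names = [] if node is None else [a.get("name") for a in node.iter("add")]
        if expected not in names:
            problems.append(f"<{section}> has no provider named {expected}; found {names}")
        elif node.get("defaultProvider") != expected:
            problems.append(f"<{section}> defaultProvider is {node.get('defaultProvider')!r}, expected {expected!r}")

    # 2. The ADFS module must be registered after SPRequest (ideally last).
    types = [m.get("type") or "" for m in sysweb.findall("httpModules/add")]
    adfs = [i for i, t in enumerate(types) if "WebSsoAuthenticationModule" in t]
    sp = [i for i, t in enumerate(types) if "SPRequestModule" in t]
    if not adfs:
        problems.append("ADFS WebSsoAuthenticationModule is not registered in <httpModules>")
    elif sp and adfs[0] < sp[0]:
        problems.append("ADFS module is registered before SPRequest in <httpModules>")

    # 3. <websso> URLs: placeholders replaced and https used (ADFS requires SSL).
    websso = sysweb.find("websso")
    if websso is None:
        return problems + ["no <websso> section"]
    for tag in ("fs", "urls/returnurl"):
        el = websso.find(tag)
        value = (el.text or "").strip() if el is not None else ""
        if not value:
            problems.append(f"<websso> {tag} is missing or empty")
            continue
        if any(p in value for p in PLACEHOLDERS):
            problems.append(f"<websso> {tag} still contains a placeholder: {value}")
        if not value.lower().startswith("https://"):
            problems.append(f"<websso> {tag} must use https: {value}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_WEB_CONFIG), ("fixed", FIXED_WEB_CONFIG)):
        print(label, check_websso_config(cfg) or "OK")
```

Run it against a copy of the extranet web.config (read the file and pass its text to check_websso_config) before browsing to the site in step 8; an empty result does not prove the federation trust works, but a non-empty one means the site will fail with no useful error in the browser.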

About using Central Administration


You can also use Central Administration policy to grant rights to ADFS users, but it is best not to use that method, for the following reasons:
- Granting rights by policy is a very coarse operation. It gives the user (or group) the same set of rights in every Web site, in every site collection, on the whole Web application. It should be used very judiciously; in this particular scenario, you can grant access to ADFS users without using this method.
- After the sites are in use in an extranet environment, it is very likely that internal users will be responsible for granting access to sites and content. Because only farm administrators have access to the Central Administration site, it makes the most sense for internal users to add ADFS claims from the Default zone site that uses Windows authentication.

As you extend Web applications by using different providers, you can configure one or more of them to find users and groups from the various providers that you use on that Web application. In this scenario, the site that uses Windows authentication was configured so that its users can select other Windows users, Windows groups, and ADFS claims, all from one site.

Working with the People Picker


The People Picker cannot perform wildcard searches for roles. If you have a Web SSO role provider role named Readers and you type Read in the People Picker search dialog box, it will not find your claim; if you type Readers, it will. This is not a bug: wildcard searching is not possible through the role provider.

Command-line executable files such as stsadm.exe cannot resolve ADFS claims by default. For example, you might want to add a new user to the extranet site by using the stsadm.exe -o adduser command. To enable Stsadm (or another executable file) to resolve users, create a new configuration file by doing the following:

1. Create a new file named stsadm.exe.config in the same directory where stsadm.exe is located (%programfiles%\Common Files\Microsoft Shared\Web Server Extensions\12\BIN).
2. Add the following entry to the stsadm.exe.config file:

   <configuration>
     <system.web>
       <membership defaultProvider="SingleSignOnMembershipProvider2">
         <providers>
           <add name="SingleSignOnMembershipProvider2"
                type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
                fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
         </providers>
       </membership>
       <roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
         <providers>
           <add name="SingleSignOnRoleProvider2"
                type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
                fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
         </providers>
       </roleManager>
     </system.web>
   </configuration>

Note: Change the value of fs-server to your resource Federation Server (adfsresource.treyresearch.net).

Working with E-mail and UPN claims


To configure whether or not the Federation Server is enabled to send e-mail or UPN claims to Office SharePoint Server 2007, perform the following procedure.

1. From Administrative Tools on your Federation Server, open the ADFS snap-in.
   Note: You can also open the ADFS snap-in by typing ADFS.MSC in the Run dialog box.
2. Select your Office SharePoint Server 2007 application node (your application should already be in the list of nodes).
3. In the claims list on the right, right-click E-mail, and then select Enable or Disable.
4. In the claims list on the right, right-click UPN, and then select Enable or Disable.

Note: If both UPN and E-mail are enabled, Office SharePoint Server 2007 uses the UPN to perform user claim verification. Therefore, when you configure Office SharePoint Server 2007, be careful about which user claim you enter. Also note that the UPN claim works consistently only if the UPN suffixes and the e-mail suffixes accepted by the Federation Server are identical, because the membership provider is e-mail based. Because of this complexity in configuring UPN claims, e-mail is the recommended user claim for membership authentication.

Working with groups and organizational group claims


In Office SharePoint Server 2007, rights can be assigned to Active Directory groups by adding them to a SharePoint group or directly to a permission level. The level of permissions a given user has on a site is calculated from the Active Directory groups the user is a member of, the SharePoint groups the user belongs to, and any permission levels that the user has been directly added to.

When you use ADFS as a role provider in Office SharePoint Server 2007, the process is different. The Web SSO provider has no way to resolve an Active Directory group directly; instead, it resolves groups by using organizational group claims. When you use ADFS with Office SharePoint Server 2007, you must create a set of organizational group claims in ADFS. You can then associate multiple Active Directory groups with an ADFS organizational group claim.

For group claims to work with the latest version of ADFS, you need to edit the web.config file for the ADFS application in IIS on your ADFS server. Open the web.config file and add <getGroupClaims /> to the <FederationServerConfiguration> node inside the <system.web> node, as shown in the following example:

   <configuration>
     <system.web>
       <FederationServerConfiguration>
         <getGroupClaims />
       </FederationServerConfiguration>
     </system.web>
   </configuration>

In the Adatum (account) forest, do the following:
1. Create an Active Directory group named Trey SharePoint Readers.
2. Create an Active Directory group named Trey SharePoint Contributors.
3. Add Alansh to the Readers group and Adamcar to the Contributors group.
4. Create an organizational group claim named Trey SharePoint Readers.
5. Create an organizational group claim named Trey SharePoint Contributors.
6. Right-click the Active Directory account store, and then click New Group Claim Extraction.
   a. Select the Trey SharePoint Readers organizational group claim, and then associate it with the Trey SharePoint Readers Active Directory group.
   b. Repeat step 6, and associate the Trey SharePoint Contributors organizational group claim with the Trey SharePoint Contributors Active Directory group.
7. Right-click the Trey Research resource partner, and then create the outgoing claim mappings:
   a. Select the Trey SharePoint Readers claim, and then map it to the outgoing claim adatum-trey-readers.
   b. Select the Trey SharePoint Contributors claim, and then map it to the outgoing claim adatum-trey-contributors.

Note: The claim mapping names must be agreed on between the organizations, and they must match exactly.

On the Trey Research side, start ADFS.MSC, and then do the following:
1. Create an organizational group claim named Adatum SharePoint Readers.
2. Create an organizational group claim named Adatum SharePoint Contributors.
3. Create incoming group mappings for your claims:
   a. Right-click the Adatum account partner, and then click Incoming Group Claim Mapping.
   b. Select Adatum SharePoint Readers, and then map it to the incoming claim name adatum-trey-readers.
   c. Select Adatum SharePoint Contributors, and then map it to the incoming claim name adatum-trey-contributors.
4. Right-click the Office SharePoint Server 2007 Web application, and then click Enable on both the Reader and Contributor claims.

Browse to the http://trey-moss site on the Trey Research side as the site administrator, and then do the following:
1. Click the Site Actions menu, point to Site Settings, and then click People and Groups.
2. If it is not already selected, click the Members group for your site.
3. Click New, and then click Add Users on the toolbar.
4. Click the address book icon next to the Users/Groups box.
5. In the Find box in the People Picker dialog box, type Adatum SharePoint Readers. In the Give Permission section, select the SharePoint group Home Visitors [Readers].
6. In the Find box, type Adatum SharePoint Contributors. In the Give Permission section, select the SharePoint group Home Members [Contribute].


Configure Kerberos authentication


In this section:
- About Kerberos authentication
- Before you begin
- Configure Kerberos authentication for SQL communications
- Configure Internet Explorer to include port numbers in Service Principal Names
- Create Service Principal Names for your Web applications using Kerberos authentication
- Deploy the server farm
- Configure services on servers in your farm
- Create Web applications using Kerberos authentication
- Create a site collection using the Collaboration Portal template in the portal site Web application
- Create a Shared Services Provider for your farm
- Confirm successful access to the Web applications using Kerberos authentication
- Confirm correct Search Indexing functionality
- Confirm correct Search Query functionality
- Configure your SSP infrastructure for Kerberos authentication
- Register new custom-format SPNs for your SSP service account in Active Directory
- Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos authentication
- Add a new registry key to all of your servers running Office SharePoint Server to enable generation of the new custom-format SPNs
- Confirm Kerberos authentication for root-level shared services access
- Confirm Kerberos authentication for virtual-directory-level shared services access
- Configuration limitations
- Additional resources and troubleshooting guidance

About Kerberos authentication


Kerberos is a secure protocol that supports ticket-based authentication. A Kerberos authentication server grants a ticket in response to a client computer's authentication request if the request contains valid user credentials and a valid Service Principal Name (SPN). The client computer then uses the ticket to access network resources. To enable Kerberos authentication, the client and server computers must have a trusted connection to the domain Key Distribution Center (KDC). The KDC distributes shared secret keys to enable encryption. The client and server computers must also be able to access Active Directory directory services. For Active Directory, the forest root domain is the center of Kerberos authentication referrals.

To deploy a server farm running Microsoft Office SharePoint Server 2007 using Kerberos authentication, you must install and configure a variety of applications on your computers. This section describes an example server farm running Office SharePoint Server 2007 and provides guidance for deploying and configuring the farm to use Kerberos authentication to support the following functionality:
- Communication between Office SharePoint Server 2007 and Microsoft SQL Server database software.
- Access to the SharePoint Central Administration Web application.
- Access to other Web applications, including a portal site Web application, a My Site Web application, and an SSP Administration site Web application.
- Access to the shared services for the Office SharePoint Server 2007 Web applications in the Office SharePoint Server 2007 Shared Services Provider (SSP) infrastructure.

Before you begin


This section is intended for administrative-level personnel who have an understanding of the following:
- Windows Server 2003 Active Directory
- Internet Information Services (IIS) 6.0 (or IIS 7.0)
- Windows SharePoint Services 3.0
- Office SharePoint Server 2007
- Windows Internet Explorer
- Kerberos authentication, as implemented in Active Directory for Windows Server 2003
- Network Load Balancing (NLB) in Windows Server 2003
- Computer accounts in an Active Directory domain
- User accounts in an Active Directory domain
- IIS Web sites and their bindings and authentication settings
- IIS application pool identities for IIS Web sites
- The SharePoint Products and Technologies Configuration Wizard
- Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Web applications
- Central Administration pages
- Service principal names (SPNs) and how to configure them in an Active Directory domain

Important: To create SPNs in an Active Directory domain, you must have domain administrative-level permissions.

Kerberos authentication for the SSP infrastructure in Office SharePoint Server 2007 requires the installation of the Infrastructure Update for Microsoft Office Servers.

Note: An SSP is a logical grouping of a common set of services and service data that can be provided to Web applications and their associated Web sites. An SSP infrastructure enables the sharing of services across server farms, Web applications, and site collections. The Office Server Web Services Web site is the SSP infrastructure. The SSP infrastructure exists on any server running Office SharePoint Server 2007 that is deployed using the Complete installation option. Kerberos authentication does not work with the Office Server Web Services Web site unless the Infrastructure Update for Microsoft Office Servers is installed.

This section does not provide:
- An in-depth examination of Kerberos authentication. Kerberos is an industry-standard authentication method that is implemented in Active Directory.
- Detailed, step-by-step instructions for installing Office SharePoint Server 2007 or using the SharePoint Products and Technologies Configuration Wizard.
- Detailed, step-by-step instructions for using Central Administration to create Office SharePoint Server 2007 Web applications.

Software version requirements


The guidance provided in this section, and the testing performed to confirm this guidance, are based on results using systems running Windows Server 2003 and Internet Explorer with the latest updates applied from the Windows Update site (http://go.microsoft.com/fwlink/?LinkID=101614&clcid=0x409). The following software versions were installed:
- Windows Server 2003 Service Pack 2 (SP2) with the latest updates from the Windows Update site (http://go.microsoft.com/fwlink/?LinkID=101614&clcid=0x409)
- Windows Internet Explorer 7, version 7.0.5730.11
- The released version of Office SharePoint Server 2007

You should also make sure that your Active Directory domain controllers are running Windows Server 2003 SP2 with the latest updates applied from the Windows Update site (http://go.microsoft.com/fwlink/?LinkID=101614&clcid=0x409).

Known issues
Kerberos authentication cannot be configured to work with the SSP infrastructure in Office SharePoint Server 2007 unless the Infrastructure Update for Microsoft Office Servers is installed. Therefore, if you do not have the Infrastructure Update for Microsoft Office Servers installed, disregard the guidance in this section for configuring Kerberos authentication for the SSP infrastructure.

Office SharePoint Server 2007 can crawl Web applications configured to use Kerberos authentication if those Web applications are hosted on IIS virtual servers that are bound to default ports (TCP port 80 and Secure Sockets Layer (SSL) port 443). However, Office SharePoint Server 2007 Search cannot crawl Office SharePoint Server 2007 Web applications that are configured to use Kerberos authentication if the Web applications are hosted on IIS virtual servers that are bound to non-default ports (ports other than TCP port 80 and SSL port 443). Currently, Office SharePoint Server 2007 Search can only crawl Office SharePoint Server 2007 Web applications hosted on IIS virtual servers bound to non-default ports if those Web applications are configured to use either NTLM authentication or Basic authentication.

For end-user access using Kerberos authentication, if you need to deploy Web applications that can only be hosted on IIS virtual servers that are bound to non-default ports, and if you want end users to get search query results, then:
- The same Web applications must be hosted on other IIS virtual servers on non-default ports.
- The Web applications must be configured to use either NTLM or Basic authentication.
- Search Indexing must crawl the Web applications using NTLM or Basic authentication.

This section provides guidance for:
- Configuring the Central Administration Web application using Kerberos authentication hosted on an IIS virtual server bound to non-default ports.
- Configuring portal and My Site applications, and shared services, using Kerberos authentication hosted on IIS virtual servers bound to default ports and with an IIS host header binding.
- Ensuring that Search Indexing successfully crawls Office SharePoint Server 2007 Web applications using Kerberos authentication.
- Ensuring that users accessing Kerberos-authenticated Web applications can successfully get search query results for those Web applications.
- Configuring Kerberos authentication for the SSP infrastructure (if the Infrastructure Update for Microsoft Office Servers is installed).

Additional background
It is important to understand that when you use Kerberos authentication, correct authentication behavior depends in part on the behavior of the client that is attempting to authenticate using Kerberos. In an Office SharePoint Server 2007 farm deployment using Kerberos authentication, Office SharePoint Server 2007 is not the client. Before you deploy a server farm running Office SharePoint Server 2007 using Kerberos authentication, you must understand the behavior of the following clients:
- The browser (in the context of this section, the browser is always Windows Internet Explorer).
- The Microsoft .NET Framework.

The browser is the client used when browsing to a Web page in an Office SharePoint Server 2007 Web application. When Office SharePoint Server 2007 performs tasks such as crawling the local Office SharePoint Server 2007 content sources or making calls to the SSP infrastructure, the .NET Framework is functioning as the client.


For Kerberos authentication to work correctly, you must create SPNs in Active Directory. If the services to which these SPNs correspond are listening on non-default ports, the SPNs should include port numbers. This ensures that the SPNs are meaningful, and it is also required to prevent the creation of duplicate SPNs.

When a client (Internet Explorer or the .NET Framework) attempts to access a resource using Kerberos authentication, the client must construct an SPN to be used as part of the Kerberos authentication process. If the client does not construct an SPN that matches the SPN that is configured in Active Directory, Kerberos authentication fails, usually with an access denied error.

There are versions of Internet Explorer that do not construct SPNs with port numbers. If you are using Office SharePoint Server 2007 Web applications that are bound to non-default port numbers in IIS, you might have to direct Internet Explorer to include port numbers in the SPNs that it constructs. In a farm running Office SharePoint Server 2007, the Central Administration Web application is hosted, by default, in an IIS virtual server that is bound to a non-default port. Therefore, this section addresses both IIS port-bound and IIS host-header-bound Web sites, and it provides a link to instructions for directing Internet Explorer to include port numbers in SPNs.

In a farm running Office SharePoint Server 2007, by default the .NET Framework does not construct SPNs that contain port numbers. This is why Search cannot crawl Web applications using Kerberos authentication if those Web applications are hosted on IIS virtual servers that are bound to non-default ports. It is also why Kerberos authentication cannot be correctly configured for the SSP infrastructure unless the Infrastructure Update for Microsoft Office Servers is installed.
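The failure mode described above is easier to reason about when the SPN each client asks for is written down next to the SPNs that are actually registered. The following Python script is an added example, not part of the original Microsoft documentation; it models the two client behaviors (Internet Explorer with and without the include-port setting, and the .NET Framework, which never includes the port), checks the requested SPN against a registered set, and shows the duplicate-SPN trap that the "include port numbers" rule prevents. The application pool account names, the Central Administration port (8080) and the registered SPN set are assumptions constructed for the example; in a real domain the SPNs are registered on the application pool accounts with setspn.exe.

```python
"""Which SPN does a Kerberos client ask for, and is it registered in Active Directory?

Added example; not part of the original Microsoft documentation. Internet Explorer leaves the
port out of the HTTP SPN unless it is configured to include port numbers; the .NET Framework
(the client when Search Indexing crawls or SharePoint calls the SSP) never includes it. The
account names, the Central Administration port 8080 and REGISTERED_SPNS are assumptions made
for this example.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumed registrations: {application pool account: [SPNs]}. The portal is host-header bound on
# the default SSL port behind the NLB name kerbportal.mydomain.net; Central Administration is
# bound to port 8080, so its SPNs carry the port as the section above recommends.
REGISTERED_SPNS = {
    r"mydomain\portalapppool": ["HTTP/kerbportal.mydomain.net", "HTTP/kerbportal"],
    r"mydomain\adminapppool": ["HTTP/mossadmin.mydomain.net:8080", "HTTP/mossadmin:8080"],
}


def client_spn(url, include_port):
    """Build the HTTP/host[:port] SPN a client derives from a URL. The service class is HTTP
    for both http and https; the port is appended only when requested and non-default."""
    parts = urlsplit(url)
    default = DEFAULT_PORTS[parts.scheme.lower()]
    port = parts.port or default
    if include_port and port != default:
        return f"HTTP/{parts.hostname}:{port}"
    return f"HTTP/{parts.hostname}"


def ie_spn(url, include_port_in_spn=False):
    """Internet Explorer: port omitted unless the include-port-numbers setting is enabled."""
    return client_spn(url, include_port_in_spn)


def dotnet_spn(url):
    """The .NET Framework client (Search Indexing, SSP calls): the port is never included."""
    return client_spn(url, False)


def authenticates(spn, registered=REGISTERED_SPNS):
    """The KDC issues a service ticket only for an SPN registered on some account. Comparison
    is exact apart from case, so HTTP/host never matches HTTP/host:port."""
    wanted = spn.lower()
    return any(s.lower() == wanted for spns in registered.values() for s in spns)


def duplicate_spns(registered):
    """SPNs present on more than one account. The KDC cannot tell whose key to use, so
    Kerberos authentication to that SPN fails for every account involved."""
    owners = {}
    for account, spns in registered.items():
        for s in spns:
            owners.setdefault(s.lower(), set()).add(account)
    return {s for s, accounts in owners.items() if len(accounts) > 1}


def kerberos_report(registered=REGISTERED_SPNS):
    """(client, SPN requested, ticket issued?) for the clients and URLs of the farm above."""
    cases = [
        ("IE, default settings", ie_spn("https://kerbportal.mydomain.net")),
        (".NET crawler", dotnet_spn("https://kerbportal.mydomain.net")),
        ("IE, default settings", ie_spn("http://mossadmin.mydomain.net:8080")),
        ("IE, port in SPN", ie_spn("http://mossadmin.mydomain.net:8080", include_port_in_spn=True)),
        (".NET crawler", dotnet_spn("http://mossadmin.mydomain.net:8080")),
    ]
    return [(client, spn, authenticates(spn, registered)) for client, spn in cases]


def collision_example(registered=REGISTERED_SPNS):
    """The tempting fix for the failing crawler is to register the port-less HTTP/mossadmin.mydomain.net
    on the admin pool. If another pool account already owns that name for a port-80 site on the
    same host (assumed here), the result is a duplicate SPN and Kerberos breaks for both sites."""
    colliding = {account: list(spns) for account, spns in registered.items()}
    colliding[r"mydomain\adminapppool"].append("HTTP/mossadmin.mydomain.net")
    colliding[r"mydomain\portalapppool"].append("http/MOSSADMIN.mydomain.net")
    return duplicate_spns(colliding)


if __name__ == "__main__":
    for client, spn, ok in kerberos_report():
        print(f"{client:22} requests {spn:36} -> {'ticket issued' if ok else 'SPN not found: access denied'}")
    print("duplicate SPNs after the naive fix:", collision_example())
```

The report shows the two outcomes the section describes: host-header-bound sites on default ports work for every client, while the port-bound Central Administration site works for Internet Explorer only after the include-port setting is enabled and never for the .NET crawler. The collision example is why the fix is not to drop the port from the registered SPN.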

Server farm topology


This section targets the following Office SharePoint Server 2007 server farm topology:
- Two computers running Windows Server 2003 that act as front-end Web servers, with Windows NLB configured.
- Three computers running Windows Server 2003 that act as application servers. One of the application servers hosts the Central Administration Web application, the second runs Search Query, and the third runs Search Indexing.
- One computer running Windows Server 2003 that is used as the SQL host for the farm running Office SharePoint Server 2007. For the scenario described in this section, you can use either Microsoft SQL Server 2000 SP4 or Microsoft SQL Server 2005 SP2.

This section provides guidance for configuring one SSP in the farm.


Active Directory, computer naming, and NLB conventions


The scenario described in this section uses the following Active Directory, computer-naming, and NLB conventions:
| Server role | Domain name |
|---|---|
| Active Directory | mydomain.net |
| A front-end Web server running Office SharePoint Server 2007 | mossfe1.mydomain.net |
| A front-end Web server running Office SharePoint Server 2007 | mossfe2.mydomain.net |
| Office SharePoint Server 2007 Central Administration | mossadmin.mydomain.net |
| Search Indexing running Office SharePoint Server 2007 | mosscrawl.mydomain.net |
| Search Query running Office SharePoint Server 2007 | mossquery.mydomain.net |
| SQL Server host running Office SharePoint Server 2007 | mosssql.mydomain.net |

An NLB VIP is assigned to mossfe1.mydomain.net and mossfe2.mydomain.net as a result of configuring NLB on these systems. A set of DNS host names that point to this address is registered in your DNS system. For example, if your NLB VIP is 192.168.100.200, you have a set of DNS records that resolve the following DNS names to this IP address (192.168.100.200):

- kerbportal.mydomain.net
- kerbmysite.mydomain.net
- kerbsspadmin.mydomain.net


Active Directory domain account conventions


The example in this section uses the naming conventions listed in the following table for service accounts and application pool identities used in the farm running Office SharePoint Server 2007.
| Domain account or application pool identity | Name |
|---|---|
| Local administrator account on all servers running Office SharePoint Server 2007 (but not on the host computer running SQL Server); also the run-as user for Office SharePoint Server 2007 setup and for the SharePoint Products and Technologies Configuration Wizard | mydomain\pscexec |
| Local administrator account on the SQL Server host computer | mydomain\sqladmin |
| SQL Server service account used to run the SQL Server service on the SQL host | mydomain\mosssqlsvc |
| Office SharePoint Server 2007 farm administrator account. This is used as the application pool identity for Central Administration and as the service account for the SharePoint Timer Service. | mydomain\mossfarmadmin |
| Office SharePoint Server 2007 application pool identity for the portal site Web application | mydomain\portalpool |
| Office SharePoint Server 2007 application pool identity for the My Site Web application | mydomain\mysitepool |
| Office SharePoint Server 2007 application pool identity for the Shared Services Administration Web site | mydomain\sspadminpool |
| Office SharePoint Server 2007 SSP service account | mydomain\sspsvc |
| Windows SharePoint Services 3.0 search service account | mydomain\wsssearch |
| Windows SharePoint Services 3.0 search content access account | mydomain\wsscrawl |
| Office SharePoint Server 2007 search service account | mydomain\mosssearch |
| Office SharePoint Server 2007 content access account | mydomain\mosscrawl |

Preliminary configuration requirements


Before you install Office SharePoint Server 2007 on the computers in your server farm, make sure you have performed the following procedures:

- All servers used in the farm, including the SQL host, are set up with Windows Server 2003 SP2, including the latest updates applied from the Windows Update site (http://go.microsoft.com/fwlink/?LinkID=101614&clcid=0x409).
- All servers in the farm have Internet Explorer 7 (and the latest updates for it) installed from the Windows Update site (http://go.microsoft.com/fwlink/?LinkID=101614&clcid=0x409).
- SQL Server (either SQL Server 2000 SP4 or SQL Server 2005 SP2) is installed and running on the SQL host computer, and the SQL Server service is running as the account mydomain\sqlsvc. A default instance of SQL Server is installed and is listening on TCP port 1433.
- The SharePoint Products and Technologies Configuration Wizard run-as user has been added:
  - As a SQL Login on your SQL host.
  - To the SQL Server DBCreators role on your SQL host.
  - To the SQL Server Security Administrators role on your SQL host.

Configure Kerberos authentication for SQL communications


Configure Kerberos authentication for SQL communications before installing and configuring Office SharePoint Server 2007 on your servers running Office SharePoint Server 2007. This is necessary because Kerberos authentication for SQL communications has to be configured, and confirmed to be working, before your computers running Office SharePoint Server 2007 can connect to your SQL Server. The process of configuring Kerberos authentication for any service installed on a host computer running Windows Server 2003 includes creating an SPN for the domain account used to run the service on the host. SPNs are made up of the following parts:

- A service name (for example, MSSQLSvc or HTTP)
- A host name (either real or virtual)
- A port number


The following list contains examples of SPNs for a default instance of SQL Server running on a computer named mosssql and listening on port 1433:

- MSSQLSvc/mosssql:1433
- MSSQLSvc/mosssql.mydomain.com:1433

These are the SPNs that you will create for the instance of SQL Server on the SQL host that will be used by the farm described in this section. You should always create SPNs that have both a NetBIOS name and a full DNS name for a host on your network. There are different methods that you can use to set an SPN for an account in an Active Directory domain. One method is to use the SETSPN.EXE utility that is part of the resource kit tools for Windows Server 2003. Another method is to use the ADSIEDIT.MSC snap-in on your Active Directory domain controller. This section addresses using the ADSIEDIT.MSC snap-in.

There are two core steps for configuring Kerberos authentication for SQL Server:

1. Create SPNs for your SQL Server service account.
2. Confirm that Kerberos authentication is used to connect servers running Office SharePoint Server 2007 to servers running SQL Server.

Create the SPNs for your SQL Server service account


1. Log on to your Active Directory domain controller using the credentials of a user that has domain administrative permissions.
2. In the Run dialog box, type ADSIEDIT.MSC.
3. In the management console dialog box, expand the domain container folder.
4. Expand the container folder containing user accounts, for example CN=Users.
5. Locate the container for the SQL Server service account, for example CN=mosssqlsvc.
6. Right-click this account, and then click Properties.
7. Scroll down the list of properties in the SQL Server service account dialog box until you find servicePrincipalName.
8. Select the servicePrincipalName property and click Edit.
9. In the Value to Add field, in the Multi-Valued String Editor dialog box, type the SPN MSSQLSvc/mosssql:1433 and click Add. Next, type the SPN MSSQLSvc/mosssql.mydomain.com:1433 in this field and click Add.
10. Click OK on the Multi-Valued String Editor dialog box, and then click OK on the properties dialog box for the SQL Server service account.

Confirm Kerberos authentication is used to connect servers running Office SharePoint Server 2007 to SQL Server
Install the SQL Client Tools on one of your servers running Office SharePoint Server 2007, and use the tools to connect from your server running Office SharePoint Server 2007 to those running SQL Server. This section does not address the steps for installing the SQL Client Tools on one of your servers running Office SharePoint Server 2007. The confirmation procedures are based on the following assumptions:

- You are using SQL Server 2005 SP2 on your SQL host.
- You have logged on to one of your servers running Office SharePoint Server 2007, using the account mydomain\pscexec, and have installed the SQL 2005 Client Tools on the server running Office SharePoint Server 2007.

1. Run the SQL Server 2005 Management Studio.
2. When the Connect to Server dialog box appears, type the name of the SQL host computer (in this example, the SQL host computer is mosssql), and click Connect to connect to the SQL host computer.
3. To confirm that Kerberos authentication was used for this connection, run the event viewer on the SQL host computer and examine the Security event log. You should see a Success Audit record for a Logon/Logoff category event that is similar to the data shown in the following tables:

| Field | Value |
|---|---|
| Event Type | Success Audit |
| Event Source | Security |
| Event Category | Logon/Logoff |
| Event ID | 540 |
| Date | 10/31/2007 |
| Time | 4:12:24 PM |
| User | MYDOMAIN\pscexec |
| Computer | MOSSSQL |
| Description | See the following table |

An example of a successful network logon is depicted in the following table.

| Field | Value |
|---|---|
| User Name | pscexec |
| Domain | MYDOMAIN |
| Logon ID | (0x0,0x6F1AC9) |
| Logon Type | 3 |
| Logon Process | Kerberos |
| Workstation Name | |
| Logon GUID | {36d6fbe0-2cb8-916c-4fee-4b02b0d3f0fb} |
| Caller User Name | |
| Caller Domain | |
| Caller Logon ID | |
| Caller Process ID | |
| Transited Services | |
| Source Network Address | 192.168.100.100 |
| Source Port | 2465 |

Examine the log entry to confirm that:

1. The user name is correct. The mydomain\pscexec account logged on over the network to the SQL host.
2. The logon type is 3. A type 3 logon is a network logon.
3. The logon process and authentication package both use Kerberos authentication. This confirms that your server running Office SharePoint Server 2007 is using Kerberos authentication to communicate with the SQL host.
4. The Source Network Address matches the IP address of the computer from which the connection was made.

If your connection to the SQL host fails with an error message similar to Cannot generate SSPI context, it is likely that there is an issue with the SPN being used for your instance of SQL Server. To troubleshoot and correct this, please refer to the article How to troubleshoot the "Cannot generate SSPI context" error message (http://go.microsoft.com/fwlink/?LinkId=76621) from the Microsoft Knowledge Base.
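The four checks above are the same ones that are repeated later for the Central Administration and portal site records, so a small script that applies them to a copied Security log entry is useful. The following Python is an added example and is not code from this book or from Microsoft; the sample record is constructed from the field values shown in the tables above, in the "Field: value" layout that Event Viewer uses when the Description of a record is copied to the clipboard. The NTLM counter-example (Logon Process NtLmSsp, Authentication Package NTLM) shows what the same record looks like when the connection silently falls back from Kerberos to NTLM, which is the failure mode these checks are meant to catch.

```python
# Constructed sample modelled on the Success Audit (Event ID 540) record shown
# in the text, in the "Field: value" layout used when a record's Description is
# copied from Event Viewer.
KERBEROS_EVENT = """\
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
User: MYDOMAIN\\pscexec
Computer: MOSSSQL
User Name: pscexec
Domain: MYDOMAIN
Logon ID: (0x0,0x6F1AC9)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Source Network Address: 192.168.100.100
Source Port: 2465
"""

# Constructed counter-example: the same connection falling back to NTLM.
# NtLmSsp / NTLM are the values a 540 record carries for an NTLM network logon.
NTLM_EVENT = (KERBEROS_EVENT
              .replace("Logon Process: Kerberos", "Logon Process: NtLmSsp")
              .replace("Authentication Package: Kerberos", "Authentication Package: NTLM"))


def parse_event(text):
    """Split 'Field: value' lines into a dict; a field with no value maps to ''."""
    event = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        event[key.strip()] = value.strip()
    return event


def check_kerberos_logon(event, expected_user, expected_domain, expected_source):
    """Apply the confirmation checks from the text to one parsed record.
    Returns the list of checks that failed; an empty list means the record
    proves a Kerberos network logon by the expected account."""
    failures = []
    if event.get("Event Type") != "Success Audit" or event.get("Event ID") != "540":
        failures.append("not a Success Audit record with Event ID 540")
    if (event.get("User Name", "").lower() != expected_user.lower()
            or event.get("Domain", "").lower() != expected_domain.lower()):
        failures.append("user name or domain does not match the account that connected")
    if event.get("Logon Type") != "3":
        failures.append("logon type is not 3 (network logon)")
    if event.get("Logon Process", "").lower() != "kerberos":
        failures.append("logon process is not Kerberos")
    if event.get("Authentication Package", "").lower() != "kerberos":
        failures.append("authentication package is not Kerberos")
    if event.get("Source Network Address") != expected_source:
        failures.append("source network address is not the connecting computer")
    return failures


if __name__ == "__main__":
    for label, text in (("Kerberos", KERBEROS_EVENT), ("NTLM", NTLM_EVENT)):
        result = check_kerberos_logon(parse_event(text), "pscexec", "MYDOMAIN",
                                      "192.168.100.100")
        print(label, "->", "OK" if not result else "; ".join(result))
```

Paste the Description text of the record you are examining in place of the constructed sample; an empty result from check_kerberos_logon is the confirmation the procedure asks for, and a non-empty one names exactly which of the four checks failed.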

Configure Internet Explorer to include port numbers in Service Principal Names


Many versions of Internet Explorer do not include port numbers in the SPNs that they construct. To determine whether you are using a version of Internet Explorer 6 that has this problem, and for the steps necessary to correct it, refer to the article Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port in Windows XP and in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=99681) from the Microsoft Knowledge Base. You should very carefully examine the version number of the DLL referenced in that article to determine whether the version of Internet Explorer that you are using requires the fix described in the article. If your version of Internet Explorer does not construct SPNs with port numbers, and you are using Office SharePoint Server 2007 Web applications hosted on IIS virtual servers bound to non-default ports, you must apply this fix before that version of Internet Explorer can access those Web applications. Within the context of this section, you must ensure that the version of Internet Explorer you are using includes port numbers in the SPNs that it constructs, because the SPN that you add to your Active Directory for the Central Administration Web application will contain a port number.

Create Service Principal Names for your Web applications using Kerberos authentication
As far as Kerberos authentication is concerned, there is nothing special about IIS-based Office SharePoint Server 2007 Web applications; Kerberos authentication treats them as just another IIS Web site. This process requires knowledge of the following items:

- The service class for the SPN (in the context of this section, for Office SharePoint Server 2007 Web applications, this is always HTTP).
- The URL for all of your Office SharePoint Server 2007 Web applications using Kerberos authentication.
- The host name portion of the SPN (either real or virtual; this section addresses both).
- The port number portion of the SPN (in the scenario described in this section, both IIS port-based and IIS host-header-based Office SharePoint Server 2007 Web applications are used).
- The Windows Active Directory accounts for which your SPNs must be created.

The following table lists the information for the scenario described in this section:
| URL | Active Directory account | SPN |
|---|---|---|
| http://mossadmin.mydomain.net:10000 | mossfarmadmin | HTTP/mossadmin.mydomain.net:10000 |
| http://kerbportal.mydomain.net | portalpool | HTTP/kerbportal.mydomain.net, HTTP/kerbportal |
| http://kerbmysite.mydomain.net | mysitepool | HTTP/kerbmysite.mydomain.net, HTTP/kerbmysite |
| http://kerbsspadmin.mydomain.net/ssp/admin | sspadminpool | HTTP/kerbsspadmin.mydomain.net, HTTP/kerbsspadmin |

Notes for this table:

- The first URL listed above is for Central Administration, and uses a port number. You don't have to use port 10000. This is just an example used for consistency throughout this section.
- The next three URLs are for the portal site, My Site, and Shared Services Administration site, respectively.

Use the guidance provided above to create the SPNs you need in Active Directory to support Kerberos authentication for your Office SharePoint Server 2007 Web applications. You need to log on to a domain controller in your environment using an account that has domain administrative permissions. To create the SPNs, you can use either the SETSPN.EXE utility mentioned previously, or you can use the ADSIEDIT.MSC snap-in mentioned previously. If using the ADSIEDIT.MSC snap-in, please refer to the instructions provided earlier in this section for creating the SPNs. Be sure to create the correct SPNs for the correct accounts in Active Directory.

Deploy the server farm


Deploying the server farm includes the following steps:

1. Set up Office SharePoint Server 2007 on all of your servers running Office SharePoint Server 2007.
2. Run the SharePoint Products and Technologies Configuration Wizard and create a new farm. This step includes creating an Office SharePoint Server 2007 Central Administration Web application that will be hosted on an IIS virtual server bound to a non-default port and use Kerberos authentication.
3. Run the SharePoint Products and Technologies Configuration Wizard and join the other servers to the farm.
4. Configure Services on Servers in your farm for:
   - Windows SharePoint Services 3.0 Search service
   - Office SharePoint Server 2007 Search Indexing
   - Office SharePoint Server 2007 Search Query
5. Create Web applications that are used for the portal site, My Site, and the Shared Services Administration site using Kerberos authentication.
6. Create a site collection using the Collaboration Portal template in the portal site Web application.
7. Create a Shared Services Provider for your farm.
8. Confirm successful access to the Web applications using Kerberos authentication.
9. Confirm correct Search Indexing functionality.
10. Confirm correct Search Query functionality.
11. Configure your SSP infrastructure for Kerberos authentication. This is an optional step that requires the installation of the Infrastructure Update for Microsoft Office Servers.
12. Confirm SSP functionality using Kerberos authentication. This is an optional step that requires the installation of the Infrastructure Update for Microsoft Office Servers.


Install Office SharePoint Server 2007 on all of your servers


This is the straightforward process of running Office SharePoint Server 2007 setup to install the Office SharePoint Server 2007 binaries on your servers running Office SharePoint Server 2007. Log on to each of your computers running Office SharePoint Server 2007 using the account mydomain\pscexec. No step-by-step instructions are provided for this. For the scenario described in this section, do a Complete installation of Office SharePoint Server 2007 on all servers that require Office SharePoint Server 2007.

Run the SharePoint Products and Technologies Configuration Wizard and create a new farm
For the scenario described in this section, run the SharePoint Products and Technologies Configuration Wizard from the MOSSADMIN Search Indexing server first, so that MOSSADMIN hosts the Office SharePoint Server 2007 Central Administration Web application. On the server named MOSSCRAWL, when setup completes, a Setup Complete dialog box appears with a check box selected to run the SharePoint Products and Technologies Configuration Wizard. Leave this check box selected and close the setup dialog box to run the SharePoint Products and Technologies Configuration Wizard. When running the SharePoint Products and Technologies Configuration Wizard on this computer, direct the Wizard to create a new farm using the following settings:

- Provide the database server name (in this section, it is the server named MOSSSQL).
- Provide a configuration database name (you can use the default, or stipulate a name of your choice).
- Provide the database access (farm administrator) account information. Using the scenario in this section, that account is mydomain\mossfarmadmin.
- Provide the information required for the Office SharePoint Server 2007 Central Administration Web application. Using the scenario in this section, that information is:
  - Central Administration Web application port number: 10000
  - Authentication Method: Negotiate

When you have provided all the required information, the SharePoint Products and Technologies Configuration Wizard should finish successfully. If it completes successfully, confirm that you can access the Office SharePoint Server 2007 Central Administration Web application home page using Kerberos authentication. To do this, perform the following steps:

1. Log on to a different server running Office SharePoint Server 2007 or another computer in the domain mydomain as mydomain\pscexec. You should not verify correct Kerberos authentication behavior directly on the computer hosting the Office SharePoint Server 2007 Central Administration Web application. This should be done from a separate computer in the domain.
2. Start Internet Explorer on this server and attempt to go to the following URL: http://mossadmin.mydomain.net:10000. The home page of Central Administration should render.
3. To confirm that Kerberos authentication was used to access Central Administration, go back to the computer named MOSSADMIN and run the event viewer and look in the security log. You should see a Success Audit record that looks similar to the following table:

| Field | Value |
|---|---|
| Event Type | Success Audit |
| Event Source | Security |
| Event Category | Logon/Logoff |
| Event ID | 540 |
| Date | 11/1/2007 |
| Time | 2:22:20 PM |
| User | MYDOMAIN\pscexec |
| Computer | MOSSADMIN |
| Description | See the following table |

An example of a successful network logon is depicted in the following table.

| Field | Value |
|---|---|
| User Name | pscexec |
| Domain | MYDOMAIN |
| Logon ID | (0x0,0x1D339D3) |
| Logon Type | 3 |
| Logon Process | Kerberos |
| Authentication Package | Kerberos |
| Workstation Name | |
| Logon GUID | {fad7cb69-21f8-171b-851b-3e0dbf1bdc79} |
| Caller User Name | |
| Caller Domain | |
| Caller Logon ID | |
| Caller Process ID | |
| Transited Services | |
| Source Network Address | 192.168.100.100 |
| Source Port | 2505 |


Examination of this log record shows the same type of information as in the previous log entry:

- Confirm that the user name is correct; it is the mydomain\pscexec account that logged on over the network to the server running Office SharePoint Server 2007 that is hosting Central Administration.
- Confirm that the logon type is 3; a logon type 3 is a network logon.
- Confirm that the logon process and authentication package both use Kerberos authentication. This confirms that Kerberos authentication is being used to access your Central Administration Web application.
- Confirm that the Source Network Address matches the IP address of the computer from which the connection was made.

If the Central Administration home page fails to render and instead an unauthorized error message is displayed, Kerberos authentication is failing. There are usually only two causes for this failure:

- The SPN in Active Directory was not registered for the correct account. It should have been registered for mydomain\mossfarmadmin.
- The SPN in Active Directory does not match the SPN being constructed by Internet Explorer or is otherwise invalid. The most common cause of this is that Internet Explorer is not constructing an SPN containing the correct port number. See the previous section titled Configure Internet Explorer to include port numbers in Service Principal Names to correct this problem. You also might have omitted the port number from the SPN that you registered in Active Directory.

Either way, ensure that this is corrected and that Central Administration is working, using Kerberos authentication, before proceeding.

Note: A diagnostic aid you could use to see what is going on over the network is a network sniffer, such as Microsoft Network Monitor, to take a trace during browsing to Central Administration. After the failure, examine the trace and look for KerberosV5 Protocol packets. Find a packet with an SPN constructed by Internet Explorer. If that SPN does not contain a port number, you need to apply the fix described in the section titled Configure Internet Explorer to include port numbers in Service Principal Names. If the SPN in the trace looks correct, either the SPN in Active Directory is invalid, or it has been registered for the wrong account.

Run the SharePoint Products and Technologies Configuration Wizard and join the other servers to the farm
Now that your farm has been created and you can successfully access Central Administration using Kerberos authentication, you need to run the SharePoint Products and Technologies Configuration Wizard and join the other servers to the farm. On each of the other four servers running Office SharePoint Server 2007 (mossfe1, mossfe2, mossquery, and mosscrawl), Office SharePoint Server 2007 installation should have completed, and the setup completion dialog box should appear with the SharePoint Products and Technologies Configuration Wizard check box selected. Leave this check box selected and close the setup completion dialog box to run the SharePoint Products and Technologies Configuration Wizard. Perform the procedure to join each of these servers to the farm. Upon completion of the SharePoint Products and Technologies Configuration Wizard on each server you add to the farm, verify that each of these servers can render Central Administration, which is running on the server MOSSADMIN. If any of these servers fail to render Central Administration, take the appropriate steps to solve the problem before you proceed.

Configure services on servers in your farm


Configure specific Windows SharePoint Services 3.0 and Office SharePoint Server 2007 services to run on specific servers running Windows SharePoint Services 3.0 and Office SharePoint Server 2007 in the farm, using the accounts indicated in the following sections.

Note: This section does not provide an in-depth description of the user interface. Only high-level instructions are provided. You should be familiar with Central Administration and how to perform the required steps before you proceed.

Access Central Administration and perform the following steps to configure the services on the servers indicated, using the accounts indicated.

Windows SharePoint Services Search


On the Services on Server page in Central Administration:

1. Select the server MOSSQUERY.
2. In the list of services that appears, close to the middle of the page, locate the Windows SharePoint Services 3.0 Search service, and then click Start in the Action column.
3. On the subsequent page, provide the credentials for the Windows SharePoint Services 3.0 search service account and for the Windows SharePoint Services 3.0 Content Access account. In the scenario in this section, the Windows SharePoint Services 3.0 search service account is mydomain\wsssearch, and the Windows SharePoint Services 3.0 content access account is mydomain\wsscrawl. Type the account names and passwords in the appropriate locations on the page, and then click Start.

Index server
On the Services on Server page in Central Administration:

1. Select the server MOSSCRAWL.
2. In the list of services that appears close to the middle of the page, locate the Office SharePoint Server 2007 Search service, and then click Start in the Action column.
3. On the subsequent page, check the Use this server for indexing content check box and then provide the credentials for the Office SharePoint Server 2007 search service account. In the scenario in this section, the Office SharePoint Server 2007 search service account is mydomain\mosssearch. Type the account names and passwords in the appropriate locations on the page, and then click Start.

Query server
On the Services on Server page in Central Administration:

1. Select the server MOSSQUERY.
2. In the list of services that appears close to the middle of the page, locate the Office SharePoint Server 2007 Search service, and then click the service name in the Service column.
3. On the subsequent page, check the Use this server for serving search queries check box and click OK.

Create Web applications using Kerberos authentication


In this section, create Web applications that are used for the portal site, a My Site, and the Shared Services Administration site in your farm.

Note: This section does not provide an in-depth description of the user interface. Only high-level instructions are provided. You should be familiar with Central Administration and how to perform the required steps before you proceed.

Create the portal site Web application


1. On the Application Management page in Central Administration, click Create or extend Web application.
2. On the subsequent page, click Create a new Web application.
3. On the subsequent page, make sure Create a new IIS Web site is selected. In the Description field, type PortalSite. In the Port field, type 80. In the Host Header field, type kerbportal.mydomain.net.
4. Make sure Negotiate is selected as the authentication provider for this Web application.
5. Create this Web application in the Default zone. Do not modify the zone for this Web application.
6. Make sure Create new application pool is selected. In the Application Pool Name field, type PortalAppPool. Make sure Configurable is selected. In the User name field, type the account mydomain\portalpool.
7. Click OK.
8. Confirm that the Web application is successfully created.

Note: If you want to use an SSL connection and bind the Web application to port 443, type 443 in the Port field and select Use SSL on the Create New Web Application page. In addition, you must install an SSL wildcard certificate. When using an IIS host header binding on an IIS Web site configured for SSL, you must use an SSL wildcard certificate. For more information about SSL host headers in IIS, see Configuring SSL Host Headers (IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=111285&clcid=0x409).

Create the My Site Web application


1. On the Application Management page in Central Administration, click Create or extend Web application.
2. On the subsequent page, click Create a new Web application.
3. On the subsequent page, make sure Create a new IIS Web site is selected. In the Description field, type MySite. In the Port field, type 80. In the Host Header field, type kerbmysite.mydomain.net.
4. Make sure Negotiate is selected as the authentication provider for this Web application.
5. Create this Web application in the Default zone. Do not modify the zone for this Web application.
6. Make sure Create new application pool is selected. In the Application Pool Name field, type MySiteAppPool. Make sure Configurable is selected. In the User name field, type the account mydomain\mysitepool.
7. Click OK.
8. Confirm that the Web application is successfully created.

Note: If you want to use an SSL connection and bind the Web application to port 443, type 443 in the Port field and select Use SSL on the Create New Web Application page. In addition, you must install an SSL wildcard certificate. When using an IIS host header binding on an IIS Web site configured for SSL, you must use an SSL wildcard certificate. For more information about SSL host headers in IIS, see Configuring SSL Host Headers (IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=111285&clcid=0x409).

Create the Shared Services Administration site Web application


1. On the Application Management page in Central Administration, click Create or extend Web application.
2. On the subsequent page, click Create a new Web application.
3. On the subsequent page, make sure Create a new IIS Web site is selected. In the Description field, type SSPAdminSite. In the Port field, type 80. In the Host Header field, type kerbsspadminsite.mydomain.net.
4. Make sure Negotiate is selected as the authentication provider for this Web application.
5. Create this Web application in the Default zone. Do not modify the zone for this Web application.
6. Make sure Create new application pool is selected. In the Application pool name field, type SSPAdminSiteAppPool. Make sure Configurable is selected. In the User name field, type the account mydomain\sspadminpool.
7. Click OK.
8. Confirm that the Web application is successfully created.

Note: If you want to use an SSL connection and bind the Web application to port 443, type 443 in the Port field and select Use SSL on the Create New Web Application page. In addition, you must install an SSL wildcard certificate. When using an IIS host header binding on an IIS Web site configured for SSL, you must use an SSL wildcard certificate. For more information about SSL host headers in IIS, see Configuring SSL Host Headers (IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=111285&clcid=0x409).

Create a site collection using the Collaboration Portal template in the portal site Web application
In this section, you create a site collection on the portal site in the Web application that you created for this purpose.

Note: This section does not provide an in-depth description of the user interface. Only high-level instructions are provided. You should be familiar with Central Administration and how to perform the required steps before you proceed.

1. On the Application Management page in Central Administration, click Create site collection.
2. On the subsequent page, make sure you select the correct Web application. For the example in this section, select http://kerbportal.mydomain.net.
3. Provide the title and description you want to use for this site collection.
4. Leave the Web site address unchanged.
5. In the Template Selection section under Select a Template, click the Publishing tab and select the Collaboration Portal template.
6. In the Primary Site Collection Administrator section, type mydomain\pscexec.
7. Specify the Secondary Site Collection Administrator you want to use.
8. Click OK.
9. Confirm that the portal site collection is successfully created.

Create a Shared Services Provider for your farm


Create a Shared Services Provider for the farm.

Note: This section does not provide an in-depth description of the user interface. Only high-level instructions are provided. You should be familiar with Central Administration and how to perform the required steps before you proceed.

1. On the Application Management page in Central Administration, click Create or configure this farm's shared services.
2. On the subsequent page, click New SSP.
3. On the subsequent page, in the SSP Name section, type SSP1 in the SSP Name field. Then, in the Web application field, select the Web application you created for the Shared Services Administration site Web application. For the example in this section, select the Web application named SSPAdminSite. In the MySite section, in the Web application field, select the Web application you created for the My Site Web site. For the example in this section, select the Web application named MySite. In the SSP service credentials section, in the User name field, type mydomain\sspsvc.
4. Click OK.
5. Confirm that your farm's SSP is successfully created.

Confirm successful access to the Web applications using Kerberos authentication


Confirm that Kerberos authentication is working for the recently created Web applications. Start with the portal site. To do this, perform the following steps:

1. Log on, as mydomain\pscexec, to a server running Office SharePoint Server 2007 other than either of the two front-end Web servers that are configured for NLB. You should not verify correct Kerberos authentication behavior directly on one of the computers hosting the load-balanced Web sites using Kerberos authentication. This should be done from a separate computer in the domain.
2. Start Internet Explorer on this other system and attempt to go to the following URL: http://kerbportal.mydomain.net. The home page of the Kerberos-authenticated portal site should render.

To confirm that Kerberos authentication was used to access the portal site, go to one of the load-balanced front-end Web servers, run Event Viewer, and look in the Security log. You should see a Success Audit record, similar to the following, on one of the front-end Web servers. Note that you may have to look on both front-end Web servers before you find it, depending on which system handled the load-balanced request.

Event Type        Success Audit
Event Source      Security
Event Category    Logon/Logoff
Event ID          540
Date              11/1/2007
Time              5:08:20 PM
User              MYDOMAIN\pscexec
Computer          mossfe1
Description       An example of a successful network logon is shown in the following table.

User Name                 pscexec
Domain                    MYDOMAIN
Logon ID                  (0x0,0x1D339D3)
Logon Type                3
Logon Process             Kerberos
Workstation Name
Logon GUID                {fad7cb69-21f8-171b-851b-3e0dbf1bdc79}
Caller User Name
Caller Domain
Caller Logon ID
Caller Process ID
Transited Services
Source Network Address    192.168.100.100
Source Port               2505


Examination of this log record shows the same type of information as in the previous log entry:

- Confirm that the user name is correct; it is the mydomain\pscexec account that logged on over the network to the front-end Web server running Office SharePoint Server 2007 that is hosting the portal site.
- Confirm that the logon type is 3; a logon type 3 is a network logon.
- Confirm that the logon process and authentication package both use Kerberos authentication. This confirms that Kerberos authentication is being used to access your portal site.
- Confirm that the Source Network Address matches the IP address of the computer from which the connection was made.

If the home page of the portal site fails to render, and displays an unauthorized error message, then Kerberos authentication is failing. There are usually only a couple of causes for this:

- The SPN in Active Directory was not registered for the correct account. It should have been registered for mydomain\portalpool, for the Web application of the portal site.
- The SPN in Active Directory does not match the SPN being constructed by Internet Explorer or is invalid for another reason. In this case, because you are using IIS host headers without explicit port numbers, the SPN registered in Active Directory differs from the IIS host header specified when you extended the Web application. You need to correct this to get Kerberos authentication working.

Note: A diagnostic aid you could use to see what is going on over the network is a network sniffer such as Microsoft Network Monitor to take a trace during browsing to Central Administration. After the failure, examine the trace and look for KerberosV5 Protocol packets. You should find a packet with an SPN constructed by Internet Explorer. If that SPN does not contain a port number, then you need to apply the fix described in the section Configure Internet Explorer to include port numbers in Service Principal Names. If the SPN in the trace looks correct, then either the SPN in Active Directory is invalid or the SPN has been registered for the wrong account.

After you have Kerberos authentication working for your portal site, go to your Kerberos-authenticated My Site and the Shared Services Administration site using the following URLs:

http://kerbmysite.mydomain.net
http://kerbsspadmin.mydomain.net/ssp/admin

Note: The first time you access the My Site URL, it will take some time for Office SharePoint Server 2007 to create a My Site for the logged-on user. However, it should succeed, and the My Site page for that user should render.

These should both work correctly. If they don't, refer to the preceding troubleshooting steps.


Confirm correct Search Indexing functionality


Confirm that Search Indexing is successfully crawling the content hosted on this farm. This is the step you must take prior to confirming the Search Query results for users accessing the sites using Kerberos authentication.

Note: This section does not provide an in-depth description of the user interface. Only high-level instructions are provided. You should be familiar with Central Administration and how to perform the required steps before you proceed.

1. Access the Shared Services Administration site Web application at http://kerbsspadmin.mydomain.net/ssp/admin.
2. On this page, click Search Settings.
3. On the subsequent page, click Content Sources and Crawl Schedules.
4. On the subsequent page, access the ECB for the Office SharePoint Server Content Sources, and from the drop-down list, select Start Full Crawl.
5. Wait for the crawl to complete. If the crawl fails, you must investigate and correct the failure, and then run a full crawl. If the crawl fails with "access denied" errors, it is either because the crawling account does not have access to the content sources, or because Kerberos authentication has failed. Whatever the cause, this error must be corrected before proceeding to subsequent steps. You must complete a full crawl of the Kerberos-authenticated Web applications before proceeding.

Confirm correct Search Query functionality


To confirm that Search Query returns results for users accessing the portal site that uses Kerberos authentication:

1. Start Internet Explorer on a system in mydomain.net and go to http://kerbportal.mydomain.net.
2. When the home page of the portal site renders, type a search keyword in the Search field and press ENTER.
3. Confirm that Search Query results are returned. If they are not, confirm that the keyword you have entered is valid in your deployment, that Search Indexing is running correctly, that the Search service is running on your Search Indexing and Search Query servers, and that there are no problems with search propagation from your Search Index server to your Search Query server.


Configure your SSP infrastructure for Kerberos authentication


Note: This is an optional procedure that requires installation of the Infrastructure Update for Microsoft Office Servers. Without the installation of the Infrastructure Update for Microsoft Office Servers, Kerberos authentication cannot be correctly configured for Office SharePoint Server 2007.

The Infrastructure Update for Microsoft Office Servers includes a new, custom-format SPN for Kerberos authentication for the SSP infrastructure. This custom-format SPN introduces a new Service Class: MSSP. The custom-format SPN is in the following format: MSSP/<host:port>/<SSP name>. This new custom-format SPN sets a .NET Framework property to direct the .NET Framework to use a specific SPN for a given URI. It is the .NET Framework that is used to make inter-server calls to the Office SharePoint Server 2007 SSP infrastructure Web services.

If you examine the SSP infrastructure on an Office SharePoint Server 2007 application server, you will see that there is a Search shared service at both the root level and the virtual directory level in IIS. There is also an Excel Calculation Services (ECS) shared service at the virtual directory level in IIS. After the SSP infrastructure is configured for Kerberos authentication, Kerberos will be used for accessing shared services at both the root level and the virtual directory level. You do not need to register SPNs for the root-level Web services. You only need to register SPNs for the virtual-directory-level Web services. This is because when joining a computer to a domain, a HOST-class SPN is automatically registered for the computer account in the domain, and the SPN will work for the root-level Web service. However, you do need to register SPNs corresponding to the virtual directories that actually correlate to the SSPs in your farm.

To successfully configure your SSP infrastructure for Kerberos authentication you must perform the following steps:

1. Register new custom-format SPNs for your SSP service account in Active Directory.
2. Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos authentication.
3. Add a new registry key to all of your servers running Office SharePoint Server 2007 to enable the generation of new custom-format SPNs.
4. Confirm Kerberos authentication for root-level shared Web service access.
5. Confirm Kerberos authentication for virtual-directory-level shared Web service access.

Note: In the preceding procedure, steps 4 and 5 pertain to the searchadmin.asmx shared Web service. This Search-related shared Web service is located at both the root level of the SSP infrastructure and at the virtual directory level of the SSP infrastructure. The root-level Search shared service can be thought of as a global Web service that pertains to the configuration of the Office SharePoint Server 2007 Search service settings at the Services on Server level in Office SharePoint Server 2007 Central Administration. The virtual-directory-level Search shared service corresponds to a specific SSP in your farm, and is used when configuring Search settings specific to that SSP on the Shared Services Administration site. When performing the steps to verify Kerberos authentication for root-level shared services access, you will not see the generation or use of the new-format SPNs. You will only see the new-format SPNs when accessing the virtual-directory-level Web service; however, you need to verify that access to the shared service works at both levels.

Register new custom-format SPNs for your SSP service account in Active Directory
In this section, the SSP service account is mydomain\sspsvc, and the name of the SSP you created is SSP1. The SSP infrastructure exists on all servers in the farm; therefore, SPNs that refer to all servers running Office SharePoint Server 2007 must be created. Because the SSP infrastructure is bound to TCP port 56737 and SSL port 56738, you need SPNs that include both port numbers. Because of this, two SPNs are required for each application server. For the examples used in this section, you need to create 10 SPNs.

Perform the following procedure to create the SPNs for your SSP infrastructure:

1. Log on to your Active Directory domain controller using the credentials of a user that has domain administrative permissions.
2. In the Run dialog box, type ADSIEDIT.MSC.
3. In the Management Console dialog box, expand the domain container folder.
4. Expand the container folder containing user accounts, for example CN=Users.
5. Locate the container for the SSP service account, for example CN=sspsvc.
6. Right-click the SSP service account, and then click Properties.
7. Scroll down the list of properties in the SSP Service account dialog box until you find servicePrincipalName.
8. Select the servicePrincipalName property and click Edit.
9. In the Value to Add field, in the Multi-Valued String Editor dialog box, add the following SPNs:

MSSP/mossfe1:56737/SSP1
MSSP/mossfe1:56738/SSP1
MSSP/mossfe2:56737/SSP1
MSSP/mossfe2:56738/SSP1
MSSP/mossadmin:56737/SSP1
MSSP/mossadmin:56738/SSP1
MSSP/mosscrawl:56737/SSP1
MSSP/mosscrawl:56738/SSP1
MSSP/mossquery:56737/SSP1
MSSP/mossquery:56738/SSP1
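The same 10 SPNs can be generated from the server list and the two SSP ports and registered from a script instead of typed into ADSI Edit one by one. The following script is an added example and is not part of the original book; it assumes setspn.exe is available (Windows Server 2008 or later, or the Windows Server 2003 Support Tools) and that it runs under a domain administrator account. The server names, ports, SSP name and account are the section's example values.

```powershell
# Added example (not from the original book): build the MSSP/<host:port>/<SSP name> SPNs
# for every farm server and register the ones that are missing on the SSP service account.
# Assumes setspn.exe is on the path; setspn -S (Windows Server 2008 and later) refuses to
# add an SPN that another account already holds, which is the duplicate-SPN condition that
# silently breaks Kerberos. On Windows Server 2003 Support Tools, use -A and check for
# duplicates separately.

$SspName = 'SSP1'
$Account = 'mydomain\sspsvc'
$Servers = 'mossfe1', 'mossfe2', 'mossadmin', 'mosscrawl', 'mossquery'
$Ports   = 56737, 56738     # SSP infrastructure TCP port and SSL port

# One SPN per server per port: 5 servers x 2 ports = the 10 SPNs listed above.
$ExpectedSpns = foreach ($server in $Servers) {
    foreach ($port in $Ports) { 'MSSP/{0}:{1}/{2}' -f $server, $port, $SspName }
}

# setspn -L prints the account's registered SPNs one per line, indented, after a header line.
$Registered = setspn -L $Account | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'MSSP/*' }

foreach ($spn in $ExpectedSpns) {
    if ($Registered -contains $spn) {
        Write-Host "already registered: $spn"
        continue
    }
    setspn -S $spn $Account
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "failed to register $spn (setspn exit code $LASTEXITCODE); check for a duplicate SPN on another account"
    }
}

# Final check: every expected SPN must now be on the account, otherwise the SSP calls will fall back or fail.
$Registered = setspn -L $Account | ForEach-Object { $_.Trim() }
$Missing = $ExpectedSpns | Where-Object { $Registered -notcontains $_ }
if ($Missing) {
    Write-Warning ('Still missing: ' + ($Missing -join ', '))
} else {
    Write-Host "All $($ExpectedSpns.Count) MSSP SPNs are registered for $Account"
}
```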

Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos authentication
To configure your SSP infrastructure to use Kerberos authentication, perform the following procedure:

1. Log on to your Active Directory domain controller using the credentials of a user that has domain administrative permissions.
2. On one of your servers running Office SharePoint Server 2007, open a command prompt.
3. Change to the following directory: %COMMONPROGRAMFILES%\microsoft shared\web server extensions\12\bin.
4. Type the following command, and then press ENTER:

stsadm -o setsharedwebserviceauthn -negotiate

Ensure that this command runs successfully before proceeding. When you have completed this procedure, the command applies to all of the SSPs that you create in your farm, including SSPs that you create after you have successfully run this command.

Add a new registry key to all of your servers running Office SharePoint Server to enable generation of the new custom-format SPNs
The generation of the new, custom-format SPNs is controlled through the setting of a new registry key introduced with the Infrastructure Update for Microsoft Office Servers. To enable the generation of the new, custom-format SPNs, this registry key must be added to all servers in the farm, and all servers must be restarted. Perform the following steps to enable the new behavior. On each server in the farm:

1. Log on as a local administrator.
2. Run the Registry Editor, and add the following new registry key:

HKLM\Software\Microsoft\Office Server\12.0\KerberosSpnFormat (REG_DWORD) = 1

3. Restart the server. It is important to be aware that you must restart the server for the new registry key to take effect.

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.


Confirm Kerberos authentication for root-level shared services access


To confirm Kerberos authentication for the root-level shared services, perform the following procedure:

1. Log on to the computer that is hosting the Central Administration Web application. If you are using the example in this section, log on to MOSSADMIN.
2. Go to Central Administration at http://mossadmin.mydomain.net:10000
3. On the Central Administration home page, click Operations.
4. On the Operations page, click Services on Server.
5. In the Server section, click the drop-down arrow to display the list of servers in the farm, and then click your Search Query server. If you are using the example in this section, select MOSSQUERY.
6. After the page refreshes, confirm that you are pointing to the correct query server, and in the Service section, click Office SharePoint Server Search.
7. Confirm that the Configure Office SharePoint Server Search Service Settings on server mossquery page is displayed.
8. Perform the following steps to confirm that Kerberos authentication was used to render the page: Log on to your Search Query server; using the example in this section, log on to the MOSS machine named MOSSQUERY. Run the Windows Event Viewer. Examine the Security event log. You should see a log record that is similar to the data shown in the following table:

Event Type        Success Audit
Event Source      Security
Event Category    Logon/Logoff
Event ID          540
Date              5/6/2008
Time              12:12:17 PM
User              MYDOMAIN\pscexec
Computer          MOSSQUERY
Description       An example of a successful network logon is shown in the following table.

User Name                 pscexec
Domain                    MYDOMAIN
Logon ID                  (0x0,0x7252B10)
Logon Type                3
Logon Process             Kerberos
Authentication Package    Kerberos
Workstation Name
Logon GUID                {a96a9450-3af5-d82e-3bb3-8cd65c8e5c49}
Caller User Name
Caller Domain
Caller Logon ID
Caller Process ID
Transited Services
Source Network Address    192.168.100.100
Source Port               1964

Important: Repeat this procedure for your Search Indexing server to confirm that the page renders and that there is a Security event log record indicating that the Kerberos authentication package was used for accessing the page.

Confirm Kerberos authentication for virtual-directory-level shared services access


This is the final step in configuring and deploying a server farm running Office SharePoint Server 2007 using Kerberos authentication. To confirm that Kerberos authentication is used for accessing the virtual-directory-level shared services, perform the following procedure:

1. Go to the Shared Services Administration home page.
2. Determine which of your load-balanced front-end Web servers is responding to this request.
3. On the front-end Web server that is responding to the request, run Network Monitor and apply a capture filter to capture KerberosV5 protocol packets. Using Network Monitor 3.2, this capture filter would be protocol.KerberosV5.
4. Start a Network Monitor sniff.
5. On the Shared Services Administration site home page, click Search Settings.
6. Confirm that the Search Settings page is displayed.
7. Stop the sniff and examine captured packets. You should see Kerberos protocol packets with descriptions that are similar to those shown in the following example:

The Sname value in the preceding example (MSSP/mosscrawl:56738/SSP1) is the new-format SPN being generated and sent to the Kerberos KDC as a result of the changes included in the Infrastructure Update for Microsoft Office Servers.

Log on to your index server (in the example in this section, the index server is MOSSCRAWL). Run Event Viewer and examine the Security log. You should see an entry that is similar to the data shown in the following table:

Event Type        Success Audit
Event Source      Security
Event Category    Logon/Logoff
Event ID          540
Date              5/6/2008
Time              1:21:04 PM
User              MYDOMAIN\sspadminpool
Computer          MOSSCRAWL
Description       An example of a successful network logon is shown in the following table.

User Name                 sspadminpool
Domain                    MYDOMAIN
Logon ID                  (0x0,0xD84A6)
Logon Type                3
Logon Process             Kerberos
Authentication Package    Kerberos
Workstation Name          MOSSCRAWL
Logon GUID                {2f1cccb3-c10d-27e5-9896-0f918e8ad796}
Caller User Name
Caller Domain
Caller Logon ID
Caller Process ID
Transited Services
Source Network Address    192.168.150.100
Source Port               1513
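The three Security-log checks in this chapter (the portal site on a front-end Web server, the root-level shared service on the query and index servers, and the virtual-directory-level shared service on the index server) all inspect the same fields of a Success Audit 540 record. The following script is an added example, not code from the original book, that reads those records and applies the checks for you; it assumes Windows PowerShell 2.0 on the farm member and the right to read the Security log. The account names and source addresses are the chapter's example values.

```powershell
# Added example (not from the original book): list Success Audit 540 (successful network logon)
# records for an account and report whether each one meets the Kerberos checks described above.
# Assumes Windows PowerShell 2.0 on a Windows Server 2003 farm member; Get-EventLog reads the
# classic Security log, whose event descriptions are "Field: Value" lines with the same field
# names as the tables in this chapter.

function ConvertFrom-LogonDescription {
    # Turn the "Field: Value" lines of a classic security event description into a hashtable.
    param([string]$Message)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z ]+?):\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    return $fields
}

function Test-KerberosNetworkLogon {
    param(
        [string]$ExpectedUser,            # pscexec for the portal and root-level checks, sspadminpool for the SSP check
        [string]$ExpectedSourceAddress,   # IP address of the computer the request came from
        [int]$Newest = 500                # how many recent Success Audit records to inspect
    )
    # Event 540 is "Successful Network Logon" in the Windows Server 2003 Security log.
    $records = Get-EventLog -LogName Security -EntryType SuccessAudit -Newest $Newest |
        Where-Object { $_.EventID -eq 540 }

    foreach ($record in $records) {
        $f = ConvertFrom-LogonDescription $record.Message
        if ($f['User Name'] -ne $ExpectedUser) { continue }

        # The four checks the chapter asks you to make by eye. A logon that fell back to NTLM
        # shows up here as Logon Process "NtLmSsp" and Authentication Package "NTLM".
        $kerberos = ($f['Logon Type'] -eq '3') -and
                    ($f['Logon Process'] -eq 'Kerberos') -and
                    ($f['Authentication Package'] -eq 'Kerberos') -and
                    ($f['Source Network Address'] -eq $ExpectedSourceAddress)

        New-Object PSObject -Property @{
            Time          = $record.TimeGenerated
            User          = "$($f['Domain'])\$($f['User Name'])"
            LogonType     = $f['Logon Type']
            LogonProcess  = $f['Logon Process']
            AuthPackage   = $f['Authentication Package']
            SourceAddress = $f['Source Network Address']
            KerberosUsed  = $kerberos
        }
    }
}

# Portal site and root-level checks, run on the front-end, query or index server that handled the request:
Test-KerberosNetworkLogon -ExpectedUser 'pscexec' -ExpectedSourceAddress '192.168.100.100' |
    Sort-Object Time -Descending | Format-Table Time, User, LogonType, LogonProcess, AuthPackage, SourceAddress, KerberosUsed -AutoSize

# Virtual-directory-level SSP check, run on the index server (MOSSCRAWL in the chapter's example):
# Test-KerberosNetworkLogon -ExpectedUser 'sspadminpool' -ExpectedSourceAddress '192.168.150.100'
```

A record with KerberosUsed set to False for the expected account means the page rendered but the logon did not meet one of the four checks, which is the condition the troubleshooting notes in this chapter apply to.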

Configuration limitations
There are a few configuration limitations with respect to utilizing Kerberos authentication for the SSP infrastructure using the Infrastructure Update for Microsoft Office Servers:

- The host name portion of the new-format SPNs that are created will be the NetBIOS name of the host running the service, for example: MSSP/kerbtest4:56738/SSP1. This is because the host names are fetched from the Office SharePoint Server 2007 configuration database, and only NetBIOS computer names are stored in the Office SharePoint Server 2007 configuration database. This might be ambiguous in certain scenarios. Currently, the Stsadm command-line tool to rename a server running Office SharePoint Server 2007 cannot be successfully used to rename a server running Office SharePoint Server 2007, so there is no workaround for this issue.
- Do not use SSP names containing extended characters. An SPN with an SSP name containing extended characters cannot be selected as the target for delegation. Therefore, avoid using extended characters in your SSP names.

Additional resources and troubleshooting guidance


Product/technology          Resource

Windows Server 2003         Event ID 10017 error messages are logged in the System log after you install Windows SharePoint Services 3.0 (http://go.microsoft.com/fwlink/?LinkId=120456&clcid=0x409)
SQL Server                  How to make sure that you are using Kerberos authentication when you create a remote connection to an instance of SQL Server 2005 (http://go.microsoft.com/fwlink/?LinkId=85942&clcid=0x409)
SQL Server                  How to troubleshoot the "Cannot generate SSPI context" error message (http://go.microsoft.com/fwlink/?LinkId=82932&clcid=0x409)
SQL Server                  How to configure SQL Server 2005 Analysis Services to use Kerberos authentication (http://go.microsoft.com/fwlink/?LinkId=120459&clcid=0x409)
.NET Framework              AuthenticationManager.CustomTargetNameDictionary Property (http://go.microsoft.com/fwlink/?LinkId=120460&clcid=0x409)
Windows Internet Explorer   Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port in Windows XP and in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=99681&clcid=0x409)
Windows Internet Explorer   Error message in Internet Explorer when you try to access a Web site that requires Kerberos authentication on a Windows XP-based computer: "HTTP Error 401 Unauthorized: Access is denied due to invalid credentials" (http://go.microsoft.com/fwlink/?LinkId=120462&clcid=0x409)
Kerberos authentication     Kerberos Authentication Technical Reference (http://go.microsoft.com/fwlink/?LinkId=78646&clcid=0x409)
Kerberos authentication     Troubleshooting Kerberos Errors (http://go.microsoft.com/fwlink/?LinkId=93730&clcid=0x409)
Kerberos authentication     Kerberos Protocol Transition and Constrained Delegation (http://go.microsoft.com/fwlink/?LinkId=100941&clcid=0x409)
IIS                         Configuring SSL Host Headers (IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=120463&clcid=0x409)

About the author Mark Grossbard is a Test Engineer, MOSS Core Test, for Office SharePoint Server at Microsoft.


Run the Best Practices Analyzer tool


You can run the Best Practices Analyzer tool to check for common issues and best security practices. The tool generates a report that can help you optimize the configuration of your system. The tool can be run locally or from a server that is not attached to the server farm. To download the tool, click Microsoft Best Practices Analyzer for Windows SharePoint Services 3.0 and the 2007 Microsoft Office System (http://go.microsoft.com/fwlink/?LinkID=83335&clcid=0x409).


Configure usage reporting


In this section:

About usage reporting
Configure Windows SharePoint Services usage logging
Enable usage reporting
Activate usage reporting
Monitor usage reporting

About usage reporting


Usage reporting is a service that enables site administrators, site collection administrators, and Shared Services Provider (SSP) administrators to monitor statistics about the use of their sites. Usage reporting also includes usage reporting for search queries that can be viewed by SSP administrators for search and site collection administrators.

To configure usage reporting, a farm administrator must first enable Windows SharePoint Services usage logging for the farm that hosts the Web application containing the SSP. The SSP administrator enables and configures the usage reporting service. Then, site collection administrators can activate the reporting feature to enable usage reports on the site collection.

After usage reporting is enabled, site administrators and site collection administrators can view site usage summary pages that have the following information for their sites and site collections:

- Requests and queries in the last day and the last 30 days.
- Average number of requests per day over the last 30 days.
- A chart of requests per day over the last 30 days.
- A list of the top page requests over the last 30 days.
- A list of top users over the last 30 days.
- A chart of top referring hosts over the last 30 days.
- A chart of top referring pages over the last 30 days.
- A list of top destination pages over the last 30 days.
- Top queries for the last 30 days (if search usage reporting is enabled).
- Search results top destination pages (if search usage reporting is enabled).

SSP administrators for the search service can view a search usage reports page that tracks the following information:

- Number of queries per day over the previous 30 days.
- Number of queries per month over the previous 12 months.
- Top queries over the previous 30 days.
- Top site collections originating queries over the previous 30 days.
- Queries per search scope over the previous 30 days.

Site collection administrators for the SSP site can view a usage summary page that tracks the following information:

- Total amount of storage used by the site collection.
- Percent of storage space used by Web Discussions.
- Maximum storage space allowed.
- Number of users for all sites in the hierarchy.
- Total hits and recent bandwidth usage across all sites.

Site collection administrators can also view a site usage report that includes monthly and daily page hit totals filtered by the following criteria:

- Page
- User
- Operating system
- Browser
- Referrer URL

Usage reporting is very useful for managing complex site hierarchies with many sites, a large number of page hits, and a large number of search queries, and it is recommended that the service be enabled for deployments of complex site hierarchies. For less complex deployments, usage reporting might not be necessary. It is also possible to disable the service temporarily to conserve resources when those resources are needed for other processes.

Enable Windows SharePoint Services usage logging


Before you can enable usage reporting in an SSP, you must first enable Windows SharePoint Services usage logging for the farm hosting the Web application containing the SSP. Use the following procedure to enable usage logging for the farm.

Enable usage logging for the farm

1. On the Central Administration home page, click Operations.
2. On the Operations page, in the Logging and Reporting section, click Usage analysis processing.
3. On the Usage Analysis Processing page, in the Logging Settings section, select Enable logging.
4. Type a log file location and number of log files to create.
5. In the Processing Settings section, select Enable usage analysis processing, and then select a time to run usage processing.
6. Click OK.

For information about how to perform this procedure using the Stsadm command-line tool, see Usage Analysis: Stsadm properties (http://technet.microsoft.com/en-us/library/cc263478.aspx).

Enable usage reporting


After Windows SharePoint Services usage logging is enabled in the server farm, SSP administrators must enable the usage reporting service. SSP administrators can control the complexity of usage analysis processing, and select whether or not reporting is enabled for search queries. Use the following procedure to enable usage reporting.

Enable usage reporting

1. On the SSP home page, in the Office SharePoint Usage Reporting section, click Usage reporting.
2. On the Configure Advanced Usage Analysis Processing page, in the Processing Settings section, click Enable advanced usage analysis processing.
3. In the Search Query Logging section, select Enable search query logging.
4. Click OK.

If advanced usage analysis processing is not selected, usage reporting statistics will be minimal. For information about how to perform this procedure using the Stsadm command-line tool, see Usage Analysis: Stsadm properties (http://technet.microsoft.com/en-us/library/cc263478.aspx).

Activate usage reporting


After usage reporting is enabled for the SSP, site collection administrators must activate the reporting feature. Until the reporting feature is activated on a site collection, usage reports are not available. Use the following procedure to activate the reporting feature.

Activate the reporting feature

1. On the Site Actions menu, click Site Settings.
2. On the Site Settings page, in the Site Collection Administration section, click Site collection features.
3. On the Site Collection Features page, click the Activate button for the Reporting feature.

For information about how to perform this procedure using the Stsadm command-line tool, see Usage Analysis: Stsadm properties (http://technet.microsoft.com/en-us/library/cc263478.aspx).


Monitor usage reporting


Usage reporting can be viewed in several places:

- Site administrators, including administrators of the SSP administration site, can view usage reporting for their site by clicking Site usage reports in the Site Administration section of the Site Settings page.
- Site collection administrators can view usage reporting by clicking Site collection usage reports in the Site Collection Administration section of the Site Settings page.
- Site collection administrators for the SSP administration site can view a usage summary by clicking Usage summary in the Site Collection Administration section of the Site Settings page.
- SSP administrators for search can view search usage reports by clicking Search usage reports in the Search section of the SSP home page.

For information about how to perform this procedure using the Stsadm command-line tool, see Usage Analysis: Stsadm properties (http://technet.microsoft.com/en-us/library/cc263478.aspx).


V. Deploy and configure SharePoint sites




Chapter overview: Deploy and configure SharePoint sites


After you have installed Microsoft Office SharePoint Server 2007, configured shared services, and performed the other configuration tasks for your servers, you are ready to begin creating SharePoint sites.

In this chapter:

Create or extend Web applications
SharePoint sites are hosted by Web applications, so you must create one or more Web applications before you can create any sites. This section covers how to create a Web application, or how to extend a Web application to host the same content as another Web application.

Create zones for Web applications
Each Web application can have as many as five zones, and each zone can have a different authentication method. A default zone is automatically created when you create a Web application. This section helps you configure any additional zones you need.

Configure alternate access mapping
Alternate access mapping enables you to assign different URLs to the same site (for example, you can configure access via the HTTP protocol for internal users and via the HTTPS protocol for external users). Alternate access mapping settings are configured per zone at the Web application level. Although the settings can be configured at any time, it is useful to configure alternate access mapping before you create your SharePoint sites. This section helps you configure alternate access mapping for a Web application.

Create quota templates
Quota templates enable you to set a limit on how large a site collection can become. This section helps you configure the quota templates that you want to use for any site collections you create.

Create a site collection
After you have configured the settings that the previous articles describe, you can create a site collection. This section helps you create a site collection from Central Administration and assign primary and secondary owners. If you want to allow users to create their own sites, you need to configure Self-Service Site Management for the Web application. For more information about choosing a method to use for site creation, see Plan process for creating sites (http://technet.microsoft.com/en-us/library/cc263483.aspx).

Create a blank site to migrate content into
If you are moving a site collection from one Web application or server farm to another, or using the content deployment features to deploy an existing site collection to a new site collection on a different server farm or Web application, you need to create a blank site collection as the destination for the content. This section helps you create a blank site collection, either for migrating sites or for content deployment.

Add site content
After you have created your site collection, you can begin adding site content. This section provides links to information that can help you add content to your sites.

Enable access for end users
After you have created your site, you can add users and grant them access to the site. This section helps you add users to a site collection.


Create or extend Web applications


Before you can create a site or a site collection, you must first create a Web application. A Web application is comprised of an Internet Information Services (IIS) site with a unique application pool and can be assigned to an SSP (Shared Services Provider) to enable features such as InfoPath Forms Services, Excel Calculation Services, and Workflows.

In this section:

Create a new Web application
Extend an existing Web application

Create a new Web application


Create a new Web application

1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the SharePoint Web Application Management section, click Create or extend Web application.

4. On the Create or Extend Web Application page, in the Adding a SharePoint Web Application section, click Create a new Web application.

5. On the Create New Web Application page, in the IIS Web Site section, you can configure the settings for your new Web application.

a. To use an existing Web site, select Use an existing Web site, and specify the Web site on which to install your new Web application by selecting it from the drop-down menu.

b. To create a new Web site, select Create a new IIS Web site, and type the name of the Web site in the Description box.

c. In the Port box, type the port number you want to use to access the Web application. If you are creating a new Web site, this field is populated with a suggested port number. If you are using an existing Web site, this field is populated with the current port number.

d. In the Host Header box, type the URL you wish to use to access the Web application. This is an optional field.

e. In the Path box, type the path to the site directory on the server. If you are creating a new Web site, this field is populated with a suggested path. If you are using an existing Web site, this field is populated with the current path.

6. In the Security Configuration section, configure authentication and encryption for your Web application.

a. In the Authentication Provider section, choose either Negotiate (Kerberos) or NTLM.

b. In the Allow Anonymous section, choose Yes or No. If you choose to allow anonymous access, this enables anonymous access to the Web site using the computer-specific anonymous access account (that is, IUSR_<computername>).

c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you choose to enable SSL for the Web site, you must configure SSL by requesting and installing an SSL certificate.

7. In the Load Balanced URL section, type the URL for the domain name for all sites that users will access in this Web application. This URL domain will be used in all links shown on pages within the Web application. By default, the box is populated with the current server name and port. The Zone box is automatically set to Default for a new Web application, and cannot be changed from this page. To change the zone for a Web application, see Extend an existing Web application later in this section.

8. In the Application Pool section, choose whether to use an existing application pool or create a new application pool for this Web application. To use an existing application pool, select Use existing application pool. Then select the application pool you wish to use from the drop-down menu.

a. To create a new application pool, select Create a new application pool.

b. In the Application pool name box, type the name of the new application pool, or keep the default name.

c. In the Select a security account for this application pool section, select Predefined to use an existing application pool security account, and then select the security account from the drop-down menu.

d. Select Configurable to use an account that is not currently being used as a security account for an existing application pool. In the User name box, type the user name of the account you wish to use, and type the password for the account into the Password box.

9. In the Reset Internet Information Services section, choose whether to allow Windows SharePoint Services to restart IIS on other farm servers. The local server must be restarted manually for the process to finish. If this option is not selected and you have more than one server in the farm, you must wait until the IIS Web site is created on all servers and then run iisreset /noforce on each Web server. The new IIS site is not usable until that action is completed. The choices are unavailable if your farm only contains a single server.

10. Under Database Name and Authentication, choose the database server, database name, and authentication method for your new Web application.


Item: Database Server
Action: Type the name of the database server and SQL Server instance you want to use in the format <SERVERNAME\instance>. You may also use the default entry.

Item: Database Name
Action: Type the name of the database, or use the default entry.

Item: Database Authentication
Action: Choose whether to use Windows authentication (recommended) or SQL authentication. If you want to use Windows authentication, leave this option selected. If you want to use SQL authentication, select SQL authentication. In the Account box, type the name of the account you want the Web application to use to authenticate to the SQL Server database, and then type the password in the Password box.

11. Click OK to create the new Web application, or click Cancel to cancel the process and return to the Application Management page.

Extend an existing Web application


You can extend an existing Web application if you need to have separate IIS Web sites that expose the same content to users. This is typically used for extranet deployments where different users access content using different domains. This option reuses the content database from an existing Web application.

Extend an existing Web application

1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the SharePoint Web Application Management section, click Create or extend Web application.

4. On the Create or extend Web application page, in the Adding a SharePoint Web Application section, click Extend an existing Web application.

5. On the Extend Web Application to Another IIS Web Site page, in the Web Application section, click the Web application link and then click Change Web application.

6. On the Select Web Application page, click the Web application you want to extend.

7. On the Extend Web Application to Another IIS Web Site page, in the IIS Web Site section, you can select Use an existing IIS Web site to use a Web site that has already been created, or you can choose to leave Create a new IIS Web site selected. The Description, Port, and Path boxes are populated for either choice. You can choose to use the default entries or type the information you want into the boxes.

8. In the Security Configuration section, configure authentication and encryption for the extended Web application.

a. In the Authentication Provider section, choose either Negotiate (Kerberos) or NTLM.

b. In the Allow Anonymous section, choose Yes or No. If you choose to allow anonymous access, this enables anonymous access to the Web site using the computer-specific anonymous access account (that is, IUSR_<computername>).

c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you choose to enable SSL for the Web site, you must configure SSL by requesting and installing an SSL certificate.

9. Under Load Balanced URL, type the URL for the domain name for all sites that users will access in this Web application. This URL domain will be used in all links shown on pages within the Web application. By default, the text box is populated with the current server name and port.

10. In the Load Balanced URL section, under Zone, select the zone for the extended Web application from the drop-down menu. You can choose Intranet, Internet, Custom, or Extranet.

11. Click OK to extend the Web application, or click Cancel to cancel the process and return to the Application Management page.

For information about how to perform this procedure using the Stsadm command-line tool, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).


Configure alternate access mapping


Each Web application can be associated with a collection of mappings between internal and public URLs. Both internal and public URLs consist of the protocol and domain portion of the full URL (for example, https://www.fabrikam.com). A public URL is what users type to get to the SharePoint site, and that URL is what appears in the links on the pages. Internal URLs are in the URL requests that are sent to the SharePoint site. Many internal URLs can be associated with a single public URL in multi-server farms (for example, when a load balancer routes requests to specific IP addresses to various servers in the load-balancing cluster). Each Web application supports five collections of mappings per URL; the five collections correspond to five zones (default, intranet, extranet, Internet, and custom). When the Web application receives a request for an internal URL in a particular zone, links on the pages returned to the user have the public URL for that zone. For more information, see Plan alternate access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).

Manage alternate access mappings


1. On the top navigation bar, click Operations.

2. On the Operations page, in the Global Configuration section, click Alternate access mappings.

For information about how to perform this procedure using the Stsadm command-line tool, see Addalternatedomain: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263437.aspx).

Add an internal URL


1. On the Alternate Access Mappings page, click Add Internal URLs.

2. If the mapping collection that you want to modify is not specified, then choose one. In the Alternate Access Mapping Collection section, click Change alternate access mapping collection on the Alternate Access Mapping Collection menu.

3. On the Select an Alternate Access Mapping Collection page, click a mapping collection.

4. In the Add internal URL section, in the URL protocol, host and port box, type the new internal URL (for example, https://www.fabrikam.com).

5. In the Zone list, click the zone for the internal URL.

6. Click Save.

For information about how to perform this procedure using the Stsadm command-line tool, see Addpath: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263161.aspx).


Edit or delete an internal URL


Note: You cannot delete the last internal URL for the default zone.

1. On the Alternate Access Mappings page, click the internal URL that you want to edit or delete.

2. In the Edit internal URL section, modify the URL in the URL protocol, host and port box.

3. In the Zone list, click the zone for the internal URL.

4. Do one of the following:

Click Save to save your changes.

Click Cancel to discard your changes and return to the Alternate Access Mappings page.

5. Click Delete to delete the internal URL.

Edit public URLs


Note: There must always be a public URL for the default zone.

1. On the Alternate Access Mappings page, click Edit Public URLs.

2. If the mapping collection that you want to modify is not specified, then choose one. In the Alternate Access Mapping Collection section, click Change alternate access mapping collection on the Alternate Access Mapping Collection menu.

3. On the Select an Alternate Access Mapping Collection page, click a mapping collection.

4. In the Public URLs section, you may add new URLs or edit existing URLs in any of the following text boxes:

Default

Intranet

Extranet

Internet

Custom

5. Click Save.

Map to an external resource


You can also define mappings for resources outside internal Web applications. To do so, you must supply a unique name, initial URL, and a zone for that URL. (The URL must be unique to the farm.)

1. On the Alternate Access Mappings page, click Map to External Resource.

2. On the Create External Resource Mapping page, in the Resource Name box, type a unique name.

3. In the URL protocol, host and port box, type the initial URL.

4. Click Save.
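The mapping rules this section states (public versus internal URLs, one public URL per zone, a public URL and at least one internal URL always present for the default zone, URLs unique within the farm) as an added PowerShell example; it is not code from the deployment guide or from Microsoft, but a small model that checks a planned mapping collection before you enter it in Central Administration, resolves which zone a request lands in, and rewrites a link to that zone's public URL. The host names, zones and paths are constructed sample values.

```powershell
# Added example, not part of the Microsoft deployment guide. A model of one
# Web application's alternate access mapping collection: it validates the
# rules the guide states, finds the zone for an incoming request, and builds
# the link a returned page should carry. All host names are constructed.

# Public URLs: what users type and what appears in links on returned pages.
$PublicUrls = @{
    Default  = 'http://sharepoint'
    Intranet = 'http://portal.corp.fabrikam.com'
    Extranet = 'https://partners.fabrikam.com'
}

# Internal URLs: what actually arrives at a front-end server, for example the
# node addresses a load balancer uses. Several may share one public URL.
$InternalUrls = @(
    @{ Url = 'http://sharepoint';               Zone = 'Default'  }
    @{ Url = 'http://wfe1:80';                  Zone = 'Intranet' }
    @{ Url = 'http://wfe2';                     Zone = 'Intranet' }
    @{ Url = 'http://portal.corp.fabrikam.com'; Zone = 'Intranet' }
    @{ Url = 'https://partners.fabrikam.com';   Zone = 'Extranet' }
)

function ConvertTo-AamKey {
    # Normalize to protocol://host:port so 'http://wfe1' and 'http://wfe1:80' compare equal.
    param([string]$Url)
    $u = [System.Uri]$Url
    return ('{0}://{1}:{2}' -f $u.Scheme, $u.Host.ToLowerInvariant(), $u.Port)
}

function Test-AamCollection {
    # Returns one line per rule violation; an empty result means the plan is consistent.
    param($PublicUrls, $InternalUrls)
    $problems = @()
    if (-not $PublicUrls.ContainsKey('Default')) {
        $problems += 'The default zone has no public URL; there must always be one.'
    }
    if (@($InternalUrls | Where-Object { $_.Zone -eq 'Default' }).Count -eq 0) {
        $problems += 'The default zone has no internal URL; its last one cannot be deleted.'
    }
    $seen = @{}
    foreach ($entry in $InternalUrls) {
        $key = ConvertTo-AamKey $entry.Url
        if ($seen.ContainsKey($key)) {
            $problems += "Internal URL $key is mapped twice; it must be unique in the farm."
        }
        $seen[$key] = $entry.Zone
        if (-not $PublicUrls.ContainsKey($entry.Zone)) {
            $problems += "Zone $($entry.Zone) has an internal URL but no public URL, so links for requests in that zone cannot be rewritten."
        }
    }
    return $problems
}

function Resolve-AamZone {
    # Zone whose internal URL matches the protocol, host and port of the request,
    # or $null when the request arrived at a URL that was never mapped.
    param([string]$RequestUrl, $InternalUrls)
    $key = ConvertTo-AamKey $RequestUrl
    foreach ($entry in $InternalUrls) {
        if ((ConvertTo-AamKey $entry.Url) -eq $key) { return $entry.Zone }
    }
    return $null
}

function ConvertTo-PublicLink {
    # The link a page returned for this request should carry: the public URL of the
    # request's zone plus the site-relative path, never the internal host name.
    param([string]$RequestUrl, [string]$Path, $PublicUrls, $InternalUrls)
    $zone = Resolve-AamZone $RequestUrl $InternalUrls
    if ($null -eq $zone) { throw "No alternate access mapping matches $RequestUrl." }
    return $PublicUrls[$zone].TrimEnd('/') + '/' + $Path.TrimStart('/')
}

$problems = @(Test-AamCollection $PublicUrls $InternalUrls)
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ } }

# A request the load balancer routed to node wfe2 is in the Intranet zone, so the
# link uses the Intranet public URL rather than the node name.
ConvertTo-PublicLink 'http://wfe2' 'sites/hr/default.aspx' $PublicUrls $InternalUrls

# An external request that arrived over HTTPS gets an HTTPS link for the Extranet zone.
ConvertTo-PublicLink 'https://partners.fabrikam.com:443' 'sites/hr/default.aspx' $PublicUrls $InternalUrls

# A host that was never added as an internal URL resolves to no zone at all.
Resolve-AamZone 'http://wfe3' $InternalUrls
```

Removing the Extranet entry from $PublicUrls and running Test-AamCollection again shows the warning that an internal URL without a public URL for its zone produces.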


Create zones for Web applications


If your solution architecture includes Web applications with more than one zone, use the guidance in this section to create additional zones.

Create a new zone


You can create a new zone by extending an existing Web application. Follow the "Extend an existing Web application" procedure in Create or extend Web applications to create a new zone. The new zone is created when you select a zone in step 10 of the procedure. Refer to your planning architecture documents and worksheets to determine which zones you need to create and what authentication method should be associated with each zone. You can change the authentication provider for a zone on the Authentication Providers page. For more information, see Plan authentication methods (http://technet.microsoft.com/en-us/library/cc262350.aspx).

View existing zones


On the Alternate Access Mappings page, you can view the zones that have been created for your farm.

1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.

2. On the Central Administration home page, click Operations.

3. On the Operations page, in the Global Configuration section, click Alternate access mappings.

On the Alternate Access Mappings page, each Web application is displayed with its associated zone.

For information about how to perform this procedure using the Stsadm command-line tool, see Enumalternatedomains: Stsadm operation.

See Also

Create or extend Web applications

Configure alternate access mapping

Plan authentication methods (http://technet.microsoft.com/en-us/library/cc262350.aspx)


Create quota templates


In this section:

Create a new quota template

Edit an existing quota template

Delete a quota template

A quota template consists of storage limit values that specify how much data can be stored in a site collection and the storage size that triggers an e-mail alert to the site collection administrator when that size is reached. You can create a quota template that can be applied to any site collection in the farm.

Note: When you apply a quota template to a site collection, the storage limit applies to the site collection as a whole. In other words, the storage limit applies to the sum of the content sizes for the top-level site and all subsites within the site collection.

You can also modify existing quota templates. When a quota template is modified, the new storage limits you defined in the template will apply to any new site collection you create that uses that quota template. However, existing site collections to which the quota template has been previously applied will not be automatically updated to reflect the new storage limits.

Create a new quota template


1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the SharePoint Site Management section, click Quota templates.

4. On the Quota Templates page, in the Template Name section, select Create a new quota template.

5. Type the name of the new template in the New template name box. If you want to base your new template on an existing quota template, click the Template to start from down arrow and select the desired template from the drop-down menu.

6. In the Storage Limit Values section, set the values you want to apply to the template.

a. If you want to restrict the amount of data that can be stored, click the Limit site storage to a maximum of check box and type the storage limit in megabytes into the text box.

b. If you want an e-mail to be sent to the site collection administrator when a certain storage threshold is reached, click the Send warning E-mail when site storage reaches check box and type the threshold in megabytes into the text box.

7. Click OK to create the new quota template, or click Cancel to cancel the operation and return to the Application Management page.

Edit an existing quota template


1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the SharePoint Site Management section, click Quota templates.

4. In the Template Name section, click the Template to modify down arrow and select the template you want to edit from the drop-down menu.

5. In the Storage Limit Values section, set the values you want to apply to the template.

a. If you want to restrict the amount of data that can be stored, click the Limit site storage to a maximum of check box and type the storage limit in megabytes into the text box.

b. If you want an e-mail to be sent to the site collection administrator when a certain storage threshold is reached, click the Send warning E-mail when site storage reaches check box and type the threshold in megabytes into the text box.

6. Click OK to modify the quota template, or click Cancel to cancel the operation and return to the Application Management page.

Delete a quota template


1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the SharePoint Site Management section, click Quota templates.

4. In the Template Name section, click the Template to modify down arrow and select the template you want to delete from the drop-down menu.

5. Click the Delete button.

6. Click OK on the dialog box that appears to delete the quota template.


Create a site collection


When you create a site collection, you also create the top-level site within that site collection. Select the appropriate template for your scenario, such as: Publishing Portal for an Internet presence Web site, or Collaboration Portal for an Intranet portal Web site.

Create a site collection


1. On the top navigation bar, click Application Management.

2. On the Application Management page, in the SharePoint Site Management section, click Create site collection.

3. On the Create Site Collection page, in the Web Application section, if the Web application in which you want to create the site collection is not selected, click Change Web Application on the Web Application menu, and then on the Select Web Application page, click the Web application in which you want to create the site collection.

4. In the Title and Description section, type the title and description for the site collection.

5. In the Web Site Address section, under URL, select the path to use for your URL (such as an included path like /sites/ or the root directory, /). If you select a wildcard inclusion path, such as /sites/, you must also type the site name to use in your site's URL.

Note: The paths available for the URL option are taken from the list of managed paths that have been defined as wildcard inclusions. For more information about managed paths, see Define managed paths in the Central Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx) system.

6. In the Template Selection section, in the Select a template list, select the template that you want to use for the top-level site in the site collection.

7. In the Primary Site Collection Administrator section, enter the user name (in the form DOMAIN\username) for the user who will be the site collection administrator.

8. If you want to identify a user as the secondary owner of the new top-level Web site (recommended), in the Secondary Site Collection Administrator section, enter the user name for the secondary administrator of the site collection.

9. If you are using quotas to limit resource use for site collections, in the Quota Template section, click a template in the Select a quota template list.

10. Click OK.

For information about how to perform this procedure by using the Stsadm command-line tool, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx).


Create a blank site to migrate content into


You must create the site collection that is assigned as the destination for content migration by using the Blank Site template.

Create a site collection


Create a site collection by using the Blank Site template

1. In Central Administration, on the top link bar, click Application Management.

2. On the Application Management page, in the SharePoint Site Management section, click Create site collection.

3. On the Create Site Collection page, in the Web Application section, if the Web application in which you want to create the site collection is not selected, on the Web Application menu, click Change Web Application.

4. On the Select Web Application page, click the Web application in which you want to create the site collection.

5. In the Title and Description section, type the title and description for the site collection.

6. In the Web Site Address section, under URL, select either the root directory ("/") or an included path (for example, "/sites/") to use for your URL. If you select a wildcard included path such as /sites/, type the site name to use in your site's URL.

Note: The paths available for the URL option are taken from the list of managed paths that have been defined as wildcard inclusions. For more information about managed paths, see the topic Define managed paths in the Central Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx) system.

7. In the Template Selection section, in the Select a template list, on the Collaboration tab, click Blank Site.

8. In the Primary Site Collection Administrator section, specify the user name for the user who will be the site collection administrator. You can type the user name in the User name box or use the Browse button to search for a user.

9. If you want to designate a user as the secondary administrator of the new top-level Web site (recommended), in the Secondary Site Collection Administrator section, specify the user name for the secondary administrator of the site collection.

10. If you want to use a quota to limit resource use for site collections, in the Quota Template section, select a template in the Select a quota template list.

11. Click OK.

For information about how to perform this procedure using the Stsadm command-line tool, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx) and Addpath: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263161.aspx).


Add site content


In this section:

Use Web site designers to design and add content

Migrate content from another site

Allow users to add content directly

There are several methods that you can use to add content to sites, including:

Using Web site designers to design and add content.

Migrating content from another site.

Allowing users to add content directly.

Depending on your scenario, you may find particular methods more appropriate.

Use Web site designers to design and add content when you are working with:

A published intranet portal site

A published Internet Web site

Migrate content from another site when you are working with:

A published Internet site in which authors create content in the authoring site. After you migrate content, you use content deployment to deploy the content to the production site.

A site or set of sites that is being reorganized.

Allow users to add content directly when you are working with:

A collaboration site in which the site owner can create the lists and libraries that are needed, and then grant site members access so that they can begin contributing content.

A blog site in which the blog owner can set up the structure for the blog, and then start creating posts.

A wiki site in which the wiki site owner can grant access to users and the users can start creating topics in the wiki.

Use Web site designers to design and add content


When you create a published site, Web site owners and designers must plan and implement many elements, such as site navigation, site design (including master pages, page layouts, and .css files), and the overall information architecture for the site. For more information about planning for these elements, see Planning and architecture for Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx). Follow the steps in Enable access for end users to give the Web site designers permissions to the site. When they have completed their work, you can then optionally grant access to authors to contribute content before you grant access to the other users in your organization or before you make the site available to the public on the Internet.

Migrate content from another site


When you are using a published site, you can author content in one site collection and then publish it to another. For this scenario, you must create a blank site collection to migrate the content into. For more information, see Create a blank site to migrate content into.

If you are reorganizing an existing site and need to migrate content to a different site collection, you can use several methods to migrate the content. You can use:

The Export and Import operations for the Stsadm command-line tool to migrate site collections or subsites. For more information about using Stsadm operations, see the following resources:

Export: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262759.aspx)

Import: Stsadm operation (http://technet.microsoft.com/en-us/library/cc261866.aspx)

The Content Migration object model to programmatically move content at any level in the site (Web site, list, library, folder, file, or list item). For more information about using the Content Migration object model, see "Content Migration Overview" in the Windows SharePoint Services 3.0 Software Development Kit (http://go.microsoft.com/fwlink/?LinkId=86999&clcid=0x409).

Microsoft Office SharePoint Designer 2007 to migrate individual lists or libraries to the appropriate place in the new site hierarchy. For more information about using Office SharePoint Designer 2007, see the following articles in the Office SharePoint Designer 2007 Help system:

Export or import a Web package (http://go.microsoft.com/fwlink/?LinkId=87002&clcid=0x409)

Back up, restore, or move a SharePoint site (http://go.microsoft.com/fwlink/?LinkId=87003&clcid=0x409)
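The migration path described here and in Create a blank site to migrate content into, as an added PowerShell example that is not code from the deployment guide or from Microsoft: it creates the blank destination site collection with the Stsadm Createsite operation (STS#1 is the Blank Site template identifier), then exports the source site collection and imports it with the Export and Import operations the guide links. The source and destination URLs, the account names, the title and the package path are constructed sample values, and the script assumes it runs on a farm server where stsadm.exe is in its default location.

```powershell
# Added example, not part of the Microsoft deployment guide. Creates a blank
# destination site collection and moves an existing site collection into it
# with the Stsadm Createsite, Export and Import operations. Every URL, account
# and path below is a constructed sample value; adjust before use.

# Default location of stsadm.exe on an Office SharePoint Server 2007 farm server.
$Stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\BIN\stsadm.exe'

$SourceUrl  = 'http://portal.corp.fabrikam.com/sites/hr'       # site collection to move
$DestUrl    = 'http://portal.corp.fabrikam.com/sites/hr-new'   # new URL under the /sites/ wildcard managed path
$OwnerLogin = 'FABRIKAM\spadmin'                               # DOMAIN\username, as on the Create Site Collection page
$OwnerEmail = 'spadmin@fabrikam.com'
$ExportFile = Join-Path $env:TEMP 'hr-export.cmp'              # export package written by the Export operation

function Invoke-Stsadm {
    # Runs one Stsadm operation and stops on a non-zero exit code, so a failed
    # export never leads to an import of a missing or partial package.
    param([string[]]$Arguments)
    & $Stsadm @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "stsadm -o $($Arguments[1]) failed with exit code $LASTEXITCODE"
    }
}

if (-not (Test-Path $Stsadm)) { throw "stsadm.exe not found at $Stsadm" }

# 1. Blank destination site collection: the same result as selecting Blank Site on
#    the Collaboration tab of the Create Site Collection page.
Invoke-Stsadm @('-o', 'createsite', '-url', $DestUrl, '-sitetemplate', 'STS#1',
                '-ownerlogin', $OwnerLogin, '-owneremail', $OwnerEmail,
                '-title', 'HR (migrated)')

# 2. Export the source with all versions of each item and the permissions that are
#    attached to the content (-includeusersecurity). -overwrite replaces an old package.
Invoke-Stsadm @('-o', 'export', '-url', $SourceUrl, '-filename', $ExportFile,
                '-includeusersecurity', '-versions', '4', '-overwrite')

# 3. Import into the blank site collection, restoring the exported permissions.
#    Accounts referenced by those permissions must exist in the destination
#    environment; review site collection administrators and groups afterwards,
#    as the Enable access for end users section describes.
Invoke-Stsadm @('-o', 'import', '-url', $DestUrl, '-filename', $ExportFile,
                '-includeusersecurity')
```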

Allow users to add content directly


If you want your site owners to begin adding content directly to a site, you can immediately grant them access and allow them to control the site's organization and design. Follow the steps in Enable access for end users to give your end users permissions to the site. After you grant permissions, users can begin adding content. For more information about adding content to sites, see the Help system for Microsoft Office SharePoint Server 2007.


Enable access for end users


In this section:

Add site collection administrators

Add site owners or other users

After you create your site collection and populate it with content, you are ready to grant access to end users. This section helps you configure administrative and user permissions for a site collection. Note that you can also configure permissions for the following securable objects within a site collection: site, list, library, folder, document, or item. For more information about assigning permissions for different securable objects within a site collection, see Plan site security (http://technet.microsoft.com/en-us/library/cc262778.aspx).

In Microsoft Office SharePoint Server 2007, you can enable access to the site collection by using different methods, based on the type of site collection. The following list describes some examples of these methods:

If this is a published site collection intended for an Internet audience, you can publish it to the blank site collection that you created as a destination by using the content deployment features. After you publish it, you can then configure the appropriate permissions for the new environment. For more information about publishing a site collection by using content deployment, see Plan content deployment (http://technet.microsoft.com/en-us/library/cc263428.aspx) and the Content Deployment topics in the Central Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx) system.

If this is a site collection in a development or pilot environment, you can migrate the site collection to your production environment by using import and export, and then configure the appropriate permissions for the new environment. For more information about using import and export, see Export: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262759.aspx) and Import: Stsadm operation (http://technet.microsoft.com/en-us/library/cc261866.aspx).

If this is a site collection intended to facilitate collaboration on the intranet, you can easily add the users and groups that need access to the site collection.

This section describes how to perform these actions.

In most cases, these actions are not performed by farm administrators, but are performed by site collection administrators or site owners. Moreover, these steps are performed in the site collection itself, not in Central Administration. (However, you can add site collection administrators by using Central Administration and by using the Site Settings page in the site collection.) Nonetheless, this information is presented in the Deployment Guide because it is truly the final stage of deployment: the stage when the site collection is made available for end users.


This section does not cover how to enable anonymous access. When you create a Web application, you decide whether to allow anonymous access for site collections on that Web application. For more information about anonymous access, see the following resources:

Overview: Plan environment-specific security (http://technet.microsoft.com/en-us/library/cc262974.aspx)

Plan authentication settings for Web applications in Office SharePoint Server (http://technet.microsoft.com/en-us/library/cc263304.aspx)

Choose which security groups to use (http://technet.microsoft.com/en-us/library/cc261972.aspx)

Enable anonymous access in the Central Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx) system

Add site collection administrators


When you created the site collection, you were required to supply the user name for at least one site collection administrator. If the user name you supplied was not that of the actual administrator for the site collection (for example, if you did not know who was going to be the actual administrator and you used your own user name), or if you need to change or add a user name for a site collection administrator, you can do so by using the following procedure.

Note: This procedure uses the Central Administration Web site, but you can also add a site collection administrator from the top-level site in the site collection by using the Site Settings page for the top-level site. On the Site Settings page, in the Users and Permissions section, click Site collection administrators.

Add a site collection administrator

1. In Central Administration, on the top link bar, click Application Management.

2. On the Application Management page, in the SharePoint Site Management section, click Site collection administrators.

3. If the selected site is not the site for which you want to manage administrators, on the Site Collection Administrators page, on the Site Collection menu in the Site Collection section, click Change Site Collection. In the Select Site Collection dialog box, select the site for which you want to manage administrators. Click OK.

4. In either the Primary site collection administrator box or the Secondary site collection administrator box, enter the user name of the user to whom you want to assign that role.

5. Click OK.


Add site owners or other users


If you have not yet set up any groups for this site or site collection, you must set up groups before you can add any users to groups. (You can also add users individually, without setting up groups, but if you want to manage users efficiently, we recommend that you use groups.) To specify which group to assign to site visitors, site members, site owners, or other groups, use the following procedure. This procedure helps you set up the default groups, but you can also create additional groups.

Note: The SiteName Owners group has the Full Control permission level on the site, so you can add users to that group to give them administrative access for that site. For more information about groups and permission levels, see Determine permission levels and groups to use (http://technet.microsoft.com/en-us/library/cc262690.aspx).

Set up Members, Visitors, and Owners groups for a site
1. On the site home page, click the Site Actions menu, point to Site Settings, and then click People And Groups.
2. On the People and Groups page, on the Quick Launch, click Groups.
3. On the People and Groups: All Groups page, on the Settings menu, click Set Up Groups.
4. On the Set Up Groups for this Site page, select a group for each set of users that you want to change. Alternatively, select Create a new group to assign a custom group to a set of users.

After you have configured groups for the site, you can add users and grant them permissions by using the following procedure.

Add users to groups
1. On the site home page, click the Site Actions menu, point to Site Settings, and then click People And Groups.
2. On the People and Groups page, on the Quick Launch, click Groups.
3. Click the name of the group to which you want to add users.
4. On the People and Groups: Group name page, on the New menu, click Add Users.
5. On the Add Users page, type the account names that you want to add, or browse to find users from the Active Directory directory service.
6. In the Give Permission section, be sure that Add users to a SharePoint group is selected and that the correct group is displayed.

Note: In rare cases, you might want to give individual permissions to a user by clicking Give users permission directly. However, assigning individual permissions to many users can quickly become difficult and time-consuming to manage. We recommend that you use groups as much as possible to efficiently manage site access.

7. Click OK.

For more information about managing users and groups, see "Grant access to the portal site" in the Help system for Office SharePoint Server 2007.
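The two procedures above grant access through the browser. As an added example that is not part of the Microsoft documentation, the following Windows PowerShell script uses the Office SharePoint Server 2007 object model (Microsoft.SharePoint.dll) to review the result: it lists the site collection administrators and the members of the Owners group, and flags any permission that was granted directly to a user rather than through a SharePoint group. It assumes it is run on a server in the farm by an account that can open the site collection, and the site URL is a placeholder.

```powershell
# Added example (not from the Microsoft documentation): audit who holds
# administrative and direct access on an Office SharePoint Server 2007 site
# collection, using the WSS 3.0 object model. Run on a server in the farm with
# an account that can open the site collection.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Placeholder (assumption): replace with the URL of your own site collection.
$siteUrl = "http://intranet.example.com/sites/teamsite"

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
try {
    $web = $site.RootWeb

    # Site collection administrators have Full Control over every site in the
    # site collection, so this list should be short and deliberate.
    "Primary site collection administrator:   " + $site.Owner.LoginName
    if ($site.SecondaryContact -ne $null) {
        "Secondary site collection administrator: " + $site.SecondaryContact.LoginName
    }
    "All site collection administrators:"
    foreach ($admin in $web.SiteAdministrators) { "  " + $admin.LoginName }

    # Role assignments on the top-level site. The procedure above recommends
    # granting access through groups; an assignment whose member is an SPUser
    # was granted directly ("Give users permission directly") and is flagged.
    "Role assignments on " + $web.Url + ":"
    foreach ($ra in $web.RoleAssignments) {
        $names  = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        $levels = [string]::Join(", ", [string[]]$names)
        if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
            "  group  " + $ra.Member.Name + "  -> " + $levels
        } else {
            "  USER   " + $ra.Member.LoginName + "  -> " + $levels + "  (direct; consider a group)"
        }
    }

    # Members of the default Owners group, which carries the Full Control
    # permission level on the site.
    $owners = $web.AssociatedOwnerGroup
    if ($owners -ne $null) {
        "Members of " + $owners.Name + ":"
        foreach ($u in $owners.Users) { "  " + $u.LoginName }
    }
}
finally {
    # SPSite wraps unmanaged resources and must be disposed explicitly.
    $site.Dispose()
}
```

Every line marked USER is a candidate for moving into one of the groups set up above, which keeps the access list reviewable as the number of users grows.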
