Post on 08-Dec-2014
description
transcript
‘The Ultimate’ SharePoint
Infrastructure Best Practices
Session
Michael Noel
CCO
Michael Noel Author of SAMS Publishing titles “SharePoint 2013 Unleashed,”
“SharePoint 2010 Unleashed”, “Windows Server 2012 Unleashed,” “Exchange Server 2013 Unleashed”, “ISA Server 2006 Unleashed”, and a total of 19 titles that have sold over 300,000 copies.
Partner at Convergent Computing (www.cco.com) – San Francisco, U.S.A. based Infrastructure/Security specialists for SharePoint, AD, Exchange, System Center, Security, etc.
What’s new in Infrastructure for SharePoint 2013
Windows Server 2008 R2 SP1 or Windows Server 2012 (Preferred)
SQL Server 2008 R2 w/SP1 or SQL Server 2012 (Preferred)
Type Memory Processor
Dev/Stage/Test server 8GB RAM 4 CPU
‘All-in-one’ DB/Web/SA 24GB RAM 4 CPU
Web/SA Server 12GB RAM 4 CPU
DB Server (medium environments)
16GB RAM 8 CPU
DB Server (small environments)
8GB RAM 4 CPU
What’s new in Infrastructure for SharePoint 2013
Software/Hardware Requirements
Office Web Apps is no longer a service application Web Analytics is no longer service application, it’s
part of search New service applications available and
improvements on existing ones App Management Service – Used to manage the new
SharePoint app store from the Office Marketplace or the Application Catalog
SharePoint Translation Services – provides for language translation of Word, XLIFF, and PPT files to HTML
Work Management Service – manages tasks across SharePoint, MS Exchange and Project.
Access Services App (2013) – Replaces 2010 version of Access Services
What’s new in Infrastructure for SharePoint 2013
Changes in Service Applications and New Service Applications
A new Windows service – the Distributed Cache Service – is installed on each server in the farm when SharePoint is installed
It is managed via the Services on Server page in central admin as the Distributed Cache service
The config DB keeps track of which machines in the farm are running the cache service
What’s new in Infrastructure for SharePoint 2013
Distributed Cache Service
The purpose of the Request Management feature is to give SharePoint knowledge of and more control over incoming requests
Having knowledge over the nature of incoming requests – for example, the user agent, requested URL, or source IP – allows SharePoint to customize the response to each request
RM is applied per web app, just like throttling is done in SharePoint 2010
What’s new in Infrastructure for SharePoint 2013
Request Management (RM)
Option 1 (AD Import): Simple one-way Sync (a la SharePoint 2007)
Option 2 (SharePoint Profile Sync): Two-way, possible write-back to AD options using small FIM service on UPA server (a la 2010)
Option 3: (Enable External Identity Manager): Full Forefront Identity Manager (FIM) Synchronisation, allows for complex scenarios – Larger clients will appreciate this
What’s new in Infrastructure for SharePoint 2013
User Profile Sync – Three Options for Deployment
SharePoint 2013 continues to offer support for both claims and classic authentication modes
However claims authentication is THE default authentication option nowClassic authentication mode is still there, but can
only be managed in PowerShell – it’s gone from the UI
Support for classic mode is deprecated and will go away in a future release
There also a new process to migrate accounts from Windows classic to Windows claims – the Convert-SPWebApplication cmdlet
What’s new in Infrastructure for SharePoint 2013
Claims-based Authentication - Default
Stores new versions of documents as ‘shredded BLOBs that are deltas of the changes
Promises to reduce storage size significantly
What’s new in Infrastructure for SharePoint 2013
Shredded Storage
New Search architecture (FAST based) with one unified search
Personalised search results based on search history
Rich contextual previews
What’s new in Infrastructure for SharePoint 2013
Search – FAST Search now included
Architecting the Farm
Web
Service Apps
Data
Architecting the Farm
Three Layers of SharePoint Infrastructure
‘All-in-One’ (Avoid)
DB and SP Roles Separate
Architecting the Farm
Small Farm Models
2 SharePoint Servers running Web and Service Apps
2 Database Servers (AlwaysOn FCI or AlwaysOn Availability Groups)
1 or 2 Index Partitions with equivalent query components
Smallest farm size that is fully highly available
Architecting the Farm
Smallest Highly Available Farm
2 Dedicated Web Servers (NLB)
2 Service Application Servers
2 Database Servers (Clustered or Mirrored)
1 or 2 Index Partitions with equivalent query components
Architecting the Farm
Best Practice ‘Six Server Farm’
• Separate farm for Service Applications
• One or more farms dedicated to content
• Service Apps are consumed cross-farm
• Isolates ‘difficult’ service apps like User Profile Sync and allows for patching in isolation
Architecting the Farm
Ideal – Separate Service App Farm + Content Farm(s)
• Multiple Dedicated Web Servers
• Multiple Dedicated Service App Servers
• Multiple Dedicated Query Servers
• Multiple Dedicated Crawl Servers, with multiple Crawl DBs to increase parallelisation of the crawl process
• Multiple distributed Index partitions (max of 10 million items per index partition)
• Two query components for each Index partition, spread among servers
Architecting the Farm
Large SharePoint Farms
SharePoint Virtualisation
Allows organisations that wouldn’t normally be able to have a test environment to run one
Allows for separation of the database role onto a dedicated server Can be more easily scaled out in the future
Sample 1: Single Server Environment
SP Server Virtualisation
High-Availability across Hosts
All components Virtualised
Sample 2: Two Server Highly Available Farm
SP Server Virtualisation
Highest transaction servers are physical
Multiple farm support, with DBs for all farms on the SQL AOAG
Sample 3: Mix of Physical and Virtual Servers
SP Server Virtualisation
Scaling to Large Virtual Environments
SP Server Virtualisation
Processor (Host Only) <60% Utilisation = Good 60%-90% = Caution >90% = Trouble
Available Memory 50% and above = Good 10%-50% = OK <10% = Trouble
Disk – Avg. Disk sec/Read or Avg. Disk sec/Write Up to 15ms = fine 15ms-25ms = Caution >25ms = Trouble
• Network Bandwidth – Bytes Total/sec– <40% Utilisation =
Good– 41%-64% = Caution– >65% = Trouble
• Network Latency - Output Queue Length– 0 = Good– 1-2= OK– >2 = Trouble
Virtualisation of SharePoint ServersVirtualisation Performance Monitoring
Data Management
Sample Distributed Content Database Design
Data Management
Can reduce dramatically the size of Content DBs, as upwards of 80%-90% of space in content DBs is composed of BLOBs
Can move BLOB storage to more efficient/cheaper storage Improve performance and scalability of your SharePoint
deployment – But highly recommended to use third party
Remote BLOB Storage (RBS)
Data Management
SQL Database Optimisation
DB-AFile 1
DB-BFile 1
Volume #1
DB-AFile 2
DB-BFile 2
Volume #2
DB-AFile 3
DB-BFile 3
Volume #3
DB-AFile 4
DB-BFile 4
Volume #4
Tempdb File 1 Tempdb File 2 Tempdb File 3 Tempdb File 4
Multiple Files for SharePoint Databases
SQL Server Optimisation
• Break Content Databases and TempDB into multiple files (MDF, NDF), total should equal number of physical processors (not cores) on SQL server.
• Pre-size Content DBs and TempDB to avoid fragmentation• Separate files onto different drive spindles for best IO perf.• Example: 50GB total Content DB on Two-way SQL Server would have two
database files distributed across two sets of drive spindles = 25GB pre-sized for each file.
Multiple Files for SharePoint Databases
SQL Server Optimisation
• Implement SQL Maintenance Plans!• Include DBCC (Check Consistency) and either Reorganize
Indexes or Rebuild Indexes, but not both!
SQL Database OptimisationSQL Maintenance Plans
• Add backups into the maintenance plan if they don’t exist already
• Make sure you are doing transaction log backups as well to clean up the logs. Also, note that only DBCC SHRINKFILE recovers whitespace
High Availability and Disaster Recovery
High Availability and Disaster RecoverySQL Server Solution
Potential Data Loss
(RPO)
Potential Recovery
Time (RTO)
Automatic Failover
Additional Readable
CopiesAlwaysOn Availability Groups – Synchronous (Dual-phase commit, no data loss, can’t operate across WAN)
None 5-7 Seconds Yes 0 - 2
AlwaysOn Availability Groups – Asynchronous (Latency tolerant, cross WAN option, potential for data loss)
Seconds Minutes No 0 - 4
AlwaysOn Failover Cluster Instance (FCI) – Traditional shared storage clustering
NA 30 Seconds to several minutes
(depending on disk failover)
Yes N/A
Database Mirroring - High-safety (Synchronous) Zero 5-10 seconds Yes N/A
Database Mirroring - High-performance (Asynchronous)
Seconds Manually initiated, can
be a few minutes if automated
No N/A
SQL Log Shipping Minutes Manually initated, can
be a few minutes if
automated, by typically
hours
No Not duringa restore
Traditional Backup and Restore Hours to Days
Typically multiple
hours, days, or weeks
No Not duringa restore
Comparison of High Availability and Disaster Recovery Options
HA and DR
AlwaysOn Availability Groups in SQL 2012HA and DR
Demo
Creating SQL 2012 AOAGs
Hardware Based Load Balancing (F5, Cisco, Citrix NetScaler – Best performance and scalability
Software Windows Network Load Balancing fully supported by MS, but requires Layer 2 VLAN (all packets must reach all hosts.) Layer 3 Switches must be configured to allow Layer 2 to the specific VLAN.
If using Unicast, use two NICs on the server, one for communications between nodes.
If using Multicast, be sure to configure routers appropriately
Set Affinity to Single (Sticky Sessions) If using VMware, note fix to NLB RARP
issue (http://tinyurl.com/vmwarenlbfix)
Network Load Balancing
HA and DR
Security and Documentation
• Infrastructure Security and Best practices Physical Security Best Practice Service Account Setup Kerberos Authentication
• Data Security Role Based Access Control (RBAC) Transparent Data Encryption (TDE) of SQL Databases
• Transport Security Secure Sockets Layer (SSL) from Server to Client IPSec from Server to Server
• Edge Security Inbound Internet Security (Forefront UAG/TMG)
• Rights Management
Five Layers of SharePoint Security
Security
Service Account Name Role of Service Account Special Permissions
COMPANYABC\SRV-SP-Setup SharePoint Installation Account Local Admin on all SP Servers (for installs)
COMPANYABC\SRV-SP-SQL SQL Service Account(s) – Should be separate admin accounts from SP accounts.
Local Admin on Database Server(s) (Generally, some exceptions apply)
COMPANYABC\SRV-SP-Farm SharePoint Farm Account(s) – Can also be standard admin accounts. RBAC principles apply ideally.
N/A
COMPANYABC\SRV-SP-Search Search Account N/A
COMPANYABC\SRV-SP-Content Default Content Access Account Read rights to any external data sources to be crawled
COMPANYABC\SRV-SP-Prof Default Profiles Access Account Member of Domain Users (to be able to read attributes from users in domain) and ‘Replicate Directory Changes’ rights in AD.
COMPANYABC\SRV-SP-AP-SPCA Application Pool Identity account for SharePoint Central Admin.
DBCreator and Security Admin on SQL. Create and Modify contacts rights in OU used for mail.
COMPANYABC\SRV-SP-AP-Data
Application Pool Identity account for the Content related App Pool (Portal, MySites, etc.) Additional as needed for security.
N/A
Layer 1: Infrastructure SecuritySample List of Service Accounts
Layer 1: Infrastructure SecurityEnable Kerberos
When creating any Web Applications, USE KERBEROS. It is much more secure and also faster with heavy loads as the SP server doesn’t have to keep asking for auth requests from AD.
Kerberos auth does require extra steps, which makes people shy away from it, but once configured, it improves security considerably and can improve performance on high-load sites.
Should also be configured on SPCA Site! (Best Practice = Configure SPCA for NLB, SSL, and Kerberos (i.e. https://spca.companyabc.com)
Layer 2: Data SecurityRole Based Access Control (RBAC)
Role Groups defined within Active Directory (Universal Groups) – i.e. ‘Marketing,’ ‘Sales,’ ‘IT,’ etc.
Role Groups added directly into SharePoint ‘Access Groups’ such as ‘Contributors,’ ‘Authors,’ etc.
Simply by adding a user account into the associated Role Group, they gain access to whatever rights their role requires.
User1
User2
AD and/or
SP Group
SharePoint
Permissions
Layer 2: Data SecuritySQL Transparent Data Encryption (TDE)
SQL Server 2008, 2008 R2, 2012 Enterprise Edition Feature
Encrypts SQL Databases Transparently, SharePoint is unaware of the encryption and does not need a key
Encrypts the backups of the database as well
Layer 3: Transport SecurityClient to Server: Using Secure Sockets Layer (SSL) Encryption
External or Internal Certs highly recommended
Protects Transport of content
Low overhead on Web Servers
Can be offloaded via SSL offloaders if needed
Don’t forget for SPCA as well!
Layer 3: Transport SecurityServer to Server: Using IPSec to encrypt traffic
By default, traffic between SharePoint Servers (i.e. Web and SQL) is unencrypted
IPSec encrypts all packets sent between servers in a farm
For very high security scenarios when all possible data breaches must be addressed
Layer 4: Edge SecurityForefront UAG (SSL/VPN) or other Layer 7 Filter
Layer 5: Rights ManagementActive Directory Rights Management Services (AD RMS)
AD RMS is a form of Digital Rights Management (DRM) technology, used in various forms to protect content
Directly integrates with SharePoint DocLibs Used to restrict activities on files AFTER they have
been accessed: Cut/Paste Print Save As…
• Document all key settings in IIS, SharePoint, after installation
• Consider monitoring for changes after installation for Config Mgmt.
• Fantastic tool for this is the SPDocKit - can be found at http://tinyurl.com/spdockit
SPDocKit
Document SharePoint
Thank you New Zealand!Questions?
Company Site: www.cco.com
Twitter: twitter.com/michaeltnoel
LinkedIn: linkedin.com/in/michaeltnoel
Facebook: facebook.com/michaelnoel
VK: vk.com/sharingtheglobe
Slides: slideshare.net/michaeltnoell
Travel blog: sharingtheglobe.com
Thank you to our sponsors