Microsoft BI -2005 Kerberos Setup

Installing and Configuring the Microsoft Business Intelligence Platform

A Guide for security and deployment options in a distributed Dell™ PowerEdge™ multi-core Opteron™ based server environment


2 © 2008 Dell, Inc. All rights reserved.

Table of Contents

1 Overview .................................................................................................................................... 6

1.1 Objectives .............................................................................................................................................. 6

1.2 Audience ........................................................................................................................................... 7

2 Hardware and Software Configuration for Test Environments ............................................. 8

2.1 Hardware .......................................................................................................................................... 8

2.2 Software ............................................................................................................................................ 9

2.3 High Availability Deployment ...................................................................................................... 10

3 Deployment Options – Security Considerations ..................................................................... 11

3.1 Single Server Deployment .............................................................................................................. 11

3.2 Multi‐Server Deployment ............................................................................................................... 13

3.3 Delegating Credentials .................................................................................................................. 20

3.3.1 Basic Authentication ................................................................................................................. 20

3.3.2 Explicitly Specifying Credentials .............................................................................................. 20

3.3.3 Kerberos Delegation ................................................................................................................... 21

3.4 Why Kerberos? ............................................................................................................................... 22

3.4.1 Faster Authentication ................................................................................................................ 22

3.4.2 Mutual Authentication .............................................................................................................. 23

3.4.3 Support for Delegation .............................................................................................................. 23

3.4.4 Support for the Smart Card Logon Feature ............................................................................. 23

4 Install Microsoft Business Intelligence Technology Platform .............................................. 24

4.1 Domain Controller Preparation .................................................................................................... 24

4.2 Install SQL Server 2005 Database Engine and Integration Services ........................................... 26

4.2.1 Server Details ............................................................................................................................. 26

4.2.2 Requirements and Prerequisites ............................................................................................... 26

4.2.3 Security Considerations ............................................................................................................ 28

4.2.4 SQL Server Setup ....................................................................................................................... 28

4.2.5 Data and Log Files – Change Default Path .............................................................................. 32

4.3 Install SQL Server 2005 Analysis Services .................................................................................... 34

4.3.1 Server Details ............................................................................................................................. 34

4.3.2 SQL Server Analysis Services Requirements and Prerequisites .............................................. 34


4.3.4 SQL Server Analysis Services Setup .......................................................................................... 36

A Guide for security and deployment options in a distributed Dell™ PowerEdge™ multi‐core Opteron™ based server environment ‐ Overview

3

4.3.5 Data and Log Directories – Change Default Path ................................................................... 39

4.4 Install SQL Server 2005 Reporting Services ................................................................................. 41

4.4.1 Server Details ............................................................................................................................. 41

4.4.2 SQL Server Reporting Services Requirements and Prerequisites ........................................... 41


4.4.4 SQL Server Reporting Services Setup ....................................................................................... 43

4.5 Install Microsoft Office SharePoint Server 2007 and Excel Services ......................................... 64

4.5.1 Server Details ............................................................................................................................ 64

4.5.2 MOSS Requirements and Prerequisites .................................................................................. 64


4.5.4 MOSS Setup ............................................................................................................................... 65

4.6 Install PerformancePoint Monitoring Server ............................................................................... 81

4.6.1 Server Details ............................................................................................................................. 81

4.6.2 Monitoring Server Requirements and Prerequisites ............................................................... 81


4.6.4 Monitoring Server Setup ........................................................................................................... 82

4.7 Installing the Dashboard Designer ............................................................................................... 87

4.7.1 Dashboard Designer Requirements and Prerequisites ........................................................... 87

4.7.2 Security Considerations ........................................................................................................... 88

4.7.3 Dashboard Designer Setup ...................................................................................................... 88

4.8 Install ProClarity Analytics Server 6.3 ......................................................................................... 89

4.8.1 Server Details ............................................................................................................................ 89

4.8.2 PAS Requirements and Prerequisites ...................................................................................... 89

4.8.3 Security Considerations ........................................................................................................... 90

4.8.4 PAS Setup .................................................................................................................................. 90

5 Kerberos Delegation: Setup and Configuration ..................................................................... 95

5.1 Active Directory Settings and Configurations ............................................................................. 95

5.1.1 Domain Functional Level .......................................................................................................... 95

5.1.2 Service Account Settings .......................................................................................................... 96

5.1.3 Server Computer Settings ....................................................................................................... 108

5.2 Backend Server Settings ............................................................................................................... 116

5.2.1 SQL Server Configurations ...................................................................................................... 116

5.2.2 Analysis Services Configurations ............................................................................................. 117

5.3 Web Application Settings ............................................................................................................. 117



5.3.2 Reporting Services Configurations .......................................................................................... 118

5.3.3 Microsoft Office SharePoint Server Configurations ............................................................... 119

5.3.4 Microsoft Office PerformancePoint Server Configurations ...................................................124

5.3.5 ProClarity Analytics Server Configurations ............................................................................ 127

5.4 End User System Configurations ................................................................................................ 128

6 User Access and Security Configurations .............................................................................. 131

6.1 SQL Server 2005 Database Engine ............................................................................................... 131

6.2 SQL Server 2005 Analysis Services ............................................................................................... 133

6.3 SQL Server 2005 Reporting Services ............................................................................................ 138

6.3.1 User Permissions ...................................................................................................................... 139

6.4 Microsoft Office PerformancePoint Server 2007 ....................................................................... 144


6.5 Microsoft Office SharePoint Server 2007 .................................................................................... 153


6.6 ProClarity Analytics Server .......................................................................................................... 157


7 Troubleshooting ..................................................................................................................... 164

7.1 SQL Server Reporting Services .................................................................................................... 164

7.2 Microsoft Office SharePoint Server 2007 ................................................................................... 165

7.3 PerformancePoint Server 2007 .................................................................................................... 165

7.4 ProClarity Analytics Server ......................................................................................................... 166

8 Appendix ................................................................................................................................. 167

8.1 Appendix A ................................................................................................................................... 167

8.2 Appendix B ................................................................................................................................... 168

8.3 Appendix C ................................................................................................................................... 169

8.3.1 Running 32‐bit Applications on 64‐bit Windows (IIS 6.0) ................................................... 169

8.4 Appendix D .................................................................................................................................. 170

8.4.1 Service Accounts ...................................................................................................................... 170

8.4.2 Application Pools ...................................................................................................................... 171

8.5 Appendix E .................................................................................................................................... 173

8.5.1 SAN Information ...................................................................................................................... 173

8.5.2 SAN Configuration for SQL Server DATA Directory .............................................................174

8.6 Appendix F .................................................................................................................................... 177

8.6.1 Tempdb ..................................................................................................................................... 177


5



1 Overview Business Intelligence solutions are becoming an integral part of every enterprise. These solutions have grown as new hardware and software technologies have lowered cost and simplified implementation. Microsoft® has developed a unique set of tools and processes to meet the demands for this type of information management. In addition, companies like Dell and AMD provide Reference Configurations to assist customers in deploying an optimal hardware infrastructure to support these solutions.

These Business Intelligence tools are normally deployed in a distributed environment to scale up to the growing needs of the solution. This adds to the complexity of the system’s user authentication and security.

One of the security challenges faced today by a lot of customers in a multi‐server environment is the “double‐hop” or “delegation scenario.” A Web front end or Web service is not able to “delegate” or pass the client users credentials to authenticate and access a resource on a different server.

In this document we shall describe the steps to install and configure the various applications in the Microsoft Business Intelligence Technology Platform in a distributed environment followed by setting up Kerberos Constrained Delegation.

1.1 Objectives This document covers the installation and configuration of the following components of the Microsoft Business Intelligence Technology Platform in a multi‐server environment.

1. Microsoft®SQL Server® 2005: a. SQL Server 2005 Database Engine b. SQL Server 2005 Integration Services c. SQL Server 2005 Analysis Services d. SQL Server 2005 Reporting Services

2. Microsoft® Office SharePoint® Server 2007 3. Microsoft® Office PerformancePoint® Server 2007 Monitoring Server 4. Microsoft®ProClarity® Analytics Server

Note: PerformancePoint Server 2007 Planning and Budgeting component will not be covered in this document.


7

After the individual components are installed and configured we shall walk through the steps required to implement Kerberos Constrained Delegation.

1. Active Directory directory services and user account preparation for Kerberos 2. Kerberos Delegation settings in the various components. 3. User access settings and configuration.

1.2 Audience This document provides the necessary information and steps to plan and deploy a Microsoft Business Intelligence Platform in a multi‐server environment. Deploying the various Microsoft BI components in a distributed environment requires some additional planning and security considerations when compared to a single‐machine standalone installation.

This document provides guidance on how to install and configure the various individual components and setup the environment with Kerberos Constrained Delegation.

Who should read this document?

• Architects who are planning a multi‐server deployment of the Microsoft Business Intelligence Technology Platform.

• Infrastructure Personnel who are responsible for setting up the hardware. • Network Administrators who manage the Active Directory directory services,

user roles, and permissions. • Server and Database Administrators who are responsible for installation,

configuration, and maintenance of the individual components.

Note: Reporting Services will be deployed in native mode. SharePoint integration mode with SP2 is not covered in this document.



2 Hardware and Software Configuration for Test Environments In this section we shall discuss the hardware, software, and the initial configuration required for a Business Intelligence (BI) solution using DELL™ Servers for our test environment.

2.1 Hardware Regardless of the method of building and reporting on a data warehouse, the amount and type of hardware is extremely important. A data warehouse is typically very large, often exceeding multi‐terabytes. BI can be very CPU, memory, and I/O intensive on a database system. In addition, the larger the data warehouse, the more important it is to properly size and configure it. Not only is it important to properly size the database server, but the reporting and analysis servers as well. As a result, these applications can be very hardware intensive.

Dell™ PowerEdge™ servers are designed to deliver the highest performance for mission‐critical enterprise applications for database, business intelligence, and data warehousing. Today’s proprietary systems are increasingly expensive to maintain both in manpower and maintenance costs. Efforts to reduce IT costs and leverage technical skill‐sets have pushed the industry to move to a standards‐based hardware and software architecture. Customers looking for ease of implementation choose to deploy Dell PowerEdge servers because they are standards‐based systems which are easy to manage, simple to deploy and upgrade, and scalable as the enterprise moves to consolidate and virtualize computing resources.

The following table lists the DELL hardware used in the test environment:

Server Name Server Configuration Disk Configuration

MSDELL‐SQL Dell PowerEdge 6950

• 4 x dual core AMD Opteron™ CPUs

• 64 GB RAM • 4 x 73 GB 15K SAS Internal

Disks

• Five external SAS Disk Controllers

• Five Dell™ PowerVault™ MD1000 Storage Arrays

• 75 x 73 GB 10K SAS Drives

MSDELL‐AS Dell PowerEdge 6950

• 4 x dual core AMD Opteron™ CPUs

• 64 GB RAM

• Five external SAS Disk Controllers

• Five Dell PowerVault MD1000 Storage Arrays

• 75 x 73 GB 10K SAS

A Guide for security and deployment options in a distributed Dell™ PowerEdge™ multi‐core Opteron™ based server environment ‐ Hardware and Software Configuration for Test Environments

9

Server Name Server Configuration Disk Configuration

• 4 x 73 GB 15K SAS Internal Disks

Drives

MSDELL‐WEBSRV1 PowerEdge 2970

• 32 GB RAM • 2 x dual core AMD Opteron

CPUs • 4 x 73 GB, 10K SAS Internal

Disks

MSDELL‐WEBSRV2 PowerEdge 2970

• 8 GB RAM • 2 x dual core AMD Opteron

CPUs • 4 x 73 GB, 10K SAS Internal

Disks

Note: For additional information on SAN Configuration please refer to Appendix E

2.2 Software The following table lists the software for each of the servers.

Server Name Prerequisite Software Application to be installed

MSDELL‐SQL • Microsoft® Windows Server® 2003 Enterprise x64 Edition R2 SP2

• SQL Server 2005 Enterprise Edition x64 SP2 (Database Engine, Integration Services)

MSDELL‐AS • Windows Server 2003 Enterprise x64 Edition R2 SP2

• SQL Server 2005 Enterprise Edition x64 SP2 (Analysis Services)

MSDELL‐WEBSRV1 • Windows Server 2003 Enterprise x64 Edition R2 SP2

• Internet Information Services (IIS 6.0)

• SQL Server 2005 Enterprise Edition x64 SP2 (Reporting Services)

• PerformancePoint Server 2007 Monitoring Server x64

• SharePoint Server 2007 x64 SP1



Server Name Prerequisite Software Application to be installed

MSDELL‐WEBSRV2 • Windows Server 2003 Enterprise x86 Edition R2 SP2

• Internet Information Services (IIS 6.0)

• ProClarity Analytics Server 6.3

[Refer Note Below]

Note

ProClarity Analytics Server is an x86 application. It will install on x64 versions of Windows but requires IIS to run in 32 bit mode. Once IIS runs in 32 bit mode other 64 bit applications like PPS, MOSS, and Reporting Services will cease to work on that machine.

To run IIS in 32 bit mode on a x64 machine and configure ProClarity on that IIS, refer to the article Running 32‐bit applications on 64‐bit Windows (IIS6.0) in Appendix C

2.3 High Availability Deployment

SQL Server 2005 Database Engine and Analysis Services are cluster‐aware applications and can be deployed in a failover cluster to ensure high availability.

Web applications like Reporting Services, SharePoint, and ProClarity Analytics Server can be used in a network load–balanced mode in a scale‐out deployment to ensure better performance and scalability.

Implementing Kerberos Delegation for a failover instance of SQL Server and Analysis Services and network load–balanced instances of Web applications involves a few additional steps and is not covered in this document.

A Guide for security and deployment options in a distributed Dell™ PowerEdge™ multi‐core Opteron™ based server environment ‐ Deployment Options – Security Considerations

11

3 Deployment Options – Security Considerations All the components of the Microsoft BI Technology Platform can be installed on one server or across multiple servers. Based on various factors like server consolidation, performance requirements, and security, organizations might choose various deployment options.

In this section we shall discuss two different deployment options and the related security considerations.

3.1 Single Server Deployment

In a single‐server deployment all the SQL Server components ‐–MOSS, PerformancePoint, and ProClarity Analytics Server – reside on the same server. In other words, the Web server and the resources required by the Web application are on the local machine.

In such a scenario, when a client tries to browse a Web application like a SharePoint site or Reporting Services page, IIS Authenticates the client user with Active Directory directory service and passes an authentication token to ASP.Net. Then the Web application has to access other resources like SQL Server or Analysis Services which are located on the same machine.

Figure 1. Single Server – Impersonation not enabled



By default Impersonation is not enabled in ASP.Net. Hence the Web application connects to the local resources using the credentials of the Application Pool Identity Account under which it runs (Process Identity).

For Analysis Services based reports, to use the role‐based dimension security you would want the connection between the Web application and Analysis Services to happen using the credentials of the client. To facilitate this, the ASP.Net Web application has to be configured to Impersonate credentials of the user to the local resources. This can be done by setting <identity impersonate="true"/> in the web.config file of the Web application.

Figure 2. Single Server –Impersonation enabled

Once Impersonation is enabled, the Web applications access the local resources using the credentials of the client.


13

Figure 3. A PerformancePoint dashboard on a single server deployment

Note: Apart from the <identity impersonate="true"/>, there are some additional settings that are required to ensure that the credentials are being passed from SharePoint to PPS and onto SQL Server or Analysis Services. These settings will be discussed in detail in later sections.

3.2 Multi‐Server Deployment

In a distributed environment, the Web servers and the resources required by the Web application are on different machines. Enabling Impersonation on the Web application is not sufficient to pass the user credentials across the network. Impersonation across a network or Delegation of the user credentials from the Web applications to the remote resources requires additional settings.



Figure 4. Multi‐Server –Impersonation not enabled

When Delegation is not implemented and the remote resources are not configured to allow access to anonymous users, the Web applications normally generate errors like “Access Denied” or “Data Source not found.” Below are a few screenshots of the errors experienced by users while trying to browse a dashboard on a SharePoint site which accesses data from remote servers.


15

Figure 5. PerformancePoint dashboard showing error message



Figure 6. ProClarity Report embedded in a SharePoint site giving error

“The Cube could not be found”


17

Figure 7. Reporting services report based on a relational database giving

error “Cannot create a connection to Data source AdventureWorksOLTP”



Figure 8. Reporting services report based on an analysis services database

giving error “Cannot create a connection to Data source AdventureWorksOLAP”


19

Figure 9. Excel services report based on an analysis services database giving error “The data source may be unreachable, may not be

responding or may have denied you access”

Note: The “delegation scenario” can also be verified by running SQL Profiler on the relational database and Analysis Services database. When a user tries to open a dashboard, ProClarity report, or reporting services report the users credentials do not get passed to the database servers and hence you would see an ANONYMOUS LOGON on each of the Profiler Traces.



3.3 Delegating Credentials There is more than one way you can bypass the “delegation scenario”. Some approaches are more secure than others. Based on the application’s security requirements you can evaluate and choose either of these options.

In some environments it is not required that the Web applications access the remote resources like databases and file shares by delegating the credentials of the end user. The data the Web application accesses from remote sources might not be tied to a user’s credentials or might not be important enough to secure. In some cases the Web application alone controls the security of the system.

3.3.1 Basic Authentication In this method of authentication the user is prompted for credentials when accessing a Web application.

For example: A user is trying to access a Reporting Services page. The user is prompted for credentials. Once the user enters the credentials and is authenticated, Reporting Services is able to authorize the user and give the user access to the report.

The most important security concern of using Basic Authentication is that the user’s credentials are sent over the network to the server in plain text. In this case Secure Socket Layers (SSL) is required to ensure secure communication between the servers.

3.3.2 Explicitly Specifying Credentials In this method of authentication, when an application is accessing a resource, the credentials to access that resource are explicitly specified in the connection string.

This is commonly used in two scenarios:

• When the application itself handles security and restricts the data seen by the user.

• When no data is security is required. Any user who accesses the report sees the same data.

For example: You are creating a Reporting Services report which shows sales across regions. The report accesses data from a relational source. The SQL query filters data by using a security table which maps users to regions. By passing the client user ID to the query as a parameter, you can filter the result set to only those regions the user has access to. In such a case, Reporting Services does not need to connect to SQL Server using the credentials of the client user ID. Instead, credentials of an account which has permissions on SQL Server are specified in the connection string.


21

Figure 10. Multi‐Server – Explicitly Specify Credentials

In this method of authentication, the end user is not validated by SQL Server. Hence the developer needs to implement security and access rights in the application.

If the credentials used to access the data source change, all the connection strings where the user ID and password were used will have to be updated with the new password. In some cases, the credentials that are stored in the connection string are stored in plain text. Measures have to be taken to encrypt that piece of information.

Additionally, key functionalities like role‐based data security in Analysis Services will not be used directly. It will have to be implemented using functions like CustomData() in the connection string.

3.3.3 Kerberos Delegation Kerberos has been designed to facilitate authentication and delegation, or impersonation, across a network.

The Kerberos Protocol describes how clients interact with a Network Authentication Service, obtain tickets from the Kerberos Key Distribution Center (KDC) and they present these tickets to the network resources when they want to access them. Essentially the Kerberos authentication protocol provides a mechanism for mutual authentication between entities.



Figure 11. Multi‐Server ‐ With Kerberos Delegation

Microsoft Active Directory directory services implements Kerberos authentication and delegation. At a very high level these are the steps that need to be taken to implement Kerberos Delegation:

1. Create service principal names to identify services on a network. 2. Configure the service accounts or host computers to delegate credentials

to other services or computers on the network. 3. Configure the applications to use Kerberos.

3.4 Why Kerberos?

Kerberos has many benefits over basic authentication and explicitly specifying credentials. In this section we shall briefly discuss a few of the security benefits Kerberos offers.

3.4.1 Faster Authentication • The Kerberos protocol uses a unique ticketing system that provides

faster authentication. • Every authenticated domain entity can request tickets from its local

Kerberos KDC to access other domain resources. • The ticket can be used more than once and can be cached on the client

side.


23

3.4.2 Mutual Authentication Kerberos supports mutual authentication. When the client authenticates to the service that is responsible for the resource, the service may also authenticate to the client. This is a big difference from NTLM (NT LAN Manager). The NTLM challenge‐response provides only client authentication: The server challenges the client, the client calculates a response and the server validates that response. Using NTLM, users might provide their credentials to a bogus server.

3.4.3 Support for Delegation In a distributed environment Kerberos enables services to impersonate the client user’s credentials while accessing resources across multiple server‐hops on the network.

3.4.4 Support for the Smart Card Logon Feature Through the Kerberos PKINIT extension, both Windows® 2000 and Windows Server 2003 include support for the smart card logon feature. The smart card logon feature provides much stronger authentication than the password logon feature does because it relies on a two‐factor authentication: To log on, a user needs to possess a smart card and know its PIN code.



4 Install Microsoft Business Intelligence Technology Platform SQL Server 2005 provides multiple components that are used in a Business Intelligence solution including relational database, ETL component, OLAP databases, reporting, analytics and management tools. Additional tools like Office PerformancePoint Server 2007 and Office SharePoint Server are used for advanced analytics, performance management including dashboards, planning budgeting, forecasting and consolidation.

In this section we will walk through installation and configuration of the various Microsoft technologies for Business Intelligence in a distributed environment.

4.1 Domain Controller Preparation

For the purpose of demonstrating the delegation scenario using the hardware mentioned in the Test Environment, the Domain Controller was created on a virtual machine hosted on MSDELL‐WEBSRV2. All the servers were then joined to the Domain Controller.

Important: When you are implementing this solution in your environment you should use the existing Active Directory instance in your enterprise .

Note: Adding accounts and performing necessary configurations on a domain controller need to be done by a Network Administrator who manages the domain controller. There might be security policies that are enforced which have to be taken into consideration while performing these configurations.

To install and correctly configure the Microsoft Business Intelligence applications in a distributed environment you need multiple domain user accounts that serve as Service Startup Accounts or Application Pool Identity Accounts.

Note To understand the role and importance of Application Pools, Application Pool Identity, and Service Startup Accounts refer to Appendix D.

This section describes the steps that go into preparation of the environment with respect to Active Directory and user accounts before beginning to install the Microsoft BI Technology Platform.

A Guide for security and deployment options in a distributed Dell™ PowerEdge™ multi‐core Opteron™ based server environment ‐ Install Microsoft Business Intelligence Technology Platform

25

1. Domain Functional Level:To showcase the implementation of Kerberos Constrained Delegation, we will consider an Active Directory set to Windows 2003 Domain Functional Level. Refer to “Functional Levels Background Information” in Appendix A for more information. Join the servers to the domain if they have not already been added.

2. Administrative Privileges Account: MSDELLBI\DomainAdmin. This account is used in the test environment to resemble an account that has administrative privileges on the Domain Controller and all the other servers being used in the test environment. All the application installations, configurations and Kerberos Constrained Delegation configurations will be done by this user. To install and configure the applications in your environment, you can use a single account that has administrative privileges on all the servers or multiple different accounts that have administrative privileges on individual servers.

3. Service Startup and Application Pool Identity Accounts: Create the following domain user accounts which would serve as service startup accounts for Windows services and application pool identity accounts for Web services.

a. MSDELLBI\SQLServiceAccount: This account will be used run SQL Server Windows service. The Service Principal Name for SQL Server will be created using this account.

b. MSDELLBI\ASServiceAccount: This account will be used run Analysis Services Windows service. The Service Principal Name for Analysis Services will be created using this account.

c. MSDELLBI\WebServiceAccount: This account will be used as the service startup account and as the identity account for the application pools used by the various Web services deployed on MSDELL‐WEBSRV1. Note:

When you create the user accounts (which are to be used as service startup accounts or application pool identity accounts), ensure that they do not have any administrative privileges on any of the servers or Active Directory. During the course of installation and configuration when you specify these accounts to be used by the application, the application setup or configuration utility will provide these accounts with the necessary privileges on local server resources like file system permissions for relevant folders and specific group memberships.

4. End User Accounts: MSDELLBI\User1 & MSDELLBI\User2: These accounts are

used to simulate end user access. These accounts do not have any administrative privileges on the servers or domain controller. Optionally, these accounts can have elevated permissions on the end user machines from where they access the BI applications.

Note

For the purpose of demonstrating the configuration and settings that are required to



Note

implement Kerberos Constrained Delegation for a service that is not running under a dedicated domain user account, we are running ProClarity Analytics Server under the default application pool identity of a built‐in system account (NETWORK SERVICE).

We recommend using a domain user account as the application pool identity account for ProClarity Analytics Server..

4.2 Install SQL Server 2005 Database Engine and Integration Services

4.2.1 Server Details In the test environment, SQL Server 2005 Databases Engine and SQL Server Integration Services are installed on MSDELL‐SQL.

4.2.2 Requirements and Prerequisites Please refer to the following Books Online article for detailed information on SQL Server Hardware and Software requirements:

http://technet.microsoft.com/en‐us/library/ms143506.aspx

4.2.2.1 Operating System Requirements The following table shows the operating system and SQL Server version compatibility matrix.

SQL Server Enterprise Edition

Developer Edition

Standard Edition

Operating System (X86) (X64) (X86) (X64) (X86) (X64) Windows Server 2003 Server SP1

Yes No Yes No Yes No

Windows Server 2003 Enterprise Edition SP1


Windows Server 2003 Datacenter Edition SP1


Windows Server 2003 64‐Bit x64 Standard Edition SP1

WOW641 Yes WOW641 Yes WOW641 Yes

Windows Server 2003 64‐Bit x64 Datacenter Edition SP1


Windows Server 2003 64‐Bit WOW641 Yes WOW641 Yes WOW641 Yes


27


Developer Edition

Standard Edition

x64 Enterprise Edition SP1

1: These editions of SQL Server 2005 can be installed to the Windows on Windows (WOW64) 32‐bit subsystem of a 64‐bit server.

4.2.2.2 Software Requirements SQL Server Setup requires Microsoft Windows Installer 3.1 or later and Microsoft Data Access Components (MDAC) 2.8 SP1 or later. You can download MDAC 2.8 SP1 from this Microsoft Web site.

SQL Server Setup installs the following software components required by the product:

• Microsoft .NET Framework 2.0 • SQL Server Native Client • SQL Server Setup support files

If not already installed, SQL Server Setup installs each of these components separately. Only the SQL Server Setup support files are automatically removed when you uninstall SQL Server 2005. For more information on uninstalling this release, see How to: Uninstall

an Existing Instance of SQL Server 2005 (Setup).

4.2.2.3 Internet Requirements Internet requirements for both the 32‐bit and 64‐bit versions of SQL Server 2005 are the same. The following table lists the Internet requirements for SQL Server 2005.

Component Requirement Internet software1

Microsoft® Internet Explorer® 6.0 SP1 or later is required for all installations of SQL Server 2005, as it is required for Microsoft Management Console (MMC) and HTML Help. A minimal installation of Internet Explorer is sufficient, and Internet Explorer is not required to be the default browser.

However, if you are installing client components only and you will not connect to a server that requires encryption, Internet Explorer 4.01 with Service Pack 2 is sufficient.

1: Internet Explorer 6.0 SP1 or later is required for SQL Server Management Studio, Business Intelligence Development Studio, and the Report Designer component of Reporting Services.



4.2.3 Security Considerations

4.2.3.1 User rights for installation The person installing SQL Server must be a member of the Administrators group on the server where SQL Server is being installed (MSDELL‐SQL).

4.2.3.2 User rights for Service Account The SQL Server service should run under the credentials of a domain user account as described in “Service Startup and Application Pool Identity Accounts” under the “Domain Controller Preparation “section. We will be using MSDELLBI\SQLServiceAccount as the service startup account in this installation.

For more information on Service Accounts and their importance please refer to Appendix D.

The following SQL Server components cannot be configured at install time. They will be installed with default settings.

• Notification Services • Integration Services • Full Text Search • Active Directory Helper • SQL Writer

4.2.4 SQL Server Setup

4.2.4.1 The Setup Process In this section, we discuss the sequence of user actions in full‐GUI mode and code execution required to install a new instance of SQL Server Database Engine and Integration Services.

Program Flow for Standard Install

1. On the MSDELL‐SQL server, to begin the installation process, insert the SQL Server 2005

DVD into the DVD drive. If the autorun feature on your DVD drive does not launch the

installation program, navigate to the root of the DVD and launch splash.hta. If installing

from a network share, navigate to the network folder and launch splash.hta.

2. From the autorun dialog, click Run the SQL Server Installation Wizard.


29

3. On the End User License Agreement page, read the license agreement, and then select

the check box to accept the licensing terms and conditions. Accepting the license

agreement activates the Next button. To continue, click Next. To end Setup, click Cancel.

4. On the Installing Prerequisites screen, Setup installs software required for SQL Server

2005. To begin the component update process, click Install. To continue after the update

completes, click Next.

5. On the Welcome to the Microsoft SQL Server Installation Wizard page, click Next to

continue.

6. On the System Configuration Check (SCC) page, the installation computer is scanned

for conditions that may block Setup. For information about configuration check items,

click Help at the bottom of the page or see “Check Parameters for the System

Configuration Checker.” To interrupt the scan, click Stop. To display a list of check items

grouped by result, click the Filter button and then select a category from the drop‐down

list. To view a report of SCC results, click the Report button and then select an option

from the drop‐down list. Options include Viewing the report, Saving the report to a

file, Copying the report to the Clipboard, and Sending the report as e‐mail. To

proceed with Setup after the SCC scan completes, click Next.

Note

The server on which we are installing SQL Server Database Engine (MSDELL‐SQL) does not require IIS to be installed as we are not installing any Web service components like Reporting Services or SharePoint on that server.

If IIS is not installed you might receive a warning like “IIS Feature Requirement (Warning) – Microsoft Internet Information Services (IIS) is either not installed or is disabled. IIS is required by some SQL Server Features.“. This warning can be ignored.

7. On the Registration Information page, enter information in the Name and Company

text boxes. To continue, click Next.

8. On the Components to Install page, select the following

a. SQL Server Database Services

b. Integration Services

c. Optionally you can choose Workstation Components, Books Online, and

Development Tools. This installs: o Client connectivity components like OLEDB drivers.



o Management tools like SQL Server Management Studio, SQL Server

Configuration Manager. o Performance tools like SQL Server Profiler and Tuning Advisor. o Business Intelligence Development Studio . o SQL Server Documentation.

These components are not required for the SQL Server Database Engine to run on the

server. It is good practice to have these components installed on a workstation and

manage the server remotely.

To install individual components, click Advanced. Otherwise, click Next to continue. 9. If you clicked Advanced on the previous page, the Feature Selection page displays. On

the Feature Selection page, select the program features to install using the drop‐

down boxes. To install components to a custom directory, select the feature and then

click Browse. For more information about the functionality of this page, click Help. To

continue when your feature selections are complete, click Next. Click Next.

10. On the Instance Name page, select a default or named instance for your installation. If a

default or named instance is already installed, and you select the existing instance for your

installation, Setup upgrades it and provides you the option to install additional

components. To install a new default instance, there must not be a default instance on the

computer. To install a new named instance, click Named Instance and then type a

unique instance name in the space provided. To install a new named instance side‐by‐side

with an existing instance, click Named Instance and then type a unique instance name in

the space provided. For more information about instance naming rules, click Help at the

bottom of the page, or see the Instance Name topic in SQL Server 2005 Books Online.

Click Next.

11. On the Service Account page, specify the user name, password, and domain name for

SQL Server service account. You can optionally choose to start other components at

Windows Startup. Click Next.

Note

We created a domain user account MSDELLBI\SQLServiceAccount to run the SQL Server Windows service. In case if you have not created this account, contact your network or Windows administrator to do this.


31

Figure 12. SQL Server Setup – Service Account page

12. On the Authentication Mode page you can choose Mixed Mode. Specify a password for

the SA login in SQL Server. It allows for both Windows authentication and SQL Logins.

Click Next.

Note

We are using Mixed Mode Authentication in SQL Server to enable the creation of ProClarity Analytics Server database which requires a SQL Server Login.

13. On the Collation Settings page, choose the collation settings appropriate for your

environment. Click Next.

14. On the Error Reporting page, optionally clear the check box to disable error reporting.

15. On the Ready to Install page, review the summary of features and components for your

SQL Server installation. To proceed, click Install.

16. On the Installation Progress page, you can monitor installation progress as Setup

proceeds. To view the log file for a component during installation, click the product or



status name on the Installation Progress page. Once the Setup Process completes, click

Next.

17. On the Completing Microsoft SQL Server 2005 Setup page, you can view the Setup

summary log by clicking the link provided on this page. To exit the SQL Server Installation

Wizard, click Finish.

18. If you are instructed to restart the computer, do so now. It is important to read the

message from the Setup program when you are done with installation. Failure to restart

the computer may cause failures when you run the Setup program in the future.

Note

This document was created when the latest patch for SQL Server was SP2. It is important

to update SQL Server with the latest Service Packs to ensure you have latest feature packs

and improvements in the product. Refer to the “Whats new in SQL Server 2005 Sp2” in Appendix A for additional information.

4.2.5 Data and Log Files – Change Default Path 1. From SQL Server 2005 launch SQL Server Management Studio. 2. From the Object Explorer 3. is visible on the screen click Connect and choose Database Engine. If not, click View

‐> Object Explorer or hit the F8 key. 4. Connect to Server window, specify the name of the server where SQL Server is

installed. If SQL Server 2005 was installed as a named instance, specify the ServerName/InstanceName.

5. Choose Windows Authentication. If you wish to choose SQL Server Authentication you need to user a SQL Server login with Administrative rights on the SQL Server. Connect to the server. You will see the server name with a list of folders (Databases, Security, Server Objects, and so on).

6. To launch the Server Properties window right‐click SQL Server in the Object Explorer and click Properties. This page contains all server level properties including properties to configure Data and LOG directories for your server.

7. Click Database Settings in the Select a page section on the left side of the Server Properties window. Under Database default locations change the location of Data and Log directories. You can click the ellipses next to each of the text boxes and browse to the new folder or type the new path.


33

Figure 13. SQL Server Database Settings

Please refer to the following product documentation article for detailed information on configuring data directories for SQL Server data base engine using T‐SQL statements.

http://msdn2.microsoft.com/en‐us/library/ms189133.aspx

Tempdb is a system database that is used by SQL Server for various activities like Index creation, Cursors etc. For more information on optimizing tempdb usage please refer to Appendix F



4.3 Install SQL Server 2005 Analysis Services 4.3.1 Server Details

In the test environment SQL Server 2005 Analysis Services is installed on MSDELL‐AS.

4.3.2 SQL Server Analysis Services Requirements and Prerequisites

Please refer to the following Books Online article for detailed information on SQL Server Analysis Services Hardware and Software requirements.




Developer Edition

Standard Edition











Windows Server 2003 64‐Bit x64 Enterprise Edition SP1






35

• .NET Framework 2.0 • SQL Server Native Client • SQL Server Setup support files

If not already installed, SQL Server Setup installs each of these components separately; only the SQL Server Setup support files are automatically removed when you uninstall SQL Server 2005. For more information on uninstalling this release, see How to: Uninstall




Internet Explorer 6.0 SP1 or later is required for all installations of SQL Server 2005, as it is required for Microsoft Management Console (MMC) and HTML Help. A minimal installation of Internet Explorer is sufficient, and Internet Explorer is not required to be the default browser.


Internet Information Services (IIS)

IIS 5.0 or later is required for SQL Server 2005 Reporting Services (SSRS) installations.

For more information about how to install IIS, see How to: Install Microsoft Internet Information Services. For more information about how to install IIS 7.0 on Windows Vista®, see this Microsoft Web site.

ASP.NET 2.02 ASP.NET 2.0 is required for Reporting Services. When installing Reporting Services, SQL Server Setup will enable ASP.NET if it is not already enabled.

1: Internet Explorer 6.0 SP1 or later is required for SQL Server Management Studio, Business Intelligence Development Studio, and the Report Designer component of Reporting Services. 2: For Reporting Services (64‐bit) installations on 64‐bit servers, the 64‐bit version of ASP.NET must be installed.


4.3.3.1 User Rights for Installation The person installing SQL Server Analysis Services must be a member of the Administrators group on the server where SQL Server Analysis Services is being installed (MSDELL‐AS).



4.3.3.2 User rights for Service Account The SQL Server Analysis Services service should run under the credentials of a domain user account as described in “Service Startup and Application Pool Identity Accounts” under the “Domain Controller Preparation” section. We will be using MSDELLBI\ASServiceAccount as the service startup account in this installation.


4.3.4 SQL Server Analysis Services Setup

4.3.4.1 The Setup Process In this section, we discuss the sequence of user actions in full‐GUI mode and code execution required to install a new instance of SQL Server Analysis Services.

4.3.4.1.1 Program Flow for Standard Installation 1. Install from either the SQL server 2005 DVD or a network share. If installing from a

network share, navigate to the network folder and launch splash.hta.

2. From the autorun dialog, click Run the SQL Server Installation Wizard.

3. On the End User License Agreement page, read the license agreement, and then select

the check box to accept the licensing terms and conditions. Accepting the license

agreement activates the Next button. To continue, click Next. To end Setup, click Cancel.

4. On the Installing Prerequisites page, Setup installs software required for SQL Server

2005.

5. On the Welcome to the Microsoft SQL Server Installation Wizard page, click Next to

continue.



click Help at the bottom of the page or see “Check Parameters for the System

Configuration Checker.” To interrupt the scan, click Stop. To display a list of check items

grouped by result, click the Filter button and then select a category from the drop‐down

list. To view a report of SCC results, click the Report button and then select an option

from the drop‐down list. Options include Viewing the report, Saving the report to a

file, Copying the report to the Clipboard, and Sending the report as e‐mail. To

proceed with Setup after the SCC scan completes, click Next.


37

Note

The server on which we are installing Analysis Services (MSDELL‐AS) does not have IIS

installed as we are not installing any Web service components like Reporting Services or

SharePoint on that server.

If IIS is not installed you might receive a warning like “IIS Feature Requirement (Warning) – Microsoft Internet Information Services (IIS) is either not installed or is disabled. IIS is required by some SQL Server Features.”This warning can be ignored.


text boxes. To continue, click Next and Fill out the registration information.


a. SQL Server Analysis Services

b. Optionally you can choose Workstation Components, Books Online and

Development Tools. This installs: o Client connectivity components like OLEDB drivers o Management tools like SQL Server Management Studio, SQL Server

Configuration Manager o Performance tools like SQL Server Profiler, Tuning Advisor o Business Intelligence Development Studio o SQL Server Documentation.

c. These components are not required for SQL Server Analysis Services to run on the



9. To install individual components, click Advanced. This displays the Feature Selection

page. Select the program features to install using the drop‐down boxes. To install

components to a custom directory, select the feature and then click Browse. For more

information about the functionality of this page, click Help. To continue when your

feature selections are complete, click Next.












Click Next.

11. On the Service Account page, specify the user name, password and domain name for

Analysis Services service account.

Note

We created a domain user MSDELLBI\ASServiceAccount which is used to run the

Analysis Services windows service. This user has to have reader permissions on all the

data sources used by Analysis Services. In case if you have not created this account

contact your network or Windows administrator to create an account.

Figure 14. Analysis Services Setup – Service Account page

12. On the Collation Settings page, choose the collation settings appropriate for your

environment..


39



SQL Server installation. To proceed, click Install.



status name on the Installation Progress page.


summary log by clicking the link provided on this page.




Note



and improvements in the product. Refer to the Whats new in SQL Server 2005 Sp2 in

Appendix A for additional information.

4.3.5 Data and Log Directories – Change Default Path 1. Launch SQL Server Management Studio from SQL Server 2005. 2. If the Object Explorer is visible on the screen clickConnect and choose Database

Engine. If not, click View and then click Object Explorer or hit the F8 key. 3. In the Connect to Server window, specify the name of the server where SQL Server

Analysis Services is installed. If Analysis Services was installed as a named instance, specify the ServerName/InstanceName.

4. Once it connects, you see the server name with Databases and Assemblies folders under it.

5. To launch the Analysis Services Properties window, right‐click the Analysis Services instance name in the Object Explorer and click Properties. This page contains all server level properties including properties to configure DATA and LOG directories for Analysis Services.

6. Click General in the Select a page section on the left side of the Analysis Services Properties window. A list of properties is displayed with various columns. The Value column lets you set a value for a property. The Current Value column displays the current value thats set for that property. Similarly there are other columns like Default, Restart, Type, Units, and Category. If the Restart column shows a value



”yes” for any property, changing that property will require you to restart Analysis Services before the new value takes effect.

7. Change the value of DataDir to point to the new folder where Analysis Services Data files will be stored.

8. Change the value of LogDir to point to the new folder where Analysis Services Log files will be stored.

9. Optionally you can also change the default path for the BackupDir and TempDir properties of Analysis Services. To display TempDir in the properties list check the Show Advanced (All) Properties checkbox at the bottom of the Analysis Services Properties window.

10. . Restart Analysis Services. Open the Analysis Services Properties window and verify the change in the CurrentValue column of the properties you changed.

Figure 15. Analysis Services – Server Properties

For more information on Analysis services server properties please refer to the

following SQL server technical article.


41

http://www.microsoft.com/technet/prodtechnol/sql/2005/ssasproperties.mspx

4.4 Install SQL Server 2005 Reporting Services

4.4.1 Server Details In the test environment SQL Server 2005 Reporting Services is installed on MSDELL‐WEBSRV1.

4.4.2 SQL Server Reporting Services Requirements and Prerequisites

Please refer to the following Books Online article for detailed information on SQL Server Reporting Services Hardware and Software requirements.




Developer Edition

Standard Edition











Windows Server 2003 64‐Bit x64 Enterprise Edition SP1







• .NET Framework 2.0 • SQL Server Native Client • SQL Server Setup support files

If not already installed, SQL Server Setup installs each of these components separately; only the SQL Server Setup support files are automatically removed when you uninstall SQL Server 2005. For more information on uninstalling this release, see How to: Uninstall




Internet Explorer 6.0 SP1 or later is required for all installations of SQL Server 2005, as it is required for Microsoft Management Console (MMC) and HTML Help. A minimal installation of Internet Explorer is sufficient, and Internet Explorer is not required to be the default browser.


Internet Information Services (IIS)

IIS 5.0 or later is required for SQL Server 2005 Reporting Services (SSRS) installations.

For more information about how to install IIS, see How to: Install Microsoft Internet Information Services. For more information about how to install IIS 7.0 on Windows Vista, see this Microsoft Web site.

ASP.NET 2.02 ASP.NET 2.0 is required for Reporting Services. When installing Reporting Services, SQL Server Setup will enable ASP.NET if it is not already enabled.

1: Microsoft Internet Explorer 6.0 SP1 or later is required for SQL Server Management Studio, Business Intelligence Development Studio, and the Report Designer component of Reporting Services. 2: For Reporting Services (64‐bit) installations on 64‐bit servers, the 64‐bit version of ASP.NET must be installed.


43


4.4.3.1 User Rights for Installation The person installing SQL Server Reporting Services must be a member of the Administrators group on the server where SQL Server Reporting Services is being installed (MSDELL‐WEBSRV1).

Administrator rights for SQL Server ‐ The person installing SQL Server Reporting Services must have Administrator rights on the SQL Server where the Reporting Services database is created. This privilege is required so that the Reporting Services Configuration Wizard can create the required Reporting Services databases and grant the right level of permissions to the Reporting Services Database Access Account. Once Reporting Services is configured, the Database Access Account specified during the configuration will be used to connect to the Reporting Services databases.

4.4.3.2 User rights for Service Account The SQL Server Reporting Services service should run under the credentials of a domain user account as described in “Service Startup and Application Pool Identity Accounts” under the “Domain Controller Preparation” section. The application pool identity accounts for the Report Server and Report Manager virtual directories will also use the same service account. We will be using MSDELLBI\WebServiceAccount as the service account in this installation.


4.4.4 SQL Server Reporting Services Setup

4.4.4.1 The Setup Process In this section, we discuss the sequence of user actions in full‐GUI mode and code execution required to install a new instance of SQL Server Reporting Services.

4.4.4.1.1 Program Flow for Standard Install 1. Install from either the SQL server 2005 DVD or a network share. If installing from a

network share, navigate to the network folder and launch splash.hta.

2. Run the SQL Server Installation Wizard.

3. On the Installing Prerequisites page, Setup installs software required for SQL Server

2005. To begin the component update process, click Install. To continue after the update

completes, click Next.



4. On the Welcome to Microsoft SQL Server Installation Wizard page, click Next to

continue.



click Help at the bottom of the page or see Check Parameters for the System Configuration Checker. To interrupt the scan, click Stop. To display a list of check items

grouped by result, click Filter and then select a category from the drop‐down list. To view

a report of SCC results, click Report and then select an option from the drop‐down list.

Options include Viewing the report, Saving the report to a file, Copying the report to

the Clipboard, and Sending the report as e‐mail.


text boxes.


a. Reporting Services

b. Optionally you can choose Workstation Components, Books Online and

Development Tools. This installs: o Client connectivity components like OLEDB drivers. o Management tools like SQL Server Management Studio, SQL Server

Configuration Manager. o Performance tools like SQL Server Profiler, Tuning Advisor. o Business Intelligence Development Studio. o SQL Server Documentation.

These components are not required for SQL Server Reporting Services to run on the



8. To install individual components, click Advanced. The Feature Selection page displays.

Select the program features to install using the drop‐down boxes.







45





Click Next.

10. On the Service Account page, specify the user name, password and domain name for SQL

Server service account.

Note

We created a domain user MSDELLBI\WebServiceAccount which is used to run the

windows service and application pool identities of all the Web service components

installed on MSDELL‐WEBSRV1.

Figure 16. Reporting Services Setup – Service Account page



11. If a SQL Server Database Engine instance existed on the machine where Reporting

Services is being installed, the setup wizard would provide you two options on the Report

Server Installation Options page:

• Install the default configuration: This option creates the Reporting Services

database on the local system and performs the Reporting Services configuration like

creation of virtual directories, configuring startup accounts, and other tasks using the

default settings.

• Install but do not configure the server: This option is used if you want to create

the Reporting Services databases on a remote instance of SQL Server and specify the

virtual directory settings and startup accounts for Reporting Services.

In our case, we have not installed a SQL instance on the Reporting Services box, hence we

will be creating the Reporting Services catalog database on a remote instance of SQL

Server and configure the virtual directories and startup accounts manually.

Figure 17. Reporting Services Setup – Report Server Installation Options

page


47

If you click Details on the Report Server Installation page, you see the following screen

which states the reason why setup chose the Install but do not configure the server

option.

Figure 18. Reporting Services Setup – Installation Information



SQL Server installation.



status name on the Installation Progress page.


summary log by clicking the link provided on this page.






Note



and improvements in the product. Refer to the What”s new in SQL Server 2005 Sp2 in

Appendix A for additional information.

Reporting Services SharePoint Integrated Mode

SQL Server 2005 Service Pack 2 adds an additional feature to Reporting Services.

Reporting Services can be integrated with SharePoint. Once you update a Reporting

Services instance with Service Pack 2 in the Reporting Services Configuration Wizard you

get an additional option called SharePoint Integration. This helps you setup a Reporting

Services database for new SharePoint integration mode and make the necessary settings.

Refer to the Deployment Modes for Reporting Services in Appendix A for additional

information.

4.4.4.1.2 Configure the Report Server and Create the Remote Database 1. From SQL Server 2005, point to Configuration Tools, click SQL Server Surface Area

Configuration.

2. In Surface Area Configuration for Services and Connections, verify that the Report Server

Windows service is running.

3. In Surface Area Configuration for Features, verify that Scheduled Events and Report

Delivery, HTTP and Web Service Requests, and Windows integrated security are all

enabled.

4. Open Reporting Services Configuration. Click Start, point to All Programs, point to

Microsoft SQL Server 2005, point to Configuration Tools, click Reporting Services

Configuration.


49

5. Select the local report server instance you just installed. Click Connect.

Figure 19. Connect to Report Server Instance

6. The Server Status indicates that the Report Server is started. If not, click Start. Once the

Server status turns green and Service Status shows Running, click Report Server Virtual

Directory.



Figure 20. Check Report Server Status

7. To create a new virtual directory for Report Server, click New.

Figure 21. Report Server Virtual Directory – Not Configured

8. Choose the IIS Website where you want to create the Report Server Virtual Directory and

type the name for the virtual directory. The IIS Web site defaults to Default Web Site and

virtual directory name defaults to ReportServer. Create the Report Server virtual directory.

Figure 22. New Virtual Directory

9. Once the virtual directory name and Website name appear in the respective text boxes

click Apply.


51

Figure 23. Report Server Virtual Directory ‐ Configured

10. To create a new virtual directory for Report Manager, click Report Manager Virtual

Directory. Click New.



Figure 24. Report Manager Virtual Directory ‐ Not Configured

11. Choose the IIS Website where you want to create the Report Manager virtual directory

and type the name for the virtual directory. The IIS Web site defaults to Default Web Site

and virtual directory name defaults to Reports. Click Ok to create the Report Manager

virtual directory.

Figure 25. New Virtual Directory

12. Once the virtual directory name and Website name appear in the respective text boxes

click Apply.


53

Figure 26. Report Manager Virtual Directory ‐ Configured

13. Click Windows Service Identity. This setting was configured during setup where we

specified the domain user account to use to run the Report Server. Verify that the

Reporting Services windows service is running under the service account specified

(MSDELLBI\WebServiceAccount).



Figure 27. Windows Service Identity

14. Click Web Service Identity. Here you need to configure the application pool used by the

two virtual directories and the identity account the application pool runs under.

For more information on Application Pools and Application Pool Identity Accounts please

refer to Appendix D.


55

Figure 28. Web Service Identity – Not Configured

15. Click New next to Report Server. Type the Application Pool name and specify a Windows

account for the application pool security.



Figure 29. New Application Pool

16. You could use the application pool that was created for Report Server virtual directory to

run Report Manager virtual directory too. If you choose to create a new application pool

click New next to Report Manager. Type the Application Pool name and specify a

Windows account for the application pool identity.


57

Figure 30. Web Service Identity – Create but not Applied

17. Once the new application pools have been created click Apply to configure the virtual

directories to use the new application pools.



Figure 31. Web Service Identity – Configured

18. Click Database Setup. Here we need to specify the remote instance of SQL Server. Click

Connect.


59

Figure 32. Database Setup – Not Configured

19. Type the Server Name where SQL Server was installed. If SQL Server was installed as a

named instance you need to specify the Server Name as Hostname/InstanceName. If the

user running the configuration wizard has administrative privileges on the SQL Server

choose Current User ‐ Integrated Security else choose SQL Server Account and key in the

SQL Server Account credentials with administration privileges on the Server.



Figure 33. SQL Server Connection Dialog Box

20. Next to the Database Name click New to create a new Report Server database. The SQL

Server Connection dialog box opens. Type the name of the new database and the

credentials used to create the database. If you already have a Report Server database you

want to use, you can select it rather than create a new one.


61

Figure 34. SQL Server Connection Dialog Box

21. From the Credentials Type drop down, select the type of account you want Report Server

to use to connect to the Report Server database. You can use the Service Credentials or a

Windows domain user account or SQL Server login.

In our case, let’s choose Service Credentials which essentially means that Reporting

Services will use the service account it runs under to connect to its catalog database.

If you chose Windows Credentials or SQL Server Credentials, type the user name and

password that the report server uses to connect to the report server database. For more

information, see Configuring a Report Server Database Connection.

22. Click Apply to save your changes.



Figure 35. Database Setup ‐ Configured

Note

The Encryption Keys page is used to manage the symmetric key that is used by the

report server to encrypt and decrypt the data. For more information on Encryption Keys

refer to the following article http://msdn2.microsoft.com/en‐us/library/ms189422.aspx

The Initialization page shows the status of the report server in a scale‐out deployment

or is used to join a report server to a scale‐out deployment. It currently shows a red X

next to it because the report server is not configured to encrypt or decrypt the data in the

report server database. For more information on Initialization refer to the following link


23. Open http://MSDELL-WEBSRV1/reportserver and http://MSDELL-WEBSRV2/reports to verify your installation.


63

Figure 36. Report Server home page

Figure 37. Report Manager home page



4.5 Install Microsoft Office SharePoint Server 2007 and Excel Services

4.5.1 Server Details In the test environment MOSS 2007 is installed on MSDELL‐WEBSRV1.

For the purpose of this document we will be installing Microsoft Office SharePoint Server 2007 on a single server. Installation and configuration of SharePoint in a Web server farm is out of the scope of this document.

4.5.2 MOSS Requirements and Prerequisites Please refer to the following Microsoft TechNet article for detailed Microsoft Office SharePoint Server 2007 hardware and software requirements.

http://technet2.microsoft.com/Office/en‐us/library/4d88c402‐24f2‐449b‐86a6‐6e7afcfec0cd1033.mspx?mfr=true

4.5.2.1 Operating System Office SharePoint Server 2007 runs on Windows Server 2003 with SP1 or later. We recommend that you apply all critical updates. You can use the following Windows Server 2003 editions:

• Windows Server 2003, Standard Edition • Windows Server 2003, Enterprise Edition • Windows Server 2003, Datacenter Edition

4.5.2.1.1 Windows Components After you have installed the operating system and applied all critical updates, you must configure the computer to be a Web server by enabling Internet Information Services (IIS) 6.0, including:

• Common files • WWW • Simple Mail Transfer Protocol (SMTP): Only if you want to enable email

notification.

You must configure the server to use IIS 6.0 worker process isolation mode. This is the default setting in new installations. However, if you have upgraded from IIS 5.0 on Windows Server 2000, Run WWW in IIS 5.0 isolation mode is enabled, and you must change this setting to use IIS 6.0 worker process isolation mode.


65

4.5.2.2 Microsoft .NET Framework 3.0 Before installing Office SharePoint Server 2007, you must install the Microsoft .NET Framework 3.0 and then ensure that ASP.NET 2.0 is enabled.

To enable ASP.NET v2.0.50727, open the Web service extension in the IIS snap‐in on the Microsoft Management Console (MMC). If ASP.NET 2.0 is installed on the computer before IIS is enabled, you must enable ASP.NET 2.0 by running the command aspnet_regiis -i.

4.5.2.3 Internet Requirements Office SharePoint Server 2007 administration functions require Microsoft Internet Explorer 6.0 with the most recent service packs or Internet Explorer 7.0.


4.5.3.1 User Rights for Installation The person installing MOSS must be a member of the Administrators group on the server where MOSS is being installed (MSDELL‐WEBSRV1).

4.5.3.2 Administrator Rights for SQL Server The person installing MOSS must have Administrator rights on the SQL Server Instance where the MOSS databases are created.

4.5.3.3 User rights for Service Account The MOSS services should run under the credentials of a domain user account as described in “Service Startup and Application Pool Identity Accounts” under the “Domain Controller Preparation section.” We will be using MSDELLBI\WebServiceAccount as the service startup account in this installation.


4.5.4 MOSS Setup

4.5.4.1 The Setup Process In this section, we discuss the sequence of user actions in full‐GUI mode and code execution required to install MOSS

4.5.4.1.1 Program Flow for Standard Install 1. On the MSDELL‐WEBSRV1 server, from the product disc, run Setup.exe, or from the

product download, run Officeserver.exe. 2. On the Choose the installation you want page you have two options.



The Basic option installs SharePoint in the default location with the default settings which includes a local instance of SQL Server Express Edition. Using the Advanced option, you can customize the components of SharePoint to be installed and the SQL Server instance where SharePoint databases will be created. Click Advanced.

3. In the Server Type page, choose Complete. Optionally, you can change the default install location.

4. When Setup finishes, select Run the SharePoint Products and Technologies Configuration Wizard

5. On the Welcome to SharePoint Products and Technologies page, click Next. 6. In the dialog box that notifies you that some services might need to be restarted or reset

during configuration, click Yes.

Figure 38. SharePoint Configuration Wizard warning.

7. On the Connect to a server farm page, select No, I want to create a new server farm.

8. In the Specify Configuration Database Settings page, type the SQL Server name (if the

instance is a named instance type the hostname/instance name). The default SharePoint

configuration database name is SharePoint_Config. You can change this if required. In the

Specify Database Access Account section specify the domain user account that you

created for SharePoint.

Note

The account that you specify as the Database Access account is added to SQL Server as a

login with membership to the Database Creator and SQL Server Security Administrator

roles. This account is also used as the application pool identity for the application pools

being used by SharePoint Central Administration site.

Note

We created a domain user MSDELLBI\WebServiceAccount which is used to run the

windows service and application pool identities of all the Web service components

installed on MSDELL‐WEBSRV1.


67

Figure 39. SharePoint Configuration –Database Settings

9. In the Configure SharePoint Central Administration Web Application page, specify a

port number. Choose NTLM as the authentication provider for the Web application. We

shall configure SharePoint to use Kerberos later.

10. Review the settings specified before clicking Next.

11. Once SharePoint completes the configuration click Finish.

12. The SharePoint Central Administration Web Site home page opens up.

Note

If you are prompted for your user name and password, you might need to add the SharePoint

Central Administration site to the list of trusted sites and configure user authentication

settings in Internet Explorer.



Figure 40. SharePoint Central Administration Home Page

13. Before configuring SharePoint, you can run the latest updates and service packs. At the

time this document was prepared the latest service pack was WSS 3.0 SP1 and MOSS 2007

SP1.

14. On the SharePoint Central Administration home page you see a warning that the

Server Farm configuration not complete. Click Operations. Click Services on Server.

Here you see a list of services that Microsoft Office SharePoint provides. Click Start next

to Excel Calculation Services. This service is required to provide Excel Services and Excel

Web Access on the SharePoint site. Click Start next to Office SharePoint Server Search.

Note

To successfully create an SSP on your server you require an Index Server. You must start Microsoft Office SharePoint Search on the server to create an Index Server.

Note: For more information on the benefits and features offered by Enterprise Search in MOSS 2007 refer to the following article. http://msdn2.microsoft.com/en‐us/library/ms497338.aspx


69

Figure 41. SharePoint – Services on Server

15. Click Application Management. Under Office SharePoint Server Shared Services

section click Create or configure this farms shared services.

16. This step is required to create a new Shared Service Provider which would provide features

like Excel Services to the SharePoint Web Application. In the Manage this Farms Shared

Services page click New SSP.

17. On the New Shared Services Provider Page type a name for the Shared Services

Provider. A SSP needs a Web application to host its Admin Site. Click Create a new Web



Application.

Figure 42. SharePoint – New Shared Services Provider

18. On the New Web Application page, select Create a new IIS Website, type a Website

name, specify the port. Leave the authentication as NTLM; we shall configure the Web

Application to execute under Kerberos Delegation in a later section.

19. Select No under Allow Anonymous.

20. Under Application Pool, select Create a new Application Pool. Specify a name for the

application pool and under the application pool security account select Configurable and

specify the domain user account used to run SharePoint

(MSDELLBI\WebServiceAccount).

21. You can o restart IIS manually or automatically. Specify the SQL Server instance name as

the database server. You can optionally change the database name. Under Database

Authentication, select Windows Authentication.


71

Figure 43. Web Application Settings

New Application Pool, Security Account, Database Server, Database Authentication

22. If you initiated the Search Service in MOSS, select the search server from the drop down

list, otherwise leave the default setting for Search.

23. This creates a new Web application and returns you to the Shared Services Provider

creation page. The Web application you just created is now chosen as the Web application

to host the SSPs admin site. Optionally you can create a new Web application if you wish

to provide the end users with the My Site feature. For maintenance and manageability

reasons, we recommend having a separate Web application to host the My Site.



Figure 44. Back to Shared Services Provider creation page

Note

SharePoint configuration tasks are done through the Central Administration Web site. You can open the Central Administration from a remote workstation to perform any of the configuration tasks. If SharePoint is not setup to use Secure Socket Layers (SSL) you receive a warning which states that the information you provide is not secured for communication. Enabling SSL on SharePoint is not covered in this document.

24. Under SSP Service Credentials, specify the service account

(MSDELLBI\WebServiceAccount) for Specify the same SQL Instance name as under the

Database Server and you can optionally change the database name. Choose Windows

Authentication as the Database Authentication method.


73

Figure 45. Shared Services Provider Settings

New Application Pool, Security Account, Database Server, Database Authentication

25. If you created a SharePoint Search Service and Indexing Services you can optionally create

a Search database and specify the Indexing Server details, else leave it as default.

26. On the Shared Services Provider Created Successfully page, click Ok.

27. In the Central Administration home page, click Application Management. Under

SharePoint Site Management, click Create site collection.



28. Type a title for the site collection, specify the URL and choose a template.

Figure 46. SharePoint – Site Collection Creation

29. Under the Primary site collection administrator specify a user who would be the

administrator of the SharePoint site collection. You can optionally provide a secondary

administrator.


75

Figure 47. SharePoint – Site Collection Creation



30. The Top‐Level Site Successfully Created page. You can open the site collection home

page by clicking on the link provided.

Figure 48. New SharePoint Site Collection

31. Once the Top Level site is created you need to create the following:

• Document Library for PerformancePoint dashboard items

• Document Library for Excel Reports

• Data Connection Library for data source connection files

32. The access model for the site will be configured in a later section.

• To create the document libraries, on the site collection home page click Site Actions

on the right side of the page, then select Create.

• In the Create page under Libraries, click Document Library.

• Specify a name for the document library. You can select the Navigation Options,

Document Version History settings and a Document Template. Click Create.

• Repeat the same steps again to create another document library for Excel Reports.


77

Figure 49. Document Library Creation

33. On the Create page under Libraries, select Data Connection Library. Type the name of

the data connection library. You can select the Navigation Options and Document

Version History settings. Click Create.

34. To correctly configure Excel Services you need to add the document library created for

Excel Reports to an Excel Services Trusted File Location. Open the Central

Administration home page. Under the Shared Services Administration section, select

the Shared Service Provider listed. On the SSP Administration home page, select

Trusted File Location under Excel Services.

35. In the Add Trusted File Locations page paste the URL of the Excel Document Library.

Change the Allow External Data to allow data from Trusted data connection libraries

only. The remaining settings can be left as their defaults.



Figure 50. URL for the Document Library


79

Figure 51. Adding the document library to Excel Services Trusted File

Location

36. Once the Excel Document Library has been added to Trusted File Locations, we need to

add the Excel Data Connection Library to the Trusted Data Connection Libraries. On the

Shared Services Admin home page, under Excel Services, click Trusted Data

Connection Libraries. Copy the URL of the Excel Data Connection Library and paste it

in the Address box.

37. To create a new data connection in the data connection library, open Microsoft® Office

Excel® 2007. Click the Data tab. Click From Other Sources and select Analysis Services.

38. In the Data Connection Wizard, type the name of the Analysis Services instance, choose

Windows Authentication.

39. In the Select the Database and Table page, select the cube or perspective.

40. Type a file name and friendly name for the data connection file. Check Always attempt to

use this file to refresh data.



Figure 52. Creating a new Excel Data Source Connection

41. Click Authentication Settings and ensure that it’s set to Windows authentication.

Click Ok. Click Finish to save the data connection file.

42. To add this data connection file to the Excel Data Connection library, open the data

connection library. Click Upload and click Upload Document. Browse to the folder

where the data source was created and upload the file to the data connection library. By

default the data connection file is stored in the My Documents/My Data Sources folder.

43. Once the file has been added, SharePoint will prompt you to approve the document. Click

Ok to approve the document.

44. To create any reports in Excel, the user should use the data connection file from the Excel

Data Connection Library on the SharePoint Server.

45. Once the Excel report is created, it can be published to the Excel Document Library that

was created earlier.


81

4.6 Install PerformancePoint Monitoring Server

4.6.1 Server Details In the test environment setup PPS Monitoring Server is installed on MSDELL‐WEBSRV1.

4.6.2 Monitoring Server Requirements and Prerequisites

Please refer to the following Microsoft TechNet article regarding the hardware and software requirements for Microsoft Office PerformancePoint Monitoring Server 2007.

http://technet.microsoft.com/en‐us/library/bb838773.aspx

4.6.2.1 Operating System Office PerformancePoint Server 2007 runs on Windows Server 2003 with SP1 or later. We recommend that you apply all critical updates. You can use the following Windows Server 2003 editions:

• Windows Server 2003, Standard Edition • Windows Server 2003, Enterprise Edition • Windows Server 2003, Datacenter Edition

4.6.2.1.1 Windows Components After you have installed the operating system and applied all critical updates, you must configure the computer to be a Web server by enabling Internet Information Services (IIS) 6.0.

You must configure the server to use IIS 6.0 worker process isolation mode. This is the default setting in new installations. However, if you have upgraded from IIS 5.0 on Windows Server 2000, Run WWW in IIS 5.0 isolation mode is enabled, and you must change this setting to use IIS 6.0 worker process isolation mode.

You must have Microsoft .NET Framework version 2.0 on the server with Microsoft ASP.Net 2.0 enabled.

4.6.2.2 Internet Explorer Requirements Microsoft Internet Explorer 6.0 or 7.0

4.6.2.3 Other Components: • SQL Server 2005 Database Engine. (This can be on a remote instance) • SQL Server Native Client 9.0 SP2 • ADOMD.Net 9.0 SP2



• ASP.NET 2.0 AJAX Extensions 1.0 • Microsoft SharePoint Services 3.0 or Microsoft Office SharePoint Server 2007.


4.6.3.1 User Rights for Installation The person installing PerformancePoint Monitoring Server must be a member of the Administrators group on the server where PerformancePoint Monitoring Server 2007 is being installed (MSDELL‐WEBSRV1).

4.6.3.2 Administrator rights for SQL Server The person installing PerformancePoint Monitoring Server must have Administrator rights on the SQL Server where the PerformancePoint database is created.

4.6.3.3 User Rights for Service Account The PerformancePoint Web service should run under the credentials of a domain user account as described in “Service Startup and Application Pool Identity Accounts” under the “Domain Controller Preparation” section. We will be using MSDELLBI\WebServiceAccount as the application pool identity account in this installation.

For additional information on Application Pools and Application Pool Identity Account please refer to Appendix D.

4.6.4 Monitoring Server Setup

4.6.4.1 The Setup Process In this section, we discuss the sequence of user actions in full‐GUI mode and code execution required to install a new instance of Monitoring Server.

4.6.4.1.1 Program Flow for Standard Installation 1. On the MSDELL‐WEBSRV1 machine, install PerformancePoint Server from the CD. 2. On the startup screen, click Install Monitoring Server. If it does not automatically

launch, double‐click the Monitoring Server MSI (PSCSrv.msi). 3. Hardware and software prerequisite checking is performed by calling an external pre‐

requisite validation engine to ensure the target server is suitable for installing Monitoring Server. The Prerequisite screen will not appear if the machine meets all prerequisite requirements.

4. On the Directory Selection page, you can choose the location to install the binaries. Click Next.


83

5. On the Install page, click Next. 6. Once the Monitoring Server Installation is complete, ensure that the Run the

Monitoring Server Configuration Manager Wizard check box is selected before you click Finish. This will invoke the Configuration Manager Wizard. If you do not wish to run the Configuration Manager Wizard now, you have to run it before you begin to use PerformancePoint Server.

7. The Prerequisites screen displays the components that are needed to be installed prior to setting up the web based portion of Monitoring Server.

8. The Installation Options page has two options: • Standalone Configuration: This requires all services to be installed and running on the local server. This option cannot be customized.

• Distributed Configuration: This allows the ability to install components independently on different servers and provides more flexibility. These components will be available based on the prerequisites check to determine which components can be installed on the machine. The available components to install are as follows:

a. Monitoring System Database: The Monitoring System Database can be created on a remote SQL Instance.

b. Monitoring Server: Installs three services: • Monitoring Web Service is a front end Web service facilitates the

communication between Dashboard Designer and Monitoring System database.

• Dashboard Web Preview is a preview feature that provides the capability to deploy and view dashboards as ASP.NET Web pages.

• Dashboard Designer Installation Site is an installation site for users to install Dashboard Designer on demand using Microsoft ClickOnce Technology. It is a central point for users to download the Dashboard Designer client.

c. Scorecard Viewer for Reporting Services: Installs SQL Server 2005 Reporting Services customer data extension for a SQL Server Reports Server. This extension enables the automated deployment and rendering of Dashboards in Report Definition Language (RDL).

d. Dashboard Viewer for SharePoint Services: Installs Monitoring Web parts that enables deployment and viewing of dashboards in Windows SharePoint Services 3.0 or Office SharePoint Server 2007.

e. Monitoring Plug‐in for Report Designer (Visual Studio 2005): Installs a SQL Server 2005 Reporting Services customer data extension for Microsoft Visual Studio 2005. This extension enables the consumption of Dashboards using Report Definition Language (RDL) in Visual Studio.

Select Distributed Configuration and ensure that the checkboxes next to all the components are checked.



Figure 53. Installation Options for PerformancePoint Monitoring Server

9. On the Database screen, type the name for the SQL Server instance. Type the database name. Click Create Monitoring System Database. Click Next.


85

Figure 54. PerformancePoint Server Database Settings

10. On the Web site screen if you have SSL implemented on your Web site, select the

Require SSL connections to Monitoring Web Site box. 11. On the Application Pool Identity Account screen select Configurable and type in the

domain name, service account name, and password. Click Next. Note

We created a domain user MSDELLBI\WebServiceAccount which is used to run all the Web service components installed on MSDELL‐WEBSRV1 (SSRS, MOSS & PPS).



Figure 55. Application Pool Identity for PerformancePoint Monitoring

Server


87

12. On the Web Parts page type the URL for the SharePoint site collection. 13. The SQL Server Reporting Services screen is used to define a local Reporting Server

instance on which to deploy the Monitoring Plug‐in. 14. The Validation screen shows the components that will be installed. 15. The Review Options screen shows all the choices made throughout the Configuration

wizard. Click Configure. 16. The Progress screen shows each component that is being installed and configured. 17. The Summary screen confirms that the installation is complete.

Note

PerformancePoint Monitoring server creates three application pools. PPSMonitoringCentral, PPSMonitoringPreview, and PPSMonitoringWebService. Ensure that all these application pools are running under the identity of the service account specified during the configuration. By default, the PPSMonitoringCentral application pool executes under the identity of NETWORK SERVICE. This application pool is used by the DesignerInstall virtual directory that installs the Dashboard Designer on client machines. Change the identity of this application pool to the service account used during configuration of PPS.

4.7 Installing the Dashboard Designer

4.7.1 Dashboard Designer Requirements and Prerequisites

This section details the hardware and software requirements to install Dashboard Designer. It also lists the software prerequisites for installing Dashboard Designer.

4.7.1.1 Software Requirements The following are software requirements to install Dashboard Designer:

• Windows Server 2003 SP1 or later • Windows XP Professional SP2 or later • Windows Vista • Internet Explorer 6.0 or later



• Microsoft® Office Visio® 2007 (for strategy maps) • Office Excel 2007 (to use Excel as a data source)

4.7.1.2 Software Prerequisites The following are software prerequisites to install Dashboard Designer:

• Microsoft .NET Framework 2.0


4.7.2.1 User Rights for Installation The person installing Dashboard Designer and its prerequisites must be logged onto the computer as a user with following access rights. Users group ‐ The person installing Dashboard Designer must be a member of the Users group on the computer where Dashboard Designer is being installed. No Administrative rights are necessary to install Dashboard Designer.

4.7.3 Dashboard Designer Setup

4.7.3.1 The Setup In this section, we discuss the sequence of user actions required to install a new instance of Dashboard Designer on a machine not already running Dashboard Designer.

4.7.3.1.1 Program Flow for a Standard Installation 1. Install the Dashboard Designer on a client machinefrom http://MSDELL‐

WEBSRV1:40000/Central/. To install it on the server, the Dashboard Designer installs as a ClickOnce application from Microsoft Office PerformancePoint Server 2007

2. Click Run next to Download Dashboard Designer. 3. A Security Warning screen will appear prompting to click either Run or Don’t

Run to install Microsoft Office PerformancePoint Server Dashboard Designer. 4. Click Run. The Dashboard Designer installs as a Click Once application. You can

find the link to open Dashboard Designer by navigating to Start, then Program Files, Microsoft Office PerformancePoint Server 2007, and finallyDashboard Designer.


89

Figure 56. PerformancePoint Server Dashboard Designer

4.8 Install ProClarity Analytics Server 6.3

4.8.1 Server Details In the test environment ProClarity Analytics Server is installed on MSDELL‐WEBSRV2.

4.8.2 PAS Requirements and Prerequisites Please refer to the following ProClarity Analytics Server product documentation for detailed hardware and software prerequisites.

http://download.microsoft.com/download/1/7/3/173dd1cf‐f680‐4c37‐9763‐c209806af9fb/ProClarity%20Analytics%20Server.pdf



4.8.2.1 Operating System You can use the following Windows Server 2003 editions to install and run ProClarity Analytics Server 6.3:

• Windows Server 2003, Standard Edition • Windows Server 2003, Enterprise Edition • Windows Server 2003, Datacenter Edition • Windows Server 2003, Web Edition

4.8.2.1.1 Windows Components After you have installed the operating system and applied all critical updates, you must configure the computer to be a Web server by enabling Internet Information Services (IIS) 6.0 with Active Server Pages and Server Side Includes set to Allowed.

You must have Microsoft .Net Framework version 2.0 on the server with Microsoft ASP.Net 2.0 enabled.

4.8.2.2 Internet Explorer Requirements Microsoft Internet Explorer 6.0 or 7.0

4.8.2.3 Other Components: SQL Server 2005 Database Engine. (This can be on a remote instance)


4.8.3.1 User Rights for Installation The person installing PAS must be a member of the Administrators group on the server where PAS is being installed (MSDELL‐WEBSRV2).

4.8.4 PAS Setup

4.8.4.1 The Setup Process In this section, we discuss the sequence of user actions in full‐GUI mode and code execution required to install PAS.

4.8.4.1.1 Standard Installation 1. Install ProClarity Analytics from the product CD. 2. On the Choose Installation Type page, select Full Product.


91

3. On the Set Up Web Site page, type in the name of the ProClarity Analytics Server Virtual Directory: PAS.

Figure 57. PAS Virtual Directory

4. In the Choose Location page, select the path for the ProClarity Web Standard files.

5. On the Select a Microsoft SQL Server page, select Choose another SQL Server and type the name of the SQL Server (If you installed SQL Server as a named Instance specify the SQL Server name as hostname/instance name). Type in credentials of a SQL Login with administrative privileges on the SQL Server.



Figure 58. PAS Database Setup

6. On the Set up Analytics Server database screen type a name for the ProClarity Analytics Server database. Setup creates a SQL Server Login to connect to the ProClarity database. Type in the new username and password.


93

Figure 59. PAS Database Access Account

7. Review the installation options

Note

For the purpose of demonstrating the configuration and settings that are required to implement Kerberos Constrained Delegation for a service that is not running under a dedicated domain user account, we are running ProClarity Analytics Server under the default application pool identity account of a built‐in system account (NETWORK SERVICE).

It is recommended to use a domain user account as the application pool identity account for ProClarity Analytics Server..

8. Browse to the http://MSDELL‐WEBSRV2/pas site to view the ProClarity Analytics Server home page.

Figure 60. PAS Home page

9. Update the ProClarity Analytics Server with the latest updates and patches: • ProClarity Analytics Server Cumulative Hotfix 2213 • ProClarity Analytics Server Cumulative Hotfix 2214

10. To enable ProClarity Web Professional as a download for users from the PAS site, copy the Web Professional folder from the setup media and place it in the PAS Virtual Directory folder. Open the ProClarity Administration Tool. Right‐click Components, click New Component.



Figure 61. PAS Administration Tool

11. Browse to the Web Professional folder you just copied over. Select the WebProfessional.xml component information file. Select Make this a Required download for Web Professional users.

Figure 62. New Component in PAS Administration Tool

A Guide for security and deployment options in a distributed Dell™ PowerEdge™ multi‐core Opteron™ based server environment ‐ Kerberos Delegation: Setup and Configuration

95

5 Kerberos Delegation: Setup and Configuration Kerberos Delegation provides a secure means for clients and services on the network to identify and communicate with each other. It is the most secure means of authentication between services.

To implement Kerberos Delegation there are various levels of settings that need to be done at the domain controller, application layer, and client. In this section we shall take you through the setup and configuration of Kerberos Constrained Delegation in a multi‐server environment.

Note

Most of the settings that need to be done on the domain controller will need to be performed by a network administrator.

Caution

Settings like creating users in the Active Directory directory services, adding computers to the domain, and changing the delegation settings of user accounts and computers should to be performed with caution as it may impact other existing applications and servers on the network.

5.1 Active Directory Settings and Configurations

5.1.1 Domain Functional Level Windows 2000 domain functional level offers Unconstrained Delegation in which a service can delegate user credentials to any other service in the domain. This poses a security risk if a service is compromised by a malicious user. A more secure way of delegating credentials is to use Constrained Delegation which is new in Windows 2003. With a Windows 2003 domain functional level and using Constrained Delegation, we can explicitly define the resources or services to which a service can delegate users’ credentials.

For the purpose of this document we will consider Constrained Delegation.



5.1.2 Service Account Settings In our scenario, SQL Server 2005 Database Engine and SQL Server 2005 Analysis Services are the remote resources which need to be accessed by other Web services like Reporting Services, MOSS, PerformancePoint, and ProClarity Analytics Server. Hence these services need to identify SQL Server and Analysis Services on the network and delegate user credentials to them. SQL Server and Analysis Services do not need to delegate credentials further to any other service/resource on the network.

Figure 63. Credential Delegation

5.1.2.1 Service Principal Names A Service Principal Name (SPN) is a mapping in the Active Directory directory services of the service to the security principal or the account under which it is running. SPN helps a client uniquely identify an instance of a service and is used to support mutual authentication between a client application and a service.

When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.

To enable Kerberos Authentication we need to create SPNs for the domain user accounts under which the various services run.

The SETSPN command line utility is a part of the Windows 2003 Support Tools. It can also be downloaded from the Microsoft Download Center.


97

The general syntax of the SETSPN command to list SPNs created for a domain user account is:

setspn –l useraccount

To list SPNs created for a Server or host:

setspn –l hostname

To create SPNs for a service running under a domain user account:

setspn –a serviceclass/hostname:port useraccount setspn –a serviceclass/fully_qualified_domain_name:port useraccount

When you run a service under a built‐in system account you do not have to create an SPN because SPNs for built‐in system accounts are automatically created when the machine is joined to a domain. The service class used is HOST and covers most of the common services including HTTP.

The Service Class can be SQL Server Database (MSSQLsvc), Analysis Services (MSOLAPsvc.3), Web service (HTTP), Web service with Secure Socket Layers (HTTPS), HOST (it covers most of the commonly used services), and others.

The port number is required if the service is running under a different port than the default port for that service class.

5.1.2.1.1 SQL Server Database Engine To create a SPN for SQL Server Database Engine, log onto the domain controller using an account that has administrative privileges on the Domain Controller.

Open a command prompt. Browse to the SETSPN installation. The default location of the SETSPN command line utility is C:\Program Files\Resource Kit.

Run the following commands:

Syntax:

setspn -a MSSQLsvc/hostname:1433 useraccount setspn –a MSSQLsvc/hostname.mydomain.com:1433 useraccount

Example: setspn -a MSSQLsvc/MSDELL-SQL:1433 SQLServiceAccount setspn –a MSSQLsvc/MSDELL-SQL.MSDELLBI.COM:1433 SQLServiceAccount



Figure 64. Service Principle Name (SPN) Creation

5.1.2.1.2 SQL Server Analysis Services To create a SPN for SQL Server Analysis Services, log onto the domain controller using an account that has administrative privileges on the domain controller:

1. Open a command prompt. Browse to the SETSPN installation. The default location of the SETSPN command line utility is C:\Program Files\Resource Kit.

2. Run the following commands:

Syntax:

setspn -a MSOLAPsvc.3/hostname useraccount setspn –a MSOLAPsvc.3/hostname.mydomain.com useraccount

Example:

setspn -a MSOLAPsvc.3/ MSDELL-AS ASServiceAccount setspn –a MSOLAPsvc.3/MSDELL-AS.MSDELLBI.COM ASServiceAccount


99

Figure 65. SPN Creation for Analysis Services

5.1.2.1.3 SQL Server Reporting Services, Microsoft Office SharePoint Server 2007, Microsoft Office PerformancePoint Server 2007

To create a SPN for the Web services running on the Web server (MSDELL‐WEBSRV1), log onto the domain controller using an account that has administrative privileges on the domain controller.

1. Open a command prompt. Browse to the SETSPN installation. The default location of the SETSPN command line utility is C:\Program Files\Resource Kit.

Important

If more than one Web service is hosted on a single Web server, each Web service runs under a different port. For example: http://servername (default port 80) and http://servername:8888. Both Web applications are setup to use Kerberos Authentication. Clients access the Web applications through Internet Explorer using the URL http://servername and http://servername:8888. Internet Explorer has to obtain a Kerberos ticket to authenticate with the server. While passing the URL to obtain the ticket, Internet Explorer does not pass the port number. Hence Internet Explorer gets a valid ticket to authenticate with the Web service running under the default port 80 (http://servername) but is not able to use the Kerberos Protocol to authenticate with any other Web application on the same server that’s running under a different port. There are three ways you can work around this problem: • Run all the Web applications on the server using the same domain user account and

create one SPN for that service account using the appropriate service class. Trust the service account to delegate credentials to the other resources on the network.



Important

• You will have to create different Host Header names for each Website in IIS. Define the host header names in the DNS as class A entries. Create SPNs using the Host Header name instead of using the host name with different service accounts for each Web service. Trust the service accounts to delegate credentials to other resources on the network.

• Update IIS with a hotfix as described in the KB article http://support.microsoft.com/kb/908209/ This involves replacing a DLL on server and modifying the client registry settings to pass the port number while requesting the ticket.

Syntax: Setsetspn -a http/hostname useraccount setspn –a http/hostname.mydomain.com useraccount Example: setspn -a http/MSDELL-WEBSRV1 WebServiceAccount setspn –a http/MSDELL-WEBSRV1.MSDELLBI.COM WebServiceAccount

Figure 66. SPN Creation for Web Services

5.1.2.1.4 ProClarity Analytics Server ProClarity Analytics Server is installed on MSDELL‐WEBSRV2. It is a Web service running under the application pool identity of NETWORK SERVICE. In such a case we do not have to create a SPN to identify this service because SPNs for built‐in system


101

accounts are automatically created when the machine is joined to a domain. The service class used is HOST and covers most of the common services including HTTP.

5.1.2.2 Trust Account for Delegation The Web applications need to be configured to delegate credentials to other back‐end services. To implement Constrained Delegation we need to explicitly specify the services to which credentials can be delegated. This is a much more secure means of delegating credentials and is an added feature in Windows 2003 Domain Functional Level.

In our scenario, all the Web components running on MSDELL‐WEBSRV1 server are running under the credentials of MSDELLBI\WebServiceAccount. We need to trust this account to delegate user credentials to SQL Server Database Engine and SQL Server Analysis Services.

1. On the Domain Controller open Active Directory Users and Computers. Click Users. Right‐click WebServiceAccount and click Properties.

Figure 67. Trust Account for Delegation

2. Click the Delegation tab. By default every account is set as Do not trust this

user for delegation.



Figure 68. WebServiceAccount Properties

3. If you choose Trust this user for delegation to any service, the applications running under WebServiceAccount will be able to delegate the users’ credentials to any resource on the network like another SQL Server or Analysis Services instances. This could pose a security threat. To implement Constrained Delegation choose Trust this user for delegation to specified services only.


103

Figure 69. WebServiceAccount Properties – Specified Services

4. Click Add. Click Users or Computers.



Figure 70. Add Services

5. Type in the service account that you defined for SQL Server Database Engine, click Check Names. Click Ok. Click Users and Computers once again. Type the service account that you defined for SQL Server Analysis Services, click Check Names. Click Ok.

Figure 71. Select Users or Computers

6. Select both the service names that show up in the Add Services page and click Ok.


105

Figure 72. Add Services – Select All

7. These services are added to the list of services that WebServiceAccount can delegate credentials to. Click Apply and click Ok.



Figure 73. MSDELLBI\WebServiceAccount Properties

Now we have configured the service account of Reporting Services, SharePoint, and PerformancePoint to delegate credentials to SQL Server Database Engine and Analysis Services. Note

ProClarity Analytics Server is running under the NETWORK SERVICE account. Unlike in the case of the other Web services, which ran under the application pool identity of dedicated service accounts where we trusted the service account for delegation, to configure PAS for delegation we will have to trust the computer for delegation. This is covered in the next section.

8. None of the other service accounts need to be configured to delegate user

credentials. Ensure that for those accounts Do not trust this account for delegation is selected.


107

Figure 74. MSDELLBI\SQLServiceAccount Properties



Figure 75. MSDELLBI\ASServiceAccount Properties

Note

Ensure that for all the end user accounts the Account is sensitive and cannot be delegated check box is cleared.

5.1.3 Server Computer Settings The following section describes the configuration settings that need to be done in Active Directory to the various servers.

5.1.3.1 Trust Computer for Delegation In the case of services that run under domain user accounts we trust the account to delegate credentials. For services that do not run under domain user accounts we need to trust the machine account they are running on to delegate credentials. In our


109

scenario, ProClarity Analytics Server is running under the identity of NETWORK SERVICE. We need to trust MSDELL‐WEBSRV2 to delegate credentials to Analysis Services. 1. On the Domain Controller open Active Directory Users and Computers.

Note: You can also manage Active Directory Users and computers from a remote workstation using the Windows Server 2003 Administration Tools Pack.

2. Click Computers. Right‐click MSDELL‐WEBSRV2, click Properties.

Figure 76. Active Directory Users and Computers

3. Click Delegation tab. By default every computer is set to Do not trust this

computer for delegation. Choose Trust this computer for delegation to specified services only.



Figure 77. Server Properties ‐ Delegation

4. Click Add. Click Users and Computers.


111

Figure 78. Add Services ‐ Delegation

5. Type the Analysis Services service account name and click Check Names.

Figure 79. Select Analysis Services account name

6. Select the Analysis Services service account from the Add Service page.



Figure 80. Allow services to be delegated

7. Once the Analysis Services service account has been added to the list of services to which the MSDELL‐WEBSRV2 computer can delegate credentials to, click Apply.


113

Figure 81. MSDELLBI\MSDELL‐WEBSRV2 Properties

8. No other server in this setup is required to delegate credentials to other resources

on the network. Ensure that all the other computers are set to Do not trust this computer for Delegation.



Figure 82. MSDELLBI\MSDELL‐SQL Properties


115

Figure 83. MSDELLBI\MSDELL‐AS Properties



Figure 84. MSDELLBI\MSDELL‐WEBSRV1 Properties

5.2 Backend Server Settings

5.2.1 SQL Server Configurations For a client to authenticate with SQL Server it has to connect to SQL Server using TCP/IP. This can be accomplished by placing the TCP/IP protocol at the top of the client protocols list.

1. Open SQL Server Configuration Manager. 2. Expand the SQL Native Client Configuration. 3. Right‐click Client Protocols and click Properties. 4. If TCP/IP is disabled, click TCP/IP in the Disabled Protocols list and enable it. 5. Click TCP/IP and move it to the top of the list.


117

Figure 85. SQL Server Client Authentication

5.2.2 Analysis Services Configurations No additional configuration is required on Analysis Services to implement Kerberos Authentication and Delegation.

5.3 Web Application Settings

5.3.1.1 Anonymous Access When anonymous access is turned on, no authenticated user credentials are required to access the site. This option is best used when you want to grant public access to information that requires no security. When a user tries to connect to your Web site, IIS assigns the connection to the IUSER_ComputerName account, where ComputerName is the name of the server on which IIS is running. By default, the IUSER_ComputerName account is a member of the Guests group. This group has security restrictions, imposed by NTFS file system permissions, that designate the level of access and the type of content that is available to public users.



If you turn on anonymous access, IIS always tries to authenticate users by using anonymous authentication first, even if you turn on additional authentication methods.

5.3.2 Reporting Services Configurations The following section describes that configurations that need to done to Reporting Services to enable Kerberos.

5.3.2.1 Disable Anonymous Access Disable anonymous access to Reporting Services virtual directories.

1. Right‐click the ReportServer virtual directory. Click Properties. Click Directory Security. Click Edit under the Authentication and access control. Clear the Enable anonymous access box and select Integrated Windows authentication.

2. Repeat the same process for Report Manager virtual directory.

Figure 1. Authentication Methods in IIS


119

5.3.3 Microsoft Office SharePoint Server Configurations

1. Ensure that all the SharePoint Web sites and virtual directories have the Enable anonymous access cleared and Integrated Windows Authentication selected.

2. During configuration we set the authentication mode of SharePoint Web application

to NTLM. Using NTLM will not facilitate Impersonation of user credentials across the network. We now need to set it to use Kerberos. To change the authentication mode open SharePoint Central Administration home page. Click Application Management. Click Authentication Providers.

Figure 86. Application Management in Central Administration

3. In the Authentication Providers page ensure that your Web application is chosen in the drop down list. Click Default.



Figure 87. Authentication Providers in Web Applications

4. In the Edit Authentication page change the IIS Authentication Settings from NTML to Kerberos. You might be prompted that Kerberos Delegation requires additional settings by the Network Administrator. Click Yes and save.


121

Figure 88. Editing Authentication Providers

5. For Excel Services, by default the access model is set to Trusted subsystem. Set this to Delegation. Trusted subsystem (default in a SharePoint farm deployment) is a mode in which the front‐end and back‐end server components have a two‐way trust. This allows files to be retrieved from Office SharePoint Server 2007 by using the Excel Services account. However, even though Excel Services retrieves the files, it performs a security check to verify that the user requesting the file has the appropriate permissions. In this mode, the back‐end Excel Calculation Services server does know the user’s identity, but does not have a full user security token and so cannot delegate it to other computers. Delegation is a mode in which the front‐end servers of the farm always delegate the user’s identity to the back‐end servers. In this case, files are retrieved as the end user who is requesting the workbook instead of the Excel Services account. The back‐end Excel Calculation Services server has the user’s full identity (security token) and so can delegate it to other servers. To do this, you have to run these STSADM commands from the command prompt. Navigate to the directory where STSADM.exe is located. By default it’s installed at



C:\Program Files\Common Files\Microsoft Shared\Web server extensions\12\BIN, and type:

stsadm -o set-ecssecurity -ssp ShareServicesProviderName -accessmodel delegation stsadm -o execadmsvcjobs

Example: stsadm -o set-ecssecurity -ssp MSDELL-SSP -accessmodel delegation stsadm -o execadmsvcjobs

6. Once the Monitoring Server Web Parts are deployed on the SharePoint site, in the SharePoint Web.config file, change the Bpm.ServerConnectionPerUser value to True. The BPM.ServerConnectionPerUser configuration value forces the Monitoring Server to use the identity of the Authenticated user to access the remote resources like Analysis Services.

7. To identify the path of the Web.config file, open IIS Manager, right‐click the SharePoint Website and click Properties. On the Home Directory tab. the Local Path gives the folder location for that Web site’s Web.config file.

Figure 89. SharePoint Web.config

8. Ensure that the SharePoint Website in IIS supports both NTLM and Kerberos 9. Locate the numeric identifier for the SharePoint Web site.


123

10. Click Start, click Run, type inetmgr, and then press ENTER. 11. Expand the local computer node, and then click the Web Sites folder. The identifier

for each Web site is listed in the Identifier column. 12. Open a command prompt and change to the following directory:

%systemdrive%\Inetpub\adminscripts. 13. For the SharePoint identifier, run the following command to check what the current

Authentication Provider is set to. cscript adsutil.vbs GET w3svc/< IDENTIFIER#> /Root/NTAuthenticationProviders.

14. If the result does not show Negotiate in it you need to set the Authentication provider using the following command: cscript adsutil.vbs SET w3svc/< IDENTIFIER#> /Root/NTAuthenticationProviders "Negotiate,NTLM"

This setting is not always automatically applied. For information, see How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication in the Microsoft Knowledge Base.

Figure 90. Setting the Authentication mode of the SharePoint Website



5.3.4 Microsoft Office PerformancePoint Server Configurations

1. Ensure that all the PerformancePoint Web sites and virtual directories have the Enable anonymous access cleared and Integrated Windows Authentication selected.

2. In each of the PerformancePoint, WebServices and Preview folders, in the Web.config files change the BPM.ServerConnectionPerUser value to True. The BPM.ServerConnectionPerUser configuration value forces Monitoring Server to use the identity of the Authenticated user to access the remote resources like Analysis Services. To identify the path of the Web.config files, open IIS Manager, expand the PPSMonitoring Web site, right‐click WebService virtual directory and click Properties. On the Virtual Directory tab, the Local Path gives the folder location where the Web.config for that virtual directory is located. Similarly right‐click Preview and identify the location where the Web.config file for Preview virtual directory is located.

Figure 91. Identifying the location of the Web.config


125

Figure 92. Web.config for PPS WebService



Figure 93. Web.config for PPS Preview

3. Ensure that the PPSMonitoring Website in IIS supports both NTLM and Kerberos 4. Locate the numeric identifier for the PPSMonitoring Web site. 5. Click Start, click Run, type inetmgr, and then press ENTER. 6. Expand the local computer node, and then click the Web Sites folder. The identifier for

each Web site is listed in the Identifier column. 7. Open a command prompt and change to the following directory:

%systemdrive%\Inetpub\adminscripts 8. For the PPSMonitoring identifier, run the following command to check what is the

current Authentication Provider set to: cscript adsutil.vbs GET w3svc/< IDENTIFIER#> /Root/NTAuthenticationProviders

9. If the result does not show Negotiate in it you need to set the Authentication provider using the following command: cscript adsutil.vbs SET w3svc/< IDENTIFIER#> /Root/NTAuthenticationProviders "Negotiate,NTLM"

This setting is not always automatically applied. For information, see How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication in the Microsoft Knowledge Base.


127

Figure 94. Setting the Authentication mode of the PPS Website

5.3.5 ProClarity Analytics Server Configurations 1. Ensure that the PAS virtual directory has the Enable anonymous access cleared and

Integrated Windows Authentication selected. 2. Open the Global.asa file in C:\Inetpub\wwwroot\PAS and change the method named

pool.negotiateauthentication to True. This setting is required to ensure that ProClarity uses the authenticated user’s credentials to access Analysis Services.



Figure 95. ProClarity Global.asa

5.4 End User System Configurations

1. In Internet Explorer Advanced settings, enable Integrated Windows Authentication.


129

Figure 96. Integrated Windows Authentication

2. Add the SharePoint Web site, Reporting Services Web site and PAS Web site. Under User Authentication, see that the user browses to the Trusted Site collection and security for that zone to Automatic logon with current username and password.



Figure 97.

3. The user will need sufficient permissions on the local system to install end‐user components and development tools,.

A Guide for security and deployment options in a distributed Dell™ PowerEdge™ multi‐core Opteron™ based server environment ‐ User Access and Security Configurations

131

6 User Access and Security Configurations In a typical business intelligence scenario, there are multiple analytical solutions deployed with many users accessing them. Each user or user group has different sets of permissions.

These permissions include authorization to view reports, access backend database servers, role‐based security to restrict the data they can see, permission to alter or publish their own content, manage other users to see content, and others.

6.1 SQL Server 2005 Database Engine In the Microsoft Business Intelligence Technology Platform SQL Server is used for:

• Application Catalog Database: MOSS, Reporting Services, PerformancePoint, and ProClarity Analytics Server need SQL Server to host their catalog database.

• Report Data: In our scenario Reporting Services, PerformancePoint Server and MOSS access SQL Server to fetch data for reports.

• Analysis Services Processing: Analysis Services uses SQL Server database to fetch data to process the Cube.

Note: Report data can be fetched from Analysis Services, Excel or other data sources which support OLEDB, ODBC and other formats. Analysis Services can fetch data from other sources as well.

There are two ways the users can access the backend data source.

1. Stored Credentials: If the data source does not restrict data based on the user credentials or if the data security logic is implemented in the application itself, then the credentials (Windows account or SQL Server login) can be hard‐coded in the application’s data source connection string. There are other related security issues if you use stored credentials like ensuring the password is not stored as pain text or it is not sent over an unsecure network etc.

2. Windows Authentication: This is the safest way to access a backend database server. Logins and roles on the SQL Server define the level of access domain user or a user group has.



Figure 98. Windows User Login in SQL Server. The login could be for a single

user or a user group.


133

Figure 99. Permissions and Role Membership in SQL Server

6.2 SQL Server 2005 Analysis Services Analysis Services is a primary source for reporting and analytical applications like Reporting Services, PerformancePoint Server, ProClarity, Excel, and others.

Unlike the SQL Server database engine, Analysis Services has a role‐based security which not only defines what objects of the OLAP solution a user has access to, but also defines what data the user is permitted to see. This is normally used in business intelligence applications where different users/user groups have access to their regional or departmental data only.



Figure 100. Role


135

Figure 101. Role Membership. Single users or User Groups can be added as

members to a role



Figure 102. Defining Attribute security for a role

This role restricts the MSDELLBI\User1 with read permission to the Analysis Services database and the data for United States and Canada. Users belonging to this role will not be able to process or alter the database structure.


137

Figure 103. Excel Services View – User1. Restricted Role based access to

counties

Power users or Administrators can have un‐restricted access to the Analysis Services Database. They will be able to see all data, alter the database structure and process the database.



Figure 104. Excel Services View – DomainAdmin. Unrestricted data access

Note: Similar to the example shown above in Excel Services, other applications like Reporting Services and PerformancePoint Server can restrict data based on the user’s role in Analysis Services.

6.3 SQL Server 2005 Reporting Services In SQL Server Reporting Services, authorization is provided through a role‐based security model that is specific to Reporting Services. All users interact with Reporting Services within the context of a role. A user can be assigned to different kinds of roles for different items. For example, a user who is a member of the Content Manager role for one report may be a member of the Browser role for another report. Predefined roles are provided that group related tasks into logical units. Examples of some of the roles that are available include Content Manager, Publisher, and Browser. You can create new roles or modify the existing ones to customize the tasks that each role supports.


139

The user and group accounts that you specify in role assignments are created and managed through Active Directory directory services. Only valid accounts can be specified. Users can be given various levels of access on a Report Server. Some of the roles that Reporting Services provides by default are

Role Permissions Browser May view folders, reports and subscribe to reports. Content Manager May manage content in the Report Server. This includes folders,

reports, and resources. Publisher May publish reports and linked reports to the Report Server. Report Builder May view report definitions.

6.3.1 User Permissions 1. To provide user permissions at a report folder, open Report Manager, browse to the

folder and click Properties.

Figure 105. Report Manager Home (Root level folder)



2. Click New Role Assignment.

Figure 106. Properties for Home folder in Report Manager

3. Specify the username or the group account to which you want to give permissions to

view the Reporting Services Home folder. Select one or more Role Definitions to use with this assignment.


141

Figure 107. New Role Assignment

4. Now MSDELLBI\User2 has permissions on the Home folder of Reporting Services.



Figure 108. MSDELLBI\User2 added

5. To delete a user or group, select the user or group, and click Delete.


143

Figure 109. Deleting permissions for MSDELLBI\User2 from Reporting

Services

6. To edit a user role assignment, select Edit next to the user or group.



Figure 110. Editing permissions for MSDELLBI\User2

6.4 Microsoft Office PerformancePoint Server 2007

Monitoring Server, a component of PerformancePoint Server, has several roles for individuals who perform various activities. In small organizations, one or more people may be responsible for administering all the features of Monitoring Server. In larger organizations one group may be administrators on the system while another group creates libraries for reports and key performance indicators (KPIs), and designs and builds dashboards. Permissions are granted to roles and permissions are applied to any user who belongs to a role. There are four types of server roles for Monitoring Server:

• Administrator: This role provides complete control over Monitoring Server and access to all dashboard data. A member of the Administrator role can create, edit, and delete all dashboard elements, and can publish to the server.

• Creator: This role enables users to create reports, KPIs, scorecards, and other indicators. Members of the Creator role can publish dashboard elements to


145

Monitoring Server. A Creator member can also delete elements if there are Editor permissions on the element. After an element has been created, the identity of the Creator member is automatically added to the Editor role of the element.

• Data source manager: This role enables users to create and delete data sources. Members of the Data Source Manager role can also publish data sources to Monitoring Server.

• Power Reader: This role grants read‐only access to all dashboard elements on the Monitoring Server computer. This role is intended for use by service accounts or backend services that need complete access to the system.

PerformancePoint monitoring server roles are created and managed using dashboard designer.

6.4.1 User Permissions 1. Open Dashboard Designer using the credentials of User1. User1 will not be able to

create data sources or dashboard items using the designer as there are no permissions assigned to User1.

Figure 111. MSDELLBI\User1 has insufficient permissions to create a data

source

.



2. To add a User1 to a role, open dashboard designer using an account that has

Administrator privileges on Monitoring Server.

Figure 112. Dashboard designer operated by a user having admin rights on

PPS

3. Click the Office button and click Options.


147

Figure 113. Options

4. Click Connect to connect to Monitoring Server.



Figure 114. Connect to Monitoring Server

5. Click Permissions to view all the available roles on the server.


149

Figure 115. All Available Roles on the Server

6. Currently there are no roles defined for User1 on the Monitoring Server.



Figure 116. No Roles Defined

7. Click Add and type in the MSDELLBI\User1 and select Data Source Manager as the

role.


151

Figure 117. Added permissions for MSDELLBI\User1 as Data Source Manager

8. Now User1 will be able to create data sources using the Dashboard Designer.



Figure 118. MSDELLBI\User1 has permissions to create data sources

9. If a power user has created data sources, KPIs, reports, scorecards, and dashboards,

other users need to have permissions on those objects for them to be able to view or modify the objects. For example: To give a user permission on a scorecard, click the scorecard, click Properties and add the new user with Reader or Editor permissions based on the level of access you want to grant the user.


153

Figure 119. Providing MSDELLBI\User1 with read access to a scorecard

6.5 Microsoft Office SharePoint Server 2007

6.5.1 User Permissions 1. For a user to be able to open a SharePoint page, the user needs to have at least reader

permissions on the page.



Figure 120. MSDELLBI\User1 access denied to SharePoint site

2. To give User1 permissions on the SharePoint site, open the site using an account that has administrative privileges. Click Site Actions, click Site Settings.

3. In the Site Settings page under Users and Permissions click People and Groups.


155

Figure 121. Site Settings

4. To view the list of users who currently have permissions on the site click All People.

To assign MSDELLBI\User1 visitor permissions, click Visitors. Click New. 5. Type MSDELLBI\User1.



Figure 122. Assign Visitor Permissions

6. User1 now has permission to browse the SharePoint site.


157

Figure 123. User1 access granted to SharePoint site

6.6 ProClarity Analytics Server

6.6.1 User Permissions The Analytics Server security model provides a robust, yet flexible, structure for controlling access to Analytics Server and any referenced Microsoft Analysis Services servers. Because this role‐based model leverages existing Windows NT user information, it is easily integrated into Windows environments. Moreover, you can use Analytics Server security in combination with Analysis Services (OLAP) security.

The primary elements of the Analytics Server security model are roles, access rights, and permissions:

• Roles: Determine access. No user can access Analytics Server without being a member of an Analytics Server role.

• Access rights: Determine the type of access role members have to Analytics Server, the options being Administrator, Author, or Reader.



• Permissions: Associate a role with an item on Analytics Server, such as a library or briefing book. This association determines whether the item is visible to the role members. The Analytics Server security model uses the principle of inheritance to apply (propagate) security to all items on the server. Inheritance, combined with role membership, affects how permissions take precedence. While this system may appear complex at first, it provides great flexibility.

6.6.1.1 Granting Access to PAS Website 1. When a user tries to connect to a ProClarity Analytics Server page, the user receives a

message that there are no libraries available or the user does not have access to them.

Figure 124. MSDELLBI\User1 insufficient privileges to see libraries on PAS Site

2. To give a user access to the PAS Web site and libraries, open the ProClarity Administration Tool. Create a new role called Reader. Click the Membership tab and click Add. Type MSDELLBI\User1 and accept to add User1 to that role. You can specify additional Publishing and Access rights.


159

Figure 125. New Reader role on ProClarity Administration Tool



Figure 126. Adding MSDELLBI\User1 to Reader Role

3. Now User1 will be able to access the libraries and pages on the site.


161

Figure 127. MSDELLBI\User1 has sufficient permissions to view libraries on

PAS Site

4. You can also provide the user permission to invoke Web Professional from the site. In the ProClarity Administration tool click Users. Right‐click the user, click Properties. Select Allow Professional Access.



Figure 128. Providing MSDELLBI\User1 with Web Professional Access


163

Figure 129. Selecting Professional Access



7 Troubleshooting The following section summarizes the steps required to configure Kerberos Delegation for each Web application and also provides troubleshooting steps for some of the basic errors.

7.1 SQL Server Reporting Services 1. When you open the Report Server or Report Manager in a browse and you receive an

error “Service Unavailable.” Ensure that the Reporting Services Service is running. Open IIS Manager. Ensure that the Web site under which the reporting services virtual directories are created is not stopped and the reporting services application pools are not stopped.

2. If you are not able to see the deployed reports or report folders or if you get an error message “The permissions granted to user “Domain\Username” are insufficient for performing this operation.” Ensure that the user you are logging in as has permissions to view the reports. Log onto Report Manager using an Administrator account and make sure the user has permissions to view the reports. Refer to User Access and Security Configuration for details on how to assign a user to a role in Reporting Services.

3. If you are not able to connect to the data source and you receive an error “Cannot create a connection to data source “DataSourceName”. Login failed for user “Domain/Username.” You need to verify if the user has permissions to access the data source. For user permissions on SQL Server and Analysis Services refer to the User Access and Security Configuration section.

4. If you are not able to connect to the data source and you receive an error “Cannot create a connection to data source “DataSourceName”. Login failed for user “NT AUTHORITY\ANONYMOUS LOGON.” This error indicates that the user’s credentials are not passed across the network to the database server. You need to revisit the steps required to setup Kerberos Delegation.

5. If Reporting Services does not display the error and instead displays “For more information about this error, navigate to the report server on the local server machine, or enable remote errors.”

A Guide for security and deployment options in a distributed Dell™ PowerEdge™ multi‐core Opteron™ based server environment ‐ Troubleshooting

165

You can open the report on the server instead of a remote workstation to view the error details or enable remote errors on Reporting Services. Refer to the following link to enable remote errors. http://msdn2.microsoft.com/en‐us/library/aa337165.aspx

For information on more Reporting Services errors and troubleshooting steps refer to the following SQL Server 2005 Books Online article http://msdn2.microsoft.com/en‐us/library/ms159135.aspx

7.2 Microsoft Office SharePoint Server 2007

1. If you are not able to access the SharePoint site or you get an “Error: Access Denied”. Ensure that the user you are logging in as has permissions to view the SharePoint site. Log onto SharePoint site using an Administrator account and make sure the user has permissions to view the site.

2. While browsing an Excel Services Report if you receive “Data Refresh Failed. Unable to retrieve external data for the following data connections: DataSourceName. The data sources may be unreachable, may not be responding, or may have denied you access.” Make sure the user you are logged in as a user who has permissions on the Data Source. If the user has permissions on the data source and you receive this error, you should make sure that the Data Connection Library is added to the Trusted Data Connection Libraries. Make sure you have enabled Windows Integrated Authentication in the data source and enabled “Always attempt to use this file to refresh data.” Make sure you have changed the access model from Trusted Subsystem to Delegationfor Excel Services. Run SQL Profiler to identify the user ID with which Excel Services is trying to connect to the data source. If the login is failing due to a “NT AUTHORITY\ANONYMOUS USER” you need to revisit the steps required to configure Kerberos for SharePoint and Excel Services.

7.3 PerformancePoint Server 2007

1. While creating a DataSource in Dashboard Designer, when you click Test Connection you receive an error “Data Source Connection Failed.” Ensure that the user has access to the data source. Run SQL Profiler to identify the user ID with which Dashboard Designer is trying to connect to the data source.



2. If you are not able to access a PerformancePoint Dashboard item from the SharePoint

site: Ensure that the user you are logging in as has permissions to view the PerformancePoint object. Using PerformancePoint Dashboard Designer, connect to PerformancePoint Server using an Administrator account and make sure the user has permissions to view the objects.

3. If you can view the dashboard on a SharePoint site but the data displayed is not according to the security defined in the Analysis Services roles. Run SQL Profiler to identify the user ID with which PerformancePoint Dashboard Viewer Web part is trying to connect to the data source. To ensure that PerformancePoint can impersonate the client user’s credentials to other services like SQL Server and Analysis Services ensure that BPM.ServerConnectionPerUser value is set to True in the Web.config file for PerformancePoint Server and SharePoint Server.

7.4 ProClarity Analytics Server 1. When you open the ProClarity Analytics Server page, you do not see any briefing

books. Run the ProClarity Administration tool using a ProClarity Administrator account and make sure the user has sufficient permissions to view the briefing book.

2. In the ProClarity Analytics Page you do not see the option for Launch Web Professional. Launch ProClarity Administration tool using a ProClarity Administration account and ensure that the user has “Allow Professional Access” checked.

3. When you open a ProClarity Analytics Server page and receive an error “The cube used

by this page could not be found.” Make sure the user you are logged in as has permissions on the cube. Run SQL Profiler to identify the user ID with which ProClarity Analytics Server is trying to connect to the data source. If the login is failing due to a “NT AUTHORITY\ANONYMOUS USER” you need to revisit the steps required to configure Kerberos for PAS.

A Guide for security and deployment options in a distributed Dell™ PowerEdge™ multi‐core Opteron™ based server environment ‐ Appendix

167

8 Appendix

8.1 Appendix A Functional Levels Background Information: http://technet2.microsoft.com/windowsserver/en/library/4a589ca2‐b572‐48cd‐94d2‐7d5b0c817f411033.mspx Whet’s New is SQL Server 2005 SP2: http://download.microsoft.com/download/2/B/5/2B5E5D37‐9B17‐423D‐BC8F‐B11ECD4195B4/WhatsNewSQL2005SP2.htm Deployment Modes for Reporting Services: http://msdn2.microsoft.com/en‐us/library/bb326345.aspx Report Server How‐to Topics (SharePoint Integrated Mode) : http://msdn2.microsoft.com/en‐us/library/bb283321.aspx Hardware and Software Requirements for Installing SQL Server 2005: http://technet.microsoft.com/en‐us/library/ms143506.aspx Installing SQL Server Database Engine: http://technet.microsoft.com/en‐us/library/ms144296.aspx Installing SQL Server Analysis Services: http://technet.microsoft.com/en‐us/library/ms143708.aspx Installing SQL Server Reporting Services: http://technet.microsoft.com/en‐us/library/ms143736.aspx Installing SharePoint in a stand‐alone machine: http://technet2.microsoft.com/Office/en‐us/library/bd99c3a9‐0333‐4c1c‐9793‐a145769e48e61033.mspx?mfr=true Deploying SharePoint in a simple Server Farm: http://technet2.microsoft.com/Office/en‐us/library/bd99c3a9‐0333‐4c1c‐9793‐a145769e48e61033.mspx?mfr=true Monitoring Server Hardware and Software Prerequisites: http://technet.microsoft.com/en‐us/library/bb838773.aspx



8.2 Appendix B SETSPN Overview: http://technet2.microsoft.com/windowsserver/en/library/b3a029a1‐7ff0‐4f6f‐87d2‐f2e70294a5761033.mspx?mfr=true Kerberos Authentication in Windows Server 2003: http://technet2.microsoft.com/windowsserver/en/technologies/featured/kerberos/default.mspx How to use Kerberos authentication in SQL Server: http://support.microsoft.com/kb/319723 How to configure SQL Server 2005 Analysis Services to use Kerberos authentication: http://support.microsoft.com/kb/917409/en‐us How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication: http://support.microsoft.com/kb/832769/ Configuring Kerberos for SharePoint 2007 Blog: http://blogs.msdn.com/martinkearn/archive/2007/04/23/configuring‐kerberos‐for‐sharepoint‐2007‐part‐1‐base‐configuration‐for‐sharepoint.aspx Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a Web site that uses a non‐standard port in Windows XP and in Windows Server 2003 : http://support.microsoft.com/kb/908209/ Essential Tips on Kerberos for SharePoint Deployers blog: http://blogs.msdn.com/james_world/archive/2007/08/20/essential‐guide‐to‐kerberos‐in‐sharepoint.aspx Kerberos authentication and delegation for Monitoring Server: http://technet.microsoft.com/en‐us/library/bb794629.aspx Configure Monitoring Server for Kerberos constrained delegation: http://technet.microsoft.com/en‐us/library/bb794629.aspx Using Analysis Services data in Excel Services :http://www.sharepointblogs.com/tonstegeman/archive/2007/03/11/using‐analysis‐services‐data‐in‐excel‐services‐part‐1‐preparing‐the‐ad‐for‐kerberos.aspx


169

How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000: http://support.microsoft.com/kb/244474 How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication: http://support.microsoft.com/kb/215383

8.3 Appendix C

8.3.1 Running 32‐bit Applications on 64‐bit Windows (IIS 6.0)

Windows Server 2003TM, Service Pack 1 enables IIS 6.0 to run 32‐bit Web applications on 64‐bit Windows using the Windows‐32‐on‐Windows‐64 (WOW64) compatibility layer. IIS 6.0 using WOW64 is intended to run 32‐bit personal productivity applications needed by software developers and administrators, including 32‐bit Internet Information Services (IIS) Web applications.

8.3.1.1 To enable IIS 6.0 to run 32‐bit Web applications on 64‐bit Windows 1. Open a command prompt and navigate to the %windir%\Inetpub\AdminScripts

directory. 2. Type the following:

cscript.exe adsutil.vbs set W3SVC/AppPools/Enable32BitAppOnWin64 “true”

3. Press ENTER. For additional information please refer to the following TechNet Article: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/0aafb9a0‐1b1c‐4a39‐ac9a‐994adc902485.mspx?mfr=true

8.3.1.2 Additional Settings for ProClarity running on a 64‐bit Windows

Once you have run the command in the previous section to enable IIS to run in 32‐bit mode on x64 version of Windows, install ProClarity Analytics Server.

In some cases, a batch script is not executed during the installation phase while installing PAS on IIS running in 32 bit mode on 64‐bit Windows. Browse to the folder



C:\Inetpub\wwwroot\PAS\x64extra and check if the PInitx.bat file exists in the folder. If it exists, it has not been run. Double‐click the file to run it. Reboot the machine to complete installation.

After reboot, ensure that the Web Server Extension ASP.Net v2.0.50727 (32 bit) is set to Allowed.

8.4 Appendix D

8.4.1 Service Accounts Services in Windows are programs that run in the background. These can be set to start automatically when the system starts up or they can be started manually. They are not dependent on the user who is logged on to the computer.

The Service Account is the account that the service runs as. Services must have a log on account to operate. This requirement is necessary since all programs running in NT or later must have an account context to control the scope of their access. Since there is nobody logged on to the machine when it boots initially, the service account allows the service to start well before any user has logged onto a machine. The account requirement also allows a program to persist after someone has logged off of a machine. Services keep running under the context of the log on account for each service until each service is restarted or the machine is rebooted.

Using the right service account with the least possible permissions is very important. If not, an attacker could compromise the account to gain full and unrestricted access to the computer, domain, or even to the entire forest. So, we need to identify services that can run with lesser privileges, and downgrade those privileges methodically with just the right amount of access to the resources it needs.

A service account could be a built in system account or a domain user account. During installation most applications give you a default option of choosing the Local System account or Network Service account as startup accounts. For a standalone test machine this would work well, but an enterprise application server using built‐in system accounts has its own security implications. Normally, applications run on distributed environments and server‐to‐server communication is required. When services on the servers run under these built‐in system accounts, implementing certain required security configuration could be a challenge.

8.4.1.1 Built‐In System Accounts: • Local Service Account The Local Service account is a special, built‐in account that is similar to an authenticated user account. The Local Service account has the same level of access


171

to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with no credentials.

• Network Service Account The Network Service account is a special, built‐in account that is similar to an authenticated user account. The Network Service account has the same level of access to resources and objects as members of the Users group. Services that run as the Network Service account access network resources using the credentials of the computer account.

• Local System Account The Local System account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects.

It is recommended to use a domain user account as the service startup account and application pool identity account.

Setting up Windows Service Accounts: http://msdn2.microsoft.com/en‐us/library/ms143504.aspx#Use_startup_accounts

For more information on Services and Service Accounts Security, please refer to the following planning guide: http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/default.mspx

8.4.2 Application Pools When you run IIS 6.0 in worker process isolation mode, you can separate different Web applications and Web sites into groups known as application pools. An application pool is a group of one or more URLs that are served by a worker process or set of worker processes. Any Web directory or virtual directory can be assigned to an application pool.

Every application within an application pool shares the same worker process. Because each worker process operates as a separate instance of the worker process executable, w3wp.exe, the worker process that services one application pool is separated from the worker process that services another. Each separate worker process provides a process boundary so that when an application is assigned to one application pool, problems in



other application pools do not affect the application. This ensures that if a worker process fails, it does not affect the applications running in other application pools.

8.4.2.1 Isolating Web Sites and Applications To provide comprehensive security for your Web sites and applications, you might have to ensure that the Web sites and applications are protected from other Web sites and applications that are hosted on the same server. By using different application pools for each Web site and applications in IIS Web server you can achieve isolation betweens the application and thus security.

For example, an enterprise organization might place its human resources Web site and its finance Web site on the same Web server, but in different application pools. Likewise, an ISP that hosts Web sites and applications for competing companies might run each company’s Web services on the same server, but in different application pools. Using different application pools to isolate applications helps prevent one customer from accessing, changing, or using confidential information from another customer’s site.

8.4.2.2 Application Pool Identity For each application pool, you can specify an application pool identity, which is a user account that is assigned to an application pool. After specifying the application pool identity, you assign permissions (such as NTFS permissions or SQL database permissions) for each application pool identity. Because individual application pools can use different identities, you can selectively grant or deny resource access to an application pool. The Web sites and applications running in an application pool have the same user rights and resource permissions assigned to the application pool identity.

For example, if you are running two Web applications on the same Web server, each application having its own SQL Server database and file share. The application pool identity under which one application runs should not have permissions on the other application’s database and file share, else this would compromise security of the other system.

For more information on isolating Web sites and applications please refer to the following Microsoft Windows Server 2003 MSDN article:

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/60e38cf5‐5ba9‐4b30‐a4d4‐0da5976b83f3.mspx?mfr=true


173

8.5 Appendix E

8.5.1 SAN Information The SAN used in the test environment consist of 15 RAID disks each having 146 GB of space. The SAN supports different RAID levels including RAID‐0, RAID‐1, RAID‐5, RAID‐10 and RAID‐50 etc.

In our test environment we have configured SQL Server DB engine and SQL Server Analysis services Data and Log directories on SAN.

SAN consists of total 15 physical disks as follows

a. Physical Disk 1:0:0 b. Physical Disk 1:0:1 c. Physical Disk 1:0:2 d. Physical Disk 1:0:3 e. Physical Disk 1:0:4 f. Physical Disk 1:0:5 g. Physical Disk 1:0:6 h. Physical Disk 1:0:7 i. Physical Disk 1:0:8 j. Physical Disk 1:0:9 k. Physical Disk 1:0:10 l. Physical Disk 1:0:11 m. Physical Disk 1:0:12 n. Physical Disk 1:0:13 o. Physical Disk 1:0:14

We have configured different Data directories to use different physical disks on the SAN and the disk allocation for the directories is as follows

SQL Server Analysis Services DATA directory

a. Physical Disk 1:0:0 b. Physical Disk 1:0:1 c. Physical Disk 1:0:2 d. Physical Disk 1:0:3

SQL Server Analysis Services LOG directory

a. Physical Disk 1:0:4 b. Physical Disk 1:0:5

SQL Server DB Engine Data directory

a. Physical Disk 1:0:6



b. Physical Disk 1:0:7 c. Physical Disk 1:0:8 d. Physical Disk 1:0:9 e. Physical Disk 1:0:10 f. Physical Disk 1:0:11

SQL Server DB Engine LOG directory

a. Physical Disk 1:0:12 b. Physical Disk 1:0:13

8.5.2 SAN Configuration for SQL Server DATA Directory Here are the detailed steps for configuring SQL Server DATA directory on the SAN. We will allocate the physical disks for Data directory as mentioned in the previous section.

1. From Dell click Open, then click Manage Applications, and then navigate to Server Administrator and click Server Administrator to launch Dell OpenManage Server Administrator page.

2. Click Storage on the left pane and click Virtual Disks to view all the virtual Disks available on the server.

3. Click Go To Create Virtual Disk Wizard to add a new Virtual Disk to the server. 4. Click Go To Advanced Wizard and select RAID‐10 and type SS DATA as a name for

the Virtual Disk. 5. On the select physical disks page select desired physical disks select Physical Disk

1:0:6 to Physical Disk 1:0:11. 6. On the Select the Virtual Disk Attributes for RAID‐10 Page type SS DATA in the

Name field. 7. Click Finish on the next page to finish creating Virtual Disk on the server. Your

screen should look similar to the below screen.


175

Figure 130. Virtual Disk Finish Page

8. If you click Virtual Disks link on the left pane right pane should list your newly created Virtual Disk.

9. To initialize your newly created virtual disk select Fast Initialize from tasks and click Execute.

10. In the next page, it may give you a warning saying “Fast Initialize destroys all data on the disk.” Ignore the warning and click Fast Initialize button to complete the initialization.

11. Your final screen should look like the following image.



Figure 131. Adding Virtual Disk to the Server

12. To view the added virtual disk on the server go to Administrative Tools and click Computer Management.

13. In Computer Management ,click Disk Management in the left pane to view the newly added Virtual Disk and it will be shown as unallocated disk space.

14. Using Initialize and Convert Disk Wizard complete the Initialization and Conversion of Disk.

15. Right‐click the unallocated disk space and select New Volume to allocate a drive letter to the Virtual disk and start using it.


177

8.6 Appendix F

8.6.1 Tempdb Tempdb is a system database which is used during a lot of activities like creating

temporary tables, cursors, and indexes . In SQL Server 2005, tempdb requires more disk

space than earlier versions of SQL Server.

For optimal performance of tempdb you might want to consider:

• Moving tempdb to a faster drive.

• Set the recovery model of tempdb to SIMPLE. This model automatically reclaims

log space to keep space requirements small.

• Set the initial size of tempdb files to a large value based on the typical workload in

your environment. This avoids frequent growth of the tempdb files.

• There are cases when there is more workload and tempdb needs to grow. For such

cases you need to set the tempdb files to grow automatically.

• Ensure that the file growth increment is set reasonably. A very small value could

mean that tempdb might have to constantly keep expanding which is an expensive

process.

• Create many tempdb files to reduce contention. It’s a general practice to create

one file for each logical CPU on the server. Ensure that each tempdb file is the

same size, this allows for optimal proportional‐fill performance.

For more detailed information on Optimizing TempDB refer to the following MSDN article:


8.6.1.1 To Move TempDB In SQL Server 2005, it is possible to move system databases from one location to

another. Moving system databases may be useful in the following situations:

• Failure recovery. For example, the database is in Suspect mode or has shut

down because of a hardware failure.

• Planned relocation.

• Relocation for scheduled disk maintenance.

This section describes the steps involved to move Tempdb to a new location.

1. Open SQL Server Management Studio.



2. Open a new query window by clicking on File, clicking New, and then clicking Database Engine Query. In the Connect to Database Engine window, type the server name. In the Authentication drop down list choose Windows Authentication. If you choose SQL Server Authentication, specify the credentials of a SQL Server login with administrative rights on the SQL Server. Click Connect.

3. Run the following command to identify the path where the Tempdb files are located: SELECT name AS DBFileName, physical_name AS CurrentLocation,

state_desc AS CurrentState FROM sys.master_files WHERE database_id =

DB_ID(N”<database_name>“);

Example: SELECT name AS DBFileName, physical_name AS CurrentLocation,


DB_ID(N”tempdb”);

Figure 132. TempDB Path

4. For each file to be moved, run the following statement:

ALTER DATABASE database_name MODIFY FILE ( NAME = logical_name ,

FILENAME = “new_path/os_file_name” )

Example:

ALTER DATABASE tempdb MODIFY FILE ( NAME = tempdev , FILENAME =

“E:\Tempdev.mdf” )

ALTER DATABASE temodb MODIFY FILE ( NAME = templog , FILENAME =

“E:\Templog.ldf” )

5. To complete the move process, restart SQL Server Database Engine. Once SQL Server starts, it uses the Tempdb files from the new location.

6. Verify the file change by running the following query: SELECT name AS DBFileName, physical_name AS CurrentLocation,


DB_ID(N”<database_name>“);

Example: SELECT name AS DBFileName, physical_name AS CurrentLocation,


DB_ID(N”tempdb”);


179

Please refer to the following product documentation article for detailed information on moving system databases in SQL server 2005 http://msdn2.microsoft.com/en‐us/library/ms345408.aspx

8.6.1.2 To Add tempdb Files and Set Autogrowth To add additional files to tempdb:

1. Open SQL Server Management Studio.

2. In Object Explorer expand Databases. Expand System Databases. Right‐

click tempdb and click Properties.

3. Click Files.

4. Click Add to add a new file to tempdb. Type a name for each file you add.

5. Ensure that the path for the tempdb files is set to the folder where you want to

place them.

6. For each of the data files ensure that initial size is set to the same value.

7. Choose an appropriate autogrowth option.

THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.

© 2008 Dell Inc.

Reproduction in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden.

Trademarks used in this text: AMD, and Opteron are registered trademarks of AMD Corporation; Microsoft, Windows, and Windows Server are registered trademarks of Microsoft Corporation.

Date post:	30-Nov-2014
Category:	Documents
Upload:	ariefmohd
View:	210 times
Download:	14 times