Microsoft SharePoint Online Customer Build Guide for SP2013...

Date post: 31-May-2020

Customer Build Guide

SharePoint Online – Dedicated

Office 365 for Enterprises

© 2015 Microsoft Corporation. All rights reserved.

Microsoft SharePoint Online

Customer Build Guide for SP2013 Farms

Applies to: SharePoint Online - Dedicated

Topic Last Modified: 23-December-2015

Version: EO11.0

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes.


Contents

Microsoft SharePoint Online
Customer Build Guide for SP2013 Farms
Introduction
Purpose
Audience
Process Overview
SharePoint Online Hosted Environment
Basic Characteristics of Host and Virtual Machines
Network and DNS Configuration
Prepare Prerequisites
Verify Accounts
Least Privileges Model
Accounts from Managed Domain
Accounts and Security Groups from the Customer Domain
User Group Membership
Build the Platform
Build Virtual Machines
Create Virtual Machines
Configure Virtual Machines
Configure Networking
Verify Connectivity to Default Gateway
Configure Page Files
Set End Point Antivirus Exceptions
Disable Recycle Bin
Disable IE ESC
Disable User Account Control
Disable Loopbackcheck
Configure Drives for SQL Server
Disable SSL 2.0 and 3.0 Support
Restrict SCHANNEL to FIPS Compliant Cipher Suites Only
Allow CredSSP Authentication
Modify WinRM Shell Property Settings
Configure Common Machine Settings


Change Time Zone
Install .NET Framework 3.5
Configure SQL Server Settings
Create Inbound Firewall Rules
Configure Disk Layout for SQL Servers
Install SQL Server
Check for .NET 4.0
Install SQL Server 2012
Install SQL Server Cumulative Updates
Configure Security and Trace Flags
Allow Lock Pages in Memory
Set Max Degree of Parallelism
Configure SQLAgent Job History
Verify SQL Server is Working
Build Web Servers
Configure Inbound Firewall Rules
Run the Prerequisite Installer
Install IIS Advanced Logging
Install Hotfixes
Configure Advanced Logging
Prepare Office Web App Machines
Delete Default IIS Sites and Application Pools
Build the SharePoint Servers
Install SharePoint 2013
Install Language Packs
Install the Latest SharePoint Updates SharePoint SP1
Manage SSL Certificates
Update the Hosts File
Build the SharePoint Online 2013 Farm
Provision the Farm
Join Servers to the Farm
Enable Licensing
Register Managed Accounts
Configure Services (Generic)
Configure Distributed Cache


Create Quota Templates
Configure Outgoing Email
Create Web Applications
Create Web Application to Host SharePoint Apps
Set Up People Picker for Each URL
Configure Web Applications (Common Settings)
General Settings
Configure Managed Paths
Configure Blocked File Types
Enable the BLOB Cache
Apply Web App Policy and User Policy (Kiosk Worker)
Set Up Super User and Super Reader Accounts
Add Administrators to Web App Policy
Configure List Throttle Settings
Set Setup User Account as System
Create Site Collections
Create Service Applications
Configure the App Management Service
Create Host Header Site Collection for Monitoring Apps Management Site
Configure Managed Metadata Service Application
Configure Excel Service Application
Configure InfoPath Forms Services
Configure Machine Translation Service Permissions
Configure Search Service Application
Configure the Visio Graphics Service Application
Start the User Profile Synchronization Service
Update WMI Control for Farm Account
Grant User Profile Permissions to Service Apps
Manage User Permissions for the User Profile Service Application
Change Default ULS Log Retention
Configure Usage and Health Data Collection Service
Modify SPHA Rules
Disable Selected Site Templates
Disable Site Templates in the 14 Hive
Disable Site Templates in the 15 Hive
Configure Settings for Sandboxed Code
Confirm or Modify Service Account Associations
Add Support for People Fields in Office Documents


Install and Configure Azure Workflow Server
Install Azure Workflow Server
Install Azure Workflow Client
Install Service Bus and Workflow Cumulative Updates
Pair the SharePoint Server farm with the Workflow Manager Client farm
Install Office Web Applications
Prerequisites
Install Office Web Apps Server
Create Office Web Apps Farm
Connect the SharePoint Farm to the Web App Farm
Configure Office Web Apps Licensing


Introduction

Topic Last Modified: 2014-01-23

This document details the processes associated with building and configuring the individual standard components of a Microsoft SharePoint Online 2013 server farm. Use this instruction for new farm builds only. This document does not include instructions for installing optional or customer-specific features.

Purpose

This document was designed to assist customers in the creation of accurate development and test environments to build out solutions on the hosted SharePoint environment. This document does not include some key production farm components, such as backups, service continuity management, monitoring, or SQL Maintenance. If you encounter references in this build document to any of these applications or activities, please disregard them. They are not necessary for development and test activities.

The goal of this document is to assist in producing a functional replica of our production configuration, but it will not be identical. Activities such as performance testing will not yield the same results as a production environment; however, the relative performance aligned to a baseline will produce data good enough to interpolate.

Audience

The Customer Build Guide is intended to be used by customers building development and test SharePoint environments. Personnel performing the tasks detailed in this guide should be experienced and familiar with the installation and operation of SharePoint, SQL Server, and Windows Server. An attempt has been made to use plain language and to add background when explaining how to perform a task; however, a solid familiarity with the operational aspects of all three products is recommended.


Process Overview

The Build Guide is designed to guide the installer through the following basic processes:

Validate Hardware provided

Configure Host Machines

Create Virtual Machines in Hyper-V on Host Machines

Configure General VM settings

Configure the SQL Role

Configure the Backup Role

Configure Front End and Application Roles

Create and configure SharePoint Farm

This document contains steps to virtualize the environment and set up the various SharePoint roles on virtual machines.


SharePoint Online Hosted Environment

Topic Last Modified: 2014-01-29

The Online environment is structured to manage the hosting of multiple customer environments each isolated to meet security and compliance requirements. The isolation begins with separate customer Virtual Local Area Networks (VLANs) and separate managed customer Active Directory Forests (managed Forest). The basic trust relationship and configuration is outlined in the diagram below. There are generally 3 Forests, one for Management (named MGMT, central forest for all Management Administration Accounts), one for Managed (named MGD, the forest where SharePoint is hosted), and one forest provided by the customer (Customer Domain Accounts and Customer Data Sources).


Trust relationship and configuration diagram

Basic Characteristics of Host and Virtual Machines

Topic Last Modified: 2014-01-29

SharePoint Online has designed a network configuration tailored specifically for SharePoint 2013 that would be difficult to replicate in this document and is not necessary for development and test purposes. When developing applications, the domain trusts are generally more important than segmentation within networks and separate VLANs.

The SharePoint farm requires some or all of the following Host Names:


| SKU | Storage | RAM | CPU | NIC | Notes |
|-----|---------|-----|-----|-----|-------|
| HA | 8 x 600 GB 10K SAS; Array A (2: [RAID1]); Array B (6: [RAID 5]) | 96 GB | 2 x 8 Core Xeon | 1 x 10 Gbit SRF+ | Multi-purpose SKU. Used for PPE, App, WFE, SQL Head Unit |
| HB | 8 x 600 GB 10K SAS; 25 x 600 GB 10K SAS; Array A (2: [RAID1]); Array B (6: [RAID 5]); Array C (24: [RAID 5]) | 96 GB | 2 x 8 Core Xeon | 1 x 10 Gbit SRF+ | SQL Storage SKU. Used for SQL Role |
| HD | 12 x 4 TB 7.2K SAS; Array A (2: [RAID 1]); Array B (9: [RAID 5]) | 32 GB | 1 x 8 Core Xeon | 1 x 10 Gbit SRF+ | File Server/Backup SKU. Used for backups and SQL mirror witness role. |

Note: For test/development purposes (assuming little to no performance testing) we recommend using virtual machines and scaling down the resources allocated to the servers above. The SharePoint 2013 service offering uses physical machines built out on the SKUs listed above.


Network and DNS Configuration

Topic Last Modified: 2014-02-11

SharePoint Online has designed a network configuration tailored specifically for SharePoint 2013 that would be difficult to replicate in this document and is not necessary for development and test purposes. When developing applications, the domain trusts are generally more important than segmentation within networks and separate VLANs.

The SharePoint farm requires some or all of the following Host Names:

portal.contoso.com – portal web application

team.contoso.com – team sites web application

my.contoso.com – SkyDrive Pro web application

partner.contoso.com – partner sites web application (optional)

wac.contoso.com – Office Web Applications farm

o365wfl.contoso.com – 2013 Workflow service end point (port 12290)

*.001dspoapp.com – SharePoint Apps namespace

What is important in setting up your development environment is to create a DNS entry for the wildcard app zone (*.001dspoapp.com in the example above). All other host names can be managed either via DNS or hosts files on the SharePoint and client Windows servers.
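
One way to script this name resolution for a lab, as an added example that is not part of the original guide: a wildcard A record for the app zone in DNS (a hosts file cannot hold a wildcard entry), hosts entries for the remaining names, and a resolution check that flags any name not answering with the lab address. The IP address, the file-backed zone and the function names are assumptions.

```powershell
# Added example, not from the guide. Run elevated.
# Assumptions: $FarmIp is a constructed placeholder, the app zone is created as a
# file-backed primary zone, and the DnsServer module is present on the lab DNS server.

$AppZone   = '001dspoapp.com'      # SharePoint Apps namespace from the guide's example
$FarmIp    = '192.0.2.10'          # constructed placeholder; use your lab farm address
$HostNames = @(                    # host names from the guide; substitute dev/test names
    'portal.contoso.com', 'team.contoso.com', 'my.contoso.com',
    'partner.contoso.com', 'wac.contoso.com', 'o365wfl.contoso.com'
)

function New-AppZoneWildcard {
    # Creates the app zone (if missing) and its single wildcard A record.
    param([string]$ZoneName, [string]$IPv4Address)

    if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns"
    }
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name '*' -RRType A `
                    -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name '*' -IPv4Address $IPv4Address
    }
}

function Add-HostsEntry {
    # Appends "address<TAB>name" for each name that has no active (uncommented) entry.
    param(
        [string[]]$Name,
        [string]$IPv4Address,
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts"
    )

    $lines = Get-Content -Path $Path
    foreach ($n in $Name) {
        # Match the name as a whole token after the address, ignoring comments.
        $pattern = '^\s*[^#\s]+\s+([^#]*\s)?' + [regex]::Escape($n) + '(\s|#|$)'
        if ($lines -match $pattern) { continue }
        Add-Content -Path $Path -Value "$IPv4Address`t$n"
    }
}

function Test-FarmNameResolution {
    # Resolves every host name plus one random label under the app zone.
    # The random label proves the wildcard answers for app URLs that do not exist yet.
    param([string[]]$Name, [string]$AppZone, [string]$ExpectedIp)

    $label = [guid]::NewGuid().ToString('N').Substring(0, 8)
    $probe = "app-$label.$AppZone"

    foreach ($n in @($Name) + $probe) {
        $answer = Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' } |
                  Select-Object -First 1
        [pscustomobject]@{
            Name     = $n
            Resolved = $answer.IPAddress
            # False when the name is unresolved or points somewhere other than the lab farm.
            Ok       = ($answer.IPAddress -eq $ExpectedIp)
        }
    }
}

# On the lab DNS server:
New-AppZoneWildcard -ZoneName $AppZone -IPv4Address $FarmIp

# On each SharePoint server and client machine:
Add-HostsEntry -Name $HostNames -IPv4Address $FarmIp
Test-FarmNameResolution -Name $HostNames -AppZone $AppZone -ExpectedIp $FarmIp |
    Format-Table -AutoSize
```

A row with `Ok` set to False and a non-empty `Resolved` value means the machine is reaching some other endpoint under that name, which is worth checking before testing against it.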

In production, Microsoft uses the load balancer to create virtuals that map to different service endpoints exposed to different networks. The following 2 diagrams are provided for reference purposes.


[Diagram: Load Balancer VIPS, Virtuals, and Traffic Routing]

[Diagram: Traffic Flows and VIPs on Load Balancer]

If you are configuring DNS, we recommend that you follow an approach similar to what is used in

production between the customer environment and SharePoint Online as outlined in the diagram below:

[Diagram: DNS Settings on Customer Private (GNS)]

There are a total of 3 zones above, although this is not strictly necessary. The zones include a DNS Apps Zone for

the SharePoint applications that just contains the wildcard record for the farm. The DNS control zone is

optional; you can choose to just point your DNS records directly to an A record instead of using CNAME

aliases as illustrated above. The above example uses a managed DNS service hosted by Microsoft called

001d.mgd.msft.net. The third zone is the customer private zone that contains the contoso.com

namespace.

Note: If you do define DNS records, we recommend that for dev/test environments you use URLs different

than production.

Prepare Prerequisites Topic Last Modified: 2014-04-15

Before you begin, establish a remote desktop connection to each host machine with your installation

account.

Verify Accounts Topic Last Modified: 2014-04-15

Least Privileges Model

When creating your development environment, SharePoint Online dedicated recommends that you

configure your farm using a least-privilege model to ensure the highest level of security. The following

tables describe the accounts and the minimum level of permissions required to deploy a farm.

Server farm-level accounts

Account: SQL Server service account
Requirements:
- Domain user account
- Member of the Administrators group on the SQL Server machine

Account: Setup user account
Requirements:
- Domain user account
- Member of the Administrators group on each server on which Setup is run.
- SQL Server login on the computer running SQL Server.
- Member of the Server admin SQL Server security role.
- Tip: If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.

Account: Server farm account
Requirements:
- Domain user account
- Additional permissions are automatically granted for this account on web servers and application servers that are joined to a server farm.
- This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:
  - dbcreator fixed server role
  - securityadmin fixed server role
  - db_owner fixed database role for all databases in the server farm

Service application service accounts

Account: SharePoint Server Search service account
Requirements:
- Must be a domain user account.
- Must not be a member of the Farm Administrators group.
- The following are automatically configured:
  - Access to read from the configuration database, administration content database, the search administration database, crawl databases.
  - Full Control access to the index partitions on the query servers.

Account: Default content access account
Requirements:
- Must be a domain user account.
- Must not be a member of the Farm Administrators group.
- Read access to external or secure content sources that you want to crawl by using this account.
- For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the web applications that host the sites.
- The following are automatically configured:
  - Full Read permissions are automatically granted to content databases hosted by the server farm.

Account: Content access account
Requirements:
- Read access to external or secure content sources that this account is configured to access.
- For web sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the web applications that host the sites.

Account: Profile import default access account
Requirements:
- Read access to the directory service.
- The account must have the Replicate Changes permission in AD DS.
- Manage User Profiles personalization services permission.
- View permissions on entities used in Business Data Catalog import connections.

Account: Excel Services unattended service account
Requirements:
- Must be a domain user account.

Additional application pool identity accounts

Account: Application pool identity
Requirements:
- No manual configuration is necessary
- The following are automatically configured:
  - Membership in the SP_DATA_ACCESS role for content databases and search databases associated with the web application.
  - Membership in specific application pool roles for the configuration and the SharePoint_AdminContent databases.
  - Additional permissions for this account to front-end web servers and application servers are automatically granted.

Accounts from Managed Domain

Confirm that the following accounts (prefixed with ms-svc-*) exist in the managed domain for all

environments except Federal. For Federal (fed) environments, confirm that the following accounts exist

and are prefixed with mgd-svc-*.

Accounts from Managed Domain

Full Name | MGD Account Name | Service Account?
SharePoint 15 Farm Account | ms-svc-frm | Yes
SharePoint 15 SQL Service | ms-svc-db | Yes
SharePoint 15 Sandbox Service | ms-svc-sbx | Yes
SharePoint 15 Portal Super Reader | ms-svc-psr | No
SharePoint 15 Portal Super User | ms-svc-psu | No
SharePoint 15 Content Web App Pools | ms-svc-wap | Yes
SharePoint 15 Search Crawl Account | ms-svc-crl | No
SharePoint 15 Service Applications | ms-svc-sa | Yes
Windows Azure Workflow Service | ms-svc-wrk | Yes

Accounts and Security Groups from the Customer Domain

The following accounts and security groups must be present in the customer domain. This information is

available in the ToBuild Record, as noted below.

Accounts and security groups from the customer domain

Account or Group | Description
Kiosk Workers | One or more security groups or role claims that represent all kiosk workers at the customer. Only applicable if customer has purchased DW licenses.
Information Workers |
Unattended Account | An account name from the customer forest for unattended data connections for Excel/Visio. Optional, the account may not be provided by the customer.
Partners | One or more security groups or role claims that represent all partner users for a customer. Only applicable if customer has purchased PAL licenses.
People Picker AD Account and Profile Import Account | One or more accounts with permissions to look up users/groups from AD for configuration of the people picker and profile import of AD users.

User Group Membership

Important: The user running the farm setup must be a member of the MGMT\MGMT-GSG-SPO-SP2013FarmAdmins group.

Build the Platform Topic Last Modified: 2014-05-06

When you configure a test/development environment, there are a few core elements that must be

replicated to adequately test any custom code built or tested by the customer:

All host URLs must use SSL certificates and be fully qualified i.e. https://team.contoso.com. Failure

to do so will mask potential problems in how the browser will treat the site with respect to zones

and protocols. This is especially important for connectivity with internal Line of Business systems

and data sources.

All customer accounts must come from a forest that has a one-way external trust between

managed and the customer forest. Failure to do so may mask authentication/impersonation

issues when connecting to Line-Of-Business applications or data sources within the customer

forest.

Note: Kerberos authentication is not supported; it doesn’t work across Forest and Domain boundaries.

Use a minimum of two Web Front End (FE) role machines to ensure that any and all custom code

properly deploys across multiple machines in a farm.

Use static IP addresses if at all possible. If you use dynamic IP addresses, there is a good chance

over time that the farm will have problems, especially with any load balancing solution you use.

This document does not detail a load-balancing solution. We use a hardware load balancing

solution in our production and pre-production environments; for test/development purposes

Windows Network Load Balancing (WNLB) should be adequate. There will be a difference in

performance that is unavoidable when contrasting hardware vs. software based load balancing

solutions.

Build Virtual Machines Topic Last Modified: 2014-01-29

In this section, you will create and configure virtual machines. There is no recommended order in terms of

the creation and the configuration of the machines; you may create all the machines first and then

configure them one by one, or complete the creation and immediately configure one machine at a time.

Note: All machines should be created before SharePoint is installed.

Create Virtual Machines Topic Last Modified: 2014-05-06

1. Create the VMs in Hyper-V. The following table provides details on both the VHD

distribution and basic properties for each VM role.

VM | Quantity | Storage/VHDs | RAM | CPU | NIC
AP | 1 | OS (200 GB) | 14 GB | 4 Cores | 1 Virtual
FE | 2 | OS (200 GB) | 14 GB | 4 Cores | 1 Virtual
AS | 1 | OS (200 GB) | 14 GB | 4 Cores | 1 Virtual
WC | 1 | OS (200 GB) | 14 GB | 4 Cores | 1 Virtual
SQ | 1 | OS (200 GB), LOGS1 (1 TB), DATA1 (2 TB) | 16 GB | 4 Cores | 1 Virtual

2. The SQL role requires additional VHDs for both Data and Log drives. It is important that the SQL

Data drive be at least twice the size of the Log drive. For production we provision 6 TB spanned

Data Drives and a 1 TB Log drive.

VM Name | Category | Type | Size | File Name
SQ | Data | Dynamic | 2040 GB | SPSQXX_disk_1
SQ | Logs | Dynamic | 1020 GB | SPSQXX_disk_4

To create and start the virtual machines execute the following PowerShell script on the Hyper-V host

machine (HH01). This script configures the virtual machines with legacy network adapters in order to

install the operating system from the network.

    # Machines to create, VHD location and default sizing.
    $SharePointMachines = "FE01", "FE02", "AP01", "AS01"
    $SQLMachine = "SQ01"
    $vhdPath = "E:\Virtual Machines\"
    $defaultMemory = 16GB
    $defaultDiskSize = 200GB

    # Create the VHD root folder if it does not exist yet.
    if ((Get-Item $vhdPath -ErrorAction SilentlyContinue) -eq $null) {
        New-Item -Path $vhdPath -Type directory | Out-Null
    }

    function CreateMachine($machineName, $memoryInBytes, $diskSizeBytes) {
        if ((Get-VM -Name $machineName -ErrorAction SilentlyContinue) -ne $null) {
            Write-Host "Virtual machine $machineName already exists. Skipping." -ForegroundColor DarkYellow
            # 'return' instead of 'continue': 'continue' outside a loop stops the
            # whole script when this function is called directly (as for the SQL machine).
            return
        }

        Write-Host "Creating VHDX for $machineName" -ForegroundColor Green
        New-Item -Path $vhdPath -Name $machineName -Type directory -Force | Out-Null
        New-VHD -Path "$vhdPath\$machineName\$machineName.vhdx" -SizeBytes $diskSizeBytes | Out-Null

        Write-Host "Creating virtual machine for $machineName" -ForegroundColor Green
        New-VM -VHDPath "$vhdPath\$machineName\$machineName.vhdx" -Name $machineName -MemoryStartupBytes $memoryInBytes | Out-Null
        # Legacy adapter so the operating system can be installed from the network.
        Add-VMNetworkAdapter -VMName $machineName -Name "Legacy Network Adapter" -IsLegacy $true -SwitchName "Default External Switch"
        Set-VMProcessor -VMName $machineName -Count 4
    }

    foreach ($machineName in $SharePointMachines) {
        CreateMachine $machineName $defaultMemory $defaultDiskSize
    }
    CreateMachine $SQLMachine $defaultMemory 1TB

    # Start every machine, pausing between starts.
    $allMachines = $SharePointMachines + $SQLMachine
    $allMachines | % {
        Write-Host "Starting $_"
        Start-VM $_
        Start-Sleep -Seconds 30
    }

    # Time service: disable the Hyper-V time provider (VMICTimeProvider) and
    # synchronize from the domain hierarchy instead.
    reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0
    w32tm /config /syncfromflags:DOMHIER /update
    net stop w32time
    net start w32time
    w32tm /resync /force

Configure Virtual Machines Topic Last Modified: 2014-05-06

The following VM configuration steps are common to all VMs in the farm.

Configure Networking

1. In Control Panel, go to Network and Sharing Center | Change adapter settings.

2. Right-click the Local Area Connection network adapter, and then click Properties.

3. Clear the Internet Protocol Version 6 (TCP/IPv6) check box.

4. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

5. In the Properties dialog box, select Use the following IP address, and then enter the following

information. These settings must be supplied by the customer:

IP address

Subnet mask

Default gateway

DNS servers (preferred and alternate)

Verify Connectivity to Default Gateway

1. Open the command prompt, and ping the default gateway.

2. Verify that you get a reply. If you don’t get a reply, check the network settings and confirm a

VLAN was assigned to the VM.

Configure Page Files

Page files will be configured to be system-managed for all host machines.

1. In Control Panel, go to System | Advanced system settings.

2. In the System Properties dialog box, on the Advanced tab, under Performance, click Settings.

3. In the Performance Options dialog box, on the Advanced tab, under Virtual memory, click

Change.

4. In the Virtual Memory dialog box, clear the Automatically manage paging file size for all

drives checkbox.

5. Under Paging file size, choose drive C:\, select the System managed size checkbox, and then

click Set.

6. Click OK on all open dialog boxes.

7. If prompted, choose to Restart Now.

Set End Point Antivirus Exceptions

Configure your desktop anti-virus of choice installed on the VM to scan specific directories. For simplicity,

use the same rules for all virtualized servers. You should exclude the following directories:

C:\Program Files\Microsoft Office Server

C:\inetpub

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions

C:\ProgramData\Microsoft\SharePoint

C:\windows\Microsoft.Net

C:\windows\temp

C:\Program Files\Microsoft SQL Server

E:\

F:\

Disable Recycle Bin

1. Right click the Recycle Bin icon on desktop, and then click Properties.

2. In the Recycle Bin Properties dialog box, for each drive, select the Don’t move files to the

Recycle Bin check box.

3. Click OK.

Disable IE ESC

1. In the Server Manager, under Security Information, click Configure IE ESC.

2. Turn off for both Administrators and Users.

3. Click OK.

Disable User Account Control

1. In Control Panel, on the User Accounts page, click Change User Account Control Settings.

2. Change to Never Notify.

3. Click OK.

Disable Loopbackcheck

1. At the command prompt, run regedit.exe.

2. In the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.

3. Right-click LSA, click New, and then click DWORD (32-bit) Value.

4. Name the new item DisableLoopbackCheck.

5. Right-click DisableLoopbackCheck, and then click Modify.

6. In the Edit DWORD dialog box, set the Value data field to 1.

7. Click OK.

8. Restart the VM.

Configure Drives for SQL Server

1. Connect to the SQL Server machine.

2. Open Disk Management.

3. Right-click the D: drive and then select Format…

4. Name drive D: Data.

5. Right-click the E: drive and then select Format…

6. Name drive E: Logs.

Disable SSL 2.0 and 3.0 Support Topic Last Modified: 2014-05-06

To help harden the servers, by default we disable SSL 2.0 and SSL 3.0 support and allow only TLS 1.0.

1. At the command prompt, run regedit.exe

2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

3. Right-click Server, click New, and then click DWORD (32-bit) Value.

4. Name the new item Enabled.

5. Right-click Enabled, and then click Modify.

6. In the Edit DWORD Value dialog box, set the data value to 00000000.

7. Click OK.

8. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

9. Right-click Server, click New, and then click DWORD (32-bit) Value.

10. Name the new item Enabled.

11. Right-click Enabled, and then click Modify.

12. In the Edit DWORD Value dialog box, set the data value to 00000000.

13. Click OK.

14. Restart the VM.
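
The registry edits in the steps above can also be applied and read back from an elevated PowerShell session. This is an added example, not part of the original guide; the function names are hypothetical, and it creates the Server key when it is missing before writing Enabled = 0.

```powershell
# Added example (not from the guide); function names are hypothetical.
# Run in an elevated PowerShell session on each server.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelServerProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string[]]$Protocol)

    foreach ($name in $Protocol) {
        $key = Join-Path $SchannelProtocols "$name\Server"
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled = 0')) {
            # Create the Server key (and its parent) if it does not exist yet.
            if (-not (Test-Path -LiteralPath $key)) {
                New-Item -Path $key -Force | Out-Null
            }
            # Same value the manual steps set: DWORD Enabled = 0.
            New-ItemProperty -LiteralPath $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-SchannelServerState {
    param([string[]]$Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0'))

    foreach ($name in $Protocol) {
        $key = Join-Path $SchannelProtocols "$name\Server"
        $enabled = $null
        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -Name Enabled -ErrorAction SilentlyContinue
            if ($null -ne $item) { $enabled = $item.Enabled }
        }

        # No Enabled value means the operating system default applies.
        if ($null -eq $enabled) { $state = 'OS default (no Enabled value)' }
        elseif ($enabled -eq 0) { $state = 'Disabled' }
        else                    { $state = 'Enabled' }

        [pscustomobject]@{ Protocol = $name; Enabled = $enabled; State = $state }
    }
}

# Apply the two settings from the steps above, then read all three protocols back.
# Use -WhatIf on the first call to preview the keys without writing them.
Disable-SchannelServerProtocol -Protocol 'SSL 2.0', 'SSL 3.0'
Get-SchannelServerState | Format-Table -AutoSize
# As in the manual procedure, restart the VM for the change to take effect.
```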

Restrict SCHANNEL to FIPS Compliant Cipher Suites Only Topic Last Modified: 2014-05-06

We disable certain Ciphers for our secure channel. This setting applied to all VMs removes support for the

following ciphers which are not FIPS compliant:

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_RC4_128_MD5

SSL_CK_RC4_128_WITH_MD5

SSL_CK_DES_192_EDE3_CBC_WITH_MD5

TLS_RSA_WITH_NULL_SHA

TLS_RSA_WITH_NULL_SHA256

The following ciphers, which are not present by default in Windows, are added:

TLS_RSA_WITH_NULL_MD5

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521

1. In the MMC snap-in, navigate to Local Computer Policy | Computer Configuration |

Administrative Templates | Network | SSL Configuration Settings.

2. Right-click SSL Cipher Suite Order, and then click Edit.

3. In the SSL Cipher Suite Order dialog box, select Enabled.

4. Under Options, in the SSL Cipher Suites text box, delete everything, and then copy and paste in

the following text:

TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WITH_NULL_MD5

5. Click OK.
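
To check what the policy actually contains after step 5, the following added example (not part of the original guide) reads the value that the SSL Cipher Suite Order policy writes to the registry and compares it with the removal list given in this section. The function and variable names are hypothetical, and the extra flag for NULL suites, which provide no encryption, goes beyond the guide's own list.

```powershell
# Added example, not from the guide. Function and variable names are hypothetical.

# Suites this section says are removed as not FIPS compliant.
$RemovedByGuide = @(
    'TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_WITH_RC4_128_MD5',
    'SSL_CK_RC4_128_WITH_MD5', 'SSL_CK_DES_192_EDE3_CBC_WITH_MD5',
    'TLS_RSA_WITH_NULL_SHA', 'TLS_RSA_WITH_NULL_SHA256'
)

# The string pasted in step 4, copied from this page (used when no policy is set).
$GuideOrder = 'TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,' +
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA,' +
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,' +
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,' +
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,' +
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,' +
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,' +
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,' +
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,' +
    'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WITH_NULL_MD5'

function ConvertTo-SuiteList {
    param([string[]]$Value)
    # Accept one comma-separated string or a multi-string value.
    @($Value | ForEach-Object { $_ -split ',' } | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Get-CipherSuitePolicyOrder {
    # Registry location written by the "SSL Cipher Suite Order" policy setting.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $item = Get-ItemProperty -LiteralPath $key -Name Functions -ErrorAction SilentlyContinue
    if ($null -ne $item) { ConvertTo-SuiteList -Value $item.Functions }
}

function Test-CipherSuiteOrder {
    param([string[]]$Suite)
    $seen = @{}
    $position = 0
    foreach ($name in $Suite) {
        $position++
        $findings = @()
        if ($RemovedByGuide -contains $name) { $findings += "on the guide's removal list" }
        if ($name -match '_NULL_')           { $findings += 'NULL suite: no encryption' }
        if ($seen.ContainsKey($name))        { $findings += 'duplicate entry' }
        $seen[$name] = $true
        [pscustomobject]@{ Position = $position; Suite = $name; Findings = ($findings -join '; ') }
    }
}

$configured = @(Get-CipherSuitePolicyOrder)
if ($configured.Count -eq 0) {
    Write-Warning 'SSL Cipher Suite Order policy is not set here; auditing the string from the guide instead.'
    $configured = ConvertTo-SuiteList -Value $GuideOrder
}
Test-CipherSuiteOrder -Suite $configured | Where-Object { $_.Findings } | Format-Table -AutoSize
```

Run against the string from step 4, the check reports two entries: SSL_CK_DES_192_EDE3_CBC_WITH_MD5, which also appears on this section's removal list, and TLS_RSA_WITH_NULL_MD5.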

Allow CredSSP Authentication Topic Last Modified: 2014-05-06

To assist with automation efforts, enable CredSSP on all machines (host and VMs).

1. In the Microsoft Management Console, navigate to Local Computer Policy | Computer

Configuration | Administrative Templates | System | Credentials Delegation.

2. Right-click Allow Delegating Fresh Credentials, and then click Edit.

3. In the Allow Delegating Fresh Credentials dialog box, select the Enabled checkbox.

4. Under Options, click Show.

5. In the Show Contents dialog box, type the value WSMAN/*.

6. Click OK in all open dialog boxes.

7. In the MMC, navigate to Local Computer Policy | Computer Configuration | Administrative

Templates | Windows Components | Windows Remote Management | WinRM Client.

8. Right-click Allow CredSSP authentication, and then click Edit.

9. In the Allow CredSSP Authentication dialog box, select the Enabled checkbox.

10. Click OK.

11. In the MMC, navigate to Local Computer Policy | Computer Configuration | Policies |

Administrative Templates | Windows Components | Windows Remote Management |

WinRM Service.

12. Right click Allow automatic configuration of listeners, and then click Edit.

13. In the Allow automatic configuration of listeners dialog box, select the Enabled checkbox.

14. Under Options:

a. In the IPv4 filter box, type *.

b. In the IPv6 filter box, type *.

15. Click OK.

16. In the MMC, navigate to Local Computer Policy | Computer Configuration | Policies |

Administrative Templates | Windows Components | Windows Remote Management |

WinRM Service.

17. Right-click Allow CredSSP authentication, and then click Edit.

18. In the Allow CredSSP authentication dialog box, select the Enabled checkbox.

19. Click OK.
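
To confirm that the policy settings above took effect, or to find machines where they were left enabled, the following added example reads the registry values that these Group Policy settings write. It is not part of the original guide; the function name is hypothetical, and the Expected column holds the values entered in the steps above.

```powershell
# Added example, not from the guide. The function name is hypothetical.
function Get-CredSspPolicyState {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

    # Policy setting, the registry value it writes, and the value the steps above enter.
    $checks = @(
        @{ Key = 'CredentialsDelegation'; Name = 'AllowFreshCredentials'; Expected = 1;   Setting = 'Allow Delegating Fresh Credentials' },
        @{ Key = 'WinRM\Client';          Name = 'AllowCredSSP';          Expected = 1;   Setting = 'WinRM Client: Allow CredSSP authentication' },
        @{ Key = 'WinRM\Service';         Name = 'AllowAutoConfig';       Expected = 1;   Setting = 'WinRM Service: Allow automatic configuration of listeners' },
        @{ Key = 'WinRM\Service';         Name = 'IPv4Filter';            Expected = '*'; Setting = 'WinRM Service: IPv4 filter' },
        @{ Key = 'WinRM\Service';         Name = 'IPv6Filter';            Expected = '*'; Setting = 'WinRM Service: IPv6 filter' },
        @{ Key = 'WinRM\Service';         Name = 'AllowCredSSP';          Expected = 1;   Setting = 'WinRM Service: Allow CredSSP authentication' }
    )

    foreach ($check in $checks) {
        $key = Join-Path $policyRoot $check.Key
        $name = $check.Name
        $value = $null
        $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.$name }

        [pscustomobject]@{
            Setting  = $check.Setting
            Value    = $value
            Expected = $check.Expected
            Matches  = ("$value" -eq "$($check.Expected)")
            Note     = ''
        }
    }

    # The delegation targets typed into the Show Contents dialog are stored as
    # values under a subkey with the same name as the setting.
    $listKey = Join-Path $policyRoot 'CredentialsDelegation\AllowFreshCredentials'
    if (Test-Path -LiteralPath $listKey) {
        $regKey = Get-Item -LiteralPath $listKey
        foreach ($valueName in $regKey.GetValueNames()) {
            $target = [string]$regKey.GetValue($valueName)
            $note = ''
            if ($target.Contains('*')) {
                $note = 'wildcard: fresh credentials may be delegated to every host matching this pattern'
            }
            [pscustomobject]@{
                Setting  = "Delegation target #$valueName"
                Value    = $target
                Expected = 'WSMAN/*'
                Matches  = ($target -eq 'WSMAN/*')
                Note     = $note
            }
        }
    }
}

Get-CredSspPolicyState | Format-Table -AutoSize -Wrap
```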

Modify WinRM Shell Property Settings Topic Last Modified: 2014-05-06

To improve performance, we modify the default WinRM Shell property settings.

1. In the MMC snap-in, navigate to Local Computer Policy | Computer Configuration |

Administrative Templates | Windows Components | Windows Remote Shell

2. Right-click Specify maximum amount of memory in MB per Shell, and then click Edit.

3. In the Specify maximum amount of memory in MB per Shell dialog box, select the Enabled

checkbox.

4. Under Options, in the MaxMemoryPerShellMB text box, enter 1024.

5. Click OK.

6. In the MMC snap-in, navigate to Local Computer Policy | Computer Configuration |

Administrative Templates | Windows Components | Windows Remote Shell

7. Right-click Specify maximum number of processes per Shell, and then click Edit.

8. In the Specify maximum number of processes per Shell dialog box, select the Enabled

checkbox.

9. Under Options, in the MaxProcessesPerShell text box, enter 64.

10. Click OK.

11. In the MMC snap-in, navigate to Local Computer Policy | Computer Configuration |

Administrative Templates | Windows Components | Windows Remote Shell

12. Right-click Specify maximum number of remote shells per user, and then click Edit.

13. In the Specify maximum number of remote shells per user dialog box, select the Enabled

checkbox.

14. Under Options, in the MaxShellsPerUser text box, enter 16.

15. Click OK.

Configure Common Machine Settings Topic Last Modified: 2014-05-06

Change Time Zone

Change the time zone on each machine to match the datacenter time zone:

1. On the desktop of the Host server, right-click the date stamp in the bottom-right tray, and then

click Adjust date/time.

2. In the Date and Time dialog box, on the Date and Time tab, click Change Time Zone list.

3. In the Time Zone Settings dialog box, select the time zone in which the datacenter is located.

4. Click OK in all open dialog boxes.

Install .NET Framework 3.5

Perform the following steps on every server in the farm (web servers and SQL servers):

1. In your browser, navigate to the .NET 3.5 download site.

2. Download and install the .NET Framework 3.5.

3. Restart your computer.

Configure SQ Server Settings Topic Last Modified: 2014-05-06

Before you begin, establish a remote desktop connection to the SQ server.

Create Inbound Firewall Rules

1. In the Windows Firewall with Advanced Security tool, click Inbound Rules.

2. In the Actions pane, click New Rule:

3. In the New Inbound Rule Wizard, use the following settings:

Rule Type: Port

Protocol: TCP

Specific local Port: 1433

Action: Allow the Connection

Profile: Domain

Name: SQL Server 1433

4. Click Finish.

Configure Disk Layout for SQ Servers

The VHDs have been created, but the disk layout is incomplete. Use this procedure to span and format the

volumes.

1. In Server Manager, navigate to Storage | Disk Management | (C:).

2. Right click all disks and set to Online.

3. Create a spanned volume for Data drive:

a. Right click Disk 1 | Initialize disk | select all available drives (1-3).

b. Ensure format used is MBR.

c. Right click Disk 1 | New Spanned Volume

d. Select all 2 TB data drives

e. Assign Drive Letter E

f. Clear New Volume Name.

4. Create and format Log Drive:

a. Right click Disk 4

b. Click new Simple Volume

c. Assign Drive Letter F

d. Clear New Volume Name

5. Restart the VM.

Install SQL Server Topic Last Modified: 22-December-2015

Note: SQL Server should be installed on the following server roles: SQ, SS, BK, BS.

Check for .NET 4.0

1. Check to see if .NET 4.0 has been installed on the server. .NET 4.0 is not a prerequisite for SQL

Server but it may be present. If .NET 4.0 is present, perform step 2. If not, skip step 2 and continue

with the SQL Server installation.

2. Complete this step if .NET 4.0 has been installed on the server.

3. In order to install SQL Server from the network share, open an Administrative command prompt

and execute the following after replacing the {BUILD} text with the build location you are using:

%windir%\microsoft.net\framework64\v4.0.30319\caspol.exe -m -ag 1.2 -url file://{BUILD}/* FullTrust

Example:

%windir%\microsoft.net\framework64\v4.0.30319\caspol.exe -m -ag 1.2 -url file://\\10.224.1.83/Releases/* FullTrust

Install SQL Server 2012

If not called out below, use default values for the SQL installation.

1. Browse to your SQL installation path (we recommend an ISO image mounted to the VM) and

double-click setup.exe.

2. Navigate to Installation section and select New Installation or add features to an existing

installation.

3. Use your product key or specify a trial.

4. On License Terms select I accept the license terms and clear Send features usage…

checkboxes.

5. Complete Setup Support Files step.

6. On Setup Role choose SQL Server Feature Installation

7. On Feature Selection select the following components:

Database Engine Services

SQL Server Replication

Client Tools Connectivity

Client Tools Backwards Compatibility

Management Tools - Basic

Management Tools – Complete

8. On the Server Configuration page set SQL Server Agent startup type to Automatic, click Use the same account for all SQL services, and then enter managed\ms-svc-db and its password.

9. On the Database Engine Configuration page, on the Account Provisioning tab add the following with a SysAdmin role:

managed\ms-svc-db

mgmt\MGMT-GSG-SPO-SP2013FarmAdmins

10. On the Database Engine Configuration page navigate to Data Directories tab and set or confirm the following settings:

Directory Name | Value
Data root directory | E:\Program Files\Microsoft SQL Server\
User database directory | E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA
User Database log directory | F:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA
Temp DB directory | E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Data
Temp DB log directory | F:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Data

1. On Error Reporting page clear Send Windows and SQL Server Error Reports…

2. Complete installation with default settings on the rest of the pages.

Install SQL Server Cumulative Updates

1. Download the SQL Server Cumulative Update.

2. Execute SQLServer2012-KB3072100-x64.exe and follow the instructions.

Configure Security and Trace Flags

Two trace flags are added, as requested by the operations team: 1222 (return resources and types of locks participating in a deadlock) and 3226 (suppress log backup entries in the SQL error log).

1. In the SQL Server Configuration Manager, under SQL Server Network Configuration, right-click Protocols for MSSQLSERVER, and then click Properties.

2. In the Protocols for MSSQLSERVER dialog box, set Hide Instance to Yes.

3. Click OK.

4. On the service storage group servers (SS01/SS02) only:

a. Double-click Protocols for MSSQLSERVER.

b. Right-click Named Pipes

c. Select Enable.

5. In the tree view on the left, click SQL Server Services.

6. In the right pane, double-click SQL Server (MSSQLSERVER)

7. In the SQL Server Properties (MSSQLSERVER) dialog box, on the Advanced tab, click Startup Parameters.

8. Next to Startup Parameters, click the down arrow, and then add ;-T3226;-T1222 to the end of the parameters text.

9. For example, a modified Startup Parameters list might appear as follows:

-dE:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\master.mdf;-eE:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\LOG\ERRORLOG;-lE:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\mastlog.ldf;-T3226;-T1222

10. Click OK.

11. Right-click SQL Server (MSSQLSERVER), and then click Restart.

Allow Lock Pages in Memory

Give the SQL Server process account rights to lock pages in memory.

1. In Control Panel go to Administrative Tools | Local Security Policy.

2. Expand Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies

3. Select User Rights Assignment | double-click lock pages in memory policy | add user to group

4. Add the SQL Server security group mgd\mgd-dsg-sp2013-SQLaccts

Set Max Degree of Parallelism

1. In SQL Server Management Studio, connect to the local database server.

2. In the Code Editor window, enter the following Transact-SQL statement:

sp_configure 'show advanced options', 1;

GO

RECONFIGURE WITH OVERRIDE;

GO

sp_configure 'max degree of parallelism', 1;

GO

RECONFIGURE WITH OVERRIDE;

GO

3. Select Query, and then click Execute or press F5 to execute the query.

Configure SQLAgent Job History

The SQLAgent Job History should have the following settings:

jobhistory_max_rows=50000

jobhistory_max_rows_per_job=10000

Use the following PowerShell script to do this.

$null=[system.reflection.assembly]::LoadWithPartialName("Microsoft.SqlServer.Smo")
$server=new-object Microsoft.SqlServer.Management.Smo.Server(".")
$agent=$server.JobServer
$agent.MaximumHistoryRows=50000
$agent.MaximumJobHistoryRows=10000
$agent.Alter()

Verify SQL Server is Working

1. For each SQL instance, confirm that you can connect from another machine using SQL Server Management Studio.

2. If you fail to connect, check that the firewall rules to allow 1433 are in place.
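
The settings applied in this chapter (max degree of parallelism, trace flags 1222 and 3226, SQL Agent job history limits) can be checked in one pass after the build. The script below is an added example, not part of the original guide; it assumes SMO is installed and that it runs on the database server under an account with sysadmin rights.

```powershell
# Added example: compare the local SQL Server instance with the values in this chapter.
# Assumptions: SMO is installed; run on the database server as a sysadmin.
$null = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SqlServer.Smo")
$server = New-Object Microsoft.SqlServer.Management.Smo.Server(".")

function New-CheckResult($Setting, $Expected, $Actual) {
    [pscustomobject]@{
        Setting   = $Setting
        Expected  = $Expected
        Actual    = $Actual
        Compliant = ($Expected -eq $Actual)
    }
}

# Trace flags enabled globally. DBCC TRACESTATUS may return no result set
# when no flag is active, so guard against an empty DataSet.
$dbcc = $server.ConnectionContext.ExecuteWithResults("DBCC TRACESTATUS(-1) WITH NO_INFOMSGS")
$activeFlags = @()
if ($dbcc.Tables.Count -gt 0) {
    $activeFlags = @($dbcc.Tables[0].Rows |
        Where-Object { $_.Status -eq 1 -and $_.Global -eq 1 } |
        ForEach-Object { [int]$_.TraceFlag })
}

$agent = $server.JobServer
$results = @(
    New-CheckResult "max degree of parallelism (run value)" 1 $server.Configuration.MaxDegreeOfParallelism.RunValue
    New-CheckResult "trace flag 1222 enabled globally" $true ($activeFlags -contains 1222)
    New-CheckResult "trace flag 3226 enabled globally" $true ($activeFlags -contains 3226)
    New-CheckResult "jobhistory_max_rows" 50000 $agent.MaximumHistoryRows
    New-CheckResult "jobhistory_max_rows_per_job" 10000 $agent.MaximumJobHistoryRows
)

$results | Format-Table -AutoSize

# Surface drift clearly so the script can be used as a build gate.
$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} setting(s) differ from the build guide." -f $failed.Count)
}
```

A trace flag that shows as not enabled after the startup parameters were edited usually means the SQL Server service has not been restarted yet.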

Build Web Servers

Topic Last Modified: 15-December-2015

Before you begin, establish a remote desktop connection to each FE, AP, AS and WC server in the farm. Each step in this chapter must be completed on each machine, unless otherwise noted.

Configure Inbound Firewall Rules

Create the following new inbound firewall rules:

1. In the Windows Firewall with Advanced Security tool, right-click Inbound Rules, and then click New Rule.

2. In the New Inbound Rule Wizard, create a new rule with the following configuration:

Rule Type: Port

Protocol: TCP

Port: Specific | 443

Action: Allow the Connection

Profile: Select Domain

Name: SharePoint 443

3. Click Finish

4. Create another new rule with the following settings:

Rule Type: Port

Protocol: TCP

Port: Specific | 8888

Action: Allow the Connection

Profile: Select Domain

Name: Central Admin 8888

5. Click Finish.

6. Create another new rule with the following settings:

Rule Type: Port

Protocol: TCP

Port: Specific | 32843

Action: Allow the Connection

Profile: Select Domain

Name: SharePoint 32843

7. Click Finish.

8. Create another new rule with the following settings:

Rule Type: Port

Protocol: TCP

Port: Specific | 32844

Action: Allow the Connection

Profile: Select Domain

Name: SharePoint 32844

9. Click Finish.

10. Create another new rule with the following settings:

Rule Type: Port

Protocol: TCP

Port: Specific | 32845

Action: Allow the Connection

Profile: Select Domain

Name: SharePoint 32845

11. Click Finish.

12. Open Windows PowerShell and execute the following:

# SharePoint Search rule
netsh advfirewall firewall delete rule name="SharePoint Search Ports"
netsh advfirewall firewall add rule name="SharePoint Search Ports" dir=in action=allow localport="17000-17009,808,16500-16509" protocol=TCP profile=domain
# Rules for Distributed Cache (AppFabric Caching uses TCP 22233-22236)
netsh advfirewall firewall delete rule name="AppFabric Caching Ports"
netsh advfirewall firewall add rule name="AppFabric Caching Ports" dir=in action=allow localport="22233-22236" protocol=TCP profile=domain
netsh advfirewall firewall set rule group="AppFabric Server: AppFabric Caching Service" new enable=Yes
netsh advfirewall firewall set rule name="Remote Service Management (RPC)" new enable=Yes
netsh advfirewall firewall set rule name="Remote Service Management (RPC-EPMAP)" new enable=Yes

netsh advfirewall firewall set rule name="Remote Service Management (NP-In)" new enable=Yes
# Azure Workflow rule
netsh advfirewall firewall delete rule name="Azure Workflow Ports"
netsh advfirewall firewall add rule name="Azure Workflow Ports" dir=in action=allow localport="4446,5112,9000-9003,9354,12290" protocol=TCP profile=domain
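
The five port rules created through the wizard in steps 1 to 11 can also be scripted and then audited. The script below is an added example, not part of the original guide; it assumes Windows Server 2012 or later (NetSecurity module) and an elevated PowerShell session.

```powershell
# Added example: create the five inbound port rules from steps 1-11, then audit them.
# Assumptions: Windows Server 2012 or later (NetSecurity module), elevated session.
$rules = @(
    @{ Name = "SharePoint 443";     Port = 443   },
    @{ Name = "Central Admin 8888"; Port = 8888  },
    @{ Name = "SharePoint 32843";   Port = 32843 },
    @{ Name = "SharePoint 32844";   Port = 32844 },
    @{ Name = "SharePoint 32845";   Port = 32845 }
)

foreach ($rule in $rules) {
    # Remove any earlier copy so that re-running the script leaves exactly one rule per name.
    Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Same settings as the wizard: TCP, one specific port, allow, Domain profile only.
    New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Protocol TCP `
        -LocalPort $rule.Port -Action Allow -Profile Domain | Out-Null
}

# Audit: each rule must exist once, be enabled, allow only its own port,
# and apply to the Domain profile alone (not Private or Public).
$audit = foreach ($rule in $rules) {
    $found = @(Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)
    if ($found.Count -ne 1) {
        [pscustomobject]@{ Name = $rule.Name; Port = $null; Profile = $null; Compliant = $false }
        continue
    }
    $fw         = $found[0]
    $portFilter = $fw | Get-NetFirewallPortFilter
    $compliant  = ([string]$fw.Enabled -eq "True") -and
                  ([string]$fw.Action -eq "Allow") -and
                  ([string]$fw.Profile -eq "Domain") -and
                  ([string]$portFilter.LocalPort -eq [string]$rule.Port)
    [pscustomobject]@{
        Name      = $rule.Name
        Port      = $portFilter.LocalPort
        Profile   = $fw.Profile
        Compliant = $compliant
    }
}

$audit | Format-Table -AutoSize
```

The audit half can be run on its own later to detect a rule that was widened to the Private or Public profile after the build.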

Run the Prerequisite Installer

Important: Execute the steps in this section only on SharePoint FE, AP, and AS Servers (Common Steps)

Note: At this time, we do not recommend running the prerequisite installer in unattended mode.

1. Open the SharePoint installation folder.

2. Execute PrerequisiteInstaller.exe and follow the prompts to reboot the computer as needed. The prerequisite installer will automatically restart after each reboot.

3. Restart computer after prerequisite installer has completed.

Install IIS Advanced Logging

SharePoint Online uses the features of IIS Advanced Logging. This feature will need to be installed on all SharePoint FE, AP, and AS Servers.

Important: Execute the steps in this section only on SharePoint FE, AP, WC, and AS Servers (Common Steps)

1. Download the MSI file from http://www.microsoft.com/en-us/download/details.aspx?id=7211.

2. As administrator, execute advancedlogging64.msi.

Install Hotfixes

A hotfix is available for IIS Advanced Logging that resolves a memory leak in application pools in Windows Server 2012.

Important: Execute the steps in this section only on SharePoint FE, AP, and AS Servers (Common Steps)

1. Download the MSI file from http://www.microsoft.com/en-us/download/details.aspx?id=41640

2. As administrator, execute advancedlogging_update_64.msp.

Configure Advanced Logging

Complete all steps in this section on ALL FE, AP, AS and WC servers in the farm.

1. If IIS Manager is open, close and re-open it to see the new Advanced Logging components.

2. In Internet Information Services (IIS) Manager, click the server on which you have installed advanced logging.

3. In the middle pane, under IIS, double-click Advanced Logging.

4. On the Advanced Logging console, click Edit Logging Fields.

5. In the Edit Logging Fields dialog box, click Add Field.

6. In the Add Logging Field dialog box, set the following parameters:

Field ID: X-Forwarded-For

Category: Default

Source Type: Request Header

Source Name: X-Forwarded-For

7. Click OK in all open dialog boxes.

Prepare Office Web App Machines

Complete the following step on each of the Office Web Apps machines (WC01, WC02, etc).

1. In PowerShell, run the following command to install required Windows Roles/Features:

Add-WindowsFeature Web-Server,Net-Framework-45-Core, Net-Framework-45-ASPNET, Web-Asp-Net45, Web-Net-Ext45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Includes, Web-Windows-Auth, Web-Mgmt-Console, InkAndHandwritingServices -Restart

Delete Default IIS Sites and Application Pools

Perform the following steps on all SharePoint (FE, AP, AS) and Office Web app (WC) servers in the farm.

1. In the Internet Information Services (IIS) Manager, click Sites.

2. Under Default Web Site, delete any default Web sites.

3. Click Application Pools.

4. Remove all application pools.

Build the SharePoint Servers

Topic Last Modified: 2014-05-30

Perform the following on each SharePoint Server in the farm.

Install SharePoint 2013

To install the SharePoint 2013 Server:

1. In Windows Explorer, browse to the SharePoint 2013 installation folder and run setup.exe.

2. Type your product key.

3. Choose a Server Farm installation and Complete Server Type.

Important: Do NOT run the Configuration Wizard (PSConfig.exe) at this time.

Install Language Packs

1. Browse to the path that contains the language packs you wish to install and run the language pack.

2. Select the I accept the license terms check box, and then click Continue.

3. Follow the instructions in the wizard to install the language packs.

Install the Latest SharePoint Updates

SharePoint SP1

1. Remove the server from rotation to stop incoming requests to the servers.

2. In your browser, download the SharePoint June 2013 CU

3. Run officeserversp2013-kb2880552-fullfile-x64-en-us.exe

4. Reboot the server

5. Add the updated server back into the load-balancing rotation.

When the installation is complete, the configuration database should be version 15.0.4569.1000 or higher when viewed in the SharePoint Configuration Wizard.

Install the App Fabric Cumulative Update

1. In your browser, download the App Fabric Cumulative Update

2. Run AppFabric1.1-RTM-KB2800726-x64-ENU.exe. Follow the instructions.

Manage SSL Certificates

By default, Microsoft SharePoint Online Dedicated uses wildcard certificates for customer deployments. This process outlines how to create or export a wildcard SSL certificate.

Complete Certificate Request

When a response is returned by the CA, perform the following steps on the same machine used to

request the certificate. This should be AP01.

1. In Internet Information Services (IIS) Manager, click the machine name, and then, under IIS,

double-click Server Certificates.

2. In the Actions pane, click Complete Certificate Request.

3. In the Complete Certificate Request dialog box, enter the required values:

File Name: provide a path to the file that contains the response from the certificate authority

Friendly Name: *.<customer.com name> Wildcard SSL certificate or <portal.customer.com> SAN Certificate (for a SAN certificate you cannot use a * but must use one of the DNS values, like portal).

4. Click OK.

Export Certificates

After a certificate has been issued, it must be exported so that it can be installed on all other FE machines.

For SAN Certificates:

If exporting a named (SAN) certificate, follow these directions (For First Machine) first. Only use these

instructions if SAN certificates are required. If using wildcard certificates, go to Import Certificates.

Note: This procedure is for SAN certificates only. To export wildcard certificates, see the “For Wildcard

Certificates” section later in this topic.

To use a named certificate within the IIS7 interface, you must update the friendly name on the certificate.

Follow these directions only for a named certificate.

1. In the Microsoft Management Console, under Certificates (Local Computer) | Personal, click Certificates.

2. Right-click the SAN Certificate you want to export, and then click Properties.

3. In the Properties dialog box, edit the Friendly Name field so the name starts with an * instead of the host name.

4. Example: portal.contoso.com should be modified to *.contoso.com.

5. Click OK.

Import SSL Certificates

Once the new certificate has been received, import the SSL certificate to all web servers for both SharePoint and Office Web Apps (AP, AS, FE, WC).

1. In the Microsoft Management Console, under Certificates (Local Computer) | Personal, right-click Certificates, click All Tasks, and then click Import.

2. In the Certificate Import Wizard, configure the following settings:

a. File Name: provide path to the file for the exported pfx certificate.

b. Password: provide password from previous step

c. Mark this key as exportable: Uncheck

3. Once the import is completed, permanently delete the temporary pfx files.

Note: In the file listed in step 2a, there should be an entry for each URL that is added. This file will be

different for new customers and existing customers. A new customer would typically have at least three

URLs to begin with: <portal>, <team>, and <my>. An existing customer would have two URLs: <team>

AND <my>.

Import STS Certificate

Obtain the new STS certificate and import it to all web servers for SharePoint (AP, AS, FE) using the following steps.

1. In the Microsoft Management Console, under Certificates (Local Computer) | Trusted Root Certification, right-click Certificates, click All Tasks, and then click Import.

2. In the Certificate Import Wizard, configure the following settings:

a. File Name: provide path to the file for the exported pfx certificate.

b. Password: provide password from previous step

c. Mark this key as exportable: Uncheck

3. Once the import is completed, permanently delete the temporary pfx files.

Update the Hosts File

To update the Hosts file:

1. Navigate to C:\windows\system32\drivers\etc, and then open the hosts file as an administrator.

2. Add records to the hosts file based on the following templates:

# Apps Management Site URL
127.0.0.1 monitor.ppe<<001d>>spoapp.com

FE servers (PPE):

# PPE My app URL
127.0.0.1 ppemy.contoso.com
# PPE Team app URL
127.0.0.1 ppeteam.contoso.com
# PPE Portal app URL
127.0.0.1 ppeportal.contoso.com
# PPE Partners Access app URL
127.0.0.1 ppepartner.contoso.com
# PPE Workflow service URL
MGP_PPE_WFE_VIP ppeo365wfl.contoso.com
# WAC service URL
MGP_WAC_VIP o365wac.contoso.com
# Apps Management Site URL
127.0.0.1 monitor.ppe<<001d>>spoapp.com

AP/AS servers (PPE):

# PPE My app URL
MGP_PPE_WFE_VIP ppemy.contoso.com
# PPE Team app URL
MGP_PPE_WFE_VIP ppeteam.contoso.com
# PPE Portal app URL
MGP_PPE_WFE_VIP ppeportal.contoso.com
# PPE Partners Access app URL
MGP_PPE_WFE_VIP ppepartner.contoso.com
# WAC service URL
MGP_WAC_VIP o365wac.contoso.com
# PPE Workflow service URL
MGP_PPE_WFE_VIP ppeo365wfl.contoso.com
# Apps Management Site URL
127.0.0.1 monitor.ppe<<001d>>spoapp.com

3. Save and close the file.

Build the SharePoint Online 2013 Farm

Topic Last Modified: 11-December-2015

Before you begin: Remote-desktop into the machine that will contain Central Admin (AP01).

Provision the Farm

Important: This step must be executed with PowerShell so that the server is not registered as a distributed cache host. Adding machines as distributed cache hosts occurs later in this document.

1. Open the SharePoint 2013 Management Shell, and then execute the following:

$dbServer = "<First Content Storage DB Server>"
$mgdDomain = "<MGD Domain for Customer>"
$scaCred = Get-Credential "$mgdDomain\ms-svc-frm"
New-SPConfigurationDatabase -DatabaseName "SharePoint_Config" -DatabaseServer $dbServer -AdministrationContentDatabaseName "SharePoint_Admin_Content" -FarmCredentials $scaCred -Passphrase (ConvertTo-SecureString "Password911!23" -AsPlainText -Force) -SkipRegisterAsDistributedCacheHost

2. Open the SharePoint 2013 Products Configuration Wizard.

3. Select Specify port number: 8888

4. Complete the wizard.

Join Servers to the Farm

Note: This step must be executed with PowerShell so that the server is not registered as a distributed cache host. Adding machines as distributed cache hosts occurs later in this document.

Before you can configure the farm, you must add the other AP, AS and FE servers to the farm:

1. Open the SharePoint 2013 Management Shell, and then edit and execute the following:

$dbServer = "<First Content Storage DB Server>"
$mgdDomain = "<NETBIOS Domain Name of Customer, e.g. 001D>"
$scaCred = Get-Credential "$mgdDomain\ms-svc-frm"
Connect-SPConfigurationDatabase -DatabaseName "SharePoint_Config" -DatabaseServer $dbServer -Passphrase (ConvertTo-SecureString "Password911!23" -AsPlainText -Force) -SkipRegisterAsDistributedCacheHost

2. Open the SharePoint 2013 Products Configuration Wizard.

3. Complete the wizard.

Note: Repeat these steps for all other SharePoint Machines (AP, AS and FE). In the case of server

expansion or rebuild, only run the wizard on the new machines.
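
Both the provisioning command and the join command above carry the farm passphrase as a string literal. The variant below is an added example, not part of the original guide: it prompts for the passphrase as a SecureString, so the value is never stored in a script file or shown in console history. Read-ConfirmedSecret and the -JoinExistingFarm switch are hypothetical names introduced for this example; the placeholders are the guide's own.

```powershell
# Added example: provision or join the farm without a passphrase literal in the script.
# Assumptions: run in the SharePoint 2013 Management Shell; Read-ConfirmedSecret and
# -JoinExistingFarm are hypothetical names introduced here.
param([switch]$JoinExistingFarm)

function Read-ConfirmedSecret([string]$Label) {
    while ($true) {
        $first  = Read-Host -Prompt "Enter $Label" -AsSecureString
        $second = Read-Host -Prompt "Confirm $Label" -AsSecureString

        # Compare the two entries, then zero the unmanaged copies immediately.
        $b1 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($first)
        $b2 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($second)
        try {
            $same = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($b1) -ceq
                    [Runtime.InteropServices.Marshal]::PtrToStringBSTR($b2)
        }
        finally {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($b1)
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($b2)
        }

        if ($same -and $first.Length -gt 0) { return $first }
        Write-Warning "The entries were empty or did not match. Try again."
    }
}

$dbServer   = "<First Content Storage DB Server>"
$mgdDomain  = "<MGD Domain for Customer>"
$scaCred    = Get-Credential "$mgdDomain\ms-svc-frm"
$passphrase = Read-ConfirmedSecret "farm passphrase"

if ($JoinExistingFarm) {
    # Every other AP, AS and FE server: join the existing configuration database.
    Connect-SPConfigurationDatabase -DatabaseName "SharePoint_Config" `
        -DatabaseServer $dbServer -Passphrase $passphrase `
        -SkipRegisterAsDistributedCacheHost
}
else {
    # First server (AP01): create the configuration database.
    New-SPConfigurationDatabase -DatabaseName "SharePoint_Config" `
        -DatabaseServer $dbServer `
        -AdministrationContentDatabaseName "SharePoint_Admin_Content" `
        -FarmCredentials $scaCred -Passphrase $passphrase `
        -SkipRegisterAsDistributedCacheHost
}
```

Run it without arguments on AP01 and with -JoinExistingFarm on each remaining server, entering the same passphrase each time.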

Enable Licensing

1. Open the SharePoint 15 Management Shell, and then edit and execute the following:

$allAuthUsers = New-SPClaimsPrincipal -Identity "NT Authority\Authenticated Users" -IdentityType WindowsSecurityGroupName

New-SPUserLicenseMapping -Claim $allAuthUsers -License "<<License Type value from TBR>>" | Add-SPUserLicenseMapping

Enable-SPUserLicensing

Register Managed Accounts

1. In Central Administration go to Security | Configure Managed Accounts

2. Ensure that the following accounts are registered.

managed/ms-svc-wap

managed/ms-svc-sa

managed/ms-svc-sbx

Configure Services (Generic)

Topic Last Modified: 2014-05-06

Important: The instructions for configuring services are organized to get the farm up and running as fast as possible. In order to ensure that nothing is missed it is recommended that each section relating to service configuration be performed in the order presented.

Configure Distributed Cache

Repeat the following on each FE server in the farm.

1. Open the SharePoint 15 Management Shell, and then edit and execute the following:

Add-SPDistributedCacheServiceInstance

Configure Other Services

1. In Central Administration, go to System Settings | Servers | Manage services on server

Note: A drop down at the top of the list allows you to switch from server to server, so all servers

previously added to the farm can be configured from AP01.

2. Start the service on each machine as noted in the tables below.

FE Machines (FE01, FE02, FE03, etc.)

Service | Status
Access Database Service 2010 | Started
Access Services | Started
App Management Service | Started
Business Data Connectivity Service | Started
Central Administration | Stopped
Claims to Windows Token Service | Stopped
Distributed Cache | Started
Document Conversions Launcher Service | Stopped
Document Conversions Load Balancer Service | Stopped
Excel Calculation Services | Started
Lotus Notes Connector | Stopped
Machine Translation Service | Stopped
Managed Metadata Web Service | Started
Microsoft SharePoint Foundation Incoming E-Mail | Started
Microsoft SharePoint Foundation Sandboxed Code Service | Started
Microsoft SharePoint Foundation Subscription Settings Service | Started
Microsoft SharePoint Foundation Web Application | Started
Microsoft SharePoint Foundation Workflow Timer Service | Started
PerformancePoint Service | Stopped
PowerPoint Conversion Service | Stopped
Request Management | Stopped
Search Host Controller Service [1] | Started
Search Query and Site Setting Service | Started
Secure Store Service | Started
SharePoint Server Search [2] | Started
User Profile Service | Started
User Profile Synchronization Service [3] | Stopped
Visio Graphics Service | Started
Word Automation Services | Stopped
Work Management Service | Stopped

[1] This service will be started during the provisioning of the Search Service Application.

[2] This service will be started during the provisioning of the Search Service Application.

[3] Do not start the User Profile Synchronization Service now. It will be started later in this document.

AP (Admin Service) (AP01 only)

Service | Status
Central Administration | Started

AP (Admin Service) (AP01, AP02)

Service | Status
Access Database Service 2010 | Stopped
Access Services | Stopped
App Management Service | Stopped
Business Data Connectivity Service | Stopped
Claims to Windows Token Service | Stopped
Document Conversions Launcher Service | Stopped
Document Conversions Load Balancer Service | Stopped
Excel Calculation Services | Stopped
Lotus Notes Connector | Stopped
Machine Translation Service | Started
Managed Metadata Web Service | Stopped
Microsoft SharePoint Foundation Incoming E-Mail | Started
Microsoft SharePoint Foundation Sandboxed Code Service | Stopped
Microsoft SharePoint Foundation Subscription Settings Service | Started
Microsoft SharePoint Foundation Web Application | Started
Microsoft SharePoint Foundation Workflow Timer Service | Started
PerformancePoint Service | Stopped
PowerPoint Conversion Service | Stopped
Request Management | Stopped
Search Host Controller Service [4] | Started
Search Query and Site Setting Service | Stopped
Secure Store Service | Stopped
SharePoint Server Search [5] | Started
User Profile Service | Stopped
User Profile Synchronization Service [6] | Stopped
Visio Graphics Service | Stopped
Word Automation Services | Stopped
Work Management Service | Started

[4] This service will be started during the provisioning of the Search Service Application.

[5] This service will be started during the provisioning of the Search Service Application.

[6] Do not start the User Profile Synchronization Service now. It will be started later in this document.

AS (Search) (AS01, AS02, AS03, etc.)

Service | Status
Access Database Service 2010 | Stopped
Access Services | Stopped
App Management Service | Stopped
Business Data Connectivity Service | Stopped
Central Administration | Stopped
Claims to Windows Token Service | Stopped
Document Conversions Launcher Service | Stopped
Document Conversions Load Balancer Service | Stopped
Excel Calculation Services | Stopped
Lotus Notes Connector | Stopped
Machine Translation Service | Stopped
Managed Metadata Web Service | Stopped
Microsoft SharePoint Foundation Incoming E-Mail | Started
Microsoft SharePoint Foundation Sandboxed Code Service | Stopped
Microsoft SharePoint Foundation Subscription Settings Service | Stopped
Microsoft SharePoint Foundation Web Application | Started
Microsoft SharePoint Foundation Workflow Timer Service | Started
PerformancePoint Service | Stopped
PowerPoint Conversion Service | Stopped
Request Management | Stopped
Search Host Controller Service [7] | Started
Search Query and Site Setting Service | Stopped
Secure Store Service | Stopped
SharePoint Server Search [8] | Started
User Profile Service | Stopped
User Profile Synchronization Service | Stopped
Visio Graphics Service | Stopped
Word Automation Services | Stopped
Work Management Service | Stopped

[7] This service will be started during the provisioning of the Search Service Application.

[8] This service will be started during the provisioning of the Search Service Application.

Create Quota Templates

Topic Last Modified: 2014-05-06

Create the quota templates before creating the web applications:

1. In Central Administration, go to Application Management | Site Collections | Specify quota

templates.

2. Create 8 new quota templates using the [new blank template] as per the table below:

Name | Limit site storage to a max of: | Send warning email when site collection storage reaches: | Limit max usage per day to: | Send warning email when usage per day reaches:
2GB | 2000MB | 1600MB | 300 pt | 100 pt
5GB | 5000MB | 4000MB | 300 pt | 100 pt
10GB | 10000MB | 8000MB | 300 pt | 100 pt
20GB | 20000MB | 16000MB | 300 pt | 100 pt
50GB | 50000MB | 40000MB | 300 pt | 100 pt
60GB | 60000MB | 48000MB | 300 pt | 100 pt
100GB | 100000MB | 80000MB | 300 pt | 100 pt
200GB | 200000MB | 160000MB | 300 pt | 100 pt
400GB | 400000MB | 320000MB | 300 pt | 100 pt
Personal Site | 1024MB | 820MB | 300 pt | 100 pt

Configure Outgoing Email

Topic Last Modified: 2014-05-06

Important: This procedure should be skipped if the customer does not subscribe to SPO. For non-SPO

customers, SMTP configuration is not necessary.

By default, email should be disabled. It should be configured in SFS.

1. In Central Administration, go to System Settings | E-Mail and Text Messages (SMS) |

Configure outgoing e-mail settings.

2. Configure the following:

a. Provide an outbound SMTP server address (either from the MGD or customer forest) that

will accept routing requests from all SharePoint servers.

Note: The SMTP server address should be a fully qualified domain name. Do not use an IP address,

even if it is an F5 VIP.

b. Provide a From address: e.g., [email protected].

c. Provide a Reply-to address: e.g., [email protected].

Create Web Applications

Topic Last Modified: 2014-05-06

We create web applications for customers using Central Administration. The following table outlines what web applications to create.

Note: Create all the web applications in all environments, with the following exception: the Partner Access web application is only created if the customer has purchased that option.

1. In Central Administration, go to Application Management | Web Applications | Manage Web Applications

2. For each of the specified web applications below, in the ribbon bar, click Contribute | New and then supply specified settings:

| Web Application | Notes |
| --- | --- |
| My Sites | https://my.contoso.com |
| Portal | https://portal.contoso.com |
| Team | https://team.contoso.com |
| Partner (optional) | https://extranet.contoso.com |

| Settings for Web Applications | Claims |
| --- | --- |
| Name | Supplied by customer |
| IIS Web Site : Port | 443 |
| IIS Web Site : Host Header | Supplied by customer |
| IIS Web Site : Path | <Default value> |
| Security Configuration: Allow Anonymous | No |
| Security Configuration: Use Secure Sockets Layer (SSL) | Yes |
| Claims Authentication Types | Enable Windows Authentication: Integrated Windows Authentication (checked), NTLM |
| Public URL | <Default value> |
| Application Pool | Create a new app pool for each web application. Create a new application pool named <<URL Provided by the Customer>>. Use the managed\ms-svc-wap account. |
| Database Name and Authentication: Database Server | Primary SQL in content storage group (SQ01) |
| Database Name and Authentication: Database Name | The default naming scheme for databases is <application>_content_<##>. |
| Failover Server | <Leave blank> |
| Service Application Connections | <Default value> |
| Customer Experience Improvement Program | No |

Create Web Application to Host SharePoint Apps

To create an additional web application for hosting SharePoint applications, use the following settings.

1. In Central Administration, go to Application Management | Web Applications | Manage Web Applications

2. For each of the specified web applications below, in the ribbon bar, click Contribute | New and then supply specified settings:

| Settings for Web Applications | Claims |
| --- | --- |
| Name | AppsManagementSite |
| IIS Web Site : Port | 443 |
| IIS Web Site : Host Header | <Leave blank> |
| IIS Web Site : Path | E:\inetpub\wwwroot\wss\VirtualDirectories\AppsManagementSite443 |
| Security Configuration: Allow Anonymous | No |
| Security Configuration: Use Secure Sockets Layer (SSL) | Yes |
| Claims Authentication Types | Enable Windows Authentication: Integrated Windows Authentication (checked), NTLM |
| Public URL | <Default value> |
| Application Pool | Create a new application pool named AppsManagementSite. Use the managed\ms-svc-wap account. |
| Database Name and Authentication: Database Server | Primary SQL in content storage group (SQ01) |
| Database Name and Authentication: Database Name | AppsManagementSite_content_01 |
| Failover Server | <Leave blank> |
| Service Application Connections | <Default value> |
| Customer Experience Improvement Program | No |
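Once the content web applications and AppsManagementSite exist, the security-relevant rows of both settings tables (anonymous access, SSL on port 443, claims with Windows NTLM, app pool account) can be read back from the farm. The script below is an added example, not part of the original guide; the function name Get-WebAppBuildFindings is hypothetical, and the expected app pool account is taken from the tables above.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# App pool account named in the settings tables (adjust if the farm uses another).
$expectedPoolAccount = 'managed\ms-svc-wap'

function Get-WebAppBuildFindings {
    param(
        [Parameter(Mandatory = $true)]
        [Microsoft.SharePoint.Administration.SPWebApplication]$WebApp,
        [Parameter(Mandatory = $true)]
        [string]$PoolAccount
    )
    $findings = @()

    if ($WebApp.ApplicationPool.Username -ne $PoolAccount) {
        $findings += "App pool runs as '$($WebApp.ApplicationPool.Username)', expected '$PoolAccount'"
    }

    # A web application has one SPIisSettings entry per zone it is extended into.
    foreach ($entry in $WebApp.IisSettings.GetEnumerator()) {
        $zone = $entry.Key
        $iis  = $entry.Value

        if ($iis.AllowAnonymous)              { $findings += "[$zone] Allow Anonymous is enabled (expected No)" }
        if ($iis.ServerBindings.Count -gt 0)  { $findings += "[$zone] has a non-SSL binding (expected SSL only)" }
        if ($iis.SecureBindings.Count -eq 0)  { $findings += "[$zone] has no SSL binding (expected port 443)" }
        foreach ($binding in $iis.SecureBindings) {
            if ($binding.Port -ne 443) { $findings += "[$zone] SSL binding on port $($binding.Port) (expected 443)" }
        }

        if (-not $iis.UseClaimsAuthentication) {
            $findings += "[$zone] uses classic-mode authentication (expected claims)"
            continue
        }

        # Claims zones expose their providers through Get-SPAuthenticationProvider.
        $providers = @(Get-SPAuthenticationProvider -WebApplication $WebApp -Zone $zone)
        $windows   = @($providers | Where-Object {
            $_ -is [Microsoft.SharePoint.Administration.SPWindowsAuthenticationProvider] })

        if ($windows.Count -eq 0) { $findings += "[$zone] Windows authentication is not enabled" }
        foreach ($provider in $windows) {
            if (-not $provider.UseWindowsIntegratedAuthentication) {
                $findings += "[$zone] Integrated Windows Authentication is not checked"
            }
            if (-not $provider.DisableKerberos) {
                $findings += "[$zone] Negotiate (Kerberos) is selected; the settings table specifies NTLM"
            }
            if ($provider.UseBasicAuthentication) {
                $findings += "[$zone] Basic authentication is enabled (not in the settings table)"
            }
        }
        if ($providers.Count -gt $windows.Count) {
            $findings += "[$zone] has additional authentication providers beyond Windows"
        }
    }
    $findings
}

# One row per web application; an empty Findings column means the build matches the tables.
Get-SPWebApplication | ForEach-Object {
    $found = @(Get-WebAppBuildFindings -WebApp $_ -PoolAccount $expectedPoolAccount)
    New-Object PSObject -Property @{
        WebApplication = $_.Name
        Url            = $_.Url
        Compliant      = ($found.Count -eq 0)
        Findings       = ($found -join '; ')
    }
} | Format-List WebApplication, Url, Compliant, Findings
```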

Set Up People Picker for Each URL

Topic Last Modified: 2014-04-02

SharePoint Online Dedicated service accounts are not automatically trusted by the customer Active Directory due to one-way trust. Please specify the following:

1. Start the SharePoint 2013 Management Shell.

2. Execute the following, where the password is a KeyPhrase provided from the KeePass database located at \\mgmt.msft.net\spo\Secured\000\000.kdbx:

    stsadm -o setapppassword -password <KeyPhrase>;

3. Repeat step 2 on all SharePoint machines. Ensure you have completed step 2 on all SharePoint machines before beginning step 4.

4. On AP01 in each farm, execute the following for all URLs including central admin. (Don’t run unless step 2 has completed):

    If ((Get-PsSnapin |?{$_.Name -eq "Microsoft.SharePoint.PowerShell"})-eq $null)
    {
        Write-Host -ForegroundColor White " - Loading SharePoint Powershell Snapin"
        $PSSnapin = Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
    }
    $pn = "peoplepicker-searchadForests"
    #Include customer forests/domains variables in the first line
    #For additional customer forests/domains remove the "#" in the second line and make additional copies of it as needed
    $pv = "DOMAIN:<Customer Domain>,<Customer People Picker Account>,<Password>;"
    #$pv += "DOMAIN:<Customer Domain>,<Customer People Picker Account>,<Password>;"
    #Include the management domain
    #Set the people picker on content web applications
    Get-SPWebApplication | % { stsadm -o setproperty -url $_.Url -pn $pn -pv $pv }
    #Include the managed domain for central admin
    $pv += "DOMAIN:<Management Domain FQDN>,<Management People Picker Account>,<Password>;"
    $pv = $pv + "DOMAIN:001d.mgd7.msft.net;"
    #Set the people picker on central admin web app
    Get-SPWebApplication -IncludeCentralAdministration | where { $_.DisplayName -like "SharePoint Central Administration*" } | % { stsadm -o setproperty -url $_.Url -pn $pn -pv $pv }

Configure Web Applications (Common Settings)

Topic Last Modified: 2014-05-06

The following common settings must be applied to each content web application (My, Portal, Team, Partner Access).

General Settings

1. In Central Administration, go to Application Management | Web Applications | Manage web applications | General Settings

2. Configure the following settings:

Time Zone: As specified in the discovery documentation

Default Quota (My Web App): Personal Site

Default Quota (Other Web Apps): 2 GB

Browser File Handling: Permissive

Security Validation: 60 minutes

Recycle Bin | Delete items in the Recycle Bin: after 35 days

Maximum Upload Size: 2047 MB

3. Repeat step 2 for each content web application (Team, Portal, My, and Partner Access).

Configure Managed Paths

1. In Central Administration, go to Application Management | Web Applications | Manage web applications | Managed Paths

2. Configure the following settings, and delete any included paths not called out below:

Included Paths (My Web App): (root) – Explicit inclusion; personal – Wildcard inclusion

Included Paths (Other Web Apps): (root) – Explicit inclusion; sites – Wildcard inclusion

3. Repeat step 2 for each content web application.

Configure Blocked File Types

Repeat the following for each web application.

1. In Central Administration, go to Application Management | Web Applications | Manage web applications

2. Select the web application row, then click Blocked File Types

3. Remove all of the existing file types.

4. Enter the following list of file types:

ashx

asmx

asp

aspq

axd

cshtm

cshtml

json

rem


shtm

shtml

soap

stm

svc

vbhtm

vbhtml

xamlx

5. Click OK.
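Because the procedure replaces the default list rather than extending it, it is worth confirming afterwards that every web application carries exactly these 17 extensions. The script below is an added example, not part of the original guide; it reads the BlockedFileExtensions collection of each web application, reports drift, and rewrites the list only when $apply is set.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The list from step 4 of the procedure.
$required = @('ashx', 'asmx', 'asp', 'aspq', 'axd', 'cshtm', 'cshtml', 'json', 'rem',
              'shtm', 'shtml', 'soap', 'stm', 'svc', 'vbhtm', 'vbhtml', 'xamlx')

# $false only reports differences; $true performs steps 3 and 4 (clear, then add the list).
$apply = $false

foreach ($webApp in Get-SPWebApplication) {
    # Normalize case so "ASP" and "asp" compare as the same extension.
    $current = @($webApp.BlockedFileExtensions | ForEach-Object { $_.ToLowerInvariant() })

    $missing = @($required | Where-Object { $current  -notcontains $_ })
    $extra   = @($current  | Where-Object { $required -notcontains $_ })

    if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
        Write-Host "$($webApp.Url): blocked file types match the build guide list"
        continue
    }

    if ($missing.Count -gt 0) {
        Write-Warning "$($webApp.Url): not blocked but required: $($missing -join ', ')"
    }
    if ($extra.Count -gt 0) {
        Write-Warning "$($webApp.Url): blocked but not in the guide list: $($extra -join ', ')"
    }

    if ($apply) {
        $webApp.BlockedFileExtensions.Clear()
        foreach ($extension in $required) {
            $webApp.BlockedFileExtensions.Add($extension)
        }
        # Persist the change to the configuration database.
        $webApp.Update()
        Write-Host "$($webApp.Url): blocked file types reset to the build guide list"
    }
}
```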

Enable the BLOB Cache

Important: Do not make manual changes to the web.config files because manual changes will not be automatically applied to new servers brought into the farm or when web applications are extended into new zones.

By default, the disk-based BLOB cache is off and must be enabled on each content web application of each FE server and AP-01.

1. Open the SharePoint 2013 Management Shell and execute the following:

    Add-PSSnapin microsoft.sharepoint.powershell -ErrorAction SilentlyContinue
    Write-Host "Updating the Blob Cache"
    [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null
    $BlobCachePath = "configuration/SharePoint/BlobCache"
    $WebConfigModifications=@{"path"="(?:(^.{0,160}))\.(gif|jpg|jpeg|jpe|jfif|bmp|dib|tif|tiff|ico|png|wdp|hdp|css|js|asf|avi|flv|m4v|mov|mp3|mp4|mpeg|mpg|rm|rmvb|wma|wmv|ogg|ogv|oga|webm|xap)$"; "enabled"="true"}
    $SPWebApps = Get-SPWebApplication
    $Method = [Microsoft.SharePoint.Administration.SPServiceCollection].GetMethod("GetValue", [string])
    $GenericMethod = $Method.MakeGenericMethod([Microsoft.SharePoint.Administration.SPWebService])
    $Farm = [Microsoft.SharePoint.Administration.SPFarm]::Local
    foreach ($SPWebApp in $SPWebApps){
        Write-Host "Modifying the Web App $($SPWebApp.Name)"
        foreach ($Key in $WebConfigModifications.Keys){
            $SPWebConfigModification= new-object Microsoft.SharePoint.Administration.SPWebConfigModification
            $SPWebConfigModification.Name= $Key
            $SPWebConfigModification.Owner= "SPO dedicated"
            $SPWebConfigModification.Path= $BlobCachePath
            $SPWebConfigModification.Type="EnsureAttribute"
            $SPWebConfigModification.Value=$WebConfigModifications[$Key]
            $SPWebApp.WebConfigModifications.Add($SPWebConfigModification)
        }
        $SPWebApp.Update()
    }
    $FarmService = $GenericMethod.Invoke($Farm.Services,"")
    $FarmService.ApplyWebConfigModifications()
    Write-Host "Updated the Blob cache successfully"

Apply Web App Policy and User Policy (Kiosk Worker)

Note: Skip this procedure if your organization does not employ kiosk workers.

For customers that have purchased the kiosk worker USL option, it is necessary to create a web application policy to restrict the tasks that kiosk workers can perform in SharePoint. In addition to this web app policy, you must create a user policy to associate this web app policy with a Role Claim or AD Group.

1. In Central Administration, go to Application Management | Web Applications | Manage web applications | Permission Policy | Add Permission Policy Level

2. Configure the following settings:

Name: Kiosk Workers

Description: Deny policy for kiosk workers

Manage Lists: Deny

Override List Behaviors: Deny

Approve Items: Deny

Manage Permissions: Deny

View Web Analytics Data: Deny

Create Subsites: Deny

Manage Web Site: Deny

Add and Customize Pages: Deny

Apply Themes and Borders: Deny

Apply Style Sheets: Deny

Create Groups: Deny


Use Self-Service Site Creation: Deny

Enumerate Permissions: Deny

Manage Alerts: Deny

Use Client Integration Features: Deny

Manage Personal Views: Deny

Add/Remove Personal Web Parts: Deny

Update Personal Web Parts: Deny

3. In Central Administration, go to Application Management | Web Applications | Manage web applications | User Policy | Add Users

4. Configure the following settings:

Zones: (All zones)

Users: Security group specified by the customer

Permissions: Kiosk Workers

Account operates as System: leave unchecked.

5. Repeat steps 1 through 4 for each content web application (Team, Portal, My, and Partner Access).
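Steps 1 through 5 can be applied consistently across the content web applications from the SharePoint 2013 Management Shell. The script below is an added example, not part of the original guide; the group name CONTOSO\Kiosk-Workers is a placeholder for the security group specified by the customer, and the mapping of the Central Administration permission labels to SPBasePermissions names is an assumption stated in the comments.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$roleName        = 'Kiosk Workers'
$roleDescription = 'Deny policy for kiosk workers'
$kioskGroup      = 'CONTOSO\Kiosk-Workers'   # placeholder: security group specified by the customer

# Assumed mapping of the 18 permissions denied in step 2 to SPBasePermissions names.
# Casting a comma-separated string builds the combined 64-bit flags value.
$denyMask = [Microsoft.SharePoint.SPBasePermissions](@(
    'ManageLists',             # Manage Lists
    'CancelCheckout',          # Override List Behaviors
    'ApproveItems',            # Approve Items
    'ManagePermissions',       # Manage Permissions
    'ViewUsageData',           # View Web Analytics Data
    'ManageSubwebs',           # Create Subsites
    'ManageWeb',               # Manage Web Site
    'AddAndCustomizePages',    # Add and Customize Pages
    'ApplyThemeAndBorder',     # Apply Themes and Borders
    'ApplyStyleSheets',        # Apply Style Sheets
    'CreateGroups',            # Create Groups
    'CreateSSCSite',           # Use Self-Service Site Creation
    'EnumeratePermissions',    # Enumerate Permissions
    'ManageAlerts',            # Manage Alerts
    'UseClientIntegration',    # Use Client Integration Features
    'ManagePersonalViews',     # Manage Personal Views
    'AddDelPrivateWebParts',   # Add/Remove Personal Web Parts
    'UpdatePersonalWebParts'   # Update Personal Web Parts
) -join ', ')

# Content web applications only; AppsManagementSite is not a content web application.
$webApps = Get-SPWebApplication | Where-Object { $_.Name -ne 'AppsManagementSite' }

foreach ($webApp in $webApps) {
    # Steps 1-2: create the permission policy level if missing, then set a deny-only mask.
    $role = $webApp.PolicyRoles | Where-Object { $_.Name -eq $roleName }
    if (-not $role) {
        $role = $webApp.PolicyRoles.Add($roleName, $roleDescription)
    }
    $role.GrantRightsMask = [Microsoft.SharePoint.SPBasePermissions]::EmptyMask
    $role.DenyRightsMask  = $denyMask

    # Steps 3-4: the user policy for all zones. Claims web applications store the
    # claims-encoded form of the group, so encode it before comparing or adding.
    $defaultZone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    if ($webApp.IisSettings[$defaultZone].UseClaimsAuthentication) {
        $principal = New-SPClaimsPrincipal -Identity $kioskGroup -IdentityType WindowsSecurityGroupName
        $login = $principal.ToEncodedString()
    } else {
        $login = $kioskGroup
    }

    $policy = $webApp.Policies | Where-Object { $_.UserName -eq $login }
    if (-not $policy) {
        $policy = $webApp.Policies.Add($login, $roleName)
    }
    $policy.IsSystemUser = $false   # "Account operates as System: leave unchecked"
    if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Name -eq $roleName })) {
        $policy.PolicyRoleBindings.Add($role)
    }
    $webApp.Update()

    # Read the saved role back so the operator can confirm what was persisted.
    $saved = $webApp.PolicyRoles | Where-Object { $_.Name -eq $roleName }
    Write-Host ("{0}: '{1}' denies {2}" -f $webApp.Url, $roleName, $saved.DenyRightsMask)
}
```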

Set Up Super User and Super Reader Accounts

Publishing sites depend on the object cache for maximum performance. This is also a required setting for claims authentication where the default users don’t resolve correctly and receive “Access Denied” error messages when navigating to the site.

1. Edit lines 2 and 4 of the script below with the Portal Super User account and the Portal Super Reader account.

2. Execute the script once on the AP01 server:

    # Create Object Cache Account Settings
    $SuperUserAccount = "mgd\ms-svc-psu"
    # Use
    $SuperReaderAccount = "mgd\ms-svc-psr"
    $superReaderPropertyString = "portalsuperreaderaccount"
    $superUserPropertyString = "portalsuperuseraccount"
    $FullReadRoleName = "Full Read"
    $FullControlRoleName = "Full Control"
    Get-SPWebApplication | %{
        $Zone = $_.IISSettings.Item("Default")
        # Start from the plain account names so a non-claims web application
        # never reuses encoded values left over from a previous iteration
        $SuperUserAccountEncoded = $SuperUserAccount
        $SuperReaderAccountEncoded = $SuperReaderAccount
        # Claims web applications need the claims-encoded form of each account
        if($Zone.UseClaimsAuthentication -eq $True){
            $SuperUserPrincipal = New-SPClaimsPrincipal -Identity $SuperUserAccount -IdentityType WindowsSamAccountName
            $SuperUserAccountEncoded = $SuperUserPrincipal.ToEncodedString()
            $superReaderPrincipal = New-SPClaimsPrincipal -Identity $SuperReaderAccount -IdentityType WindowsSamAccountName
            $SuperReaderAccountEncoded = $superReaderPrincipal.ToEncodedString()
        }
        # Super Reader: user policy with Full Read, recorded in the web application properties
        $SuperReaderPolicy = $_.Policies | WHERE {$_.DisplayName -eq "Object Cache Super Reader"}
        if ($SuperReaderPolicy -eq $Null){
            $SuperReaderPolicy = $_.Policies.Add($SuperReaderAccountEncoded, "Object Cache Super Reader")
        }
        $Role = $_.PolicyRoles | where {$_.Name -like $FullReadRoleName}
        $SuperReaderPolicy.PolicyRoleBindings.Add($Role)
        $_.Properties[$superReaderPropertyString] = [System.String]$SuperReaderAccountEncoded
        # Super User: user policy with Full Control, recorded in the web application properties
        $SuperUserPolicy= $_.Policies | WHERE {$_.DisplayName -eq "Object Cache Super User"}
        if ($SuperUserPolicy -eq $Null){
            $SuperUserPolicy = $_.Policies.Add($SuperUserAccountEncoded, "Object Cache Super User")
        }
        $Role = $_.PolicyRoles | where {$_.Name -like $fullControlRoleName}
        $SuperUserPolicy.PolicyRoleBindings.Add($Role)
        $_.Properties[$superUserPropertyString] = [System.String]$SuperUserAccountEncoded
        $_.Update()
    }
    #endregion

Add Administrators to Web App Policy

To facilitate troubleshooting customer issues, all admins are granted rights to all content in each of the web applications. This is done via a web app policy set for each web application.

1. In Central Administration, go to Application Management | Web Applications | Manage Web Applications | Select a Content Web Application | User Policy | Add Users

2. Add the following user with Full Control:

Zones: (All zones)

Users: Add your SharePoint farm administrators group

Permissions: Full Control


Account operates as System: leave unchecked.

3. Repeat steps 1 and 2 for each content web application (My, Portal, Team, Partner Access).

4. Repeat this procedure to add customer provided admin groups if available.

Configure List Throttle Settings

To allow for large list operations and the need to administer large lists, configure “happy hour” settings.

1. In Central Administration, go to Application Management | Web Applications | Manage Web Applications | Select a Content Web Application | General Settings | Resource Throttling

ListView Threshold: 12

Daily Time Window for Large Queries

Enable a daily time window for large queries: enabled

Start Time: 6 pm 00

Duration: 6 hours

2. Repeat for each content web application (My, Portal, Team, and Partner Access)

Set Setup User Account as System

Topic Last Modified: 2014-04-02

Important: The instructions for configuring services are organized to get the farm up and running as fast as possible. In order to ensure that nothing is missed, it is recommended that each section relating to service configuration be performed in the order presented.

Add your management account as system to mask your user name when content visible to end users is created:

1. In Central Administration, go to Application Management | Web Applications | Manage Web Applications | Select a Content Web Application | User Policy | Add Users

Zones: (All zones)

Users: <add your mgmt account>

Permissions: Full Control

Account operates as System: Check this box.

2. Repeat for all content web applications (My, Team, and Portal).
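The "Add Administrators to Web App Policy" and "Set Setup User Account as System" procedures both grant Full Control over all content through web application user policies, and a system account's name is masked on content it creates, so the resulting policy list is worth reviewing after the build. The script below is an added example, not part of the original guide; the function name Get-WebAppPolicyReport and the entries in $expected are assumptions to be replaced with the farm's real accounts (groups appear in claims-encoded policies by SID, not by name).

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: identities this farm expects to hold Full Control or to operate as System.
# 'mgd\ms-svc-psu' is the Super User account from the object cache script; the other
# two entries are placeholders for the farm administrators group and the mgmt account.
$expected = @(
    'mgd\ms-svc-psu',
    '<SID of the SharePoint farm administrators group>',
    '<DOMAIN\mgmt account>'
)

function Get-WebAppPolicyReport {
    param(
        [Parameter(Mandatory = $true)]
        [Microsoft.SharePoint.Administration.SPWebApplication]$WebApp,
        [string[]]$Expected = @()
    )
    foreach ($policy in $WebApp.Policies) {
        $roles = @($policy.PolicyRoleBindings)
        $hasFullControl = @($roles | Where-Object { $_.Type -eq 'FullControl' }).Count -gt 0

        # Claims-encoded names look like "i:0#.w|domain\user" (users) or "c:0+.w|<sid>"
        # (Windows groups); compare on the part after the last "|".
        $identity = ($policy.UserName -split '\|')[-1]

        # Only high-privilege entries need a decision: Full Control or operates as System.
        $privileged = $hasFullControl -or $policy.IsSystemUser
        $known      = $Expected -contains $identity

        New-Object PSObject -Property @{
            WebApplication = $WebApp.Name
            UserName       = $policy.UserName
            DisplayName    = $policy.DisplayName
            Roles          = (($roles | ForEach-Object { $_.Name }) -join ', ')
            IsSystemUser   = $policy.IsSystemUser
            NeedsReview    = ($privileged -and -not $known)
        }
    }
}

$report = Get-SPWebApplication | ForEach-Object {
    Get-WebAppPolicyReport -WebApp $_ -Expected $expected
}

# Full listing for the build record.
$report | Sort-Object WebApplication, UserName |
    Format-Table WebApplication, UserName, Roles, IsSystemUser, NeedsReview -AutoSize

# Privileged entries that are not on the expected list.
$unexpected = @($report | Where-Object { $_.NeedsReview })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) privileged policy entries are not on the expected list"
}
```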


Create Site Collections

Topic Last Modified: 2014-02-11

Site collections must be created at this stage to support creation of the Service Applications and to allow Self-Service Site Creation to be enabled.

1. In Central Administration, go to Application Management | Site Collections | Create site collections

2. Create root site collections for each web application using the parameters listed in the following table:

| Parameter | My | Portal | Team | Partner Access |
| --- | --- | --- | --- | --- |
| Title | My Site | Portal | Team | Partner Access |
| Web Application | Provided by customer | Provided by customer | Provided by customer | Provided by customer |
| Template | Enterprise \| My Site Host | Publishing \| Publishing Portal | Collaboration \| Team Site | Collaboration \| Team Site |
| Primary Site Collection Admin | | Provided by customer | Provided by customer | Provided by customer |
| Secondary Site Collection Admin | n/a | Provided by customer | Provided by customer | Provided by customer |
| Primary Site Collection Admin on PPE | | Provided by customer | Provided by customer | Provided by customer |
| Secondary Site Collection Admin on PPE | n/a | Provided by customer | Provided by customer | Provided by customer |
| Quota | No quota | 100 GB | 5 GB | 5 GB |
| Members Group | All IW Users | n/a | n/a | n/a |
| Visitors Group | NT AUTHORITY\authenticated users | n/a | n/a | n/a |

3. To support service applications, create a Content Hub site collection and a Broadcast Site site collection. The following table provides the required setting parameters:

| Parameter | Content Hub (footnote 9) | Search Center |
| --- | --- | --- |
| URL | Team URL\sites\contenthub | Team URL/sites/searchcenter |
| Template | Collaboration \| Team Site | Enterprise \| Enterprise Search Center |
| Primary Site Collection Admin | Provided by customer | Provided by customer |
| Quota | 5 GB | 2 GB |
| Members Group | Set by Customer After Service Ready | Set by Customer After Service Ready |
| Visitors Group | Set by Customer After Service Ready | NT Authority\Authenticated Users |

4. After creating the ContentHub site collection, navigate to the site collection and enable the Content Type Syndication Hub site collection feature.


Create Service Applications

Topic Last Modified: 11-December-2015

Important: The instructions for configuring service applications are organized to get the farm up and running as fast as possible. In order to ensure that nothing is missed, we recommend that each section relating to service application configuration be performed in the order presented.

Most service applications will use default settings. Below we highlight which settings to change when configuring each service application. If this is a new customer, all settings will be default. If building out an existing customer, build out first with the defaults; the delta (based on change requests) will be applied afterwards.

The generic steps to create service applications are as follows:

Note: Only log in as the Farm Administrator account when configuring the Sync service.

1. In Central Administration, go to Application Management | Service Applications | Manage service applications.

2. For each service, click New and select Service Application.

3. For Name, choose the title of the type of Service Application (for example: Access Services Application).

4. All databases should be created on SQ01 and use the provided database name if the service application has an associated database (not all do).

5. All service applications should use the SharePoint Service Applications App Pool, created first for Access Services.

6. Use the following settings for each service application:

Access Services Application

Name: Access Services Application

Application Pool: SharePoint Service Applications

App Management Service

Name: App Management Service Application

Database Name: App_Management_DB

Application Pool: SharePoint Service Applications

Business Data Connectivity Service

Name: Business Data Connectivity Service Application


Database Name: BDC_Service_DB

Application Pool: SharePoint Service Applications

Excel Service Application

Name: Excel Service Application

Application Pool: SharePoint Service Applications

Machine Translation Service

Name: Machine Translation Service Application

Application pool: SharePoint Service Applications

Add to Default Proxy List: Checked

Database Name: Machine_Translation_Service_DB

Managed Metadata Service Application

Name: Managed Metadata Service Application

Database Name: Managed_Metadata_DB

Application Pool: SharePoint Service Applications

Content Type Hub: Provided by the customer.

User Profile Service Application

Name: User Profile Service Application

Application pool: SharePoint Service Applications

Profile database name: Profile_DB

Sync database name: Sync_DB

Social Tagging Database name: Social_DB

Profile Synchronization Instance: AP-01

My Site Host URL: https://<mysite URL>/

My Site Managed Path: /personal

Site Naming Format: Domain and user name (will not have conflicts)

Additional Connection Permissions for User Profile Service Application: MGMT\ms-svc-orc (Full Control)

Search Service Application – Do not provision at this time.

Secure Store Service Application

Name: Secure Store Service Application


Database name: Secure_Store_Service_DB

Application Pool: SharePoint Service Applications

Visio Graphics Service Application

Name: Visio Graphics Service Application

Application Pool: SharePoint Service Applications

Work Management Service Application

7. On AP01, open the SharePoint 2013 Management Shell and execute the following PowerShell script:

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    # Remove existing Work Management Service Application
    $svc = Get-SPServiceApplication | ? { $_.TypeName -eq "Work Management Service Application" }
    $svcPxy = Get-SPServiceApplicationProxy | ? { $_.TypeName -eq "Work Management Service Application Proxy" }
    #Find the web app app pool identity. Work management must use the same identity
    # as the web app so that it can aggregate all the tasks for all web apps
    $webApp = Get-SPWebApplication | ? Name -ne AppsManagementSite | Select -First 1
    $managedAccount = $webApp.ApplicationPool.ManagedAccount
    if ($svc.ApplicationPool.ProcessAccountName -eq $managedAccount.Username)
    {
        Write-Host "No changes are required. Work Management service and web app identities are the same."
    }
    else
    {
        if ($svcPxy)
        {
            Write-Host "Removing the Work Management Service Application Proxy..." -NoNewline
            $svcPxy | Remove-SPServiceApplicationProxy -Confirm:$false
            Write-Host "Done" -ForegroundColor Green
        }
        if ($svc)
        {
            Write-Host "Removing the Work Management Service Application..." -NoNewline
            $svc | Remove-SPServiceApplication -Confirm:$false
            Write-Host "Done" -ForegroundColor Green
        }
        #Find the web app app pool identity. Work management must use the same identity
        # as the web app so that it can aggregate all the tasks for all web apps
        $webApp = Get-SPWebApplication | ? Name -ne AppsManagementSite | Select -First 1
        $managedAccount = $webApp.ApplicationPool.ManagedAccount
        #Create a new service app pool for work management
        $appPoolName = "Work Management Service Application"
        if (-not (Get-SPServiceApplicationPool | ? { $_.Name -eq $appPoolName } ))
        {
            Write-Host "Creating $appPoolName app pool..." -NoNewline
            New-SPServiceApplicationPool -Name $appPoolName -Account $managedAccount | Out-Null
            Write-Host "Done" -ForegroundColor Green
        }
        else
        {
            Write-Host "$appPoolName app pool already exists"
        }
        #Create the Service Application using the new app pool
        if (-not (Get-SPServiceApplication | ? { $_.Name -eq "Work Management Service Application" } ))
        {
            Write-Host "Creating Work Management Service Application and Proxy..." -NoNewline
            New-SPWorkManagementServiceApplication -Name "Work Management Service Application" -ApplicationPool $appPoolName | Out-Null
            New-SPWorkManagementServiceApplicationProxy -Name "Work Management Service Application Proxy" -ServiceApplication "Work Management Service Application" -DefaultProxyGroup | Out-Null
            Write-Host "Done" -ForegroundColor Green
        }
    }

8. Subscription Settings Service Application

On AP01, open the SharePoint 15 Management Shell and execute the following PowerShell script:

    If ((Get-PsSnapin |?{$_.Name -eq "Microsoft.SharePoint.PowerShell"})-eq $null)
    {
        Write-Host -ForegroundColor White " - Loading SharePoint Powershell Snapin"
        $PSSnapin = Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
    }
    $appPool = Get-SPServiceApplicationPool "SharePoint Service Applications"
    $appSubSvc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $appPool -Name "Subscription Settings Service Application" -DatabaseName "SubscriptionSettingsServiceDB"
    $proxySubSvc = New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $appSubSvc


9. Start the State Service (via PowerShell)

a. On AP-01, in the SharePoint 15 Management Shell, execute the following PowerShell script:

    If ((Get-PsSnapin |?{$_.Name -eq "Microsoft.SharePoint.PowerShell"})-eq $null)
    {
        Write-Host -ForegroundColor White " - Loading SharePoint Powershell Snapin"
        $PSSnapin = Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
    }
    Try
    {
        $StateServiceDB = "SharePoint_State_Service"
        $StateServiceName = "State Service Application"
        $StateServiceProxyName = "State Service Application"
        $GetSPStateServiceApplication = Get-SPStateServiceApplication
        If ($GetSPStateServiceApplication -eq $Null)
        {
            Write-Host -ForegroundColor White " - Provisioning State Service Application..."
            New-SPStateServiceDatabase -Name $StateServiceDB | Out-Null
            New-SPStateServiceApplication -Name $StateServiceName -Database $StateServiceDB | Out-Null
            Get-SPStateServiceDatabase | Initialize-SPStateServiceDatabase | Out-Null
            Write-Host -ForegroundColor White " - Creating State Service Application Proxy..."
            Get-SPStateServiceApplication | New-SPStateServiceApplicationProxy -Name $StateServiceProxyName -DefaultProxyGroup | Out-Null
            Write-Host -ForegroundColor White " - Done creating State Service Application."
        }
        Else {Write-Host -ForegroundColor White " - State Service Application already provisioned."}
    }
    Catch
    {
        Write-Output $_
    }

10. Configure the SharePoint Server ASP.Net Session State Service (via PowerShell)

a. On AP-01, in the SharePoint 15 Management Shell, execute the following PowerShell script:

    If ((Get-PsSnapin |?{$_.Name -eq "Microsoft.SharePoint.PowerShell"})-eq $null)
    {
        Write-Host -ForegroundColor White " - Loading SharePoint Powershell Snapin"
        $PSSnapin = Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
    }
    Try
    {
        if ((Get-SPSessionStateService).SessionStateEnabled -eq $false)
        {
            Write-Host -ForegroundColor White " - Enabling SP Session State Service..."
            Enable-SPSessionStateService -DatabaseName "Session_State_Service"
            Write-Host -ForegroundColor White " - Done enabling SP Session State Service."
        }
        Else {Write-Host -ForegroundColor White " - SP Session State Service already enabled."}
    }
    Catch
    {
        Write-Output $_
    }

Configure the App Management Service 1. Open the SharePoint 15 Management shell and execute:

Set-SPAppDomain "<<999d>>spoapp.com" Set-SPAppSiteSubscriptionName -Name apps -Confirm:$false

Note: For PPE, the app domain must be set to ppe<<999d>>spoapp.com

Important: For AppsManagementSite, DO NOT perform step 2.

2. For each content web application (except for AppsManagementSite), in Central Administration, go to Apps | App Management | Manage App Catalog.

3. Select the web application from the drop down at the top of the page.

4. Select Create a new app catalog site.

5. Click OK.

6. Use the following settings:

Title: SharePoint App Catalog

Description: Catalog site for SharePoint applications

URL:

My Sites: /personal/appcatalog

All other Web Apps: /sites/appcatalog

Primary Site Collection Admin: Provided by the customer.

Secondary Site Collection Admin: Provided by the customer.

End Users: NT AUTHORITY\authenticated users

Quota Template: 5 GB

7. To verify configuration, attempt to navigate to <servername>/_layouts/_WCF/UploadService.svc/mex. The location should not render.

Create Host Header Site Collection for Monitoring Apps Management Site

On AP01 server in each farm, execute the following PowerShell to create a host header site collection used for monitoring the apps web application:

Add-PSSnapin Microsoft.SharePoint.PowerShell
if (-not $cred) { $cred = Get-Credential (whoami) }
$appDomain = Get-SPAppDomain
$webAppName = "AppsManagementSite"
if (-not $appDomain)
{
    throw "Apps Domain is not properly set. Please follow the build guide steps for Set-SPAppDomain before continuing"; return;
}
$mgdDomainName = ((Get-SPFarm).DefaultServiceAccount).Name.Split("\")[0]
$baseUrl = "https://monitor.$appDomain/"
$webApp = Get-SPWebApplication $webAppName
if (-not $webApp)
{
    throw "Could not find web app $webAppName"; return;
}
New-SPSite $baseUrl -Template "STS#0" -OwnerAlias $webApp.ApplicationPool.Username -HostHeaderWebApplication $webApp

Configure Managed Metadata Service Application

1. In Central Administration, go to Application Management | Service Applications | Manage Service Applications.

2. Highlight the row for the Managed Metadata Service Application Proxy

3. Click Properties

4. In the Service Connection dialog, select all of the check boxes.

5. Click OK.

Configure Excel Service Application

1. In Central Administration, go to Application Management | Service Applications | Manage Service Applications | Excel Services Application and then click Manage.

2. Click Trusted File Locations.

3. Hover the cursor over http:// and then click Edit. Change to https://.

4. Under Change Workbook Properties | Maximum Workbook Size, change from 10 to 250 (MB).

5. Navigate to Manage Excel Services Application, and then click Global Settings.

6. In the External Data section, set the Target Application ID to 101.

7. Click OK.

Configure InfoPath Forms Services

1. In Central Administration, go to General Application Settings | InfoPath Forms Services | Configure InfoPath Forms Services.

2. Select Allow cross-domain data access for user form templates that use connection settings in a data connection file.

Configure Machine Translation Service Permissions

1. In Central Administration, go to Application Management | Service Applications | Manage Service Applications

2. Select the row for the Machine Translation Service Application

3. Click the Sharing | Permissions button in the ribbon

4. Add the ms-svc-sa account and grant it Full Control

5. Click OK.

Configure Search Service Application

On the AP01 machine, edit the first 18 lines of the PowerShell script below using Windows PowerShell ISE and then execute the script to provision the Search Service application and correctly configure the farm.

Important: If needing redundancy for production or test, set $IsProduction = $true.

$contactEmailAddress = "[email protected]"

# The server that is going to host central admin
$CAServer="AP01"

# Farm Machines
$AdminMachines = @("AP01")
$FEMachines = @("FE01")
# IMPORTANT: Specify these machines in order so that the index pairs will be provisioned on the correct servers
$SearchMachines = @("AS01", "AS02")

#Specify the name of the SQL server in the first services storage group
$SQLServer = "SS01"

# IMPORTANT: you must specify if this is a production installation. If $true, the search system will be configured with redundancy.
$IsProduction = $false

$AppPoolAccount = "MGD\ms-svc-sa"

### ------------------------------- ###
# Don't Change anything after this line
### ------------------------------- ###

If ((Get-PsSnapin |?{$_.Name -eq "Microsoft.SharePoint.PowerShell"})-eq $null)
{
    Write-Host -ForegroundColor White " - Loading SharePoint Powershell Snapin"
    $PSSnapin = Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
}

$CTSNodes = $SearchMachines
$APENodes = $CTSNodes
$CrawlNodes = $CTSNodes
$IMSNodes = $FEMachines
$AdminNodes = $AdminMachines
$SearchNodes = ($SearchMachines + $FEMachines + $AdminMachines) | Select -Unique
$searchAppName = "Search Service Application"
$QueryNodes1stRow = @()
$QueryNodes2ndRow = @()
$estimatedMaxItemCount = $SearchMachines.Count * 10000000
$numCrawlDBs = $estimatedMaxItemCount / 20000000
$numLinkDbs = [System.Math]::Ceiling($estimatedMaxItemCount / 60000000)

Write-Host "---------------------------"
#Configure two search indexes per machine pair, each machine will host both a primary index
# partition and a secondary index partition
if ($IsProduction)
{
    if (($SearchMachines.Count % 2) -ne 0) { throw "You must supply an even number of search machines" }
    0..($SearchMachines.Count/2 - 1) | % {
        $index = $_ * 2
        $QueryNodes1stRow += $SearchMachines[$index]
        $QueryNodes2ndRow += $SearchMachines[$index + 1]
        $QueryNodes1stRow += $SearchMachines[$index + 1]
        $QueryNodes2ndRow += $SearchMachines[$index]
    }
}
else
{
    $QueryNodes1stRow = $SearchMachines
}

#---------------------------#
#Start the search services
Write-Output "Start search service on all Servers"
$SearchNodes | Start-SPEnterpriseSearchServiceInstance
Write-Output "Wait for all Search service instances to be started"
do
{
    sleep 2
    $serviceInstances = Get-SPEnterpriseSearchServiceInstance | where{$_.Status -eq "Provisioning"}
    Write-Output "."
} while($serviceInstances -ne $null)
Get-SPEnterpriseSearchServiceInstance | Select TypeName, Server, Status, ID | ft

Write-Output "Start SearchQueryAndSiteSettings service on Query Servers"
$IMSNodes |Start-SPEnterpriseSearchQueryAndSiteSettingsServiceInstance
Write-Output "Wait for all SearchQueryAndSiteSettings service instances to be started"
do
{
    sleep 2
    $serviceInstances = Get-SPEnterpriseSearchQueryAndSiteSettingsServiceInstance | where{$_.Status -eq "Provisioning"}
    Write-Output "."
} while($serviceInstances -ne $null)
Get-SPEnterpriseSearchQueryAndSiteSettingsServiceInstance | Select TypeName, Server, Status, ID | ft

#--------------------------#
#Create the service app
Write-Output "Creating the Search service application"
$appPoolName=$searchAppName + " AppPool"
$managedAccount = get-SPManagedAccount -Identity $AppPoolAccount
$appPool = Get-SPServiceApplicationPool -Identity $appPoolName -ErrorAction SilentlyContinue
if ($appPool -eq $null) {$appPool = New-SPServiceApplicationPool -name $appPoolName -account $managedAccount.Username}
$searchApp = Get-SPServiceApplication -Name $searchAppName
if ($searchApp -eq $null)
{
    $searchApp = New-SPEnterpriseSearchServiceApplication -Name $searchAppName -ApplicationPool $appPool -DatabaseServer $SQLServer
}
else
{
    Write-Output "Search service application already exists"
}

foreach ($AdminNode in $AdminNodes)
{
    Write-Output "Initializing the administration component on $AdminNode"
    $searchInstance = Get-SPEnterpriseSearchServiceInstance $AdminNode
    $searchApp | Get-SPEnterpriseSearchAdministrationComponent | Set-SPEnterpriseSearchAdministrationComponent -SearchServiceInstance $searchInstance
    $admin = ($searchApp | Get-SPEnterpriseSearchAdministrationComponent)
    Write-Output "Waiting for the admin component to be initialized on $AdminNode"
    $timeoutTime=(Get-Date).AddMinutes(20)
    do {Write-Output .;Start-Sleep 10;} while ((-not $admin.Initialized) -and ($timeoutTime -ge (Get-Date)))
    # Double quotes so that $AdminNode is expanded in the error message
    if (-not $admin.Initialized) { throw "Admin Component could not get initialized on $AdminNode"}
    Write-Output "Admin component is initialized on $AdminNode"
}

#
# O15 Search topology
#
Write-Output "Creating O15 Search topology"
$searchApp = Get-SPEnterpriseSearchServiceApplication

### Search topology
$topology = New-SPEnterpriseSearchTopology -SearchApplication $searchApp

# Admin
foreach($s in $AdminNodes)
{
    New-SPEnterpriseSearchAdminComponent -SearchTopology $topology -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $s)
}
# Crawl
foreach($s in $CrawlNodes)
{
    New-SPEnterpriseSearchCrawlComponent -SearchTopology $topology -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $s)
}
# CTS
foreach($s in $CTSNodes)
{
    New-SPEnterpriseSearchContentProcessingComponent -SearchTopology $topology -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $s)
}
# Analytics
foreach($s in $APENodes)
{
    New-SPEnterpriseSearchAnalyticsProcessingComponent -SearchTopology $topology -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $s)
}
# IMS
foreach($s in $IMSNodes)
{
    New-SPEnterpriseSearchQueryProcessingComponent -SearchTopology $topology -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $s)
}
# Index
$i = 0
foreach($s in $QueryNodes1stRow)
{
    New-SPEnterpriseSearchIndexComponent -SearchTopology $topology -IndexPartition $i -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $QueryNodes1stRow[$i])
    if ($QueryNodes2ndRow.Count -gt 0)
    {
        New-SPEnterpriseSearchIndexComponent -SearchTopology $topology -IndexPartition $i -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $QueryNodes2ndRow[$i])
    }
    $i = $i + 1
}

$topology.Activate()
$timeoutTime=(Get-Date).AddMinutes(20)
do {Write-Output .;Start-Sleep 10;} while (($searchApp.GetTopology($topology.TopologyId).State -ne "Active") -and ($timeoutTime -ge (Get-Date)))
if ($searchApp.GetTopology($topology.TopologyId).State -ne "Active") { throw 'Could not activate the search topology'}
Write-Output "Search topology activated"

#Create additional crawl databases
$existingCrawlDbCount = (Get-SPEnterpriseSearchCrawlDatabase -SearchApplication $searchApp).Count
for($i = $existingCrawlDbCount+1; $i -le $numCrawlDBs; $i++)
{
    Write-Host "Creating Crawl DB #$i"
    New-SPEnterpriseSearchCrawlDatabase -SearchApplication $searchApp -DatabaseName "Search_Service_Application_CrawlStore_0$i" -DatabaseServer $SQLServer
}
$existingLinkDbCount = (Get-SPEnterpriseSearchLinksDatabase -SearchApplication $searchApp).Count
for($i = $existingLinkDbCount+1; $i -le $numLinkDBs; $i++)
{
    Write-Host "Creating Link DB #$i"
    New-SPEnterpriseSearchLinksDatabase -SearchApplication $searchApp -DatabaseName "Search_Service_Application_LinksStore_0$i" -DatabaseServer $SQLServer
}
#Get-SPEnterpriseSearchCrawlDatabase -SearchApplication $searchApp | ? { $_.Name -eq $SQLServer } | Remove-SPEnterpriseSearchCrawlDatabase

if ((Get-SPServiceApplicationProxy | ? { $_.Name -eq ($searchAppName+"_proxy") }) -eq $null)
{
    Write-Output "Creating the Search application proxy"
    $searchAppProxy = New-SPEnterpriseSearchServiceApplicationProxy -name ($searchAppName+"_proxy") -SearchApplication $searchApp
}
else
{
    Write-Output "Search application proxy already exists"
}
Write-Output "Search provisioning finished."

Verify Search Service Application Topology

When configured successfully, the search settings will appear as follows. The table below shows the search components that should be running on each role. The actual number of machines in each role will vary based on the environment being built. The number of Index Partitions will vary based on the number of search servers (AS role) in the farm.

1. In Central Administration, go to Application Management | Service Applications | Search Service Application.

Server Role | Admin | Crawler | Content Processing | Analytics Processing | Query Processing | Index Partition

AP

AS

FE
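The same placement can be read back from the active topology in the SharePoint 2013 Management Shell. The script below is an added example, not part of the original build guide; its role lists repeat the defaults from the top of the provisioning script, the expected-placement map is derived from that script's node assignments, and it assumes a single Search service application whose components report short server names.

```powershell
# Added example (not from the original guide): list where each component of the
# ACTIVE search topology runs and compare it with the provisioning script's placement.
If ((Get-PSSnapin | ? { $_.Name -eq "Microsoft.SharePoint.PowerShell" }) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
}

# Role lists: same defaults as the provisioning script; edit to match the farm.
$AdminMachines  = @("AP01")
$FEMachines     = @("FE01")
$SearchMachines = @("AS01", "AS02")

# Component type -> servers the provisioning script creates it on.
$expectedPlacement = @{
    "AdminComponent"               = $AdminMachines
    "CrawlComponent"               = $SearchMachines
    "ContentProcessingComponent"   = $SearchMachines
    "AnalyticsProcessingComponent" = $SearchMachines
    "QueryProcessingComponent"     = $FEMachines
    "IndexComponent"               = $SearchMachines
}

function Get-SearchTopologyReport {
    param($Expected = $expectedPlacement)

    # Assumption: exactly one Search service application exists in the farm.
    $ssa        = Get-SPEnterpriseSearchServiceApplication
    $active     = Get-SPEnterpriseSearchTopology -SearchApplication $ssa -Active
    $components = @(Get-SPEnterpriseSearchComponent -SearchTopology $active)

    $rows = @(foreach ($c in $components) {
        # Component names look like "IndexComponent1"; drop the trailing digits to get the type.
        $type = $c.Name -replace '\d+$', ''
        $partition = $null
        if ($type -eq "IndexComponent") { $partition = $c.IndexPartitionOrdinal }
        $finding = "UNEXPECTED SERVER"
        if ($Expected[$type] -contains $c.ServerName) { $finding = "expected" }
        [pscustomobject]@{
            Server = $c.ServerName; Type = $type; Component = $c.Name
            IndexPartition = $partition; Finding = $finding
        }
    })

    # Expected placements that have no component in the active topology.
    foreach ($type in $Expected.Keys) {
        foreach ($server in $Expected[$type]) {
            if (-not ($rows | ? { $_.Type -eq $type -and $_.Server -eq $server })) {
                $rows += [pscustomobject]@{
                    Server = $server; Type = $type; Component = "-"
                    IndexPartition = $null; Finding = "MISSING"
                }
            }
        }
    }
    $rows
}

Get-SearchTopologyReport | Sort-Object Server, Type | Format-Table -AutoSize

# Health of each component in the same application.
Get-SPEnterpriseSearchStatus -SearchApplication (Get-SPEnterpriseSearchServiceApplication) |
    Format-Table Name, State -AutoSize
```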

Enable Search Crawling of the Profile Database

1. In Central Administration, go to Application Management | Service Applications | User Profile Service Application | Administrators.

2. Add managed\ms-svc-crl.

3. Ensure the Retrieve People Data for Search Crawlers permission is checked.

4. Click OK.

Configure the Visio Graphics Service Application

1. In Central Administration, go to Application Management | Service Applications | Manage Service Applications | Visio Graphics Service Application | Manage.

2. Set Global Settings | External Data | Application ID to 101.

Start the User Profile Synchronization Service

Topic Last Modified: 2014-05-06

Important: Do not start the User Profile Synchronization Service if the customer will be configured with direct User Profile Import.

Important: To set up profile synchronization, it is critical that the farm account (ms-svc-frm) have log on locally rights on the AP01 server. To test this, try logging into the server (AP01) with that account prior to this step.

1. On AP01, add the ms-svc-frm account to the local administrators group of the server

2. In Central Administration, go to Application Management | Service Applications | Manage Services on server | AP01 | User Profile Synchronization Service | Start

Account Name: managed\ms-svc-frm

Password: <password for ms-svc-frm>

3. Forefront Identity Manager (FIM) can take a few minutes to set up. Wait until status changes from Starting to Started.

4. After the status changes to Started, remove the ms-svc-frm account from the local administrators group of the server.

Update WMI Control for Farm Account

Topic Last Modified: 2014-04-02

Perform the following steps on each AP server in each Farm:

1. In the Microsoft Management Console, in the File menu, click Add/Remove Snap-In

2. In the Add or Remove Snap-ins dialog box, under Available snap-ins, click WMI Control and then click Add.

3. In the Change managed computer dialog box, select Local Computer, and then click Finish.

4. Click OK.

5. Right-click WMI Control in the left pane and then click Properties.

6. On the Security tab, click Root, and then click the Security button

7. In the Security for Root dialog box, under Group or user names, click Add

8. In the Select Users dialog box, enter the Farm Account and click OK

9. In the Security for Root dialog box, under Permissions for Authenticated Users, select Enable Account and Remote Enable in the Allow column

10. Click OK twice.

11. In a Windows PowerShell window, enter the following:

Restart-Service sptimerV4

Grant User Profile Permissions to Service Apps

Topic Last Modified: 2014-04-15

The Machine Translation Service requires Full Control permissions on the User Profile Service in order to correctly create OAuth credentials. Do the following:

1. In Central Administration, go to Application Management | Service Applications | Manage Service Applications.

2. Select the row for the User Profile Service Application.

3. In the Ribbon, click Sharing | Permissions.

4. Add the ms-svc-sa account and grant it Full Control.

5. Click OK.

Manage User Permissions for the User Profile Service Application

Topic Last Modified: 2014-05-07

Kiosk workers (KWs) are not allowed to create My Sites. You need to create the permission policy to grant the right to create a My Site to Information Workers (IWs) and revoke that right for KWs.

Note: If customers have no kiosk workers and all users should be able to create personal sites, use social features, and use personal features, then skip this section. This is the default, unless:

The customer has purchased kiosk worker licenses

The customer has purchased Partner Access

1. In Central Administration, go to Application Management | Manage Service Applications | User Profile Service Application | Manage | People | Manage User Permissions.

2. Remove permissions for NT Authority\Authenticated Users and All Authenticated Users.

For kiosk workers:

3. Enter the name of the security group, and then click Add. If the customer has more than one role claim or group for Kiosk Workers, repeat this step to add each role claim or group.

4. Ensure the Security Group is selected in the box under Permissions for...

5. Make the following changes:

Create Personal Site (required for personal storage, newsfeed, and followed content): No

Follow People and Edit Profile: Yes

Use Tags and Notes: No

For information workers:

6. Enter the name of the security group, and then click Add. If the customer has more than one role claim or group for Kiosk Workers, repeat this step to add each role claim or group.

7. Ensure the Security Group is selected in the box under Permissions for...

8. Make the following changes:

Create Personal Site (required for personal storage, newsfeed, and followed content): No

Follow People and Edit Profile: Yes

Use Tags and Notes: No

For partners:

9. In the box under Permissions for..., make the following changes:

Create Personal Site (required for personal storage, newsfeed, and followed content): No

Follow People and Edit Profile: Yes

Use Tags and Notes: Yes

10. Click OK.

Change Default ULS Log Retention

Topic Last Modified: 2014-05-08

The default ULS log retention period is 14 days. This setting must be changed to 7 days.

1. In Central Administration, go to Monitoring | Reporting | Configure diagnostic logging

Set Number of days to store log files from 14 to 7.

Configure Usage and Health Data Collection Service

Topic Last Modified: 2014-05-08

1. In Central Administration, go to Monitoring | Reporting | Configure usage and health data collection.

2. Select Enable usage data collection.

3. Select Enable health data collection:

Database server: <SS01>

Database Name: WSS_UsageApplication

4. Ensure the changes from Step 3 are complete and then, using the SharePoint 2013 Management Shell, configure database retention period using the following script:

Get-SPUsageDefinition | Set-SPUsageDefinition -DaysRetained 31

5. Set the Page Requests usage definition to a larger value using the following script:

Get-SPUsageDefinition "Page Requests" | Set-SPUsageDefinition -MaxTotalSizeInBytes 10000000000000

Modify SPHA Rules

Topic Last Modified: 2014-02-05

Certain SPHA rules should be disabled or changed from their out of the box settings. Please reference the following table for the changes.

Navigate to Central Administration | Monitoring | Health Analyzer | Review Rule Definitions:

Rule | Change
--- | ---
Security: The server farm account should not be used for other services. | Disable this rule
Performance: Databases used by SharePoint have fragmented indices | Disable this rule
Performance: Search - One or more crawl databases may have fragmented indices | Disable this rule
Configuration: Alternate access URLs have not been configured | Disable this rule
Configuration: Missing server side dependencies | Disable this rule
Availability: Drives are running out of free space | Disable this rule
Availability: Drives used for SQL databases are running out of free space | Disable this rule
Availability: One or more services have started or stopped unexpectedly | Disable this rule

Disable Selected Site Templates

Topic Last Modified: 2014-05-08

Perform the following procedures on all SharePoint machines.

Note: Records Center is no longer offered and customers should not be able to create My Site Hosts.

Disable Site Templates in the 14 Hive

1. In Notepad, edit the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\1033\XML\webtempoffile.xml

a. Modify the <Configuration /> element containing ID="1" and change to:

<Configuration ID="1"
    Title="Records Center"
    Hidden="TRUE"
    ImageUrl="/_layouts/images/strc.png"
    Description="This template creates a site designed for records management. Records managers can configure the routing table to direct incoming files to specific locations. The site also lets you manage whether records can be deleted or modified after they are added to the repository."
    DisplayCategory="Enterprise"
    VisibilityFeatureDependency="97A2485F-EF4B-401f-9167-FA4FE177C6F6" >
</Configuration>

2. In Notepad, edit the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\1033\XML\webtempsps.xml.

b. Modify the <Configuration /> element containing ID="0" Title="My Site Host"

<Configuration ID="0"
    Title="My Site Host"
    Type="0"
    RootWebOnly="TRUE"
    Hidden="TRUE"
    DisplayCategory="Enterprise"
    ImageUrl="../images/perstemp.gif"
    Description="A site used for hosting personal sites (My Sites) and the public People Profile page. This template needs to be provisioned only once per User Profile Service Application, please consult the documentation for details.">
</Configuration>

3. If the customer has language packs installed, repeat steps 1 and 2 for each other locale. Just replace 1033 (English) with the locale for the other language packs. A reference for locale IDs can be found at the MSDN article Locale ID Chart.

Disable Site Templates in the 15 Hive

1. In Notepad, edit the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\1033\XML\webtempoffile.xml

a. Modify the <Configuration /> element containing ID="1" and change to:

<Configuration ID="1"
    Title="Records Center"
    Hidden="TRUE"
    ImageUrl="/_layouts/images/strc.png"
    Description="This template creates a site designed for records management. Records managers can configure the routing table to direct incoming files to specific locations. The site also lets you manage whether records can be deleted or modified after they are added to the repository."
    DisplayCategory="Enterprise"
    VisibilityFeatureDependency="97A2485F-EF4B-401f-9167-FA4FE177C6F6" >
</Configuration>

2. In Notepad, edit the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\1033\XML\webtempsps.xml

a) Modify the <Configuration /> element containing ID="0" Title="My Site Host"

<Configuration ID="0"
    Title="My Site Host"
    Type="0"
    RootWebOnly="TRUE"
    Hidden="TRUE"
    DisplayCategory="Enterprise"
    ImageUrl="../images/perstemp.gif"
    Description="A site used for hosting personal sites (My Sites) and the public People Profile page. This template needs to be provisioned only once per User Profile Service Application, please consult the documentation for details.">
</Configuration>

3. If the customer has language packs installed, repeat steps 1 and 2 for each other locale. Just replace 1033 (English) with the locale for the other language packs. A reference for locale IDs can be found at the MSDN article Locale ID Chart.

Note: If a need arises to re-create the MySite host site collection, the following PowerShell command can be used.

New-SPSite -Url "https://my.mmsxl.com" -OwnerAlias <<MGD>>\ms-svc-wap -Template "SPSMSITEHOST#0" -Language 1033
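Because the template edits above are made by hand in two hives, for every installed locale, on every SharePoint machine, a read-only check catches a missed file. The script below is an added example, not part of the original build guide; the function and variable names are hypothetical, it matches the My Site Host entry by the template name SPSMSITEHOST (taken from the New-SPSite command above) because titles are localized, and it must be run locally on each server.

```powershell
# Added example (not from the original guide): confirm that Records Center and
# My Site Host carry Hidden="TRUE" in every locale folder of the 14 and 15 hives.
$hiveRoot = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions"

# One entry per template the guide hides: file to open and XPath of the element.
$templateChecks = @(
    @{ Label = "Records Center"; File = "webtempoffile.xml";
       XPath = "//Configuration[@ID='1']" },
    @{ Label = "My Site Host";   File = "webtempsps.xml";
       XPath = "//Template[@Name='SPSMSITEHOST']/Configuration[@ID='0']" }
)

function Test-HiddenSiteTemplates {
    param(
        [string]$Root = $hiveRoot,          # override to test against a copy of the hive
        [string[]]$Hives = @("14", "15")
    )
    foreach ($hive in $Hives) {
        $templateDir = Join-Path $Root "$hive\TEMPLATE"
        if (-not (Test-Path $templateDir)) { continue }

        # Locale folders are the all-numeric directories (1033 and any language packs).
        $locales = Get-ChildItem $templateDir -Directory | ? { $_.Name -match '^\d+$' }
        foreach ($locale in $locales) {
            foreach ($check in $templateChecks) {
                $path  = Join-Path $locale.FullName ("XML\" + $check.File)
                $state = "file not found"
                if (Test-Path $path) {
                    $xml = New-Object System.Xml.XmlDocument
                    $xml.Load($path)          # also fails loudly if an edit broke the XML
                    $node = $xml.SelectSingleNode($check.XPath)
                    if ($node -eq $null) { $state = "element not found" }
                    elseif ($node.GetAttribute("Hidden") -ieq "TRUE") { $state = "hidden" }
                    else { $state = "VISIBLE" }
                }
                [pscustomobject]@{
                    Server = $env:COMPUTERNAME; Hive = $hive; Locale = $locale.Name
                    Template = $check.Label; State = $state; Path = $path
                }
            }
        }
    }
}

$report = @(Test-HiddenSiteTemplates)
$report | Format-Table Server, Hive, Locale, Template, State -AutoSize
$report | ? { $_.State -ne "hidden" } |
    % { Write-Warning "$($_.Template) is '$($_.State)' in $($_.Path)" }
```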

Configure Settings for Sandboxed Code

Topic Last Modified: 2014-04-02

We have changed the distribution/weighting of different metrics for resource point consumption to match the values being used by standard. The following PowerShell scripts will set the point values.

1. On AP01, open the SharePoint 2013 Management Shell.

2. Execute the following script:

[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null
$SPUserCode = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local
if ($SPUserCode -ne $null)
{
    $SPUserCode.UseLocalServerOnly = $true
    $SPUserCode.Update()
    $SPUserCode.ResourceMeasures["AbnormalProcessTerminationCount"].ResourcesPerPoint = "0.25"
    $SPUserCode.ResourceMeasures["AbnormalProcessTerminationCount"].Update()
    $SPUserCode.ResourceMeasures["CPUExecutionTime"].ResourcesPerPoint = "100"
    $SPUserCode.ResourceMeasures["CPUExecutionTime"].Update()
    $SPUserCode.ResourceMeasures["ProcessCPUCycles"].ResourcesPerPoint = "40000000000"
    $SPUserCode.ResourceMeasures["ProcessCPUCycles"].Update()
    $SPUserCode.ResourceMeasures["UnhandledExceptionCount"].ResourcesPerPoint = "25"
    $SPUserCode.ResourceMeasures["UnhandledExceptionCount"].Update()
}

Confirm or Modify Service Account Associations

Topic Last Modified: 2014-02-05

Ensure that all services are correctly associated with the correct account.

1. In Central Administration, go to Security | General Security | Configure Service Accounts

2. Verify the following service account associations. Change any accounts that are incorrect:

Detail | Account
--- | ---
Farm Account | [ms-svc-frm]
Windows Service - Claims to Windows Token Service | [Local System]
Windows Service – Distributed Cache | [ms-svc-frm]
Windows Service – Document Conversions Launcher Service | [Local System]
Windows Service – Document Conversions Load Balancer Service | [Local Service]
Windows Service - Microsoft SharePoint Foundation Sandboxed Code Service | [ms-svc-sbx]
Windows Service - Search Host Controller Service | [ms-svc-frm]
Windows Service - SharePoint Server Search | [ms-svc-frm]
Windows Service - User Profile Synchronization Service | [ms-svc-frm]
Web Application Pool - <<URL Provided by the Customer>> (Note: There will be one application pool per web application.) | [ms-svc-wap]
Service Application Pool – Search Service Application AppPool | [ms-svc-sa]
Service Application pool - SecurityTokenServiceApplicationPool | [ms-svc-frm]
Service Application Pool - SharePoint Service Applications | [ms-svc-sa]
Service Application Pool - SharePoint Web Services System | [ms-svc-frm]
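The associations in the table can also be audited from the SharePoint 2013 Management Shell, together with the earlier requirement that ms-svc-frm be removed from the local administrators group once the User Profile Synchronization Service has started. The script below is an added example, not part of the original build guide; function names are hypothetical, accounts are compared by the name after the domain prefix, and it assumes each Windows service's TypeName equals the text after "Windows Service -" in the table, that every content web application uses ms-svc-wap, and that the local group is named Administrators.

```powershell
# Added example (not from the original guide): compare the identities in use on
# the farm with the account table above. Run on AP01.
If ((Get-PSSnapin | ? { $_.Name -eq "Microsoft.SharePoint.PowerShell" }) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
}

# Expected identities, transcribed from the table (keys assumed to match TypeName).
$expectedWindowsServices = @{
    "Claims to Windows Token Service"                        = "LocalSystem"
    "Distributed Cache"                                      = "ms-svc-frm"
    "Document Conversions Launcher Service"                  = "LocalSystem"
    "Document Conversions Load Balancer Service"             = "LocalService"
    "Microsoft SharePoint Foundation Sandboxed Code Service" = "ms-svc-sbx"
    "Search Host Controller Service"                         = "ms-svc-frm"
    "SharePoint Server Search"                               = "ms-svc-frm"
    "User Profile Synchronization Service"                   = "ms-svc-frm"
}
$expectedServiceAppPools = @{
    "Search Service Application AppPool"  = "ms-svc-sa"
    "SecurityTokenServiceApplicationPool" = "ms-svc-frm"
    "SharePoint Service Applications"     = "ms-svc-sa"
    "SharePoint Web Services System"      = "ms-svc-frm"
}

# "MGD\ms-svc-frm" -> "ms-svc-frm"; the domain prefix differs per customer.
function Get-ShortName([string]$Account) {
    if ([string]::IsNullOrEmpty($Account)) { return "<none>" }
    return ($Account -split '\\')[-1]
}

function New-AuditRow($Kind, $Name, $Expected, $Actual) {
    [pscustomobject]@{ Kind = $Kind; Name = $Name; Expected = $Expected
                       Actual = $Actual; Match = ($Expected -eq $Actual) }
}

function Test-ServiceAccountAssociations {
    $farm = Get-SPFarm
    New-AuditRow "Farm" "Farm Account" "ms-svc-frm" (Get-ShortName $farm.DefaultServiceAccount.Name)

    $windowsServices = @($farm.Services |
        ? { $_ -is [Microsoft.SharePoint.Administration.SPWindowsService] })
    foreach ($typeName in $expectedWindowsServices.Keys) {
        $svc = $windowsServices | ? { $_.TypeName -eq $typeName } | Select-Object -First 1
        if ($svc -eq $null) { $actual = "<not found>" }
        else {
            # Built-in identities are reported by type, named accounts by user name.
            $identityType = "$($svc.ProcessIdentity.CurrentIdentityType)"
            if ($identityType -eq "SpecificUser") { $actual = Get-ShortName $svc.ProcessIdentity.Username }
            else { $actual = $identityType }
        }
        New-AuditRow "Windows Service" $typeName $expectedWindowsServices[$typeName] $actual
    }

    foreach ($wa in (Get-SPWebApplication)) {
        New-AuditRow "Web Application Pool" $wa.Url "ms-svc-wap" (Get-ShortName $wa.ApplicationPool.Username)
    }

    $pools = @(Get-SPServiceApplicationPool)
    foreach ($poolName in $expectedServiceAppPools.Keys) {
        $pool = $pools | ? { $_.Name -eq $poolName } | Select-Object -First 1
        $actual = if ($pool) { Get-ShortName $pool.ProcessAccountName } else { "<not found>" }
        New-AuditRow "Service Application Pool" $poolName $expectedServiceAppPools[$poolName] $actual
    }

    # The farm account is added to local Administrators only while the User Profile
    # Synchronization Service starts; it should be gone afterwards.
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.psbase.Invoke("Members")) |
        % { $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) }
    $state = if ($members -contains "ms-svc-frm") { "present" } else { "absent" }
    New-AuditRow "Local Administrators ($env:COMPUTERNAME)" "ms-svc-frm" "absent" $state
}

$audit = @(Test-ServiceAccountAssociations)
$audit | Sort-Object Match, Kind | Format-Table Kind, Name, Expected, Actual, Match -AutoSize
$audit | ? { -not $_.Match } |
    % { Write-Warning "$($_.Kind) '$($_.Name)': expected $($_.Expected), found $($_.Actual)" }
```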

Add Support for People Fields in Office Documents

Topic Last Modified: 2014-02-05

The web.config files for all front-end Web servers must be modified to enable the People fields in Microsoft Office documents.

1. On AP01, in the SharePoint Management Shell, execute the following PowerShell command:

Write-Host "Updating the web.config to add support for People Fields in Office Documents"
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null
$modPath = "configuration/system.serviceModel/serviceHostingEnvironment"
$modTemplate= '<baseAddressPrefixFilters><add prefix="{0}" /></baseAddressPrefixFilters>'
$SPWebApps = Get-SPWebApplication | ? Name -ne "AppsManagementSite"
$Method = [Microsoft.SharePoint.Administration.SPServiceCollection].GetMethod("GetValue", [string])
$GenericMethod = $Method.MakeGenericMethod([Microsoft.SharePoint.Administration.SPWebService])
$Farm = [Microsoft.SharePoint.Administration.SPFarm]::Local
foreach ($SPWebApp in $SPWebApps){
    Write-Host "Modifying the Web App $($SPWebApp.Name)"
    $myModValue = $modTemplate -F $SPWebApp.Url
    #Write-Host $myModValue
    $SPWebConfigModification= new-object Microsoft.SharePoint.Administration.SPWebConfigModification
    $SPWebConfigModification.Name = "baseAddressPrefixFilters"
    $SPWebConfigModification.Owner= "SPO dedicated"
    $SPWebConfigModification.Path= $modPath
    $SPWebConfigModification.Type="EnsureChildNode"
    $SPWebConfigModification.Value=$myModValue
    $SPWebApp.WebConfigModifications.Add($SPWebConfigModification)
    $SPWebApp.Update()
}
$FarmService = $GenericMethod.Invoke($Farm.Services,"")
$FarmService.ApplyWebConfigModifications()
Write-Host "Updated the web.config successfully"

2. Perform an IIS reset on all machines in the farm.

Install and Configure Azure Workflow Server

Topic Last Modified: 2015-12-08

Azure Workflow server is a new add-on component in the SharePoint 2013 architecture which enables SharePoint 2013 workflows.

Install Azure Workflow Server

Execute the following steps on FE01.

1. Navigate to the installation page by clicking the Windows Azure Workflow Installer. This installs the Web Platform installer and automatically starts the Workflow Manager Client installer.

2. In the Prerequisites dialog box, accept the license agreement.

3. Once the Workflow Manager is installed, click Continue to start the Windows Azure Workflow Manager Client Configuration wizard.

4. After completing the configuration wizard, click Finish to end the installation.

Install Azure Workflow Client

Execute the following steps on all AP, AS, and FE servers where Workflow Server is not installed.

1. Navigate to the installation page by clicking the Windows Azure Workflow Manager, and then execute WorkflowClient.exe to launch the Web Platform Installer.

2. Click Install, which will start the download and install of Workflow Manager Client 1.0 Cumulative Update 3.

3. Click I accept.

4. Click Finish.

Install Service Bus and Workflow Cumulative Updates

Execute the following steps on FE01.

1. In your browser, go to the March 2013 Service Bus PU and download the update.

2. Execute ServiceBus-KB2799752-x64-EN.exe and follow the instructions.

3. Execute the following steps on all AP, AS and FE servers:

a. In your browser, go to the March 2013 Workflow Manager PU and download the update

b. Execute WorkflowManager-KB2799754-x64-EN.exe and follow the instructions.

Pair the SharePoint Server farm with the Workflow Manager Client farm

Determine whether you need to install the Workflow Manager Client on SharePoint Server prior to running the Register-SPWorkflowService cmdlet. See the Install Azure Workflow Client procedure earlier in this topic for more information.

1. Open the SharePoint Management Shell as an administrator.

2. Run the cmdlet Register-SPWorkflowService using the team site root URL and the fully qualified domain name of the FE01 server.

Example: Register-SPWorkflowService -SPSite "https://teamsites.contoso.com" -WorkflowHostUri "http://fe01.mgd-contoso.com:12291" -AllowOAuthHttp
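The example above registers an http:// endpoint, which is why it carries -AllowOAuthHttp: the switch permits the OAuth exchange between SharePoint and Workflow Manager over unencrypted HTTP. The following added example (not part of the original guide) builds the cmdlet arguments from the endpoint URI and adds the switch only for an HTTP endpoint. The function name New-WorkflowRegistrationArgs is hypothetical, and the HTTPS endpoint on port 12290 assumes the Workflow Manager farm was configured to listen on HTTPS there.

```powershell
# Added example, not from the guide. Builds the argument set for
# Register-SPWorkflowService; -AllowOAuthHttp is added only for http:// endpoints.
function New-WorkflowRegistrationArgs {
    param(
        [Parameter(Mandatory = $true)] [string] $SPSite,
        [Parameter(Mandatory = $true)] [string] $WorkflowHostUri
    )
    $uri = $null
    if (-not [System.Uri]::TryCreate($WorkflowHostUri, [System.UriKind]::Absolute, [ref] $uri)) {
        throw "WorkflowHostUri is not an absolute URI: $WorkflowHostUri"
    }
    if ($uri.Scheme -ne 'http' -and $uri.Scheme -ne 'https') {
        throw "WorkflowHostUri must use http or https, got '$($uri.Scheme)'"
    }
    $regArgs = @{
        SPSite          = $SPSite
        WorkflowHostUri = $uri.GetLeftPart([System.UriPartial]::Authority)
    }
    if ($uri.Scheme -eq 'http') {
        # OAuth tokens for the workflow service travel unencrypted on this endpoint.
        Write-Warning "Endpoint $($regArgs.WorkflowHostUri) is HTTP; adding -AllowOAuthHttp."
        $regArgs.AllowOAuthHttp = $true
    }
    return $regArgs
}

# The guide's endpoint (HTTP, port 12291) next to an HTTPS endpoint (port 12290, assumed).
$asGuide = New-WorkflowRegistrationArgs -SPSite "https://teamsites.contoso.com" `
    -WorkflowHostUri "http://fe01.mgd-contoso.com:12291"
$overTls = New-WorkflowRegistrationArgs -SPSite "https://teamsites.contoso.com" `
    -WorkflowHostUri "https://fe01.mgd-contoso.com:12290"
Write-Host "Guide endpoint needs -AllowOAuthHttp: $($asGuide.ContainsKey('AllowOAuthHttp'))"
Write-Host "HTTPS endpoint needs -AllowOAuthHttp: $($overTls.ContainsKey('AllowOAuthHttp'))"

# On a farm server, pass the chosen set to the cmdlet by splatting:
# Register-SPWorkflowService @overTls
```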

Install Office Web Applications

Topic Last Modified: 2014-05-08

In SharePoint 2013, Office Web Application Companions (WAC) is a stand-alone farm and is no longer part of the SharePoint binary installation.

Prerequisites

1. Make note of the WAC URL. This URL will be used in the installation steps below.

2. Install the relevant customer Wildcard/SAN certificates that include the WAC URL.

3. Copy the certificate request to all SharePoint VMs.

4. In the Microsoft Management Console, under Certificates (Local Computer) Personal, right-click Certificates, click All Tasks, and then click Import.

5. In the Certificate Import Wizard, configure the following settings:

   File Name: provide path to the file for the exported pfx certificate.

   Password: provide password from previous step.

6. Do NOT click Mark this key as exportable...

7. Place the certificate in the Personal store (verification step only).

8. Click Finish.

Install Office Web Apps Server

1. In your browser, go to the Microsoft Download Center and download the Office Web Apps Server.

2. Log on to WC01, and then run setup.exe as administrator.

3. Click to accept the EULA and click Continue.

4. In the File Location window, click Install Now.

5. Click Close.

Create Office Web Apps Farm

Perform the following procedure on each WC server.

1. On the WC01 server, open PowerShell and verify the Friendly name of the certificate being used for the WAC Farm by running the following command:

gci Cert:\LocalMachine\my | fl dnsnamelist, friendlyname

2. In PowerShell, create the WAC Office Web Apps Farm by running the following command:

Import-Module OfficeWebApps
New-OfficeWebAppsFarm -InternalURL "o365wac.<<customer.com>>" -CertificateName "<<Friendly Name from previous step>>" -EditingEnabled

Note: replace <<customer.com>> with the name of the team web app. Verify that the name also appears in the certificate from step 1.
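The verification in step 1 and in the note can be scripted instead of read off the `fl dnsnamelist, friendlyname` output by eye. The following is an added example, not part of the original guide: it matches the WAC host name against each certificate's DNS names, including wildcard entries, and reports whether the friendly name is usable with -CertificateName. The function names and the sample names are hypothetical or constructed.

```powershell
# Added example, not from the guide. Function names are hypothetical.
function Test-DnsNameCoversHost {
    param([string[]] $DnsNames, [string] $HostName)
    $target = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    foreach ($name in $DnsNames) {
        $n = $name.Trim().TrimEnd('.').ToLowerInvariant()
        if ($n -eq $target) { return $true }
        # A wildcard stands for exactly one left-most label: *.contoso.com covers
        # o365wac.contoso.com, but not a.b.contoso.com and not contoso.com itself.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)
            if ($target.EndsWith($suffix)) {
                $label = $target.Substring(0, $target.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-WacCertificateCandidate {
    param([string] $HostName, [string] $StorePath = 'Cert:\LocalMachine\My')
    $now = Get-Date
    $all = @(Get-ChildItem $StorePath)
    foreach ($cert in $all) {
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode } | Where-Object { $_ })
        if ($names.Count -eq 0) { continue }
        if (-not (Test-DnsNameCoversHost -DnsNames $names -HostName $HostName)) { continue }
        $sameName = @($all | Where-Object { $_.FriendlyName -eq $cert.FriendlyName })
        New-Object psobject -Property @{
            FriendlyName  = $cert.FriendlyName
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            # -CertificateName selects by friendly name, so it must be set and unambiguous.
            NameUsable    = ($cert.FriendlyName -ne '' -and $sameName.Count -eq 1)
        }
    }
}

# Constructed sample names, so the matching logic can be tried without a certificate store.
$sampleNames = '*.contoso.com', 'contoso.com'
Test-DnsNameCoversHost -DnsNames $sampleNames -HostName 'o365wac.contoso.com'
Test-DnsNameCoversHost -DnsNames $sampleNames -HostName 'o365wac.eu.contoso.com'

# On WC01: Get-WacCertificateCandidate -HostName 'o365wac.contoso.com' | Format-List
```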

Connect the SharePoint Farm to the Web App Farm

Perform the following steps once on one SharePoint 2013 server in the SharePoint Farm (server role does not matter).

1. On the SharePoint Server (AP01), open a browser to the WAC discovery URL: https://<wacfqdn>/hosting/discovery and verify you get an XML response.

2. If you see a valid XML response, continue to step 3.

3. In the SharePoint Management Shell, run the following command to connect the SharePoint Farm to the WAC Farm:

New-SPWOPIBinding -ServerName wac.contoso.com
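What counts as a valid XML response in steps 1 and 2 can be checked mechanically before the binding is created. The following is an added example, not part of the original guide: it parses a discovery document and confirms that the actions in one zone are published over HTTPS on the expected WAC host. The function name is hypothetical, the sample XML is constructed and heavily trimmed, and the internal-https zone is assumed (Get-SPWOPIZone shows the zone the farm actually uses).

```powershell
# Added example, not from the guide. $sampleDiscovery is constructed, trimmed XML
# in the shape Office Web Apps Server returns from /hosting/discovery.
$sampleDiscovery = @'
<?xml version="1.0" encoding="utf-8"?>
<wopi-discovery>
  <net-zone name="internal-https">
    <app name="Word">
      <action name="view" ext="docx" urlsrc="https://wac.contoso.com/wv/wordviewerframe.aspx?" />
      <action name="edit" ext="docx" urlsrc="https://wac.contoso.com/we/wordeditorframe.aspx?" />
    </app>
  </net-zone>
</wopi-discovery>
'@

function Test-WopiDiscovery {
    param(
        [Parameter(Mandatory = $true)] [string] $DiscoveryXml,
        [Parameter(Mandatory = $true)] [string] $WacFqdn,
        [string] $Zone = 'internal-https'   # assumed zone
    )
    try { $doc = [xml] $DiscoveryXml } catch { return "Response is not well-formed XML" }
    if ($doc.DocumentElement.Name -ne 'wopi-discovery') {
        return "Root element is '$($doc.DocumentElement.Name)', not wopi-discovery"
    }
    $actions = $doc.SelectNodes("/wopi-discovery/net-zone[@name='$Zone']/app/action")
    if ($actions.Count -eq 0) { return "No actions published in zone $Zone" }
    foreach ($a in $actions) {
        # urlsrc carries placeholder parameters after '?'; only the base URL is checked.
        $base = ($a.GetAttribute('urlsrc') -split '\?')[0]
        $u = $null
        if (-not [System.Uri]::TryCreate($base, [System.UriKind]::Absolute, [ref] $u)) {
            return "urlsrc is not an absolute URL: $base"
        }
        if ($u.Scheme -ne 'https') { return "urlsrc is not HTTPS: $base" }
        if ($u.Host -ne $WacFqdn)  { return "urlsrc host $($u.Host) is not $WacFqdn" }
    }
    return "OK"
}

Test-WopiDiscovery -DiscoveryXml $sampleDiscovery -WacFqdn 'wac.contoso.com'
Test-WopiDiscovery -DiscoveryXml $sampleDiscovery -WacFqdn 'o365wac.contoso.com'

# Against the live farm, fetch the document first, for example:
# $xml = (Invoke-WebRequest -Uri "https://wac.contoso.com/hosting/discovery" -UseBasicParsing).Content
```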

Configure Office Web Apps Licensing

Perform the following steps once on one SharePoint 2013 server in the SharePoint Farm (server role does not matter).

1. In the SharePoint Management Shell, enter the following command. Be sure to edit the first command with the path to the customer WAC Editors group.

$account = New-SPClaimsPrincipal -Identity "<customer WAC Editors group>" -IdentityType WindowsSecurityGroupName

2. Enter the following command:

Get-SPWebApplication | select Url | %{ New-SPUserLicenseMapping -Claim $account -License "OfficeWebAppsEdit" -WebApplication $_.Url | Add-SPUserLicenseMapping }

