Customer Build Guide
SharePoint Online – Dedicated
Office 365 for Enterprises
© 2015 Microsoft Corporation. All rights reserved.
Page 1 of 91
Microsoft SharePoint Online
Customer Build Guide for SP2013 Farms
Applies to: SharePoint Online - Dedicated
Topic Last Modified: 23-December-2015
Version: EO11.0
This document is provided “as-is”. Information and views expressed in this document, including URL and
other Internet Web site references, may change without notice.
Some examples depicted herein are provided for illustration only and are fictitious. No real association or
connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft
product. You may copy and use this document for your internal, reference purposes. You may modify this
document for your internal, reference purposes.
Contents
Microsoft SharePoint Online
Customer Build Guide for SP2013 Farms
Introduction
Purpose
Audience
Process Overview
SharePoint Online Hosted Environment
Basic Characteristics of Host and Virtual Machines
Network and DNS Configuration
Prepare Prerequisites
Verify Accounts
Least Privileges Model
Accounts from Managed Domain
Accounts and Security Groups from the Customer Domain
User Group Membership
Build the Platform
Build Virtual Machines
Create Virtual Machines
Configure Virtual Machines
Configure Networking
Verify Connectivity to Default Gateway
Configure Page Files
Set End Point Antivirus Exceptions
Disable Recycle Bin
Disable IE ESC
Disable User Account Control
Disable Loopbackcheck
Configure Drives for SQL Server
Disable SSL 2.0 and 3.0 Support
Restrict SCHANNEL to FIPS Compliant Cipher Suites Only
Allow CredSSP Authentication
Modify WinRM Shell Property Settings
Configure Common Machine Settings
Change Time Zone
Install .NET Framework 3.5
Configure SQL Server Settings
Create Inbound Firewall Rules
Configure Disk Layout for SQL Servers
Install SQL Server
Check for .NET 4.0
Install SQL Server 2012
Install SQL Server Cumulative Updates
Configure Security and Trace Flags
Allow Lock Pages in Memory
Set Max Degree of Parallelism
Configure SQLAgent Job History
Verify SQL Server is Working
Build Web Servers
Configure Inbound Firewall Rules
Run the Prerequisite Installer
Install IIS Advanced Logging
Install Hotfixes
Configure Advanced Logging
Prepare Office Web App Machines
Delete Default IIS Sites and Application Pools
Build the SharePoint Servers
Install SharePoint 2013
Install Language Packs
Install the Latest SharePoint Updates SharePoint SP1
Manage SSL Certificates
Update the Hosts File
Build the SharePoint Online 2013 Farm
Provision the Farm
Join Servers to the Farm
Enable Licensing
Register Managed Accounts
Configure Services (Generic)
Configure Distributed Cache
Create Quota Templates
Configure Outgoing Email
Create Web Applications
Create Web Application to Host SharePoint Apps
Set Up People Picker for Each URL
Configure Web Applications (Common Settings)
General Settings
Configure Managed Paths
Configure Blocked File Types
Enable the BLOB Cache
Apply Web App Policy and User Policy (Kiosk Worker)
Set Up Super User and Super Reader Accounts
Add Administrators to Web App Policy
Configure List Throttle Settings
Set Setup User Account as System
Create Site Collections
Create Service Applications
Configure the App Management Service
Create Host Header Site Collection for Monitoring Apps Management Site
Configure Managed Metadata Service Application
Configure Excel Service Application
Configure InfoPath Forms Services
Configure Machine Translation Service Permissions
Configure Search Service Application
Configure the Visio Graphics Service Application
Start the User Profile Synchronization Service
Update WMI Control for Farm Account
Grant User Profile Permissions to Service Apps
Manage User Permissions for the User Profile Service Application
Change Default ULS Log Retention
Configure Usage and Health Data Collection Service
Modify SPHA Rules
Disable Selected Site Templates
Disable Site Templates in the 14 Hive
Disable Site Templates in the 15 Hive
Configure Settings for Sandboxed Code
Confirm or Modify Service Account Associations
Add Support for People Fields in Office Documents
Install and Configure Azure Workflow Server
Install Azure Workflow Server
Install Azure Workflow Client
Install Service Bus and Workflow Cumulative Updates
Pair the SharePoint Server farm with the Workflow Manager Client farm
Install Office Web Applications
Prerequisites
Install Office Web Apps Server
Create Office Web Apps Farm
Connect the SharePoint Farm to the Web App Farm
Configure Office Web Apps Licensing
Introduction
Topic Last Modified: 2014-01-23
This document details the processes associated with building and configuring the individual standard
components of a Microsoft SharePoint Online 2013 server farm. Use this instruction for new farm builds
only. This document does not include instructions for installing optional or customer-specific features.
Purpose
This document was designed to assist customers in the creation of accurate development and test
environments to build out solutions on the hosted SharePoint environment. This document does not
include some key production farm components, such as backups, service continuity management,
monitoring, or SQL Maintenance. If you encounter references in this build document to any of these
applications or activities, please disregard them. They are not necessary for development and test
activities.
The goal of this document is to assist in producing a functional replica of our production configuration,
but it will not be identical. Activities such as performance testing will not yield the same results as a
production environment; however, the relative performance aligned to a baseline will produce data good
enough to interpolate.
Audience
The Customer Build Guide is intended to be used by customers building development and test SharePoint
environments. Personnel performing the tasks detailed in this guide should be experienced and familiar
with the installation and operation of SharePoint, SQL Server, and Windows Server. The guide tries to
explain each task in plain language and with added background; however, a solid familiarity with the
operational aspects of all three products is recommended.
Process Overview
The Build Guide is designed to guide the installer through the following basic processes:
Validate Hardware provided
Configure Host Machines
Create Virtual Machines in Hyper-V on Host Machines
Configure General VM settings
Configure the SQL Role
Configure the Backup Role
Configure Front End and Application Roles
Create and configure SharePoint Farm
This document contains steps to virtualize the environment and set up the various SharePoint roles on
virtual machines.
SharePoint Online Hosted Environment
Topic Last Modified: 2014-01-29
The Online environment is structured to manage the hosting of multiple customer environments, each
isolated to meet security and compliance requirements. The isolation begins with separate customer
Virtual Local Area Networks (VLANs) and separate managed customer Active Directory forests (managed
forest). The basic trust relationship and configuration is outlined in the diagram below. There are
generally 3 forests: one for Management (named MGMT, the central forest for all Management
Administration Accounts), one for Managed (named MGD, the forest where SharePoint is hosted), and
one forest provided by the customer (Customer Domain Accounts and Customer Data Sources).
Trust relationship and configuration diagram
Basic Characteristics of Host and Virtual Machines
Topic Last Modified: 2014-01-29
SharePoint Online has designed a network configuration tailored specifically for SharePoint 2013 that
would be difficult to replicate in this document and is not necessary for development and test purposes.
When developing applications, the domain trusts are generally more important than segmentation within
networks and separate VLANs.
The SharePoint farm requires some or all of the following Host Names:
| SKU | Storage | RAM | CPU | NIC | Notes |
|---|---|---|---|---|---|
| HA | 8 x 600 GB 10K SAS; Array A (2: [RAID1]); Array B (6: [RAID 5]) | 96 GB | 2 x 8 Core Xeon | 1 x 10 Gbit SRF+ | Multi-purpose SKU. Used for PPE, App, WFE, SQL Head Unit |
| HB | 8 x 600 GB 10K SAS; 25 x 600 GB 10K SAS; Array A (2: [RAID1]); Array B (6: [RAID 5]); Array C (24: [RAID 5]) | 96 GB | 2 x 8 Core Xeon | 1 x 10 Gbit SRF+ | SQL Storage SKU. Used for SQL Role |
| HD | 12 x 4 TB 7.2K SAS; Array A (2: [RAID 1]); Array B (9: [RAID 5]) | 32 GB | 1 x 8 Core Xeon | 1 x 10 Gbit SRF+ | File Server/Backup SKU. Used for backups and SQL mirror witness role. |
Note: For test/development purposes (assuming little to no performance testing) we recommend
using virtual machines and scaling down the resources allocated to the servers above. The SharePoint 2013
service offering uses physical machines built out on the SKUs listed above.
Network and DNS Configuration
Topic Last Modified: 2014-02-11
SharePoint Online has designed a network configuration tailored specifically for SharePoint 2013 that
would be difficult to replicate in this document and is not necessary for development and test purposes.
When developing applications, the domain trusts are generally more important than segmentation within
networks and separate VLANs.
The SharePoint farm requires some or all of the following Host Names:
portal.contoso.com – portal web application
team.contoso.com – team sites web application
my.contoso.com – SkyDrive Pro web application
partner.contoso.com – partner sites web application (optional)
wac.contoso.com – Office Web Applications farm
o365wfl.contoso.com – 2013 Workflow service end point (port 12290)
*.001dspoapp.com – SharePoint Apps namespace
The important step in setting up your development environment is to create a DNS entry for the wildcard
app zone (*.001dspoapp.com in the example above). All other host names can be managed either via DNS
or via hosts files on the SharePoint and client Windows servers.
In production, Microsoft uses the load balancer to create virtuals that map to different service endpoints
exposed to different networks. The following 2 diagrams are provided for reference purposes.
Load Balancer VIPS, Virtuals, and Traffic Routing
Traffic Flows and VIPs on Load Balancer
If you are configuring DNS, we recommend that you follow an approach similar to what is used in
production between the customer environment and SharePoint Online as outlined in the diagram below:
DNS Settings on Customer Private (GNS)
There are a total of 3 zones above, although this is not strictly necessary. The zones include a DNS Apps
Zone for the SharePoint applications that just contains the wildcard record for the farm. The DNS control
zone is optional; you can choose to point your DNS records directly to an A record instead of using CNAME
aliases as illustrated above. The above example uses a managed DNS service hosted by Microsoft called
001d.mgd.msft.net. The third zone is the customer private zone that contains the contoso.com
namespace.
Note: If you do define DNS records, we recommend that for dev/test environments you use URLs different
from those in production.
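The DNS setup described above for a dev/test lab, as an added example that is not part of the original guide: it creates the wildcard record for the app zone, checks that an arbitrary app host name resolves, and puts the remaining host names in the hosts file, which cannot hold wildcard entries. The address 10.0.0.50, the file-backed zone, and running on a Windows DNS server with the DnsServer module are assumptions.

```powershell
# Added example for a dev/test lab; not from the original guide.
# Assumptions: elevated session on a Windows DNS server (DnsServer module),
# and 10.0.0.50 is a placeholder for the lab farm's web front end.
$AppZone   = '001dspoapp.com'          # app namespace used in the guide's example
$FarmIP    = '10.0.0.50'               # placeholder address (assumption)
$HostNames = @('portal.contoso.com', 'team.contoso.com', 'my.contoso.com',
               'wac.contoso.com', 'o365wfl.contoso.com')

# 1. Create the app zone if it does not exist, then the wildcard A record.
if (-not (Get-DnsServerZone -Name $AppZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $AppZone -ZoneFile "$AppZone.dns"
}
$wildcard = Get-DnsServerResourceRecord -ZoneName $AppZone -Name '*' -RRType A `
                -ErrorAction SilentlyContinue
if (-not $wildcard) {
    Add-DnsServerResourceRecordA -ZoneName $AppZone -Name '*' -IPv4Address $FarmIP
}

# 2. Any label under the app zone must resolve, so probe with a random one.
#    -DnsOnly keeps LLMNR/NetBIOS from masking a missing DNS record.
$probe = 'app-{0}.{1}' -f ([guid]::NewGuid().ToString('N').Substring(0, 8)), $AppZone
try {
    $answer = Resolve-DnsName -Name $probe -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
    if ($answer.IPAddress -contains $FarmIP) {
        "OK: $probe resolves to $FarmIP through the wildcard record"
    } else {
        "REVIEW: $probe resolves, but not to $FarmIP"
    }
} catch {
    "FAIL: $probe does not resolve; the wildcard record for $AppZone is missing"
}

# 3. The other host names can live in the hosts file of each SharePoint server
#    and client. Add only the entries that are not already present.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($name in $HostNames) {
    # Match an uncommented line that already maps this exact host name.
    $pattern = '^\s*[^#\s]+\s+(.*\s)?' + [regex]::Escape($name) + '(\s|$)'
    if (-not (Select-String -Path $hostsPath -Pattern $pattern -Quiet)) {
        Add-Content -Path $hostsPath -Value "$FarmIP`t$name"
    }
}
```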
Prepare Prerequisites
Topic Last Modified: 2014-04-15
Before you begin, establish a remote desktop connection to each host machine with your installation
account.
Verify Accounts
Topic Last Modified: 2014-04-15
Least Privileges Model
When creating your development environment, SharePoint Online Dedicated recommends that you
configure your farm using a least-privilege model to ensure the highest level of security. The following
tables describe the accounts and the minimum level of permissions required to deploy a farm.
Server farm-level accounts

| Account | Requirements |
|---|---|
| SQL Server service account | Domain user account. Member of the Administrators group on the SQL Server machine. |
| Setup user account | Domain user account. Member of the Administrators group on each server on which Setup is run. SQL Server login on the computer running SQL Server. Member of the Server admin SQL Server security role. Tip: If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database. |
| Server farm account | Domain user account. Additional permissions are automatically granted for this account on web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles: dbcreator fixed server role; securityadmin fixed server role; db_owner fixed database role for all databases in the server farm. |
Service application service accounts

| Account | Requirements |
|---|---|
| SharePoint Server Search service account | Must be a domain user account. Must not be a member of the Farm Administrators group. The following are automatically configured: Access to read from the configuration database, administration content database, the search administration database, crawl databases; Full Control access to the index partitions on the query servers. |
| Default content access account | Must be a domain user account. Must not be a member of the Farm Administrators group. Read access to external or secure content sources that you want to crawl by using this account. For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the web applications that host the sites. The following are automatically configured: Full Read permissions are automatically granted to content databases hosted by the server farm. |
| Content access account | Read access to external or secure content sources that this account is configured to access. For web sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the web applications that host the sites. |
| Profile import default access account | Read access to the directory service. The account must have the Replicate Changes permission in AD DS. Manage User Profiles personalization services permission. View permissions on entities used in Business Data Catalog import connections. |
| Excel Services unattended service account | Must be a domain user account. |
Additional application pool identity accounts
Account: Application pool identity
Requirements:
    No manual configuration is necessary
    The following are automatically configured:
        Membership in the SP_DATA_ACCESS role for content databases and search databases
        associated with the web application.
        Membership in specific application pool roles for the configuration and the
        SharePoint_AdminContent databases.
        Additional permissions for this account to front-end web servers and application servers are
        automatically granted.
Accounts from Managed Domain
Confirm that the following accounts (prefixed with ms-svc-*) exist in the managed domain for all
environments except Federal. For Federal (fed) environments, confirm that the following accounts exist
and are prefixed with mgd-svc-*.
Accounts from Managed Domain
Full Name | MGD Account Name | Service Account?
SharePoint 15 Farm Account | ms-svc-frm | Yes
SharePoint 15 SQL Service | ms-svc-db | Yes
SharePoint 15 Sandbox Service | ms-svc-sbx | Yes
SharePoint 15 Portal Super Reader | ms-svc-psr | No
SharePoint 15 Portal Super User | ms-svc-psu | No
SharePoint 15 Content Web App Pools | ms-svc-wap | Yes
SharePoint 15 Search Crawl Account | ms-svc-crl | No
SharePoint 15 Service Applications | ms-svc-sa | Yes
Windows Azure Workflow Service | ms-svc-wrk | Yes
Accounts and Security Groups from the Customer Domain
The following accounts and security groups must be present in the customer domain. This information is
available in the ToBuild Record, as noted below.
Accounts and security groups from the customer domain
Account or Group | Description
Kiosk Workers | One or more security groups or role claims that represent all kiosk workers at the customer. Only applicable if customer has purchased DW licenses.
Information Workers |
Unattended Account | An account name from the customer forest for unattended data connections for Excel/Visio. Optional, the account may not be provided by the customer.
Partners | One or more security groups or role claims that represent all partner users for a customer. Only applicable if customer has purchased PAL licenses.
People Picker AD Account and Profile Import Account | One or more accounts with permissions to look up users/groups from AD for configuration of the people picker and profile import of AD users.
User Group Membership
Important: The user running the farm setup must be a member of the
MGMT\MGMT-GSG-SPO-SP2013FarmAdmins group.
Build the Platform
Topic Last Modified: 2014-05-06
When you configure a test/development environment, there are a few core elements that must be
replicated to adequately test any custom code built or tested by the customer:
- All host URLs must use SSL certificates and be fully qualified, i.e. https://team.contoso.com. Failure
  to do so will mask potential problems in how the browser will treat the site with respect to zones
  and protocols. This is especially important for connectivity with internal Line of Business systems
  and data sources.
- All customer accounts must come from a forest that has a one-way external trust between
  managed and the customer forest. Failure to do so may mask authentication/impersonation
  issues when connecting to Line-Of-Business applications or data sources within the customer
  forest.
  Note: Kerberos authentication is not supported; it doesn’t work across Forest and Domain boundaries.
- Use a minimum of two Web Front End (FE) role machines to ensure that any and all custom code
  properly deploys across multiple machines in a farm.
- Use static IP addresses if at all possible. If you use dynamic IP addresses, there is a good chance
  over time that the farm will have problems, especially with any load balancing solution you use.
- This document does not detail a load-balancing solution. We use a hardware load balancing
  solution in our production and pre-production environments; for test/development purposes,
  Windows Network Load Balancing (WNLB) should be adequate. There will be an unavoidable
  difference in performance between hardware-based and software-based load balancing solutions.
Build Virtual Machines
Topic Last Modified: 2014-01-29
In this section, you will create and configure virtual machines. There is no recommended order in terms of
the creation and the configuration of the machines; you may create all the machines first and then
configure them one by one, or complete the creation and immediately configure one machine at a time.
Note: All machines should be created before SharePoint is installed.
Create Virtual Machines
Topic Last Modified: 2014-05-06
1. Create the VMs in Hyper-V. The following table should provide details on both the VHD
distribution and basic properties for each VM role.
VM | Quantity | Storage/VHDs | RAM | CPU | NIC
AP | 1 | OS (200 GB) | 14 GB | 4 Cores | 1 Virtual
FE | 2 | OS (200 GB) | 14 GB | 4 Cores | 1 Virtual
AS | 1 | OS (200 GB) | 14 GB | 4 Cores | 1 Virtual
WC | 1 | OS (200 GB) | 14 GB | 4 Cores | 1 Virtual
SQ | 1 | OS (200 GB), LOGS1 (1 TB), DATA1 (2 TB) | 16 GB | 4 Cores | 1 Virtual
2. The SQL role requires additional VHDs for both Data and Log drives. It is important that the SQL
Data drive be at least twice the size of the Log drive. For production we provision 6 TB spanned
Data Drives and a 1 TB Log drive.
VM Name | Category | Type | Size | File Name
SQ | Data | Dynamic | 2040 GB | SPSQXX_disk_1
SQ | Logs | Dynamic | 1020 GB | SPSQXX_disk_4
To create and start the virtual machines, execute the following PowerShell script on the Hyper-V host
machine (HH01). This script configures the virtual machines with legacy network adapters in order to
install the operating system from the network.
$SharePointMachines = "FE01", "FE02", "AP01", "AS01"
$SQLMachine = "SQ01"
$vhdPath = "E:\Virtual Machines\"
$defaultMemory = 16GB
$defaultDiskSize = 200GB

# Create the VHD root folder if it does not exist yet.
if ((Get-Item $vhdPath -ErrorAction SilentlyContinue) -eq $null) {
    New-Item -Path $vhdPath -Type directory | out-null
}

function CreateMachine($machineName, $memoryInBytes, $diskSizeBytes) {
    if ((Get-VM -Name $machineName -errorAction SilentlyContinue) -ne $null) {
        Write-Host "Virtual machine $machineName already exists. Skipping." -ForegroundColor DarkYellow
        # Use return: the function is also called outside a loop, where continue would end the script.
        return
    }
    Write-Host "Creating VHDX for $machineName" -ForegroundColor Green
    New-Item -Path $vhdPath -Name $machineName -Type directory -Force | out-null
    New-VHD -Path "$vhdPath\$machineName\$machineName.vhdx" -SizeBytes $diskSizeBytes | out-null
    Write-Host "Creating virtual machine for $machineName" -ForegroundColor Green
    New-VM -VHDPath "$vhdPath\$machineName\$machineName.vhdx" -Name $machineName -MemoryStartupBytes $memoryInBytes | out-null
    # Legacy adapter so the operating system can be installed from the network.
    Add-VMNetworkAdapter -VMName $machineName -Name "Legacy Network Adapter" -IsLegacy $true -SwitchName "Default External Switch"
    Set-VMProcessor -VMName $machineName -Count 4
}

foreach($machineName in $SharePointMachines) {
    CreateMachine $machineName $defaultMemory $defaultDiskSize
}
CreateMachine $SQLMachine $defaultMemory 1TB

$allMachines = $SharePointMachines + $SQLMachine
$allMachines | % {
    Write-Host "Starting $_"
    Start-VM $_
    Start-Sleep -Seconds 30
}

# Disable the Hyper-V time provider and synchronize time from the domain hierarchy.
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0
w32tm /config /syncfromflags:DOMHIER /update
net stop w32time
net start w32time
w32tm /resync /force
Configure Virtual Machines
Topic Last Modified: 2014-05-06
The following VM configuration steps are common to all VMs in the farm.
Configure Networking
1. In Control Panel, go to Network and Sharing Center | Change adapter settings.
2. Right-click the Local Area Connection network adapter, and then click Properties.
3. Clear the Internet Protocol Version 6 (TCP/IPv6) check box.
4. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
5. In the Properties dialog box, select Use the following IP address, and then enter the following
information. These settings must be supplied by the customer:
IP address
Subnet mask
Default gateway
DNS servers (preferred and alternate)
Verify Connectivity to Default Gateway
1. Open the command prompt, and ping the default gateway.
2. Verify that you get a reply. If you don’t get a reply, check the network settings and confirm a
VLAN was assigned to the VM.
Configure Page Files
Page files will be configured to be system-managed for all host machines.
1. In Control Panel, go to System | Advanced system settings.
2. In the System Properties dialog box, on the Advanced tab, under Performance, click Settings.
3. In the Performance Options dialog box, on the Advanced tab, under Virtual memory, click
Change.
4. In the Virtual Memory dialog box, clear the Automatically manage paging file size for all
drives checkbox.
5. Under Paging file size, choose drive C:\, select the System managed size checkbox, and then
click Set.
6. Click OK on all open dialog boxes.
7. If prompted, choose to Restart Now.
Set End Point Antivirus Exceptions
Configure the desktop antivirus product of your choice installed on the VM to scan specific directories.
For simplicity, use the same rules for all virtualized servers. Exclude the following directories:
C:\Program Files\Microsoft Office Server
C:\inetpub
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions
C:\ProgramData\Microsoft\SharePoint
C:\windows\Microsoft.Net
C:\windows\temp
C:\Program Files\Microsoft SQL Server
E:\
F:\
Disable Recycle Bin
1. Right click the Recycle Bin icon on desktop, and then click Properties.
2. In the Recycle Bin Properties dialog box, for each drive, select the Don’t move files to the
Recycle Bin check box.
3. Click OK.
Disable IE ESC
1. In the Server Manager, under Security Information, click Configure IE ESC.
2. Turn off for both Administrators and Users.
3. Click OK.
Disable User Account Control
1. In Control Panel, on the User Accounts page, click Change User Account Control Settings.
2. Change to Never Notify.
3. Click OK.
Disable Loopbackcheck
1. At the command prompt, run regedit.exe.
2. In the Registry Editor, navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
3. Right-click LSA, click New, and then click DWORD (32-bit) Value.
4. Name the new item DisableLoopbackCheck.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Edit DWORD dialog box, set the Value data field to 1.
7. Click OK.
8. Restart the VM.
Configure Drives for SQL Server
1. Connect to the SQL Server machine.
2. Open Disk Management.
3. Right-click the D: drive and then select Format…
4. Name drive D: Data.
5. Right-click the E: drive and then select Format…
6. Name drive E: Logs.
Disable SSL 2.0 and 3.0 Support
Topic Last Modified: 2014-05-06
To help harden the servers, by default we disable SSL 2.0 and SSL 3.0 support and allow only TLS 1.0.
1. At the command prompt, run regedit.exe.
2. Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
3. Right-click Server, click New, and then click DWORD (32-bit) Value.
4. Name the new item Enabled.
5. Right-click Enabled, and then click Modify.
6. In the Edit DWORD Value dialog box, set the data value to 00000000.
7. Click OK.
8. Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
9. Right-click Server, click New, and then click DWORD (32-bit) Value.
10. Name the new item Enabled.
11. Right-click Enabled, and then click Modify.
12. In the Edit DWORD Value dialog box, set the data value to 00000000.
13. Click OK.
14. Restart the VM.
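The regedit steps above can also be scripted and verified. The following PowerShell is an added example, not part of the original guide; the function names are illustrative, and it assumes an elevated session on the VM.

```powershell
# Added example, not from the guide. Function names are illustrative.
$ProtocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ProtocolsToDisable = 'SSL 2.0', 'SSL 3.0'   # the two protocols this section disables

function Get-SchannelServerState {
    param([Parameter(Mandatory)][string]$Protocol)
    $key = Join-Path $ProtocolsRoot "$Protocol\Server"
    $enabled = $null
    if (Test-Path -Path $key) {
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    }
    # A missing key or a missing Enabled value means the operating system default applies.
    if ($null -eq $enabled) {
        $state = 'NotConfigured'
    } elseif ($enabled -eq 0) {
        $state = 'Disabled'
    } else {
        $state = 'Enabled'
    }
    [pscustomobject]@{ Protocol = $Protocol; State = $state; Enabled = $enabled; Key = $key }
}

function Disable-SchannelServerProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Protocol)
    $key = Join-Path $ProtocolsRoot "$Protocol\Server"
    if ($PSCmdlet.ShouldProcess($key, 'Set Enabled (DWORD) to 0')) {
        # Steps 3 and 9 right-click an existing Server key; create it when it is missing.
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

# Preview the changes; remove -WhatIf to write them.
foreach ($protocol in $ProtocolsToDisable) {
    Disable-SchannelServerProtocol -Protocol $protocol -WhatIf
}

# Report the current state of both protocols.
$report = foreach ($protocol in $ProtocolsToDisable) {
    Get-SchannelServerState -Protocol $protocol
}
$report | Format-Table Protocol, State, Enabled -AutoSize
if ($report | Where-Object { $_.State -ne 'Disabled' }) {
    Write-Warning 'At least one protocol is not explicitly disabled on this machine.'
}
```

As in step 14, the VM still has to be restarted after the values are written.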
Restrict SCHANNEL to FIPS Compliant Cipher Suites Only
Topic Last Modified: 2014-05-06
We disable certain ciphers for our secure channel. This setting, applied to all VMs, removes support for the
following ciphers, which are not FIPS compliant:
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
SSL_CK_RC4_128_WITH_MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5
TLS_RSA_WITH_NULL_SHA
TLS_RSA_WITH_NULL_SHA256
The following ciphers, which are not present by default in Windows, are added:
TLS_RSA_WITH_NULL_MD5
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
1. In the MMC snap-in, navigate to Local Computer Policy | Computer Configuration |
Administrative Templates | Network | SSL Configuration Settings.
2. Right-click SSL Cipher Suite Order, and then click Edit.
3. In the SSL Cipher Suite Order dialog box, select Enabled.
4. Under Options, in the SSL Cipher Suites text box, delete everything, and then copy and paste in
the following text:
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WITH_NULL_MD5
5. Click OK.
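A cipher suite order string can be checked against the lists in this section before or after it is applied. The following PowerShell is an added example, not part of the original guide: the step 4 text and the removed-suite list are copied from this page, while the function names and the policy registry location (the value behind the SSL Cipher Suite Order setting) do not appear in the guide.

```powershell
# Added example, not from the guide. Function and variable names are illustrative.

# The SSL Cipher Suites text from step 4, copied from this page and split for readability.
$GuideOrder = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA'
    'TLS_RSA_WITH_AES_256_CBC_SHA'
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521'
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA'
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA'
    'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA'
    'SSL_CK_DES_192_EDE3_CBC_WITH_MD5'
    'TLS_RSA_WITH_NULL_MD5'
) -join ','

# Suites this page lists as removed because they are not FIPS compliant.
$RemovedByGuide = @(
    'TLS_RSA_WITH_RC4_128_SHA'
    'TLS_RSA_WITH_RC4_128_MD5'
    'SSL_CK_RC4_128_WITH_MD5'
    'SSL_CK_DES_192_EDE3_CBC_WITH_MD5'
    'TLS_RSA_WITH_NULL_SHA'
    'TLS_RSA_WITH_NULL_SHA256'
)

function Test-CipherSuiteOrder {
    param(
        [Parameter(Mandatory)][string]$Order,
        [string[]]$Removed = $RemovedByGuide
    )
    # The policy text is one comma-separated line; tolerate stray spaces and empty items.
    $suites = @($Order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $firstSeen = @{}
    for ($i = 0; $i -lt $suites.Count; $i++) {
        $suite = $suites[$i]
        $findings = @()
        if ($Removed -contains $suite) { $findings += 'on the removed (not FIPS compliant) list' }
        if ($suite -like '*_WITH_NULL_*') { $findings += 'NULL suite: traffic is not encrypted' }
        if ($firstSeen.ContainsKey($suite)) {
            $findings += "duplicate of entry $($firstSeen[$suite])"
        } else {
            $firstSeen[$suite] = $i + 1
        }
        [pscustomobject]@{
            Position = $i + 1
            Suite    = $suite
            Findings = $findings -join '; '
        }
    }
}

function Get-EffectiveCipherSuiteOrder {
    # Registry value written by the SSL Cipher Suite Order policy; absent when not configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    if (Test-Path -Path $key) {
        (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
    }
}

$order = Get-EffectiveCipherSuiteOrder
if ($order -is [array]) { $order = $order -join ',' }
if (-not $order) {
    Write-Host 'Policy not configured on this machine; auditing the text from the guide.'
    $order = $GuideOrder
} elseif ($order -ne $GuideOrder) {
    Write-Warning 'Configured order differs from the text in the guide.'
}

$report = @(Test-CipherSuiteOrder -Order $order)
$report | Where-Object { $_.Findings } | Format-Table -AutoSize -Wrap
'{0} suites checked, {1} flagged' -f $report.Count, @($report | Where-Object { $_.Findings }).Count
```

Run against the text from step 4, the report flags SSL_CK_DES_192_EDE3_CBC_WITH_MD5, which this section also lists among the removed suites, and TLS_RSA_WITH_NULL_MD5.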
Allow CredSSP Authentication
Topic Last Modified: 2014-05-06
To assist with automation efforts, enable CredSSP on all machines (host and VMs).
1. In the Microsoft Management Console, navigate to Local Computer Policy | Computer
Configuration | Administrative Templates | System | Credentials Delegation.
2. Right-click Allow Delegating Fresh Credentials, and then click Edit.
3. In the Allow Delegating Fresh Credentials dialog box, select the Enabled checkbox.
4. Under Options, click Show.
5. In the Show Contents dialog box, type the value WSMAN/*.
6. Click OK in all open dialog boxes.
7. In the MMC, navigate to Local Computer Policy | Computer Configuration | Administrative
Templates | Windows Components | Windows Remote Management | WinRM Client.
8. Right-click Allow CredSSP authentication, and then click Edit.
9. In the Allow CredSSP Authentication dialog box, select the Enabled checkbox.
10. Click OK.
11. In the MMC, navigate to Local Computer Policy | Computer Configuration | Policies |
Administrative Templates | Windows Components | Windows Remote Management |
WinRM Service.
12. Right click Allow automatic configuration of listeners, and then click Edit.
13. In the Allow automatic configuration of listeners dialog box, select the Enabled checkbox.
14. Under Options:
a. In the IPv4 filter box, type *.
b. In the IPv6 filter box, type *.
15. Click OK.
16. In the MMC, navigate to Local Computer Policy | Computer Configuration | Policies |
Administrative Templates | Windows Components | Windows Remote Management |
WinRM Service.
17. Right-click Allow CredSSP authentication, and then click Edit.
18. In the Allow CredSSP authentication dialog box, select the Enabled checkbox.
19. Click OK.
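To confirm which machines actually carry these CredSSP and WinRM settings, and how broad the delegation target list is, the policy values can be read back. The following PowerShell is an added example, not part of the original guide; the function names are illustrative, and the registry locations are the standard ones that back these Group Policy settings, which the guide itself does not list.

```powershell
# Added example, not from the guide. Function names are illustrative.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $key = Join-Path $PolicyRoot $SubKey
    if (Test-Path -Path $key) {
        (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

function Get-DelegationTargets {
    # The Show Contents list from step 5 is stored as numbered string values.
    $key = Join-Path $PolicyRoot 'CredentialsDelegation\AllowFreshCredentials'
    if (Test-Path -Path $key) {
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) { [string]$item.GetValue($name) }
    }
}

function Get-CredSspPolicyReport {
    # Expected values follow steps 1-19 of this section.
    $expected = @(
        @{ Setting = 'Allow Delegating Fresh Credentials'
           SubKey = 'CredentialsDelegation'; Name = 'AllowFreshCredentials'; Value = 1 }
        @{ Setting = 'WinRM Client: Allow CredSSP authentication'
           SubKey = 'WinRM\Client'; Name = 'AllowCredSSP'; Value = 1 }
        @{ Setting = 'WinRM Service: Allow automatic configuration of listeners'
           SubKey = 'WinRM\Service'; Name = 'AllowAutoConfig'; Value = 1 }
        @{ Setting = 'WinRM Service: IPv4 filter'
           SubKey = 'WinRM\Service'; Name = 'IPv4Filter'; Value = '*' }
        @{ Setting = 'WinRM Service: IPv6 filter'
           SubKey = 'WinRM\Service'; Name = 'IPv6Filter'; Value = '*' }
        @{ Setting = 'WinRM Service: Allow CredSSP authentication'
           SubKey = 'WinRM\Service'; Name = 'AllowCredSSP'; Value = 1 }
    )
    foreach ($e in $expected) {
        $actual = Get-PolicyValue -SubKey $e.SubKey -Name $e.Name
        $shown = '(not configured)'
        if ($null -ne $actual) { $shown = "$actual" }
        [pscustomobject]@{
            Setting  = $e.Setting
            Expected = "$($e.Value)"
            Actual   = $shown
            Matches  = ($null -ne $actual) -and ("$actual" -eq "$($e.Value)")
        }
    }
    $targets = @(Get-DelegationTargets)
    $shownTargets = '(empty)'
    if ($targets.Count -gt 0) { $shownTargets = $targets -join ', ' }
    [pscustomobject]@{
        Setting  = 'Delegation target list'
        Expected = 'WSMAN/*'
        Actual   = $shownTargets
        Matches  = $targets -contains 'WSMAN/*'
    }
}

$report = Get-CredSspPolicyReport
$report | Format-Table -AutoSize -Wrap

# Inventory wildcard targets: each one lets fresh credentials go to every matching host.
$wildcards = @(Get-DelegationTargets | Where-Object { $_.Contains('*') })
if ($wildcards.Count -gt 0) {
    Write-Warning ("Wildcard delegation targets configured: " + ($wildcards -join ', '))
}
```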
Modify WinRM Shell Property Settings
Topic Last Modified: 2014-05-06
To improve performance, we modify the default WinRM Shell property settings.
1. In the MMC snap-in, navigate to Local Computer Policy | Computer Configuration |
Administrative Templates | Windows Components | Windows Remote Shell
2. Right-click Specify maximum amount of memory in MB per Shell, and then click Edit.
3. In the Specify maximum amount of memory in MB per Shell dialog box, select the Enabled
checkbox.
4. Under Options, in the MaxMemoryPerShellMB text box, enter 1024.
5. Click OK.
6. In the MMC snap-in, navigate to Local Computer Policy | Computer Configuration |
Administrative Templates | Windows Components | Windows Remote Shell
7. Right-click Specify maximum number of processes per Shell, and then click Edit.
8. In the Specify maximum number of processes per Shell dialog box, select the Enabled
checkbox.
9. Under Options, in the MaxProcessesPerShell text box, enter 64.
10. Click OK.
11. In the MMC snap-in, navigate to Local Computer Policy | Computer Configuration |
Administrative Templates | Windows Components | Windows Remote Shell
12. Right-click Specify maximum number of remote shells per user, and then click Edit.
13. In the Specify maximum number of remote shells per user dialog box, select the Enabled
checkbox.
14. Under Options, in the MaxShellsPerUser text box, enter 16.
15. Click OK.
Configure Common Machine Settings
Topic Last Modified: 2014-05-06
Change Time Zone
Change the time zone on each machine to match the datacenter time zone:
1. On the desktop of the Host server, right-click the date stamp in the bottom-right tray, and then
click Adjust date/time.
2. In the Date and Time dialog box, on the Date and Time tab, click Change Time Zone.
3. In the Time Zone Settings dialog box, select the time zone in which the datacenter is located.
4. Click OK in all open dialog boxes.
Install .NET Framework 3.5
Perform the following steps on every server in the farm (web servers and SQL servers):
1. In your browser, navigate to the .NET 3.5 download site.
2. Download and install the .NET Framework 3.5.
3. Restart your computer.
Configure SQ Server Settings
Topic Last Modified: 2014-05-06
Before you begin, establish a remote desktop connection to the SQ server.
Create Inbound Firewall Rules
1. In the Windows Firewall with Advanced Security tool, click Inbound Rules.
2. In the Actions pane, click New Rule:
3. In the New Inbound Rule Wizard, use the following settings:
Rule Type: Port
Protocol: TCP
Specific local Port: 1433
Action: Allow the Connection
Profile: Domain
Name: SQL Server 1433
4. Click Finish.
Configure Disk Layout for SQ Servers
The VHDs have been created, but the disk layout is incomplete. Use this procedure to span and format the
volumes.
1. In Server Manager, navigate to Storage | Disk Management | (C:).
2. Right click all disks and set to Online.
3. Create a spanned volume for Data drive:
a. Right click Disk 1 | Initialize disk | select all available drives (1-3).
b. Ensure format used is MBR.
c. Right click Disk 1 | New Spanned Volume
d. Select all 2 TB data drives
e. Assign Drive Letter E
f. Clear New Volume Name.
4. Create and format Log Drive:
a. Right click Disk 4
b. Click new Simple Volume
c. Assign Drive Letter F
d. Clear New Volume Name
5. Restart the VM.
Install SQL Server
Topic Last Modified: 22-December-2015
Note: SQL Server should be installed on the following server roles: SQ, SS, BK, BS.
Check for .NET 4.0
1. Check to see if .NET 4.0 has been installed on the server. .NET 4.0 is not a prerequisite for SQL
Server but it may be present. If .NET 4.0 is present, perform step 2. If not, skip step 2 and continue
with the SQL Server installation.
2. Complete this step if .NET 4.0 has been installed on the server.
3. In order to install SQL Server from the network share, open an Administrative command prompt
and execute the following after replacing the {BUILD} text with the build location you are using:
%windir%\microsoft.net\framework64\v4.0.30319\caspol.exe -m -ag 1.2 -url file://{BUILD}/* FullTrust
Example:
%windir%\microsoft.net\framework64\v4.0.30319\caspol.exe -m -ag 1.2 -url file://\\10.224.1.83/Releases/* FullTrust
Install SQL Server 2012
If not called out below, use default values for the SQL installation.
1. Browse to your SQL installation path (we recommend an ISO image mounted to the VM) and
double-click setup.exe.
2. Navigate to Installation section and select New Installation or add features to an existing
installation.
3. Use your product key or specify a trial.
4. On License Terms select I accept the license terms and clear Send features usage…
checkboxes.
5. Complete Setup Support Files step.
6. On Setup Role choose SQL Server Feature Installation
7. On Feature Selection select the following components:
Database Engine Services
SQL Server Replication
Client Tools Connectivity
Client Tools Backwards Compatibility
Management Tools - Basic
Management Tools – Complete
8. On the Server Configuration page set SQL Server Agent startup type to Automatic, click Use
the same account for all SQL services, and then enter managed\ms-svc-db and its password.
9. On the Database Engine Configuration page, on the Account Provisioning tab add the
following with a SysAdmin role:
managed\ms-svc-db
mgmt\MGMT-GSG-SPO-SP2013FarmAdmins
10. On the Database Engine Configuration page navigate to Data Directories tab and set or
confirm the following settings:
Directory Name | Value
Data root directory | E:\Program Files\Microsoft SQL Server\
User database directory | E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA
User Database log directory | F:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA
Temp DB directory | E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Data
Temp DB log directory | F:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Data
11. On Error Reporting page clear Send Windows and SQL Server Error Reports…
12. Complete installation with default settings on the rest of the pages.
Install SQL Server Cumulative Updates
1. Download the SQL Server Cumulative Update.
2. Execute SQLServer2012-KB3072100-x64.exe and follow the instructions.
Configure Security and Trace Flags
Two trace flag values are added, 1222 (Return resources and types of locks participating in a deadlock)
and 3226 (Suppress log backup entries in the SQL error log), as requested by the operations team.
1. In the SQL Server Configuration Manager, under SQL Server Network Configuration, right-click
Protocols for MSSQLSERVER, and then click Properties
2. In the Protocols for MSSQLSERVER dialog box, set Hide Instance to Yes.
3. Click OK.
4. On the service storage group servers (SS01/SS02) only:
a. Double-click Protocols for MSSQLSERVER.
b. Right-click Named Pipes
c. Select Enable.
5. In the tree view on the left, click SQL Server Services.
6. In the right pane, double-click SQL Server (MSSQLSERVER)
7. In the SQL Server Properties (MSSQLSERVER) dialog box, on the Advanced tab, click Startup
Parameters.
8. Next to Startup Parameters, click the down arrow, and then add ;-T3226;-T1222 to the end of the
parameters text.
9. For example, a modified Startup Parameters list might appear as follows:
-dE:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\master.mdf;-eE:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\LOG\ERRORLOG;-lE:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\mastlog.ldf;-T3226;-T1222
10. Click OK.
11. Right-click SQL Server (MSSQLSERVER), and then click Restart.
Allow Lock Pages in Memory
Give the SQL Server process account the right to lock pages in memory.
1. In Control Panel go to Administrative Tools | Local Security Policy.
2. Expand Local Computer Policy | Computer Configuration | Windows Settings | Security
Settings | Local Policies
3. Select User Rights Assignment | double-click lock pages in memory policy | add user to
group
4. Add the SQL Server security group mgd\mgd-dsg-sp2013-SQLaccts
Set Max Degree of Parallelism
1. In SQL Server Management Studio, connect to the local database server.
2. In the Code Editor window, enter the following Transact-SQL statement:
sp_configure 'show advanced options', 1;
GO
RECONFIGURE WITH OVERRIDE;
GO
sp_configure 'max degree of parallelism', 1;
GO
RECONFIGURE WITH OVERRIDE;
GO
3. Select Query, and then click Execute or press F5 to execute the query.
Configure SQLAgent Job History
The SQLAgent Job History should have the following settings:
jobhistory_max_rows=50000
jobhistory_max_rows_per_job=10000
Use the following PowerShell script to do this.
$null=[system.reflection.assembly]::LoadWithPartialName("Microsoft.SqlServer.Smo")
$server=new-object Microsoft.SqlServer.Management.Smo.Server(".")
$agent=$server.JobServer
$agent.MaximumHistoryRows=50000
$agent.MaximumJobHistoryRows=10000
$agent.Alter()
Verify SQL Server is Working
1. Confirm for each SQL instance that you can connect from another machine using SQL Server
Management Studio.
2. If you fail to connect, check that the firewall rules to allow 1433 are in place.
Build Web Servers
Topic Last Modified: 15-December-2015
Before you begin, establish a remote desktop connection to each FE, AP, AS and WC server in the farm.
Each step in this chapter must be completed on each machine, unless otherwise noted.
Configure Inbound Firewall Rules
Create the following new inbound firewall rules:
1. In the Windows Firewall with Advanced Security tool, right-click Inbound Rules, and then click
New Rule.
2. In the New Inbound Rule Wizard, create a new rule with the following configuration:
Rule Type: Port
Protocol: TCP
Port: Specific | 443
Action: Allow the Connection
Profile: Select Domain
Name: SharePoint 443
3. Click Finish
4. Create another new rule with the following settings:
Rule Type: Port
Protocol: TCP
Port: Specific | 8888
Action: Allow the Connection
Profile: Select Domain
Name: Central Admin 8888
5. Click Finish.
6. Create another new rule with the following settings:
Rule Type: Port
Protocol: TCP
Port: Specific | 32843
Action: Allow the Connection
Profile: Select Domain
Name: SharePoint 32843
7. Click Finish.
8. Create another new rule with the following settings:
Rule Type: Port
Protocol: TCP
Port: Specific | 32844
Action: Allow the Connection
Profile: Select Domain
Name: SharePoint 32844
9. Click Finish.
10. Create another new rule with the following settings:
Rule Type: Port
Protocol: TCP
Port: Specific | 32845
Action: Allow the Connection
Profile: Select Domain
Name: SharePoint 32845
11. Click Finish.
12. Open Windows PowerShell and execute the following:
#SharePoint Search rule
netsh advfirewall firewall delete rule name="SharePoint Search Ports"
netsh advfirewall firewall add rule name="SharePoint Search Ports" dir=in action=allow localport="17000-17009,808,16500-16509" protocol=TCP profile=domain
#Rules for Distributed Cache (AppFabric cache, cluster, arbitration and replication ports)
netsh advfirewall firewall delete rule name="AppFabric Caching Ports"
netsh advfirewall firewall add rule name="AppFabric Caching Ports" dir=in action=allow localport="22233-22236" protocol=TCP profile=domain
netsh advfirewall firewall set rule group="AppFabric Server: AppFabric Caching Service" new enable=Yes
netsh advfirewall firewall set rule name="Remote Service Management (RPC)" new enable=Yes
netsh advfirewall firewall set rule name="Remote Service Management (RPC-EPMAP)" new enable=Yes
netsh advfirewall firewall set rule name="Remote Service Management (NP-In)" new enable=Yes
#Azure Workflow rule
netsh advfirewall firewall delete rule name="Azure Workflow Ports"
netsh advfirewall firewall add rule name="Azure Workflow Ports" dir=in action=allow localport="4446,5112,9000-9003,9354,12290" protocol=TCP profile=domain
Run the Prerequisite Installer
Important: Execute the steps in this section only on SharePoint FE, AP, and AS Servers (Common
Steps)
Note: At this time, we do not recommend running the prerequisite installer in unattended mode.
1. Open the SharePoint installation folder.
2. Execute PrerequisiteInstaller.exe and follow the prompts to reboot the computer as needed.
The prerequisite installer will automatically restart after each reboot.
3. Restart computer after prerequisite installer has completed.
Install IIS Advanced Logging
SharePoint Online uses the features of IIS Advanced logging. This feature will need to be installed on all
SharePoint FE, AP, and AS Servers.
Important: Execute the steps in this section only on SharePoint FE, AP, WC, and AS Servers (Common
Steps)
1. Download the MSI file from http://www.microsoft.com/en-us/download/details.aspx?id=7211.
2. As administrator, execute advancedlogging64.msi.
Install Hotfixes
A hotfix is available for IIS Advanced Logging that resolves a memory leak in application pools in
Windows Server 2012.
Important: Execute the steps in this section only on SharePoint FE, AP, and AS Servers (Common
Steps)
1. Download the MSI file from http://www.microsoft.com/en-us/download/details.aspx?id=41640
2. As administrator, execute advancedlogging_update_64.msp.
Configure Advanced Logging
Complete all steps in this section on ALL FE, AP, AS and WC servers in the farm.
1. If IIS Manager is open, close and re-open it to see the new Advanced Logging components.
2. In Internet Information Services (IIS) Manager, click the server on which you have installed
advanced logging.
3. In the middle pane, under IIS, double-click Advanced Logging.
4. On the Advanced Logging console, click Edit Logging Fields.
5. In the Edit Logging Fields dialog box, click Add Field.
6. In the Add Logging Field dialog box, set the following parameters:
Field ID: X-Forwarded-For
Category: Default
Source Type: Request Header
Source Name: X-Forwarded-For
7. Click OK in all open dialog boxes.
Prepare Office Web App Machines
Complete the following step on each of the Office Web Apps machines (WC01, WC02, etc.).
1. In PowerShell, run the following command to install required Windows Roles/Features:
Add-WindowsFeature Web-Server,Net-Framework-45-Core, Net-Framework-45-ASPNET, Web-Asp-Net45, Web-Net-Ext45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Includes, Web-Windows-Auth, Web-Mgmt-Console, InkAndHandwritingServices -Restart
Delete Default IIS Sites and Application Pools
Perform the following steps on all SharePoint (FE, AP, AS) and Office Web App (WC) servers in the farm.
1. In the Internet Information Services (IIS) Manager, click Sites.
2. Under Default Web Site, delete any default Web sites.
3. Click Application Pools.
4. Remove all application pools.
Build the SharePoint Servers
Topic Last Modified: 2014-05-30
Perform the following on each SharePoint Server in the farm.
Install SharePoint 2013
To install the SharePoint 2013 Server:
1. In Windows Explorer, browse to the SharePoint 2013 installation folder and run setup.exe.
2. Type your product key.
3. Choose a Server Farm installation and Complete Server Type.
Important: Do NOT run the Configuration Wizard (PSConfig.exe) at this time.
Install Language Packs
1. Browse to the path that contains the language packs you wish to install and run the language
pack.
2. Select the I accept the license terms check box, and then click Continue.
3. Follow the instructions in the wizard to install the language packs.
Install the Latest SharePoint Updates
SharePoint SP1
1. Remove the server from rotation to stop incoming requests to the servers
2. In your browser, download the SharePoint June 2013 CU
3. Run officeserversp2013-kb2880552-fullfile-x64-en-us.exe
4. Reboot the server
5. Add the updated server back into the load-balancing rotation.
When the installation is complete, the configuration database should be version 15.0.4569.1000 or higher
when viewed in the SharePoint Configuration Wizard.
Install the App Fabric Cumulative Update
1. In your browser, download the App Fabric Cumulative Update
2. Run AppFabric1.1-RTM-KB2800726-x64-ENU.exe. Follow the instructions.
Manage SSL Certificates
By default, Microsoft SharePoint Online Dedicated uses wildcard certificates for customer deployments.
This process outlines how to create or export a wildcard SSL certificate.
Complete Certificate Request
When a response is returned by the CA, perform the following steps on the same machine used to
request the certificate. This should be AP01.
1. In Internet Information Services (IIS) Manager, click the machine name, and then, under IIS,
double-click Server Certificates.
2. In the Actions pane, click Complete Certificate Request.
3. In the Complete Certificate Request dialog box, enter the required values:
File Name: provide a path to the file that contains the response from the certificate authority
Friendly Name: *.<customer.com name> Wildcard SSL certificate or <portal.customer.com>
SAN Certificate (for a SAN certificate you cannot use a * but must use one of the DNS values,
like portal).
4. Click OK.
Export Certificates
After a certificate has been issued, it must be exported so that it can be installed on all other FE machines.
For SAN Certificates:
If exporting a named (SAN) certificate, follow these directions (For First Machine) first. Only use these
instructions if SAN certificates are required. If using wildcard certificates, go to Import Certificates.
Note: This procedure is for SAN certificates only. To export wildcard certificates, see the “For Wildcard
Certificates” section later in this topic.
To use a named certificate within the IIS7 interface, you must update the friendly name on the certificate.
Follow these directions only for a named certificate.
1. In the Microsoft Management Console, under Certificates (Local Computer) | Personal, click
Certificates.
2. Right-click the SAN Certificate you want to export, and then click Properties.
3. In the Properties dialog box, edit the Friendly Name field so the name starts with an * instead of
the host name.
4. Example: portal.contoso.com should be modified to *.contoso.com.
5. Click OK.
Import SSL Certificates
Once the new certificate has been received, import the SSL certificate to all web servers for both
SharePoint and Office Web Apps (AP, AS, FE, WC).
1. In the Microsoft Management Console, under Certificates (Local Computer) | Personal, right-
click Certificates, click All Tasks, and then click Import.
2. In the Certificate Import Wizard, configure the following settings:
a. File Name: provide path to the file for the exported pfx certificate.
b. Password: provide password from previous step
c. Mark this key as exportable: Uncheck
3. Once the import is completed, permanently delete the temporary pfx files.
Note: In the file listed in step 2a, there should be an entry for each URL that is added. This file will be
different for new customers and existing customers. A new customer would typically have at least three
URLs to begin with: <portal>, <team>, and <my>. An existing customer would have two URLs: <team>
AND <my>.
Import STS Certificate
Obtain the new STS certificate and import it to all web servers for SharePoint (AP, AS, FE) using the
following steps.
1. In the Microsoft Management Console, under Certificates (Local Computer) | Trusted Root
Certification, right-click Certificates, click All Tasks, and then click Import.
2. In the Certificate Import Wizard, configure the following settings:
a. File Name: provide path to the file for the exported pfx certificate.
b. Password: provide password from previous step
c. Mark this key as exportable: Uncheck
3. Once the import is completed, permanently delete the temporary pfx files.
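The two wizard-based imports above (SSL certificate into Personal, STS certificate into Trusted Root) can also be scripted. The following is an added example, not part of the build guide; Import-FarmPfx is a hypothetical helper name and the PFX path is whatever the operator supplies.

```powershell
# Added example: scripted form of the Certificate Import Wizard steps.
# Run in an elevated PowerShell session on each target server.
function Import-FarmPfx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $PfxPath,
        # 'My' = Personal store (SSL certificate); 'Root' = Trusted Root store (STS certificate)
        [Parameter(Mandatory = $true)] [ValidateSet('My', 'Root')] [string] $Store
    )

    if (-not (Test-Path -LiteralPath $PfxPath -PathType Leaf)) {
        throw "PFX file not found: $PfxPath"
    }

    # Prompt for the export password so it never appears in a script file,
    # on the command line, or in a transcript.
    $password = Read-Host -AsSecureString -Prompt "Password for $PfxPath"

    # -Exportable is deliberately omitted: this is the scripted equivalent of
    # leaving "Mark this key as exportable" unchecked.
    $imported = @(Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation "Cert:\LocalMachine\$Store" `
        -Password $password -ErrorAction Stop)

    foreach ($cert in $imported) {
        # Try to confirm the private key really is non-exportable. This works for
        # CSP-backed keys; for other key types the value stays $null (not verified).
        $exportable = $null
        if ($cert.HasPrivateKey) {
            try {
                $key = $cert.PrivateKey
                if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
                    $exportable = $key.CspKeyContainerInfo.Exportable
                }
            } catch {
                $exportable = $null
            }
        }
        if ($exportable -eq $true) {
            Write-Warning "Private key for $($cert.Thumbprint) is exportable; re-import without -Exportable."
        }

        # Emit one record per certificate so thumbprints can be compared across servers.
        [pscustomobject]@{
            Server        = $env:COMPUTERNAME
            Store         = "LocalMachine\$Store"
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            KeyExportable = $exportable
        }
    }

    # Step 3 of the procedure: remove the temporary PFX once the import succeeded.
    # Remove-Item bypasses the Recycle Bin but does not overwrite the disk blocks.
    Remove-Item -LiteralPath $PfxPath -Force -ErrorAction Stop
    if (Test-Path -LiteralPath $PfxPath) {
        throw "Temporary PFX still present: $PfxPath"
    }
}
```

Collect the output from every server and confirm that the thumbprint is identical everywhere and that KeyExportable is never True.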
Update the Hosts File
To update the Hosts file:
1. Navigate to C:\windows\system32\drivers\etc, and then open the hosts file as an
administrator.
2. Add records to the hosts file based on the following templates:
# Apps Management Site URL
127.0.0.1 monitor.ppe<<001d>>spoapp.com
FE servers (PPE):
# PPE My app URL
127.0.0.1 ppemy.contoso.com
# PPE Team app URL
127.0.0.1 ppeteam.contoso.com
# PPE Portal app URL
127.0.0.1 ppeportal.contoso.com
# PPE Partners Access app URL
127.0.0.1 ppepartner.contoso.com
# PPE Workflow service URL
MGP_PPE_WFE_VIP ppeo365wfl.contoso.com
# WAC service URL
MGP_WAC_VIP o365wac.contoso.com
# Apps Management Site URL
127.0.0.1 monitor.ppe<<001d>>spoapp.com
AP/AS servers (PPE):
# PPE My app URL
MGP_PPE_WFE_VIP ppemy.contoso.com
# PPE Team app URL
MGP_PPE_WFE_VIP ppeteam.contoso.com
# PPE Portal app URL
MGP_PPE_WFE_VIP ppeportal.contoso.com
# PPE Partners Access app URL
MGP_PPE_WFE_VIP ppepartner.contoso.com
# WAC service URL
MGP_WAC_VIP o365wac.contoso.com
# PPE Workflow service URL
MGP_PPE_WFE_VIP ppeo365wfl.contoso.com
# Apps Management Site URL
127.0.0.1 monitor.ppe<<001d>>spoapp.com
3. Save and close the file.
Build the SharePoint Online 2013 Farm
Topic Last Modified: 11-December-2015
Before you begin: Remote-desktop into the machine that will contain Central Admin (AP01).
Provision the Farm
Important: This step must be executed with PowerShell so that the server is not registered as a
distributed cache host. Adding machines as distributed cache hosts occurs later in this document.
1. Open the SharePoint 2013 Management Shell, and then execute the following:
$dbServer = "<First Content Storage DB Server>"
$mgdDomain = "<MGD Domain for Customer>"
$scaCred = Get-Credential "$mgdDomain\ms-svc-frm"
New-SPConfigurationDatabase -DatabaseName "SharePoint_Config" -DatabaseServer $dbServer -AdministrationContentDatabaseName "SharePoint_Admin_Content" -FarmCredentials $scaCred -Passphrase (ConvertTo-SecureString "Password911!23" -AsPlainText -Force) -SkipRegisterAsDistributedCacheHost
2. Open the SharePoint 2013 Products Configuration Wizard.
3. Select Specify port number: 8888
4. Complete the wizard.
Join Servers to the Farm
Note: This step must be executed with PowerShell so that the server is not registered as a
distributed cache host. Adding machines as distributed cache hosts occurs later in this document.
Before you can configure the farm, you must add the other AP, AS and FE servers to the farm:
1. Open the SharePoint 2013 Management Shell, and then edit and execute the following:
$dbServer = "<First Content Storage DB Server>"
$mgdDomain = "<NETBIOS Domain Name of Customer, e.g. 001D>"
$scaCred = Get-Credential "$mgdDomain\ms-svc-frm"
Connect-SPConfigurationDatabase -DatabaseName "SharePoint_Config" -DatabaseServer $dbServer -Passphrase (ConvertTo-SecureString "Password911!23" -AsPlainText -Force) -SkipRegisterAsDistributedCacheHost
2. Open the SharePoint 2013 Products Configuration Wizard.
3. Complete the wizard
Note: Repeat these steps for all other SharePoint Machines (AP, AS and FE). In the case of server
expansion or rebuild, only run the wizard on the new machines.
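Both the Provision the Farm and Join Servers to the Farm scripts above pass the farm passphrase as a literal string, which leaves it in script files, console history and transcripts. The following added example (not part of the build guide) prompts for it instead; Read-FarmPassphrase and Connect-FarmWithPrompt are hypothetical helper names, and the length and character-class check is an assumption about the complexity rule SharePoint applies to farm passphrases.

```powershell
# Added example: obtain the farm passphrase interactively as a SecureString.
function Read-FarmPassphrase {
    while ($true) {
        $first  = Read-Host -AsSecureString -Prompt 'Farm passphrase'
        $second = Read-Host -AsSecureString -Prompt 'Confirm farm passphrase'

        # Decrypt only long enough to compare the two entries and check complexity.
        $a = (New-Object System.Net.NetworkCredential('', $first)).Password
        $b = (New-Object System.Net.NetworkCredential('', $second)).Password

        # Assumed rule: at least 8 characters and 3 of the 4 character classes.
        $classes = 0
        if ($a -cmatch '[A-Z]')        { $classes++ }
        if ($a -cmatch '[a-z]')        { $classes++ }
        if ($a -cmatch '\d')           { $classes++ }
        if ($a -cmatch '[^A-Za-z0-9]') { $classes++ }

        $ok = ($a -ceq $b) -and ($a.Length -ge 8) -and ($classes -ge 3)
        $a = $b = $null

        if ($ok) { return $first }
        Write-Warning 'Entries do not match or the passphrase is too simple; try again.'
    }
}

# Join a server to the farm without a plaintext passphrase in the command.
# Run from the SharePoint 2013 Management Shell.
function Connect-FarmWithPrompt {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $DatabaseServer
    )

    $passphrase = Read-FarmPassphrase
    Connect-SPConfigurationDatabase -DatabaseName 'SharePoint_Config' `
        -DatabaseServer $DatabaseServer `
        -Passphrase $passphrase `
        -SkipRegisterAsDistributedCacheHost
}
```

The value returned by Read-FarmPassphrase can be passed to the -Passphrase parameter of New-SPConfigurationDatabase in the same way when the farm is first provisioned.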
Enable Licensing
1. Open the SharePoint 15 Management Shell, and then edit and execute the following:
$allAuthUsers = New-SPClaimsPrincipal -Identity "NT Authority\Authenticated Users" -IdentityType WindowsSecurityGroupName
New-SPUserLicenseMapping -Claim $allAuthUsers -License "<<License Type value from TBR>>" | Add-SPUserLicenseMapping
Enable-SPUserLicensing
Register Managed Accounts
1. In Central Administration, go to Security | Configure Managed Accounts
2. Ensure that the following accounts are registered.
managed/ms-svc-wap
managed/ms-svc-sa
managed/ms-svc-sbx
Configure Services (Generic)
Topic Last Modified: 2014-05-06
Important: The instructions for configuring services are organized to get the farm up and running as
fast as possible. In order to ensure that nothing is missed it is recommended that each section relating to
service configuration be performed in the order presented.
Configure Distributed Cache
Repeat the following on each FE server in the farm.
1. Open the SharePoint 15 Management Shell, and then edit and execute the following:
Add-SPDistributedCacheServiceInstance
Configure Other Services
1. In Central Administration, go to System Settings | Servers | Manage services on server
Note: A drop down at the top of the list allows you to switch from server to server, so all servers
previously added to the farm can be configured from AP01.
2. Start the service on each machine as noted in the tables below.
FE Machines (FE01, FE02, FE03, etc.)
Service | Status
Access Database Service 2010 | Started
Access Services | Started
App Management Service | Started
Business Data Connectivity Service | Started
Central Administration | Stopped
Claims to Windows Token Services | Stopped
Distributed Cache | Started
Document Conversions Launcher Service | Stopped
Document Conversions Load Balancer Service | Stopped
Excel Calculation Services | Started
Lotus Notes Connector | Stopped
Machine Translation Service | Stopped
Managed Metadata Web Service | Started
Microsoft SharePoint Foundation Incoming E-Mail | Started
Microsoft SharePoint Foundation Sandboxed Code Service | Started
Microsoft SharePoint Foundation Subscription Settings Service | Started
Microsoft SharePoint Foundation Web Application | Started
Microsoft SharePoint Foundation Workflow Timer Service | Started
PerformancePoint Service | Stopped
PowerPoint Conversion Service | Stopped
Request Management | Stopped
Search Host Controller Service [1] | Started
Search Query and Site Setting Service | Started
Secure Store Service | Started
SharePoint Server Search [2] | Started
User Profile Service | Started
User Profile Synchronization Service [3] | Stopped
Visio Graphics Service | Started
Word Automation Services | Stopped
Work Management Service | Stopped
[1] This service will be started during the provisioning of the Search Service Application.
[2] This service will be started during the provisioning of the Search Service Application.
[3] Do not start the User Profile Synchronization Service now. It will be started later in this document.
AP (Admin Service) (AP01 only)
Service | Status
Central Administration | Started
AP (Admin Service) (AP01, AP02)
Service | Status
Access Database Service 2010 | Stopped
Access Services | Stopped
App Management Service | Stopped
Business Data Connectivity Service | Stopped
Claims to Windows Token Service | Stopped
Document Conversions Launcher Service | Stopped
Document Conversions Load Balancer Service | Stopped
Excel Calculation Services | Stopped
Lotus Notes Connector | Stopped
Machine Translation Service | Started
Managed Metadata Web Service | Stopped
Microsoft SharePoint Foundation Incoming E-Mail | Started
Microsoft SharePoint Foundation Sandboxed Code Service | Stopped
Microsoft SharePoint Foundation Subscription Settings Service | Started
Microsoft SharePoint Foundation Web Application | Started
Microsoft SharePoint Foundation Workflow Timer Service | Started
PerformancePoint Service | Stopped
PowerPoint Conversion Service | Stopped
Request Management | Stopped
Search Host Controller Service [4] | Started
Search Query and Site Setting Service | Stopped
Secure Store Service | Stopped
SharePoint Server Search [5] | Started
User Profile Service | Stopped
User Profile Synchronization Service [6] | Stopped
Visio Graphics Service | Stopped
Word Automation Services | Stopped
Work Management Service | Started
[4] This service will be started during the provisioning of the Search Service Application.
[5] This service will be started during the provisioning of the Search Service Application.
[6] Do not start the User Profile Synchronization Service now. It will be started later in this document.
AS (Search) (AS01, AS02, AS03, etc.)
Service | Status
Access Database Service 2010 | Stopped
Access Services | Stopped
App Management Service | Stopped
Business Data Connectivity Service | Stopped
Central Administration | Stopped
Claims to Windows Token Services | Stopped
Document Conversions Launcher Service | Stopped
Document Conversions Load Balancer Service | Stopped
Excel Calculation Services | Stopped
Lotus Notes Connector | Stopped
Machine Translation Service | Stopped
Managed Metadata Web Service | Stopped
Microsoft SharePoint Foundation Incoming E-mail | Started
Microsoft SharePoint Foundation Sandboxed Code Service | Stopped
Microsoft SharePoint Foundation Subscription Settings Service | Stopped
Microsoft SharePoint Foundation Web Application | Started
Microsoft SharePoint Foundation Workflow Timer Service | Started
PerformancePoint Service | Stopped
PowerPoint Conversion Service | Stopped
Request Management | Stopped
Search Host Controller Service [7] | Started
Search Query and Site Setting Service | Stopped
Secure Store Service | Stopped
SharePoint Server Search [8] | Started
User Profile Service | Stopped
User Profile Synchronization Service | Stopped
Visio Graphics Service | Stopped
Word Automation Services | Stopped
Work Management Service | Stopped
[7] This service will be started during the provisioning of the Search Service Application.
[8] This service will be started during the provisioning of the Search Service Application.
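Once the services have been set per the FE, AP and AS tables above, the result can be checked from AP01 rather than by reading each server's page in Central Administration. The following is an added example, not part of the build guide; Compare-ServiceBaseline is a hypothetical helper name, the baseline shown is a constructed subset of the FE table, and it assumes the service names in the tables match the TypeName values that Get-SPServiceInstance returns.

```powershell
# Added example: report service instances that deviate from the role baseline.
# Run from the SharePoint 2013 Management Shell.
function Compare-ServiceBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string[]]  $Server,
        # Service name -> 'Started' or 'Stopped', as printed in the tables
        [Parameter(Mandatory = $true)] [hashtable] $Expected
    )

    # Central Administration displays status Online as "Started" and Disabled as "Stopped".
    $display = @{ 'Online' = 'Started'; 'Disabled' = 'Stopped' }

    foreach ($name in $Server) {
        $instances = @(Get-SPServiceInstance -Server $name)

        # 1. Services in the baseline whose state differs, or that are missing.
        foreach ($typeName in $Expected.Keys) {
            $found = @($instances | Where-Object { $_.TypeName -eq $typeName })
            if ($found.Count -eq 0) {
                [pscustomobject]@{
                    Server = $name; Service = $typeName
                    Expected = $Expected[$typeName]; Actual = 'NotFound'
                }
                continue
            }
            foreach ($instance in $found) {
                $status = [string]$instance.Status
                $actual = if ($display.ContainsKey($status)) { $display[$status] } else { $status }
                if ($actual -ne $Expected[$typeName]) {
                    [pscustomobject]@{
                        Server = $name; Service = $typeName
                        Expected = $Expected[$typeName]; Actual = $actual
                    }
                }
            }
        }

        # 2. Services that are running but not covered by the baseline at all.
        #    Every extra running service is additional attack surface to justify.
        foreach ($instance in $instances) {
            if ([string]$instance.Status -eq 'Online' -and
                -not $Expected.ContainsKey($instance.TypeName)) {
                [pscustomobject]@{
                    Server = $name; Service = $instance.TypeName
                    Expected = 'NotInBaseline'; Actual = 'Started'
                }
            }
        }
    }
}

# Constructed subset of the FE table; load the full table for a real audit,
# otherwise every running service missing from this subset is reported.
$feBaseline = @{
    'Central Administration'                                 = 'Stopped'
    'Distributed Cache'                                      = 'Started'
    'Lotus Notes Connector'                                  = 'Stopped'
    'Request Management'                                     = 'Stopped'
    'Secure Store Service'                                   = 'Started'
    'Microsoft SharePoint Foundation Sandboxed Code Service' = 'Started'
}

# Example call (server names as used in this guide):
# Compare-ServiceBaseline -Server 'FE01','FE02' -Expected $feBaseline | Format-Table -AutoSize
```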
Create Quota Templates
Topic Last Modified: 2014-05-06
Create the quota templates before creating the web applications:
1. In Central Administration, go to Application Management | Site Collections | Specify quota
templates.
2. Create 8 new quota templates using the [new blank template] as per the table below:
Name | Limit site storage to a max of: | Send warning email when site collection storage reaches: | Limit max usage per day to: | Send warning email when usage per day reaches:
2GB | 2000MB | 1600MB | 300 pt | 100 pt
5GB | 5000MB | 4000MB | 300 pt | 100 pt
10GB | 10000MB | 8000MB | 300 pt | 100 pt
20GB | 20000MB | 16000MB | 300 pt | 100 pt
50GB | 50000MB | 40000MB | 300 pt | 100 pt
60GB | 60000MB | 48000MB | 300 pt | 100 pt
100GB | 100000MB | 80000MB | 300 pt | 100 pt
200GB | 200000MB | 160000MB | 300 pt | 100 pt
400GB | 400000MB | 320000MB | 300 pt | 100 pt
Personal Site | 1024MB | 820MB | 300 pt | 100 pt
Configure Outgoing Email
Topic Last Modified: 2014-05-06
Important: This procedure should be skipped if the customer does not subscribe to SPO. For non-SPO
customers, SMTP configuration is not necessary.
By default, email should be disabled. It should be configured in SFS.
1. In Central Administration, go to System Settings | E-Mail and Text Messages (SMS) |
Configure outgoing e-mail settings.
2. Configure the following:
a. Provide an outbound SMTP server address (either from the MGD or customer forest) that
will accept routing requests from all SharePoint servers.
Note: The SMTP server address should be a fully qualified domain name. Do not use an IP address,
even if it is an F5 VIP.
b. Provide a From address: e.g., [email protected].
c. Provide a Reply-to address: e.g., [email protected].
Create Web Applications
Topic Last Modified: 2014-05-06
We create web applications for customers using Central Administration. The following table outlines what
web applications to create.
Note: Create all the web applications in all environments, with the following exception: the Partner
Access web application is only created if the customer has purchased that option.
1. In Central Administration, go to Application Management | Web Applications | Manage Web
Applications
2. For each of the specified web applications below, in the ribbon bar, click Contribute | New and
then supply specified settings:
Web Application | Notes
My Sites | https://my.contoso.com
Portal | https://portal.contoso.com
Team | https://team.contoso.com
Partner (optional) | https://extranet.contoso.com

Settings for Web Applications | Claims
Name | Supplied by customer
IIS Web Site : Port | 443
IIS Web Site : Host Header | Supplied by customer
IIS Web Site : Path | <Default value>
Security Configuration: Allow Anonymous | No
Security Configuration: Use Secure Sockets Layer (SSL) | Yes
Claims Authentication Types | Enable Windows Authentication; Integrated Windows Authentication (checked); NTLM
Public URL | <Default value>
Application Pool | Create a new app pool for each web application. Create a new application pool named <<URL Provided by the Customer>>. Use the managed/ms-svc-wap account.
Database Name and Authentication: Database Server | Primary SQL in content storage group (SQ01)
Database Name and Authentication: Database Name | The default naming scheme for databases is <application>_content_<##>.
Failover Server | <Leave blank>
Service Application Connections | <Default value>
Customer Experience Improvement Program | No
Create Web Application to Host SharePoint Apps
To create an additional web application for hosting SharePoint applications, use the following settings.
1. In Central Administration, go to Application Management | Web Applications | Manage Web
Applications
2. For each of the specified web applications below, in the ribbon bar, click Contribute | New and
then supply specified settings:
Settings for Web Applications | Claims
Name | AppsManagementSite
IIS Web Site : Port | 443
IIS Web Site : Host Header | <Leave blank>
IIS Web Site : Path | E:\inetpub\wwwroot\wss\VirtualDirectories\AppsManagementSite443
Security Configuration: Allow Anonymous | No
Security Configuration: Use Secure Sockets Layer (SSL) | Yes
Claims Authentication Types | Enable Windows Authentication; Integrated Windows Authentication (checked); NTLM
Public URL | <Default value>
Application Pool | Create a new application pool named AppsManagementSite. Use the managed\ms-svc-wap account.
Database Name and Authentication: Database Server | Primary SQL in content storage group (SQ01)
Database Name and Authentication: Database Name | AppsManagementSite_content_01
Failover Server | <Leave blank>
Service Application Connections | <Default value>
Customer Experience Improvement Program | No
Set Up People Picker for Each URL
Topic Last Modified: 2014-04-02
SharePoint Online Dedicated service accounts are not automatically trusted by the customer Active
Directory due to one-way trust. Please specify the following:
1. Start the SharePoint 2013 Management Shell.
2. Execute the following where the password is a KeyPhrase provided from the KeePass database
located at: \\mgmt.msft.net\spo\Secured\000\000.kdbx:
stsadm -o setapppassword -password <KeyPhrase>
3. Repeat step 2 on all SharePoint machines. Ensure you have completed step 2 on all SharePoint
machines before beginning step 4.
4. On AP01 in each farm, execute the following for all URLs including central admin. (Don’t run
unless step 2 has completed):
If ((Get-PsSnapin |?{$_.Name -eq "Microsoft.SharePoint.PowerShell"})-eq $null)
{
    Write-Host -ForegroundColor White " - Loading SharePoint Powershell Snapin"
    $PSSnapin = Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
}
$pn = "peoplepicker-searchadForests"
#Include customer forests/domains variables in the first line
#For additional customer forests/domains remove the "#" in the second line and make additional copies of it as needed
$pv = "DOMAIN:< Customer Domain>,<Customer People Picker Account>,<Password>;"
#$pv += "DOMAIN:<Customer Domain>,<Customer People Picker Account>,<Password>;"
#Include the management domain
#Set the people picker on content web applications
Get-SPWebApplication | % { stsadm -o setproperty -url $_.Url -pn $pn -pv $pv }
#Include the managed domain for central admin
$pv += "DOMAIN:< Management Domain FQDN>,<Management People Picker Account>,<Password>;"
$pv = $pv + "DOMAIN:001d.mgd7.msft.net;"
#Set the people picker on central admin web app
Get-SPWebApplication -IncludeCentralAdministration | where { $_.DisplayName -like "SharePoint Central Administration*" } | % { stsadm -o setproperty -url $_.Url -pn $pn -pv $pv }
Configure Web Applications (Common Settings)
Topic Last Modified: 2014-05-06
The following common settings must be applied to each content web application (My, Portal, Team,
Partner Access).
General Settings
1. In Central Administration, go to Application Management | Web Applications | Manage web
applications | General Settings
2. Configure the following settings:
Time Zone: As specified in the discovery documentation
Default Quota (My Web App): Personal Site
Default Quota (Other Web Apps): 2 GB
Browser File Handling: Permissive
Security Validation: 60 minutes
Recycle Bin | Delete items in the Recycle Bin: after 35 days
Maximum Upload Size: 2047 MB
3. Repeat step 2 for each content web application (Team, Portal, My, and Partner Access).
Configure Managed Paths
1. In Central Administration, go to Application Management | Web Applications | Manage web
applications | Managed Paths
2. Configure the following settings, delete any included paths not called out below:
Included Paths (My Web App): (root) - Explicit inclusion; personal – Wildcard inclusion
Included Paths (Other Web Apps): (root) – Explicit inclusion; sites – Wildcard inclusion
3. Repeat step 2 for each content web application.
Configure Blocked File Types
Repeat the following for each web application.
1. In Central Administration, go to Application Management | Web Applications | Manage web
applications
2. Select the web application row, then click Blocked File Types
3. Remove all of the existing file types.
4. Enter the following list of file types:
ashx
asmx
asp
aspq
axd
cshtm
cshtml
json
rem
shtm
shtml
soap
stm
svc
vbhtm
vbhtml
xamlx
5. Click OK.
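Because the blocked file type list is set by hand on every web application, it is easy for one of them to drift. The following added example (not part of the build guide) compares each content web application against the list above and, with -Fix, applies it; Sync-BlockedFileTypes is a hypothetical helper name.

```powershell
# Added example: audit (and optionally enforce) the blocked file type list.
# Run from the SharePoint 2013 Management Shell.

# The list from step 4 of this procedure.
$blockedBaseline = @(
    'ashx', 'asmx', 'asp', 'aspq', 'axd', 'cshtm', 'cshtml', 'json', 'rem',
    'shtm', 'shtml', 'soap', 'stm', 'svc', 'vbhtm', 'vbhtml', 'xamlx'
)

function Sync-BlockedFileTypes {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string[]] $Baseline,
        # Without -Fix the function only reports differences.
        [switch] $Fix
    )

    # Get-SPWebApplication returns the content web applications only
    # (Central Administration is excluded unless explicitly requested).
    foreach ($webApp in Get-SPWebApplication) {
        $actual = @($webApp.BlockedFileExtensions)

        # -notcontains is case-insensitive, which matches how extensions are treated.
        $missing = @($Baseline | Where-Object { $actual -notcontains $_ })
        $extra   = @($actual   | Where-Object { $Baseline -notcontains $_ })

        $fixed = $false
        if ($Fix -and ($missing.Count -gt 0 -or $extra.Count -gt 0)) {
            # Steps 3 and 4: remove all existing types, then add the baseline.
            $webApp.BlockedFileExtensions.Clear()
            foreach ($extension in $Baseline) {
                $webApp.BlockedFileExtensions.Add($extension)
            }
            $webApp.Update()
            $fixed = $true
        }

        [pscustomobject]@{
            WebApplication = $webApp.Url
            Missing        = ($missing -join ',')
            Extra          = ($extra -join ',')
            Fixed          = $fixed
        }
    }
}

# Report only:
# Sync-BlockedFileTypes -Baseline $blockedBaseline | Format-Table -AutoSize
# Report and enforce:
# Sync-BlockedFileTypes -Baseline $blockedBaseline -Fix | Format-Table -AutoSize
```

A non-empty Missing column means a server-side handler extension from the list can be uploaded to that web application; a non-empty Extra column means someone has extended the list outside this procedure.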
Enable the BLOB Cache
Important: Do not make manual changes to the web.config files because manual changes will not be
automatically applied to new servers brought in to the farm or when web applications are extended into
new zones.
By default, the disk-based BLOB cache is off and must be enabled on each content web application of
each FE server and AP-01.
1. Open the SharePoint 2013 Management Shell and execute the following:
Add-PSSnapin microsoft.sharepoint.powershell -ErrorAction SilentlyContinue
Write-Host "Updating the Blob Cache"
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null
$BlobCachePath = "configuration/SharePoint/BlobCache"
$WebConfigModifications=@{"path"="(?:(^.{0,160}))\.(gif|jpg|jpeg|jpe|jfif|bmp|dib|tif|tiff|ico|png|wdp|hdp|css|js|asf|avi|flv|m4v|mov|mp3|mp4|mpeg|mpg|rm|rmvb|wma|wmv|ogg|ogv|oga|webm|xap)$"; "enabled"="true"}
$SPWebApps = Get-SPWebApplication
$Method = [Microsoft.SharePoint.Administration.SPServiceCollection].GetMethod("GetValue", [string])
$GenericMethod = $Method.MakeGenericMethod([Microsoft.SharePoint.Administration.SPWebService])
$Farm = [Microsoft.SharePoint.Administration.SPFarm]::Local
foreach ($SPWebApp in $SPWebApps){
    Write-Host "Modifying the Web App $($SPWebApp.Name)"
    foreach ($Key in $WebConfigModifications.Keys){
        $SPWebConfigModification= new-object Microsoft.SharePoint.Administration.SPWebConfigModification
        $SPWebConfigModification.Name= $Key
        $SPWebConfigModification.Owner= "SPO dedicated"
        $SPWebConfigModification.Path= $BlobCachePath
        $SPWebConfigModification.Type="EnsureAttribute"
        $SPWebConfigModification.Value=$WebConfigModifications[$Key]
        $SPWebApp.WebConfigModifications.Add($SPWebConfigModification)
    }
    $SPWebApp.Update()
}
$FarmService = $GenericMethod.Invoke($Farm.Services,"")
$FarmService.ApplyWebConfigModifications()
Write-Host "Updated the Blob cache successfully"
Apply Web App Policy and User Policy (Kiosk Worker)
Note: Skip this procedure if your organization does not employ kiosk workers.
For customers that have purchased the kiosk worker USL option, it is necessary to create a web
application policy to restrict the tasks that kiosk workers can perform in SharePoint. In addition to this
web app policy, you must create a user policy to associate this web app policy with a Role Claim or AD
Group.
1. In Central Administration, go to Application Management | Web Applications | Manage web
applications | Permission Policy | Add Permission Policy Level
2. Configure the following settings:
Name: Kiosk Workers
Description: Deny policy for kiosk workers
Manage Lists: Deny
Override List Behaviors: Deny
Approve Items: Deny
Manage Permissions: Deny
View Web Analytics Data: Deny
Create Subsites: Deny
Manage Web Site: Deny
Add and Customize Pages: Deny
Apply Themes and Borders: Deny
Apply Style Sheets: Deny
Create Groups: Deny
Use Self-Service Site Creation: Deny
Enumerate Permissions: Deny
Manage Alerts: Deny
Use Client Integration Features: Deny
Manage Personal Views: Deny
Add/Remove Personal Web Parts: Deny
Update Personal Web Parts: Deny
3. In Central Administration, go to Application Management | Web Applications | Manage web
applications | User Policy | Add Users
4. Configure the following settings:
Zones: (All zones)
Users: Security group specified by the customer
Permissions: Kiosk Workers
Account operates as System: leave unchecked.
5. Repeat steps 1 through 4 for each content web application (Team, Portal, My, and Partner
Access).
Set Up Super User and Super Reader Accounts
Publishing sites depend on the object cache for maximum performance. This is also a required setting for
claims authentication where the default users don’t resolve correctly and receive “Access Denied” error
messages when navigating to the site.
1. Edit lines 2 and 4 of the script below with the Portal Super User account and the Portal Super
Reader account.
2. Execute the script once on the AP01 server:
# Create Object Cache Account Settings
$SuperUserAccount = "mgd\ms-svc-psu"
# Use
$SuperReaderAccount = "mgd\ms-svc-psr"
$superReaderPropertyString = "portalsuperreaderaccount"
$superUserPropertyString = "portalsuperuseraccount"
$FullReadRoleName = "Full Read"
$FullControlRoleName = "Full Control"
Get-SPWebApplication | %{
    $Zone = $_.IISSettings.Item("Default")
    if($Zone.UseClaimsAuthentication -eq $True){
        # Claims web applications need the claims-encoded form of each account
        $SuperUserPrincipal = New-SPClaimsPrincipal -Identity $SuperUserAccount -IdentityType WindowsSamAccountName
        $SuperUserAccountEncoded = $SuperUserPrincipal.ToEncodedString()
        $superReaderPrincipal = New-SPClaimsPrincipal -Identity $SuperReaderAccount -IdentityType WindowsSamAccountName
        $SuperReaderAccountEncoded = $superReaderPrincipal.ToEncodedString()
    }
    else {
        # Classic-mode web applications use the plain account names, so the
        # encoded variables are never left undefined or stale from a previous iteration
        $SuperUserAccountEncoded = $SuperUserAccount
        $SuperReaderAccountEncoded = $SuperReaderAccount
    }
    # Grant the Super Reader account Full Read through a web application policy
    $SuperReaderPolicy = $_.Policies | WHERE {$_.DisplayName -eq "Object Cache Super Reader"}
    if ($SuperReaderPolicy -eq $Null){
        $SuperReaderPolicy = $_.Policies.Add($SuperReaderAccountEncoded, "Object Cache Super Reader")
    }
    $Role = $_.PolicyRoles | where {$_.Name -like $FullReadRoleName}
    $SuperReaderPolicy.PolicyRoleBindings.Add($Role)
    $_.Properties[$superReaderPropertyString] = [System.String]$SuperReaderAccountEncoded
    # Grant the Super User account Full Control through a web application policy
    $SuperUserPolicy= $_.Policies | WHERE {$_.DisplayName -eq "Object Cache Super User"}
    if ($SuperUserPolicy -eq $Null){
        $SuperUserPolicy = $_.Policies.Add($SuperUserAccountEncoded, "Object Cache Super User")
    }
    $Role = $_.PolicyRoles | where {$_.Name -like $fullControlRoleName}
    $SuperUserPolicy.PolicyRoleBindings.Add($Role)
    $_.Properties[$superUserPropertyString] = [System.String]$SuperUserAccountEncoded
    $_.Update()
}
#endregion
Add Administrators to Web App Policy
To facilitate troubleshooting customer issues all admins are granted rights to all content in each of the
web applications. This is done via a web app Policy set for each web application.
1. In Central Administration, go to Application Management | Web Applications | Manage Web
Applications | Select a Content Web Application | User Policy | Add Users
2. Add the following user with Full Control:
Zones: (All zones)
Users: Add your SharePoint farm administrators group
Permissions: Full Control
Account operates as System: leave unchecked.
3. Repeat steps 1 and 2 for each content web application (My, Portal, Team, Partner Access).
4. Repeat this procedure to add customer provided admin groups if available.
Configure List Throttle Settings
To allow for large list operations and the need to administer large lists, configure “happy hour” settings.
1. In Central Administration, go to Application Management | Web Applications | Manage Web
Applications | Select a Content Web Application | General Settings | Resource Throttling
ListView Threshold: 12
Daily Time Window for Large Queries
Enable a daily time window for large queries: enabled
Start Time: 6 pm 00
Duration: 6 hours
2. Repeat for each content web application (My, Portal, Team, and Partner Access)
Set Setup User Account as System
Topic Last Modified: 2014-04-02
Important: The instructions for configuring services are organized to get the farm up and running as
fast as possible. In order to ensure that nothing is missed it is recommended that each section relating to
service configuration be performed in the order presented.
Add your management account as system to mask your user name when content visible to end users is
created:
1. In Central Administration, go to Application Management | Web Applications | Manage Web
Applications | Select a Content Web Application | User Policy | Add Users
Zones: (All zones)
Users: <add your mgmt account>
Permissions: Full Control
Account operates as System: Check this box.
2. Repeat for all content web applications (My, Team, and Portal).
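The object cache, administrator and setup-account steps above all leave standing web application policy entries, so the following added example (not part of the original guide) lists every policy entry and flags those that hold Full Control or operate as System without being on a reviewed list. The function names, the record shape, the two placeholder accounts and the sample rows are assumptions constructed for illustration; `Get-WebAppPolicyRecord` needs the SharePoint snap-in on a farm server, while `Test-WebAppPolicy` works on plain records.

```powershell
# Added example, not part of the build guide. Function names, the record shape
# and the sample rows are hypothetical and constructed for illustration.

# Live collection: one record per policy entry. Run on a farm server.
function Get-WebAppPolicyRecord {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    foreach ($wa in Get-SPWebApplication) {
        foreach ($p in $wa.Policies) {
            [pscustomobject]@{
                WebApp   = $wa.DisplayName
                User     = $p.UserName
                Roles    = @($p.PolicyRoleBindings | ForEach-Object { $_.Name })
                IsSystem = $p.IsSystemUser
            }
        }
    }
}

# Review logic: works on the records only, so it also runs away from the farm.
# $Expected maps each reviewed account to the policy role it is meant to hold.
function Test-WebAppPolicy {
    param(
        [Parameter(Mandatory = $true)] [object[]]  $Record,
        [Parameter(Mandatory = $true)] [hashtable] $Expected,
        [string[]] $SystemAllowed = @()
    )
    foreach ($group in ($Record | Group-Object WebApp)) {
        $seen = @{}
        foreach ($r in $group.Group) {
            # Claims-encoded user names look like "i:0#.w|domain\user"; compare on the
            # part after the last "|". Group entries under claims carry the group SID
            # there, so list the SID in $Expected for groups on a claims web application.
            $account = ($r.User -split '\|')[-1]
            $seen[$account] = $r.Roles
            if ($r.Roles -contains 'Full Control' -and $Expected[$account] -ne 'Full Control') {
                [pscustomobject]@{ WebApp = $group.Name; Account = $account
                                   Issue = 'Full Control not on the reviewed list' }
            }
            if ($r.IsSystem -and $SystemAllowed -notcontains $account) {
                [pscustomobject]@{ WebApp = $group.Name; Account = $account
                                   Issue = 'Operates as System without approval' }
            }
        }
        # Every reviewed account must be present on every web application.
        foreach ($account in $Expected.Keys) {
            if ($seen[$account] -notcontains $Expected[$account]) {
                [pscustomobject]@{ WebApp = $group.Name; Account = $account
                                   Issue = "Expected role '$($Expected[$account])' is missing" }
            }
        }
    }
}

# Reviewed list. ms-svc-psu and ms-svc-psr are the accounts used in the guide's
# script; farm-admins and mgmt-setup are placeholders for the customer's own names.
$expected = @{
    'mgd\ms-svc-psu'  = 'Full Control'
    'mgd\ms-svc-psr'  = 'Full Read'
    'mgd\farm-admins' = 'Full Control'
    'mgd\mgmt-setup'  = 'Full Control'
}

# Constructed sample records (not real farm output).
$sample = @(
    [pscustomobject]@{ WebApp = 'Portal'; User = 'i:0#.w|mgd\ms-svc-psu'; Roles = @('Full Control'); IsSystem = $false }
    [pscustomobject]@{ WebApp = 'Portal'; User = 'i:0#.w|mgd\ms-svc-psr'; Roles = @('Full Read');    IsSystem = $false }
    [pscustomobject]@{ WebApp = 'Portal'; User = 'mgd\farm-admins';       Roles = @('Full Control'); IsSystem = $false }
    [pscustomobject]@{ WebApp = 'Portal'; User = 'i:0#.w|mgd\mgmt-setup'; Roles = @('Full Control'); IsSystem = $true }
    [pscustomobject]@{ WebApp = 'Team';   User = 'i:0#.w|mgd\ms-svc-psu'; Roles = @('Full Control'); IsSystem = $false }
    [pscustomobject]@{ WebApp = 'Team';   User = 'mgd\farm-admins';       Roles = @('Full Control'); IsSystem = $true }
    [pscustomobject]@{ WebApp = 'Team';   User = 'i:0#.w|mgd\jdoe';       Roles = @('Full Control'); IsSystem = $false }
)

# On a farm server, replace $sample with (Get-WebAppPolicyRecord).
Test-WebAppPolicy -Record $sample -Expected $expected -SystemAllowed 'mgd\mgmt-setup' |
    Format-Table -AutoSize
```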
Create Site Collections
Topic Last Modified: 2014-02-11
Site collections must be created at this stage to support creation of the Service Applications and to allow
Self-Service Site Creation to be enabled.
1. In Central Administration, go to Application Management | Site Collections | Create site
collections
2. Create root site collections for each web application using the parameters listed in the following
table:
Parameter                               My                                Portal                          Team                       Partner Access
Title                                   My Site                           Portal                          Team                       Partner Access
Web Application                         Provided by customer              Provided by customer            Provided by customer       Provided by customer
Template                                Enterprise | My Site Host         Publishing | Publishing Portal  Collaboration | Team Site  Collaboration | Team Site
Primary Site Collection Admin                                             Provided by customer            Provided by customer       Provided by customer
Secondary Site Collection Admin         n/a                               Provided by customer            Provided by customer       Provided by customer
Primary Site Collection Admin on PPE                                      Provided by customer            Provided by customer       Provided by customer
Secondary Site Collection Admin on PPE  n/a                               Provided by customer            Provided by customer       Provided by customer
Quota                                   No quota                          100 GB                          5 GB                       5 GB
Members Group                           All IW Users                      n/a                             n/a                        n/a
Visitors Group                          NT AUTHORITY\authenticated users  n/a                             n/a                        n/a
3. To support service applications, create a Content Hub site collection and a Broadcast Site site
collection. The following table provides the required setting parameters:
Parameter                      Content Hub                          Search Center
URL                            Team URL\sites\contenthub            Team URL/sites/searchcenter
Template                       Collaboration | Team Site            Enterprise | Enterprise Search Center
Primary Site Collection Admin  Provided by customer                 Provided by customer
Quota                          5 GB                                 2 GB
Members Group                  Set by Customer After Service Ready  Set by Customer After Service Ready
Visitors Group                 Set by Customer After Service Ready  NT Authority\Authenticated Users
4. After creating the ContentHub site collection, navigate to the site collection and enable the
Content Type Syndication Hub site collection feature.
Create Service Applications
Topic Last Modified: 11-December-2015
Important: The instructions for configuring service applications are organized to get the farm up and
running as fast as possible. In order to ensure that nothing is missed, we recommend that each section
relating to service application configuration be performed in the order presented.
Most service applications use default settings. The settings to change are called out below for each
service application. For a new customer, all settings are default. When building out an existing customer,
build out first with the defaults; the delta (based on change requests) is applied afterwards.
The generic steps to create service applications are as follows:
Note: Only log in as the Farm Administrator account when configuring the Sync service.
1. In Central Administration, go to Application Management | Service Applications | Manage
service applications.
2. For each service click New and select Service Application
3. For Name choose the title of the type of Service Application (for example: Access Services
Application)
4. All databases should be created on SQ01 and use the provided database name if the service
application has an associated database (not all do).
5. All service applications should use the SharePoint Service Applications App Pool, created first for
Access Services.
6. Use the following settings for each service application:
Access Services Application
Name: Access Services Application
Application Pool: SharePoint Service Applications
App Management Service
Name: App Management Service Application
Database Name: App_Management_DB
Application Pool: SharePoint Service Applications
Business Data Connectivity Service
Name: Business Data Connectivity Service Application
Database Name: BDC_Service_DB
Application Pool: SharePoint Service Applications
Excel Service Application
Name: Excel Service Application
Application Pool: SharePoint Service Applications
Machine Translation Service
Name: Machine Translation Service Application
Application pool: SharePoint Service Applications
Add to Default Proxy List: Checked
Database Name: Machine_Translation_Service_DB
Managed Metadata Service Application
Name: Managed Metadata Service Application
Database Name: Managed_Metadata_DB
Application Pool: SharePoint Service Applications
Content Type Hub: Provided by the customer.
User Profile Service Application
Name: User Profile Service Application
Application pool: SharePoint Service Applications
Profile database name: Profile_DB
Sync database name: Sync_DB
Social Tagging Database name: Social_DB
Profile Synchronization Instance: AP-01
My Site Host URL: https://<mysite URL>/
My Site Managed Path: /personal
Site Naming Format: Domain and user name (will not have conflicts)
Additional Connection Permissions for User Profile Service Application: MGMT\ms-svc-orc, Full Control
Search Service Application – Do not provision at this time.
Secure Store Service Application
Name: Secure Store Service Application
Database name: Secure_Store_Service_DB
Application Pool: SharePoint Service Applications
Visio Graphics Service Application
Name: Visio Graphics Service Application
Application Pool: SharePoint Service Applications
Work Management Service Application
7. On AP01, open the SharePoint 2013 Management Shell and execute the following PowerShell
script:
    Add-PSSnapin Microsoft.SharePoint.PowerShell

    # Remove existing Work Management Service Application
    $svc = Get-SPServiceApplication | ? { $_.TypeName -eq "Work Management Service Application" }
    $svcPxy = Get-SPServiceApplicationProxy | ? { $_.TypeName -eq "Work Management Service Application Proxy" }

    # Find the web app app pool identity. Work management must use the same identity
    # as the web app so that it can aggregate all the tasks for all web apps
    $webApp = Get-SPWebApplication | ? Name -ne AppsManagementSite | Select -First 1
    $managedAccount = $webApp.ApplicationPool.ManagedAccount

    if ($svc.ApplicationPool.ProcessAccountName -eq $managedAccount.Username) {
        Write-Host "No changes are required. Work Management service and web app identities are the same."
    }
    else {
        if ($svcPxy) {
            Write-Host "Removing the Work Management Service Application Proxy..." -NoNewline
            $svcPxy | Remove-SPServiceApplicationProxy -Confirm:$false
            Write-Host "Done" -ForegroundColor Green
        }
        if ($svc) {
            Write-Host "Removing the Work Management Service Application..." -NoNewline
            $svc | Remove-SPServiceApplication -Confirm:$false
            Write-Host "Done" -ForegroundColor Green
        }

        # Find the web app app pool identity. Work management must use the same identity
        # as the web app so that it can aggregate all the tasks for all web apps
        $webApp = Get-SPWebApplication | ? Name -ne AppsManagementSite | Select -First 1
        $managedAccount = $webApp.ApplicationPool.ManagedAccount

        # Create a new service app pool for work management
        $appPoolName = "Work Management Service Application"
        if (-not (Get-SPServiceApplicationPool | ? { $_.Name -eq $appPoolName } )) {
            Write-Host "Creating $appPoolName app pool..." -NoNewline
            New-SPServiceApplicationPool -Name $appPoolName -Account $managedAccount | Out-Null
            Write-Host "Done" -ForegroundColor Green
        }
        else {
            Write-Host "$appPoolName app pool already exists"
        }

        # Create the Service Application using the new app pool
        if (-not (Get-SPServiceApplication | ? { $_.Name -eq "Work Management Service Application" } )) {
            Write-Host "Creating Work Management Service Application and Proxy..." -NoNewline
            New-SPWorkManagementServiceApplication -Name "Work Management Service Application" -ApplicationPool $appPoolName | Out-Null
            New-SPWorkManagementServiceApplicationProxy -Name "Work Management Service Application Proxy" -ServiceApplication "Work Management Service Application" -DefaultProxyGroup | Out-Null
            Write-Host "Done" -ForegroundColor Green
        }
    }
8. Subscription Settings Service Application
On AP01, open the SharePoint 15 Management Shell and execute the following PowerShell script:
    If ((Get-PsSnapin |?{$_.Name -eq "Microsoft.SharePoint.PowerShell"})-eq $null)
    {
        Write-Host -ForegroundColor White " - Loading SharePoint Powershell Snapin"
        $PSSnapin = Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
    }
    $appPool = Get-SPServiceApplicationPool "SharePoint Service Applications"
    $appSubSvc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $appPool -Name "Subscription Settings Service Application" -DatabaseName "SubscriptionSettingsServiceDB"
    $proxySubSvc = New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $appSubSvc
9. Start the State Service (via PowerShell)
a. On AP-01, in the SharePoint 15 Management Shell, execute the following PowerShell
script:
    If ((Get-PsSnapin |?{$_.Name -eq "Microsoft.SharePoint.PowerShell"})-eq $null)
    {
        Write-Host -ForegroundColor White " - Loading SharePoint Powershell Snapin"
        $PSSnapin = Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
    }
    Try
    {
        $StateServiceDB = "SharePoint_State_Service"
        $StateServiceName = "State Service Application"
        $StateServiceProxyName = "State Service Application"
        $GetSPStateServiceApplication = Get-SPStateServiceApplication
        If ($GetSPStateServiceApplication -eq $Null)
        {
            Write-Host -ForegroundColor White " - Provisioning State Service Application..."
            New-SPStateServiceDatabase -Name $StateServiceDB | Out-Null
            New-SPStateServiceApplication -Name $StateServiceName -Database $StateServiceDB | Out-Null
            Get-SPStateServiceDatabase | Initialize-SPStateServiceDatabase | Out-Null
            Write-Host -ForegroundColor White " - Creating State Service Application Proxy..."
            Get-SPStateServiceApplication | New-SPStateServiceApplicationProxy -Name $StateServiceProxyName -DefaultProxyGroup | Out-Null
            Write-Host -ForegroundColor White " - Done creating State Service Application."
        }
        Else {Write-Host -ForegroundColor White " - State Service Application already provisioned."}
    }
    Catch
    {
        Write-Output $_
    }
10. Configure the SharePoint Server ASP.Net Session State Service (via PowerShell)
a. On AP-01, in the SharePoint 15 Management Shell, execute the following PowerShell
script:
    If ((Get-PsSnapin |?{$_.Name -eq "Microsoft.SharePoint.PowerShell"})-eq $null)
    {
        Write-Host -ForegroundColor White " - Loading SharePoint Powershell Snapin"
        $PSSnapin = Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
    }
    Try
    {
        if ((Get-SPSessionStateService).SessionStateEnabled -eq $false)
        {
            Write-Host -ForegroundColor White " - Enabling SP Session State Service..."
            Enable-SPSessionStateService -DatabaseName "Session_State_Service"
            Write-Host -ForegroundColor White " - Done enabling SP Session State Service."
        }
        Else {Write-Host -ForegroundColor White " - SP Session State Service already enabled."}
    }
    Catch
    {
        Write-Output $_
    }
Configure the App Management Service
1. Open the SharePoint 15 Management shell and execute:
    Set-SPAppDomain "<<999d>>spoapp.com"
    Set-SPAppSiteSubscriptionName -Name apps -Confirm:$false
Note: For PPE, the app domain must be set to ppe<<999d>>spoapp.com
Important: For AppsManagementSite, DO NOT perform step 2.
2. For each content web application (except for AppsManagementSite), in Central Administration, go
to Apps | App Management | Manage App Catalog.
3. Select the web application from the drop down at the top of the page.
4. Select Create a new app catalog site.
5. Click OK.
6. Use the following settings:
Title: SharePoint App Catalog
Description: Catalog site for SharePoint applications
URL:
My Sites: /personal/appcatalog
All other Web Apps: /sites/appcatalog
Primary Site Collection Admin: Provided by the customer.
Secondary Site Collection Admin: Provided by the customer.
End Users: NT AUTHORITY\authenticated users
Quota Template: 5 GB
7. To verify configuration, attempt to navigate to
<servername>/_layouts/_WCF/UploadService.svc/mex. The location should not render.
Create Host Header Site Collection for Monitoring Apps Management Site
On the AP01 server in each farm, execute the following PowerShell to create a host header site collection used
for monitoring the apps web application:
    Add-PSSnapin Microsoft.SharePoint.PowerShell
    if (-not $cred) { $cred = Get-Credential (whoami) }
    $appDomain = Get-SPAppDomain
    $webAppName = "AppsManagementSite"
    if (-not $appDomain) {
        throw "Apps Domain is not properly set. Please follow the build guide steps for Set-SPAppDomain before continuing"
        return
    }
    $mgdDomainName = ((Get-SPFarm).DefaultServiceAccount).Name.Split("\")[0]
    $baseUrl = "https://monitor.$appDomain/"
    $webApp = Get-SPWebApplication $webAppName
    if (-not $webApp) {
        throw "Could not find web app $webAppName"
        return
    }
    New-SPSite $baseUrl -Template "STS#0" -OwnerAlias $webApp.ApplicationPool.Username -HostHeaderWebApplication $webApp
Configure Managed Metadata Service Application
1. In Central Administration, go to Application Management | Service Applications | Manage
Service Applications.
2. Highlight the row for the Managed Metadata Service Application Proxy
3. Click Properties
4. In the Service Connection dialog, select all of the check boxes.
5. Click OK.
Configure Excel Service Application
1. In Central Administration, go to Application Management | Service Applications | Manage
Service Applications | Excel Services Application and then click Manage.
2. Click Trusted File Locations.
3. Hover the cursor over http:// and then click Edit. Change to https://.
4. Under Change Workbook Properties | Maximum Workbook Size, change from 10 to 250
(MB).
5. Navigate to Manage Excel Services Application, and then click Global Settings.
6. In the External Data section, set the Target Application ID to 101.
7. Click OK.
Configure InfoPath Forms Services
1. In Central Administration, go to General Application Settings | InfoPath Forms Services |
Configure InfoPath Forms Services.
2. Select Allow cross-domain data access for user form templates that use connection settings
in a data connection file.
Configure Machine Translation Service Permissions
1. In Central Administration, go to Application Management | Service Applications | Manage
Service Applications
2. Select the row for the Machine Translation Service Application
3. Click the Sharing | Permissions button in the ribbon
4. Add the ms-svc-sa account and grant it Full Control
5. Click OK.
Configure Search Service Application
On the AP01 machine, edit the first 18 lines of the PowerShell script below using Windows PowerShell ISE
and then execute the script to provision the Search Service application and correctly configure the farm.
Important: If redundancy is needed for production or test, set $IsProduction = $true.
    $contactEmailAddress = "[email protected]"

    # The server that is going to host central admin
    $CAServer="AP01"

    # Farm Machines
    $AdminMachines = @("AP01")
    $FEMachines = @("FE01")
    # IMPORTANT: Specify these machines in order so that the index pairs will be provisioned on the correct servers
    $SearchMachines = @("AS01", "AS02")

    #Specify the name of the SQL server in the first services storage group
    $SQLServer = "SS01"

    # IMPORTANT: you must specify if this is a production installation. If $true, the search system will be configured with redundancy.
    $IsProduction = $false

    $AppPoolAccount = "MGD\ms-svc-sa"
    ### ------------------------------- ###
    # Don't Change anything after this line
    ### ------------------------------- ###
    If ((Get-PsSnapin |?{$_.Name -eq "Microsoft.SharePoint.PowerShell"})-eq $null)
    {
        Write-Host -ForegroundColor White " - Loading SharePoint Powershell Snapin"
        $PSSnapin = Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
    }
    $CTSNodes = $SearchMachines
    $APENodes = $CTSNodes
    $CrawlNodes = $CTSNodes
    $IMSNodes = $FEMachines
    $AdminNodes = $AdminMachines
    $SearchNodes = ($SearchMachines + $FEMachines + $AdminMachines) | Select -Unique
    $searchAppName = "Search Service Application"
    $QueryNodes1stRow = @()
    $QueryNodes2ndRow = @()
    $estimatedMaxItemCount = $SearchMachines.Count * 10000000
    $numCrawlDBs = $estimatedMaxItemCount / 20000000
    $numLinkDbs = [System.Math]::Ceiling($estimatedMaxItemCount / 60000000)
    Write-Host "---------------------------"

    #Configure two search indexes per machine pair, each machine will host both a primary index
    # partition and a secondary index partition
    if ($IsProduction) {
        if (($SearchMachines.Count % 2) -ne 0) { throw "You must supply an even number of search machines" }
        0..($SearchMachines.Count/2 - 1) | % {
            $index = $_ * 2
            $QueryNodes1stRow += $SearchMachines[$index]
            $QueryNodes2ndRow += $SearchMachines[$index + 1]
            $QueryNodes1stRow += $SearchMachines[$index + 1]
            $QueryNodes2ndRow += $SearchMachines[$index]
        }
    }
    else {
        $QueryNodes1stRow = $SearchMachines
    }

    #---------------------------#
    #Start the search services
    Write-Output "Start search service on all Servers"
    $SearchNodes | Start-SPEnterpriseSearchServiceInstance
    Write-Output "Wait for all Search service instances to be started"
    do {sleep 2; $serviceInstances = Get-SPEnterpriseSearchServiceInstance | where{$_.Status -eq "Provisioning"}; Write-Output ".";}while($serviceInstances -ne $null)
    Get-SPEnterpriseSearchServiceInstance | Select TypeName, Server, Status, ID | ft
    Write-Output "Start SearchQueryAndSiteSettings service on Query Servers"
    $IMSNodes |Start-SPEnterpriseSearchQueryAndSiteSettingsServiceInstance
    Write-Output "Wait for all SearchQueryAndSiteSettings service instances to be started"
    do {sleep 2; $serviceInstances = Get-SPEnterpriseSearchQueryAndSiteSettingsServiceInstance | where{$_.Status -eq "Provisioning"}; Write-Output ".";}while($serviceInstances -ne $null)
    Get-SPEnterpriseSearchQueryAndSiteSettingsServiceInstance | Select TypeName, Server, Status, ID | ft

    #--------------------------#
    #Create the service app
    Write-Output "Creating the Search service application"
    $appPoolName=$searchAppName + " AppPool"
    $managedAccount = get-SPManagedAccount -Identity $AppPoolAccount
    $appPool = Get-SPServiceApplicationPool -Identity $appPoolName -ErrorAction SilentlyContinue
    if ($appPool -eq $null) {$appPool = New-SPServiceApplicationPool -name $appPoolName -account $managedAccount.Username}
    $searchApp = Get-SPServiceApplication -Name $searchAppName
    if ($searchApp -eq $null) {
        $searchApp = New-SPEnterpriseSearchServiceApplication -Name $searchAppName -ApplicationPool $appPool -DatabaseServer $SQLServer
    }
    else {
        Write-Output "Search service application already exists"
    }
    foreach ($AdminNode in $AdminNodes) {
        Write-Output "Initializing the administration component on $AdminNode"
        $searchInstance = Get-SPEnterpriseSearchServiceInstance $AdminNode
        $searchApp | Get-SPEnterpriseSearchAdministrationComponent | Set-SPEnterpriseSearchAdministrationComponent -SearchServiceInstance $searchInstance
        $admin = ($searchApp | Get-SPEnterpriseSearchAdministrationComponent)
        Write-Output "Waiting for the admin component to be initialized on $AdminNode"
        $timeoutTime=(Get-Date).AddMinutes(20)
        do {Write-Output .;Start-Sleep 10;} while ((-not $admin.Initialized) -and ($timeoutTime -ge (Get-Date)))
        # Double quotes so that $AdminNode is expanded in the error message
        if (-not $admin.Initialized) { throw "Admin Component could not get initialized on $AdminNode"}
        Write-Output "Admin component is initialized on $AdminNode"
    }

    #
    # O15 Search topology
    #
    Write-Output "Creating O15 Search topology"
    $searchApp = Get-SPEnterpriseSearchServiceApplication
    ### Search topology
    $topology = New-SPEnterpriseSearchTopology -SearchApplication $searchApp
    # Admin
    foreach($s in $AdminNodes) { New-SPEnterpriseSearchAdminComponent -SearchTopology $topology -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $s) }
    # Crawl
    foreach($s in $CrawlNodes) { New-SPEnterpriseSearchCrawlComponent -SearchTopology $topology -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $s) }
    # CTS
    foreach($s in $CTSNodes) {New-SPEnterpriseSearchContentProcessingComponent -SearchTopology $topology -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $s) }
    # Analytics
    foreach($s in $APENodes) { New-SPEnterpriseSearchAnalyticsProcessingComponent -SearchTopology $topology -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $s) }
    # IMS
    foreach($s in $IMSNodes) { New-SPEnterpriseSearchQueryProcessingComponent -SearchTopology $topology -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $s) }
    # Index
    $i = 0
    foreach($s in $QueryNodes1stRow) {
        New-SPEnterpriseSearchIndexComponent -SearchTopology $topology -IndexPartition $i -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $QueryNodes1stRow[$i])
        if ($QueryNodes2ndRow.Count -gt 0) {
            New-SPEnterpriseSearchIndexComponent -SearchTopology $topology -IndexPartition $i -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $QueryNodes2ndRow[$i])
        }
        $i = $i + 1
    }
    $topology.Activate()
    $timeoutTime=(Get-Date).AddMinutes(20)
    do {Write-Output .;Start-Sleep 10;} while (($searchApp.GetTopology($topology.TopologyId).State -ne "Active") -and ($timeoutTime -ge (Get-Date)))
    if ($searchApp.GetTopology($topology.TopologyId).State -ne "Active") { throw 'Could not activate the search topology'}
    Write-Output "Search topology activated"

    #Create additional crawl databases
    $existingCrawlDbCount = (Get-SPEnterpriseSearchCrawlDatabase -SearchApplication $searchApp).Count
    for($i = $existingCrawlDbCount+1; $i -le $numCrawlDBs; $i++) {
        Write-Host "Creating Crawl DB #$i"
        New-SPEnterpriseSearchCrawlDatabase -SearchApplication $searchApp -DatabaseName "Search_Service_Application_CrawlStore_0$i" -DatabaseServer $SQLServer
    }
    $existingLinkDbCount = (Get-SPEnterpriseSearchLinksDatabase -SearchApplication $searchApp).Count
    for($i = $existingLinkDbCount+1; $i -le $numLinkDBs; $i++) {
        Write-Host "Creating Link DB #$i"
        New-SPEnterpriseSearchLinksDatabase -SearchApplication $searchApp -DatabaseName "Search_Service_Application_LinksStore_0$i" -DatabaseServer $SQLServer
    }
    #Get-SPEnterpriseSearchCrawlDatabase -SearchApplication $searchApp | ? { $_.Name -eq $SQLServer } | Remove-SPEnterpriseSearchCrawlDatabase
    if ((Get-SPServiceApplicationProxy | ? { $_.Name -eq ($searchAppName+"_proxy") }) -eq $null) {
        Write-Output "Creating the Search application proxy"
        $searchAppProxy = New-SPEnterpriseSearchServiceApplicationProxy -name ($searchAppName+"_proxy") -SearchApplication $searchApp
    }
    else {
        Write-Output "Search application proxy already exists"
    }
    Write-Output "Search provisioning finished."
Verify Search Service Application Topology
When configured successfully, the search settings will appear as follows. The table below shows the search
components that should be running on each role. The actual number of machines in each role will vary
based on the environment being built. The number of Index Partitions will vary based on the number of
search servers (AS role) in the farm.
1. In Central Administration, go to Application Management | Service Applications | Search
Service Application.
Server Role   Admin   Crawler   Content Processing   Analytics Processing   Query Processing   Index Partition
AP
AS
FE
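The same verification can be scripted. The following added example (not part of the original guide) compares the components on each server with what the provisioning script above assigns to each role, and for a redundant build checks that every index partition sits on two servers. The function names, the role-from-server-name rule and the sample rows are assumptions constructed for illustration; `Get-ActiveSearchComponent` needs the SharePoint snap-in on a farm server.

```powershell
# Added example, not part of the build guide. Function names and sample rows
# are hypothetical and constructed for illustration.

# Component types each role should host, taken from the node lists in the
# provisioning script ($AdminMachines -> AP, $SearchMachines -> AS, $FEMachines -> FE).
$ExpectedByRole = @{
    AP = @('AdminComponent')
    AS = @('CrawlComponent', 'ContentProcessingComponent', 'AnalyticsProcessingComponent', 'IndexComponent')
    FE = @('QueryProcessingComponent')
}

# Live collection from the active topology. Run on a farm server.
function Get-ActiveSearchComponent {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $ssa = Get-SPEnterpriseSearchServiceApplication
    $active = Get-SPEnterpriseSearchTopology -SearchApplication $ssa -Active
    Get-SPEnterpriseSearchComponent -SearchTopology $active |
        Select-Object Name, ServerName, IndexPartitionOrdinal
}

function Compare-SearchTopology {
    param(
        [Parameter(Mandatory = $true)] [object[]]  $Component,
        [Parameter(Mandatory = $true)] [string[]]  $Server,
        [Parameter(Mandatory = $true)] [hashtable] $ExpectedByRole,
        [switch] $IsProduction
    )
    foreach ($name in $Server) {
        # Assumption: the role is the two letters before the trailing digits (AP01, AS02, FE01).
        $role = ''
        if ($name -match '([A-Za-z]{2})-?\d+$') { $role = $Matches[1].ToUpper() }
        $expected = @()
        if ($ExpectedByRole.ContainsKey($role)) { $expected = @($ExpectedByRole[$role]) }
        # Component names end in an instance number (for example CrawlComponent0); strip it.
        $actual = @($Component | Where-Object { $_.ServerName -eq $name } |
            ForEach-Object { $_.Name -replace '\d+$', '' } | Sort-Object -Unique)
        [pscustomobject]@{
            Server  = $name
            Role    = $role
            Missing = @($expected | Where-Object { $actual -notcontains $_ }) -join ', '
            Extra   = @($actual | Where-Object { $expected -notcontains $_ }) -join ', '
        }
    }
    if ($IsProduction) {
        # With $IsProduction = $true the script places each index partition on two servers.
        $Component | Where-Object { $_.Name -like 'IndexComponent*' } |
            Group-Object IndexPartitionOrdinal | ForEach-Object {
                $replicaServers = @($_.Group | Select-Object -ExpandProperty ServerName -Unique)
                if ($replicaServers.Count -lt 2) {
                    [pscustomobject]@{
                        Server  = $replicaServers -join ', '
                        Role    = 'AS'
                        Missing = "second replica of index partition $($_.Name)"
                        Extra   = ''
                    }
                }
            }
    }
}

# Constructed sample (not real farm output): AS02 lacks the analytics component
# and index partition 1 exists on AS02 only.
$sample = @(
    'AdminComponent1,AP01,', 'QueryProcessingComponent1,FE01,',
    'CrawlComponent0,AS01,', 'CrawlComponent1,AS02,',
    'ContentProcessingComponent1,AS01,', 'ContentProcessingComponent2,AS02,',
    'AnalyticsProcessingComponent1,AS01,',
    'IndexComponent1,AS01,0', 'IndexComponent2,AS02,0', 'IndexComponent3,AS02,1'
) | ForEach-Object {
    $n, $s, $p = $_ -split ','
    [pscustomobject]@{ Name = $n; ServerName = $s; IndexPartitionOrdinal = $p }
}

# On a farm server, replace $sample with (Get-ActiveSearchComponent).
Compare-SearchTopology -Component $sample -Server 'AP01', 'AS01', 'AS02', 'FE01' `
    -ExpectedByRole $ExpectedByRole -IsProduction | Format-Table -AutoSize
```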
Enable Search Crawling of the Profile Database
1. In Central Administration, go to Application Management | Service Applications | User Profile
Service Application | Administrators.
2. Add managed\ms-svc-crl.
3. Ensure the Retrieve People Data for Search Crawlers permission is checked.
4. Click OK.
Configure the Visio Graphics Service Application
1. In Central Administration, go to Application Management | Service Applications | Manage
Service Applications | Visio Graphics Service Application | Manage.
2. Set Global Settings | External Data | Application ID to 101.
Start the User Profile Synchronization Service
Topic Last Modified: 2014-05-06
Important: Do not start the User Profile Synchronization Service if the customer will be configured
with direct User Profile Import.
Important: To set up profile synchronization, it is critical that the farm account (ms-svc-frm) has the
log on locally right on the AP01 server. To test this, try logging in to the server (AP01) with that
account prior to this step.
1. On AP01, add the ms-svc-frm account to the local administrators group of the server
2. In Central Administration, go to Application Management | Service Applications | Manage
Services on server | AP01 | User Profile Synchronization Service | Start
Account Name: managed\ms-svc-frm
Password: < password for ms-svc-frm>
3. Forefront Identity Manager (FIM) can take a few minutes to set up. Wait until status changes from
Starting to Started.
4. After the status changes to Started, remove the ms-svc-frm account from the local administrators
group of the server.
Update WMI Control for Farm Account
Topic Last Modified: 2014-04-02
Perform the following steps on each AP server in each Farm:
1. In the Microsoft Management Console, in the File menu, click Add/Remove Snap-In
2. In the Add or Remove Snap-ins dialog box, under Available snap-ins, click WMI Control and
then click Add.
3. In the Change managed computer dialog box, select Local Computer, and then click Finish.
4. Click OK.
5. Right-click WMI Control in the left pane and then click Properties.
6. On the Security tab, click Root, and then click the Security button
7. In the Security for Root dialog box, under Group or user names, click Add
8. In the Select Users dialog box, enter the Farm Account and click OK
9. In the Security for Root dialog box, under Permissions for Authenticated Users, select Enable
Account and Remote Enable in the Allow column
10. Click OK twice.
11. In a Windows PowerShell window, enter the following:
Restart-Service sptimerV4
Grant User Profile Permissions to Service Apps
Topic Last Modified: 2014-04-15
The Machine Translation Service requires Full Control permissions on the User Profile Service in order to
correctly create OAuth credentials. Do the following:
1. In Central Administration, go to Application Management | Service Applications | Manage
Service Applications.
2. Select the row for the User Profile Service Application.
3. In the Ribbon, click Sharing | Permissions.
4. Add the ms-svc-sa account and grant it Full Control.
5. Click OK.
Manage User Permissions for the User Profile Service Application
Topic Last Modified: 2014-05-07
Kiosk workers (KWs) are not allowed to create My Sites. You need to create the permission policy to grant
the right to create a My Site to Information Workers (IWs) and revoke that right for KWs.
Note: If customers have no kiosk workers and all users should be able to create personal sites, use
social features, and use personal features, then skip this section. This is the default, unless:
The customer has purchased kiosk worker licenses
The customer has purchased Partner Access
1. In Central Administration, go to Application Management | Manage Service Applications |
User Profile Service Application | Manage | People | Manage User Permissions.
2. Remove permissions for NT Authority\Authenticated Users and All Authenticated Users.
For kiosk workers:
3. Enter the name of the security group, and then click Add. If the customer has more than one role
claim or group for Kiosk Workers, repeat this step to add each role claim or group.
4. Ensure the Security Group is selected in the box under Permissions for...
5. Make the following changes:
Create Personal Site (required for personal storage, newsfeed, and followed content): No
Follow People and Edit Profile: Yes
Use Tags and Notes: No
For information workers:
6. Enter the name of the security group, and then click Add. If the customer has more than one role
claim or group for Kiosk Workers, repeat this step to add each role claim or group.
7. Ensure the Security Group is selected in the box under Permissions for...
8. Make the following changes:
Create Personal Site (required for personal storage, newsfeed, and followed content): No
Follow People and Edit Profile: Yes
Use Tags and Notes: No
For partners:
9. In the box under Permissions for..., make the following changes:
Create Personal Site (required for personal storage, newsfeed, and followed content): No
Follow People and Edit Profile: Yes
Use Tags and Notes: Yes
10. Click OK.
Change Default ULS Log Retention
Topic Last Modified: 2014-05-08
The default ULS log retention period is 14 days. This setting must be changed to 7 days.
1. In Central Administration, go to Monitoring | Reporting | Configure diagnostic logging
Set Number of days to store log files from 14 to 7.
Configure Usage and Health Data Collection Service
Topic Last Modified: 2014-05-08
1. In Central Administration, go to Monitoring | Reporting | Configure usage and health data
collection.
2. Select Enable usage data collection.
3. Select Enable health data collection:
Database server: <SS01>
Database Name: WSS_UsageApplication
4. Ensure the changes from Step 3 are complete and then, using the SharePoint 2013 Management
Shell, configure database retention period using the following script:
Get-SPUsageDefinition | Set-SPUsageDefinition -DaysRetained 31
5. Set the Page Requests usage definition to a larger value using the following script:
Get-SPUsageDefinition "Page Requests" | Set-SPUsageDefinition -MaxTotalSizeInBytes 10000000000000
Modify SPHA Rules
Topic Last Modified: 2014-02-05
Certain SPHA rules should be disabled or changed from their out of the box settings. Please reference the
following table for the changes.
Navigate to Central Administration | Monitoring | Health Analyzer | Review Rule Definitions:
Rule | Change
Security: The server farm account should not be used for other services. | Disable this rule
Performance: Databases used by SharePoint have fragmented indices | Disable this rule
Performance: Search - One or more crawl databases may have fragmented indices | Disable this rule
Configuration: Alternate access URLs have not been configured | Disable this rule
Configuration: Missing server side dependencies | Disable this rule
Availability: Drives are running out of free space | Disable this rule
Availability: Drives used for SQL databases are running out of free space | Disable this rule
Availability: One or more services have started or stopped unexpectedly | Disable this rule
Disable Selected Site Templates
Topic Last Modified: 2014-05-08
Perform the following procedures on all SharePoint machines.
Note: Records Center is no longer offered and customers should not be able to create My Site Hosts.
Disable Site Templates in the 14 Hive
1. In Notepad, edit the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\1033\XML\webtempoffile.xml
a. Modify the <Configuration /> element containing ID=”1” and change to:
<Configuration ID="1" Title="Records Center" Hidden="TRUE" ImageUrl="/_layouts/images/strc.png" Description="This template creates a site designed for records management. Records managers can configure the routing table to direct incoming files to specific locations. The site also lets you manage whether records can be deleted or modified after they are added to the repository." DisplayCategory="Enterprise" VisibilityFeatureDependency="97A2485F-EF4B-401f-9167-FA4FE177C6F6" > </Configuration>
2. In Notepad, edit the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\1033\XML\webtempsps.xml
a. Modify the <Configuration /> element containing ID=”0” Title=”My Site Host” and change to:
<Configuration ID="0" Title="My Site Host" Type="0" RootWebOnly="TRUE" Hidden="TRUE" DisplayCategory="Enterprise" ImageUrl="../images/perstemp.gif" Description="A site used for hosting personal sites (My Sites) and the public People Profile page. This template needs to be provisioned only once per User Profile Service Application, please consult the documentation for details."> </Configuration>
3. If the customer has language packs installed, repeat steps 1 and 2 for each other locale. Just
replace 1033 (English) with the locale for the other language packs. A reference for locale IDs can
be found at the MSDN article Locale ID Chart.
Disable Site Templates in the 15 Hive
1. In Notepad, edit the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\1033\XML\webtempoffile.xml
a. Modify the <Configuration /> element containing ID=”1” and change to:
<Configuration ID="1" Title="Records Center" Hidden="TRUE" ImageUrl="/_layouts/images/strc.png" Description="This template creates a site designed for records management. Records managers can configure the routing table to direct incoming files to specific locations. The site also lets you manage whether records can be deleted or modified after they are added to the repository." DisplayCategory="Enterprise"
VisibilityFeatureDependency="97A2485F-EF4B-401f-9167-FA4FE177C6F6" > </Configuration>
2. In Notepad, edit the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\1033\XML\webtempsps.xml
a) Modify the <Configuration /> element containing ID=”0” Title=”My Site Host” and change to:
<Configuration ID="0" Title="My Site Host" Type="0" RootWebOnly="TRUE" Hidden="TRUE" DisplayCategory="Enterprise" ImageUrl="../images/perstemp.gif" Description="A site used for hosting personal sites (My Sites) and the public People Profile page. This template needs to be provisioned only once per User Profile Service Application, please consult the documentation for details."> </Configuration>
3. If the customer has language packs installed, repeat steps 1 and 2 for each other locale. Just
replace 1033 (English) with the locale for the other language packs. A reference for locale IDs can
be found at the MSDN article Locale ID Chart.
Note: If a need arises to re-create the MySite host site collection, the following PowerShell
command can be used.
New-SPSite -Url "https://my.mmsxl.com" -OwnerAlias <<MGD>>\ms-svc-wap -Template "SPSMSITEHOST#0" -Language 1033
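Because the template edits above are made by hand, per server, per hive and per locale, a read-only check helps confirm that none were missed. The following is an added example, not part of the original guide: it assumes the default installation path used in the steps above and identifies the My Site Host entry by the template name SPSMSITEHOST (taken from the New-SPSite command above) so that it also works for localized files.

```powershell
# Added example (not from the guide): read-only audit of the webtemp edits.
# Assumption: default install root, as used in the steps above.
$HiveRoot = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions'

# Which element must carry Hidden="TRUE" in each file.
# SPSMSITEHOST is matched by template name because titles differ per locale.
$Checks = @(
    @{ File = 'webtempoffile.xml'; XPath = "//Configuration[@ID='1']" }
    @{ File = 'webtempsps.xml';    XPath = "//Template[@Name='SPSMSITEHOST']/Configuration[@ID='0']" }
)

function Get-TemplateHiddenState {
    param([xml]$Document, [string]$XPath)
    $node = $Document.SelectSingleNode($XPath)
    if ($null -eq $node) { return 'ElementMissing' }
    # GetAttribute returns an empty string when Hidden is absent,
    # which means the template is still offered to users.
    if ($node.GetAttribute('Hidden') -ieq 'TRUE') { return 'Hidden' }
    return 'Visible'
}

$report = @(foreach ($hive in '14', '15') {
    $templateDir = Join-Path $HiveRoot "$hive\TEMPLATE"
    # Locale folders are numeric (1033 = English); language packs add more.
    $locales = Get-ChildItem -Path $templateDir -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+$' }
    foreach ($locale in $locales) {
        foreach ($check in $Checks) {
            $file = Join-Path $locale.FullName "XML\$($check.File)"
            if (-not (Test-Path $file)) { continue }
            [pscustomobject]@{
                Server = $env:COMPUTERNAME
                Hive   = $hive
                Locale = $locale.Name
                File   = $check.File
                State  = Get-TemplateHiddenState -Document ([xml](Get-Content $file -Raw)) -XPath $check.XPath
            }
        }
    }
})

$report | Sort-Object Hive, Locale, File | Format-Table -AutoSize
$notHidden = @($report | Where-Object { $_.State -ne 'Hidden' })
if ($notHidden.Count -gt 0) {
    Write-Warning "$($notHidden.Count) file(s) on $env:COMPUTERNAME do not have the template hidden."
}
```

Run it on every SharePoint machine; any row whose State is not Hidden needs steps 1 to 3 applied for that hive and locale.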
Configure Settings for Sandboxed Code
Topic Last Modified: 2014-04-02
We have changed the distribution/weighting of different metrics for resource point consumption to
match the values being used by standard. The following PowerShell scripts will set the point values.
1. On AP01, open the SharePoint 2013 Management Shell.
2. Execute the following script:
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null
$SPUserCode = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local
if ($SPUserCode -ne $null)
{
    $SPUserCode.UseLocalServerOnly = $true
    $SPUserCode.Update()
    # Set the resources-per-point value for each measure, then persist it
    $SPUserCode.ResourceMeasures["AbnormalProcessTerminationCount"].ResourcesPerPoint = "0.25"
    $SPUserCode.ResourceMeasures["AbnormalProcessTerminationCount"].Update()
    $SPUserCode.ResourceMeasures["CPUExecutionTime"].ResourcesPerPoint = "100"
    $SPUserCode.ResourceMeasures["CPUExecutionTime"].Update()
    $SPUserCode.ResourceMeasures["ProcessCPUCycles"].ResourcesPerPoint = "40000000000"
    $SPUserCode.ResourceMeasures["ProcessCPUCycles"].Update()
    $SPUserCode.ResourceMeasures["UnhandledExceptionCount"].ResourcesPerPoint = "25"
    $SPUserCode.ResourceMeasures["UnhandledExceptionCount"].Update()
}
Confirm or Modify Service Account Associations
Topic Last Modified: 2014-02-05
Ensure that all services are correctly associated with the correct account.
1. In Central Administration, go to Security | General Security | Configure Service Accounts
2. Verify the following service account associations. Change any accounts that are incorrect:
Detail | Account
Farm Account | [ms-svc-frm]
Windows Service - Claims to Windows Token Service | [Local System]
Windows Service – Distributed Cache | [ms-svc-frm]
Windows Service – Document Conversions Launcher Service | [Local System]
Windows Service – Document Conversions Load Balancer Service | [Local Service]
Windows Service - Microsoft SharePoint Foundation Sandboxed Code Service | [ms-svc-sbx]
Windows Service - Search Host Controller Service | [ms-svc-frm]
Windows Service - SharePoint Server Search | [ms-svc-frm]
Windows Service - User Profile Synchronization Service | [ms-svc-frm]
Web Application Pool - <<URL Provided by the Customer>> (Note: There will be one application pool per web application.) | [ms-svc-wap]
Service Application Pool – Search Service Application AppPool | [ms-svc-sa]
Service Application pool - SecurityTokenServiceApplicationPool | [ms-svc-frm]
Service Application Pool - SharePoint Service Applications | [ms-svc-sa]
Service Application Pool - SharePoint Web Services System | [ms-svc-frm]
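The associations in the table can also be compared against the farm from the SharePoint 2013 Management Shell, which makes drift in service identities easy to spot after later changes. This is an added example, not part of the original guide: it assumes the bracketed names are the account names without the domain prefix, and that each farm service's TypeName matches the label shown after "Windows Service -" in Central Administration (anything that does not match is reported as NotFound rather than guessed).

```powershell
# Added example, not from the guide: read-only comparison against the table above.
# Assumptions: bracketed names are compared without the domain prefix, and each farm
# service's TypeName equals the label shown after "Windows Service -".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$expected = @(
    @{ Kind = 'Service'; Name = 'Claims to Windows Token Service';                        Account = 'LocalSystem' }
    @{ Kind = 'Service'; Name = 'Distributed Cache';                                      Account = 'ms-svc-frm' }
    @{ Kind = 'Service'; Name = 'Document Conversions Launcher Service';                  Account = 'LocalSystem' }
    @{ Kind = 'Service'; Name = 'Document Conversions Load Balancer Service';             Account = 'LocalService' }
    @{ Kind = 'Service'; Name = 'Microsoft SharePoint Foundation Sandboxed Code Service'; Account = 'ms-svc-sbx' }
    @{ Kind = 'Service'; Name = 'Search Host Controller Service';                         Account = 'ms-svc-frm' }
    @{ Kind = 'Service'; Name = 'SharePoint Server Search';                               Account = 'ms-svc-frm' }
    @{ Kind = 'Service'; Name = 'User Profile Synchronization Service';                   Account = 'ms-svc-frm' }
    @{ Kind = 'Pool';    Name = 'Search Service Application AppPool';                     Account = 'ms-svc-sa' }
    @{ Kind = 'Pool';    Name = 'SecurityTokenServiceApplicationPool';                    Account = 'ms-svc-frm' }
    @{ Kind = 'Pool';    Name = 'SharePoint Service Applications';                        Account = 'ms-svc-sa' }
    @{ Kind = 'Pool';    Name = 'SharePoint Web Services System';                         Account = 'ms-svc-frm' }
    @{ Kind = 'Farm';    Name = 'Farm Account';                                           Account = 'ms-svc-frm' }
)

function Get-ShortName([string]$Account) { ($Account -split '\\')[-1] }   # DOMAIN\user -> user

$farm   = Get-SPFarm
$actual = @{ 'Farm|Farm Account' = (Get-ShortName $farm.DefaultServiceAccount.Name) }

$winSvc = $farm.Services | Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPWindowsService] }
foreach ($svc in $winSvc) {
    $id   = $svc.ProcessIdentity
    $type = "$($id.CurrentIdentityType)"
    # For built-in identities, report the identity type (LocalSystem, LocalService, ...).
    $actual["Service|$($svc.TypeName)"] = $(if ($type -eq 'SpecificUser') { Get-ShortName $id.Username } else { $type })
}
foreach ($pool in Get-SPServiceApplicationPool) {
    $actual["Pool|$($pool.Name)"] = Get-ShortName $pool.ProcessAccountName
}
# One application pool per web application, each expected to run as ms-svc-wap.
foreach ($wa in Get-SPWebApplication) {
    $actual["WebApp|$($wa.Url)"] = Get-ShortName $wa.ApplicationPool.Username
    $expected += @{ Kind = 'WebApp'; Name = $wa.Url; Account = 'ms-svc-wap' }
}

$report = foreach ($e in $expected) {
    $found = $actual["$($e.Kind)|$($e.Name)"]
    [pscustomobject]@{
        Kind     = $e.Kind
        Name     = $e.Name
        Expected = $e.Account
        Actual   = $(if ($found) { $found } else { 'NotFound' })
        Match    = ($found -eq $e.Account)
    }
}
$report | Sort-Object Match, Kind, Name | Format-Table -AutoSize
```

Rows with Match = False sort to the top; correct them in Configure Service Accounts as described in step 2.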
Add Support for People Fields in Office Documents
Topic Last Modified: 2014-02-05
The web.config files for all front-end Web servers must be modified to enable the People fields in
Microsoft Office documents.
1. On AP01, in the SharePoint Management Shell, execute the following PowerShell command:
Write-Host "Updating the web.config to add support for People Fields in Office Documents"
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null
$modPath = "configuration/system.serviceModel/serviceHostingEnvironment"
$modTemplate = '<baseAddressPrefixFilters><add prefix="{0}" /></baseAddressPrefixFilters>'
$SPWebApps = Get-SPWebApplication | ? Name -ne "AppsManagementSite"
$Method = [Microsoft.SharePoint.Administration.SPServiceCollection].GetMethod("GetValue", [string])
$GenericMethod = $Method.MakeGenericMethod([Microsoft.SharePoint.Administration.SPWebService])
$Farm = [Microsoft.SharePoint.Administration.SPFarm]::Local
foreach ($SPWebApp in $SPWebApps) {
    Write-Host "Modifying the Web App $($SPWebApp.Name)"
    # Build the baseAddressPrefixFilters node for this web application's URL
    $myModValue = $modTemplate -F $SPWebApp.Url
    #Write-Host $myModValue
    $SPWebConfigModification = new-object Microsoft.SharePoint.Administration.SPWebConfigModification
    $SPWebConfigModification.Name = "baseAddressPrefixFilters"
    $SPWebConfigModification.Owner = "SPO dedicated"
    $SPWebConfigModification.Path = $modPath
    $SPWebConfigModification.Type = "EnsureChildNode"
    $SPWebConfigModification.Value = $myModValue
    $SPWebApp.WebConfigModifications.Add($SPWebConfigModification)
    $SPWebApp.Update()
}
# Push the registered modifications to the web.config files across the farm
$FarmService = $GenericMethod.Invoke($Farm.Services,"")
$FarmService.ApplyWebConfigModifications()
Write-Host "Updated the web.config successfully"
2. Perform an IIS reset on all machines in the farm.
Install and Configure Azure Workflow Server
Topic Last Modified: 2015-12-08
Azure Workflow server is a new add-on component in the SharePoint 2013 architecture which
enables SharePoint 2013 workflows.
Install Azure Workflow Server
Execute the following steps on FE01.
1. Navigate to the installation page by clicking the Windows Azure Workflow Installer. This installs
the Web Platform installer and automatically starts the Workflow Manager Client installer.
2. In the Prerequisites dialog box, accept the license agreement.
3. Once the Workflow Manager is installed, click Continue to start the Windows Azure Workflow
Manager Client Configuration wizard.
4. After completing the configuration wizard, click Finish to end the installation.
Install Azure Workflow Client
Execute the following steps on all AP, AS, and FE servers where Workflow Server is not installed.
1. Navigate to the installation page by clicking the Windows Azure Workflow Manager, and then
execute WorkflowClient.exe to launch the Web Platform Installer.
2. Click Install, which will start the download and install of Workflow Manager Client 1.0 Cumulative
Update 3.
3. Click I accept.
4. Click Finish.
Install Service Bus and Workflow Cumulative Updates
Execute the following steps on FE01.
1. In your browser, go to the March 2013 Service Bus PU and download the update.
2. Execute ServiceBus-KB2799752-x64-EN.exe and follow the instructions.
3. Execute the following steps on all AP, AS and FE servers:
a. In your browser, go to the March 2013 Workflow Manager PU and download the update
b. Execute WorkflowManager-KB2799754-x64-EN.exe and follow the instructions.
Pair the SharePoint Server farm with the Workflow Manager Client farm
Determine whether you need to install the Workflow Manager Client on SharePoint Server prior to
running the Register-SPWorkflowService cmdlet. See the Install Azure Workflow Client procedure earlier
in this topic for more information.
1. Open the SharePoint Management Shell as an administrator.
2. Run the cmdlet Register-SPWorkflowService using the team site root URL and the fully qualified
domain name of the FE01 server.
Example: Register-SPWorkflowService -SPSite "https://teamsites.contoso.com"
-WorkflowHostUri "http://fe01.mgd-contoso.com:12291" -AllowOAuthHttp
Install Office Web Applications
Topic Last Modified: 2014-05-08
In SharePoint 2013, Office Web Application Companions (WAC) is a stand-alone farm and is no longer
part of the SharePoint binary installation.
Prerequisites
1. Make note of the WAC URL. This URL will be used in the installation steps below.
2. Install the relevant customer Wildcard/SAN certificates that include the WAC URL.
3. Copy the certificate request to all SharePoint VMs.
4. In the Microsoft Management Console, under Certificates (Local Computer) Personal, right-click
Certificates, click All Tasks, and then click Import.
5. In the Certificate Import Wizard, configure the following settings:
File Name: provide path to the file for the exported pfx certificate.
Password: provide password from previous step
6. Do NOT click Mark this key as exportable...
7. Place the certificate in the Personal store (verification step only).
8. Click Finish.
Install Office Web Apps Server
1. In your browser, go to the Microsoft Download Center and download the Office Web Apps Server.
2. Log on to WC01, and then run setup.exe as administrator.
3. Click to accept the EULA and click Continue.
4. In the File Location window, click Install Now.
5. Click Close.
Create Office Web Apps Farm
Perform the following procedure on each WC server.
1. On the WC01 server, open PowerShell and verify the Friendly name of the certificate being used
for the WAC Farm by running the following command:
gci Cert:\LocalMachine\my | fl dnsnamelist, friendlyname
2. In PowerShell, create the WAC Office Web Apps Farm by running the following command:
Import-Module OfficeWebApps
New-OfficeWebAppsFarm -InternalURL "o365wac.<<customer.com>>" -CertificateName "<<Friendly Name from previous step>>" -EditingEnabled
Note: replace <<customer.com>> with the name of the team web app. Verify that the name
also appears in the certificate from step 1.
Connect the SharePoint Farm to the Web App Farm
Perform the following steps once on one SharePoint 2013 server in the SharePoint Farm (server role does
not matter.)
1. On the SharePoint Server (AP01), open a browser to the WAC discovery URL:
https://<wacfqdn>/hosting/discovery and verify you get an XML response.
2. If you see a valid XML response, continue to step 3.
3. In the SharePoint Management Shell, run the following command to connect the SharePoint Farm
to the WAC Farm:
New-SPWOPIBinding -ServerName wac.contoso.com
Configure Office Web Apps Licensing
Perform the following steps once on one SharePoint 2013 server in the SharePoint Farm (server role does
not matter.)
1. In the SharePoint Management Shell, enter the following command. Be sure to edit the first
command with the path to the customer WAC Editors group.
$account = New-SPClaimsPrincipal -Identity "<customer WAC Editors group>" -IdentityType WindowsSecurityGroupName
2. Enter the following command:
Get-SPWebApplication | select Url | %{ New-SPUserLicenseMapping -Claim $account -License "OfficeWebAppsEdit" -WebApplication $_.Url | Add-SPUserLicenseMapping }