Roux Visser’s SharePoint Blog

29/01/2009

Kerberos Authentication

Filed under: SharePoint Configuration, SharePoint 2007 — Roux Visser @ 07:19 pm

From Joel Oleson’s Blog (http://blogs.msdn.com/joelo/)

Configuring Service Principal Names (SPNs)

The first thing you need to do in order to enable Kerberos for SharePoint is configure Service Principal Names (SPNs) for your SharePoint service accounts in Active Directory. Here lies the first stumbling block: depending on your configuration it is very hard to figure out which SPNs need to be applied to which accounts.

If you are installing SharePoint properly, you’ll use the ‘least privilege account principle’; this basically means that each distinct service inside the SharePoint farm will have its own domain user account. These accounts should have the minimum privileges that they need to perform their jobs. There is a great document which goes into detail on each different account (8+ accounts) here, however in summary, you should have the following accounts:

  • SQL Server Service Account: Account used by SQL to run all SQL services

  • Server Farm Account

  • SSP Service Account

  • Office SharePoint Server Search Account

  • Default Content Access Account

  • User Profile and Properties Content Access Account

  • Excel Services Unattended Account

  • One account per application pool: This is typically three accounts; SSPAdministration, MySite and your main ‘Portal’ or ‘Intranet’.

An SPN is the name under which Kerberos knows a service instance (for example HTTP/portal.domain.local). When a client asks for a ticket to that name, the KDC looks the SPN up in Active Directory to find the account the service runs as and encrypts the ticket with that account’s key. Two consequences follow: the SPN must be registered on the account that actually runs the service (for a web application, its application pool identity), and each SPN may be registered on only one account in the forest, because a duplicate leaves the KDC unable to choose the right key and clients either fail or silently fall back to NTLM. You need an SPN for every name users type to reach the service, which is why the table below registers both the host name and the FQDN. SPNs are configured with SetSPN.exe, a command-line tool from the Windows Server 2003 Support Tools (installed from the \support\tools folder of the Windows CD); ‘Setspn.exe -L domain\account’ shows what an account already holds. This table outlines the commands that are required to create the right SPNs for each of the relevant SharePoint service accounts; please bear the following points in mind:

  • Some services require the fully qualified domain name (FQDN) even if your users only type the host name. For example, if users type http://portal to reach your main portal and your Active Directory domain is called Domain.local, then the FQDN is Portal.Domain.Local

  • Some SPNs require the host name, which is the FQDN without the .domain.local suffix. In the example above, this is simply portal

  • For all user accounts you must include the domain prefix.

  • To make the table easier to understand, I have included an example for a single server farm in a domain called ‘Domain.local’ where the MOSS server is called ‘Server’ and I have three host headers for web applications which are called ‘My Site’, ‘Portal’ and ‘SSPAdmin’. The ‘least privilege account principle’ has been used in this example and the accounts are fairly descriptively named.

Command / Notes

Setspn.exe -A HTTP/%SHAREPOINTSERVERFQDN% %SERVERFARMACCOUNT%

%SHAREPOINTSERVERFQDN% = the FQDN of the SharePoint server itself, i.e. its NetBIOS (local machine) name plus the domain suffix; %SERVERFARMACCOUNT% = the Server Farm Account. This SPN covers Central Administration, whose application pool runs as the farm account.

Example: Setspn.exe -A HTTP/server.domain.local domain\serverfarm

Setspn.exe -A HTTP/%MYSITEURLFQDN% %MYSITEAPPPOOLACCOUNT% 

%MYSITEURLFQDN% = the FQDN of the host header for the My Site Web Application

%MYSITEAPPPOOLACCOUNT% = The application pool account that the My Site web application uses

Example: Setspn.exe -A HTTP/mysite.domain.local domain\mysiteapppool. If My Site is reached through the server name rather than a host header, the SPN is HTTP/server.domain.local instead (Setspn.exe -A HTTP/server.domain.local domain\mysiteapppool), but it can then belong only to the My Site application pool account and not also to the farm account: an SPN registered on two accounts breaks Kerberos for both.

Setspn.exe -A HTTP/%MYSITEURLHOST% %MYSITEAPPPOOLACCOUNT% 

%MYSITEURLHOST% = the host name (i.e. without the .domain.local bit) for the My Site web application

%MYSITEAPPPOOLACCOUNT% = The application pool account that the My Site web application uses

Example: Setspn.exe -A HTTP/mysite domain\mysiteapppool, or Setspn.exe -A HTTP/server domain\mysiteapppool when My Site is reached through the server name (subject to the same one-account-per-SPN rule as above).

Setspn.exe -A HTTP/%PORTALURLFQDN% %PORTALAPPPOOLACCOUNT%

%PORTALURLFQDN% = the FQDN of the host header for the main portal or intranet Web Application

%PORTALAPPPOOLACCOUNT% = The application pool account that the Portal web application uses

Example: Setspn.exe -A HTTP/portal.domain.local domain\portalapppool

Setspn.exe -A HTTP/%PORTALURLHOST% %PORTALAPPPOOLACCOUNT% 

%PORTALURLHOST% = the host name (i.e. without the .domain.local bit) for the Portal web application

%PORTALAPPPOOLACCOUNT% = The application pool account that the Portal web application uses

Example: Setspn.exe -A HTTP/portal domain\portalapppool 

Setspn.exe -A HTTP/%SSPADMINURLFQDN% %SSPADMINAPPPOOLACCOUNT% 

%SSPADMINURLFQDN% = the FQDN of the host header for the SSP Administration Web Application

%SSPADMINAPPPOOLACCOUNT% = The application pool account that the SSP Administration web application uses

Example: Setspn.exe -A HTTP/sspadmin.domain.local domain\sspadminapppool 

Setspn.exe -A HTTP/%SSPADMINURLHOST% %SSPADMINAPPPOOLACCOUNT% 

%SSPADMINURLHOST% = the host name (i.e. without the .domain.local bit) for the SSP Administration web application

%SSPADMINAPPPOOLACCOUNT% = The application pool account that the SSP Administration web application uses

Example: Setspn.exe -A HTTP/sspadmin domain\sspadminapppool 
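The following PowerShell script is an added example, not part of the original post or of Microsoft’s guidance, that applies the table above as a whole: it derives the host-name and FQDN SPN for every web application from one map of account to host header, refuses to register an SPN that another account already holds (the duplicate the table’s ‘or’ alternatives can produce if both are run), and lists the result. It assumes the example farm above (domain.local, accounts serverfarm, portalapppool, mysiteapppool and sspadminapppool), a domain-joined machine and setspn.exe on the PATH.

```powershell
# Added example: registers the HTTP SPNs from the table above for the example
# farm, refusing duplicates. Farm names and accounts are the table's examples.
$domain  = 'domain.local'    # AD DNS name
$netbios = 'domain'          # NetBIOS name used as the account prefix

# Service account -> host headers it answers for. The farm account covers the
# server's own name because Central Administration runs in its application pool.
$spnMap = @{
    'serverfarm'      = @('server')
    'portalapppool'   = @('portal')
    'mysiteapppool'   = @('mysite')
    'sspadminapppool' = @('sspadmin')
}

# sAMAccountName of the object that already holds an SPN, or $null if none does.
function Get-SpnOwner([string]$spn) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher   # current domain
    $searcher.Filter = "(servicePrincipalName=$spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return $null }
    return [string]$hit.Properties['samaccountname'][0]
}

foreach ($account in $spnMap.Keys) {
    foreach ($hostName in $spnMap[$account]) {
        # Both forms the table calls for: short name and FQDN.
        foreach ($spn in @("HTTP/$hostName", "HTTP/$($hostName).$domain")) {
            $owner = Get-SpnOwner $spn
            if ($owner -ne $null -and $owner -ne $account) {
                # A second registration of the same SPN breaks Kerberos for both accounts.
                throw "$spn already belongs to $owner; refusing to add it to $account"
            }
            if ($owner -eq $account) {
                Write-Host "$spn already registered on $account, skipping"
                continue
            }
            & setspn.exe -A $spn "$netbios\$account"
            if ($LASTEXITCODE -ne 0) { throw "setspn -A $spn failed" }
        }
    }
}

# Show what each account ended up with.
foreach ($account in $spnMap.Keys) { & setspn.exe -L "$netbios\$account" }
```

The LDAP lookup is what the later `setspn -X` switch does on Windows Server 2008; the 2003 Support Tools version of setspn will happily create the duplicate, so the check has to be done before calling it.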

Trust for Delegation

In addition to setting the SPNs for each of your service accounts, you also need to trust the computer accounts and some of the service accounts for delegation. An account trusted for delegation may take the Kerberos ticket a user presented to it and use it to obtain further tickets in that user’s name, which is what lets the web front end reach SQL Server, Analysis Services or Excel Services as the user rather than as the application pool identity.

In order to trust for delegation you need to open Active Directory Users and Computers as a user with domain administration rights and follow these instructions

  • Locate the account and click ‘Properties’

  • Navigate to the ‘Delegation’ tab. For a user account this tab only appears once at least one SPN is registered on the account, so complete the SPN step first.

  • Choose ‘Trust this user/computer for delegation to any service (Kerberos)’

  • Repeat the process for each of the following:

  • MOSS Server (Computer Account)

  • SQL Server (Computer Account)

  • FarmService (User Account)

  • MySiteAppPool (User Account)

  • SSPAdminAppPool (User Account)

  • PortalAppPool (User Account)

‘Any service’ is unconstrained delegation: every user who authenticates to one of these accounts leaves a forwardable ticket-granting ticket on the server, and anyone who compromises that server or account can use it against any service in the forest as that user. If the domain is at the Windows Server 2003 functional level, the tighter option on the same tab is ‘Trust this user/computer for delegation to specified services only’ with ‘Use Kerberos only’, listing just the SQL Server and Analysis Services SPNs the farm actually calls. Either way, keep administrative accounts out of the path by marking them ‘Account is sensitive and cannot be delegated’.
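The GUI steps above grant unconstrained delegation. As an added example (not from the original post), the PowerShell below first lists every account in the domain that is currently trusted for delegation to any service, then converts one service account to constrained delegation. The back-end SPNs it allows (MSSQLSvc on server.domain.local:1433 and MSOLAPSvc.3 for Analysis Services) are assumptions for illustration and must match the SPNs registered on your SQL Server service account; the domain must be at the Windows Server 2003 functional level for the msDS-AllowedToDelegateTo attribute to exist.

```powershell
# Added example: audit and tighten Kerberos delegation. Target SPNs below are
# illustrative assumptions; use the SPNs your SQL service account really holds.
$TRUSTED_FOR_DELEGATION         = 0x80000    # userAccountControl: "any service"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition; leave it off

# Every user or computer object in the current domain with unconstrained delegation.
function Get-UnconstrainedDelegationAccounts {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # LDAP_MATCHING_RULE_BIT_AND on userAccountControl
    $searcher.Filter = "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('objectClass')
    foreach ($r in $searcher.FindAll()) {
        # Most specific class is last: 'user' or 'computer'
        $class = [string]($r.Properties['objectclass'] | Select-Object -Last 1)
        "{0} ({1})" -f $r.Properties['samaccountname'][0], $class
    }
}

# Replace "any service" on one account with a fixed list of target SPNs.
function Set-ConstrainedDelegation([string]$samAccountName, [string[]]$targetSpns) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$samAccountName)"
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "account $samAccountName not found" }
    $entry = $hit.GetDirectoryEntry()

    # The allow-list the KDC consults for constrained delegation (S4U2proxy).
    $allowed = $entry.Properties['msDS-AllowedToDelegateTo']
    $allowed.Clear()
    foreach ($spn in $targetSpns) { [void]$allowed.Add($spn) }

    # Clear the unconstrained bit; keep protocol transition off so the account can
    # only forward tickets a Kerberos client actually presented to it.
    $uac = [int]$entry.Properties['userAccountControl'].Value
    $uac = $uac -band (-bnot ($TRUSTED_FOR_DELEGATION -bor $TRUSTED_TO_AUTH_FOR_DELEGATION))
    $entry.Properties['userAccountControl'].Value = $uac
    $entry.CommitChanges()
}

# Usage: see who is unconstrained today, then constrain the portal pool account
# to the two back-end services it needs (assumed SPNs).
Get-UnconstrainedDelegationAccounts | Sort-Object
Set-ConstrainedDelegation 'portalapppool' @('MSSQLSvc/server.domain.local:1433',
                                            'MSOLAPSvc.3/server.domain.local')
```

Running the audit function on its own is worthwhile even if you keep the GUI setting: domain controllers appear in the list by design, and anything else that shows up is an account whose compromise yields every user who ever authenticated to it.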

Enable Kerberos on your web applications

In MOSS 2007, the switch between Kerberos and NTLM is very simple and is undertaken via Central Administration.

If you are creating your farm from scratch, be sure to set Central Administration itself to use Kerberos which you can set as part of the ‘SharePoint Products and Technologies Configuration Wizard’, however if the farm is pre-created you can easily enable Kerberos by following these steps:

  • Open Central Administration

  • Navigate to Application Management > Authentication Providers

  • Choose the web application you wish to configure from the drop-down in the top right corner (this includes the Central Administration web application)

  • Click on ‘Default’

  • Set the authentication to Negotiate (Kerberos)

  • IISRESET

Enable Kerberos on your SSP

In this step you enable Kerberos on your SSP. Follow these steps:

  • Open a Command Prompt and navigate to your ‘12\Bin’ directory (normally c:\program files\common files\microsoft shared\web server extensions\12\bin) 

  • Run ‘STSADM.exe -o SetSharedWebServiceAuthn -negotiate’

Component Services Configuration

This is one of the lesser documented steps. You need to set various permissions in Component Services. Follow these steps:

  • Open Component Services on the MOSS server

  • Navigate to Component Services > Computers > My Computer

  • Click on Properties (for My Computer) > Default Properties > Default Impersonation Level = Delegate (see http://support.microsoft.com/kb/917409)

  • Navigate to Component Services > Computers > My Computer > DCOM Config > IIS WAMREG Admin Service

  • Click on Properties (for IIS WAMREG Admin Service) and navigate to the Security tab

  • Edit Launch and Activate Permissions

  • Grant all three of your application pool accounts ‘Local Activation’ permission (see http://support.microsoft.com/kb/920783). In our example, these accounts would be domain\MySiteAppPool, domain\SSPAdminAppPool, domain\PortalAppPool

Testing Kerberos Configuration

The thing with Kerberos is that it can be difficult to see if it is working properly. There are several things you can do to check:

  • Do your web applications work from a client computer? If they do, that is a good sign but not proof: with the Negotiate provider the browser silently falls back to NTLM when it cannot obtain a Kerberos ticket, so a working site may still be using NTLM. Browsing the site and then listing the client’s ticket cache (klist or Kerbtray from the Windows Server 2003 Resource Kit) shows whether a ticket for HTTP/<your host> was actually issued.

  • Keep an eye on the System event log on both your MOSS and SQL servers. Kerberos-related errors are logged there under the ‘Kerberos’ source (and under ‘KDC’ on the domain controllers, which is where a duplicate SPN is reported).

  • Make sure all the servers in the loop (MOSS, SQL and Domain Controllers) have the same time. Kerberos rejects tickets when clocks differ by more than the permitted skew (five minutes by default), and inconsistent time is one of the primary causes of Kerberos-related issues.
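To make those three checks repeatable, the PowerShell below is an added example (not from the original post) that measures clock skew against a domain controller, makes one authenticated request to a web application and then looks for the matching service ticket in the ticket cache, and pulls recent Kerberos errors out of the System log. It assumes the example farm above, a domain controller named dc1.domain.local (an assumed name) and klist.exe from the Windows Server 2003 Resource Kit on the PATH.

```powershell
# Added example: three checks for a farm that is supposed to be using Kerberos.
$dc             = 'dc1.domain.local'          # assumed DC name
$webAppUrl      = 'http://portal.domain.local/'
$webAppSpn      = 'HTTP/portal.domain.local'
$maxSkewSeconds = 300                          # Kerberos default MaxClockSkew

# 1. Clock skew between this server and the DC, in seconds (w32tm ships with Windows).
function Get-ClockSkewSeconds([string]$server) {
    $lines = & w32tm.exe /stripchart "/computer:$server" /samples:1 /dataonly
    $last  = $lines | Select-Object -Last 1           # e.g. "19:10:05, +00.0123456s"
    if ($last -match '([+-]\d+\.\d+)s') { return [double]$matches[1] }
    throw "could not parse w32tm output: $last"
}

# 2. Make one request as the logged-on user, then check that a ticket for the web
#    application's SPN was issued. Negotiate falls back to NTLM when the SPN is
#    wrong, so a 200 OK alone proves nothing; the ticket cache does.
function Test-KerberosServiceTicket([string]$url, [string]$spn) {
    $req = [System.Net.WebRequest]::Create($url)
    $req.UseDefaultCredentials = $true
    $req.GetResponse().Close()          # throws on 401/403, which is also informative
    $cache = & klist.exe tickets 2>&1 | Out-String
    return [bool]($cache -match [regex]::Escape($spn))
}

# 3. Recent Kerberos errors from the System log, e.g. event 4 (KRB_AP_ERR_MODIFIED),
#    the usual sign of a missing or duplicated SPN on the target service account.
function Get-RecentKerberosErrors([int]$newest = 1000) {
    Get-EventLog -LogName System -Newest $newest |
        Where-Object { $_.Source -eq 'Kerberos' -and $_.EntryType -eq 'Error' } |
        Select-Object TimeGenerated, EventID, Message
}

$skew = Get-ClockSkewSeconds $dc
if ([Math]::Abs($skew) -gt $maxSkewSeconds) {
    Write-Warning ("clock skew of {0:N1}s against {1} exceeds {2}s" -f $skew, $dc, $maxSkewSeconds)
} else {
    Write-Host ("clock skew against {0}: {1:N3}s" -f $dc, $skew)
}
if (Test-KerberosServiceTicket $webAppUrl $webAppSpn) {
    Write-Host "Kerberos ticket for $webAppSpn present: Kerberos is in use"
} else {
    Write-Warning "no ticket for $webAppSpn after the request: the site is probably answering via NTLM"
}
Get-RecentKerberosErrors | Format-Table -AutoSize
```

Run it from a client workstation for the ticket check and on the MOSS server for the event-log check; the skew check matters on every machine in the chain, including SQL Server.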

Configure Kerberos for MOSS

The first step in configuring this scenario is to get your base MOSS configuration sorted. Follow the steps in my first article to do this

Configure Permissions in SQL AS

This section specifically relates to using SQL Analysis Services, but similar steps will be required for normal SQL or Reporting Services.

In order that users can access your SQL AS cube, you need to configure permissions inside SQL Management Studio. Follow these steps:

  • Open SQL Management Studio

  • Connect to Analysis Services

  • Right-click on the server level and go to properties

  • Go to the Security tab

  • Give the relevant users access. If you want everyone to have access, add ‘authenticated users’

This means that users have access to actually read the data from the AS cube.

Configure Excel Services for Delegation

One of the key things that catches people out when attempting this scenario is configuring Excel Services to use delegation (i.e. to use Kerberos rather than NTLM). This setting can only be set with STSADM.exe; you cannot set it through the SharePoint administration pages and it is not well documented. This discussion thread outlines the step: http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1224539&SiteID=17

Follow these steps:

  • On your SharePoint server, open a command prompt and navigate to c:\program files\common files\microsoft shared\web server extensions\12\bin

  • Run the following command where %SSPNAME% is the name of your Shared Service Provider:

  • stsadm.exe -o set-ecssecurity -ssp %SSPNAME% -accessmodel delegation

  • Now run the following command:

  • stsadm.exe -o execadmsvcjobs

  • Now perform an IISRESET

Create your Data Connection file

Now Excel Services has been configured, you need to make sure that the data connection has the right settings for Kerberos. Typically in this scenario, a data connection file will be created and stored in a SharePoint data connections library. This ensures that you only have to set the data connection up once and use it many times.

There are several key settings that must be in the data connection file in order for Kerberos to work, these include using the FQDN of the SQL server and adding SSPI=Kerberos to the connection string. Follow these steps:

  • Open Excel 2007 (Client)

  • Go to the ‘Data’ ribbon

  • In the ‘Get external data’ area click on ‘From Other Sources’ and choose ‘From Analysis Services’

  • Enter the FQDN of your SQL server here (i.e. server.domain.local, not just server), leave the default of ‘Use Windows Authentication’ and click Next

  • Choose the database and cube that you wish to connect to and click Next. Click Finish on the following screen.

  • Choose to show a pivot table (this is not relevant and will not be used at this stage) and click OK

  • Once the pivot table is displayed, it is a good idea to test it out to make sure you got the right settings

  • Go to the ‘Data’ ribbon and click ‘Properties’

  • Go to the ‘Definition’ tab of the connection properties dialog

  • Add ‘;SSPI=Kerberos’ (without the ‘) at the end of the connection string (after MDX Missing Member Mode=Error)

  • Now Export your data connection to SharePoint by clicking ‘Export Connection File’

  • Enter the full URL of the data connection library that you wish to save your data connection to and click ‘Save’.

  • You may now close Excel and disregard the spreadsheet (you have got the data connection in SharePoint which is the bit you need)

Configure your site

Now you have created the data connection, you can go ahead and configure your site.

Generally one of the first things to do is to add an ‘SQL Server 2005 Analysis Services Filter’ webpart which uses the data connection to provide filters to other webparts on your site. This is one of the first places to test Kerberos. When you add the SQL AS Webpart, you will first need to choose the data connection. Upon doing this the Dimension drop-down should populate with dimensions from SQL. If this works then Kerberos is working!

Deployment for SharePoint 2007

Filed under: SharePoint Guides, SharePoint 2007 — Roux Visser @ 07:04 pm

A server farm typically consists of one or two back-end database servers and one or more front-end servers that provide Web services and Office SharePoint Server 2007 services, such as search, Excel Services, and indexing.

 Hardware and Software requirements

Before you install and configure Office SharePoint Server 2007, make sure your servers have the recommended hardware and software. To deploy a server farm, you need at least one server computer acting as a Web server and an application server, and one server computer acting as a database server. The server computers must meet the following requirements:

Hardware Requirements

  • Front-end Web server and application server computers: a dual-processor computer with processor clock speeds of 2.5-gigahertz (GHz) or higher and a minimum of 2 gigabytes (GB) of RAM.
  • Back-end database server: a dual-processor computer with processor clock speeds of 2.0 GHz or higher and a minimum of 2 GB of RAM.

 Software Requirements

  • Microsoft Windows Server 2003 (Standard, Enterprise, Datacenter, or Web Edition) with Service Pack 1 (SP1)
  • Microsoft .Net Framework 2.0
  • Microsoft .Net Framework 3.0
  • The Web server and application server computers must be configured as Web servers running Microsoft Internet Information Services (IIS) in IIS 6.0 worker process isolation mode.
  • Each of the computers must be using the NTFS file system. Windows Server 2003 includes a conversion utility (Convert.exe) that you can use to convert an existing file allocation table (FAT) volume to NTFS without losing data.

SQL Server Preparation

Back-End Database Server

The back-end database server computer must be running Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with Service Pack 3 (SP3) or later. It is assumed that you have installed and configured the database program on the back-end server computer. You do not need to set up or create specific databases for Office SharePoint Server 2007. The Office SharePoint Server 2007 Setup program will create the necessary databases when you install and configure Office SharePoint Server 2007.

In addition to these requirements, if you are using SQL Server 2005, you need to configure surface area settings. Use the following procedure to do this.

 Configure Surface area settings in SQL Server 2005

  1. Click Start, point to All Programs, point to Microsoft SQL Server 2005, point to Configuration Tools, and then click SQL Server Surface Area Configuration.
  2. In the SQL Server Surface Area Configuration dialog box, click Surface Area Configuration for Services and Connections.
  3. In the tree, open your instance of SQL Server, open Database Engine, and then click Remote Connections.
  4. Click Local and Remote Connections, click Using both TCP/IP and named pipes, and then click OK.

Security Account requirements for SQL

To install Office SharePoint Server 2007 in a server farm environment, at least two accounts are required:

  • A user account that you can use to install Office SharePoint Server 2007 and run the SharePoint Products and Technologies Configuration Wizard. This account must be:
      • A domain user account.
      • A member of the Administrators group on each of your front-end servers.
      • A member of the SQL Server Logins, which grants login access to your SQL Server instance.
      • A member of the SQL Server Database Creator server role, which grants permission to create and alter databases.
      • A member of the SQL Server Security Administrators server role, which grants permission to manage server logins.

  • A unique domain user account that you can specify as the Office SharePoint Server 2007 service account. This user account is used to access your SharePoint configuration database. It also acts as the application pool identity for the SharePoint Central Administration application pool and it is the account under which the Windows SharePoint Services Timer service runs. The SharePoint Products and Technologies Configuration Wizard adds this account to the SQL Server Logins, the SQL Server Database Creator server role, and the SQL Server Security Administrators server role. It is recommended that you follow the principle of least privilege and do not make this user account a member of any particular security group on your front-end servers or your back-end servers.
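As an added example (not from the original post), the PowerShell below creates those SQL logins with exactly the two server roles listed and nothing more, then checks that neither account has ended up in sysadmin. It assumes SQL Server 2005 (sys.server_principals does not exist in SQL Server 2000), sqlcmd.exe from the SQL Server 2005 client tools, an instance reachable as server.domain.local, and the account names SPInstall and SPDatabase from the next section, with SPDatabase assumed here to be the farm service account. Run it as a SQL sysadmin, since CREATE LOGIN requires ALTER ANY LOGIN.

```powershell
# Added example: least-privilege SQL logins for the farm accounts. Instance and
# account names are assumptions; run as a SQL sysadmin.
$instance = 'server.domain.local'
$logins   = @('domain\SPInstall', 'domain\SPDatabase')   # setup account, farm account (assumed)

function Invoke-SqlBatch([string]$server, [string]$tsql) {
    # -E: Windows auth; -b: T-SQL error becomes a non-zero exit code;
    # -h -1 -W: no header row, trimmed output.
    $tmp = [System.IO.Path]::GetTempFileName()
    Set-Content -Path $tmp -Value $tsql
    try {
        $out = & sqlcmd.exe -S $server -E -b -h -1 -W -i $tmp
        if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed: $out" }
        return $out
    } finally { Remove-Item $tmp }
}

# Windows login plus exactly the two roles the text names: dbcreator and securityadmin.
function Grant-FarmSqlRoles([string]$server, [string]$login) {
    $tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
EXEC sp_addsrvrolemember N'$login', N'dbcreator';
EXEC sp_addsrvrolemember N'$login', N'securityadmin';
"@
    [void](Invoke-SqlBatch $server $tsql)
}

# True when the login is NOT a member of sysadmin (the check least privilege needs).
function Test-NotSysadmin([string]$server, [string]$login) {
    $out = Invoke-SqlBatch $server "SET NOCOUNT ON; SELECT ISNULL(IS_SRVROLEMEMBER('sysadmin', '$login'), 0);"
    if ($out -eq $null) { throw "no result for $login" }
    return ([int]($out | Select-Object -Last 1)) -eq 0
}

foreach ($login in $logins) {
    Grant-FarmSqlRoles $instance $login
    if (Test-NotSysadmin $instance $login) {
        Write-Host "${login}: dbcreator + securityadmin, not sysadmin"
    } else {
        Write-Warning "$login is sysadmin; remove it from that role"
    }
}
```

The sysadmin check is the point of the exercise: it is common to find farm accounts that were made sysadmin ‘temporarily’ during installation and never demoted, which turns any SharePoint compromise into full control of the database server.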

Security Account requirements for SharePoint

The Service Accounts for Creating a Web Application are:

  • SPApppool needs to be a member of the Domain Users, IIS_WPG and WSS_WPG groups
  • SPContent needs to be a member of the Domain Users group
  • SPDatabase needs to be a member of the Domain Users, IIS_WPG and WSS_ADMIN_WPG groups
  • SSPSearch needs to be a member of the Domain Users and WSS_WPG groups

The Service Accounts required for SharePoint Installation are:

  • SPInstall needs to be a member of the Administrators and WSS_ADMIN_WPG Group
  • SPSite(for site creation and administration) needs to be member of the Administrators and WSS_ADMIN_WPG Group


The Service Account required for SQL is:

  • SQLService needs to be a member of the Domain Users Group


The Service Accounts required for Single Sign-On are:

  • SSOService needs to be a member of the Administrators, IIS_WPG, WSS_WPG and WSS_ADMIN_WPG groups

  • EntApp needs to be a member of the Administrators, IIS_WPG, WSS_WPG and WSS_ADMIN_WPG groups

Server Roles for a MOSS Environment

Filed under: SharePoint Configuration, SharePoint Guides, SharePoint 2007 — Roux Visser @ 06:53 pm

Application Server – Configure a Web Server

Before you install and configure Office SharePoint Server 2007, you must install and configure the required software on each of your front-end servers. This includes installing and configuring IIS so your front-end servers act as Web servers, installing Microsoft .NET Framework 2.0, enabling ASP.NET 2.0, and installing the Windows Workflow Foundation Runtime Components Beta 2.2 (build 3807.7).

 Install and configure IIS

IIS is not installed or enabled by default in Windows Server 2003. To make your server a Web server, you must install and enable IIS, and you must make sure that IIS is running in IIS 6.0 worker process isolation mode.

  • Click Start, point to All Programs, point to Administrative Tools, and then click Configure Your Server Wizard.
  • On the Welcome to the Configure Your Server Wizard page, click Next.
  • On the Preliminary Steps page, click Next.
  • On the Server Role page, click Application server (IIS, ASP.NET), and then click Next.
  • On the Application Server Options page, click Next.
  • On the Summary of Selections page, click Next.
  • Click Finish.
  • Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  • In the IIS Manager tree, click the plus sign (+) next to the server name, and then right-click the Web Sites folder and select Properties.
  • In the Web Sites Properties dialog box, click the Service tab.
  • In the Isolation mode section, clear the Run WWW service in IIS 5.0 isolation mode check box, and then click OK.

Note: The Run WWW in IIS 5.0 isolation mode check box is only selected if you have upgraded to IIS 6.0 on Windows Server 2003 from IIS 5.0 on Microsoft Windows 2000. New installations of IIS 6.0 use IIS 6.0 worker process isolation mode by default.

Windows Server 2003 Support Tools

Filed under: Windows Server 2003, Tools and Best Practices — Roux Visser @ 06:42 pm

The Windows 2003 Support Tools are a collection of resources with the aim of helping administrators simplify management tasks. These include troubleshooting operating systems, configuring networking and security features, managing Active Directory, and automating application deployment. With these tools the user is able to pinpoint problems with the system and will therefore be able to find a solution more easily.

The Windows 2003 Support Tools consist of a number of command-line utilities, Visual Basic scripts, GUI-based applications, and documents, all of which you must install from a separate installer.

Note:

The Support Tools are not automatically installed when you install Windows 2003; their installation isn’t an option in the Windows 2003 setup. The installation program is located on the CD-ROM in the \support\tools folder and the setup file (suptools.msi) must be opened manually to initiate the installation.

The setup program installs the Support Tools files onto your hard disk and requires approximately 24 MB of free space for a full installation. You must be logged on as the Administrator or have Administrator privileges to be able to install them. Setup creates a Windows 2003 Support Tools folder within the Programs folder on the Start menu. The setup also adds the \program files\support tools directory (or the directory name you choose for installing the tools) to your computer’s path environment variable – this allows you to run the command line tools from any folder on your system.

Once the installation is complete, you can click on Start > Programs > Windows 2003 Support Tools to open the command prompt in the Program Files\Support Tools directory and start using them. All the GUI-based tools, along with the command line ones, can be found in the \Program Files\Support Tools folder (or whichever location you chose at installation).

Installing the support tools

As mentioned previously, the support tools are located in the \support\tools folder on the Windows 2003 CD-ROM. Navigate to that location and double click the “suptools.msi” file to start the installation wizard.


Press Next and browse through the screens, select “I Agree” when the license agreement screen comes up. You will be prompted to choose a location in which to install the tools. By default, the location is c:\program files\support tools\


Press the “Install Now” button and the installation will proceed. The installation will take a couple of minutes to be complete. Press “Finish” and close all windows to be able to start using the tools.

The support tools explained

This section will display the list of support tools found on the Windows Server 2003 CD-ROM in alphabetical order.

To use the command line format tools, open the command prompt and type the filename followed by the appropriate parameters. If you are unaware of the parameters of the tool you wish to use then type: filename /? to show the list of available parameters.

Tool Name: ACL Diagnostics  
Filename: acldiag.exe  
Format: Command Line  
Description: Detects and displays the permission problems found in the Access Control Lists of objects in Active Directory 
Tool Name: Active Directory Replication Monitor 
Filename: replmon.exe  
Description: Allows the control of Active Directory replication information  
Tool Name: Active Directory Search Tool 
Filename: search.vbs  
Format: Command Line  
Description: A script used to search an LDAP (Lightweight Directory Access Protocol) directory 
Tool Name: Application Deployment Diagnostics  
Filename: addiag.exe  
Format: Command Line  
Description: Gives you a list of the software implemented on a local computer using group policy  
Tool Name: ADSI Edit 
Filename: adsiedit.msc  
Description: Allows the editing of objects in Active Directory in a low-level style editor 
Tool Name: BITS Administration Utility  
Filename: bitsadmin.exe  
Description: Administers the Background Intelligent Transfer Service, which controls background file transfers for Internet Information Services
Tool Name: Browser Status 
Filename: browstat.exe  
Description: Displays network browser status  
Tool Name: Clone Principal  
Filename: clonepr.dll  
Description: This dynamic link library clones windows NT 4.0 users and groups to allow migration to a Windows Server 2003 forest
Tool Name: Dependency Walker
Filename: depends.exe
Description: Allows you to view all the dependencies of a file. You are able to check which DLLs are dependent on others. This can be very useful when investigating a problem related to a missing file. The image below shows the GUI interface of the dependency viewer. To demonstrate, I have loaded the twain_32.dll file - as you can see, this DLL depends on three other DLLs for it to work.


Tool Name: Device Console Utility  
Filename: devcon.exe  
Description: The command prompt version of the device manager in the hardware tab of system properties  
Tool Name: DFS and SYSVOL Replication Topology Analysis Tool
Filename: topchk.cmd  
Description: Shows the FRS replication topology  
Tool Name: DHCP Server Locator Utility  
Filename: dhcploc.exe  
Description: Shows a list of all DHCP servers on the subnet  
Tool Name: Directory Disk Usage 
Filename: diruse.exe  
Description: Displays directory sizes and compression information  
Tool Name: Directory Services ACL Editor  
Filename: dsacls.exe
Description: Manages access control lists for Active Directory objects 
Tool Name: Directory Services Utility 
Filename: dsastat.exe  
Description: Compare and contrast two directory trees in the same domain or across different domains  
Tool Name: Distributed File System (DFS) Utility 
Filename: dfsutil.exe  
Description: Manages DFS, limits clients to targets within the same site and enables windows server 2003 based DFS servers to select remote targets 
Tool Name: Diskprobe  
Filename: dskprobe.exe 
Description: Allows you to edit the disk sector information directly (includes also the MBR)  
Tool Name: Disk Manager Diagnostics  
Filename: dmdiag.exe  
Description: Provides detailed diagnostic information about hard disk drives 
Tool Name: DNS Server Troubleshooting Tool  
Filename: dnscmd.exe  
Description: Administrators are able to view and modify DNS servers, zones and resources 
Tool Name: Domain Controller Diagnostic Tool 
Filename: dcdiag.exe   
Description: Analyzes and reports on the state of a domain controller  
Tool Name: Encrypting File System Information  
Filename: efsinfo.exe 
Description: Provides information about files that have been encrypted using EFS. This is a very helpful tool when you want to analyze which files and folders are encrypted. If I were to go to the C: drive in the command prompt and type “efsinfo”, a list of all the files and their encryption related information will be displayed. This can be seen in the example below:


Tool Name: Extensible Performance Counter List 
Filename: Exctrlst.exe  
Description: Displays information about the programs that use the registry to provide performance counters
Tool Name: File and Directory Comparison  
Filename: windiff.exe  
Description: Compares ASCII text files or folders  
Tool Name: File Replication Utility  
Filename: ntfrsutil.exe  
Description: Displays the status of the NT file replication service onto the screen and dumps it in a file
Tool Name: FileVer
Filename: filever.exe
Description: States version information of a file or folder
Tool Name: FRS Connection Status Report
Filename: connstat.cmd
Description: Reports the connection status of the File Replication Service
Tool Name: FRS Health Check  
Filename: health_chk.cmd  
Description: States the health of the FRS of a specified domain controller 
Tool Name: FRS Inbound and Outbound Logs Report Tool  
Filename: iologsum.cmd
Description: Displays information about FRS replication 
Tool Name: Get Security ID  
Filename: getsid.exe  
Description: Checks if a user account database is corrupt by comparing the SIDs of the account on two domain controllers  
Tool Name: Global Flags Editor  
Filename: gflags.exe  
Description: Allows you to edit global registry settings or flags that are in use by the kernel 
Tool Name: HTTP Configuration Utility  
Filename: httpcfg.exe  
Description: Manages the HTTP Application Programming Interface  
Tool Name: IAS Parse Tool  
Filename: iasparse.exe  
Description: Parses RAS and IAS log files and displays the results in IAS or ODBC format  
Tool Name: Kerberos Keytab Setup
Filename: ktpass.exe
Description: Configures a non-Windows Kerberos service to be a security principal in Windows Server 2003
Tool Name: Kerberos Setup  
Filename: ksetup.exe  
Description: Configures Windows Server 2003 clients to use an MIT Kerberos Server  
Tool Name: LDP Tool  
Filename: ldp.exe  
Description: Performs Lightweight Directory Access Protocol operations 
Tool Name: Manipulate Service Principal Names for Accounts
Filename: setspn.exe  
Description: Manipulates SPNs for active directory service accounts 
Tool Name: Memory Pool Monitor  
Filename: poolmon.exe  
Description: Shows information about the system’s memory pool.  
Tool Name: Memory Profiling Tool  
Filename: memsnap.exe  
Description: Allows you to save a list of the memory resources being used by all processes 
Tool Name: Move Users  
Filename: movetree.exe  
Description: Moves objects between domains 
Tool Name: Network Connectivity Tester  
Filename: netdiag.exe  
Description: Troubleshoots network connectivity by running various tests on your configuration and displaying the results. This tool does not require any extra parameters, which allows the administrator to instruct a user to run this command, pass on the results and allow them to be analyzed. Thus, making it less complicated if say, a senior admin was at home instructing the junior admin to do this on the servers at the office. The image below only displays the first phase of the results.


Tool Name: Network Monitor Capture Utility  
Filename: netcap.exe  
Description: Acts as a packet sniffer by using Network Monitor to capture packets and log them to a file  
Tool Name: Nltest
Filename: nltest.exe
Description: Queries the status of trusts; lists primary domain controllers; forces a shutdown and forces a user database into synchronization
Tool Name: Poolmon  
Filename: poolmon.exe  
Description: Helps to detect memory leaks by displaying detailed information about the allocation of memory. As soon as you type “poolmon” from the command prompt, the following kind of data will be shown. This includes the total amount of memory in the system and the memory available, amongst others.


Tool Name: Port Query  
Filename: portqry.exe  
Description: Allows you to troubleshoot TCP and UDP ports. This helps the administrator to determine the state of any given port. If you type “portqry -n computer_name -e port_number” the name will be resolved to the IP address and the port number will be queried. Details such as the service assigned to that port, the port type (TCP, UDP), the state of the port and also any held data will be displayed.


Tool Name: Process Viewer  
Filename: pviewer.exe 
Description: Allows you to change a process priority or kill a process. This can be described as more advanced version of the “process viewer” available in the task manager. With this tool you are able to set the priority of the thread and process or kill a process altogether. Pressing on the memory detail button will bring up a window displaying in-depth information as to where the memory of the process is going.


Tool Name: Remote Command Line  
Filename: remote.exe 
Description: Runs command line programs on remote computers using only named pipes 
Tool Name: Remote Storage Diagnostics Utility  
Filename: rsdiag.exe  
Description: Queries and reports on remote storage databases 
Tool Name: Remote Storage File Analysis Utility  
Filename: rsdir.exe  
Description: Displays information from files in remote storage  
Tool Name: Replication Diagnostics Tool  
Filename: repadmin.exe  
Description: Allows the diagnosis of replication problems between domain controllers in Windows Server 2003 
Tool Name: Security Administration Tools  
Filename: sidwalk.exe, showaccs.exe, sidwalk.msc  
Description: Manages access control lists  
Tool Name: Security Descriptor Check Utility  
Filename: sdcheck.exe  
Description: Displays access controls on an object 
Tool Name: Service Pack Check  
Filename: spcheck.exe  
Description: Creates a file containing a list of the service pack versions of important system files. The tool requires the spcheck.ini file to be present in the directory in which you execute the command; if you do not have this file, you can download it from the Microsoft website. Type “spcheck” and a report is created and written to the current directory. Open the report with a text editor (notepad.exe will do fine); it lists important system files, which service pack each one came from, and whether any are missing.



Tool Name: Windows Domain Manager  
Filename: netdom.exe  
Description: Provides command line administration of domains and trusts
Tool Name: Windows Installer Cleanup Utility  
Filename: msicuu.exe  
Description: Removes excess registry entries from a faulty installation  
Tool Name: Windows Installer Zapper  
Filename: msizap.exe  
Description: The same as the Windows Installer Cleanup Utility, only a more in-depth version  
Tool Name: Xcacls.exe  
Filename: xcacls.exe  
Description: Sets and displays file ACLs  

Summary

As you can see, there have been quite a few additions to the support tools in Microsoft Windows Server 2003. They help you to troubleshoot any problems that may occur in your network setup and servers and provide valuable information for maintenance related tasks. The support as a whole has improved in Windows Server 2003; it’s easier to find what you want, there is more information about certain topics and the layout is better structured.

Web Applications and MySites on the same Content Database

Filed under: SharePoint Blunders, SharePoint 2007 — Roux Visser @ 06:31 pm

During SharePoint Health Checks it is common to find that the SharePoint MySites have been installed on the same Web Application as the main portal Site Collection. This does not follow Microsoft best-practice guidelines with regard to manageability, performance and backups, so the recommendation is to create a new Web Application exclusively for MySites and migrate the existing MySites from the Audatex site collection to the new MySite site collection.

Run the following SharePoint command operations to enumerate the existing MySites and to migrate these to the new host location:

  • Enumerate the existing MySites

stsadm -o enumsites -url http://oldservername -databasename OldMySitesContentDB > MySites.xml

  • Move the existing MySites to the new Content Database

stsadm -o mergecontentdbs -url http://oldservername -sourcedatabasename OldMySitesContentDB -destinationdatabasename MySiteContentDB -operation 3 -filename MySites.xml

Now detach the newly populated database, which is the MySites host, and re-attach it to the new MySite Web Application.
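Before handing the MySites.xml produced by enumsites to mergecontentdbs it is worth checking what is actually in it: any site collection in the list that is not a personal site, or that does not live in the source database, will either be dragged across with the MySites or rejected by the merge. The following is an added example, not code from the post; it assumes the enumsites output layout (a Sites root whose Site children carry Url, Owner, ContentDatabase and StorageUsedMB attributes), and the sample document, server name and database names are constructed for illustration.

```python
"""Pre-flight check on the MySites.xml that 'stsadm -o enumsites' writes,
run before it is handed to 'stsadm -o mergecontentdbs -operation 3'.

Added example, not code from the blog post. It assumes the enumsites
output layout (a <Sites> root whose <Site> children carry Url, Owner,
ContentDatabase and StorageUsedMB attributes); the sample document,
server name and database names below are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: two genuine MySites, the root portal site that shares
# the old MySite database, and a MySite that lives in a different database.
SAMPLE_MYSITES_XML = """<Sites Count="4">
  <Site Url="http://oldservername/personal/jsmith" Owner="CORP\\jsmith"
        ContentDatabase="OldMySitesContentDB" StorageUsedMB="120.5"
        StorageWarningMB="0" StorageMaxMB="0" />
  <Site Url="http://oldservername/personal/adoe" Owner="CORP\\adoe"
        ContentDatabase="OldMySitesContentDB" StorageUsedMB="64"
        StorageWarningMB="0" StorageMaxMB="0" />
  <Site Url="http://oldservername" Owner="CORP\\spinstall"
        ContentDatabase="OldMySitesContentDB" StorageUsedMB="2048"
        StorageWarningMB="0" StorageMaxMB="0" />
  <Site Url="http://oldservername/personal/kle" Owner="CORP\\kle"
        ContentDatabase="WSS_Content_Portal" StorageUsedMB="10"
        StorageWarningMB="0" StorageMaxMB="0" />
</Sites>"""


def parse_enumsites(xml_text):
    """Return one dict per <Site> element in an enumsites document."""
    root = ET.fromstring(xml_text)
    return [{
        "url": site.get("Url", ""),
        "owner": site.get("Owner", ""),
        "db": site.get("ContentDatabase", ""),
        "used_mb": float(site.get("StorageUsedMB") or 0),
    } for site in root.findall("Site")]


def preflight(xml_text, source_db, personal_path="/personal/"):
    """Split the listing into sites that are safe to merge and sites to review.

    A site is flagged when it is not a personal site (it would be moved
    along with the MySites) or when it is not in the expected source
    database (mergecontentdbs cannot take it from there)."""
    safe, flagged = [], []
    for site in parse_enumsites(xml_text):
        problems = []
        if personal_path not in site["url"].lower():
            problems.append("not a personal site")
        if site["db"].lower() != source_db.lower():
            problems.append("in %s, expected %s" % (site["db"], source_db))
        (flagged if problems else safe).append((site, problems))
    return {
        "to_move": [s["url"] for s, _ in safe],
        "flagged": [(s["url"], "; ".join(p)) for s, p in flagged],
        "total_mb": sum(s["used_mb"] for s, _ in safe),
    }


def filtered_xml(xml_text, keep_urls):
    """Return an enumsites-style document holding only keep_urls, so that
    mergecontentdbs -operation 3 moves just those site collections."""
    root = ET.fromstring(xml_text)
    for site in list(root.findall("Site")):
        if site.get("Url") not in keep_urls:
            root.remove(site)
    root.set("Count", str(len(root.findall("Site"))))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    report = preflight(SAMPLE_MYSITES_XML, "OldMySitesContentDB")
    print("Moving %d site(s), %.1f MB in total:" % (len(report["to_move"]), report["total_mb"]))
    for url in report["to_move"]:
        print("  ", url)
    for url, why in report["flagged"]:
        print("REVIEW", url, "-", why)
    # The trimmed file is what you would pass to -filename instead of the raw listing.
    with open("MySites.filtered.xml", "w") as fh:
        fh.write(filtered_xml(SAMPLE_MYSITES_XML, set(report["to_move"])))
```

Run it against the real MySites.xml in place of the constructed sample; the total in MB also gives you an idea of how long the merge and the subsequent backup window will be, which is the manageability point the post makes.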

IIS Corruption on a SharePoint Server

Filed under: SharePoint Errors, SharePoint 2007 — Roux Visser @ 06:17 pm

I have not been able to determine the exact cause of this issue, but I believe it has to do with the order in which SharePoint was installed relative to the Windows Server 2003 service pack and patches. Microsoft are aware of the error and have released the following hotfix to rectify it: http://support.microsoft.com/?id=946517. For a detailed account of the cause, please see the hotfix information behind that link.

If you are affected by this issue, you will not be able to browse websites in IIS even when attempting to ‘Connect to the Local Machine’. See image below.


After applying the Hotfix, IIS will be available as per usual:

Fixing Error 6482, 7076, 6398 and 27745

Filed under: SharePoint Errors, SharePoint 2007 — Roux Visser @ 06:08 pm
Source: Office SharePoint Server
Date: 20/10/2008 00:20:26
Event ID: 6482
Task Category: (1328)
Level: Error
Keywords: Classic
Computer:
Description: Application Server Administration job failed for service instance Microsoft.Office.Server.Search.Administration.SearchServiceInstance

Source: Office SharePoint Server
Date: 20/10/2008 00:20:26
Event ID: 7076
Task Category: (1328)
Level: Error
Keywords: Classic
Computer:
Description: Application Server Administration job failed for service instance Microsoft.Office.Server.Search.Administration.SearchServiceInstance

This error can be corrected with the following hotfix:
http://support.microsoft.com/?id=946517

Source: Office SharePoint Server
Date: 20/10/2008 00:20:26
Event ID: 6398
Task Category: (1328)
Level: Error
Keywords: Classic
Computer:
Description: Application Server Administration job failed for service instance Microsoft.Office.Server.Search.Administration.SearchServiceInstance

This error can be corrected with the following hotfix:
http://support.microsoft.com/?id=946517

Source: Office SharePoint Server
Date: 20/10/2008 00:20:26
Event ID: 27745
Task Category: (1328)
Level: Error
Keywords: Classic
Computer:
Description: The description for Event ID (27745) in Source (Windows SharePoint Services 3) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: #50071: Unable to connect to the database SharePoint_Config on SharePointSQLServer_Dev. Check the database connection information and make sure that the database server is running..

This error can be corrected with the following hotfix:
http://support.microsoft.com/kb/923028


SharePoint Backup

Filed under: SharePoint Configuration, SharePoint Errors, SharePoint 2007 — Roux Visser @ 05:56 pm

A common SharePoint backup configuration error is shown in the information below; this post highlights how it can be rectified.

Error: Object SharePoint_Config failed in event OnBackup. For more information, see the error log located in the backup directory. SqlException: Cannot open backup device ‘\\servername\backup\spbr0001\0000001.bak’. Operating system error 5(error not found).

This can be seen in the screenshot below:


Follow these steps to allow successful SharePoint Backups:

  • Set the SQL Server (MSSQLSERVER) Windows service to run as a domain account. This requires a restart of the service and of IIS.
  • Set up sharing on the backup folder and grant change and read rights to the identity the Central Administration application pool runs under, the SQL Server service account and the identity the Timer service runs under.
  • On each of the SharePoint servers, check that you can access the share.
  • On each of the database servers, check that you can access the share.
  • Set the folder security: grant the identity the Central Administration application pool runs under, the SQL Server service account and the identity the Timer service runs under all rights apart from Full Control.
  • When running the backup, specify the UNC path to the backup share (for example \\SPSDev\Backups) rather than the local folder location (K:\backups\).

Use SCRIPT to change SharePoint Service Account

Filed under: SharePoint Scripting, SharePoint 2007 — Roux Visser @ 05:45 pm

The SharePoint Central Administration Site is the central location for configuring and administering SharePoint 2007 (MOSS). Many SharePoint implementations were originally ‘hammered’ in by IT departments without major consideration for the growth and scalability of their SharePoint implementation, and without the realisation that SharePoint could fast become mission critical. As a result many IT departments face the challenge of rebuilding their implementations. A SharePoint re-build can consist of many factors; a common area to focus on is to re-assign the correct Service Accounts to the various SharePoint Services.

To reduce downtime and to minimise the effects visible to a business a batch file can be used to change the SharePoint Service accounts:

 

08/11/2008

Common SharePoint Blunders

Filed under: SharePoint Blunders, SharePoint 2007 — Roux Visser @ 06:31 pm

I have carried out many Health Checks of SharePoint 2007 environments and I acknowledge that SharePoint 2007 is a very complex installation which makes use of numerous Microsoft components, such as IIS, Active Directory, SQL Server, Windows Server technologies and ASP.NET. As a result it is very easy to install SharePoint 2007 incorrectly, and I have seen a common trend in the mistakes made at many of my clients, caused by the complexity of a SharePoint installation and configuration and the pitfalls it presents.

As a result I have decided to share some of these common SharePoint installation and configuration blunders.

Issue                                  Risk
Incorrect Service Accounts             Very High
No IIS (IIS corruption)                Very High
No Valid Backups*                      Very High
SharePoint Content Database Size       Very High
No Enterprise Search Configuration**   Medium
Farm Topology                          Medium
W2K3 Server Errors                     Low
Path Levels                            Low
Web Applications                       Medium

* No valid backups exist due to incorrect installation

**Enterprise search has not been configured as a result of an incorrect installation (no Service Account access to Search and Content Databases)

Many of my clients have implemented a SharePoint solution without any expectations on user adoption and the realisation that this solution can fast become a business critical application and without recognition that ‘SharePoint Sprawl’ is very real.

As a result no initial considerations are made in terms of availability, redundancy, administration and the SharePoint installation itself, until in most cases real issues occur.

Service Accounts

Many of my clients have attempted to install SharePoint 2007 themselves, and one of the most common mistakes is the incorrect use of service accounts: in most cases a single account is used for all the SharePoint services, resulting in a number of issues further down the line. This becomes apparent when logging into the SharePoint Central Administration site with this installation account, because the system defaults to the ‘System Account’.

SharePoint requires eight Service Accounts and these are outlined below:

Service account, what it is used for, permission requirements and suggested naming convention:

  • The Portal Application Pool Service Account: used to access the web application for the SharePoint Portal. Permissions: Domain User. Suggested name: SPApppool_Portal
  • The MySite Application Pool Service Account: used to access the web application for the SharePoint Portal. Permissions: Domain User. Suggested name: SPApppool_MySite
  • The Content Access Service Account: used to access the content held in the SQL content databases. Permissions: Domain User. Suggested name: SPContent
  • The Database Access Service Account: used to create and access the SharePoint configuration database. Permissions: Domain User. Suggested name: SPData
  • The SharePoint Search Service Account: used for search queries. Permissions: Domain User. Suggested name: SPSearch
  • The SharePoint Index Service Account: used to index search content. Permissions: Domain User. Suggested name: SPService
  • The Single Sign-On Service Account: used for the Single Sign-On service. Permissions: Domain Admins (initially), Domain Users. Suggested name: SSPOService
  • The Enterprise Application Service Account: used for the Enterprise Application service in Single Sign-On. Permissions: Domain Users. Suggested name: EntAppService
  • The SharePoint Install Service Account: used to install and configure SharePoint. Permissions: Domain Admins, Domain Users. Suggested name: SPInstall

The use of correct Service Accounts is critical in a SharePoint 2007 implementation and is at the core of many of the issues that are experienced further down the line.
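The account table above can be turned into a simple check that a Health Check can run against the list of services and the identities they run under: one account carrying several roles, or a role running as a Domain Admin where the table only calls for a Domain User, are exactly the findings that surface later as the ‘System Account’ symptom. The following is an added example, not code from the post or from Microsoft; it does not query a farm, the role names are the post's own, and the two farm inventories and their group memberships are constructed.

```python
"""Least-privilege check of SharePoint 2007 service accounts, using the
account list from the post above as the policy. Added example, not from
the blog; it does not query a farm. Role names are the post's own, the
farm inventories and group memberships below are constructed."""

ROLES = [
    "Portal Application Pool", "MySite Application Pool", "Content Access",
    "Database Access", "SharePoint Search", "SharePoint Index",
    "Single Sign-On", "Enterprise Application", "SharePoint Install",
]
# Per the post, only the install account needs Domain Admins, and the SSO
# account only initially; every other role should be a plain Domain User.
DOMAIN_ADMINS_TOLERATED = {"SharePoint Install", "Single Sign-On"}

# Constructed: the classic blunder, one install account running everything.
BAD_FARM = {role: r"CORP\spinstall" for role in ROLES}
BAD_GROUPS = {r"CORP\spinstall": {"Domain Admins", "Domain Users"}}

# Constructed: one account per role, named as the post suggests.
GOOD_FARM = {
    "Portal Application Pool": r"CORP\SPApppool_Portal",
    "MySite Application Pool": r"CORP\SPApppool_MySite",
    "Content Access": r"CORP\SPContent",
    "Database Access": r"CORP\SPData",
    "SharePoint Search": r"CORP\SPSearch",
    "SharePoint Index": r"CORP\SPService",
    "Single Sign-On": r"CORP\SSPOService",
    "Enterprise Application": r"CORP\EntAppService",
    "SharePoint Install": r"CORP\SPInstall",
}
GOOD_GROUPS = {acct: {"Domain Users"} for acct in GOOD_FARM.values()}
GOOD_GROUPS[r"CORP\SPInstall"].add("Domain Admins")


def audit(farm, groups):
    """Return (kind, account, roles) findings for a role->account mapping
    and an account->set-of-groups mapping."""
    findings = []
    # 1. Roles the post expects that have not been assigned an account at all.
    for role in ROLES:
        if role not in farm:
            findings.append(("unassigned", "", [role]))
    # 2. One account carrying several roles (the 'System Account' symptom).
    by_account = {}
    for role, acct in farm.items():
        by_account.setdefault(acct.lower(), []).append(role)
    for acct, roles in by_account.items():
        if len(roles) > 1:
            findings.append(("shared-account", acct, sorted(roles)))
    # 3. Domain Admins membership where the post does not call for it.
    for role, acct in farm.items():
        if "Domain Admins" in groups.get(acct, set()) and role not in DOMAIN_ADMINS_TOLERATED:
            findings.append(("domain-admin", acct, [role]))
    return findings


if __name__ == "__main__":
    for name, farm, groups in (("bad farm", BAD_FARM, BAD_GROUPS),
                               ("good farm", GOOD_FARM, GOOD_GROUPS)):
        print(name + ":")
        for kind, acct, roles in audit(farm, groups) or [("clean", "", [])]:
            print("  %-14s %-22s %s" % (kind, acct, ", ".join(roles)))
```

Feed it the real role-to-identity mapping from Central Administration (Operations, Service Accounts) and the group memberships from Active Directory; the shared-account finding is the one the post describes, and the domain-admin finding is what remains after the accounts have been split but the install account's privileges were copied across.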

Database Sizes

I have found that in most cases there is only one content database for all the MOSS data, usually holding a huge amount of data. This is a critical issue, as the recommended maximum size is between 100GB and 200GB per content database, depending on the specification of the SQL Server. Database configurations larger than the recommended size result in poor performance as well as long backup windows. For more detail please see The SharePoint Storage and Storage Performance White Paper.

Server Farm

Many clients have implemented SharePoint 2007 in a ‘single-farm’ environment. This environment is recommended for pilot or development scenarios only; below are some recommended farm topologies for a highly available SharePoint 2007 solution.

Four-server farm

The smallest server farm that builds in availability consists of four servers:

  • Servers one and two: Web servers with the query role installed on both computers. Additional application server roles, such as Excel Calculation Services, can be installed on one or both servers.

  • Servers three and four: clustered or mirrored database server. The caveat with this farm size, however, is the choice of where to deploy the index server role. If the index role is installed on the same server computer as the query role, the index role no longer propagates content indexes to external query servers. Consequently, if you install the index server role on one of the Web servers, you lose the ability to host the query role on both Web servers. You can install the index role on the database server, achieving availability of the query role on the Web servers. However, the performance of the database server will be affected.

Five-server farm

The most common highly available server farm topology introduces a middle tier and consists of five server computers.

Given this topology, you can install all application server roles on the dedicated application server. This design optimizes the performance of the front-end Web server computers by enabling you to offload one or more application server roles to the middle tier. The primary planning decision to make with this topology is where to install application server roles. The index server role should remain on the dedicated application server. However, your decision about where to install additional application server roles depends on whether you want to optimise the server farm for performance or for availability. If redundancy of application server roles is a priority, you can install application server roles that are designed to be redundant (Excel Calculation Services, query, and Microsoft Office Project Server 2007) on the two front-end Web server computers. To optimize for performance, consider moving first the Excel Services role to the application server and next the query role.

