Microsoft SharePoint Products and Technologies Administrators Pocket Consultant

The server farm operations interface is very similar in Windows SharePoint Services and SharePoint Server. Therefore, in this chapter we discuss server farm operations together, with the differences noted as required. As you progress through the many screens of SharePoint Products management, notice the numerous breadcrumb trail and navigation options that are provided.

After installing Windows SharePoint Services, you must enable several services for full functionality of your server farm. Choosing to disable these services can leave portions of your installation, such as Help, inoperable. Figure 3-1 shows the navigation to access these services.

Figure 3-1: To access Windows SharePoint Services topology settings, browse from the Home tab and select a server to view under the Farm Topology Web Part.

The default services after installation are described below:

Defining SharePoint Server 2007 Farm Services

After installing SharePoint Server, you must enable several services in Central Administration. You may access these services through either the Farm Topology Web Part in Home as shown in Figure 3-1 or through Central Administration > Operations > Topology And Services > Services On Server as shown in Figure 3-2.

Figure 3-2: To access SharePoint Server 2007 Services, browse to the Services On Server option under Topology And Services.

Once in the Services On Server options page, you can change the current server as shown in Figure 3-3 or select the type of server you want to configure.

Figure 3-3: Verify that you are managing the correct server before starting or stopping services.

Always verify that you are working with the intended server before changing service status because modifying the incorrect server can cause service outages. Changing the radio button to another server role only modifies the suggested services view; it does not start or stop services.

There are several server roles in SharePoint Server 2007:

E-mail Configuration

There are three places to configure your e-mail, two of which are here in farm operations management; the third is in Application Management and is covered in Application Management settings.

Outgoing E-mail Settings

Outgoing e-mail is required for alerts and other e-mail services to function properly. Configuring outgoing e-mail is a straightforward process. You must enter an outbound SMTP server and desired e-mail addresses. The only caveat is that the SMTP server selected for outbound e-mail must allow relaying from the WFE's primary IP address. SharePoint Products and Technologies do not allow for authenticated outbound e-mail.
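
The relay requirement can be verified from the WFE before alerts are relied on. The following PowerShell is an added example, not from the book; the SMTP server name and both addresses are placeholders chosen for illustration.

```powershell
# Added example, not from the book. Run it on the WFE itself.
# The server name and addresses are placeholders (assumptions).
$smtpServer = 'smtp.contoso.msft'
$from       = 'sharepoint@contoso.msft'
$to         = 'farmadmin@contoso.msft'

$client = New-Object System.Net.Mail.SmtpClient($smtpServer, 25)
# SharePoint sends outbound mail without authenticating, so the test does too.
$client.UseDefaultCredentials = $false

try {
    $client.Send($from, $to, 'SharePoint outgoing e-mail relay test',
                 "Sent from $env:COMPUTERNAME without authentication.")
    "Accepted: $smtpServer relays unauthenticated mail from $env:COMPUTERNAME"
}
catch {
    # PowerShell wraps .NET exceptions; walk down to the SMTP error if present.
    $ex = $_.Exception
    while ($ex -and -not ($ex -is [System.Net.Mail.SmtpException])) {
        $ex = $ex.InnerException
    }
    if ($ex) {
        Write-Warning "Rejected by ${smtpServer}: $($ex.StatusCode) - $($ex.Message)"
    }
    else {
        Write-Warning "Could not reach ${smtpServer}: $($_.Exception.Message)"
    }
}
```

Running the same test from a host that is not on the SMTP server's relay list should produce a rejection.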

Incoming E-mail Settings

Incoming e-mail allows documents to be sent directly to document libraries, tasks to be sent from e-mail to task lists, or calendar events to be sent to calendar lists. To implement correctly, incoming e-mail configuration requires several configuration steps. You must (1) make Active Directory changes when using the Directory Management Service, (2) configure your WFE, and (3) correctly configure incoming e-mail in Central Administration.

Caution 

Verify that the server used for incoming e-mail never changes. The contact and list information created in Active Directory is set to a single server address (for instance, doclib2@wfe01.contoso.msft), not the farm. Therefore, if you lose that server in the farm, all incoming e-mail flow stops instantly. The incoming e-mail server has to be brought back up with the same name, the SMTP service needs to be installed, and related IIS settings made before incoming e-mail will start working again.

To enable incoming mail, do the following:

Figure 3-4: You need to create an Organizational Unit in Active Directory for the Directory Management service to create contacts that correlate to Document Libraries and lists.

Figure 3-5: Carefully enter the location for the OU to contain distribution lists and contacts, and always use the FQDN for the incoming mail SMTP server.

The following choices must also be made, but unless you are in a highly secure environment, the defaults are usually sufficient.

Managing Service Accounts

New in Windows SharePoint Services and SharePoint Server 2007 is the ability to change service and application pool credentials from Central Administration. Exceptions are services managed directly from a dedicated interface, such as Windows SharePoint Search and SharePoint Server Search; these service accounts are managed directly from their respective interfaces. Both of these services are modified by accessing the corresponding hyperlink from Central Administration > Operations > Services On Server. By default, you can manage three Windows Service Accounts from Service Account management:

  1. Document Conversions Launcher Service

  2. Document Conversions Launcher Load Balancer Service

  3. Single Sign-on Service

As a general rule, these services run as the server farm account. They can be changed if you are in an environment that requires frequent password changes or if you develop a customized single sign-on service with specific authentication requirements.

You can also define the username and password for your IIS web application pools. Although it can be done from the IIS Manager snap-in, Central Administration provides a centralized interface on which to make changes. You first need to select a Web service and then the application pool identity you wish to modify. Figure 3-6 shows an example of selecting a Web application pool for modification.

Figure 3-6: To change an application pool identity, first select a Web service and then the desired application pool.

After selecting an application pool identity to manage, you have two choices:

  1. Predefined defaults are Network Service and Local. With the exception of Basic or Stand-alone installations, you should use dedicated accounts for Web application pool identities.

  2. Configurable accounts should have proper access to SQL Server databases and Windows Server services. These permissions were assigned automatically during installation. Changing these identities to accounts not defined during installation can cause service failure. For detailed information on required security account permissions, see Chapter 2.

    Tip 

    You can modify the server farm account using stsadm -o updatefarmcredentials -identitytype <configurableid | networkservice> -userlogin <domain\name> -password <password>. You must manually perform an IISreset on all members of the farm to update credential caches.
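
The tip above as a script, added here as an example and not taken from the book: it prompts for the new password instead of storing it, runs updatefarmcredentials once, and then resets IIS on each farm member. The server names, the account and the stsadm.exe path (the default SharePoint 2007 install location) are assumptions.

```powershell
# Added example, not from the book. Server names and the login are
# placeholders (assumptions); list every member of the farm.
$servers = 'WFE01', 'WFE02', 'APP01'
$login   = 'CONTOSO\svc-spfarm'
# Default SharePoint 2007 install location of stsadm.exe (assumed unchanged).
$stsadm  = Join-Path $env:CommonProgramFiles `
             'Microsoft Shared\web server extensions\12\BIN\stsadm.exe'

# Prompt for the password so it is never saved in a script file.
$secure = Read-Host "New password for $login" -AsSecureString
$bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    # stsadm accepts the password only as an argument, so it is visible in
    # the process command line on this server while the command runs.
    & $stsadm -o updatefarmcredentials -identitytype configurableid `
              -userlogin $login -password $plain
    if ($LASTEXITCODE -ne 0) {
        throw "updatefarmcredentials failed with exit code $LASTEXITCODE"
    }
}
finally {
    # Wipe the unmanaged copy of the password and drop the managed one.
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}

# Reset IIS on every farm member so cached credentials are refreshed.
$failed = @()
foreach ($server in $servers) {
    iisreset $server /restart
    if ($LASTEXITCODE -ne 0) { $failed += $server }
}

if ($failed) {
    Write-Warning "IIS reset failed on: $($failed -join ', '). Reset these manually."
}
else {
    "Farm credentials updated and IIS reset on all $($servers.Count) servers."
}
```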

Enabling Information Rights Management

SharePoint Products and Technologies can be integrated with Windows Rights Management Services (RMS). The optional use of an RMS server can restrict the access and distribution of sensitive documents by attaching a security policy, thus limiting the availability of the content to others. RMS integrates with Microsoft Office, Windows SharePoint Services, SharePoint Server, and Exchange Server. RMS, in conjunction with Windows SharePoint Services and SharePoint Server, can create a seamless transition from a client working in a Microsoft Office application to creating a secure workplace in a SharePoint site collection. When a user creates a document workspace in a site collection, the users and their associated rights defined in the document's security policy are transferred to the document workspace created. To configure Information Rights Management correctly, you must do the following:

Updating the Farm Administrator's Group

Use caution when adding users to the Farm Administrator's group. Users added to this group can access Central Administration and disable services, causing widespread service outages. When you open the People and Groups interface, you see that the server administrator, server administrator group, and the farm account are administrators. You can add local users and groups or preferably add Active Directory users and groups.

Important 

If you decide to use local accounts for Administrative access, be sure to create these accounts on each server in your farm.

The safest course of action is to add only administrators to this group, giving them Full Control (Farm Administrators) access. Never modify the default Farm Administrator's group settings. Because Central Administration is simply a specialized site collection, it is possible to granularly control access, but it should be reserved for Site Designers or a custom group.

Note 

Central Administration is a site collection and can therefore be modified to extend the interface with your implementation-specific software, or customized to meet your organization's design requirements. Always have a backup of the server farm before modifying the Central Administration site collection.

It might also be used for restricted Helpdesk access or temporary personnel. Figure 3-7 shows the default view when adding users to the Farm Administrator's group.

Figure 3-7: Use caution when adding or customizing permissions for server Farm Administrators.

Tip 

You can use the CTRL+K combination to verify user and group items.

Understanding Timer Jobs

The Windows SharePoint Services timer, SPTimerV3 (Owstimer.exe), is responsible for scheduling such tasks as notifications, alerts, and content deployment. It is a Windows SharePoint Services application and should always be running on every server in the farm. It should use the server farm account for service log on, with local server administrator privileges. The following is a sample of critical events that are controlled by SPTimerV3:

As you can see from this list, SPTimerV3 is crucial to the well-being of your farm. In the event of farm configuration replication errors or other unexplained errors, you should check the SPTimerV3 service first. Verify that the service is running and is using the correct credentials with proper permissions and that the service account is not locked out.
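
The three checks in the preceding paragraph (service running, correct logon account, account not locked out) can be scripted across the farm. The following PowerShell is an added example, not from the book; the server names and the farm account are placeholders.

```powershell
# Added example, not from the book. Server names and the farm account
# are placeholders (assumptions); replace them with your own values.
$servers    = 'WFE01', 'APP01'
$farmDomain = 'CONTOSO'
$farmUser   = 'svc-spfarm'
$expected   = "$farmDomain\$farmUser"

foreach ($server in $servers) {
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $server `
                         -Filter "Name='SPTimerV3'"
    if (-not $svc) {
        Write-Warning "${server}: SPTimerV3 not found (not installed or server unreachable)"
        continue
    }
    if ($svc.State -ne 'Running') {
        Write-Warning "${server}: SPTimerV3 is $($svc.State), expected Running"
    }
    if ($svc.StartMode -ne 'Auto') {
        Write-Warning "${server}: start mode is $($svc.StartMode), expected Auto"
    }
    # String comparison with -ne is case-insensitive. An account entered as
    # user@domain is reported in that form and will be flagged for review.
    if ($svc.StartName -ne $expected) {
        Write-Warning "${server}: logs on as $($svc.StartName), expected $expected"
    }
}

# A locked-out or disabled farm account affects the timer on every server.
$acct = Get-WmiObject -Class Win32_UserAccount `
            -Filter "Domain='$farmDomain' AND Name='$farmUser'"
if (-not $acct)         { Write-Warning "$expected was not found" }
elseif ($acct.Lockout)  { Write-Warning "$expected is locked out" }
elseif ($acct.Disabled) { Write-Warning "$expected is disabled" }
else                    { "$expected is present, enabled and not locked out" }
```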

You can access the status and definitions of timer jobs from Central Administration > Operations > Global Configuration. You should select Timer Job Definitions to disable or delete timer jobs, as shown in Figure 3-8.

Figure 3-8: You can view and modify current timer job definitions from Central Administration > Operations > Global Settings > Timer Job Definitions.

Alternate Access Mappings

Alternate Access Mappings (AAMs) provide a way to change your Web application URLs, configure Network Load Balanced Web applications, and add additional URLs for alternative access. For example, if you served content from a single Web application via multiple host headers for security, you would need to map the additional host headers with alternate access URLs. Figure 3-9 shows an example of the Web application http://portal.contoso.msft being served securely and externally as https://external.contoso.msft.

Figure 3-9: You must add an alternate access mapping for each additional URL that you configure for a Web application.

In this example, the internal URL would already exist, but you must add an alternate access mapping for the external URL. If you did not add the alternate access URL, the host field returned in an external user's browser would be incorrect. Therefore, an external user would be returned http://portal.contoso.msft, when in fact the user should be returned https://external.contoso.msft. In addition, the embedded URLs in alert e-mails would be sent incorrectly.

Caution 

Absolute URLs (URLs that are hard coded on a Web page or document) cannot be mapped.

There are three choices when modifying AAMs:

Figure 3-10: To add public URLs for a Web application, choose Edit Public URLs in the Alternate Access Mappings management interface.

Figure 3-11: You must define an alternate access mapping for every URL to which a Web application will serve content.

Figure 3-12: To edit the default internal URL, simply select the hyperlink of the Web application to modify.

Quiesce Farm

Quiesce Farm is a new feature in this version that allows a graceful method to disallow new connections to the entire farm, without disrupting active sessions. You may define the amount of time to fully quiesce the farm, but be aware that any sessions still open at the end of that time period will be forcibly disconnected. Using the Quiesce Farm feature is useful for routine maintenance or disaster recovery of a farm. You may still back up, restore, and configure application servers and many other items when a farm is in the quiesced state. Note that the time given to be fully quiesced is in UTC (Coordinated Universal Time), and probably not the time zone your server is in. It will continue to show Stop Quiescing until you manually stop.

Tip 

You may quiesce the farm from the command line by running stsadm -o quiescefarm -maxduration <duration in minutes> and see quiesced status by stsadm -o quiescefarmstatus. Note that maxduration refers to the maximum amount of time to continue connections, not the amount of time to remain quiesced. To unquiesce a farm, run stsadm -o unquiescefarm.

The other options in Central Administration > Operations are covered in their respective chapters. Please refer to the index to find their configuration.
