TS: Microsoft Windows SharePoint Services 3.0, Configuring
SumITUp
A Complete Summary for
Our 70-631 Practice Test
SumITUp is a great summary recap of the objectives & material covered on the exam. Use it in addition to or in concert with your practice test as:
• A bulleted overview of the exam scope and objectives before you start your study, to provide you with "the big picture" objective by objective.
• A checklist & review of topics covered within each objective, to ensure you have studied all the critical areas.
• A tool you can print out for review on the go.
Deploy Windows SharePoint Services 3.0 (WSS)
Configure WSS server roles
• The different roles and components can be divided into three tiers
  - WFE (Web Front End) server(s)
  - Search server(s)
  - SQL database server(s)
Configure WSS topology
• Microsoft WSS 3.0 can be implemented based on two general topologies
  - Single server
    o You install a single server and designate all roles to it
    o Less complexity and lower cost, but limited performance and no redundancy
    o Suitable for small implementations
  - Server farm
    o You separate the different roles, such as multiple WFE servers and back-end database server(s)
    o More complexity and higher cost, but higher performance and easy scaling
    o Suitable for medium and large implementations
Create WSS namespace
• Sites are implemented in Web applications
• You can create or extend a Web application
  - By creating a new Web application, you create a new IIS Web site, a new application pool, a new content database and, if required, a different authentication method for the connection to the database server
  - By extending an existing Web application, you reuse the same content database and application pool to give users the same content and data they had in the existing Web application
    o This is useful when you need to give users in a different environment access to the same content under a different domain name and with a different security configuration, such as an extranet zone secured with SSL and forms authentication
• For each Web application, you can define managed paths to customize the naming and structure of the URLs to meet your needs
• You can manage your WSS 3.0 environment by using different URLs for different purposes
  - You use AAM (Alternate Access Mappings) to associate each Web application with a collection of mappings between internal and public URLs, one public URL per zone (Default, Intranet, Internet, Custom, Extranet)
    o WSS builds the absolute links in its pages from the public URL of the zone a request arrives in; a request that arrives under a host name that is not mapped (for example through a load balancer or reverse proxy) gets links to the wrong host
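The following PowerShell script is an added example and not part of the study guide: it maps the URLs a Web application is reached under with stsadm and then lists the mappings as a check. It assumes (hypothetically) that the Web application was created as http://wfe01, that a load balancer answers on http://intranet.contoso.com for internal users, and that a reverse proxy publishes the site to the Internet as https://portal.contoso.com while forwarding requests to http://wfe01.corp.contoso.com.

```powershell
# Added example, not from the study guide: register alternate access mappings
# for one Web application and list the result. Host names are assumptions.
param(
  [string]$WebAppUrl   = 'http://wfe01',
  [string]$IntranetUrl = 'http://intranet.contoso.com',
  [string]$InternetUrl = 'https://portal.contoso.com',
  [string]$ProxyToWfe  = 'http://wfe01.corp.contoso.com'
)

$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\BIN\stsadm.exe'

function Invoke-Stsadm([string[]]$StsadmArgs) {
  # stsadm signals failure through its exit code; its text is the only detail.
  & $stsadm $StsadmArgs | Write-Host
  if ($LASTEXITCODE -ne 0) { throw "stsadm $($StsadmArgs[1]) failed" }
}

# Public URL of the Intranet zone: the host name written into links for users
# who arrive through the load balancer.
Invoke-Stsadm @('-o', 'addzoneurl', '-url', $WebAppUrl, '-urlzone', 'intranet', '-zoneincomingurl', $IntranetUrl)

# Public URL of the Internet zone: what external users see and what links in
# pages served to them must point at.
Invoke-Stsadm @('-o', 'addzoneurl', '-url', $WebAppUrl, '-urlzone', 'internet', '-zoneincomingurl', $InternetUrl)

# Internal URL in the same zone: the host the reverse proxy actually forwards
# to. Without this mapping WSS does not recognize the incoming host and builds
# links to the internal name, which external clients cannot reach.
Invoke-Stsadm @('-o', 'addalternatedomain', '-url', $WebAppUrl, '-urlzone', 'internet', '-incomingurl', $ProxyToWfe)

# Check: every host name a request can arrive under must be listed, in the zone
# whose public URL should be written into the pages it receives.
Invoke-Stsadm @('-o', 'enumalternatedomains', '-url', $WebAppUrl)
```

Run it once per Web application after creating or extending it; the last command prints the complete mapping table so you can compare it against the names in DNS and on the proxy.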
Upgrade WSS 3.0 from WSS 2.0
• In-place upgrade
  - You upgrade the content and configuration data at one time
  - Usually a straightforward procedure
  - You cannot revert the upgraded sites to the original versions, so take and verify full backups of all WSS 2.0 databases first; they are the only way back
  - Ideal for small environments and over-the-weekend plans
• Gradual upgrade
  - Generally a complex procedure
  - Provides you with more control over the whole process
  - You install the new version side-by-side with the older version
  - You control the list of site collections nominated for upgrade and decide when each of them is upgraded
  - You can revert the upgraded sites to the original versions
  - All sites remain accessible through their original URLs
  - It does not cause major downtime in the WSS environment, because only the sites under the current upgrade operation are affected
  - Ideal for step-by-step upgrade plans in medium and large WSS environments
• Advanced (manual) upgrade
  - Generally a tricky and complex procedure
  - You build a new farm with WSS 3.0
  - You manually migrate your databases to the new farm
  - Extra space on the SQL servers is required
  - Ideal for migrating to new hardware and servers during the upgrade
  - Necessary for WSS 2.0 environments that use scalable hosting mode
  - Necessary for WSS 2.0 environments that use Active Directory account creation mode
Install WSS
• Minimum hardware requirements to deploy WSS 3.0
  - A 2.5 GHz processor for either stand-alone or farm front-end installations
  - At least 1 GB of RAM for a stand-alone installation and 2 GB for a front-end server in a farm
• Software requirements
  - In clean installations, WSS 3.0 runs on Windows Server 2003 with SP1 or later
  - In farm implementations, WSS 3.0 needs Active Directory (the farm servers must be members of a domain)
  - Because of its database hosting limitations, Windows Server 2003 Web Edition does not support the Basic installation of WSS 3.0 (Basic installs its own database engine on the server)
  - Microsoft .NET Framework 3.0 must be installed on the WFE server(s)
  - ASP.NET 2.0 must be allowed in the Web Service Extensions list of the IIS console
  - In clean installations, configure the stand-alone or WFE servers to use IIS 6.0 worker process isolation mode
  - If your installation is an upgrade from IIS 5.0 on Windows 2000 Server, IIS 5.0 isolation mode is still enabled and you must switch to IIS 6.0 worker process isolation mode
  - Install the SMTP (Simple Mail Transfer Protocol) service if you want to use the incoming and outgoing e-mail features
  - In farm implementations, the database server role needs SQL Server 2000 with SP3a or later, or Microsoft SQL Server 2005 with SP1 or later
• You can control and customize the WSS 3.0 installation process with a Config.xml file
  - Run setup.exe /config [path and file name] to use a configuration file during the installation of WSS 3.0
• It is highly recommended that you install WSS 3.0 on a server with a clean operating system installation and avoid installing WSS on a server from which WSS has been uninstalled
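The following PowerShell script is an added example and not part of the study guide: it writes a Config.xml and runs setup.exe /config with it, so every front end in a farm is installed with the same settings and no prompts. It assumes (hypothetically) that the installation source is in D:\WSS3, that the server is a farm front end (SERVERROLE WFE; a stand-alone Basic install would use SINGLESERVER), and that the element and Setting names follow the WSS 3.0 Config.xml reference; confirm them against that reference before use.

```powershell
# Added example, not from the study guide: unattended WSS 3.0 installation
# driven by a generated Config.xml. Source path and role are assumptions.
param(
  [string]$SourceDir = 'D:\WSS3',
  [string]$Role      = 'WFE'
)

$logDir     = Join-Path $env:SystemDrive 'WssSetupLogs'
$configPath = Join-Path $logDir 'config.xml'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Everything is explicit: no UI, no reboot in the middle of a scripted build,
# EULA accepted here rather than in a dialog, verbose log kept for review.
$config = @"
<Configuration>
  <Package Id="sts">
    <Setting Id="LAUNCHEDFROMSETUP" Value="Yes" />
    <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL" />
  </Package>
  <Setting Id="SERVERROLE" Value="$Role" />
  <Setting Id="USINGUIINSTALLMODE" Value="0" />
  <Setting Id="SETUP_REBOOT" Value="Never" />
  <Logging Type="verbose" Path="$logDir" Template="WSS Setup(*).log" />
  <Display Level="none" CompletionNotice="no" AcceptEula="yes" />
</Configuration>
"@
Set-Content -Path $configPath -Value $config -Encoding ASCII

$setup = Join-Path $SourceDir 'setup.exe'
$proc  = [Diagnostics.Process]::Start($setup, "/config `"$configPath`"")
$proc.WaitForExit()

# 3010 is the Windows Installer code for "succeeded, reboot required".
if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
  throw "setup.exe returned $($proc.ExitCode); see the log in $logDir"
}
"Binaries installed (exit code $($proc.ExitCode)). Next: run psconfig.exe or the SharePoint Products and Technologies Configuration Wizard to create or join the farm."
```

Keep the generated Config.xml with the build documentation for the server: it is the record of what was installed and how.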
Monitor Windows SharePoint Services
Maintain storage performance
• You can configure quotas by setting a maximum storage limit for site collections, based on your requirements, to restrict the size of each site collection
• You can define a quota template and apply it to site collections
  - You can send, and customize, the warning message issued when the warning level is exceeded
  - As a rough sizing rule, the per-site-collection quota can be estimated as the total disk space available for content databases divided by the number of site collections they will hold
  - You can use site collection locks to control growth: a site collection can be set to Adding content prevented, Read-only, or No access, for example when it violates its limit
• Sooner or later you will face a shortage of disk space on your servers
  - Other than extending the physical storage, there are a couple of strategies to recover disk space
    o You can archive and delete old site collections; their content lives in the content databases, so this frees space on the SQL servers rather than on the WFE servers
    o You can ask your DBA (database administrator) to deal with the transaction log files on the SQL servers; a log that grows without bound usually means the database is in the full recovery model with no regular log backups, and the lasting fix is to schedule those backups (or switch to the simple recovery model) rather than to truncate the log by hand
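The following PowerShell script is an added example and not part of the study guide: it reads site collection storage from stsadm -o enumsites, reports site collections past their warning level and, with -Lock, sets those past their maximum to read-only. It assumes (hypothetically) that the Web application is http://wfe01, that the attribute names Url, StorageUsedMB, StorageWarningMB and StorageMaxMB are those in the enumsites output and that a site collection without a quota reports 0 as its maximum; -Sample uses a constructed output so the report can be tried without a farm.

```powershell
# Added example, not from the study guide: quota report and read-only lock for
# site collections over their limit. URL and attribute names are assumptions.
param(
  [string]$WebAppUrl = 'http://wfe01',
  [switch]$Lock,
  [switch]$Sample
)

$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\BIN\stsadm.exe'

# Constructed sample in the shape of "stsadm -o enumsites" output.
$sampleXml = @'
<Sites Count="3">
  <Site Url="http://wfe01" Owner="CONTOSO\admin" ContentDatabase="WSS_Content" StorageUsedMB="120.5" StorageWarningMB="900" StorageMaxMB="1000" />
  <Site Url="http://wfe01/sites/hr" Owner="CONTOSO\hrlead" ContentDatabase="WSS_Content" StorageUsedMB="950.2" StorageWarningMB="900" StorageMaxMB="1000" />
  <Site Url="http://wfe01/sites/archive" Owner="CONTOSO\ops" ContentDatabase="WSS_Content_2" StorageUsedMB="1040.0" StorageWarningMB="900" StorageMaxMB="1000" />
</Sites>
'@

function Get-SiteStorage([xml]$Enum) {
  # One record per site collection with its quota state, returned rather than
  # printed so it can be filtered or acted on.
  foreach ($s in $Enum.Sites.Site) {
    $used = [double]$s.StorageUsedMB
    $warn = [double]$s.StorageWarningMB
    $max  = [double]$s.StorageMaxMB
    $state = 'no quota'
    if ($max -gt 0) {
      $state = 'ok'
      if ($used -ge $warn) { $state = 'warning' }
      if ($used -ge $max)  { $state = 'over quota' }
    }
    @{ Url = $s.Url; UsedMB = $used; WarnMB = $warn; MaxMB = $max; State = $state }
  }
}

if ($Sample) { [xml]$enum = $sampleXml } else { [xml]$enum = [string]::Join("`n", @(& $stsadm -o enumsites -url $WebAppUrl)) }

foreach ($site in @(Get-SiteStorage $enum)) {
  '{0,-40} {1,9:N1} / {2,7:N0} MB  {3}' -f $site.Url, $site.UsedMB, $site.MaxMB, $site.State
  if ($Lock -and $site.State -eq 'over quota') {
    # Read-only lock: users keep reading, nothing can be added, until an
    # administrator cleans up or raises the quota and runs -lock none.
    & $stsadm -o setsitelock -url $site.Url -lock readonly
    if ($LASTEXITCODE -ne 0) { Write-Warning "setsitelock failed for $($site.Url)" }
  }
}
```

With the sample data the report shows /sites/hr at warning level and /sites/archive over quota; only the latter is locked when -Lock is given.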
Configure centralized monitoring for WSS
• The official solution for centralized monitoring of WSS is Microsoft Operations Manager (MOM) 2005
- You can download the latest version of the localized (multi-language) WSS 3.0 Management Pack for MOM 2005 from the Microsoft Web site
- You can use MOM to centrally monitor farm services and error messages across the servers in the farm
Configuring performance monitor
• You must check the performance of the WSS servers regularly
• You can enable usage analysis processing and schedule it to run at specific times to monitor how your Web sites are being used
  - WSS 3.0 keeps the raw usage log files for three months; the summarized daily information is kept for 31 days and the monthly information for 24 months
Identify WSS problems using the Web Event Viewer
• You can use diagnostic logging and event throttling to set the least critical event that is written to the Windows event log and to the trace log, so that less important events do not flood them and hide the ones that matter
Monitor log
• You can use the IIS logs on the WFE servers
• Regular inspection of the IIS log files helps you verify who accessed the WFE servers (cs-username), from which addresses (c-ip), which objects they requested (cs-uri-stem) and which status codes they received (sc-status)
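The following PowerShell script is an added example and not part of the study guide: it summarizes an IIS 6.0 W3C extended log from a WFE by user, client address and requested object, and flags clients that keep failing authentication. The log lines in it are constructed for the example (10.0.1.x are internal clients, 192.0.2.77 an external address); give -LogPath a real ex*.log to run it against a server.

```powershell
# Added example, not from the study guide: IIS W3C log summary for a WFE.
# The embedded log lines are constructed sample data.
param([string]$LogPath, [int]$FailureThreshold = 3)

$sample = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-03-10 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-03-10 08:00:01 10.0.0.5 GET /default.aspx - 80 - 10.0.1.20 Mozilla/4.0 401 2 2148074254
2008-03-10 08:00:01 10.0.0.5 GET /default.aspx - 80 CONTOSO\alice 10.0.1.20 Mozilla/4.0 200 0 0
2008-03-10 08:00:03 10.0.0.5 GET /_layouts/settings.aspx - 80 CONTOSO\alice 10.0.1.20 Mozilla/4.0 200 0 0
2008-03-10 08:00:07 10.0.0.5 GET /_layouts/settings.aspx - 80 CONTOSO\bob 10.0.1.31 Mozilla/4.0 403 0 0
2008-03-10 08:00:09 10.0.0.5 GET /_vti_bin/owssvr.dll Cmd=Display 80 - 192.0.2.77 Mozilla/4.0 401 2 2148074254
2008-03-10 08:00:10 10.0.0.5 GET /_vti_bin/owssvr.dll Cmd=Display 80 - 192.0.2.77 Mozilla/4.0 401 2 2148074254
2008-03-10 08:00:11 10.0.0.5 GET /_vti_bin/owssvr.dll Cmd=Display 80 - 192.0.2.77 Mozilla/4.0 401 2 2148074254
'@

function ConvertFrom-IisLog([string[]]$Lines) {
  # Parse W3C format using the #Fields directive, so the script follows
  # whatever field selection the server was configured with.
  $fields = @()
  foreach ($raw in $Lines) {
    $line = $raw.Trim()
    if ($line -eq '') { continue }
    if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim().Split(' '); continue }
    if ($line.StartsWith('#')) { continue }
    $values = $line.Split(' ')
    if ($values.Length -ne $fields.Length) { continue }   # truncated or foreign line
    $rec = @{}
    for ($i = 0; $i -lt $fields.Length; $i++) { $rec[$fields[$i]] = $values[$i] }
    $rec                                                   # one hashtable per request
  }
}

function Get-AccessSummary($Records) {
  # Who came from where, and how often. "-" is IIS's value for anonymous.
  $Records | Group-Object { $_['cs-username'] + ' from ' + $_['c-ip'] } | Sort-Object Count -Descending |
    ForEach-Object { '{0,5}  {1}' -f $_.Count, $_.Name }
}

function Get-RequestedObjects($Records) {
  $Records | Group-Object { $_['cs-uri-stem'] } | Sort-Object Count -Descending |
    ForEach-Object { '{0,5}  {1}' -f $_.Count, $_.Name }
}

function Get-AuthFailureSources($Records, [int]$Threshold) {
  # One 401 per session is the normal first leg of the NTLM/Kerberos handshake;
  # a client that collects many 401s and never produces an authenticated request
  # is either a broken client or someone guessing credentials.
  foreach ($g in ($Records | Group-Object { $_['c-ip'] })) {
    $failed = @($g.Group | Where-Object { $_['sc-status'] -eq '401' }).Count
    $authed = @($g.Group | Where-Object { $_['cs-username'] -ne '-' }).Count
    if ($failed -ge $Threshold -and $authed -eq 0) { '{0}: {1} x 401, no authenticated request' -f $g.Name, $failed }
  }
}

if ($LogPath) { $lines = Get-Content $LogPath } else { $lines = $sample.Split("`n") }
$records = @(ConvertFrom-IisLog $lines)

'--- requests by user and client address'
Get-AccessSummary $records
'--- requested objects'
Get-RequestedObjects $records
'--- repeated authentication failures'
Get-AuthFailureSources $records $FailureThreshold
```

On the sample data, 10.0.1.20 is not flagged (one handshake 401 followed by authenticated requests) while 192.0.2.77 is, with three 401s and no authenticated request; the 403 for CONTOSO\bob on settings.aspx is the kind of line worth reading by hand, since it records an authenticated user asking for a page he is not permitted to see.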
Configure Security for Windows SharePoint Services
Configure Web application authentication
• In WSS 3.0, you can use different authentication providers to validate a user's identity
• The following authentication provider methods are available in WSS 3.0
  - Windows
    o All standard IIS Windows authentication methods are supported: Anonymous, Basic, Digest, Kerberos, NTLM, and Certificate
    o Basic authentication sends the password with every request, only Base64-encoded, so it must only be used over SSL
  - ASP.NET forms
    o You need to register the membership provider in the Web.config file of your Web application
    o You may need to register the role manager in the Web.config file of your Web application
    o You need to register the membership provider in the Web.config file of the Central Administration site
    o Ideal for deploying WSS 3.0 in environments that do not use Active Directory
  - Web SSO
    o You need to register the membership provider in the Web.config file of your Web application
    o You may need to register the role manager in the Web.config file of your Web application
    o You need to register the membership provider in the Web.config file of the Central Administration site
    o You need to register an HTTP module for the Web SSO provider
    o You can implement WSS 3.0 in an environment that uses federated authentication
    o Active Directory Federation Services requires SSL
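The following PowerShell script is an added example and not part of the study guide: it registers a SQL membership provider and a SQL role provider in a WSS 3.0 Web application's web.config, which is the part of forms authentication that WSS leaves to the administrator. It assumes (hypothetically) that the Web application's web.config is at the path below, that the membership database "aspnetdb" on SQL01 was created with aspnet_regsql.exe, and that the application pool account is a member of the aspnet_Membership_FullAccess and aspnet_Roles_FullAccess roles in it, so the connection string uses Integrated Security and no password is stored on disk. The provider names FbaMembers and FbaRoles are also assumptions.

```powershell
# Added example, not from the study guide: register SQL membership and role
# providers for forms authentication. Paths, names and server are assumptions.
param(
  [string]$WebConfigPath  = 'C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config',
  [string]$MemberProvider = 'FbaMembers',
  [string]$RoleProvider   = 'FbaRoles',
  [string]$ConnName       = 'FbaDb',
  [string]$ConnString     = 'Data Source=SQL01;Initial Catalog=aspnetdb;Integrated Security=SSPI',
  [switch]$CentralAdmin     # Central Administration keeps Windows as its default;
                            # it only needs the providers so the People Picker can resolve forms users
)

$sysWebAsm = 'System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'

function Add-Child($doc, $parent, [string]$name, [hashtable]$attrs) {
  # Append <name attr="..."/> to $parent.
  $e = $doc.CreateElement($name)
  foreach ($k in $attrs.Keys) { $e.SetAttribute($k, [string]$attrs[$k]) }
  [void]$parent.AppendChild($e)
}

function Ensure-Child($doc, $parent, [string]$name) {
  # Create <name/> under $parent only if it is not there yet.
  if ($parent.SelectSingleNode($name) -eq $null) { Add-Child $doc $parent $name @{} }
}

# A malformed web.config takes the whole Web application offline: keep a copy.
Copy-Item $WebConfigPath ($WebConfigPath + '.' + (Get-Date -Format yyyyMMddHHmmss) + '.bak')

[xml]$cfg = Get-Content $WebConfigPath
$root   = $cfg.DocumentElement                 # <configuration>
$sysWeb = $root.SelectSingleNode('system.web')

# 1. Connection string
Ensure-Child $cfg $root 'connectionStrings'
$cs = $root.SelectSingleNode('connectionStrings')
if ($cs.SelectSingleNode("add[@name='$ConnName']") -eq $null) {
  Add-Child $cfg $cs 'add' @{ name = $ConnName; connectionString = $ConnString }
}

# 2. Membership provider, with the password policy the SQL provider enforces
#    at account creation and sign-in.
Ensure-Child $cfg $sysWeb 'membership'
$membership = $sysWeb.SelectSingleNode('membership')
if (-not $CentralAdmin) { $membership.SetAttribute('defaultProvider', $MemberProvider) }
Ensure-Child $cfg $membership 'providers'
$mp = $membership.SelectSingleNode('providers')
if ($mp.SelectSingleNode("add[@name='$MemberProvider']") -eq $null) {
  Add-Child $cfg $mp 'add' @{
    name                                 = $MemberProvider
    type                                 = "System.Web.Security.SqlMembershipProvider, $sysWebAsm"
    connectionStringName                 = $ConnName
    applicationName                      = '/'
    passwordFormat                       = 'Hashed'   # never Clear; Encrypted needs a shared machineKey
    enablePasswordRetrieval              = 'false'
    requiresQuestionAndAnswer            = 'false'
    minRequiredPasswordLength            = '12'
    minRequiredNonalphanumericCharacters = '1'
    maxInvalidPasswordAttempts           = '5'        # lock the account after 5 bad attempts ...
    passwordAttemptWindow                = '15'       # ... within 15 minutes
  }
}

# 3. Role provider. AspNetWindowsTokenRoleProvider stays the default so the
#    Windows-authenticated zones of the same Web application keep resolving
#    groups; the SQL provider is selected by name in Central Administration.
Ensure-Child $cfg $sysWeb 'roleManager'
$roleMgr = $sysWeb.SelectSingleNode('roleManager')
$roleMgr.SetAttribute('enabled', 'true')
if (-not $CentralAdmin) { $roleMgr.SetAttribute('defaultProvider', 'AspNetWindowsTokenRoleProvider') }
Ensure-Child $cfg $roleMgr 'providers'
$rp = $roleMgr.SelectSingleNode('providers')
if ($rp.SelectSingleNode("add[@name='$RoleProvider']") -eq $null) {
  Add-Child $cfg $rp 'add' @{
    name                 = $RoleProvider
    type                 = "System.Web.Security.SqlRoleProvider, $sysWebAsm"
    connectionStringName = $ConnName
    applicationName      = '/'
  }
}

$cfg.Save($WebConfigPath)
"Providers $MemberProvider / $RoleProvider registered in $WebConfigPath"
```

Run it against the Web application's web.config on every WFE, and once more with -CentralAdmin against the Central Administration web.config. Then, in Central Administration, Application Management, Authentication providers, select the zone, choose Forms and enter the two provider names, and add a user from the membership database as site collection administrator; the People Picker only finds forms users once the providers are registered on the Central Administration side too.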
Configure a Web application for SSL
• In many cases, using SSL to create HTTPS sites is the preferred way to protect the communication between your WFE servers and the various client computers
• You can use SSL to ensure that unauthorized people cannot read or modify the traffic to and from your application
  - They can still intercept and capture the encrypted traffic and try to break it, so the protection is only as good as the protocol versions and cipher suites left enabled in SCHANNEL on the server and the protection of the server's private key
• You can use SSL in a wide variety of implementations
  - Intra-farm SSP (Shared Services Provider) communication
• SSL provides secure and encrypted communication for a particular application on your server, whereas IPSec generally encrypts and protects all communication to and from your WSS server
  - The protection model of IPSec is not suitable for some scenarios, such as dealing with external servers and clients with no IPSec support
  - SSL takes advantage of public key mechanisms and is more widely supported than IPSec
    o You can install the SSL Web certificates on your WFE or ISA 2006 servers to provide secure communications for your internal users as well as external clients
    o For WSS sites that are accessible to external users, it is recommended that you buy and install commercial Web server certificates from a well-known CA (certificate authority); certificates from a private or internal source (e.g. your internal CA) cause warning messages in browsers that do not trust that CA, and users who are trained to click through those warnings will also click through an attacker's certificate
• When creating and extending WSS 3.0 Web applications, you can choose to use HTTPS addresses
Configure NT LAN Manager (NTLM) or Kerberos authentication
• You can use NTLM (Integrated Windows authentication), which is easy to set up and requires little administrative effort to configure and maintain
  - If you create a Web application by accepting all default settings, the default zone of that Web application is configured to use NTLM
  - NTLM is a challenge/response protocol: the password is never sent across the network; the client returns a response computed from the password hash and a challenge issued by the server
  - The trade-off is that NTLM gives the client no proof of the server's identity (no mutual authentication), so Kerberos is the stronger choice where the environment supports it
• You can also use the more complex Kerberos protocol as your WSS authentication method
  - This protocol works on a ticketing mechanism
    o Once authenticated, the user is given a ticket, which can be used to gain access to various services across the network
  - To use this method you must register a Service Principal Name (SPN) of the form HTTP/<host name in the URL> on the domain user account that runs the Web application's application pool
    o You must be a member of the Domain Admins group (or have been delegated write access to the servicePrincipalName attribute) to do so
    o If you choose Kerberos authentication and do not configure the SPN, only the server administrators will be able to authenticate successfully to the SharePoint sites
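The following PowerShell script is an added example and not part of the study guide: it registers the HTTP service principal names a WSS Web application needs for Kerberos and refuses to create duplicates. It assumes (hypothetically) that the application pool runs as CONTOSO\svc_wss, that users reach the site as http://portal.contoso.com and http://portal, and that setspn.exe from the Windows Support Tools is on the path.

```powershell
# Added example, not from the study guide: register HTTP SPNs for a WSS
# application pool account without creating duplicates. Names are assumptions.
param(
  [string]$Account     = 'CONTOSO\svc_wss',
  [string[]]$HostNames = @('portal.contoso.com', 'portal')
)

function Find-SpnOwners([string]$Spn) {
  # Every account in the domain that already carries this SPN. With two owners
  # the KDC encrypts the service ticket for whichever account it finds first,
  # the Web server cannot decrypt it, and users get KRB_AP_ERR_MODIFIED or a
  # silent fallback to NTLM.
  $searcher = New-Object DirectoryServices.DirectorySearcher
  $searcher.Filter = "(servicePrincipalName=$Spn)"
  [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
  foreach ($result in $searcher.FindAll()) {
    [string]$result.Properties['samaccountname'][0]
  }
}

$sam = $Account.Split('\')[-1]
foreach ($hostName in $HostNames) {
  # Internet Explorer builds the SPN from the host in the URL without the port,
  # so register one SPN per host name users type, on the account that runs the
  # application pool (not on the server's computer account).
  $spn = "HTTP/$hostName"
  $owners = @(Find-SpnOwners $spn)
  if ($owners.Length -eq 0) {
    & setspn -A $spn $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn -A $spn $Account failed (Domain Admins or delegated rights required)" }
  } elseif ($owners.Length -eq 1 -and $owners[0] -ieq $sam) {
    "$spn is already registered on $Account"
  } else {
    throw "$spn already belongs to $([string]::Join(', ', $owners)); remove it with setspn -D before continuing"
  }
}

# What the account ends up with
& setspn -L $Account
```

Once the SPNs exist, switch the zone to Negotiate (Kerberos) in Central Administration, Authentication providers; a client that still falls back to NTLM usually means a host name users type that is missing from the list above.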
Configure roles and site permissions
• You can protect your WSS sites by defining different permissions for site users
  - Users can be grouped for easy management
  - You can use permission levels (predefined sets of permissions) to let your site users perform specific actions
  - There are four default permission levels that you assign directly
    o Read
    o Contribute
    o Design
    o Full Control
    o A fifth level, Limited Access, is assigned automatically by WSS when a user is given rights to a list, folder or item without rights to the site that contains it; it cannot be assigned by hand
  - Fine-grained permissions can be configured on the following entities
    o Site
    o List and library
    o Folder
    o Item and document
  - By default, sub sites inherit permissions from the parent site
    o You can break the inheritance relationship to meet your special needs; every broken inheritance is one more set of permissions to review, so keep unique permissions to the minimum you need
Implement access policies
• By implementing access policies, you can limit the ability of your users to manipulate, print, or copy text from downloaded files
  - By using Information Rights Management (IRM), downloaded files are encrypted and only the users you allow can decrypt them; the restrictions travel with the file, so they still apply after it has left the library
Manage database permissions
• There are two general methods of database authentication
  - Windows authentication
    o This is the recommended method
    o In this method, domain accounts are used for all WSS 3.0 service and administration accounts, including the application pool accounts, and those accounts are granted access to the databases
    o In secure extranet implementations where the SQL database servers reside in the corporate network, you need a one-way trust between the two domains, so that the perimeter network domain trusts the corporate domain
  - SQL authentication
    o You specify the account and password that are used to connect to the database; that password has to be stored on the WSS servers, so protect it accordingly
    o In secure extranet implementations where the SQL database servers reside in the corporate network, you do not need any trust relationship between your networks and domains
• On the Operations page, if you change the default database server, all new Web applications use the new server for their content databases
Configure IRM
• If you need to implement IRM in your WSS infrastructure, you must enable IRM in Central Administration on your WSS server
  - To enable IRM on your WSS server, the Microsoft Windows RMS Client with Service Pack 2 must be installed on all WFE servers
  - To enable IRM on your WSS server, you need to specify an RMS server, which can be a Windows Server 2003 server with the RMS package and Service Pack 1 installed
• You apply IRM through the Settings menu of a library or list to protect downloaded files against misuse and unauthorized distribution
Administer Windows SharePoint Services
Configure site settings
• In the site settings of each WSS site, you can configure the following categories and their important options, including
  - Users and Permissions
    o You can define different levels of access for users and groups
  - Look and Feel
    o You can save a site as a template (.stp file) for creating future sites
    o You can use Reset to site definition to cancel customizations quickly
  - Galleries
    o You can add new or modify existing content types and columns
    o You can manage master pages and workflows
  - Site Administration
    o You can customize lists and libraries
    o You can manage site features and usage reports
  - Site Collection Administration
    o You can manage the site collection view of the Recycle Bin
    o You can manage the site hierarchy and its connection to other portal sites
Manage Central admin
• After the installation completes, you run the SharePoint Products and Technologies Configuration Wizard to create the Central Administration Web site
  - In the wizard, you can specify the TCP port used to reach the Central Administration Web site, or accept the suggested randomly generated port number
  - In the wizard, you can specify the authentication provider for the Web application used by the Central Administration Web site
    o NTLM (default setting)
    o Negotiate (Kerberos)
  - Central Administration gives farm-wide control; do not publish its port through the perimeter firewall, and restrict it to administrators' addresses inside the network
• If you are prompted for your credentials, add the SharePoint Central Administration Web site to the list of trusted sites and then configure the user authentication settings in Internet Explorer
Administer Windows SharePoint Services by using STSADM
• Some important operations available through STSADM are
  - stsadm -o backup
    o Backs up a site collection, an individual content database, a Web application, or the entire farm
  - stsadm -o restore
    o Restores a site collection, content database, Web application, or farm from a backup made with stsadm -o backup
  - stsadm -o addsolution
    o Adds a WSP (CAB) solution file to the farm's solution store; deployed solutions run on every WFE, so only add packages from sources you trust
  - stsadm -o activatefeature
    o Activates an available feature in WSS
  - stsadm -o deactivatefeature
    o Deactivates an activated feature in WSS
  - stsadm -o migrateuser
    o Changes an existing WSS 3.0 user account to a different login name and binary ID (SID)
    o Useful for changing login names while maintaining the same level of access to WSS resources
  - stsadm -o createsiteinnewdb
    o Creates a site collection in its own new content database, which lets you back up, restore and size that site collection independently of the others
Configure backup and restore (disaster/recovery)
• To protect your WSS infrastructure against disaster, you can use either the Web-based backup settings in WSS 3.0 Central Administration or the STSADM tool to produce reliable backup files
  - A backup contains every document in what it covers; store it in a location with the same access restrictions as the content itself, and test a restore regularly
• In WSS 3.0, you can use the two-stage Recycle Bin for efficient and quick document recovery
  - During the first stage, the deleted item is held in the user's Recycle Bin, where the site collection administrator can also see it
  - After 30 days, or when the user deletes it from the Recycle Bin, the item is kept in the site collection (second-stage) Recycle Bin only
    o At this stage only a site collection administrator can delete the item permanently or restore it
    o You can limit this stage by configuring a disk space limitation (a percentage of the site quota)
    o The Recycle Bin does not cover deleted sites or site collections; recovering those needs a backup
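The following PowerShell script is an added example and not part of the study guide; it serves both the STSADM section above and this backup section. It runs a scheduled farm backup with stsadm, locks down the backup location first and prunes old sets. It assumes (hypothetically) that \\backup01\wss is reachable by the account running the script and by the SQL Server service account (SQL Server writes the database part of the backup there itself), that a full backup is taken on Sunday and differentials on the other days, and that sets older than 28 days are deleted; the principal names are assumptions.

```powershell
# Added example, not from the study guide: scheduled farm backup with stsadm.
# Share path, schedule and principals are assumptions.
param(
  [string]$BackupDir = '\\backup01\wss',
  [int]$RetainDays   = 28,
  [string[]]$Allowed = @('CONTOSO\svc_wssbackup', 'CONTOSO\svc_sql', 'CONTOSO\WSS Admins')
)

$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\BIN\stsadm.exe'

function Protect-BackupDir([string]$Path, [string[]]$Principals) {
  # The farm backup contains the configuration database and every content
  # database, i.e. every document in the farm. Stop inheriting the parent ACL
  # (which usually includes Users or Everyone) and grant only the listed
  # principals.
  $acl = Get-Acl $Path
  $acl.SetAccessRuleProtection($true, $false)
  foreach ($p in $Principals) {
    $rule = New-Object Security.AccessControl.FileSystemAccessRule(
              $p, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
  }
  Set-Acl $Path $acl
}

function Get-BackupMethod([string]$Dir) {
  # Differentials chain to the last full backup recorded in spbrtoc.xml, the
  # table of contents stsadm keeps in the backup directory; with no table of
  # contents there is nothing to chain to.
  if ((Get-Date).DayOfWeek -eq 'Sunday') { return 'full' }
  if (-not (Test-Path (Join-Path $Dir 'spbrtoc.xml'))) { return 'full' }
  return 'differential'
}

function Backup-Farm([string]$Dir) {
  $method = Get-BackupMethod $Dir
  & $stsadm -o backup -directory $Dir -backupmethod $method | Write-Host
  if ($LASTEXITCODE -ne 0) {
    throw "Farm backup ($method) failed; read spbackup.log in the newest spbr* folder under $Dir"
  }
  return $method
}

function Remove-OldBackupSets([string]$Dir, [int]$Days) {
  # Each run lands in its own spbr<n> folder; delete folders older than the
  # retention window and leave spbrtoc.xml, which drives stsadm -o restore.
  $cutoff = (Get-Date).AddDays(-$Days)
  Get-ChildItem $Dir | Where-Object { $_.PSIsContainer -and $_.Name -like 'spbr*' -and $_.CreationTime -lt $cutoff } |
    ForEach-Object { Remove-Item $_.FullName -Recurse -Force; "pruned $($_.Name)" }
}

Protect-BackupDir $BackupDir $Allowed
$method = Backup-Farm $BackupDir
Remove-OldBackupSets $BackupDir $RetainDays
"Farm backup ($method) complete. Full-farm restore: stsadm -o restore -directory $BackupDir -restoremethod overwrite"
```

Schedule it with the Task Scheduler under a dedicated backup account that is a farm administrator. For a single site collection, stsadm -o backup -url <site URL> -filename <file> -overwrite produces one self-contained file that stsadm -o restore -url <site URL> -filename <file> -overwrite puts back; the farm backup above is what you need when a database or the configuration is lost.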
Manage Customization
Configure master page
• WSS 3.0 takes advantage of ASP.NET 2.0 and its master page facilities
• On your WSS 3.0 server, all sites use the default.master global master page located in the \Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\GLOBAL directory
• Administrators can use ASP.NET 2.0 master pages to create a consistent and fixed layout for their Web pages across the WSS structure
• You can customize a master page in WSS-compatible editors such as Microsoft Office SharePoint Designer
  - Before any customization, keep the original files in a safe location
Customize pages by using SharePoint Designer
• Microsoft Office SharePoint Designer is the replacement for the Microsoft FrontPage tool in older versions
• Microsoft Office SharePoint Designer is the official and recommended tool for customizing a master page
Customize pages using browser
• In WSS 3.0, you can use your browser to make relatively simple changes to existing sites, such as the arrangement of Web Parts on your Web pages
• You can use Microsoft Office SharePoint Designer to insert a Web Part zone, which is a Web Part container, on your site pages
  - This is a necessary step if you want to customize those pages later in your browser, and it lets you control what users are able to change in their browsers in the future
Configure code access security
• Because WSS runs on the .NET Framework, administrators have to deal with Code Access Security (CAS) and code permissions
• Web applications and their Web Parts run at a trust level, which is defined in the Web.config file
• By default, a Web application runs with the WSS_Minimal trust level
• At times, 3rd party applications need a higher trust level to function properly (e.g. WSS_Medium or Full); this is a trade-off, and WSS administrators should consider the security consequences: a raised trust level applies to every assembly in the Web application, not just the one that needs it, and Full trust lets any code in the application do whatever the application pool account can do
  - After evaluating all the security consequences and actions involved, you can create a copy of wss_minimaltrust.config (in the 12\CONFIG directory), apply the required changes to meet the developer's requirements, and grant the extra permissions only to the specific assembly (by URL or strong name) rather than to everything under the application
    o You also need to add a new trustLevel element under securityPolicy in the Web.config file of your Web application, pointing at the custom configuration file, and set the level attribute of the trust element to its name
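The following PowerShell script is an added example and not part of the study guide: it gives one Web Part assembly the permissions it needs through a custom CAS policy file instead of raising the whole Web application to WSS_Medium or Full trust. It assumes (hypothetically) that WSS 3.0 is installed in the default 12 hive, that the Web application's web.config is at the path below, that the assembly is deployed to that site's bin folder as Contoso.WebParts.dll, and that the four permission classes used here are declared in the SecurityClasses section of wss_minimaltrust.config (check your copy before running).

```powershell
# Added example, not from the study guide: custom CAS policy scoped to one
# assembly. Paths, assembly and set names are assumptions.
param(
  [string]$WebConfigPath = 'C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config',
  [string]$AssemblyFile  = 'Contoso.WebParts.dll',
  [string]$TrustName     = 'WSS_Custom',
  [string]$SetName       = 'ContosoWebParts'
)

function Add-Child($doc, $parent, [string]$name, [hashtable]$attrs) {
  $e = $doc.CreateElement($name)
  foreach ($k in $attrs.Keys) { $e.SetAttribute($k, [string]$attrs[$k]) }
  [void]$parent.AppendChild($e)
}

$configDir = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\CONFIG'
$minimal   = Join-Path $configDir 'wss_minimaltrust.config'
$custom    = Join-Path $configDir 'wss_customtrust.config'

# 1. Work on a copy. The shipped file is replaced by service packs and is the
#    policy every other Web application on the server runs under.
Copy-Item $minimal $custom -Force
[xml]$policy = Get-Content $custom
$level = $policy.SelectSingleNode('/configuration/mscorlib/security/policy/PolicyLevel')

# 2. A named permission set listing only what the assembly needs: run, use the
#    SharePoint object model, connect Web Parts. Anything not listed (file
#    system, registry, network, SQL) stays denied.
$sets = $level.SelectSingleNode('NamedPermissionSets')
Add-Child $policy $sets 'PermissionSet' @{ class = 'NamedPermissionSet'; version = '1'; Name = $SetName }
$set = $sets.LastChild
Add-Child $policy $set 'IPermission' @{ class = 'AspNetHostingPermission'; version = '1'; Level = 'Minimal' }
Add-Child $policy $set 'IPermission' @{ class = 'SecurityPermission';      version = '1'; Flags = 'Execution' }
Add-Child $policy $set 'IPermission' @{ class = 'SharePointPermission';    version = '1'; ObjectModel = 'True' }
Add-Child $policy $set 'IPermission' @{ class = 'WebPartPermission';       version = '1'; Connections = 'True' }

# 3. Bind the set to this one assembly. The root CodeGroup is a
#    FirstMatchCodeGroup, evaluated in document order, so the new group goes
#    ahead of the existing "$AppDirUrl$/*" catch-all; placed after it, the
#    catch-all would match first and the new set would never apply.
$rootGroup = $level.SelectSingleNode('CodeGroup')
$group = $policy.CreateElement('CodeGroup')
$group.SetAttribute('class', 'UnionCodeGroup')
$group.SetAttribute('version', '1')
$group.SetAttribute('PermissionSetName', $SetName)
Add-Child $policy $group 'IMembershipCondition' @{
  class = 'UrlMembershipCondition'; version = '1'; Url = '$AppDirUrl$/bin/' + $AssemblyFile
}
$rootCondition = $rootGroup.SelectSingleNode('IMembershipCondition')   # the root's own condition
[void]$rootGroup.InsertAfter($group, $rootCondition)
$policy.Save($custom)

# 4. Register the file in web.config and switch the application to it.
Copy-Item $WebConfigPath ($WebConfigPath + '.bak') -Force
[xml]$cfg = Get-Content $WebConfigPath
$sysWeb    = $cfg.DocumentElement.SelectSingleNode('system.web')
$secPolicy = $sysWeb.SelectSingleNode('securityPolicy')
Add-Child $cfg $secPolicy 'trustLevel' @{ name = $TrustName; policyFile = $custom }
$trust = $sysWeb.SelectSingleNode('trust')
$trust.SetAttribute('level', $TrustName)
$cfg.Save($WebConfigPath)
"Trust level $TrustName ($custom) set for $WebConfigPath; run iisreset to apply"
```

Ask the developer for the exact permissions the assembly demands (the manifest of a solution package lists them) and put only those into the set; if the Web Part still fails with a SecurityException, the trace log names the permission that was missing, which is far more precise than switching to Full trust.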
Configure Network Infrastructure for Windows SharePoint
Services
Configure names resolution
• WSS 3.0 relies on Domain Name System (DNS) for its name resolution
• You need to create zones and appropriate records for your sites, one for every host name used in your alternate access mappings
• In NLB (Network Load Balancing) scenarios, you create a host (A) record for the virtual IP address of the NLB cluster, not for the individual WFE servers
Configuring NLB
• You can take advantage of Windows Server 2003 NLB (Network Load Balancing) to distribute the load across your WFE servers
• In NLB scenarios, you usually deal with two types of communication
  - Inter-array communication (between the NLB servers and the rest of the network)
  - Intra-array communication (between the NLB servers themselves)
• Based on the number of available NICs in the NLB servers, there are four general models for configuring this service to distribute the load across WFE servers (one or two NICs, each in unicast or multicast mode)
• You cannot select unicast mode when you have only one NIC in each NLB server and you need intra-array communication between them
• Within a cluster, you must configure all network adapters in either multicast or unicast mode; a mixed configuration is not supported
Configure WSS to support perimeter network
• You can implement a perimeter network (DMZ) to provide a higher level of security for your WSS servers
• In a perimeter network design, the Internet-facing WSS servers are separated from the internal network as well as from the Internet, so that a compromised WFE does not give direct access to internal servers
• There are two general perimeter network implementations for WSS
  - Multi-homed firewall implementation
    o Generally the cheaper solution, using one firewall with more than two network interfaces
    o The security provided is acceptable for many networks
  - Back-to-back firewall implementation
    o Generally the more expensive solution, using two firewalls with the perimeter network logically between them
    o The security provided is higher than in the multi-homed model and is suitable for highly secure environments
• You need to carefully configure the open ports on your firewall(s) and the direction of the allowed traffic over each port
  - In many cases, you place the WFE server(s) in the perimeter network and allow access from the Internet to their HTTP (TCP 80) and HTTPS (TCP 443) ports only
  - In many cases, you place your back-end SQL database server(s) in the internal network and allow access to the SQL Server port from the WFE servers only (TCP 1433 for the default instance; a named instance listens on a port of its own and is found through the SQL Browser service on UDP 1434, so fix the instance port and open only that)
  - In some special cases, you will need to open a few more ports on your firewall for Active Directory, other Microsoft services like SMTP, or 3rd party applications
    o You should monitor and inspect the traffic passing through your firewalls and their open ports, and verify after every change that only the intended paths are open
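The following PowerShell script is an added example and not part of the study guide: run from a WFE in the perimeter network, it checks that the firewall allows exactly the paths the design needs and blocks the ones it should not. It assumes (hypothetically) that SQL01 is 10.0.2.10 with the default instance on TCP 1433, that DC01 is 10.0.2.5, and that SMB and RDP from the WFE to the database server are meant to be blocked. Active Directory also needs the RPC endpoint mapper (TCP 135) with the dynamic RPC range and DNS (UDP 53); UDP is not covered by a TCP handshake test and has to be verified in the firewall's own logs.

```powershell
# Added example, not from the study guide: verify firewall paths from a
# perimeter-network WFE. Addresses and the expected results are assumptions.
param([int]$TimeoutMs = 2000)

function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs) {
  # $true when a TCP handshake completes within the timeout. A refused
  # connection returns early with Connected = $false; a filtered port runs
  # into the timeout.
  $client = New-Object Net.Sockets.TcpClient
  $async  = $client.BeginConnect($Target, $Port, $null, $null)
  $done   = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
  $open   = $done -and $client.Connected
  $client.Close()
  return $open
}

# One row per path in the firewall design: where to, which port, why, and
# whether the handshake is supposed to succeed from this host.
$expectations = @(
  @{ Target = '10.0.2.10'; Port = 1433; Purpose = 'SQL Server default instance';   Expected = $true  },
  @{ Target = '10.0.2.5';  Port = 88;   Purpose = 'Kerberos';                      Expected = $true  },
  @{ Target = '10.0.2.5';  Port = 389;  Purpose = 'LDAP';                          Expected = $true  },
  @{ Target = '10.0.2.5';  Port = 445;  Purpose = 'SMB to DC (SYSVOL, policy)';    Expected = $true  },
  @{ Target = '10.0.2.10'; Port = 445;  Purpose = 'SMB to SQL, should be blocked'; Expected = $false },
  @{ Target = '10.0.2.10'; Port = 3389; Purpose = 'RDP to SQL, should be blocked'; Expected = $false }
)

function Test-FirewallDesign($Rows, [int]$TimeoutMs) {
  # Prints one line per row and returns the number of rows that differ from
  # the design, so the script can fail a scheduled check.
  $mismatches = 0
  foreach ($row in $Rows) {
    $open = Test-TcpPort $row.Target $row.Port $TimeoutMs
    $verdict = 'ok'
    if ($open -ne $row.Expected) { $verdict = 'MISMATCH'; $mismatches++ }
    Write-Host ('{0,-12} {1,5}  open={2,-5} expected={3,-5} {4,-34} {5}' -f $row.Target, $row.Port, $open, $row.Expected, $row.Purpose, $verdict)
  }
  return $mismatches
}

$bad = Test-FirewallDesign $expectations $TimeoutMs
Write-Host "$bad path(s) differ from the design"
if ($bad -gt 0) { exit 1 }
```

Run it after every firewall change and from both sides of the perimeter (from an Internet-facing host, only 80 and 443 on the WFE should answer); a MISMATCH on a "should be blocked" row is the finding that matters most, because it is the path an attacker on a compromised WFE would use next.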
Configure Internet Security and Acceleration (ISA) Server
• Microsoft ISA Server 2006 is the recommended firewall solution for securing WSS environments
• You can use ISA Server 2006 to create secure perimeter networks in either the multi-homed or the back-to-back implementation
• You can use ISA Server 2006 to securely publish WSS 3.0 servers to your users
  - Generally, for publishing HTTPS SharePoint sites you need to install your Web certificate on the ISA server
  - The public name users see is the name on the ISA Web listener, so that name must be the public URL of the matching zone in the Web application's alternate access mappings
• By using ISA Server 2006, you can inspect and monitor the traffic passing through the open firewall ports
• When designing large WSS environments, you can install more than one ISA Server 2006 and create an NLB cluster with them
• Other than the firewall and its application-layer inspection role, you can use your ISA Server 2006 server(s) for various network tasks, including (but not limited to) the following
  - Path redirection
  - SSL tunneling and bridging
  - A wide range of common authentication methods for evaluating client credentials, including LDAP, RADIUS, RADIUS OTP, and RSA SecurID
Acronyms
Acronym Definition
AAM Alternate Access Mappings
CA Certificate Authority
DBA Database Administrator
DNS Domain Name System
HTTP Hypertext Transfer Protocol
IIS Internet Information Services
IPSec Internet Protocol Security
IRM Information Rights Management
LDAP Lightweight Directory Access Protocol
MOM Microsoft Operations Manager
NIC Network Interface Card
NTLM NT LAN Manager
OTP One-Time Password
RADIUS Remote Authentication Dial-In User Service
RMS Rights Management Services
RSA Rivest Shamir Adleman
SMTP Simple Mail Transfer Protocol
SP Service Pack
SPN Service Principal Name
SSL Secure Sockets Layer
SSO Single Sign-On
SSP Shared Services Provider
TCP Transmission Control Protocol
URL Uniform Resource Locator
WFE Web Front End