Designing Your SharePoint Server 2013 Enterprise Deployment

SPC119

Steve Walker, Luca Bandinelli

Physical Topology Logical Topology Authentication Licensing

Page 3: Assumptions

• That you are deploying for an Enterprise Scenario
• You want the highest possible availability
• You want the lowest possible maintenance and operations costs
• You want an “elastic” architecture that can grow with your deployment in a predictable way

Page 4: Goals

• Provide the prescriptive architecture for SharePoint 2013 On-Premises
• Simplify SharePoint On-Premises deployments to align with our SharePoint Online configuration

Page 5: Why Align with the Cloud

• We think that this is the “Best Way” to run SharePoint
• Through our learnings operating our service at scale, we are optimizing for this configuration
• We have the highest level of confidence with this configuration
  • It receives the most real world usage and validation
• We are building features moving forward that align with this configuration (our new app model is a good example)

Page 6: Areas

• Physical Topology
• Logical Topology
• Authentication
• Licensing

Page 7: Physical Topology

Page 8: Physical Topology - 2007

(Diagram: Web tier, Application tier and Database tier, spread across Hyper-V host A and Hyper-V host B.)

Page 9: Physical Topology - 2010

(Diagram: Web tier, Application tier and Database tier, spread across Hyper-V host A and Hyper-V host B.)

Page 10: How we think about Service Applications

Very Low Latency – on the critical path for most requests:
• Request Management
• Distributed Cache

Low Latency – interactive / serving end-user requests:
• User Profile Application
• Metadata Services
• Business Data Connectivity
• Secure Store
• State
• Session State
• Access
• User Code
• Search Query
• PerformancePoint
• Visio
• Excel Services
• PowerPivot
• Project

More tolerant Latency – doing background processing:
• User Profile Sync
• Crawl Target
• Content DB Jobs
• Workflow
• WMA
• Machine Translation
• Search Crawl
• Document Conversion

Related session: SPC192, 11/13 1:45 PM

Page 11: Physical Topology - 2013

Routing and Caching (very low latency): Request Management, Distributed Cache

Front End (low latency): User Profile Application, Metadata Services, Business Data Connectivity, Secure Store, State, Session State, Access, User Code, Search Query, PerformancePoint, Visio, Excel Services, PowerPivot, Project

Back End (more tolerant latency): User Profile Sync, Crawl Target, Content DB Jobs, Workflow, WMA, Machine Translation, Search Crawl, Document Conversion

Database tier

Page 12: Physical Topology – 2013 + Search

Routing and Caching (very low latency)

Front End (low latency)

Search (Query, Index, Admin) (low latency)

Back End (more tolerant latency)

Database tier

For all but the smallest enterprise deployments, you will want to split Search Query functionality to a separate tier.

Related session: SPC007, 11/13 9:00 AM

Page 13: Begin with a single “Primary” Content and Services Farm

• Add Satellite farms based on business requirements or governance needs.
• Simplifies operations, maintenance and patching for all but the most complex environments
• Predictable in sizing and capacity
• Reduced hardware vs. the default split farm for services and content
• Reduced complexity for the vast majority of implementations

Page 14: Design with an eye to reduce farms

• How many farms do you want to patch? Upgrade?

Page 15: 4 Farms rather than 6

• Which is easier to maintain?

(Diagram: a Primary Farm (Services and Content) hosting the shared services Business Data Connectivity, Managed Metadata, Machine Translation, Search and User Profile in its Default group, together with the Primary Content Sites (http://content/sites/foo), the My Site Host & Personal Sites (http://my, http://my/personal/<user>) and Office Web Applications. Farms B, C and D (Content) each have their own Application Pool, an IIS Web Site “SharePoint Web Services” running the farm-local services Excel Services, App Management, Word Automation, Access Services, Visio Graphics, Work Management and Secure Store Service, and a Web Application for Team Sites and community sites; they consume the shared services from the Primary Farm's Default group.)

Page 16: What leads me to multiple farms?

• Have a reason why – a real business reason
• Physical Isolation – Sometimes there’s no other way to achieve it
• Legacy Applications – Example: need to allow full trust solutions for a specific business unit. Better to isolate those from your pristine, beautiful primary farm.
• Geo – Need regional content farms for regulatory reasons or low bandwidth satellite deployments.

Page 17: Logical Topology

Page 18: “Legacy Topology” – Multiple Web Apps

(Diagram: the fabrikam.com sample logical architecture. Web servers and Application servers sit behind a Load Balancer; Database servers have SQL Server installed and configured to support SQL clustering, mirroring, or AlwaysOn (AlwaysOn applies to SQL Server 2012 only).)

Application Pool 1 – Web application: Central Administration Site

Application Pool 2 – IIS Web Site “SharePoint Web Services”
• Unpartitioned services (Default group): Managed Metadata, Access Services, Visio Graphics Service, Excel Services, Word Automation Services, Work Management, Secure Store Service, Business Data Connectivity, Search, User Profile, App Management, Machine Translation
• Partitioned services (Custom group, partitioned by project in the Partner Web site collection): Managed Metadata, Search, Subscription Settings

Application Pool 3 – Web application: Published Intranet Content (HR, Facilities, Purchasing)
• Zone Default, load-balanced URL https://intranet.fabrikam.com
• Published Intranet Sites: https://intranet.fabrikam.com, https://intranet.fabrikam.com/hr, https://intranet.fabrikam.com/facilities, https://intranet.fabrikam.com/purchasing

Application Pool 4 – Web application: Team Sites (Team1, Team2, Team3)
• Zone Default, load-balanced URL https://teams.fabrikam.com
• Team Sites: https://teams.fabrikam.com/sites/Team1, https://teams.fabrikam.com/sites/Team2, https://teams.fabrikam.com/sites/Team3

Web application: My Sites
• Database settings: Target size per database = 175 gigabytes (GB); Site size limits per site = 1 GB; Reserved for second-stage recycle bin = 15%; Maximum number of sites = 180; Site level warning = 150
• Zone Default, load-balanced URL https://my.fabrikam.com
• Self-Service Sites: https://my.fabrikam.com/personal/User1, https://my.fabrikam.com/personal/User2, https://my.fabrikam.com/personal/User3

Application Pool 5 – Web application: Partner Web (Project1, Project2, Project3)
• Database settings: Target size per database = 200 GB; Storage quota per site = 5 GB; Maximum number of sites = 40
• Zone Default, load-balanced URL https://partnerweb.fabrikam.com
• Partner Web Sites: https://partnerweb.fabrikam.com/sites/Project1, https://partnerweb.fabrikam.com/sites/Project2, https://partnerweb.fabrikam.com/sites/Project3

Other database settings shown on the diagram:
• Target size per database = 200 gigabytes (GB)
• Target size per database = 200 gigabytes (GB); Site size limits per site = 30 GB; Reserved for second-stage recycle bin = 10%; Maximum number of sites = 6; Site level warning = 5

• Each Application Pool requires additional resources on each Web Role machine
• Caching of common assemblies alone is significant overhead
• Leads to multiple farm architectures very quickly with high numbers of web applications!!

Page 19: Recommended Logical Topology

IIS Web Site “SharePoint” – Application Pool “SharePoint”

Logical functionality “My Sites”
• Site Collection (MySite Host): https://my.company.com
• Personal My Sites (My Site): https://my.company.com/personal/<users>

Logical functionality “Intranet”
• Corporate Intranet (Team site): https://intranet.company.com
• Division Sites (Team site): https://intranet.company.com/sites/<site>
• Search Center (Enterprise Search Center): https://intranet.company.com/sites/search

Logical functionality “Teams”
• Team Collaboration Sites (Team site): https://teams.company.com
• Team Collaboration Sites (Team site): https://intranet.company.com/sites/<site>

Logical functionality “Communities”
• Community Sites (community portal): https://communities.company.com
• Community Sites (community site): https://intranet.company.com/sites/<site>

Logical functionality “Projects”
• Community Sites (community portal): https://projects.company.com
• Community Sites (community site): https://intranet.company.com/sites/<site>

Page 20: Recap: Logical Architecture

• One Web application, one zone
  • Have a good business reason why you deviate from this
• Use Host Named Site Collections
  • Scales better
  • Reduced resource consumption (memory for App Pools, Cache, etc.)
  • Mitigates cross-site scripting risks the same as multiple web apps
  • SSA (Secure Site Access) – You can still have multiple host names!
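The recommended logical topology (one web application, one zone, host-named site collections) as an added SharePoint 2013 Management Shell example; this is not code from the deck or from Microsoft, and the server, managed account, owner, database name and site templates are assumptions, while the host names are those on the “Recommended Logical Topology” slide:

```powershell
# Added example (not from the deck): one web application, one zone, host-named
# site collections. Server, account and database names are assumptions; the host
# names are the ones shown on the "Recommended Logical Topology" slide.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$poolAccount = Get-SPManagedAccount "CONTOSO\sp_apppool"   # assumed managed account
$owner       = "CONTOSO\spadmin"                            # assumed site collection owner

# One web application on 443, one (Default) zone, claims-based Windows authentication.
# No -HostHeader: an HNSC web application answers for every host name bound to it in
# IIS (the SSL certificate binding itself is still configured in IIS).
$ap = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$wa = New-SPWebApplication -Name "SharePoint" -ApplicationPool "SharePoint" `
        -ApplicationPoolAccount $poolAccount -AuthenticationProvider $ap `
        -Port 443 -SecureSocketsLayer -DatabaseName "WSS_Content_Root"

# A path-based root site collection must exist on the web application even though
# nobody browses to it; host-named site collections do not resolve without it.
New-SPSite -Url $wa.Url.TrimEnd('/') -Name "Root" -OwnerAlias $owner -Template "STS#0" | Out-Null

# Host-header managed path so https://my.company.com/personal/<user> can be provisioned.
New-SPManagedPath -RelativeURL "personal" -HostHeader | Out-Null

# One host-named site collection per logical function, all in the same web app and zone.
# Template IDs are assumptions (the slide names site types, not templates).
$sites = @(
    @{ Url = "https://my.company.com";                    Template = "SPSMSITEHOST#0";    Name = "My Site Host" },
    @{ Url = "https://intranet.company.com";              Template = "STS#0";             Name = "Corporate Intranet" },
    @{ Url = "https://intranet.company.com/sites/search"; Template = "SRCHCEN#0";         Name = "Search Center" },
    @{ Url = "https://teams.company.com";                 Template = "STS#0";             Name = "Teams" },
    @{ Url = "https://communities.company.com";           Template = "COMMUNITYPORTAL#0"; Name = "Communities" },
    @{ Url = "https://projects.company.com";              Template = "STS#0";             Name = "Projects" }
)
foreach ($s in $sites) {
    New-SPSite -Url $s.Url -HostHeaderWebApplication $wa -Name $s.Name `
               -OwnerAlias $owner -Template $s.Template -Language 1033 | Out-Null
}

# Check: every site collection sits in the one web application and the Default zone.
Get-SPSite -Limit All |
    Select-Object Url, Zone, @{ n = "WebApp"; e = { $_.WebApplication.DisplayName } }
```

Run it from an elevated SharePoint 2013 Management Shell on a farm server; the DNS records for the host names and the IIS SSL binding are prerequisites the script does not create.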

Page 21: HN Site Collections – Custom Site Provisioning

Steve Walker

Page 22: Authentication

Page 23: Authentication

• Use a single web application with a single zone configured for the various auth methods that you require
• Use Claims based auth (Win or FBA)
• For SAML Claims, the IP STS needs to support a wildcard domain WSFedEndpoint
  • We are working with the ADFS team to enable this scenario
• Anonymous on the same web app?
  • Extend the web app to another zone and configure that for Anonymous

Related session: SPC209, 11/13 5:00 PM

Page 24: Authentication

• Be ready for OAuth
  • In an OAuth farm-to-farm conversation only a subset of attributes are provided
  • SharePoint S2S depends on mapping to a user account through the User Profile Application
  • The user token is rehydrated on the destination farm
    • The UPA stores the user attributes (claims) used for rehydration
  • Be sure all claims are in the UPA
    • Otherwise, a new custom claims provider might be needed
• Be ready for the Cloud and Hybrid
  • Be sure attributes are all in your Directory Service (e.g. AD)
  • Be sure your Directory Service can fully sync to MSODS

Related session: SPC243, 11/13 9:00 AM

Page 25: Licensing

Page 26: Licensing Improvements

• What we had in SharePoint 2010:
  • Licensing control was per farm. If you had to differentiate licensing model:
    • You needed 1 farm for Standard
    • You needed 1 farm for Enterprise
  • Ah, and we only had 2 different licenses
    • Different mix & matches were not possible

Page 27: Licensing Improvements

• 2013: Increased ability to manage licensing vs. previous versions.
  • Licenses and license checks are per user
  • Requires Claims auth: licenses are “assigned” by mapping claims to users
    • E.g. assigning an enterprise license to an Active Directory Group
  • Works for SharePoint (Enterprise & Standard), OWA and Project Server
  • 4 licenses provided OOB

Page 28: Licensing

Luca Bandinelli

Page 29: Licensing Improvements

• Configured and controlled by PowerShell:
  • Get-SPUserLicensing
  • Enable-SPUserLicensing
  • Disable-SPUserLicensing
  • Get-SPUserLicense
  • Get-SPUserLicenseMapping
  • New-SPUserLicenseMapping
  • Add-SPUserLicenseMapping
  • Remove-SPUserLicenseMapping
• Licensing enforcement:
  • Web Parts
  • Web Part Gallery
  • Web Templates
  • Document Libraries
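The per-user licensing flow described on the last two slides (map a claim to a license, then enable enforcement), as an added PowerShell example using the cmdlets listed above; it is not from the deck, and the AD group name is a placeholder:

```powershell
# Added example (not from the deck): map one AD security group to the Enterprise
# license and turn per-user licensing enforcement on, using the cmdlets the slide
# lists. The group name is a placeholder; the farm must already use claims auth.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Baseline before changing anything: the OOB license types and any existing mappings.
Get-SPUserLicense
Get-SPUserLicenseMapping

# Licensing is claims-based, so the mapping targets a claim (here an AD group), not a
# list of users; membership changes in AD change who is licensed.
$mapping = New-SPUserLicenseMapping -SecurityGroup "CONTOSO\SP-Enterprise-Users" -License "Enterprise"
Add-SPUserLicenseMapping -Mapping $mapping

# Nothing is enforced until licensing is enabled; Get-SPUserLicensing reports the state.
Enable-SPUserLicensing
Get-SPUserLicensing

# Rollback path for change control: drop the mapping(s), then disable enforcement.
# Get-SPUserLicenseMapping | Remove-SPUserLicenseMapping
# Disable-SPUserLicensing
```

Enforcement applies to the Web Parts, Web Part Gallery, Web Templates and Document Libraries features named on the slide, so test with an account outside the mapped group before enabling it farm-wide.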

Page 30: MySPC

Evaluate this session now on MySPC using your laptop or mobile device: http://myspc.sharepointconference.com

Page 31: Q & A

Page 32: Recap Q&A

• Is a stretched farm supported?
  • No – Officially unsupported – Do not ask us to revisit this decision. We are firm.
• Do we need to enable MT?
  • Yes – But only a single tenant
• How many farms do I need?
  • One
• How many Web Applications do I need?
  • One – With one Zone
• What about Anonymous access?
  • This is the “Exception Case” for a single zone. Anonymous will require extending to a second zone.
  • Cloud App Model only works on the default zone!!

Page 33: Recap Q & A: Subscription Service

• Multi tenant feature: yes
• Subscription Settings Service required for new cloud App Model
• This should be the extent of your utilization of MT
• Multiple tenants on the same farm: better not
  • MT is the “Deep End of the Pool” – There is a high level of investment in both development as well as maintenance
  • MT only becomes cost effective when tenant numbers scale into the multiple thousand range.

Page 34: Appendix

Page 35: Custom Site Provisioning

Page 36: “New Site” Link – Ability to override at the Web Application / Tenant Level!!

Page 37: SSSC (Self-Service Site Creation) – O365: Tenant Admin > Settings

Page 38: SSSC – On-Prem: Web Application Settings

Page 39: SSSC: Insert your own Logic!

Page 41: Recap – Pointers to UA content - TBD

©2012 Microsoft Corporation. All rights reserved.

Page 42

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.