The Top 5 Infrastructure Concerns of a SharePoint Environment
Michael Noel, Convergent Computing
Twitter: @MichaelTNoel
Michael Noel: Author of SAMS Publishing titles “SharePoint 2010 Unleashed,” “SharePoint 2007 Unleashed,” “SharePoint 2003 Unleashed,” “Teach Yourself SharePoint 2003 in 10 Minutes,” “Windows Server 2008 R2 Unleashed,” “Exchange Server 2010 Unleashed,” “ISA Server 2006 Unleashed,” and many other titles.
Partner at Convergent Computing (www.cco.com / +1 (510) 444-5700) – San Francisco Bay Area based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security
Top 5 Infrastructure Concerns
1. Data Management
2. Server and Farm Sprawl
3. Security
4. Upgrade and Migration
5. High Availability/Disaster Recovery
CONCERN #1: DATA MANAGEMENT
SharePoint Content Growth Issues
SharePoint Products and Technologies are growing faster than any other MS product
SharePoint Document Management environments are on the rise
All of that content is being stored in SharePoint Content Databases
SharePoint Content Database Limitations
Every version of every document in SharePoint is stored in full in the content database
This can lead to Content Databases growing in size quickly
Microsoft recommends 100GB-200GB max for Content DBs
Site Collections can only reside in a single Content DB.
Binary Large OBject (BLOB) Storage
BLOBs are unstructured content stored in SQL
Includes all documents, pictures, and files stored in SharePoint
Excludes metadata and context: information about the document, version #, etc.
Until recently, could not be removed from SharePoint Content Databases
Classic problem of structured vs. unstructured data – unstructured data doesn’t really belong in a SQL Server environment
Getting your BLOBs out of SharePoint
Can dramatically reduce the size of Content DBs, as upwards of 80%-90% of space in content DBs is composed of BLOBs
Can move BLOB storage to more efficient/cheaper storage
Improve performance and scalability of your SharePoint deployment
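The size check and the RBS switch-over described above, as an added example (not from the deck and not Microsoft's own script): it reports each content database against the 100GB-200GB guideline and then enables Remote BLOB Storage on one database. It assumes the SharePoint 2010 Management Shell on a farm server, that the RBS provider (SQL FILESTREAM plus the RBS client) is already installed on SQL Server and every farm server, and a content database named WSS_Content (a constructed name). The 1 MB inline threshold is an assumed value.

```powershell
# Added example, not from the deck: size report plus RBS enablement.
# Assumes SharePoint 2010 Management Shell, RBS provider already installed,
# and a constructed content database name "WSS_Content".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$limitGB = 200   # upper end of the 100GB-200GB guideline quoted in the deck

# 1. Which content databases are already past the guideline?
#    DiskSizeRequired is the database's size in bytes as SharePoint sees it.
Get-SPContentDatabase | ForEach-Object {
    $sizeGB = [math]::Round($_.DiskSizeRequired / 1GB, 1)
    New-Object PSObject -Property @{
        Database  = $_.Name
        SizeGB    = $sizeGB
        OverLimit = ($sizeGB -gt $limitGB)
    }
} | Format-Table Database, SizeGB, OverLimit -AutoSize

# 2. Enable RBS on one database. Installed() is false until the RBS provider
#    has been set up on SQL Server and on this server, so stop early if so.
$cdb  = Get-SPContentDatabase -Identity "WSS_Content"
$rbss = $cdb.RemoteBlobStorageSettings
if (-not $rbss.Installed()) {
    throw "RBS provider is not installed for $($cdb.Name); install it on SQL Server and the farm servers first."
}
$rbss.Enable()
$rbss.SetActiveProviderName($rbss.GetProviderNames()[0])   # e.g. the FILESTREAM provider
# Assumed threshold: BLOBs smaller than this stay inline in SQL (small files
# are cheaper inline; large documents go to the BLOB store).
$rbss.MinimumBlobStorageSize = 1MB
$rbss   # print the resulting settings for the change record

# 3. Push BLOBs that are already inside the MDF out to the RBS store.
#    Long-running on a large database; run once after enabling.
$rbss.Migrate()
```

Run the report first on its own; the databases it flags as over the limit are the candidates for RBS or for splitting site collections into new content databases.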
CONCERN #2: SERVER AND FARM SPRAWL
Infrastructure Sprawl and Scalability
Multiple Farms
• SharePoint environments generally need more than one farm
• Dev, Test, and Prod farms at a minimum
• Can lead to server and storage sprawl
Servers for HA and DR
• Multiple servers in a farm for DR
• Data in multiple locations
• Dedicated servers for specific tasks
Scalability
• SharePoint 2010 much more scalable
• Scale up and scale out
• Use Service Application architecture to expand
SharePoint 2010 Architecture: Best Practice “Six Server Farm”
2 Dedicated Web Servers (NLB)
2 Service Application Servers
2 Database Servers (Clustered or Mirrored)
1 or 2 Index Partitions with equivalent query components
SharePoint 2010 Architecture: Scalable to Large Farms
Multiple Dedicated Web Servers
Multiple Dedicated Service App Servers
Multiple Dedicated Query Servers
Multiple Dedicated Crawl Servers, with multiple Crawl DBs to increase parallelization of the crawl process
Multiple distributed Index partitions (max of 10 million items per index partition)
Two query components for each Index partition, spread among servers
Service Application Matrix
Service application | Description | SharePoint Foundation 2010 | SharePoint Server 2010 Standard | SharePoint Server 2010 Enterprise
Access Services | Lets users view, edit, and interact with Access 2010 databases in a Web browser. | | | X
Business Data Connectivity service | Gives access to line-of-business data systems. | X | X | X
Excel Services Application | Lets users view and interact with Excel 2010 files in a Web browser. | | | X
Managed Metadata service | Manages taxonomy hierarchies, keywords and social tagging infrastructure, and publishes content types across site collections. | | X | X
PerformancePoint Service Application | Provides the capabilities of PerformancePoint. | | | X
Search service | Crawls content, produces index partitions, and serves search queries. | | X | X
Secure Store service | Provides single sign-on authentication to access multiple applications or services. | | X | X
State service | Provides temporary storage of user session data for SharePoint Server components. | | X | X
Usage and Health Data Collection service | Collects farm-wide usage and health data, and provides the ability to view various usage and health reports. | X | X | X
User Profile service | Adds support for My Site Web sites, profile pages, social tagging and other social computing features. | | X | X
Visio Graphics Service | Lets users view and refresh published Visio 2010 diagrams in a Web browser. | | | X
Web Analytics service | Provides Web service interfaces. | | X | X
Word Automation Services | Performs automated bulk document conversions. | | X | X
Microsoft SharePoint Foundation Subscription Settings Service | Provides multi-tenant functionality for service applications. Tracks subscription IDs and settings for services that are deployed in partitioned mode. Deployed through Windows PowerShell only. | X | X | X
Tool for Combating Sprawl? – Server Virtualization
Reduce Costs
• Direct server over-consumption / utility bills / “greener” technology
• Less physical space to consume
• Less cost to cool multiple servers
Consolidate / Dedicate
• Reduce number of physical servers
• Get rid of legacy hardware
• Dedicated specialty servers and SAN storage
Optimize Investment
• Optimized use of memory/processor
• No proliferation of disk volumes
• Large number of servers can run on a single box
• De-dup technologies and clone capabilities for Test/Dev
Virtualized Farm Architecture: Cost-effective Virtual Environment / No HA
Allows organizations that wouldn’t normally be able to have a test environment to run one
Allows for separation of the database role onto a dedicated server
Can be more easily scaled out in the future
Virtualized Farm Architecture: Highly Available Farm with only Two Servers
High availability across hosts
All components virtualized
Uses only two Windows Enterprise Edition licenses
Can take advantage of various storage options
Virtualized Farm Architecture: Best Practice Virtual/Physical with HA/Perf
Highest transaction servers are physical
Multiple farm support, with DBs for all farms on the SQL cluster
Tie into consolidated storage tier
CONCERN #3: SECURITY
Address all Layers of Security
Infrastructure Security and Best Practices: Best Practice Service Account Setup; Kerberos Authentication
Data Security: SharePoint Security ACLs and Role Based Access Control (RBAC); Transparent Data Encryption (TDE) of SQL Databases
Transport Security: Secure Sockets Layer (SSL) from Server to Client; IPSec from Server to Server; Inbound Internet Security (Forefront UAG/TMG) / Certs
Rights Management
Use Multiple Service Accounts: Sample Service Accounts
Service Account Name | Role of Service Account | Special Permissions
COMPANYABC\SRV-SP-Setup | SharePoint Installation Account | Local Admin on all SharePoint servers
COMPANYABC\SRV-SP-SQL | SQL Service Account | Local Admin on Database Server(s)
COMPANYABC\SRV-SP-Farm | SharePoint Farm Account; Application Pool Identity account for the Central Admin App Pool | N/A
COMPANYABC\SRV-SP-Search | Search Account | N/A
COMPANYABC\SRV-SP-Content | Default Content Access Account | Read rights to any external data sources to be crawled
COMPANYABC\SRV-SP-Prof | Default Profiles Content Account | Member of Domain Users (to be able to read attributes from users in the domain)
COMPANYABC\SRV-SP-MySite | Application Pool Identity account for the MySite App Pool | N/A
COMPANYABC\SRV-SP-Home | Application Pool Identity account for the Home App Pool | N/A
Kerberos: Best practice: Enable Kerberos!
When creating any Web Applications for Content, USE KERBEROS. It is much more secure and also faster with heavy loads, as the SP server doesn’t have to keep asking for auth requests from AD.
Kerberos auth does require extra steps, which makes people shy away from it, but once configured, it improves security considerably and can improve performance on high-load sites.
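The "extra steps" for Kerberos are mostly Service Principal Name (SPN) registration for the app pool and SQL service accounts in the sample table above. The script below is an added example (not from the deck): it registers the SPNs, checks for duplicates, and creates a content web application in Kerberos mode. It assumes a Domain Admin running the SharePoint 2010 Management Shell, that the accounts are already registered as SharePoint managed accounts, and constructed host names (home.companyabc.com, mysite.companyabc.com, sql01.companyabc.com), app pool name and database name.

```powershell
# Added example, not from the deck: SPN registration and a Kerberos web app.
# Assumes Domain Admin rights, SharePoint 2010 Management Shell, managed
# accounts already registered; host names below are constructed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Each app pool identity needs an HTTP/<host> SPN for every host header clients
# use (FQDN and short name); the SQL service account needs MSSQLSvc/<host>:<port>.
$spns = @{
    "COMPANYABC\SRV-SP-Home"   = @("HTTP/home.companyabc.com",   "HTTP/home")
    "COMPANYABC\SRV-SP-MySite" = @("HTTP/mysite.companyabc.com", "HTTP/mysite")
    "COMPANYABC\SRV-SP-SQL"    = @("MSSQLSvc/sql01.companyabc.com:1433", "MSSQLSvc/sql01:1433")
}

foreach ($account in $spns.Keys) {
    foreach ($spn in $spns[$account]) {
        # -S refuses to add an SPN already registered to another account. A
        # duplicate SPN is the classic Kerberos failure: clients silently fall
        # back to NTLM or get access denied.
        & setspn.exe -S $spn $account
    }
    & setspn.exe -L $account     # show what is now registered for the account
}

# Forest-wide duplicate scan; anything listed here must be resolved before go-live.
& setspn.exe -X

# Create the Home web application in classic mode with Kerberos authentication
# (SharePoint 2010 syntax). App pool name and database name are constructed.
$pool = Get-SPManagedAccount -Identity "COMPANYABC\SRV-SP-Home"
New-SPWebApplication -Name "Home Portal" -Port 443 -SecureSocketsLayer `
    -HostHeader "home.companyabc.com" -Url "https://home.companyabc.com" `
    -ApplicationPool "Home App Pool" -ApplicationPoolAccount $pool `
    -DatabaseName "WSS_Content_Home" -AuthenticationMethod Kerberos
```

To confirm Kerberos is actually in use rather than an NTLM fallback: on a client, browse the site and run klist to see a ticket for HTTP/home.companyabc.com; on the web server, logon event 4624 in the Security log should show Kerberos, not NTLM, as the authentication package.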
Use SharePoint-Aware Antivirus
Protecting the Edge (diagram)
Access paths from the Internet: DirectAccess, HTTPS (443), Layer 3 VPN, Terminal / Remote Desktop Services
Client types: Employees on managed machines, Home / Friend / Kiosk, Mobile, Business Partners / Sub-Contractors
Authentication sources: AD, ADFS, RADIUS, LDAP…, NPS, ILM
Published applications: Exchange, CRM, SharePoint, IIS based (HTTPS / HTTP), IBM, SAP, Oracle, non-web
Transparent Data Encryption (TDE)
New in SQL Server 2008; only available with the Enterprise Edition
Seamless encryption of individual databases
Transparent to applications, including SharePoint
When enabled, encrypts database, log file, any info written to TempDB, snapshots, backups, and mirrored DB instance, if applicable
Operates at the I/O level through the buffer pool, so any data written into the MDF is encrypted
Can be selectively enabled on specific databases
Backups cannot be restored to other servers without a copy of the private key; stolen MDF files are worthless to the thief
Easier administration, minimal server resources required (3%-5% performance hit)
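Enabling TDE on a content database, as an added example (not from the deck): it builds the key hierarchy in master, backs up the certificate before anything is encrypted, turns encryption on for one database, and checks progress. It assumes SQL Server 2008 Enterprise, a login with CONTROL SERVER, and the SQL Server 2008 PowerShell snap-in that provides Invoke-Sqlcmd; server name, database name, file paths and the password placeholders are constructed.

```powershell
# Added example, not from the deck: TDE on one SharePoint content database.
# Assumes SQL Server 2008 Enterprise and the SqlServerCmdletSnapin100 snap-in;
# SQL01, WSS_Content_Home, paths and passwords are constructed placeholders.
Add-PSSnapin SqlServerCmdletSnapin100 -ErrorAction SilentlyContinue

$sql     = "SQL01"
$db      = "WSS_Content_Home"
$certBak = "D:\TDE\SharePointTDE.cer"
$keyBak  = "D:\TDE\SharePointTDE.pvk"

# 1. Server-level key hierarchy in master: database master key -> certificate.
#    The passwords are placeholders; keep the real ones in a vault, not a script.
Invoke-Sqlcmd -ServerInstance $sql -Database master -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<MasterKeyPassword-placeholder>';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'SharePointTDECert')
    CREATE CERTIFICATE SharePointTDECert WITH SUBJECT = 'SharePoint content DB TDE';
"@

# 2. Back up the certificate and private key NOW and move the files off the
#    server. Without them a backup of the encrypted database cannot be restored
#    anywhere else, which is the same property that makes a stolen MDF useless.
Invoke-Sqlcmd -ServerInstance $sql -Database master -Query @"
BACKUP CERTIFICATE SharePointTDECert TO FILE = '$certBak'
    WITH PRIVATE KEY (FILE = '$keyBak',
                      ENCRYPTION BY PASSWORD = '<PrivateKeyPassword-placeholder>');
"@

# 3. Per-database encryption key, then switch encryption on. TDE is selective:
#    only databases given a DEK are encrypted (tempdb follows automatically).
Invoke-Sqlcmd -ServerInstance $sql -Database $db -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE SharePointTDECert;
ALTER DATABASE [$db] SET ENCRYPTION ON;
"@

# 4. Check: encryption_state 2 = encryption in progress, 3 = encrypted.
#    tempdb appears in this list as soon as any user database is encrypted.
Invoke-Sqlcmd -ServerInstance $sql -Database master -Query @"
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete,
       key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
"@ | Format-Table -AutoSize
```

Because the mirrored copy is encrypted too (as the deck notes), the same certificate must be restored into master on the mirror server before a TDE database can be mirrored; the backup files from step 2 are what you restore there.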
Rights Protection of Content: Active Directory Rights Management Services
AD RMS is a form of Digital Rights Management (DRM) technology, used in various forms to protect content
Used to restrict activities on files AFTER they have been accessed: Cut/Paste, Print, Save As…
Directly integrates with SharePoint DocLibs
CONCERN #4: UPGRADE AND MIGRATION
Upgrade and Migration: Data Management Challenges
Most risk-averse migration/upgrade approach is Database Attach model or 3rd Party tool model
Requires double the current amount of disk space as the new farm needs to be built as a ‘greenfield’
Disk IO levels are also generally higher in SharePoint 2010
CONCERN #5: HIGH AVAILABILITY AND DISASTER RECOVERY
High Availability at the 3 Tiers
Web = Network Load Balancing (Hardware or Software)
Service Application = Install on Multiple Systems
Data = MSCS Clustering or High Availability Mirroring
Mirroring vs. Clustering
Clustering is shared storage and can’t survive storage failure, which makes Mirroring more attractive
Clustering fails over quicker
Mirroring is not supported for all databases, but Clustering is
Both Clustering and Mirroring can be used at the same time
SQL Database Mirroring: Providing for HA and DR for SharePoint Content
Introduced in SQL 2005 SP1
Greatly improved in SQL 2008 and now SQL 2008 R2
Available in Enterprise and Standard (Synchronous only) editions
Works by keeping a mirror copy of a database or databases on two servers
Can be used locally, or the mirror can be remote
Can be set to use a two-phase commit process to ensure integrity of data across both servers
Can be combined with traditional shared storage clustering to further improve redundancy
SharePoint 2010 is now Mirroring aware!
Mirroring Limitations
Some Service Apps store data outside of the data tier, including: Excel Services Application Access Services
If a Service App Server hosting these functions goes down, the end user is affected (for that session only.) They can still use another server to re-initiate the session
Only Content DBs and the Secure Store DB are supported for Asynchronous Mirroring
All DBs except a few minor ones are supported for Synchronous Mirroring
Single Site HA Mirrored Farm
Single site synchronous replication
Uses a SQL Witness Server to fail over automatically
Mirror all SharePoint DBs in the farm
Use a SQL Alias to switch to the mirror instance
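The three moving parts of the single-site mirrored farm above (mirror health, SharePoint's mirroring awareness, and the SQL alias) in one added example that is not from the deck and is not the failover script referenced at the end of it. It assumes mirroring is already established between principal SQL01 and mirror SQL02 with a witness (constructed names), that the farm was built against a SQL client alias named SPSQL rather than a host name, the SqlServerCmdletSnapin100 snap-in for Invoke-Sqlcmd, and a farm administrator in the SharePoint 2010 Management Shell.

```powershell
# Added example, not from the deck: mirror health check, SharePoint failover
# partner registration, SQL alias repoint, and a manual failover.
# SQL01 / SQL02 / SPSQL are constructed; mirroring itself is assumed configured.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Add-PSSnapin SqlServerCmdletSnapin100       -ErrorAction SilentlyContinue

$principal = "SQL01"
$mirror    = "SQL02"
$alias     = "SPSQL"   # the name the farm connects to, not a real host

# 1. Health check on the principal. For automatic failover every SharePoint DB
#    should be SYNCHRONIZED, at FULL safety, with the witness CONNECTED.
$state = Invoke-Sqlcmd -ServerInstance $principal -Database master -Query @"
SELECT DB_NAME(database_id) AS db, mirroring_role_desc, mirroring_state_desc,
       mirroring_safety_level_desc, mirroring_witness_state_desc
FROM sys.database_mirroring
WHERE mirroring_guid IS NOT NULL;
"@
$state | Format-Table -AutoSize
$state | Where-Object { $_.mirroring_state_desc -ne "SYNCHRONIZED" } | ForEach-Object {
    Write-Warning "$($_.db) is $($_.mirroring_state_desc); not safe to fail over"
}

# 2. SharePoint 2010 is mirroring aware: give each database its failover
#    partner so SharePoint adds it to the connection string itself.
Get-SPDatabase | ForEach-Object {
    if ($_.FailoverServer -eq $null) {
        $_.AddFailoverServiceInstance($mirror)
        $_.Update()
        Write-Host "Failover partner $mirror set on $($_.Name)"
    }
}

# 3. SQL client alias. Repointing the alias on every farm server is the manual
#    path for anything that does not honour the failover partner. Both the
#    64-bit and 32-bit client registry hives are written.
function Set-SqlClientAlias([string]$AliasName, [string]$TargetHost, [int]$Port = 1433) {
    $keys = "HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo",
            "HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo"
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DBMSSOCN = TCP/IP network library; value format is "DBMSSOCN,host,port"
        Set-ItemProperty -Path $key -Name $AliasName -Value "DBMSSOCN,$TargetHost,$Port"
    }
}

# 4. Manual failover of every database this server is principal for, then
#    repoint the alias on this server (repeat the alias step on each farm server).
$state | Where-Object { $_.mirroring_role_desc -eq "PRINCIPAL" } | ForEach-Object {
    Invoke-Sqlcmd -ServerInstance $principal -Database master `
        -Query "ALTER DATABASE [$($_.db)] SET PARTNER FAILOVER;"
}
Set-SqlClientAlias -AliasName $alias -TargetHost $mirror
```

Step 1 is the part worth running on a schedule: a mirror that has silently dropped to DISCONNECTED or SUSPENDED gives no protection, and with synchronous mirroring the principal can stall commits while the partner is unreachable.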
Cross-Site Mirrored HA Farm
Two sites, 1 ms latency, 1GB bandwidth
Farm servers in each location
Auto failover
Two Farm / Mirrored Content DBs
Two sites, two farms
Mirror only Content DBs
Failover is manual
Must re-index and recreate Svc. Apps
Configuring the Farm: Network Load Balancing
Hardware based load balancing (F5, Cisco, Citrix NetScaler) – best performance and scalability
Software Windows Network Load Balancing fully supported by MS, but requires Layer 2 VLAN (all packets must reach all hosts.) Layer 3 switches must be configured to allow Layer 2 to the specific VLAN.
If using Unicast, use two NICs on the server, one for communications between nodes.
If using Multicast, be sure to configure routers appropriately
Set Affinity to Single (Sticky Sessions)
If using VMware, note fix to NLB RARP issue (http://tinyurl.com/vmwarenlbfix)
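The Windows NLB configuration the slide describes (unicast with a dedicated NIC, Single affinity), as an added example that is not from the deck. It uses the NetworkLoadBalancingClusters module that ships with Windows Server 2008 R2 and assumes the NLB feature is installed on both web servers (constructed names SPWEB01 and SPWEB02), that each has a second NIC named NLB for cluster traffic, a constructed VIP of 10.10.10.50, and an elevated shell on SPWEB01. The cmdlet and parameter names are as the module documents them; the pipeline from Get-NlbClusterPortRule into Remove-NlbClusterPortRule is assumed to accept the rule objects.

```powershell
# Added example, not from the deck: two-node NLB cluster for the web tier.
# Assumes Windows Server 2008 R2 NLB feature installed, a NIC named "NLB" on
# each node, constructed names SPWEB01/SPWEB02 and VIP 10.10.10.50.
Import-Module NetworkLoadBalancingClusters

$clusterIP  = "10.10.10.50"      # constructed VIP; the portal DNS name points here
$subnetMask = "255.255.255.0"

# 1. Create the cluster on the dedicated NLB NIC in unicast mode. Unicast
#    rewrites that NIC's MAC address so the nodes cannot talk to each other
#    over it; that is why the slide says to keep a second NIC for node traffic.
New-NlbCluster -InterfaceName "NLB" -ClusterName "spweb.companyabc.com" `
    -ClusterPrimaryIP $clusterIP -SubnetMask $subnetMask -OperationMode Unicast | Out-Null

# 2. Join the second node through its own NLB NIC.
Add-NlbClusterNode -InterfaceName "NLB" -NewNodeName "SPWEB02" -NewNodeInterface "NLB" | Out-Null

# 3. Replace the default all-ports rule with HTTPS (and HTTP for redirects)
#    using Single affinity: a client sticks to one web server for its session.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
foreach ($port in 80, 443) {
    Add-NlbClusterPortRule -StartPort $port -EndPort $port -Protocol Tcp `
        -Mode Multiple -Affinity Single | Out-Null
}

# 4. Verify: both nodes should reach Converged and both rules show Single affinity.
Get-NlbClusterNode     | Format-Table -AutoSize
Get-NlbClusterPortRule | Format-Table -AutoSize
```

If the switch infrastructure cannot give the cluster a flat Layer 2 VLAN, change -OperationMode to Multicast and add the static ARP entries on the routers the slide refers to; the port rules are the same either way.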
Clustering Best Practice: Take Advantage of both Nodes on SQL Server
For More Information
SharePoint 2010 Unleashed (SAMS Publishing): http://www.samspublishing.com
Microsoft ‘Virtualizing SharePoint Infrastructure’ Whitepaper: http://tinyurl.com/virtualsp
Microsoft ‘SQL RBS’ Whitepaper: http://tinyurl.com/remoteblobsp
Microsoft SQL Mirroring Case Study: http://tinyurl.com/mirrorsp
Failover Mirror PowerShell Script: http://tinyurl.com/failovermirrorsp
Contact us at CCO.com
Thanks!
Michael Noel
Twitter: @MichaelTNoel
www.cco.com