Monthly Archives: Jul 2016

Overview of SharePoint 2013 Multibox installation and configuration

Here is a list of the setup steps, in the correct procedural order, for creating a SharePoint 2013 three-tier farm.

For most of these steps I used PowerShell scripts.

1. Create Self-Signed SSL certificate or Order SSL certificate for URL domain(s)
2. Configure hardware load balancing (if load balancing)
3. Provision physical or virtual servers – Windows 2012 (preferred) or Windows 2008 R2 SP1+
4. Install SSL certificate on servers
5. Create DNS entries for domains to resolve to Forefront/load balancer
6. Copy setup media to servers

  • Copy SharePoint 2013 setup files to SharePoint servers
  • Copy SharePoint 2013 Language Packs to SharePoint servers

7. Provision SQL Server 2014

  • Set Up SQL Server 2014 as a SharePoint 2013 Database Server
  • Configure SQL Server 2014 for SharePoint 2013
    • Setting the Maximum Amount of RAM
    • Enabling Compressed Backups
    • Setting the model Database’s Recovery Model
    • Configure the max degree of parallelism Server Configuration Option

8. Provision service accounts in Active Directory and grant permissions

  • Create Domain Accounts and Administration Groups
  • Assigned Group Policy
    • Grant SP Setup service account local Administrator on SharePoint servers
    • Grant SP Setup “Replicate Directory Changes” AD permissions
    • Grant SP Setup SQL Server permissions – DB Creator and Security Admin

9. Identify SharePoint 2013 and Office Web Apps 2013 product keys
10. Configure Kerberos Authentication

  • Register Service Principal Names (SPN)
  • Activate Kerberos Delegation for SharePoint Server in Active Directory
  • Activate Kerberos Authentication on Web Application in Central Administration

11. Identify outbound e-mail server details

  • An SMTP address for SharePoint outbound email (for alerts, etc.)
  • An e-mail address for the “From” or “Reply To” address in system e-mails

12. Configure Firewall Ports

13. Prepare the farm servers

  • Install SMTP Server
  • Add Local Groups and Domain Users to Groups
  • Configure Windows Server Firewall Ports

14. SQL/SharePoint Database Preparation

  • Configure SQL Database Performance

15. Install the following prerequisite software

  • .NET Framework 4.5
  • Windows Management Framework 3.0 (CTP2) – PowerShell 3.0
  • Microsoft SQL Server 2008 R2 Native Client
  • Windows Identity Foundation (KB974405)
  • Microsoft Sync Framework Runtime v1.0 SP1 (x64)
  • Windows Server AppFabric
  • Windows Identity Extensions
  • Microsoft Information Protection and Control Client
  • Microsoft WCF Data Services 5.0
  • CU Package 1 for Microsoft AppFabric 1.1 for Windows Server (KB2671…

16. Install SharePoint 2013 media files on ALL the farm servers

17. Perform A Windows Update

18. Reboot Windows 2012 Server

19. Create New Farm – (Run on First Application Server)

  • Create the SharePoint Administration & Configuration content database.
  • Add Administrators to Farm
  • Create Managed Accounts in SharePoint
  • Configure People Picker

20. Install SQL Add-ons

  • Install SharePoint Reporting Add-on for SharePoint
  • Install SharePoint PowerPivot Add-on for SharePoint

21. Run SharePoint Configuration Wizard on each server

22. Join Web Server to Farm

  • Install Web Servers
  • Install Services
    • Claims to Windows Token Service
    • App Management Service
    • Business Data Connectivity Service
    • Microsoft SharePoint Foundation Workflow Timer Service
    • Microsoft SharePoint Foundation Incoming E-Mail
    • Microsoft SharePoint Foundation Web Application
    • Secure Store Service
    • Microsoft SharePoint Foundation Subscription Settings Service
    • Managed Metadata Web Service
    • Search Host Controller Service
    • Search Query and Site Settings Service

23. Install Applications

  • Secure Store Service
  • Subscription Settings
  • App Management Service
  • Managed Metadata Service
  • Create Default Web Application
  • Search Service Application

24. Business Data Connectivity Service

25. Restore Site Collection

26. Install Language Packs

27. Join Application Server to Farm

28. Install Application Server

  • Install Services
    • Distributed Cache
    • Machine Translation Service
    • Word Automation Services
    • Work Management Service
    • PowerPoint Conversion Service
    • PerformancePoint Service
    • SQL Server PowerPivot System Service
  • Install SharePoint Applications
    • Usage and Health Data Collection
    • Machine Translation Service
    • State Service Application
    • Word Automation Services
    • Work Management Service Application
    • PerformancePoint Service Application
    • Excel Services Application
    • Visio Graphics Service

29. Run SharePoint Configuration Wizard

30. Configure Secure Store

31. User Profile Synchronization

32. Configure email integration for a SharePoint 2013 farm

  • Configure incoming email for a SharePoint 2013 farm

33. Configure outgoing email for a SharePoint 2013 farm

34. Run SharePoint Configuration Wizard

35. Perform A Windows Update

The Top Three Content Migration Tools for SharePoint

Over the past several years, I have been involved in projects migrating SharePoint content, legacy systems and file shares to SharePoint, including enterprise-level migration from SharePoint 2003 to SharePoint 2013.

Many clients determined that the best approach to completing the migration in a manner that conformed to their practices and procedures was to purchase a third-party tool.
Many tools were considered. In the end, the list of options came down to three tools. I compared the three products against SharePoint out of the box (OOTB), function by function. Each product was examined in detail, covering over 170 sub-functions, and the results are summarised in the table below.

Function | SharePoint OOTB (%) | AvePoint (%) | Metalogix (%) | Sharegate (%)
High Level Features | 66.67 | 100 | 100 | 100
Farm Migration | 0 | 100 | 100 | 100
Site Migration | 9.09 | 90.91 | 100 | 100
Content Migration | 0 | 100 | 100 | 100
Import files to SharePoint | 0 | 100 | 100 | 100
Export From SharePoint | 0 | 75 | 100 | 100
Reporting | 0 | 85.71 | 100 | 85.71
PowerShell and Development tools | 50 | 100 | 75 | 75
Supported SP Legacy Versions | 0 | 100 | 100 | 100
Support | 0 | 100 | 100 | 100
Backup | 11.11 | 94.44 | 83.33 | 33.33
RBLOB Management | 16.67 | 100 | 91.67 | 0
End User Content Management | 0 | 0 | 100 | 100
Office 365 Migration/Management | 0 | 0 | 100 | 63.64
OneDrive Migration/Management | 0 | 0 | 71.43 | 85.71
Overall (%) | 9.60 | 71.63 | 88.84 | 59.23

AvePoint – DocAve Migrators
AvePoint is the established leader in enabling enterprise collaboration across platforms and devices. Focusing on helping enterprises in their digitization journey to enable their information workers to collaborate with confidence, AvePoint is first to market with a unique solution that centralizes access and control of information assets residing in disparate collaboration and document management systems on-premises and in the cloud. AvePoint solutions and services aim to bring together business, IT, as well as compliance and risk officers to serve key business objectives such as big data, cloud integration, compliance, enterprise content management, and mobile data access monitoring.
New Features

End-User Reporting – DocAve Report Center includes new end-user reporting web parts, allowing easy access to information such as site traffic, search usage, active users, checked-out documents, and top documents in order to help business users make more informed decisions.

Compliance and Governance Reporting – Usage Pattern Alerting for DocAve Report Center provides SharePoint administrators as well as security and compliance officers with new reports to quickly identify suspicious user activity in order to take actions that can help reduce the potential of data breaches.

Office 365 Support for Records Management – DocAve Archiver now offers customized records management solutions for both on-premises and SharePoint Online deployments – including new features to retain a document’s original content types and metadata properties upon moving to Record Center sites as well as the ability for administrators to set automated conflict resolution rules when archiving content.

Content Archiving Approval – Archiver Approval Center allows administrators to generate reports that empower end-users to review content before archiving takes place, allowing those closest to the content to determine whether or not it should be archived.

Office 365 Support for Deployment Management – DocAve Deployment Manager now supports Office 365 as well as hybrid infrastructures, enabling organizations to quickly deploy customizations and design elements such as apps between SharePoint 2013 on-premises and SharePoint Online environments.

Virtual Machine Backups – DocAve Backup and Restore combines its best-of-breed platform backup solution with the new ability to protect virtualized elements such as web front end servers, Central Administration, and app servers.

Existing Features

  • Security Trimming
  • Source Content Pre-scan
  • Customizable And Reusable Migration Plans
  • Full Or Incremental Migration
  • Migration With Full Fidelity
  • Source And Destination Environment Coexistence During Migration
  • Online Or Offline Migration
  • Data Synchronization With Customized Scheduling

AvePoint is a well-established player in the migration market these days. Their tools are excellent but, for many customers, the requirement that the software be installed on the production environment was a major issue, and most declined this product for that reason.

Metalogix – Content Matrix
The most comprehensive tool on the market. Content Matrix allows you to migrate directly to SharePoint 2013, OneDrive for Business or Office 365 from SharePoint 2007 or SharePoint 2010 in one hop. No need for intermediate SharePoint versions or an on-premises staging farm for a move to Office 365.
Selected by Microsoft as the only pre-approved, MSO-CAF certified SharePoint migration tool for migrating to Office 365 Dedicated.

Features

  • Simple Setup
  • Rearrange Post-Migration
  • File Share Pre-migration tools
  • No Server Side Install
  • Migrate Discrete Elements
  • Powerful File Migration Capabilities
  • Choose What Migrates
  • Create New Structure
  • Analyze Metadata and Filter What You Need
  • Keep Current Farm Running
  • Migrate to 2013 MySites
  • Externalize BLOBS Before Migration
  • Site Collection Migration
  • Split/Merge Lists
  • Migrate Nintex Workflows
  • Clean Before Migration
  • Reusable Migration Tasks
  • Advanced Analysis & Migration Capabilities
  • Extensible Migration Engine

Sharegate – SharePoint Migration Tool

ShareGate Migration is one of the most popular migration tools; among the reasons for this are its well-designed interface and its price. A single-user licence is around £2900 and covers migrating data only.

Here is a list of the most common and interesting features available with ShareGate.

Copy Site Objects
This is a feature for migrating SharePoint site objects from one SharePoint site to another. With a simple drag and drop, it’s possible to copy site collections, sites, lists, libraries, site columns, site content types, users, groups, permission levels, managed metadata and workflows. Choose what you want to copy and let this feature do all the work.

Copy SharePoint Content
This feature can be used for copying SharePoint list items as well as SharePoint documents between lists or libraries. With a simple Drag and Drop, you can migrate your content while bringing over all metadata, including version history, attachments, permissions, authors and timestamps.

Import Files to SharePoint – Use this feature to import from your file system or file shares to SharePoint. With a simple drag and drop, it is possible to migrate a complete folder hierarchy to SharePoint while applying content types and metadata at the same time.

Export from SharePoint – This feature can be used for archiving content from SharePoint lists, libraries and sites. With a simple drag and drop, you can export all your content while bringing over all the metadata, including version history and attachments.

Bulk Metadata Editor – This feature provides bulk editing capabilities on SharePoint lists and libraries. In just a few clicks, it is possible to edit the SharePoint metadata of thousands of documents, folders, document sets and list items in bulk, without having to modify their properties one by one.

Import from Google Drive – Use this feature to import from your Google Drive environment. With a simple Drag and Drop, you can migrate your content while bringing over all metadata, including version history, permissions, author information and timestamps.

Health Analyzer – Secondary Logon service (seclogon) is disabled

Summary: The Secondary Logon service is used to generate thumbnail images of Power Pivot workbooks in the Power Pivot Gallery. By default, the Secondary Logon service is set to manual startup.

If the service is disabled, thumbnail generation will fail. Additionally, the ULS logs will contain the following error: “The error 1058 can have as a root cause the fact the Windows service “Secondary Logon” is disabled.”

To check the service configuration, use the Services console to find Secondary Logon and change its Startup Type to Manual. Note, however, that the Health Rule checks whether the Secondary Logon service has a Status of Running, not whether its Startup Type is Manual (or Automatic), so you also need to start the service so that its Status is Running.

Secondary Logon Properties

If you cannot enable the service, your organization might have a group policy that disables it. Check with an administrator to determine whether this is the case.

After you enable the service, thumbnail or snapshot images will refresh over time. Optionally, you can force a refresh by restarting the service and opening and then resaving the property pages of a specific report.
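As an added example (not part of the original post), the script below checks the service the way the Health Rule does, on Status rather than Startup Type, and repairs a Disabled startup type before starting it. It assumes an elevated Windows PowerShell session with rights on the target server.

```powershell
# Added example, not part of the original post: check the Secondary Logon
# service the way the Health Rule does (Status must be Running) and repair
# the Startup Type if a change has left it Disabled.
# Assumes an elevated Windows PowerShell session with rights on the target server.
function Test-SecondaryLogon {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) on PowerShell 3.0,
    # where Get-Service does not yet have a StartType property.
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='seclogon'"
    [pscustomobject]@{
        ComputerName = $ComputerName
        StartMode    = $svc.StartMode
        State        = $svc.State
        # The rule passes only when the service is running, whatever the start mode.
        HealthRuleOk = ($svc.State -eq 'Running')
    }
}

function Repair-SecondaryLogon {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $before = Test-SecondaryLogon -ComputerName $ComputerName
    if ($before.StartMode -eq 'Disabled') {
        # Manual is the Windows default; a Disabled service cannot be started.
        Set-Service -Name seclogon -ComputerName $ComputerName -StartupType Manual
    }
    if ($before.State -ne 'Running') {
        # -Status Running starts the service (works against remote servers too).
        Set-Service -Name seclogon -ComputerName $ComputerName -Status Running
    }
    # Re-read the state. If StartMode returns to Disabled after the next Group
    # Policy refresh, a domain policy is enforcing it; fix the policy, not the server.
    Test-SecondaryLogon -ComputerName $ComputerName
}

Repair-SecondaryLogon
```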

Health Analyzer – Verify that OAuth is configured correctly for the Machine Translation Service application proxy

Applies to: SharePoint Server 2013, SharePoint Foundation 2013

Summary: Resolve the SharePoint Health Analyzer rule “Verify that OAuth is configured correctly for the Machine Translation Service application proxy.”

Rule Name:  Verify that OAuth is configured correctly for the Machine Translation Service application proxy.

Cause:  OAuth is not configured correctly for the Machine Translation Service application proxy.

Resolution: Ensure that every Web application with a Machine Translation Service application proxy has a connection to a User Profile service application and an App Management service application, and is in claims-based authentication mode.

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
  2. On the Central Administration website, click Application Management.
  3. On the Application Management page, in the Service Applications section, click Configure service application associations.
  4. In the Application Proxy Group column, click the proxy group for the Web application or service application that you want to configure. Usually it is the default Application Proxy Group.
  5. Select the User Profile Service Application Proxy check box and the App Management Service Application Proxy check box.
  6. Go back to the Central Administration Home page. In the Application Management section, click Manage web applications.
  7. Click the Web application you want to configure, and then click the Authentication Providers button on the ribbon.
    1. Ensure that the Membership Provider Name for the Default zone is Claims Based Authentication. If not, you have to migrate the Web application from classic mode to claims-based authentication. For more information, see Migrate from classic-mode to claims-based authentication in SharePoint 2013.
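The same three conditions can be checked for every Web application at once from the SharePoint 2013 Management Shell. This is an added example, not part of the original post; it matches proxies by their TypeName with wildcards, which is an assumption about the display strings rather than an exact match.

```powershell
# Added example, not from the original post: report, for every Web application,
# the three conditions this Health Rule checks (User Profile proxy, App Management
# proxy, claims authentication). Run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-MachineTranslationOAuth {
    foreach ($webApp in Get-SPWebApplication) {
        # Proxies actually connected to this Web application's proxy group
        # (the default group has an empty Name).
        $proxies = @($webApp.ServiceApplicationProxyGroup.Proxies)
        $names   = $proxies | ForEach-Object { $_.TypeName }

        # Wildcard matching on TypeName is an assumption; adjust if your farm
        # shows different display strings.
        $hasMts = [bool]($names | Where-Object { $_ -like '*Machine Translation*' })
        $hasUps = [bool]($names | Where-Object { $_ -like '*User Profile*' })
        $hasApp = [bool]($names | Where-Object { $_ -like '*App Management*' })

        [pscustomobject]@{
            WebApplication     = $webApp.DisplayName
            ProxyGroup         = $webApp.ServiceApplicationProxyGroup.Name
            ClaimsAuth         = $webApp.UseClaimsAuthentication
            MachineTranslation = $hasMts
            UserProfile        = $hasUps
            AppManagement      = $hasApp
            # Only Web applications with a Machine Translation proxy are in scope;
            # those pass when all three requirements are met.
            RuleOk             = (-not $hasMts) -or ($hasUps -and $hasApp -and $webApp.UseClaimsAuthentication)
        }
    }
}

Test-MachineTranslationOAuth | Format-Table -AutoSize
```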

User Profile Synchronization Errors In SharePoint 2013

Applies to: SharePoint Server 2013, SharePoint Foundation 2013

Summary: Permission errors encountered when running the User Profile Synchronization job in SharePoint 2013.

During testing of SharePoint 2013 I experienced the Application Event Log errors below. When the errors occurred I was unable to run a User Profile Synchronization with Active Directory.

Event ID 6398, category Timer

The Execute method of job definition Microsoft.Office.Server.UserProfiles.UserProfileImportJob (ID 0afab701-a201-4df9-bfc7-590838da8809) threw an exception. More information is included below.

Generic Failure

Event ID 1004, category None

Detection of product ‘{90150000-104C-0000-1000-0000000FF1CE}’, feature ‘PeopleILM’, component ‘{1C12B6E6-898C-4D58-9774-AAAFBDFE273C}’ failed. The resource ‘C:\Program Files\Microsoft Office Servers\15.0\Service\Microsoft.ResourceManagement.Service.exe’ does not exist.

Event ID 1001, category None

Detection of product ‘{90150000-104C-0000-1000-0000000FF1CE}’, feature ‘PeopleILM’ failed during request for component ‘{1681AE41-ADA8-4B70-BC11-98A5A4EDD046}’

Resolution

The resolution is to grant the Network Service account read access to the C:\Program Files\Microsoft Office Servers\15.0 folder.
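As an added example (not part of the original post), the script below grants exactly that: read and execute, inherited down the folder tree, and nothing more. It assumes the default installation path and an elevated session on the server that logged the events.

```powershell
# Added example, not from the original post: grant NETWORK SERVICE read access
# to the Office Servers 15.0 folder so the PeopleILM component can be detected.
# Assumes the default installation path; adjust $Path if you installed elsewhere.
$Path     = 'C:\Program Files\Microsoft Office Servers\15.0'
$Identity = 'NT AUTHORITY\NETWORK SERVICE'

function Test-OfficeServersReadAccess {
    param([string]$Folder = $Path)
    $acl = Get-Acl -Path $Folder
    # Look for an Allow entry for NETWORK SERVICE that includes ReadAndExecute
    # and is inherited by subfolders and files (the service exe is several levels down).
    $readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $rule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readExec) -eq $readExec) -and
        $_.InheritanceFlags -match 'ContainerInherit' -and
        $_.InheritanceFlags -match 'ObjectInherit'
    }
    [bool]$rule
}

function Grant-OfficeServersReadAccess {
    param([string]$Folder = $Path)
    if (Test-OfficeServersReadAccess -Folder $Folder) { return 'Already granted' }
    $acl  = Get-Acl -Path $Folder
    # Read only: no Modify or Full Control, since the account only needs to see the files.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
    'Granted'
}

Grant-OfficeServersReadAccess
# The event log names this file; confirm it exists once the ACL is applied.
Test-Path (Join-Path $Path 'Service\Microsoft.ResourceManagement.Service.exe')
```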

Configuring the Windows Firewall for SharePoint Farm Traffic (Multi-Tier)

Applies to: SharePoint Server 2013, SharePoint Foundation 2013

This document outlines which firewall ports must be opened, and on which server, depending on the services running there (Windows, SharePoint, Database Server) for a multi-tiered SharePoint Server farm.

Of course, this is only one scenario; it all depends on the SharePoint farm and network configuration you have and whether the farm sits behind gateways, firewalls, etc.

SharePoint Network Diagram – An example

SharePoint Farm Firewall Ports

Web Front End Server
When a range is specified, all ports in the range must be opened.

Ports | Protocol | Bound | Usage
22233-22236 | TCP | Out | Ports required for the AppFabric Caching Service
80 | TCP | In | http
443 | TCP | In | https/ssl
25 | TCP | In | SMTP for e-mail integration
16500-16519 | TCP | In | Ports used by the search index component
1433 | TCP | Out | Server default communication port (if no alias or custom port)
1434 | UDP | Out | SQL Server default port used to establish connection (if no alias or custom port)

Distributed Cache
When a range is specified, all ports in the range must be opened.

Ports | Protocol | Bound | Usage
22233-22236 | TCP | In/Out | Distributed Cache

Application Server
When a range is specified, all ports in the range must be opened.

Ports | Protocol | Bound | Usage
22233-22236 | TCP | Out | Ports required for the AppFabric Caching Service
80 | TCP | In | Client to SharePoint web server traffic (SharePoint – Office Web Apps communication)
443 | TCP | In | Encrypted client to SharePoint web server traffic (encrypted SharePoint – Office Web Apps communication)
Custom | TCP | In | SharePoint Central Administration v4
25 | TCP | In | SMTP for e-mail integration
16500-16519 | TCP | In | Ports used by the search index component
32843-32845 | TCP | In | Communication between Web servers and service applications (inbound rule added to Windows Firewall by SharePoint)
32846 | TCP | In/Out | SharePoint User Code Service (inbound rule added to Windows Firewall by SharePoint)
808-809 | TCP | In | Office Web Apps

Search Index Query Server
When a range is specified, all ports in the range must be opened.

Ports | Protocol | Bound | Usage
22233-22236 | TCP | Out | Ports required for the AppFabric Caching Service
16500-16519 | TCP | In | Ports used by the search index component
137-139 | TCP | Out | SMB – Index Propagation / File Shares crawl (TCP)
445 | TCP / UDP | In | SMB – Index Propagation / File Shares crawl (NetBIOS)

Search Administration & Crawl Content Processing
When a range is specified, all ports in the range must be opened.

Ports | Protocol | Bound | Usage
22233-22236 | TCP | Out | Ports required for the AppFabric Caching Service
80 | TCP | Out | http
443 | TCP | Out | https/ssl
16500-16519 | TCP | In/Out | Ports used by the search index component
137-139 | TCP | Out | SMB – Index Propagation / File Shares crawl (TCP)
445 | TCP / UDP | Out | SMB – Index Propagation / File Shares crawl (NetBIOS)
1433 | TCP | Out | Server default communication port (if no alias or custom port)
32843-32845 | TCP | In | Communication between Web servers and service applications (inbound rule added to Windows Firewall by SharePoint)

Routes to the query server
The crawl component processes crawls of content resources, and propagates the resulting index fragment files to query server components:
• TCP port 32845 (SML/Named Pipes)

Routes to the Webserver
Windows Communication Foundation (WCF)
• TCP port 32843
• TCP port 32844 (SSL)

Routes to the Database server
Database communication:
On the Query Server, the query processor (also known as the Search Query and Settings Service) communicates with the following two databases in SQL Server:

• Search Administration database
• Property database types

On the Crawl Server, each crawl component is attached to a crawl database in SQL Server. The crawl component adds information such as content resource location and crawl schedules to its associated crawl database.

• TCP/SSL port 1433 (default) for default instance (customizable)
• TCP/SSL random port for named instances (customizable)

Routes to the Webserver
Search crawling: the crawl component on the Crawl Server processes crawls of content resources. Depending on how authentication is configured, SharePoint sites might be extended with an additional zone or Internet Information Services (IIS) site to ensure that the index component can access content; this configuration can result in custom ports.
• TCP 80
• TCP 443 (SSL)
• Custom ports

Active Directory Server

The following table lists the port requirements for inbound connections from each server role to an Active Directory Domain Services domain controller.

Ports | Protocol | Bound | Usage
88 | TCP / UDP | In | User Profile Synchronization Service (FIM) (Kerberos)
445 | TCP / UDP | In | When SQL Server is configured to listen for incoming client connections by using named pipes over a NetBIOS session, SQL Server communicates over TCP port 445
389 | TCP / UDP | In | User Profile Synchronization Service (FIM) (LDAP)
464 | TCP / UDP | In | User Profile Service (FIM) - User List Resolution / Kerberos password change
5725 | TCP | In | User Profile Synchronization Service (FIM) - Synchronizing profiles between SharePoint 2013 and Active Directory Domain Services (AD DS) on the server that runs the Forefront Identity Management agent

LDAP/LDAPS ports are required for server roles based on the following conditions:

  • Web servers: use LDAP/LDAPS ports if LDAP authentication is configured.
  • Query server: this role requires LDAP/LDAPS ports for importing profiles from the domain controllers that are configured as profile import sources, wherever these reside.

Name Resolution (DNS) Server

The following table lists the port requirements for inbound connections from each server role to a Domain Name System (DNS) server. In many extranet environments, one server computer hosts both the Active Directory Domain Services domain controller and the DNS server.

Ports | Protocol | Bound | Usage
53 | TCP / UDP | In | User Profile Synchronization Service (FIM) - DNS

Distributed Cache Server

SQL Server

The following table lists the port requirements for inbound connections from each server role to a server running SQL Server. Most database connections are on TCP port 1433 by default for the default instance, but this is customizable. (Because TCP port 1433 is a well-known port for accessing a SQL Server, you could configure your server running SQL Server to listen on a different port and block port 1433.) For named instances, you can choose a random port.

Ports | Protocol | Bound | Usage
1433 | TCP | In | Server default communication port (if no alias or custom port)
1434 | UDP | In | SQL Server default port used to establish connection (if no alias or custom port)
445 | TCP | In | SQL Server using named pipes
2383 | TCP | In | SQL Analysis Server default communication port (if no alias or custom port)

External Content File Share Server

Ports | Protocol | Bound | Usage
137 | TCP | In | SMB – Index Propagation / File Shares crawl (TCP)
138 | TCP | In | SMB – Index Propagation / File Shares crawl (TCP)
139 | TCP | In | SMB – Index Propagation / File Shares crawl (TCP)
445 | TCP / UDP | In | SMB – Index Propagation / File Shares crawl (NetBIOS)

External Content (OLAP) Server

Port | Protocol | Bound | Usage
1433 | TCP | In | SQL (Default Instance)
1434 | UDP | In | SQL (Default Instance)

SMTP Server

E-mail integration requires the use of the Simple Mail Transport Protocol (SMTP) service using TCP port 25 on at least one of the front-end Web servers in the server farm. The SMTP service is required for incoming e-mail (inbound connections). For outgoing e-mail, you can either use the SMTP service or route outgoing e-mail through a dedicated e-mail server in your organization, such as a computer running Microsoft Exchange Server.

Ports | Protocol | Bound | Usage
25 | TCP | In | SMTP - Cannot be configured

Configuring the Windows Firewall for SharePoint Farm Traffic (Single Server)

Applies to: SharePoint Server 2013, SharePoint Foundation 2013

What ports do I need to open? This document details which firewall ports to open and where. If you cannot access the web server, application server or databases because of gateways or firewalls, then this document is for you.

I have compiled a complete list of all the ports used. Most are configured by SharePoint, but some need to be configured manually. Of course, this is only one scenario; it all depends on the network configuration you have and whether you have a single-server farm or a multi-tiered farm configured behind gateways, firewalls, etc.

On each SharePoint 2013 server, you will need to set firewall rules to allow SharePoint intra-farm traffic and HTTP/HTTPS traffic. I have also listed which ports each SharePoint server role (WFE, Application, Search, etc.) requires, which should help with your scenario.

So deploying SharePoint farms on servers with an active Windows Firewall requires opening several ports to achieve a fully functional farm.

Please note: as a best practice, manage these firewall settings using domain Group Policy.

Ports | Protocol | Bound | Usage
80 | TCP | In | http
443 | TCP | In | https/ssl
25 | TCP | In | SMTP for e-mail integration
16500-16519 | TCP | In | Ports used by the search index component
22233-22236 | TCP | In/Out | Ports required for the AppFabric Caching Service
32843-32845 | TCP | In | Communication between Web servers and service applications
32846 | TCP | In/Out | SharePoint User Code Service
808-809 | TCP | In | Office Web Apps
5725 | TCP | In | User Profile Synchronization Service
389 | TCP+UDP | In | User Profile Synchronization Service (LDAP Service)
88 | TCP+UDP | In | User Profile Synchronization Service (Kerberos)
53 | TCP+UDP | In/Out | User Profile Synchronization Service (DNS)
1433 | TCP | Out | Server default communication port (if no alias or custom port)
1434 | UDP | Out | SQL Server default port used to establish connection (if no alias or custom port)
445 | TCP | Out | SQL Server over named pipes
2383 | TCP | Out | SQL Analysis Server default communication port (if no alias or custom port)

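The single-server table above, and the per-role tables in the multi-tier post, list the ports but not the rules. As an added example (not from either original post), the script below turns the single-server table into Windows Firewall rules scoped to the farm subnet, SQL host and domain controller (placeholder addresses, replace with your own) and then audits that each rule exists. It assumes Windows Server 2012 or later (NetSecurity module) and an elevated session.

```powershell
# Added example, not from either original post: the single-server port table
# above as data, applied as scoped Windows Firewall rules and audited afterwards.
# Assumes Windows Server 2012+ (NetSecurity module), an elevated prompt, and the
# placeholder addresses below replaced with your farm subnet, SQL host and DC.
$FarmSubnet = '10.0.0.0/24'   # placeholder: other farm servers
$SqlServer  = '10.0.0.50'     # placeholder: database server
$DomainCtrl = '10.0.0.10'     # placeholder: AD DS / DNS server
$Group      = 'SharePoint 2013 Farm'

# Directions follow the table as written. An Inbound row protects a local
# listener (LocalPort); an Outbound row names the port on the remote server (RemotePort).
$PortTable = @(
    @{ Name='HTTP';                    Port='80';          Proto='TCP'; Dir='Inbound';  From='Any' }
    @{ Name='HTTPS';                   Port='443';         Proto='TCP'; Dir='Inbound';  From='Any' }
    @{ Name='SMTP e-mail integration'; Port='25';          Proto='TCP'; Dir='Inbound';  From='Any' }
    @{ Name='Search index component';  Port='16500-16519'; Proto='TCP'; Dir='Inbound';  From=$FarmSubnet }
    @{ Name='AppFabric cache (in)';    Port='22233-22236'; Proto='TCP'; Dir='Inbound';  From=$FarmSubnet }
    @{ Name='AppFabric cache (out)';   Port='22233-22236'; Proto='TCP'; Dir='Outbound'; From=$FarmSubnet }
    @{ Name='Service applications';    Port='32843-32845'; Proto='TCP'; Dir='Inbound';  From=$FarmSubnet }
    @{ Name='User Code Service (in)';  Port='32846';       Proto='TCP'; Dir='Inbound';  From=$FarmSubnet }
    @{ Name='User Code Service (out)'; Port='32846';       Proto='TCP'; Dir='Outbound'; From=$FarmSubnet }
    @{ Name='Office Web Apps';         Port='808-809';     Proto='TCP'; Dir='Inbound';  From=$FarmSubnet }
    @{ Name='UPS FIM sync';            Port='5725';        Proto='TCP'; Dir='Inbound';  From=$FarmSubnet }
    @{ Name='UPS LDAP TCP';            Port='389';         Proto='TCP'; Dir='Inbound';  From=$DomainCtrl }
    @{ Name='UPS LDAP UDP';            Port='389';         Proto='UDP'; Dir='Inbound';  From=$DomainCtrl }
    @{ Name='UPS Kerberos TCP';        Port='88';          Proto='TCP'; Dir='Inbound';  From=$DomainCtrl }
    @{ Name='UPS Kerberos UDP';        Port='88';          Proto='UDP'; Dir='Inbound';  From=$DomainCtrl }
    @{ Name='UPS DNS TCP (in)';        Port='53';          Proto='TCP'; Dir='Inbound';  From=$DomainCtrl }
    @{ Name='UPS DNS UDP (in)';        Port='53';          Proto='UDP'; Dir='Inbound';  From=$DomainCtrl }
    @{ Name='UPS DNS TCP (out)';       Port='53';          Proto='TCP'; Dir='Outbound'; From=$DomainCtrl }
    @{ Name='UPS DNS UDP (out)';       Port='53';          Proto='UDP'; Dir='Outbound'; From=$DomainCtrl }
    @{ Name='SQL default instance';    Port='1433';        Proto='TCP'; Dir='Outbound'; From=$SqlServer }
    @{ Name='SQL Browser';             Port='1434';        Proto='UDP'; Dir='Outbound'; From=$SqlServer }
    @{ Name='SQL named pipes';         Port='445';         Proto='TCP'; Dir='Outbound'; From=$SqlServer }
    @{ Name='SQL Analysis Services';   Port='2383';        Proto='TCP'; Dir='Outbound'; From=$SqlServer }
)

function Get-SPRuleName([hashtable]$r) {
    "SP2013 - $($r.Name) ($($r.Proto) $($r.Port) $($r.Dir))"
}

function Add-SPFarmFirewallRules {
    param([hashtable[]]$Rules = $PortTable)
    foreach ($r in $Rules) {
        $name = Get-SPRuleName $r
        # Idempotent: skip rules that already exist so re-runs do not duplicate them.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        $common = @{
            DisplayName   = $name
            Group         = $Group
            Direction     = $r.Dir
            Protocol      = $r.Proto
            Action        = 'Allow'
            Profile       = 'Domain'   # farm servers are domain-joined; leave Public/Private closed
            RemoteAddress = $r.From    # least privilege: only the peers that need the port
        }
        if ($r.Dir -eq 'Inbound') { New-NetFirewallRule @common -LocalPort  $r.Port | Out-Null }
        else                      { New-NetFirewallRule @common -RemotePort $r.Port | Out-Null }
    }
}

function Test-SPFarmFirewallRules {
    # One object per table row: present and enabled, or missing.
    param([hashtable[]]$Rules = $PortTable)
    foreach ($r in $Rules) {
        $name = Get-SPRuleName $r
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Rule    = $name
            Present = [bool]$rule
            Enabled = [bool]($rule -and $rule.Enabled -eq 'True')
        }
    }
}

Add-SPFarmFirewallRules
Test-SPFarmFirewallRules | Format-Table -AutoSize
```

The outbound rules only change behaviour if the Domain profile's default outbound action is Block; with the default of Allow they are documentation of intent rather than enforcement.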

SharePoint 2013 Service Accounts Best Practices

Applies to: SharePoint Server 2013, SharePoint Foundation 2013

This document describes how important service accounts are in the installation of SharePoint 2013: if they are not set up correctly they can open big security holes in your organization and give you serious problems further down the road.

It also argues that you cannot have only one set of service accounts for every scenario, since not all scenarios require the same security (for example, a development environment does not require the same security as UAT, and likewise production). So, I suggest three sets of service accounts for the different deployment scenarios of SharePoint 2013.

This document explains all three sets of service accounts, the differences between the sets, and what every account does.

NOTE: These sets only cover the basic installation and configuration of SharePoint 2013 and SQL. Other Service accounts will be needed for some Service Applications (Ex: Excel, Visio, Performance Point, etc)

Low Security Option

Summary

The Low Security option is, of course, the one with the fewest accounts possible to install SharePoint in a proper manner. It uses only 1 SQL account, which will be the SQL administrator and also run the services, and 5 SharePoint accounts: the Farm Administrator, the Web Application Pool account, the SharePoint Service Application Pool account, the Crawl account and the User Profile Synchronization account. More details under each section.

For the SQL Server

Name | Description | Local Rights | Domain Rights
SQL_Admin | The SQL Server service account is used to run SQL Server. It is the service account for the following SQL Server services: MSSQLSERVER, SQLSERVERAGENT. SQL Admin on the SQL Server | Local Administrator on the SQL Server | Domain User

Explanation
As stated previously, in the Low Security Option we only use one service account for our SQL Server. This account needs to be a Local Administrator on the SQL server in order to be able to install SQL. We will also run the SQL Agent and the Database Engine services with this account. This is the account that will have full power on your SQL server, and you will use it to grant rights to your SP_Farm.

For the SharePoint Server

Name | Description | Local Rights | Domain Rights
SP_Farm | The server farm account is used to perform the following tasks: Setup; SharePoint Products Configuration Wizard; Configure and manage the server farm; Act as the application pool identity for the SharePoint Central Administration Web site; Run the Microsoft SharePoint Foundation Workflow Timer Service. | Local Administrator on all the SharePoint Servers. SecurityAdmin and DB_Creator rights on the SQL Instance | Domain User
SP_Pool | The Pool account is used to run the Web Application Pools | None | Domain User
SP_Services | The Services Account is used to run the Service Application Pool | None | Domain User
SP_Crawl | The Default Content Access Account for the Search Service Application | None | Domain User
SP_UserProfiles | The User Profile Synchronization Account | None | Replicate Directory Changes permission on the domain

Explanation
The Low Security Option uses the minimum number of accounts while still keeping a level of security. Here is the account breakdown:

SP_Farm is your main SharePoint account in this configuration. It needs Local Administrator rights to be able to install SharePoint Server, and the securityadmin and dbcreator roles on the SQL Server to create the configuration and other databases. This account will be your main Farm Administrator; it also runs the Timer Service and the Central Administration web application, and is used to access the SharePoint content databases.

SP_Pool is a domain account used as the application pool identity, e.g. when you create a Web Application and create a pool for it, you select this account.

SP_Services is a domain account used for the Service Application Pools, e.g. when you create a Managed Metadata Service application and create a pool for it, you select this account.

SP_Crawl is used within the Search Service Application to crawl content. The Search Service Application will automatically grant this account read access on all Web Applications. It will also run the SharePoint Windows Search Service.

SP_UserProfiles is the account used for the User Profile Synchronization between your Service Application and your Active Directory. This account does not need any local rights; however, you need to give it Replicate Directory Changes rights on the Active Directory in order to allow the synchronization.

Medium Security Option (Sweet Spot)

Summary
The Medium Security option is the sweet spot of a SharePoint installation. It uses slightly more accounts than the Low Security Option, but it provides a huge security improvement. By giving fewer rights to each account you limit the possible damage if an account is compromised, and you also follow Microsoft’s recommendation of installing SharePoint 2013 with least-privilege administration. More details on the changes under every section.

For the SQL Server

Name | Description | Local Rights | Domain Rights
SQL_Admin | SQL administrator on the SQL Server; used to install SQL Server. | Local Administrator on the SQL Server | Domain User
SQL_Services | Service account for the MSSQLSERVER and SQLSERVERAGENT services. | None | Domain User

Explanation

The difference between the Low Security and Medium Security options for SQL is that we now use two accounts, SQL_Admin and SQL_Services. The big improvement is that the account running the Database Engine and SQL Server Agent services is no longer a local administrator. Here is the account breakdown:

SQL_Admin is the main SQL administrator. It needs local Administrator rights to install SQL Server.

SQL_Services has no local rights; it only runs the SQL Server Agent and Database Engine Windows services.

For the SharePoint Server

Name | Description | Local / SQL Server Rights | Domain Rights
SP_Farm | The server farm account: configures and manages the server farm, acts as the application pool identity for the SharePoint Central Administration web site, and runs the Microsoft SharePoint Foundation Workflow Timer Service. | securityadmin and dbcreator on the SQL instance | Domain User
SP_Admin | The setup account: runs Setup and the SharePoint Products Configuration Wizard. | Local Administrator on all SharePoint servers; securityadmin and dbcreator on the SQL instance | Domain User
SP_Pool | Runs the Web Application pools. | None | Domain User
SP_Services | Runs the Service Application pools. | None | Domain User
SP_Crawl | Default Content Access Account for the Search Service Application. | None | Domain User
SP_Search | Runs the SharePoint Search Windows service. | None | Domain User
SP_UserProfiles | The User Profile Synchronization account. | None | Domain User with Replicate Directory Changes permission on the domain

Explanation

In the Medium Security option we add two accounts: SP_Admin and SP_Search. Instead of giving all the farm administration power to SP_Farm, SP_Admin installs and configures SharePoint 2013 and holds the local Administrator rights, while SP_Farm only runs the services and connects to the database. Likewise, instead of SP_Crawl both running the Windows service and holding Full Read on all web applications, SP_Search now runs the Windows service. Here is the breakdown of the accounts:

SP_Farm is a domain account that the SharePoint Timer service and the Central Administration web application use to access the SharePoint databases. It does not need to be a local administrator; the SharePoint Products Configuration Wizard grants it the minimal privilege it needs in the back-end SQL Server. The minimum SQL Server privilege is membership in the securityadmin and dbcreator server roles.

SP_Admin is the domain account you use to install and configure the farm and to run the SharePoint Products Configuration Wizard. It is the only account that requires local Administrator rights. For a least-privilege configuration it should be a member of the securityadmin and dbcreator roles on the SQL Server.

SP_Pool is a domain account used as the application pool identity for Web Applications, e.g. when you create a Web Application and a new pool for it, you select this account.

SP_Services is a domain account used for the Service Application pools, e.g. when you create a Managed Metadata Service application and a new pool for it, you select this account.

SP_Crawl is used by the Search Service Application to crawl content. The Search Service Application automatically grants this account read access on all Web Applications.

SP_Search runs the SharePoint Search Windows service.

SP_UserProfiles is the account used for User Profile Synchronization between the service application and Active Directory. It needs no local rights, but it must be granted Replicate Directory Changes on the domain for the synchronization to work.
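The Medium Security breakdown above as a provisioning script. This is an added example, not a script from the original post: it creates the accounts as plain Domain Users, gives local Administrator only to the two installer accounts, grants SP_Farm and SP_Admin exactly the securityadmin and dbcreator server roles, and grants SP_UserProfiles Replicate Directory Changes. The domain CONTOSO (DC=contoso,DC=com), the OU "OU=Service Accounts", the SQL instance SQL01 and the servers SP-WFE01 and SP-APP01 are hypothetical names; replace them with yours.

```powershell
# Added example, not part of the original post: provision the Medium Security Option
# accounts and grant each one only the rights listed in the tables above.
# Assumptions (hypothetical names): domain CONTOSO (DC=contoso,DC=com), target OU
# "OU=Service Accounts", default SQL instance on SQL01, SharePoint servers SP-WFE01 and SP-APP01.
# Run as a domain admin from a box with the ActiveDirectory (RSAT) and SqlServer/SQLPS modules.
Import-Module ActiveDirectory

$Domain      = 'CONTOSO'
$DomainDN    = 'DC=contoso,DC=com'
$TargetOU    = "OU=Service Accounts,$DomainDN"
$SqlInstance = 'SQL01'
$SPServers   = @('SP-WFE01', 'SP-APP01')

# Every account in the Medium Security tables; all start as plain Domain Users.
$Accounts = @('SQL_Admin', 'SQL_Services',
              'SP_Farm', 'SP_Admin', 'SP_Pool', 'SP_Services',
              'SP_Crawl', 'SP_Search', 'SP_UserProfiles')
$Password = Read-Host -AsSecureString -Prompt 'Initial password for the service accounts'

foreach ($Name in $Accounts) {
    # SharePoint does not accept service account names containing '$'; fail here, not in the wizard.
    if ($Name -like '*$*') { throw "Service account name '$Name' contains a dollar sign" }
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$Name'")) {
        New-ADUser -Name $Name -SamAccountName $Name -UserPrincipalName "$Name@contoso.com" `
                   -Path $TargetOU -AccountPassword $Password -Enabled $true `
                   -PasswordNeverExpires $true -CannotChangePassword $true `
                   -Description 'SharePoint 2013 service account'
    }
}

# Local Administrator only where an installer needs it: SQL_Admin on the SQL box,
# SP_Admin on the SharePoint servers. 'net localgroup' works on 2008 R2 and 2012,
# which have no Add-LocalGroupMember cmdlet.
Invoke-Command -ComputerName $SqlInstance -ScriptBlock { net localgroup Administrators "$using:Domain\SQL_Admin" /add }
Invoke-Command -ComputerName $SPServers   -ScriptBlock { net localgroup Administrators "$using:Domain\SP_Admin"  /add }

# SQL Server: SP_Farm and SP_Admin get securityadmin and dbcreator, and nothing else (no sysadmin).
$SqlBatch = foreach ($Acct in 'SP_Farm', 'SP_Admin') {
@"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Domain\$Acct')
    CREATE LOGIN [$Domain\$Acct] FROM WINDOWS;
ALTER SERVER ROLE securityadmin ADD MEMBER [$Domain\$Acct];
ALTER SERVER ROLE dbcreator     ADD MEMBER [$Domain\$Acct];
"@
}
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query ($SqlBatch -join "`n")

# SP_UserProfiles: the one extra domain right. dsacls grants the control access right (CA)
# "Replicating Directory Changes" on the domain partition; no local rights anywhere.
dsacls $DomainDN /G "$Domain\SP_UserProfiles:CA;Replicating Directory Changes"
```

The SQL batch uses the SQL Server 2012+ ALTER SERVER ROLE syntax, which matches the SQL Server 2014 back end this farm uses; on older instances use sp_addsrvrolemember instead. Nothing here puts SP_Farm, the pool accounts or the SQL service accounts into local Administrators, which is the point of the Medium option.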

High Security Option

Summary

The High Security Option provides the best security and, of course, the most service accounts. It adds only a small amount of extra security over the Medium option, but that extra separation may be required in some scenarios.

For the SQL Server

Name | Description | Local Rights | Domain Rights
SQL_Admin | SQL administrator on the SQL Server; used to install SQL Server. | Local Administrator on the SQL Server | Domain User
SQL_Agent | Service account for the SQL Server Agent service. | None | Domain User
SQL_Engine | Service account for the Database Engine service. | None | Domain User

Explanation

The difference between the Medium and High Security options is that the two base SQL services now each run under their own account, SQL_Agent and SQL_Engine. Nothing changes for SQL_Admin.

SQL_Admin is the main SQL administrator. It needs local Administrator rights to install SQL Server.

SQL_Agent has no local rights; it only runs the SQL Server Agent Windows service.

SQL_Engine has no local rights; it only runs the Database Engine Windows service.

For the SharePoint Server

Name | Description | Local / SQL Server Rights | Domain Rights
SP_Farm | The server farm account: configures and manages the server farm, acts as the application pool identity for the SharePoint Central Administration web site, and runs the Microsoft SharePoint Foundation Workflow Timer Service. | securityadmin and dbcreator on the SQL instance | Domain User
SP_Admin | The setup account: runs Setup and the SharePoint Products Configuration Wizard. | Local Administrator on all SharePoint servers; securityadmin and dbcreator on the SQL instance | Domain User
SP_Pool | Runs the Web Application pools. | None | Domain User
SP_Services | Runs the Service Application pools. | None | Domain User
SP_Crawl | Default Content Access Account for the Search Service Application. | None | Domain User
SP_Search | Runs the SharePoint Search Windows service. | None | Domain User
SP_MySitePool | Application pool identity for the My Sites Web Application. | None | Domain User
SP_UserProfiles | The User Profile Synchronization account. | None | Domain User with Replicate Directory Changes permission on the domain

Explanation

On the SharePoint side, the only difference between the Medium and High Security options is a separate account for the Web Application pool hosting My Sites, since that web application has a different security policy from the others. Only the new account is detailed in the breakdown:

SP_MySitePool is a domain account used as the application pool identity for the My Sites Web Application. It is very similar to SP_Pool but is used only for the My Sites Web Application, so a compromise of the general pool identity does not reach the My Sites content and vice versa.
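A farm that was set up by hand rarely matches its design document, so here is an audit script that checks a running farm against the SQL and SharePoint tables of the High Security option (set the two SQL service identities to SQL_Services to audit the Medium option). This is an added example, not a script from the original post; the domain CONTOSO, the SQL box SQL01 and the servers SP-WFE01 and SP-APP01 are hypothetical names, and the assumption that SQL_Admin holds sysadmin follows from its role as the SQL administrator in the tables rather than from anything the tables state explicitly.

```powershell
# Added audit example, not part of the original post: report every place where a running
# farm deviates from the least-privilege tables above.
# Assumptions (hypothetical names): domain CONTOSO, default SQL instance on SQL01,
# SharePoint servers SP-WFE01 and SP-APP01. Run with an account that can query WMI on the
# servers and read sys.server_role_members on the instance (SqlServer/SQLPS for Invoke-Sqlcmd).
$Domain    = 'CONTOSO'
$SqlServer = 'SQL01'
$SPServers = @('SP-WFE01', 'SP-APP01')

# Expected Windows service identities from the High Security tables.
# SPTimerV4 is the SharePoint Timer service, OSearch15 the SharePoint Server Search 15 service.
$ExpectedSqlServices = @{ 'MSSQLSERVER' = "$Domain\SQL_Engine"; 'SQLSERVERAGENT' = "$Domain\SQL_Agent" }
$ExpectedSPServices  = @{ 'SPTimerV4'   = "$Domain\SP_Farm";    'OSearch15'      = "$Domain\SP_Search" }

# Fixed server roles each account may hold. SQL_Admin is assumed to be sysadmin because it
# administers the instance; the two SharePoint accounts get only securityadmin and dbcreator.
$AllowedRoles = @{
    "$Domain\SQL_Admin" = @('sysadmin')
    "$Domain\SP_Farm"   = @('securityadmin', 'dbcreator')
    "$Domain\SP_Admin"  = @('securityadmin', 'dbcreator')
}

# Accounts that must never be local Administrators on any farm server.
$NoLocalAdmin = @('SQL_Engine', 'SQL_Agent', 'SQL_Services', 'SP_Farm', 'SP_Pool', 'SP_Services',
                  'SP_Crawl', 'SP_Search', 'SP_MySitePool', 'SP_UserProfiles') |
                ForEach-Object { "$Domain\$_" }

function Get-LocalAdministrators([string]$Computer) {
    # The WinNT provider works back to Windows 2008 R2, where Get-LocalGroupMember does not exist.
    $Group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($Member in $Group.psbase.Invoke('Members')) {
        $Path = $Member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $Member, $null)
        ($Path -replace '^WinNT://', '') -replace '/', '\'   # WinNT://CONTOSO/SP_Admin -> CONTOSO\SP_Admin
    }
}

function Test-ServerAccounts([string]$Computer, [hashtable]$ExpectedServices) {
    # Finding 1: a service account sitting in the local Administrators group.
    $Admins = Get-LocalAdministrators $Computer
    foreach ($Acct in $NoLocalAdmin) {
        if ($Admins -contains $Acct) { "$Acct is a local Administrator on $Computer" }
    }
    # Finding 2: a Windows service running under the wrong identity.
    $Filter = ($ExpectedServices.Keys | ForEach-Object { "Name='$_'" }) -join ' OR '
    foreach ($Svc in Get-WmiObject Win32_Service -ComputerName $Computer -Filter $Filter) {
        $Expected = $ExpectedServices[$Svc.Name]
        if ($Svc.StartName -ne $Expected) { "$Computer\$($Svc.Name) runs as $($Svc.StartName), expected $Expected" }
    }
}

function Test-SqlServerRoles {
    # Finding 3: a domain login holding a fixed server role it is not supposed to have.
    $Query = @"
SELECT m.name AS MemberName, r.name AS RoleName
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE m.type_desc = 'WINDOWS_LOGIN' AND m.name LIKE N'$Domain\%'
"@
    foreach ($Row in Invoke-Sqlcmd -ServerInstance $SqlServer -Query $Query) {
        $Allowed = $AllowedRoles["$($Row.MemberName)"]
        if (-not $Allowed -or $Allowed -notcontains $Row.RoleName) {
            "$($Row.MemberName) holds server role $($Row.RoleName) on $SqlServer"
        }
    }
}

$Findings = @(Test-ServerAccounts $SqlServer $ExpectedSqlServices) + @(Test-SqlServerRoles)
foreach ($Server in $SPServers) { $Findings += Test-ServerAccounts $Server $ExpectedSPServices }
if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else           { 'Service accounts match the least-privilege tables.' }
```

The most common finding in practice is the second one: SP_Farm or SP_Crawl left in local Administrators after someone used it to troubleshoot, which silently turns the Medium option back into the Low one. Run the audit after every patch cycle, not only after the initial build.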


Recommended Service Accounts for SharePoint 2013

Applies to: SharePoint Server 2013, SharePoint Foundation 2013

This article describes the SharePoint administrative and service accounts and the rights they need in Microsoft SQL Server, the file system, file shares, and registry entries.

Important: do not use service account names that contain the symbol $.
Service Accounts

Service accounts are Active Directory domain accounts. Their names should follow a naming standard and should differ for each environment, i.e. development, UAT and production. The rights are to be configured via Group Policy.

Here are the list of recommended service accounts.

Account | Name | Description
Setup | SP_Setup | The setup account: runs Setup and the SharePoint Products Configuration Wizard and configures the server farm.
Farm | SP_Farm | The server farm account: runs the SharePoint Products Configuration Wizard, manages the server farm, acts as the application pool identity for the SharePoint Central Administration web site, and runs the Microsoft SharePoint Foundation Workflow Timer Service.
Pool | SP_AppPool | Runs the Web Application pools.
Services | SP_Services | Runs the Windows services.
Excel Services | SP_Excel | Service account for Excel Services.
Visio Services | SP_Visio | Service account for Visio Services.
PerformancePoint | SP_PerPoint | Service account for PerformancePoint Services.
User Profile Service | SP_Profile | AD service account that runs the SharePoint User Profile Service (UPS) Service Application.
Search Service | SP_Search | Service account that runs the SharePoint Search Windows service.
Default Content Access | SP_Crawl | Default Content Access Account for the Search Service Application.
My Site | SP_MyPool | Application pool account for the My Sites Web Application.
Visio Graphics | SP_VisioU | Unattended Service Account for Visio Graphics.
Excel | SP_ExcelU | Unattended Service Account for Excel Services.
PowerPivot | SP_PowPivtU | Unattended Service Account for PowerPivot.
Claims to Windows Token | SP_C2WTS | Account that runs the Claims to Windows Token Service.
