The Top 5 Infrastructure Concerns of a SharePoint Environment

Michael NoelConvergent ComputingTwitter: @MichaelTNoel

Michael Noel Author of SAMS Publishing titles “SharePoint 2010 Unleashed,” “SharePoint

2007 Unleashed,” “SharePoint 2003 Unleashed”, “Teach Yourself SharePoint 2003 in 10 Minutes,” “Windows Server 2008 R2 Unleashed,” “Exchange Server 2010 Unleashed”, “ISA Server 2006 Unleashed”, and many other titles .

Partner at Convergent Computing (www.cco.com / +1(510)444-5700) – San Francisco Bay Area based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security

Top 5 Infrastructure Concerns

Data Management

Server and Farm Sprawl

Security

Upgrade and MigrationHigh Availability/Disaster Recovery

1

2

3

4

5

CONCERN #1DATA MANAGEMENT

SharePoint Content Growth Issues

SharePoint Products and Technologies are growing faster than any other MS product

SharePoint Document Management environments are on the rise

All of that content is being stored in SharePoint Content Databases

SharePoint Content Database Limitations

Every version of every document in SharePoint is stored in full in the content database

This can lead to Content Databases growing in size quickly

Microsoft recommends 100GB-200GB max for Content DBs

Site Collections can only reside in a single Content DB.

Binary Large OBject (BLOB) Storage

BLOBs are unstructured content stored in SQL Includes all documents, pictures, and files

stored in SharePoint Excludes Metadata and Context, information

about the document, version #, etc. Until recently, could not be removed from

SharePoint Content Databases Classic problem of structured vs. unstructured

data – unstructured data doesn’t really belong in a SQL Server environment

Getting your BLOBs out of SharePoint Can reduce dramatically the size of Content DBs, as

upwards of 80%-90% of space in content DBs is composed of BLOBs

Can move BLOB storage to more efficient/cheaper storage

Improve performance and scalability of your SharePoint deployment

CONCERN #2SERVER AND FARM SPRAWL

Infrastructure Sprawl and Scalability•SharePoint Environments generally need

more than one farm•Dev, Test, and Prod Farms and a Minimum•Can lead to Server and Storage Sprawl

Multiple Farms

•Multiple Servers in a farm for DR•Data in Multiple locations•Dedicated Servers for specific tasks

Servers for HA and

DR

•SharePoint 2010 much more scalable•Scale up and scale out•Use Service Application architecture to expand

Scalability

2 Dedicated Web Servers (NLB)

2 Service Application Servers

2 Database Servers (Clustered or Mirrored)

1 or 2 Index Partitions with equivalent query components

SharePoint 2010 ArchitectureBest Practice “Six Server Farm”

SharePoint 2010 ArchitectureScalable to Large Farms

Multiple Dedicated Web Servers

Multiple Dedicated Service App Servers

Multiple Dedicated Query Servers

Multiple Dedicated Crawl Servers, with multiple Crawl DBs to increase parallelization of the crawl process

Multiple distributed Index partitions (max of 10 million items per index partition)

Two query components for each Index partition, spread among servers

Service Application Matrix

Service applications Description SharePoint Foundation 2010

SharePoint Server 2010 Standard

SharePoint Server 2010 Enterprise

Access ServicesLets users view, edit, and interact with Access 2010 databases in a Web browser.

X

Business Data Connectivity service

Gives access to line-of-business data systems. X X X

Excel Services Application

Lets users view and interact withExcel 2010 files in a Web browser.

X

Managed Metadata service

Manages taxonomy hierarchies, keywords and social tagging infrastructure, and publish content types across site collections.

X X

PerformancePoint Service Application

Provides the capabilities of PerformancePoint. X

Search serviceCrawls content, produces index partitions, and serves search queries.

X X

Secure Store serviceProvides single sign-on authentication to access multiple applications or services.

X X

State serviceProvides temporary storage of user session data for SharePoint Server components.

X X

Usage and Health Data Collection service

Collects farm wide usage and health data, and provides the ability to view various usage and health reports.

X X X

User Profile serviceAdds support for My Site Web sites, profile pages, social tagging and other social computing features.

X X

Visio Graphics ServiceLets users view and refresh published Visio 2010 diagrams in a Web browser.

X

Web Analytics service Provides Web service interfaces. X XWord Automation Services

Performs automated bulk document conversions. X X

Microsoft SharePoint Foundation Subscription Settings Service

Provides multi-tenant functionality for service applications. Tracks subscription IDs and settings for services that are deployed in partitioned mode. Deployed through Windows PowerShell only.

X X X

Tool for Combating Sprawl?– Server Virtualization•Direct Server over consumption /

Utility Bills / “Greener” technology•Less Physical space to consume •Less cost to cool multiple servers

Reduce Costs

•Reduce number of physical servers•Get rid of legacy hardware•Dedicated specialty servers and SAN storage

Consolidate /

Dedicate

•Optimized use of memory/processor•No proliferation of disk volumes•Large number of servers can run on a single box•De-Dup Technologies and Clone capabilities for Test/Dev

Optimize Investme

nt

Allows Organizations that wouldn’t normally be able to have a test environment to run one

Allows for separation of the database role onto a dedicated server Can be more easily scaled out in the future

Virtualized Farm ArchitectureCost-effective Virtual Environment / No HA

High-Availability across Hosts

All components Virtualized

Uses only two Windows Ent Edition Licenses

Can take advantage of various storage options

Virtualized Farm ArchitectureHighly Available Farm with only Two Servers

Highest transaction servers are physical

Multiple farm support, with DBs for all farms on the SQL cluster

Tie into consolidate storage tier

Virtualized Farm ArchitectureBest Practice Virtual/Physical with HA/Perf

CONCERN #3SECURITY

Address all Layers of Security

Infrastructure Security and Best Practices Best Practice Service Account Setup Kerberos Authentication

Data Security SharePoint Security ACLs and Role Based Access

Control (RBAC) Transparent Data Encryption (TDE) of SQL Databases

Transport Security Secure Sockets Layer (SSL) from Server to Client IPSec from Server to Server Inbound Internet Security (Forefront UAG/TMG) / Certs

Rights Management

Use Multiple Service AccountsSample Service Accounts

Service Account Name Role of Service Account

Special Permissions

COMPANYABC\SRV-SP-Setup SharePoint Installation Account

Local Admin on all SharePoint servers

COMPANYABC\SRV-SP-SQL SQL Service Account Local Admin on Database Serverr(s)

COMPANYABC\SRV-SP-Farm SharePoint Farm Account;Application Pool Identity account for the Central Admin App Pool

N/A

COMPANYABC\SRV-SP-Search Search Account N/ACOMPANYABC\SRV-SP-Content Default Content Access

AccountRead rights to any external data sources to be crawled

COMPANYABC\SRV-SP-Prof Default Profiles Content Account

Member of Domain Users (to be able to read attributes from users in domain.

COMPANYABC\SRV-SP-MySite Application Pool Identity account for the MySite App Pool

N/A

COMPANYABC\SRV-SP-Home Application Pool Identity account for the Home App Pool

N/A

When creating any Web Applications for Content, USE KERBEROS. It is much more secure and also faster with heavy loads as the SP server doesn’t have to keep asking for auth requests from AD.

Kerberos auth does require extra steps, which makes people shy away from it, but once configured, it improves security considerably and can improve performance on high-load sites.

KerberosBest practice: Enable Kerberos!

Use SharePoint-Aware Antivirus

Protecting the Edge

DirectAccess

HTTPS (443)

Layer3 VPN

Business Partners /Sub-Contractors

AD, ADFS, RADIUS, LDAP….

Home / Friend / Kiosk

Employees Managed Machines

Mobile

Exchange

CRM

SharePoint

IIS based

IBM, SAP, Oracle

Terminal / Remote Desktop Services

Non web

HTTPS /

HTTP

NPS, ILM

Internet

Transparent Data Encryption (TDE) New in SQL Server

2008 Only Available

with the Enterprise Edition

Seamless Encryption of Individual Databases

Transparent to Applications, including SharePoint

Transparent Data Encryption (TDE) When enabled, encrypts Database, log file,

any info written to TempDB, snapshots, backups, and Mirrored DB instance, if applicable

Operates at the I/O level through the buffer pool, so any data written into the MDF is encrypted

Can be selectively enabled on specific databases

Backups cannot be restored to other servers without a copy of the private key, stolen MDF files are worthless to the thief

Easier Administration, Minimal server resources required (3%-5% performance hit)

Rights Protection of ContentActive Directory Rights Management Services AD RMS is a form of Digital Rights

Management (DRM) technology, used in various forms to protect content

Used to restrict activities on files AFTER they have been accessed: Cut/Paste Print Save As…

Directly integrates with SharePoint DocLibs

CONCERN #4UPGRADE AND MIGRATION

Upgrade and Migration Data Management Challenges

Most risk-averse migration/upgrade approach is Database Attach model or 3rd Party tool model

Requires double the current amount of disk space as the new farm needs to be built as a ‘greenfield’

Disk IO levels are also generally higher in SharePoint 2010

CONCERN #5HIGH AVAILABILITY AND DISASTER

RECOVERY

High Availability at the 3 Tiers

Web = Network Load Balancing (Hardware or Software)

Service Application = Install on Multiple Systems

Data = MCSC Clustering or High Availability Mirroring

Mirroring vs. Clustering

Clustering is Shared Storage, can’t survive storage failure, makes Mirroring more attractive

Clustering fails over quicker Mirroring is not supported for all

databases, but Clustering is Both Clustering and Mirroring can be

used at the same time

Introduced in SQL 2005 SP1 Greatly improved in SQL 2008 and now SQL 2008 R2 Available in Enterprise and Standard (Synchronous

only) editions Works by keeping a mirror copy of a database or

databases on two servers Can be used locally, or the mirror can be remote Can be set to use a two-phase commit process to

ensure integrity of data across both servers Can be combined with traditional shared storage

clustering to further improve redundancy SharePoint 2010 is now Mirroring aware!

SQL Database MirroringProviding for HA and DR for SharePoint Content

Mirroring Limitations

Some Service Apps store data outside of the data tier, including: Excel Services Application Access Services

If a Service App Server hosting these functions goes down, the end user is affected (for that session only.) They can still use another server to re-initiate the session

Only Content DBs and the Secure Store DB are supported for Asynchronous Mirroring

All DBs except a few minor ones are supported for Synchronous Mirroring

Single Site HA Mirrored Farm

Single Site Synchronous

Replication Uses a SQL

Witness Server to Failover Automatically

Mirror all SharePoint DBs in the Farm

Use a SQL Alias to switch to Mirror Instance

Cross-Site Mirrored HA Farm

Two Sites 1 ms

Latency 1GB

Bandwidth

Farm Servers in each location

Auto Failover

Two Farm / Mirrored Content DBs

Two Sites Two

Farms Mirror

only Content DBs

Failover is Manual

Must Re-index and recreate Svc. Apps

Configuring the FarmNetwork Load Balancing

Hardware Based Load Balancing (F5, Cisco, Citrix NetScaler – Best performance and scalability

Software Windows Network Load Balancing fully supported by MS, but requires Layer 2 VLAN (all packets must reach all hosts.) Layer 3 Switches must be configured to allow Layer 2 to the specific VLAN.

If using Unicast, use two NICs on the server, one for communications between nodes.

If using Multicast, be sure to configure routers appropriately

Set Affinity to Single (Sticky Sessions) If using VMware, note fix to NLB RARP issue (

http://tinyurl.com/vmwarenlbfix)

Clustering Best PracticeTake Advantage of both Nodes on SQL Server

For More Information

SharePoint 2010 Unleashed (SAMS Publishing) http://www.samspublishing.com

Microsoft ‘Virtualizing SharePoint Infrastructure’ Whitepaper http://tinyurl.com/virtualsp

Microsoft ‘SQL RBS’ Whitepaperhttp://tinyyurl.com/remoteblobsp

Microsoft SQL Mirroring Case Studyhttp://tinyurl.com/mirrorsp

Failover Mirror PowerShell Scripthttp://tinyurl.com/failovermirrorsp

Contact us at CCO.com

Thanks!

Michael NoelTwitter: @MichaelTNoel

www.cco.com