2007
Microsoft Corporation
Published: March 2009
Author: Microsoft Office System and Servers Team (o12ITdx@microsoft.com)
Abstract
This book provides deployment instructions for Microsoft Office SharePoint Server 2007. The
audiences for this book include application specialists, line-of-business application specialists,
and IT administrators who are ready to deploy Office SharePoint Server 2007 and want
installation steps. Before using the instructions in this book you should read the Planning and
architecture for Office SharePoint Server (http://technet.microsoft.com/en-us/library/cc261834.aspx)
and plan your deployment. For a complete list of downloadable books for Office SharePoint
Server 2007, see Downloadable books for Office SharePoint Server 2007
(http://technet.microsoft.com/en-us/library/cc262788.aspx).
The content in this book is a copy of selected content in the Office SharePoint Server technical
library (http://go.microsoft.com/fwlink/?LinkId=84739) as of the publication date. For the most
current content, see the technical library on the Web.
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, email address, logo, person, place
or event is intended or should be inferred.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Access, Active Directory, Excel, Groove, InfoPath, Internet Explorer,
OneNote, Outlook, PowerPoint, SharePoint, SQL Server, Visio, Windows, Windows Server, and
Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents
Deployment for Office SharePoint Server 2007........................................................................1
Abstract..............................................................................................................................1
Contents...................................................................................................................................iii
Getting Help...........................................................................................................................xiv
Verify that servers meet hardware and software requirements........................................26
Run Setup and build the farm...........................................................................................28
Run Setup on the first server............................................................................................30
Run the SharePoint Products and Technologies Configuration Wizard............................31
Add the SharePoint Central Administration Web site to the list of trusted sites................32
Configure proxy server settings to bypass the proxy server for local addresses..............33
Add servers to the farm....................................................................................................33
Run the SharePoint Products and Technologies Configuration Wizard on additional servers......35
Start the Windows SharePoint Services Search service (optional)..................................35
Stop the Central Administration service on all index servers............................................36
Disable the Windows SharePoint Services Web Application service on all servers not serving content......36
Create and configure a Shared Services Provider..................................................................37
Start the Office SharePoint Server Search service..........................................................37
Create a Web application to host the SSP and create the SSP.......................................39
Perform additional configuration tasks....................................................................................40
Create a site collection and a SharePoint site........................................................................41
Configure the trace log...........................................................................................................46
Install Office SharePoint Server 2007 with least privilege administration by using the command line......111
Install software requirements................................................................................................112
Determine required accounts for least-privilege administration............................................112
Install Microsoft Office SharePoint Server 2007 by using least-privilege administration.......115
Configure the server by using the Psconfig command-line tool............................................117
Configure SharePoint Server 2007 on a stand-alone server..........................................117
Configure SharePoint Server 2007 on a farm.................................................................118
Perform additional configuration tasks..................................................................................120
Create a Shared Services Provider by using the Stsadm command-line tool.......................120
Create a site collection by using the Stsadm command-line tool..........................................123
Configure the trace log.........................................................................................................124
Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server 2008......135
Hardware and software requirements...................................................................................136
IIS 6.0 Management Compatibility role service..............................................................136
Microsoft .NET Framework version 3.0..........................................................................136
Perform installation steps.....................................................................................................137
Configure SharePoint Products and Technologies.........................................................138
Perform post-installation steps.............................................................................................140
Configure the trace log.........................................................................................................141
Configure Windows Server Backup......................................................................................142
Chapter overview: Install Office SharePoint Server 2007 in a server farm environment.......145
Suggested topologies...........................................................................................................145
Before you begin deployment...............................................................................................146
Overview of the deployment process....................................................................................147
Phase 1: Deploy and configure the server infrastructure...............................................147
Phase 2: Create and configure a Shared Services Provider..........................................148
Phase 3: Deploy and configure SharePoint site collections and sites............................148
Install Office SharePoint Server 2007 and run the SharePoint Products and Technologies configuration wizard......152
Recommended order of configuration..................................................................................152
Add servers to the farm..................................................................................................154
Run Setup on the first server................................................................................................154
Run the SharePoint Products and Technologies Configuration Wizard................................155
Add the SharePoint Central Administration Web site to the list of trusted sites....................157
Configure proxy server settings to bypass the proxy server for local addresses..................157
Add servers to the farm........................................................................................................157
Run the SharePoint Products and Technologies Configuration Wizard on additional servers......159
Start the Windows SharePoint Services Search service (optional).......................................160
Stop the Central Administration service on all index servers................................................160
Disable the Windows SharePoint Services Web Application service on all servers not serving content......161
Configure the Office SharePoint Server Search service.......................................................174
Server-level configuration.....................................................................................................174
Install protocol handlers.................................................................................................174
Install and register IFilters..............................................................................................175
Farm-level configuration.......................................................................................................177
Create crawler impact rules............................................................................................177
Configure farm-level search settings..............................................................................178
Configure the trace log...................................................................................................179
SSP-level configuration........................................................................................................180
Open the administration page for the SSP.....................................................................180
Specify the default content access account...................................................................180
Create content sources..................................................................................................180
Create crawl rules..........................................................................................................182
Reorder your crawl rules................................................................................................183
Configure the file type inclusions list..............................................................................184
Crawl the content...........................................................................................................184
Create managed properties............................................................................................185
Create shared scopes....................................................................................................186
Create scope rules.........................................................................................................187
Specify authoritative pages............................................................................................191
Create server name mappings.......................................................................................192
Manage search-based alerts..........................................................................................192
Site collection–level configuration.........................................................................................193
Create scopes at the site collection level.......................................................................193
Create scope rules at the site collection level................................................................194
Manage display groups..................................................................................................196
Create keywords and Best Bets.....................................................................................198
A. Configure personalization.................................................................................................200
Configure user profiles.........................................................................................................213
Configure business data search...........................................................................................248
Ensure availability of business data......................................................................................248
Configure and crawl business data content sources............................................................248
Configure and customize query options for business data...................................................249
Chapter overview: Additional configuration tasks.................................................................272
Configure additional administrative settings.........................................................................272
Configure and start the Microsoft Single Sign-On service....................................................298
Configure Single Sign-On for Office SharePoint Server 2007..............................................299
Manage the encryption key...................................................................................................301
Create a new encryption key..........................................................................................301
Back up an encryption key.............................................................................................302
Restore an encryption key.............................................................................................302
Manage enterprise application definitions............................................................................302
Manage account information for an enterprise application definition....................................303
Configure authentication.......................................................................................................306
Office SharePoint Server authentication...............................................................................306
Windows authentication provider..........................................................................................307
Forms authentication provider..............................................................................................310
Web single sign-on (SSO) authentication provider...............................................................310
About Kerberos authentication.............................................................................................338
Before you begin..................................................................................................................339
Software version requirements.......................................................................................340
Known issues.................................................................................................................340
Additional background....................................................................................................341
Server farm topology......................................................................................................342
Active Directory, computer naming, and NLB conventions.............................................343
Active Directory domain account conventions................................................................344
Preliminary configuration requirements..........................................................................345
Configure Kerberos authentication for SQL communications...............................................345
Create the SPNs for your SQL Server service account..................................................346
Confirm Kerberos authentication is used to connect servers running Office SharePoint Server 2007 to SQL Server......346
Configure Internet Explorer to include port numbers in Service Principal Names.................348
Create Service Principal Names for your Web applications using Kerberos authentication. 349
Deploy the server farm.........................................................................................................350
Install Office SharePoint Server 2007 on all of your servers..........................................350
Run the SharePoint Products and Technologies Configuration Wizard and create a new farm......351
Run the SharePoint Products and Technologies Configuration Wizard and join the other servers to the farm......353
Configure services on servers in your farm..........................................................................354
Windows SharePoint Services Search...........................................................................354
Index server...................................................................................................................354
Query server..................................................................................................................355
Create Web applications using Kerberos authentication......................................................355
Create the portal site Web application............................................................................355
Create the My Site Web application...............................................................................356
Create the Shared Services Administration site Web application...................................356
Create a site collection using the Collaboration Portal template in the portal site Web application......357
Create a Shared Services Provider for your farm.................................................................358
Confirm successful access to the Web applications using Kerberos authentication.............358
Confirm correct Search Indexing functionality......................................................................361
Confirm correct Search Query functionality..........................................................................361
Configure your SSP infrastructure for Kerberos authentication............................................362
Register new custom-format SPNs for your SSP service account in Active Directory..........363
Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos authentication......364
Add a new registry key to all of your servers running Office SharePoint Server to enable generation of the new custom-format SPNs......364
Confirm Kerberos authentication for root-level shared services access...............................365
Confirm Kerberos authentication for virtual-directory-level shared services access.............366
Configuration limitations.......................................................................................................368
Additional resources and troubleshooting guidance ............................................................368
Getting Help
Every effort has been made to ensure the accuracy of this book. This content is also available
online in the Office System TechNet Library, so if you run into problems you can check for
updates at:
http://technet.microsoft.com/office
If you do not find your answer in our online content, you can send an e-mail message to the
Microsoft Office System and Servers content team at:
o12ITdx@microsoft.com
If your question is about Microsoft Office products, and not about the content of this book, please
search the Microsoft Help and Support Center or the Microsoft Knowledge Base at:
http://support.microsoft.com
Roadmap to Office SharePoint Server 2007 content
In this section:
• Office SharePoint Server 2007 content by audience
• Office SharePoint Server 2007 IT professional content by stage of the IT life cycle
Additionally, there is information for all users of SharePoint Products and Technologies at the
following community and blog sites.
• SharePoint Products and Technologies community portal — a central place for community
information (blogs, newsgroups, and so on) about SharePoint Products and Technologies
(http://go.microsoft.com/fwlink/?LinkId=88915&clcid=0x409)
• SharePoint Products and Technologies team blog — a group blog from the teams who
develop the SharePoint Products and Technologies
(http://go.microsoft.com/fwlink/?LinkId=88916&clcid=0x409)
• Support Center for Microsoft Office SharePoint Server 2007 — a central place for issues
and solutions from Microsoft Help and Support
(http://go.microsoft.com/fwlink/?LinkId=89555&clcid=0x409)
Evaluate
During the evaluation stage, IT professionals (including decision makers, solution architects, and
system architects) focus on understanding a new technology and evaluate how it can help them
address their business needs. The following table lists resources that are available to help you
evaluate Office SharePoint Server 2007.
Content: Online content
Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.
Links: Product evaluation for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89180&clcid=0x409)
Plan
During the planning stage, IT professionals have different needs depending on their role within an
organization. If you are focused on designing a solution, including determining the structure,
capabilities, and information architecture for a site, you might want information that helps you to
determine which capabilities of Office SharePoint Server 2007 you want to take advantage of,
and that helps you to plan for those capabilities and to tailor the solution to your organization's
needs. On the other hand, if you are focused on the hardware and network environment for your
solution, you might want information that helps you to structure the server topology, plan
authentication methods, and understand system requirements for Office SharePoint Server 2007.
We have planning content, including worksheets, to address both of these needs.
The following table lists resources that are available to help you plan for using Office SharePoint
Server 2007.
Content: Online content
Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.
Links: Planning and architecture for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89404&clcid=0x409)

Content: Planning Guide, Part 1
Description: Provides in-depth planning information for application administrators designing a solution based on Office SharePoint Server 2007.
Links: Planning and architecture for Office SharePoint Server, part 1 (http://go.microsoft.com/fwlink/?LinkID=79552)

Content: Planning Guide, Part 2
Description: Provides in-depth planning information for IT professionals designing the environment to host a solution based on Office SharePoint Server 2007.
Links: Planning and architecture for Office SharePoint Server, part 2 (http://go.microsoft.com/fwlink/?LinkID=85548)
Deploy
During the deployment stage, you configure your environment, install Office SharePoint Server
2007, and then start creating SharePoint sites. Depending on your environment and your
solution, you may have several configuration steps to perform for your servers, for your Shared
Services Providers, and for your sites. Additionally, you may have templates, features, or other
custom elements to deploy into your environment.
The process of upgrading from a previous version product, such as Microsoft Office SharePoint
Portal Server 2003, Microsoft Content Management Server 2002, or Windows SharePoint
Services, is also part of the deployment stage of the IT life cycle, and we have content that
addresses planning for upgrade, performing the upgrade, and performing post-upgrade steps.
The following table lists resources that are available to help you deploy or upgrade to Office
SharePoint Server 2007.
Content: Online content
Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.
Links: Deployment for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=76139&clcid=0x409)

Content: Migration and Upgrade for SharePoint
Description: Provides cross-audience (IT and developer)
Links: Migration and Upgrade Information for SharePoint Developers
Operate
After deployment, in which you install and configure your environment, you move to the
operations stage. During this stage, you are focused on the day-to-day monitoring, maintenance
and tuning of your environment.
The following table lists resources that are available to help with day-to-day operations for Office
SharePoint Server 2007.
Content: Online content
Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.
Links: Operations for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89407&clcid=0x409)

Content: Online content
Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.
Links: Security and protection for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89408&clcid=0x409)
Technical Reference
Technical reference information supports the content for each of the IT life cycle stages by
providing the technical information you need to work with Office SharePoint Server 2007. For
example, the Technical Reference content has information about how permissions work, how to
perform operations from the command line, and how to use Setup.exe from the command line.
The following table lists resources that are available to help you use Office SharePoint Server
2007.
Content: Online content
Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.
Links: Technical Reference for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89445&clcid=0x409)
Deployment worksheets for Office
SharePoint Server 2007
In this section:
• Deployment worksheets by task
• Deployment worksheets by title
This section provides links to worksheets that you can use to record information that you gather
and decisions that you make as you perform your deployment of Microsoft Office SharePoint
Server 2007. Use these worksheets in conjunction with — not as a substitute for — Deployment
for Office SharePoint Server 2007.
Chapter overview: Create and configure Shared Services Providers
Deploy and configure SharePoint sites
For this task / Use this worksheet / To do this

Use this worksheet: Estimate database space and time for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73752&clcid=0x409)
To do this: Record current database sizes and estimate how much space you need for upgrade.

For this task: Upgrading to Office SharePoint Server 2007
Use this worksheet: Estimate database space and time for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73752&clcid=0x409)
To do this: Record current database sizes and estimate how much space you need for upgrade.
Use this worksheet / For this task / To do this
I. End-to-end deployment scenarios
Chapter overview: End-to-end deployment
scenarios
This chapter provides information and directions for deploying Microsoft Office SharePoint Server
2007 as an end-to-end solution, whether on a single computer or on a simple server farm. This
chapter does not discuss more complex deployments. For information about deploying Office
SharePoint Server 2007 in a large server farm, see Deploy in a simple server farm.
The articles in this chapter include:
• Install Office SharePoint Server 2007 on a stand-alone computer discusses how to install Office SharePoint Server
2007 on a single-server computer running the Windows Server 2003 operating system. A
stand-alone configuration is useful if you want to evaluate Office SharePoint Server 2007
features and capabilities, such as collaboration, document management, and search. A
stand-alone configuration is also useful if you are deploying a small number of Web sites and
you want to minimize administrative overhead.
• Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server
2008 discusses how to install Office SharePoint Server 2007 on a single-server computer
running the Windows Server 2008 operating system. A stand-alone configuration is useful if
you want to evaluate Office SharePoint Server 2007 features and capabilities, such as
collaboration, document management, and search. A stand-alone configuration is also useful
if you are deploying a small number of Web sites and you want to minimize administrative
overhead.
• Deploy in a simple server farm discusses how to do a clean installation of Office
SharePoint Server 2007 in a server farm environment on the Windows Server 2003 operating
system. You can deploy in a server farm environment if you are hosting a large number of
sites, if you want the best possible performance, or if you want the scalability of a multi-tier
topology. A server farm consists of one or more servers dedicated to running the Office
SharePoint Server 2007 applications.
• Deploy a simple farm on the Windows Server 2008 operating system discusses how to do a clean installation of Office
SharePoint Server 2007 in a server farm environment on the Windows Server 2008 operating
system. You can deploy in a server farm environment if you are hosting a large number of
sites, if you want the best possible performance, or if you want the scalability of a multi-tier
topology. A server farm consists of one or more servers dedicated to running the Office
SharePoint Server 2007 applications.
• Deploy using DBA-created databases discusses how to deploy Office SharePoint Server
2007 in an environment in which database administrators (DBAs) create and manage
databases. This section discusses how DBAs can create these databases and how farm
administrators configure them. The deployment includes all the required databases, one
portal site, a Shared Services Administration Web site, My Sites, and one Shared Services
Provider (SSP).
• Install Office SharePoint Server 2007 by using the command line discusses how to use the command-line tools
Setup.exe, Psconfig.exe, and Config.xml, to install and configure Office SharePoint Server
2007 from the command prompt window.
• Install Office SharePoint Server 2007 with least privilege administration by using the
command line discusses how to install Office SharePoint Server 2007 from the command
prompt window while granting the user the least privileges necessary.
• Migrate a stand-alone installation to a server farm installation discusses the process for
moving from a stand-alone installation to a server farm installation. This process consists of
creating a new server farm, and then migrating the data from your stand-alone server to the
new farm.
Install Office SharePoint Server 2007 on a
stand-alone computer
In this section:
• Hardware and software requirements
• Configure the server as a Web server
• Install and configure Office SharePoint Server 2007 with Microsoft SQL Server 2005
Express Edition
• Post-installation steps
Important:
This section discusses how to install Microsoft Office SharePoint Server 2007 on a single
computer as a stand-alone installation. It does not cover installing Office SharePoint
Server 2007 in a farm environment, upgrading from previous releases of Office
SharePoint Server 2007, or how to upgrade from SharePoint Portal Server 2003. For
information about how to do this, see the following:
Deploy in a simple server farm
Upgrading to Office SharePoint Server 2007 (http://technet.microsoft.com/en-
us/library/cc303420.aspx)
You can quickly publish a SharePoint site by deploying Office SharePoint Server 2007 on a single
server computer. A stand-alone configuration is useful if you want to evaluate Office SharePoint
Server 2007 features and capabilities, such as collaboration, document management, and
search. A stand-alone configuration is also useful if you are deploying a small number of Web
sites and you want to minimize administrative overhead. When you deploy Office SharePoint
Server 2007 on a single server using the default settings, the Setup program automatically
installs Microsoft SQL Server 2005 Express Edition and uses it to create the configuration
database and content database for your SharePoint sites. In addition, the Setup program creates
a Shared Services Provider (SSP), installs the SharePoint Central Administration Web site and
creates your first SharePoint site collection and site.
Note:
There is no direct upgrade from a stand-alone installation to a farm installation.
Configure the server as a Web server
Before you install and configure Office SharePoint Server 2007, you must install and configure
the required software. This includes installing and configuring Internet Information Services (IIS)
so your computer acts as a Web server, installing the Microsoft .NET Framework version 3.0, and
enabling ASP.NET 2.0.
Note:
The Run WWW in IIS 5.0 isolation mode check box is only selected if you have
upgraded to IIS 6.0 on Windows Server 2003 from IIS 5.0 on Microsoft Windows
2000. New installations of IIS 6.0 use IIS 6.0 worker process isolation mode by
default.
download and install the appropriate version for your computer. The .NET Framework version 3.0
download contains the Windows Workflow Foundation technology, which is required by workflow
features.
Note:
You can also use the Microsoft .NET Framework version 3.5. You can download the
.NET Framework version 3.5 from the Microsoft Web site (http://go.microsoft.com/fwlink/?
LinkId=110508).
Notes
• If you uninstall Office SharePoint Server 2007 and then later install Office
SharePoint Server 2007 on the same computer, the Setup program could fail when
creating the configuration database, causing the entire installation process to fail. You can
prevent this failure by either deleting all the existing Office SharePoint Server 2007
databases on the computer or by creating a new configuration database. You can create
a new configuration database by running the following command:
psconfig -cmd configdb -create -database <uniquename>
Run Setup
1. From the product disc, run Setup.exe, or from the product download, run
Officeserver.exe.
2. On the Enter your Product Key page, enter your product key, and then click
Continue.
Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup places a red circle next to the text box and displays a message
that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Basic to install to the default
location. To install to a different location, click Advanced, and then on the File Location
tab, specify the location you want to install to and finish the installation.
5. When Setup finishes, a dialog box prompts you to complete the configuration of your
server. Be sure that the Run the SharePoint Products and Technologies
Configuration Wizard now check box is selected.
6. Click Close to start the configuration wizard.
Note:
If you are prompted for your user name and password, you might need to add the
SharePoint site to the list of trusted sites and configure user authentication
settings in Internet Explorer. Instructions for configuring these settings are
provided in the following procedure.
Note:
If you see a proxy server error message, you might need to configure your proxy
server settings so that local addresses bypass the proxy server. Instructions for
configuring proxy server settings are provided later in this section.
5. Click Close to close the Trusted Sites dialog box.
6. Click OK to close the Internet Options dialog box.
If you are using a proxy server in your organization, use the following steps to configure Internet
Explorer to bypass the proxy server for local addresses.
Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click
LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings
check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check
box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.
Post-installation steps
After Setup finishes, your browser window opens to the home page of your new SharePoint site.
Although you can start adding content to the site or you can start customizing the site, we
recommend that you perform the following administrative tasks by using the SharePoint Central
Administration Web site.
• Configure incoming e-mail settings You can configure incoming e-mail settings so
that SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-
mail settings so that SharePoint sites can archive e-mail discussions as they happen, save e-
mailed documents, and show e-mailed meetings on site calendars. In addition, you can
configure the SharePoint Directory Management Service to provide support for e-mail
distribution list creation and management. For more information, see Configure incoming e-
mail settings.
• Configure outgoing e-mail settings You can configure outgoing e-mail settings so that
your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and
notifications to site administrators. You can configure both the "From" e-mail address and the
"Reply" e-mail address that appear in outgoing alerts. For more information, see Configure
outgoing e-mail settings.
• Create SharePoint sites When Setup finishes, you have a single Web application that
contains a single SharePoint site collection that hosts a SharePoint site. You can create more
SharePoint sites collections, sites, and Web applications if your site design requires multiple
sites or multiple Web applications.
• Configure Workflow settings Specify whether users can assemble new workflows and
if participants without site access should be sent documents in email attachments so they can
participate in document workflows. For more information, see Configure workflow settings.
• Configure diagnostic logging settings You can configure several diagnostic logging
settings to help with troubleshooting. This includes enabling and configuring trace logs, event
messages, user-mode error messages, and Customer Experience Improvement Program
events. For more information, see Configure diagnostic logging settings.
• Configure antivirus protection settings You can configure several antivirus settings if
you have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus
settings enable you to control whether documents are scanned on upload or download and
whether users can download infected documents. You can also specify how long you want
the antivirus program to run before it times out, and you can specify how many execution
threads the antivirus program can use on the server. For more information, see Configure
antivirus settings.
• Configure search You can configure several search and index settings to customize
how Office SharePoint Server 2007 crawls your site content or external content. For more
information, see Configure the Office SharePoint Server Search service
(http://technet.microsoft.com/en-us/library/cc262700.aspx).
• Configure Excel Services Before you can use Excel Services, you must start the
service and add at least one trusted location. For more information about doing this, see C.
Configure Excel Services.
Deploy in a simple server farm
In this section:
• Deployment overview
• Deploy and configure the server infrastructure
• Create and configure a Shared Services Provider
• Perform additional configuration tasks
• Create a site collection and a SharePoint site
• Configure the trace log
Deployment overview
Important:
This section discusses how to do a clean installation of Microsoft Office SharePoint
Server 2007 in a server farm environment. It does not cover upgrading from previous
releases of Office SharePoint Server 2007 or how to upgrade from Microsoft SharePoint
Portal Server 2003. For more information about upgrading from Microsoft Office
SharePoint Portal Server 2003, see Upgrading to Office SharePoint Server 2007
(http://technet.microsoft.com/en-us/library/cc303420.aspx).
Note:
This section does not cover installing Office SharePoint Server 2007 on a single
computer as a stand-alone installation. For more information, see Install Office
SharePoint Server 2007 on a stand-alone computer.
You can deploy Office SharePoint Server 2007 in a server farm environment if you are hosting a
large number of sites, if you want the best possible performance, or if you want the scalability of a
multi-tier topology. A server farm consists of one or more servers dedicated to running the Office
SharePoint Server 2007 application.
Note:
There is no direct upgrade from a stand-alone installation to a farm installation.
Because a server farm deployment of Office SharePoint Server 2007 is more complex than a
stand-alone deployment, we recommend that you plan your deployment. Planning your
deployment can help you to gather the information you need and to make important decisions
before beginning to deploy. For information about planning, see Planning and architecture for
Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).
required by Office SharePoint Server 2007. This topic provides details about how the DBA can
create these databases before beginning the Office SharePoint Server 2007 installation or
creation of a Shared Services Provider (SSP). For more information about deploying using DBA-
created databases, including detailed procedures, see Deploy using DBA-created databases.
Suggested topologies
Server farm environments can encompass a wide range of topologies and can include many
servers or as few as two servers.
A small server farm typically consists of a database server running either Microsoft SQL Server
2005 or Microsoft SQL Server 2000 with the most recent service pack, and one or more servers
running Internet Information Services (IIS) and Office SharePoint Server 2007. In this
configuration, the front-end servers are configured as Web servers and application servers. The
Web server role provides Web content to clients. The application server role provides Office
SharePoint Server 2007 services such as servicing search queries, and crawling and indexing
content.
A medium server farm typically consists of a database server, an application server running Office
SharePoint Server 2007, and one or two front-end Web servers running Office SharePoint Server
2007 and IIS. In this configuration, the application server provides indexing services and Excel
Calculation Services, and the front-end Web servers service search queries and provide Web
content.
A large server farm typically consists of two or more clustered database servers, several load-
balanced front-end Web servers running Office SharePoint Server 2007, and two or more
application servers running Office SharePoint Server 2007. In this configuration, each of the
application servers provides specific Office SharePoint Server 2007 services such as indexing or
Excel Calculation Services, and the front-end servers provide Web content.
Note:
All of the Web servers in your server farm must have the same SharePoint Products and
Technologies installed. For example, if all of the servers in your server farm are running
Office SharePoint Server 2007, you cannot add to your farm a server that is running only
Microsoft Office Project Server 2007. To run Office Project Server 2007 and Office
SharePoint Server 2007 on your server farm, you must install Office Project Server 2007
and Office SharePoint Server 2007 on each of your Web servers. To enhance the
security of your farm and reduce the surface area that is exposed to a potential attack,
you can turn off services on particular servers after you install SharePoint Products and
Technologies.
Important
• The account that you select for installing Office SharePoint Server 2007 needs to be
a member of the Administrators group on every server on which you install Office
SharePoint Server 2007. You can, however, remove this account from the Administrators
group on the servers after installation.
• For information about assigning users to be SSP administrators, see “Shared
Services Providers” in Plan for administrative and service accounts
(http://technet.microsoft.com/en-us/library/cc263445.aspx).
• To deploy Office SharePoint Server 2007 in a server farm environment, you must provide
credentials for several different accounts. For information about these accounts, see “Shared
Service Providers” in the Planning and architecture for Office SharePoint Server 2007
(http://technet.microsoft.com/en-us/library/cc261834.aspx) guide.
• You must install Office SharePoint Server 2007 on the same drive on all load-balanced
front-end Web servers.
• You must install Office SharePoint Server 2007 on a clean installation of the Microsoft
Windows Server 2003 operating system with the most recent service pack. If you uninstall a
previous version of Office SharePoint Server 2007, and then install Office SharePoint Server
2007, Setup might fail to create the configuration database and the installation will fail.
Note:
We recommend that you read the Known Issues/Readme documentation before you
install Office SharePoint Server 2007 on a domain controller. Installing Office
SharePoint Server 2007 on a domain controller requires additional configuration
steps that are not discussed in this document.
• You must install the same language packs on all servers in the farm. For more
information about installing language packs, see Deploy language packs.
• All the instances of Office SharePoint Server 2007 in the farm must be in the same
language. For example, you cannot have both an English version of Office SharePoint Server
2007 and a Japanese version of Office SharePoint Server 2007 in the same farm.
• You must use the Complete installation option on all computers you want to be index
servers, query servers, or servers that run Excel Calculation Services.
• If you place a query server beyond a firewall from its index server, you must open the
NetBIOS ports (TCP/User Datagram Protocol (UDP) ports 137, 138, and 139) on all firewalls
that separate these servers. If your environment does not use NetBIOS, you must use direct-
hosted server message block (SMB). This requires that you open the TCP/UDP 445 port.
• If you want to have more than one index server in a farm, you must use a different
Shared Services Provider (SSP) for each index server.
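The firewall requirement above (NetBIOS ports TCP/UDP 137, 138 and 139, or TCP/UDP 445 for direct-hosted SMB, between a query server and its index server) is easy to get wrong and only shows up later as failed query propagation. The following PowerShell script is an added example, not part of this guide or the product: run from the query server, it probes the TCP side of those requirements against the index server. The index server name is a placeholder, and the script assumes PowerShell 2.0 or later. UDP 137/138 cannot be verified with a TCP connect, so the script reports them for manual confirmation on the firewall; which of TCP 139 or TCP 445 must be open depends on whether your environment uses NetBIOS.

```powershell
# Added example (not from the guide): from the query server, confirm that the TCP ports the
# guide requires between a query server and its index server are reachable through the
# firewall. TCP 139 (NetBIOS session service) and TCP 445 (direct-hosted SMB) can be tested
# with a TCP connect; UDP 137/138 cannot and are reported for manual verification.
param(
    [string]$IndexServer = "INDEXSERVER01"   # placeholder: host name of the index server
)

function Test-TcpPort {
    # Returns $true when a TCP connection to $ComputerName:$Port completes within $TimeoutMs.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$tcpChecks = @(
    @{ Port = 139; Use = "NetBIOS session service (used with TCP/UDP 137 and 138)" },
    @{ Port = 445; Use = "direct-hosted SMB (used when NetBIOS is not in use)" }
)
foreach ($c in $tcpChecks) {
    $ok = Test-TcpPort -ComputerName $IndexServer -Port $c.Port
    $state = if ($ok) { "open" } else { "BLOCKED" }
    "TCP {0,-4} {1}: {2}" -f $c.Port, $c.Use, $state
}
"UDP 137/138 (NetBIOS name and datagram services): cannot be probed with a TCP connect; verify the firewall rule manually."
```

Run it once from each query server that sits across a firewall from the index server. A BLOCKED result for the port family you rely on (139 with NetBIOS, 445 without) means the firewall rule is missing or misordered; a result of open on both is not required.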
If you are using SQL Server 2005, you must also change the surface area settings.
Required accounts
The following table describes the accounts that are used to configure Microsoft SQL Server and
to install Office SharePoint Server 2007. For more information about the required accounts,
including specific privileges required for these accounts, see Plan for administrative and service
accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).
Account: SQL Server Service Account
Purpose: This account is used as the service account for the following SQL Server
services:
• MSSQLSERVER
• SQLSERVERAGENT
If you are not using the default instance, these services will be shown as:
• MSSQL$InstanceName
• SQLAgent$InstanceName
Requirements: SQL Server prompts for this account during SQL Server Setup. You have
two options:
• Assign one of the built-in system accounts (Local System, Network Service, or Local
Service) to the logon for the configurable SQL Server services. For more information
about these accounts and security considerations, refer to the Setting Up Windows
Service Accounts topic (http://go.microsoft.com/fwlink/?LinkId=121664&clcid=0x409) in
the SQL Server documentation.
• Assign a domain user account to the logon for the service. However, if you use this
option you must take the additional steps required to configure Service Principal
Names (SPNs) in Active Directory in order to support Kerberos authentication, which
SQL Server uses.
Important:
Office SharePoint Server 2007 requires Active Directory directory services for farm
deployments. Therefore Office SharePoint Server 2007 cannot be installed in a farm on a
Microsoft Windows NT Server 4.0 domain.
2. On the Welcome to the Configure Your Server Wizard page, click Next.
3. On the Preliminary Steps page, click Next.
4. On the Server Role page, click Application server (IIS, ASP.NET), and then click
Next.
5. On the Application Server Options page, click Next.
6. On the Summary of Selections page, click Next.
7. Click Finish.
8. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
9. In the IIS Manager tree, click the plus sign (+) next to the server name, right-click the
Web Sites folder, and then click Properties.
10. In the Web Sites Properties dialog box, click the Service tab.
11. In the Isolation mode section, clear the Run WWW service in IIS 5.0 isolation
mode check box, and then click OK.
Note:
The Run WWW in IIS 5.0 isolation mode check box is only selected if you have
upgraded to IIS 6.0 on Windows Server 2003 from IIS 5.0 on Microsoft Windows
2000. New installations of IIS 6.0 use IIS 6.0 worker process isolation mode by
default.
Note:
You can also use the Microsoft .NET Framework version 3.5. You can download the .NET
Framework version 3.5 from the Microsoft Web site (http://go.microsoft.com/fwlink/?
LinkId=110508).
2. In the IIS Manager tree, click the plus sign (+) next to the server name, and then click
the Web Service Extensions folder.
3. In the details pane, click ASP.NET v2.0.50727, and then click Allow.
Note:
We recommend that you run Setup on all the servers that will be in the farm before
configuring the farm.
You can add servers to the farm at this point, or after you have created and configured an SSP.
You can add servers after you have created and configured an SSP to add redundancy, such as
additional load-balanced Web servers or additional query servers. It is recommended that you run
Setup and the configuration wizard on all your application servers before you create and
configure the SSP.
Note:
To configure more than one query server in your farm, you cannot configure your
index server as a query server.
5. Other application servers (optional).
Because the SSP configuration requires an index server, you must start the Office SharePoint
Server Search service on the computer that you want to be the index server, and configure it as
an index server before you can create an SSP. Because of this, you must deploy and configure
an index server before other servers. You can choose any server to be the first server on which
you install Office SharePoint Server 2007. However, the Central Administration Web site is
automatically installed on the first server on which you install Office SharePoint Server 2007.
You can configure different features on different servers. The following table shows which
installation type you should use for each feature set.
Note:
If you choose the Web Front End installation option you will not be able to run additional
services, such as search, on the server.
When you install Office SharePoint Server 2007 on the first server, you establish the farm. Any
servers that you add you will join to this farm.
Setting up the first server involves two steps: installing the Office SharePoint Server 2007
components on the server, and configuring the farm. After Setup finishes, you can use the
SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint
Server 2007. The SharePoint Products and Technologies Configuration Wizard automates
several configuration tasks, including: installing and configuring the configuration database,
installing Office SharePoint Server 2007 services, and creating the Central Administration Web
site.
Run Setup on the first server
Important:
If you uninstall Office SharePoint Server 2007 from the first server on which you installed
it, your farm might experience problems. It is not recommended that you install Office
SharePoint Server 2007 on an index server first.
Note:
Setup installs the Central Administration Web site on the first server on which you run
Setup. Therefore, we recommend that the first server on which you install Office
SharePoint Server 2007 is a server from which you want to run the Central Administration
Web site.
Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced. The Basic option is
for stand-alone installations.
5. On the Server Type tab, select Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the
configuration of your server. Be sure that the Run the SharePoint Products and
Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the next set of steps.
Run the SharePoint Products and Technologies Configuration
Wizard
After Setup finishes, you can use the SharePoint Products and Technologies Configuration
Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several
configuration tasks, including: installing and configuring the configuration database, installing
Office SharePoint Server 2007 services, and creating the Central Administration Web site. Use
the following instructions to run the SharePoint Products and Technologies Configuration Wizard.
Important:
The server farm account is used to access your configuration database. It also
acts as the application pool identity for the SharePoint Central Administration
application pool, and it is the account under which the Windows SharePoint
Services Timer service runs. The SharePoint Products and Technologies
Configuration Wizard adds this account to the SQL Server Logins, the SQL
Server Database Creator server role, and the SQL Server Security Administrators
server role. The user account that you specify as the service account must be a
domain user account, but it does not need to be a member of any specific
security group on your Web servers or your back-end database servers. We
recommend that you follow the principle of least privilege and specify a user
account that is not a member of the Administrators group on your Web servers or
your back-end servers.
7. In the Password box, type the user's password, and then click Next.
8. On the Configure SharePoint Central Administration Web Application page, select the
Specify port number check box and type a port number if you want the SharePoint
Central Administration Web application to use a specific port, or leave the Specify port
number check box cleared if you do not care which port number the SharePoint Central
Administration Web application uses.
9. In the Configure SharePoint Central Administration Web Application dialog box,
do one of the following:
• If you want to use NTLM authentication (the default), click Next.
• If you want to use Kerberos authentication, click Negotiate (Kerberos), and then
click Next.
Note:
In most cases, use the default setting (NTLM). Use Negotiate (Kerberos)
only if Kerberos authentication is supported in your environment. Using the
Negotiate (Kerberos) option requires you to configure a Service Principal
Name (SPN) for the domain user account. To do this, you must be a member
of the Domain Admins group. For more information, see How to configure a
Windows SharePoint Services virtual server to use Kerberos authentication
and how to switch from Kerberos authentication back to NTLM authentication
(http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
10. On the Completing the SharePoint Products and Technologies Configuration Wizard
page, click Next.
11. On the Configuration Successful page, click Finish.
The SharePoint Central Administration Web site home page opens.
Note:
If you are prompted for your user name and password, you might need to add the
SharePoint Central Administration site to the list of trusted sites and configure
user authentication settings in Internet Explorer. Instructions for configuring these
settings are provided in the next set of steps.
Note:
If a proxy server error message appears, you might need to configure your proxy
server settings so that local addresses bypass the proxy server. Instructions for
configuring this setting are provided later in this section.
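Two points in the wizard procedure above are worth verifying after it completes: the Important note says the server farm account should end up with only the Database Creator (dbcreator) and Security Administrators (securityadmin) server roles and should not be a local Administrator on the Web servers, and the Kerberos note says Negotiate (Kerberos) only works once an SPN is registered for the domain user account. The following PowerShell script is an added example, not part of this guide or the product. The database server, farm account and Central Administration host names in it are placeholders; it assumes PowerShell 2.0 or later, a SQL Server 2005 instance (it reads the sys.server_role_members and sys.server_principals catalog views, which SQL Server 2000 does not have), and that setspn.exe is available on the path.

```powershell
# Added example (not from the guide): verify the farm account against the least-privilege
# baseline the wizard is expected to produce, and, when Kerberos was selected, confirm that
# HTTP SPNs exist on the account for the Central Administration host names. Run it on a
# Web server as a user who can read the master database on the database server.
param(
    [string]$SqlServer   = "SQLSERVER01",     # placeholder: database server or server\instance
    [string]$FarmAccount = "CONTOSO\spfarm",  # placeholder: the server farm account
    [string[]]$CentralAdminHosts = @("spadmin", "spadmin.contoso.com"),  # placeholder host names
    [switch]$Kerberos                          # set if Negotiate (Kerberos) was chosen in the wizard
)

$findings = @()

# 1. Server roles actually held by the farm login on the database server.
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlServer;Database=master;Integrated Security=SSPI")
$cmd = $conn.CreateCommand()
$cmd.CommandText = @"
SELECT r.name AS role_name
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
WHERE m.name = @account
"@
$cmd.Parameters.AddWithValue("@account", $FarmAccount) | Out-Null
$conn.Open()
$reader = $cmd.ExecuteReader()
$roles = @()
while ($reader.Read()) { $roles += [string]$reader["role_name"] }
$reader.Close()
$conn.Close()

# The wizard grants exactly these two roles; anything beyond them (sysadmin above all) is a finding.
$expected = @("dbcreator", "securityadmin")
foreach ($r in $expected) {
    if ($roles -notcontains $r) { $findings += "Farm account is missing the $r server role (the wizard normally grants it)." }
}
foreach ($r in $roles) {
    if ($expected -notcontains $r) { $findings += "Farm account holds an extra server role: $r (exceeds the least-privilege baseline)." }
}

# 2. Local Administrators membership on this Web server; the guide recommends the farm account not be a member.
$localAdmins = & net localgroup Administrators | ForEach-Object { $_.Trim() }
if ($localAdmins -contains $FarmAccount) {
    $findings += "Farm account is a member of the local Administrators group on $env:COMPUTERNAME."
}

# 3. Kerberos: an HTTP/<host> SPN must be registered on the account for each host name clients use.
if ($Kerberos) {
    $spns = & setspn -L $FarmAccount | ForEach-Object { $_.Trim() }
    foreach ($h in $CentralAdminHosts) {
        $want = "HTTP/$h"
        if (-not ($spns | Where-Object { $_ -ieq $want })) { $findings += "SPN $want is not registered on $FarmAccount." }
    }
}

if ($findings.Count -eq 0) { "No findings: farm account matches the least-privilege baseline." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it without -Kerberos when you kept the NTLM default, and with -Kerberos after registering the SPNs. A missing dbcreator or securityadmin role points to a wizard run that did not complete against this instance; an extra role, most often sysadmin granted by hand to "make it work", is the case to investigate and remove.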
Configure proxy server settings to bypass the proxy server for
local addresses
Important:
If you uninstall Office SharePoint Server 2007 from the first server on which you installed
it, your farm might experience problems. It is not recommended that you install Office
SharePoint Server 2007 on an index server first.
Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Web Front End.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the
configuration of your server. Be sure that the Run the SharePoint Products and
Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the following section.
Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the
configuration of your server. Be sure that the Run the SharePoint Products and
Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the next set of steps.
2. On the Operations page, in the Topology and Services section, click Services on
server.
3. On the Services on Server page, next to Windows SharePoint Services Search,
click Start.
4. On the Configure Windows SharePoint Services Search Service Settings page, in the
Service Account section, type the user name and password for the user account under
which the Windows SharePoint Services Search service account will run.
5. In the Content Access Account section, type the user name and password for the
user account that the search service will use to search over content. This account must
have read access to all the content you want it to search over. If you do not specify
credentials, the same account used for the search service will be used.
6. In the Indexing Schedule section, either accept the default settings, or specify the
schedule that you want the search service to use when searching over content.
7. After you have configured all the settings, click Start.
Disable the Windows SharePoint Services Web Application service on a server
1. On the SharePoint Central Administration home page, click the Operations tab on
the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on
server.
3. On the Services on Server page, next to Windows SharePoint Services Web
Application, click Stop.
Start the Office SharePoint Server Search service on the index server
1. On the SharePoint Central Administration home page, click the Operations tab on
the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on
server.
3. In the Server list, select the server that you want to configure as an index server
and — optionally — as a query server.
4. On the Services on Server page, next to Office SharePoint Server Search, click
Start.
5. Select the Use this server for indexing content check box. This expands the page
and adds the Index Server Default File Location, Indexer Performance, and Web
Front End and Crawling sections.
6. If you want to use this server to service search queries, select the Use this server
for servicing search queries check box. This expands the page and adds the Query
Server Index File Location section. If not, skip to the next step.
7. In the Contact E-mail Address section, type the e-mail address you want external
site administrators to use to contact your organization if problems arise when their sites
are being crawled by your index server.
8. In the Farm Search Service Account section, specify the User name and
Password of the account under which the search service will run. This domain account
should not be a member of the Farm Administrators group in the Central Administration
Web site (the WSS_ADMIN_WPG Windows security group). For least privilege
scenarios, this should be a separate domain account, used only for this service. For more
information about this account, see Plan for administrative and service accounts
(http://technet.microsoft.com/en-us/library/cc263445.aspx).
9. Optionally, you can also configure other settings or accept the default settings.
10. When you have configured all the settings, click Start.
You can optionally use the following steps to start the Office SharePoint Server Search service on
computers that were set up by using the Complete option during Setup to deploy query servers.
Important:
If you selected the Use this server for servicing search queries option in step 6 of the
previous procedure, you cannot deploy additional query servers unless you first remove
the query server role from the index server.
For information about how to perform this procedure using the Stsadm command-line tool, see
Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).
information about this account, see Plan for administrative and service accounts
(http://technet.microsoft.com/en-us/library/cc263445.aspx).
7. In the Query Server Index File Location section, in the Query server index file
location box, either type the location on the local drive of the query server on which you
want to store the propagated index, or accept the default path.
8. In the Query Server Index File Location section, select one of the following:
• Configure share automatically Select this option to automatically configure
the share on which you want to store the propagated index, and type the user name
and password of the account that you want to use to propagate the index
(recommended).
Important:
This account must be a member of the Administrators group and a member of
the WSS_ADMIN_WPG group on the query server before you proceed to the
next step, or propagation of the index will fail.
• I will configure the share with STSAdm Select this option if you want to use
the Stsadm command-line tool to create this share at a later time.
• Do nothing. The share is already configured Select this option if the share
already exists and the permissions to the share are configured as described above.
9. When you have configured all the settings, click Start.
For information about how to perform this procedure using the Stsadm command-line
tool, see Osearch: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262920.aspx).
Create a Web application to host the SSP and create the SSP
Note:
If you see any items in the Web application drop-down list, a Web application
has already been created. You can either use this Web application or create
another.
5. On the Create New Web Application page, in the Application Pool section, specify
the User name and Password for the user account that the Web application pool will run
under.
6. You can also configure other settings on this page, or click OK to create the new Web
application.
Note:
By default, the Web application uses the default Web site in IIS and port 80. This
port might be used by other Web applications. Ensure that this port is open for
use, or choose another port before you click OK.
Note:
By default, Restart IIS Manually is selected. If you use this setting, you must
restart the default Web site in IIS, or restart the World Wide Web Publishing
Service (W3SVC) from the command line.
7. On the New Shared Services Provider page, in the SSP Service Credentials
section, type the user name and password for the user account that the SSP service will
run under.
8. Optionally, you can also configure other settings.
9. When you have configured all the settings, click OK.
10. If you used the same Web application for the SSP administration site and the My
Sites site collection, you will be prompted to use separate Web applications for these site
collections. If you want to use the same Web application, click OK. For more information
about site planning, see Plan Web site structure and publishing
(http://technet.microsoft.com/en-us/library/cc262789.aspx).
11. After the SSP has been created, click OK on the confirmation page that appears.
You can also migrate content from a pre-existing Microsoft Content Management Server 2002
source. For information, see Migrate from Microsoft Content Management Server 2002 to Office
SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261812.aspx).
Before you can create a site collection or a site, you must first create a Web application. A Web
application consists of an Internet Information Services (IIS) site with a unique application
pool.
7. In the Load Balanced URL section, type the URL for the domain name for all sites
that users will access in this Web application. This URL domain will be used in all links
shown on pages within the Web application. By default, the box is populated with the
current server name and port.
The Zone box is automatically set to Default for a new Web application and cannot be
changed from this page.
8. In the Application Pool section, choose whether to use an existing application pool
or create a new application pool for this Web application. To use an existing application
pool, select Use existing application pool. Then select the application pool you wish to
use from the drop-down menu.
a. To create a new application pool, select Create a new application pool.
b. In the Application pool name box, type the name of the new application pool, or
keep the default name.
c. In the Select a security account for this application pool section, select
Predefined to use an existing application pool security account, and then select the
security account from the drop-down menu.
d. Select Configurable to use an account that is not currently being used as a
security account for an existing application pool. In the User name box, type the user
name of the account you wish to use, and type the password for the account into the
Password box.
9. In the Reset Internet Information Services section, choose whether to allow Office
SharePoint Server 2007 to restart IIS on other farm servers. The local server must be
restarted manually for the process to finish. If this option is not selected and you have
more than one server in the farm, you must wait until the IIS Web site is created on all
servers and then run iisreset /noforce on each Web server. The new IIS site is not
usable until that action is completed. These choices are unavailable if your farm only
contains a single server.
10. Under Database Name and Authentication, choose the database server, database
name, and authentication method for your new Web application.
11. Click OK to create the new Web application, or click Cancel to cancel the process
and return to the Application Management page.
For information about how to perform this procedure using the Stsadm command-line
tool, see Createsiteinnewdb: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262407.aspx).
6. In the Template Selection section, select a template from the tabbed template
control.
7. In the Primary Site Collection Administrator section, type the user account name
for the user you want to be the primary administrator for the site collection. You can also
browse for the user account by clicking the Book icon to the right of the text box. You can
verify the user account by clicking the Check Names icon to the right of the text box.
8. Optionally, in the Secondary Site Collection Administrator section, type the user
account for the user you want to be the secondary administrator for the site collection.
You can also browse for the user account by clicking the Book icon to the right of the text
box. You can verify the user account by clicking the Check Names icon to the right of the
text box.
9. Click Create to create the site collection.
For information about how to perform this procedure using the Stsadm command-line
tool, see Createsite: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262594.aspx).
After creating sites, you might want to configure alternate access mappings. Alternate access
mappings direct users to the correct URLs during their interaction with Office SharePoint Server
2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for
example). Alternate access mappings enable Office SharePoint Server 2007 to map Web
requests to the correct Web applications and sites, and they enable Office SharePoint Server
2007 to serve the correct content back to the user. For more information, see Plan alternate
access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).
For information about how to perform this procedure using the Stsadm command-line tool, see
Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx).
Tip:
To save 10,080 minutes (seven days) of events, you can use any
combination of number of log files and minutes to store in each log file.
3. Ensure that the path specified in the Path box has enough room to store the extra log
files or change the path to another location.
Tip:
We recommend that you store log files on a hard drive partition that is used to
store log files only.
4. Click OK.
Trace log files can help you to troubleshoot issues related to configuration changes of either the
Office SharePoint Server Search service or the Windows SharePoint Services Search service.
Because problems related to configuration changes are not always immediately discovered, we
recommend that you save all trace log files that the system creates on any day that you make any
configuration changes related to either search service. Store these log files for an extended
period of time in a safe location that will not be overwritten. See step 3 in the previous procedure
to determine the location that the system stores trace log files for your system.
For information about how to perform this procedure using the Stsadm command-line tool, see
Logging and events: Stsadm operations (http://technet.microsoft.com/en-
us/library/cc262191.aspx).
Deploy using DBA-created databases
In this topic:
• About deploying by using DBA-created databases
• Required database hardware and software
• Required accounts
• Create and configure the databases
Note:
This section does not cover using the Office SharePoint Server 2007 graphical user
interface tools to create or configure databases. For information about creating and
configuring databases by using the Office SharePoint Server 2007 graphical user
interface tools, see Deploy in a simple server farm.
Using these procedures, the DBA will create databases and the farm administrator will perform
other configuration actions in the following order:
• The configuration database (only one per farm).
• The content database for Central Administration (only one per farm).
• Central Administration Web application (only one per farm, created by Setup).
• The Windows SharePoint Services search database (only one per farm).
• Start the Office SharePoint Search service.
For each portal site:
• Portal site Web application content database.
For each SSP:
• A content database for the My Sites Web application (if the SSP is using its own Web
application).
• A content database for the Shared Services Administration Web application (if the SSP is
using its own Web application).
• SSP Search database (one per SSP).
• SSP Web application (created by Setup if the SSP is using its own Web application).
Note:
As part of the Web site and application pool creation process, a Web application is also
created in Internet Information Services (IIS). Extending a Web application will create an
additional Web site in IIS, but not an additional application pool.
Required accounts
The DBA needs to create SQL Server logins for the accounts that are used to access the
databases for Office SharePoint Server 2007 and add them to the required roles.
For more information about the required accounts, including specific permissions and roles
required for these accounts, see Plan for administrative and service accounts
(http://technet.microsoft.com/en-us/library/cc263445.aspx).
The following table describes the accounts that are used to access the databases for Office
SharePoint Server 2007.
Account: SQL Server Service Account
Purpose: This account is used as the service account for the following SQL Server services:
• MSSQLSERVER
• SQLSERVERAGENT
If you are not using the default instance, these services will be shown as:
• MSSQL$InstanceName
• SQLAgent$InstanceName
Requirements: SQL Server prompts for this account during SQL Server Setup. You have two
options:
• Assign one of the built-in system accounts (Local System, Network Service, or Local
Service) to the logon for the configurable SQL Server services. For more information about
these accounts and security considerations, refer to the Setting Up Windows Service Accounts
topic (http://go.microsoft.com/fwlink/?LinkId=121664&clcid=0x409) in the SQL Server
documentation.
• Assign a domain user account to the logon for the service. However, if you use this option
you must take the additional steps required to configure Service Principal Names (SPNs) in
Active Directory in order to support Kerberos authentication, which SQL Server uses.
Note:
If you are using the least-privilege principle for added security, use a different account for
each service, process, and application pool identity for each Web application. Each SSP
will use two accounts, one for the SSP service account and one for the application pool
identity for the Shared Services Administration Web application.
Create and configure the configuration database, the Central Administration content
database, and the Central Administration Web application
1. [DBA] Create the configuration database and the Central Administration content
database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the
database owner (dbo) to be the Setup user account.
2. [Setup] Run Setup on each server computer in the farm. You must run Setup on at
least one of these computers by using the Complete installation option.
Note:
The rest of the farm servers will be configured after the procedures in the article
are finished and the farm is established. You will run the SharePoint Products
and Technologies Configuration Wizard on these servers by selecting the Yes, I
want to connect to an existing server farm option, instead of by using the
commands used in this procedure.
3. [Setup] On the server on which you used the Complete installation option, do not run
the SharePoint Products and Technologies Configuration Wizard after Setup. Instead
open the command line, and then run the following command to configure the databases:
Psconfig -cmd configdb -create -server <SqlServerName> -database <SqlDatabaseName>
-user <DomainName\UserName> -password <password>
-admincontentdatabase <SqlAdminContentDatabaseName>
Note:
<SqlDatabaseName> is the configuration database. -user is the server farm
account. <SqlAdminContentDatabaseName> is the Central Administration
content database.
4. [Setup] After the command has completed, run the SharePoint Products and
Technologies Configuration Wizard and complete the remainder of the configuration for
the server. This creates the Central Administration Web application and performs other
setup and configuration tasks.
5. [DBA] After the SharePoint Products and Technologies Configuration Wizard has
completed, perform the following actions for both the configuration database and the
Central Administration content database:
• Add the Office SharePoint Server Search account, default content access
account, and the SSP service account to the Users group.
• Add the Office SharePoint Server Search account, default content access
account, and the SSP service account to the WSS_Content_Application_Pools role.
6. [Setup] To confirm that the databases were created and correctly configured, verify
that the home page of the Central Administration Web site can be accessed. However, do
not configure anything by using Central Administration at this time. If the Central
Administration page does not render, verify the accounts used in this procedure and
ensure that they are properly assigned.
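As an added example that is not part of the deployment guide, the following T-SQL is what a DBA could run in SQL Server Management Studio for step 1 and step 5 of this procedure, followed by a query that confirms the resulting role membership before step 6. The domain CONTOSO, the account names spsetup, spsearch, spcrawl and spssp, and the database names are constructed placeholders; the script assumes SQL Server 2005/2008-era syntax (sp_addrolemember). The same CREATE USER and sp_addrolemember pattern, with db_owner in place of WSS_Content_Application_Pools, serves the [DBA] steps of the later procedures in this section.

```sql
-- Added example, not code from the deployment guide. Domain, account and
-- database names are constructed placeholders.
USE master;
GO

-- Windows logins for the Setup user account and the three service accounts.
-- Per the least-privilege note in this section, each service has its own account.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\spsetup')
    CREATE LOGIN [CONTOSO\spsetup] FROM WINDOWS;    -- Setup user account
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\spsearch')
    CREATE LOGIN [CONTOSO\spsearch] FROM WINDOWS;   -- Office SharePoint Server Search account
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\spcrawl')
    CREATE LOGIN [CONTOSO\spcrawl] FROM WINDOWS;    -- default content access account
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\spssp')
    CREATE LOGIN [CONTOSO\spssp] FROM WINDOWS;      -- SSP service account
GO

-- Step 1 [DBA]: both databases with the required collation, owned (dbo) by the
-- Setup user account so that Psconfig in step 3 can populate them. The databases
-- are new, so the Setup login is not yet a user in them (ALTER AUTHORIZATION
-- fails if it were).
CREATE DATABASE SharePoint_Config COLLATE Latin1_General_CI_AS_KS_WS;
CREATE DATABASE SharePoint_AdminContent COLLATE Latin1_General_CI_AS_KS_WS;
GO
ALTER AUTHORIZATION ON DATABASE::SharePoint_Config TO [CONTOSO\spsetup];
ALTER AUTHORIZATION ON DATABASE::SharePoint_AdminContent TO [CONTOSO\spsetup];
GO

-- Step 5 [DBA], only after the Configuration Wizard has finished: SharePoint
-- creates the WSS_Content_Application_Pools role during configuration, which is
-- why the guide places this step after the wizard. Each service account becomes
-- a database user ("Users group") and a member of that one role; none of them
-- is added to db_owner.
USE SharePoint_Config;
GO
CREATE USER [CONTOSO\spsearch] FOR LOGIN [CONTOSO\spsearch];
CREATE USER [CONTOSO\spcrawl]  FOR LOGIN [CONTOSO\spcrawl];
CREATE USER [CONTOSO\spssp]    FOR LOGIN [CONTOSO\spssp];
EXEC sp_addrolemember N'WSS_Content_Application_Pools', N'CONTOSO\spsearch';
EXEC sp_addrolemember N'WSS_Content_Application_Pools', N'CONTOSO\spcrawl';
EXEC sp_addrolemember N'WSS_Content_Application_Pools', N'CONTOSO\spssp';
GO
USE SharePoint_AdminContent;
GO
CREATE USER [CONTOSO\spsearch] FOR LOGIN [CONTOSO\spsearch];
CREATE USER [CONTOSO\spcrawl]  FOR LOGIN [CONTOSO\spcrawl];
CREATE USER [CONTOSO\spssp]    FOR LOGIN [CONTOSO\spssp];
EXEC sp_addrolemember N'WSS_Content_Application_Pools', N'CONTOSO\spsearch';
EXEC sp_addrolemember N'WSS_Content_Application_Pools', N'CONTOSO\spcrawl';
EXEC sp_addrolemember N'WSS_Content_Application_Pools', N'CONTOSO\spssp';
GO

-- Check before step 6: every database role held by a CONTOSO\ account in the two
-- databases. Expected: only WSS_Content_Application_Pools for the three service
-- accounts. The Setup account does not appear because it is mapped to dbo. A
-- service account listed under db_owner received more than the guide asks for.
SELECT N'SharePoint_Config' AS db, r.name AS role_name, m.name AS member_name
FROM SharePoint_Config.sys.database_role_members AS rm
JOIN SharePoint_Config.sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN SharePoint_Config.sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name LIKE N'CONTOSO\%'
UNION ALL
SELECT N'SharePoint_AdminContent', r.name, m.name
FROM SharePoint_AdminContent.sys.database_role_members AS rm
JOIN SharePoint_AdminContent.sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN SharePoint_AdminContent.sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name LIKE N'CONTOSO\%'
ORDER BY db, member_name, role_name;
GO
```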
The following procedure will only have to be performed once for the farm. The farm has only one
Windows SharePoint Services search database.
Create and configure the Windows SharePoint Services Search database and start the
Windows SharePoint Services Search service
1. [DBA] Create the Windows SharePoint Services Search database using the
LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo)
to be the Setup user account.
2. [Setup] Open the command line, and then run the following command to configure
the database and start the Windows SharePoint Services Search service:
stsadm -o spsearch -action start -farmserviceaccount <DomainName\UserName>
-farmservicepassword <password> -farmcontentaccessaccount
<DomainName\UserName> -farmcontentaccesspassword <password>
-databaseserver <server\instance> -databasename <DatabaseName>
Note:
-farmserviceaccount is the server farm account. -farmcontentaccessaccount
is the Office SharePoint Services Search service account. For -databaseserver,
if you are using the default instance of SQL Server, you only have to specify the
name of the computer running SQL Server.
The following procedure must be performed once for each server running indexing or search
queries in the farm.
Start the Office SharePoint Server Search service on each server that will run search
queries or indexing
1. [Setup] Open the command line, and then run the following command:
stsadm -o osearch -action start -role <OsearchRole> -farmcontactemail
<FarmContactEmail> -farmserviceaccount <DomainName\UserName>
-farmservicepassword <password>
For additional information, see Osearch: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc262920.aspx).
Note:
farmserviceaccount is the server farm account. role specifies what type of server
role the server plays. The values for OsearchRole can be "Index", "Query", or
"IndexQuery". For more information about these options, see Add query servers to
expand a farm (http://technet.microsoft.com/en-us/library/cc297192.aspx).
The following procedure will only have to be performed once for the farm. The farm only has one
My Sites database. The My Sites Web application typically is hosted by its own SSP.
Create and configure the content database and Web application for My Sites
1. [DBA] Create the My Sites content database using the
LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo)
to be the Setup user account.
2. [DBA] Add the SSP service account to the db_owner role for the My Sites Web
application content database.
3. [Setup] Open the command line, and then run the following command to configure
the My Sites content database:
stsadm.exe -o extendvs -url <url> -donotcreatesite -exclusivelyusentlm
-databaseserver <DatabaseServerName> -databasename <DatabaseName>
-apidtype configurableid -description <IISWebSiteName> -apidname
<AppPoolName> -apidlogin <DomainName\UserName> -apidpwd <password>
For additional information, see Extendvs: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc263040.aspx).
Note:
url is the URL (in the form http://hostname:port) of the My Sites Web application.
databasename is the content database for the My Sites Web application.
description is the text name you give to the Web site in IIS. apidname is the text
name that you give to the Web application pool in IIS. apidlogin is the identity for
the application pool in IIS. This is the application pool process account. If you are
using Kerberos v5 authentication rather than NTLM authentication, use the
negotiate parameter rather than the exclusivelyusentlm parameter.
Important:
This command must be run on the same computer that is indicated in the url
parameter. This is the same computer that is running the My Sites Web
application. The host name and port combination must not describe a Web
application that already exists or an error will result without creating the Web
application.
4. [Setup] Open the command line, and then run the following command to restart IIS:
iisreset /noforce.
You must create a Shared Services Administration site Web application for every SSP in the farm.
Create the content database and the Web application for the Shared Services
Administration site
1. [DBA] Create the Shared Services Administration site content database using the
LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo)
to be the Setup user account.
2. [DBA] Using SQL Server Management Studio, add the SSP service account to the
Users group and then to the db_owner role for the Shared Services Administration site
content database.
3. [Setup] Open the command line, and then run the following command to create the
Shared Services Administration site Web application and configure the content database:
stsadm.exe -o extendvs -url <url> -donotcreatesite -exclusivelyusentlm
-databaseserver <DatabaseServerName> -databasename <DatabaseName>
-apidtype configurableid -description <IISWebSiteName> -apidname
<AppPoolName> -apidlogin <DomainName\UserName> -apidpwd <password>
For additional information, see Extendvs: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc263040.aspx).
Note:
url is the URL (in the form http://hostname:port) of the Shared Services
Administration site Web application. databasename is the content database for
the Shared Services Administration site Web application. description is the text
name you give to the Web site in IIS. apidname is the text name that you give to
the application pool in IIS. apidlogin is the identity for the application pool in IIS.
This is the application pool process account. If you are using Kerberos v5
authentication rather than NTLM authentication, use the negotiate parameter
rather than the exclusivelyusentlm parameter.
Important:
This command must be run on the same computer that is indicated in the url
parameter. This is the same computer that is running the Shared Services
Administration Web application. The host name and port combination must not
describe a Web application that already exists or an error results and the Web
application is not created.
4. [Setup] Open the command line, and then run the following command to restart IIS:
iisreset /noforce.
The following procedure will have to be performed once for each portal site in the farm.
Create and configure the portal site Web application content database
1. [DBA] Create the portal site Web application content database using the
LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo)
to be the Setup user account.
2. [DBA] Using Microsoft SQL Server Management Studio, add the SSP Service
account to the Users group and then to the db_owner role for the portal site Web
application content database.
3. [Setup] Open the command line, and then run the following command to configure
the portal site Web application content database:
stsadm.exe -o extendvs -url <url> -donotcreatesite -exclusivelyusentlm
-databaseserver <DatabaseServerName> -databasename <DatabaseName>
-apidtype configurableid -description <IISWebSiteName> -apidname
<AppPoolName> -apidlogin <DomainName\UserName> -apidpwd <password>
For additional information, see Extendvs: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc263040.aspx).
Note:
url is the URL (in the form http://hostname:port) of the portal site Web
application. databasename is the content database for the portal site Web
application. description is the text name you give to the Web site in IIS.
apidname is the text name that you give to the Web application pool in IIS.
apidlogin is the identity for the application pool in IIS. This is the application pool
process account. If you are using Kerberos v5 authentication rather than NTLM
authentication, use the negotiate parameter rather than the exclusivelyusentlm
parameter.
Important:
This command must be run on the same computer that is indicated in the url
parameter. This is the same computer that is running the Web application. The
host name and port combination must not describe a Web application that
already exists or an error results and the Web application is not created.
4. [Setup] Open the command line, and then run the following command to restart IIS:
iisreset /noforce.
The following procedure must be performed once for each SSP in the farm.
Create and configure the SSP content database and SSP Search database, and then
create and configure the SSP
1. [DBA] Create the SSP content database and the SSP Search database using the
LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo)
to be the Setup user account.
2. [DBA] Using Microsoft SQL Server Management Studio, add the following accounts
to the Users group and then to the db_owner role in both databases:
• Server farm account
• SSP Service account
• Windows SharePoint Services Search service account
• Office SharePoint Server Search service account
• Application pool process account. This is the Web application pool identity for
each Web application associated with the SSP. In this section, these are the Shared
Services Administration Web application and the My Sites site Web application.
3. [Setup] Open the command line, and then run the following command to create the
SSP (the SSP will use the DBA-created SSP content database and the SSP Search
database):
stsadm -o createssp -title <SSPName> -url <url> -mysiteurl <url> -ssplogin
<UserName> -ssppassword <password> -indexserver <IndexServerName>
-indexlocation <IndexFilePath> -sspdatabaseserver <SSPDatabaseServerName>
-sspdatabasename <SSPDatabaseName> -searchdatabaseserver
<SearchDatabaseServer> -searchdatabasename <SearchDatabaseName>
For additional information, see Createssp: STSadm operation
(http://technet.microsoft.com/en-us/library/cc262773.aspx).
Note:
url is the URL (in the format http://hostname:port/ssp/admin) of the Shared
Services Administration site. mysiteurl is the URL (in the format
http://hostname:port) of the My Sites Web site. ssplogin is the SSP service
account in the format domain\username. indexserver is the name of the server
that the index is hosted on. indexlocation is the directory on the index server
where the farm administrator specified the index to be stored. By default this is
SystemDrive:\Program Files\Microsoft Office Servers\12.0\Data\Office
Server\Applications.
Important:
This command must be run on the same computer that is indicated in the url
parameter. This is the same computer that is running the Web applications. In
this section, this is the server where the Shared Services Administration site Web
application and the My Sites Web application are running.
Note:
For more information about properly sizing these databases, see Estimate
performance and capacity requirements (http://technet.microsoft.com/en-
us/library/cc261716.aspx) and Estimate performance and capacity requirements for
portal collaboration environments (http://technet.microsoft.com/en-
us/library/cc263100.aspx).
Deploy a simple farm on the Windows Server
2008 operating system
In this section:
• Deployment overview
• Deploy and configure the server infrastructure
• Perform additional configuration tasks
• Create a site collection and a SharePoint site
• Configure the trace log
As of the release of Microsoft Office SharePoint Server 2007 Service Pack 1 (SP1), you can
install Office SharePoint Server 2007 on a server running Windows Server 2008. As with the
Windows Server 2003 operating system, you must download and run Setup and the SharePoint
Products and Technologies Configuration Wizard. You cannot install Office SharePoint Server
2007 without service packs on Windows Server 2008.
Important:
Office SharePoint Server 2007 requires the following components: the Web Server role,
Windows Internal Database, and the Microsoft .NET Framework. Office SharePoint
Server 2007 will cease to run if you uninstall these components.
Deployment overview
You can deploy Office SharePoint Server 2007 in a server farm environment if you are hosting a
large number of sites, if you want the best possible performance, or if you want the scalability of a
multi-tier topology. A server farm consists of one or more servers dedicated to running Office
SharePoint Server 2007.
Note:
There is no direct upgrade from a stand-alone installation to a farm installation.
Important:
This section discusses how to perform a clean installation of Office SharePoint Server
2007 with SP1 in a server farm environment on Windows Server 2008. It does not cover
upgrading the operating system from Windows Server 2003 to Windows Server 2008.
Note:
This section does not cover installing Office SharePoint Server 2007 on a single
computer as a stand-alone installation on Windows Server 2008. For more information,
see Perform a stand-alone installation of Office SharePoint Server 2007 on Windows
Server 2008.
Because a server farm deployment of Office SharePoint Server 2007 is more complex than a
stand-alone deployment, we recommend that you plan your deployment. Planning your
deployment can help you to gather the information you need and to make important decisions
before beginning to deploy. For information about planning, see Planning and architecture for
Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).
Suggested topologies
Server farm environments can encompass a wide range of topologies and can include many
servers or as few as two servers.
A server farm typically consists of a database server and one or more servers running Internet
Information Services (IIS) and Office SharePoint Server 2007. In this configuration, the front-end
servers are configured as Web servers. The Web server role provides Web content and services
such as search.
A large server farm typically consists of two or more clustered database servers, several load-
balanced front-end Web servers running IIS and Office SharePoint Server 2007, and two or more
servers providing Search services.
When you install Office SharePoint Server 2007, you can decide if you want to perform a
complete installation, which results in an application server, or to install just a front-end Web
server. The main difference between an application server installation and a front-end Web server
installation is the ability to run services such as the Search service. Since the front-end Web
server installation is a subset of the application server installation, if necessary, you can use an
application server as a front-end Web server; however, you should note that this configuration
increases the attack surface area on the server.
• All the Office SharePoint Server 2007 installations in the server farm must be in the same
language. For example, you cannot have both an English version of Office SharePoint Server
2007 and a Japanese version of Office SharePoint Server 2007 in the same server farm.
Note:
We recommend that you read the Known Issues and the Readme documentation
before you install Office SharePoint Server 2007 on a domain controller. Installing
Office SharePoint Server 2007 on a domain controller requires additional
configuration steps that are not discussed in this section.
• All of the Office SharePoint Server 2007 installations must be running the same software
update. For example, if one of the servers is updated to Post Service Pack 1 rollup, you
should update all of the Office SharePoint Server 2007 servers in the server farm to that
software update.
Required accounts
The following table lists the accounts used to configure SQL Server and to install Office
SharePoint Server 2007. For detailed information about the required accounts, including specific
role memberships and permissions required for these accounts, see Plan for administrative and
service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).
Account: SQL Server service account
Purpose: This account is used as the service account for the following SQL Server services:
• MSSQLSERVER
• SQLSERVERAGENT
If you are not using the default instance, these services will be shown as:
• MSSQL$InstanceName
• SQLAgent$InstanceName
Requirements: SQL Server prompts for this account during SQL Server Setup. You have two options:
• Assign one of the built-in system accounts (Local System, Network Service, or Local Service) to the logon for the configurable SQL Server services. For more information about these accounts and security considerations, refer to the Setting Up Windows Service Accounts topic (http://go.microsoft.com/fwlink/?LinkId=121664&clcid=0x409) in the SQL Server documentation.
• Assign a domain user account to the logon for the service. However, if you use this option you must take the additional steps required to configure Service Principal Names (SPNs) in Active Directory in order to support Kerberos authentication, which SQL Server uses.
If you use a domain user account for the SQL Server service account, you must make sure that a
valid service principal name (SPN) for that account and instance of SQL Server exists on the
database server in your environment. This is the case regardless of whether you use NTLM or
Kerberos authentication for Office SharePoint Server 2007.
You must configure the SPN for that account in the domain using the Setspn.exe command-line
tool. Setspn.exe is installed by default on computers running Windows Server 2008. Run the
following command on a computer that is joined to the same domain as the user/service account.
setspn -a http/<farmclusterdnsname> <serviceaccountname>
You only have to complete this task once for this account.
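The following PowerShell script is an added example, not part of the Microsoft deployment book: it performs the SPN registration above but first lists the account's current SPNs and then uses the duplicate-checking -S switch of the Windows Server 2008 setspn tool, because the same SPN registered on two accounts breaks Kerberos for both. The host name and account name are placeholders; substitute your own.

```powershell
# Added example (not from the Microsoft deployment book): register the SPN from the
# procedure above only after confirming it is not already held by another account.
# Placeholders (assumptions): replace the host name and account with your own values.
param(
    [string]$Spn     = "http/farm.contoso.example",   # placeholder: <farmclusterdnsname> from the page
    [string]$Account = "svc-sql"                      # placeholder: sAMAccountName of the service account
)

function Get-AccountSpns {
    param([string]$Name)
    # setspn -L lists every SPN registered on the account, one per indented line.
    $lines = & setspn.exe -L $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "setspn -L $Name failed: $lines" }
    # Keep only the indented SPN lines, trimmed so they compare cleanly.
    $lines | Where-Object { $_ -match '^\s+\S' } | ForEach-Object { $_.ToString().Trim() }
}

$existing = @(Get-AccountSpns -Name $Account)
if ($existing -contains $Spn) {
    Write-Host "SPN '$Spn' is already registered on $Account; nothing to do."
    return
}

# setspn -S (Windows Server 2008 and later) searches the forest for a duplicate before
# adding. Two accounts holding the same SPN breaks Kerberos for both, which is why the
# unconditional -a form from the procedure above is avoided here.
$result = & setspn.exe -S $Spn $Account 2>&1
if ($LASTEXITCODE -ne 0) { throw "setspn -S refused to add '$Spn': $result" }

# Re-read the account's SPNs to confirm the registration actually landed.
$after = @(Get-AccountSpns -Name $Account)
if ($after -notcontains $Spn) { throw "SPN '$Spn' was not found on $Account after registration." }
Write-Host "Registered and verified SPN '$Spn' on $Account."
```

Run it once per service account from a domain-joined computer with an account that has the rights to write SPNs.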
Important:
Office SharePoint Server 2007 requires Active Directory Domain Services for farm
deployments in a Windows Server 2008 environment.
IIS 6.0 Management Compatibility role service
If you use the Windows Server 2008 Server Manager to perform a default Internet Information
Services (IIS) 7.0 installation, the IIS 6.0 Management Compatibility role service is not included.
Since this is a required role service, you must use the following procedure.
Note:
You can also use the Microsoft .NET Framework version 3.5. You can download the .NET
Framework version 3.5 from the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=110508).
Note:
If you have not created an updated installation source, you must first install Office
SharePoint Server 2007 without any software updates, and then, without running the
SharePoint Products and Technologies Configuration Wizard at the end of the
installation, install SP1. After the installations are complete, you can run the SharePoint
Products and Technologies Configuration Wizard.
The server farm is established when you configure Office SharePoint Server 2007 on the first
server. You must join additional servers in the server farm to this farm.
Setting up the first server involves two steps: installing the Office SharePoint Server 2007 and
SP1 components on the server, and configuring the farm. After Setup finishes, you can use the
SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint
Server 2007. The SharePoint Products and Technologies Configuration Wizard automates
several configuration tasks, including: installing and configuring the configuration database,
installing Office SharePoint Server 2007 services, and creating the Central Administration Web
site.
Note:
Setup installs the Central Administration Web site on the first server on which you run
Setup. Therefore, we recommend that the first server on which you install Office
SharePoint Server 2007 be a server on which you want to run the Central Administration
Web site.
Run Setup on the first server
1. From the slipstreamed installation source, run Setup.exe on one of your Web
servers. For more information about slipstreaming, see Create an installation source that
includes software updates (http://technet.microsoft.com/en-us/library/cc261890.aspx).
2. On the Enter your Product Key page, enter your product key, and then click
Continue.
Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and alerts you that the
key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced. (The Basic option is
for stand-alone installations.)
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box prompts you to complete the configuration of your
server. Be sure that the Run the SharePoint Products and Technologies
Configuration Wizard now check box is not selected.
Note:
You should wait to run the SharePoint Products and Technologies Configuration Wizard
until you have installed Office SharePoint Server 2007 and Office SharePoint Server
2007 SP1 and performed the rest of the procedures in this section on all the servers in
the server farm.
Use the following procedure to add the SharePoint Central Administration Web site to the list of
trusted sites.
Add the SharePoint Central Administration Web site to the list of trusted sites.
1. In Windows Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security
settings box, click Trusted sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL for the SharePoint Central
Administration Web site, and then click Add.
5. Click Close to close the Trusted sites dialog box.
6. Click OK to close the Internet Options dialog box.
Use the following procedure to configure proxy server settings to bypass the proxy server for local
addresses.
Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click
LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings
check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check
box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.
Additional servers
We recommend that you install and configure Office SharePoint Server 2007 on all of your front-
end Web servers and the index server before you configure Office SharePoint Server 2007
services and create sites. If you want to build a minimal server farm configuration, and
incrementally add front-end Web servers to expand the farm, you can install and configure Office
SharePoint Server 2007 on a single Web server, and configure the Web server as both a front-
end Web server and an application server. Regardless of how many servers you have in your
server farm, you must have SQL Server 2005 running on at least one back-end database server
before you install Office SharePoint Server 2007 on your front-end Web servers.
Important:
If you uninstall Office SharePoint Server 2007 from the first server on which you installed
it, your farm might experience problems. It is not recommended that you install Office
SharePoint Server 2007 on an index server first.
Run Setup on additional servers — front-end Web servers
1. From the slipstreamed installation source, run Setup.exe on one of your Web
servers.
2. On the Enter your Product Key page, enter your product key, and then click
Continue.
Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Web Front End.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box prompts you to complete the configuration of your
server. Be sure that the Run the SharePoint Products and Technologies
Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the following section.
Use the following procedure to run Setup on additional servers in your server farm.
Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box prompts you to complete the configuration of your
server. Be sure that the Run the SharePoint Products and Technologies
Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the next set of steps.
Run the SharePoint Products and Technologies Configuration Wizard
After you have run Setup and both Office SharePoint Server 2007 and Office SharePoint Server
2007 SP1 are installed on all the servers in your server farm, you can use the SharePoint
Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The
configuration wizard automates several configuration tasks, including installing and configuring
the configuration database, installing Office SharePoint Server 2007 services, and creating the
Central Administration Web site. Use the following instructions to run the SharePoint Products
and Technologies Configuration Wizard.
3. In the dialog box that notifies you that some services might need to be restarted
during configuration, click Yes.
4. On the Connect to a server farm page, click No, I want to create a new server farm,
and then click Next.
server box, type the name of the computer that is running SQL Server.
6. Type a name for your configuration database in the Database name box, or use the
default database name. The default name is SharePoint_Config.
7. In the User name box, type the user name of the server farm account. (Be sure to
type the user name in the format <DOMAIN>\<user name>.)
Important:
The server farm account is used to access your configuration database. It also
acts as the application pool identity for the SharePoint Central Administration
application pool, and it is the account under which the Windows SharePoint
Services Timer service runs. The SharePoint Products and Technologies
Configuration Wizard adds this account to the SQL Server Logins, the SQL
Server Database Creator server role, and the SQL Server Security Administrators
server role. The user account that you specify as the service account must be a
domain user account, but it does not need to be a member of any specific
security group on your Web servers or your back-end database servers. We
recommend that you follow the principle of least privilege, and specify a user
account that is not a member of the Administrators group on your Web servers or
your back-end servers.
8. In the Password box, type the user's password, and then click Next.
9. On the Configure SharePoint Central Administration Web Application page, select the
Specify port number check box; type a port number if you want the SharePoint Central
Administration Web application to use a specific port, or leave the Specify port number
check box cleared if it does not matter which port number the SharePoint Central
Administration Web application uses.
10. In the Configure SharePoint Central Administration Web Application dialog box,
do one of the following:
• If you want to use NTLM authentication (the default), click Next.
• If you want to use Kerberos authentication, click Negotiate (Kerberos), and then
click Next.
Note:
In most cases, use the default setting (NTLM). Use Negotiate (Kerberos)
only if Kerberos authentication is supported in your environment. Using the
Negotiate (Kerberos) option requires you to configure a service principal
name (SPN) for the domain user account. To do this, you must be a member
of the Domain Admins group. For more information, see How to configure a
Windows SharePoint Services virtual server to use Kerberos authentication
and how to switch from Kerberos authentication back to NTLM authentication
(http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
11. On the Completing the SharePoint Products and Technologies Configuration Wizard
page, click Next.
The SharePoint Central Administration Web site home page opens.
Notes
If you are prompted for your user name and password, you might need to add the SharePoint
Central Administration Web site to the list of trusted sites, and configure user authentication
settings in Internet Explorer. Instructions for configuring these settings are provided in the
next set of steps.
If a proxy server error message appears, you might need to configure your proxy server
settings so that local addresses bypass the proxy server. Instructions for configuring this
setting are provided later in this section.
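The script below is an added example, not part of the Microsoft deployment book. It checks the least-privilege recommendation made for the server farm account in step 7 (and, by extension, the Search service accounts configured later in this section): none of these accounts should be a direct member of the local Administrators group on a farm server. The account names are placeholders; run it on each Web server and application server.

```powershell
# Added example (not from the Microsoft deployment book): confirm that the farm and
# Search service accounts are not direct members of the local Administrators group,
# as the least-privilege recommendation in this section requires. Run on each server.
# Placeholder account names are assumptions; substitute your own.
param(
    [string[]]$ServiceAccounts = @("CONTOSO\svc-farm", "CONTOSO\svc-search")
)

function Get-LocalAdministrators {
    # WinNT ADSI works on Windows Server 2008 without any extra modules.
    $group = [ADSI]"WinNT://./Administrators,group"
    $group.Invoke("Members") | ForEach-Object {
        # ADsPath looks like WinNT://CONTOSO/svc-farm; normalise it to DOMAIN\name.
        $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-ServiceAccountPrivilege {
    param([string[]]$Accounts)
    $admins = @(Get-LocalAdministrators)
    $violations = @()
    foreach ($account in $Accounts) {
        # -contains compares case-insensitively, matching how Windows treats account names.
        if ($admins -contains $account) { $violations += $account }
    }
    # Only direct membership is checked here; nested group membership is not expanded.
    return $violations
}

$found = @(Test-ServiceAccountPrivilege -Accounts $ServiceAccounts)
if ($found.Count -eq 0) {
    Write-Host "OK: no service account is a direct member of local Administrators on $env:COMPUTERNAME."
} else {
    Write-Warning ("Least-privilege violation on {0}: {1}" -f $env:COMPUTERNAME, ($found -join ', '))
    exit 1
}
```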
Windows SharePoint Services 3.0 services. Use the following instructions to run the SharePoint
Products and Technologies Configuration Wizard.
Start the Windows SharePoint Services Search service on computers used to search
content
1. On the SharePoint Central Administration home page, click the Operations tab on
the top link bar.
2. On the Operations page, in the Topology and Services section, click Servers in
farm.
3. On the Servers in Farm page, click the server on which you want to start the
Windows SharePoint Services Search service.
4. Next to Windows SharePoint Services Search, click Start.
5. On the Configure Windows SharePoint Services Search Service Settings page, in the
Service Account section, specify the user name and password for the user account
under which the Search service will run.
6. In the Content Access Account section, specify the user name and password for
the user account that the Search service will use to search content. This account must
have read access to all the content you want it to search. If you do not enter credentials,
the same account used for the Search service will be used.
7. In the Indexing Schedule section, either accept the default settings, or specify the
schedule that you want the Search service to use when searching content.
8. After you have configured all the settings, click Start.
Note:
If you configure host headers in IIS, the Web applications are created on port 80 and you might
not have to perform the procedures in this section. If, however, you use host header mode in
Windows SharePoint Services 3.0 to create multiple domain-named sites in a single Web
application, you will need to perform the procedures in this section to determine which ports the
Web applications, including Central Administration, will use in your server farm.
You should use Windows Firewall with Advanced Security to open the ports required for your
server farm as identified in the Determine ports used by Web Applications
(http://technet.microsoft.com/en-us/library/cc263408.aspx#BKMK_DeterminePortsUsedByWebApplications) procedure.
For ease in managing the rules, we recommend that you create one rule per Web application and
one for the two SSP ports. Alternatively, for more centralized rule management you can create
one rule to manage all the ports.
For Web applications, you only need to create a rule to open a port for incoming connections; the
rule for the two SSP ports must be configured to enable both incoming and outgoing traffic.
7. In the console tree, select Outbound Rules, and then, in the Actions pane, click New Rule.
8. Complete the New Outbound Rule Wizard using the settings from the following table.
Wizard page Settings
For more information about Windows Firewall with Advanced Security, see Windows Firewall
(http://go.microsoft.com/fwlink/?LinkID=84639).
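The following script is an added example, not part of the Microsoft deployment book: it creates the rule set recommended above (one inbound rule per Web application port, and inbound plus outbound rules for the two SSP ports) through netsh advfirewall, which is the command-line front end to Windows Firewall with Advanced Security on Windows Server 2008, and verifies that each rule exists afterwards. The port numbers are placeholders; take the real values from the Determine ports used by Web Applications procedure.

```powershell
# Added example (not from the Microsoft deployment book): create and verify the
# Windows Firewall with Advanced Security rules described in this section.
# The port numbers are placeholders (assumptions); replace them with the ports
# identified by the "Determine ports used by Web Applications" procedure.
param(
    [int[]]$WebApplicationPorts = @(80, 443),    # placeholder: one entry per Web application
    [int[]]$SspPorts            = @(8081, 8082)  # placeholder: the two SSP ports of your farm
)

function Set-FarmFirewallRule {
    param([string]$Name, [string]$Direction, [int]$Port)
    # Rule names deliberately contain no spaces so they pass through to netsh unquoted.
    # Delete any earlier copy first: netsh happily stacks duplicate rules with the same name.
    & netsh advfirewall firewall delete rule name=$Name | Out-Null
    # Inbound rules match on the local listening port; outbound rules match on the
    # remote port of the farm server being contacted.
    $portArg = if ($Direction -eq 'in') { "localport=$Port" } else { "remoteport=$Port" }
    & netsh advfirewall firewall add rule name=$Name dir=$Direction action=allow protocol=TCP $portArg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to create rule $Name" }
}

function Test-FarmFirewallRule {
    param([string]$Name)
    # "show rule" prints the rule's properties when it exists and
    # "No rules match the specified criteria." when it does not.
    $output = & netsh advfirewall firewall show rule name=$Name
    return [bool]($output -match 'Rule Name:')
}

# Build the rule list: Web applications need inbound only, SSP ports need both directions.
$rules = @()
foreach ($port in $WebApplicationPorts) {
    $rules += @{ Name = "SharePoint-WebApp-In-$port"; Direction = 'in'; Port = $port }
}
foreach ($port in $SspPorts) {
    $rules += @{ Name = "SharePoint-SSP-In-$port";  Direction = 'in';  Port = $port }
    $rules += @{ Name = "SharePoint-SSP-Out-$port"; Direction = 'out'; Port = $port }
}

foreach ($rule in $rules) {
    Set-FarmFirewallRule -Name $rule.Name -Direction $rule.Direction -Port $rule.Port
    if (-not (Test-FarmFirewallRule -Name $rule.Name)) { throw "Rule $($rule.Name) was not created." }
    Write-Host "Created and verified $($rule.Direction) rule $($rule.Name) for TCP $($rule.Port)."
}
```

Run it from an elevated PowerShell prompt on each farm server; re-running it is safe because each rule is replaced rather than duplicated.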
• Configure single sign-on You can configure single sign-on settings in the farm. Single
sign-on enables you to connect to external data sources by using Excel Calculation Services
or the Business Data Catalog. For more information, see Configure single sign-on.
• Configure antivirus settings You can configure several antivirus settings if you have
an antivirus program that is designed for Office SharePoint Server 2007. Antivirus settings
allow you to control whether documents are scanned on upload or on download, and whether
users can download infected documents. You can also specify how long you want the
antivirus program to run before it times out, and you can specify how many execution threads
the antivirus program can use on the server. For more information, see Configure antivirus
settings.
You can use the following procedure to configure optional administrative settings using
SharePoint Central Administration.
Management section, click Create or extend Web application.
4. On the Create or Extend Web Application page, in the Adding a SharePoint Web
Application section, click Create a new Web application.
5. On the Create New Web Application page, in the IIS Web Site section, you can
configure the settings for your new Web application.
a. To choose to use an existing Web site, select Use an existing Web site, and
specify the Web site on which to install your new Web application by selecting it from
the drop-down menu.
b. To create a new Web site, select Create a new IIS Web site, and then type the
name of the Web site in the Description box.
c. In the Port box, type the port number you want to use to access the Web
application. If you are creating a new Web site, this field is populated with a
suggested port number. If you are using an existing Web site, this field is populated
with the current port number.
d. In the Host Header box, type the URL you wish to use to access the Web
application. This is an optional field.
e. In the Path box, type the path to the site directory on the server. If you are
creating a new Web site, this field is populated with a suggested path. If you are
using an existing Web site, this field is populated with the current path.
6. In the Security Configuration section, configure authentication and encryption for
your Web application.
a. In the Authentication Provider section, choose either Negotiate (Kerberos) or
NTLM.
Note:
To enable Kerberos authentication, you must perform additional configuration
tasks. For more information about authentication methods, see Plan
authentication methods (http://technet.microsoft.com/en-us/library/cc262350.aspx).
b. In the Allow Anonymous section, choose Yes or No. If you choose to allow
anonymous access, this enables anonymous access to the Web site using the
computer-specific anonymous access account (that is, IUSR_<computername>).
Note:
If you want users to be able to access any site content anonymously, you
must enable anonymous access for the entire Web application. Later, site
owners can configure how anonymous access is used within their sites. For
more information about anonymous access, see Determine which Windows
security groups and accounts to use for granting access to sites.
c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you
choose to enable SSL for the Web site, you must configure SSL by requesting and
installing an SSL certificate.
Important:
If you use SSL, you must add the appropriate certificate on each server by
using IIS administration tools. For more information about using SSL, see
Plan for secure communication within a server farm
(http://technet.microsoft.com/en-us/library/cc263077.aspx).
7. In the Load Balanced URL section, type the URL for the domain name for all sites
that users will access in this Web application. This URL domain will be used in all links
shown on pages within the Web application. By default, the box is populated with the
current server name and port.
The Zone box is automatically set to Default for a new Web application, and cannot be
changed from this page. To change the zone for a Web application, see Extend an
existing Web application.
8. In the Application Pool section, choose whether to use an existing application pool
or create a new application pool for this Web application. To use an existing application
pool, select Use existing application pool. Then select the application pool you wish to
use from the drop-down menu.
a. To create a new application pool, select Create a new application pool.
b. In the Application pool name box, type the name of the new application pool, or
keep the default name.
c. In the Select a security account for this application pool section, select
Predefined to use an existing application pool security account, and then select the
security account from the drop-down menu.
d. Select Configurable to use an account that is not currently being used as a
security account for an existing application pool. In the User name box, type the user
name of the account you wish to use, and then, in the Password box, type the
password for the account.
9. In the Reset Internet Information Services section, choose whether to allow
Windows SharePoint Services to restart IIS on other farm servers. The local server must
be restarted manually for the process to finish. If this option is not selected, and you have
more than one server in the farm, you must wait until the IIS Web site is created on all
servers and then run iisreset /noforce on each Web server. The new IIS site is not
usable until that action is completed. The choices are unavailable if your farm only
contains a single server.
10. In the Database Name and Authentication section, choose the database server,
database name, and authentication method for your new Web application.
Note:
The paths available for the URL option are taken from the list of managed paths
that have been defined as wildcard inclusions. For more information about
managed paths, see “Define managed paths” in the Central Administration Help
(http://technet.microsoft.com/en-us/library/cc263179.aspx) system.
6. In the Template Selection section, in the Select a template list, select the template
that you want to use for the top-level site in the site collection.
7. In the Primary Site Collection Administrator section, enter the user name (in the
form DOMAIN\user name) for the user who will be the site collection administrator.
8. If you want to identify a user as the secondary owner of the new top-level Web site
(recommended), in the Secondary Site Collection Administrator section, enter the
user name for the secondary administrator of the site collection.
9. If you are using quotas to limit resource use for site collections, in the Quota
Template section, click a template in the Select a quota template list.
10. Click OK.
appears in the URL box.
4. Copy and paste the full URL path into your browser, and then, on the home page of
the top-level site for the site collection, on the Site Actions menu, click Create.
5. On the Create page, in the Web Pages section, click Sites and Workspaces.
6. On the New SharePoint Site page, in the Title and Description section, type a title
and description for the site.
7. In the Web Site Address section, type a URL for the site.
8. In the Template Selection section, select a template from the tabbed template
control.
9. Either change other settings, or click Create to create the site.
The new site opens.
After creating sites, you might want to configure alternate access mappings. Alternate access
mappings direct users to the correct URLs during their interaction with Office SharePoint Server
2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for
example). Alternate access mappings enable Office SharePoint Server 2007 to map Web
requests to the correct Web applications and sites, and they enable Office SharePoint Server
2007 to display the correct site. For more information, see Plan alternate access mappings
(http://technet.microsoft.com/en-us/library/cc261814.aspx).
Configure the trace log to save seven days of events
1. In Central Administration, on the Operations tab, in the Logging and Reporting
section, click Diagnostic logging.
2. On the Diagnostic Logging page, in the Trace Log section, do the following:
Tip:
To save 10,080 minutes (seven days) of events, you can use any combination of
number of log files and minutes to store in each log file.
3. Ensure that the path specified in the Path box has enough room to store the extra log
files, or change the path to another location.
Tip:
We recommend that you store log files on a hard drive partition that is used to
store log files only.
4. Click OK.
Important:
You must be logged on as a member of the Administrators group on the local server
computer to edit the registry. Incorrectly editing the registry might severely damage your
system. Before making changes to the registry, you should back up any valued data on
the computer.
7. Type Application Support, and then press ENTER.
8. Select the Application Support key, and then on the Edit menu, click New, and then
click Key.
9. Type {c2f52614-5e53-4858-a589-38eeb25c6184} as the key name, and then press
ENTER.
This is the GUID for the WSS Writer.
10. Select the new key, and then on the Edit menu, click New, and then click String
Value.
11. Type Application Identifier as the new value, and then press ENTER.
12. Right-click the Application Identifier value, and then click Modify.
13. In the Value Data box, type Windows SharePoint Services, and then click OK.
14. On the Edit menu, click New, and then click DWORD (32-bit) Value.
15. Type UseSameVssContext as the new value name, and then press ENTER.
16. Right-click the UseSameVssContext value, and then click Modify.
17. In the Value Data box, type 00000001, and then click OK.
Install Office SharePoint Server 2007 by
using the command line
In this section:
• Install software requirements
• Determine required accounts for installation
• Install Microsoft Office SharePoint Server 2007 by running Setup at a command prompt
• Configure the server by using the Psconfig command-line tool
• Perform additional configuration tasks
• Create a Shared Services Provider (SSP) by using the Stsadm command-line tool
• Create a site collection by using the Stsadm command-line tool
• Configure the trace log
This section discusses how to do a clean installation of Microsoft Office SharePoint Server 2007
on a stand-alone server or on a server farm by using command-line tools.
The command-line tools enable you to customize the configuration of Office SharePoint Server
2007. Additionally, you can streamline deployment by using command-line installations in
combination with other administrator tools to automate unattended installations.
To install Office SharePoint Server 2007 on a server farm, you have to complete the following
steps:
1. Plan the deployment and ensure that you have installed all the software requirements.
2. Determine the required accounts that are used during installation.
3. Install Office SharePoint Server 2007 by running Setup at a command prompt, and
specifying a configuration file.
4. Configure the server by using the Psconfig command-line tool with the appropriate
options.
5. Create a Shared Services Provider (SSP) by using the Stsadm command-line tool (only
applies on server-farm installations).
6. Create a site collection by using the Stsadm command-line tool (only applies on server-
farm installations).
• Office SharePoint Server 2007 on a clean installation of the Windows Server 2003
operating system with the most recent service pack. To install Office SharePoint Server 2007
on Windows Server 2008, see Installing Microsoft Office SharePoint Server 2007 on
Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=122586&clcid=0x409).
Note:
All the instances of Office SharePoint Server 2007 in the farm must be in the same
language. For example, you cannot have both English and Japanese versions of
Office SharePoint Server 2007 in the same farm.
• The Microsoft .NET Framework version 3.0. The .NET Framework version 3.0 download
contains the Windows Workflow Foundation technology, which is required by workflow
features.
Note:
You can also use the Microsoft .NET Framework version 3.5. You can download
the .NET Framework version 3.5 from the Microsoft Download Center
(http://go.microsoft.com/fwlink/?LinkId=110508).
• ASP.NET 2.0 enabled in the Internet Information Services (IIS) Manager on all servers
that are running Office SharePoint Server 2007.
• Microsoft SQL Server 2000 or Microsoft SQL Server 2005 with the most recent service
pack running on at least one database server before you install Office SharePoint Server
2007 on the Web servers.
To deploy a server farm, you must have at least one server computer acting as a Web server and
an application server, and one server computer acting as a database server.
The following table describes the accounts that are used during installation and configuration of
Office SharePoint Server 2007. These accounts must be created and configured before you run
Setup.
Account: Setup user account
Purpose: The Setup user account is used to run the following:
• Setup on each server.
• The SharePoint Products and Technologies Configuration Wizard.
• The Psconfig command-line tool.
• The Stsadm command-line tool.
Requirements:
• Domain user account.
• Member of the Administrators group on each server on which Setup is run.
• SQL Server login on the computer that is running SQL Server.
• Member of the following SQL Server security roles:
  • securityadmin fixed server role
  • dbcreator fixed server role
If you run Stsadm command-line tool commands that read from or write to a database, the Setup
user account must be a member of the db_owner fixed database role for the database.

Account: Server farm account or database access account
Purpose: The server farm account is used to:
• Configure and manage the server farm.
• Act as the application pool identity for the SharePoint Central Administration application pool.
• Run the Windows SharePoint Services Timer service.
Requirements:
• Domain user account.
• If the server farm is a child farm with Web applications that consume shared services from a
larger farm, the server farm account must be a member of the db_owner fixed database role on
the configuration database of the larger farm.
Additional permissions are automatically granted for the server farm account on Web servers and
application servers that are joined to a server farm. The server farm account is automatically
added as a SQL Server login on the computer that is running SQL Server, and added to the
following SQL Server security roles:
• dbcreator fixed server role
• securityadmin fixed server role
• db_owner fixed database role for all databases in the server farm
Configuration file Description
Important:
The example configuration files that are included with Office SharePoint Server 2007 omit
the <Setting Id="SETUP_REBOOT" Value="Never"/> setting. You must include this setting
if you want to suppress restarts during a command-line installation.
Example
The following example shows the configuration file for setting up a single server in silent mode
(SetupSilent).
<Configuration>
<Package Id="sts">
<Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
<Setting Id="REBOOT" Value="ReallySuppress"/>
<Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
</Package>
<Package Id="spswfe">
<Setting Id="SETUPCALLED" Value="1"/>
<Setting Id="REBOOT" Value="ReallySuppress"/>
<Setting Id="OFFICESERVERPREMIUM" Value="1" />
</Package>
<Logging Type="verbose" Path="%temp%" Template="Office Server Setup(*).log"/>
<Display Level="none" CompletionNotice="no" />
<PIDKEY Value="Enter PID Key Here" />
<Setting Id="SERVERROLE" Value="SINGLESERVER"/>
<Setting Id="USINGUIINSTALLMODE" Value="0"/>
</Configuration>
Note:
You can select one of the example files, or customize your own configuration file.
3. Press ENTER.
Important:
Use a text editor, such as Notepad, to edit Config.xml. Do not use a general-purpose
XML editor such as Microsoft Office Word 2007.
For more information about the options available for customizing the configuration file, see
Config.xml reference (http://technet.microsoft.com/en-us/library/cc261668.aspx).
For more information about the command-line options for Setup, see Setup.exe command-line
reference (http://technet.microsoft.com/en-us/library/cc262897.aspx).
The Psconfig command-line tool describes the configuration steps as they occur, and notes the
successful completion of configuration. For a stand-alone server installation, this is the final step
in a command-line installation.
Note:
Ensure that you follow the procedure in the order that it is written to avoid configuration
problems.
Configure SharePoint Server 2007 on a farm by using the Psconfig command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to
the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Bin.
2. Create the configuration database:
psconfig -cmd configdb -create -server <database server name> -database <database name>
[-dbuser <domain\user name> -dbpassword <password>]
-user <domain\user name> -password <password>
-addomain <domain name> -adorgunit <org unit>
-admincontentdatabase <Central Administration Web application content database name>
Note:
The dbuser and dbpassword parameters are only used in deployments that use
SQL Server authentication. If you are using Windows authentication, these
parameters are not required.
3. Install all Help collections:
psconfig -cmd helpcollections -installall
4. Perform resource security enforcement:
psconfig -cmd secureresources
5. Register services in the server farm:
psconfig -cmd services -install
Note:
After installing services, you must start and configure two services, Windows
SharePoint Services Search and Office SharePoint Server Search, by using the
Stsadm command-line tool:
a. stsadm -o spsearch -action start -farmserviceaccount <domain\user name>
-farmservicepassword <password> [-databasename <content database name>]
[-databaseserver <server instance>] [-searchserver <search server name>]
For more information, see Spsearch: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc288507.aspx).
b. stsadm -o osearch -action start -role IndexQuery -farmserviceaccount
<domain\user name> -farmservicepassword <password>
-farmcontactemail <user@domain.com>
For more information, see Osearch: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc262920.aspx).
c. Provision the services of the farm:
psconfig -cmd services -provision
6. Register all features:
psconfig -cmd installfeatures
7. Provision the SharePoint Central Administration Web application:
psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm
8. Install shared application data:
psconfig -cmd applicationcontent -install
The SharePoint Central Administration Web site has now been created.
We recommend that you install and configure Office SharePoint Server 2007 on all of the farm
servers before you create sites.
Note:
If any of these commands fail, look in the post-setup configuration log files. The log files
are available at %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Logs, and can be identified by a file name that begins with “PSC” and the
.log file name extension.
To connect to an existing configuration database and join the server to an existing server farm,
you have to run the configdb command together with the -connect parameter instead of the
-create parameter.
psconfig -cmd configdb -connect -server <server name> -database <database name>
Note:
Omit the -admincontentdatabase command because you have already included this
command when you created the configuration database.
Use the psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm
command if you want to provision the SharePoint Central Administration Web application on
additional servers, which reduces the risk if the server that is running the SharePoint Central
Administration Web application fails.
To successfully complete the command-line installation on a server farm, you must use the
Stsadm command-line tool to create the Shared Services Provider (SSP), and then a site
collection for the farm. However, before you create the SSP and a site collection, we recommend
that you first perform some additional configuration tasks.
Create a Shared Services Provider (SSP) by using the Stsadm command-line tool
After you create and configure Office SharePoint Server 2007 on a farm, you must use the
Stsadm command-line tool to create the SSP for the farm. The Stsadm command-line tool is
available on the installation drive for Office SharePoint Server 2007 at
%COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
Important:
To run the Stsadm command-line tool, you must be a member of the Administrators group
on the local computer.
The recommended procedure for creating an SSP is to create a Web application for the My Site
host location, and a separate Web application for the Shared Services Administration Web site.
To create a new Web application, use the following procedure.
[-allowanonymous]
For more information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc263040.aspx).
The extendvs operation creates the Web application. The donotcreatesite parameter creates
the Web application without creating a site collection on the Web application.
After creating the Web applications for the My Site host location and for the Shared Services
Administration Web site, you create the SSP.
Example
The following command creates a Web application with the URL http://intranet:8080 that can be
used to host the SSP Administration site.
stsadm -o extendvs -url http://intranet:8080 -ownerlogin <domain\user name> -owneremail
<user@domain.com> -exclusivelyusentlm -databaseserver <database server name>
-databasename <SSP content database> -donotcreatesite -apidname <SSP application pool
name> -apidtype {configurableID | NetworkService} -apidlogin <domain\user name> -apidpwd
<password>
Similarly, you can create another Web application as the My Site host location by using the
following command:
stsadm -o extendvs -url http://intranet:8090 -ownerlogin <domain\user name> -owneremail
<user@domain.com> -exclusivelyusentlm -databaseserver <database server name>
-databasename <My Sites content database name> -donotcreatesite -apidname <My Sites
application pool name> -apidtype {configurableID | NetworkService} -apidlogin <domain\user
name> -apidpwd <password>
Then you create the SSP, MySSP1, with its database MySSP1_db:
stsadm -o createssp -title MySSP1 -url http://intranet -mysiteurl http://intranet:8090
-ssplogin <domain\user name> -ssppassword <password> -sspdatabaseserver <SSP
database server name> -sspdatabasename MySSP1_db -indexserver <index server name>
-indexlocation "D:\Program Files\Microsoft Office Servers\12.0\Data\Office
Server\Applications" -searchdatabaseserver <search database server name>
-searchdatabasename <search database name>
For more information, see Stsadm command-line tool (http://technet.microsoft.com/en-
us/library/cc261956.aspx).
Important:
To run the Stsadm command-line tool, you must be a member of the Administrators group
on the local computer.
[-databaseuser <database user name>]
[-databaseserver <database server name>]
[-databasename <new content database name>]
[-databasepassword <database password>]
[-lcid <language>]
[-sitetemplate <site template>]
[-donotcreatesite]
[-description]
[-sethostheader]
[-apidname <application pool name>]
[-apidtype {configurableID | NetworkService}]
[-apidlogin <domain\user name>]
[-apidpwd <application pool password>]
[-allowanonymous]
For more information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc263040.aspx) and Stsadm command-line tool
(http://technet.microsoft.com/en-us/library/cc261956.aspx).
Example
The following command creates a site collection at http://intranet that uses the corporate intranet
site template.
stsadm -o extendvs -url http://intranet -ownerlogin <domain\user name> -owneremail
<user@domain.com> -exclusivelyusentlm -sitetemplate SPSPORTAL -apidname
"SharePoint AppPool" -apidtype {configurableID | NetworkService} -apidlogin
<domain\user name> -apidpwd <password>
If you do not specify the site template to use, site owners can choose the site template when they
first browse to the site.
The following table lists common templates.
Parameter value Description
BLOG#0 Blog
If you want to create additional Web applications or site collections by using the Stsadm
command-line tool, you can use either the extendvs operation or the createsite operation.
The extendvs operation extends a Web application and creates a new content database. The
createsite operation creates a site collection at a specific URL with a specified user as a site
owner.
Note:
The createsite operation does not create a new content database. If you want to create a
new content database with the new site, use the createsiteinnewdb operation.
For more information, see Createsite: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262594.aspx) and Createsiteinnewdb: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc262407.aspx).
The extendvs operation also enables site collection administrators to specify the language of the
site collection by using the Locale ID (LCID) parameter. If you do not specify an LCID, the
language of the server is used for the top-level site collection. For more information about the
available LCID values, see List of Locale ID (LCID) Values as Assigned by Microsoft
(http://go.microsoft.com/fwlink/?LinkId=63028&clcid=0x409).
After creating sites, you might want to configure alternate access mappings. Alternate access
mappings direct users to the correct URLs during their interaction with Office SharePoint Server
2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for
example). Alternate access mappings enable Office SharePoint Server 2007 to map Web
requests to the correct Web applications and sites, and they enable Office SharePoint Server
2007 to serve the correct content back to the user. For more information, see Plan alternate
access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).
You can use the Diagnostic Logging page in Central Administration to configure the maximum
number of trace log files to maintain, and how long (in minutes) to capture events to each log file.
By default, 96 log files are kept, each one containing 30 minutes of events.
96 log files * 30 minutes of events per file = 2880 minutes or two days of events.
You can also specify where the log files are written or accept the default path.
Trace log files can help you troubleshoot issues related to configuration changes of the Windows
SharePoint Services Search service. Because problems related to configuration changes are not
always immediately discovered, we recommend that you save all trace log files that the system
creates on any day that you make any configuration changes. Store these log files for some time
in a safe location that will not be overwritten. We recommend that you store log files on a hard
disk drive partition that is used to store log files only.
See Also
Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx)
Plan for administrative and service accounts (http://technet.microsoft.com/en-
us/library/cc263445.aspx)
Office SharePoint Server Security Account Requirements (http://go.microsoft.com/fwlink/?
LinkID=110493&clcid=0x409)
Install Office SharePoint Server 2007 with least privilege administration by using the command line
In this section:
• Install software requirements
• Determine required accounts for least-privilege administration
• Install Microsoft Office SharePoint Server 2007 by using least-privilege administration
• Configure the server by using the Psconfig command-line tool
• Perform additional configuration tasks
• Create a Shared Services Provider by using the Stsadm command-line tool
• Create a site collection by using the Stsadm command-line tool
• Configure the trace log
This section discusses how to install Microsoft Office SharePoint Server 2007 on a stand-alone
server or on a server farm by using least-privilege administration.
The Office SharePoint Server 2007 standard configuration uses a set of user accounts and
installation settings for both stand-alone servers and server farms to simplify the installation
process. However, enterprises are often required to use least-privilege administration in which
each service or user is provided with only the minimum permissions and group memberships that
they need to accomplish the tasks that they are authorized to perform. Installing Office
SharePoint Server 2007 with least-privilege administration requires additional preparation and
configuration steps. We strongly recommend that you use least-privilege administration.
To install Office SharePoint Server 2007 by using least-privilege administration on either a stand-
alone server or a server farm, you complete the following steps:
1. Plan the deployment and ensure that you have installed all the software requirements.
2. Determine the required accounts that are used during installation.
3. Use the least-privilege Setup user account to install Office SharePoint Server 2007 by
using Setup at a command prompt and specifying a configuration file.
4. Configure the server by using the Psconfig command-line tool with the appropriate
options.
5. Create a Shared Services Provider (SSP) by using the Stsadm command-line tool (only
applies on server-farm installations).
6. Create a site collection by using the Stsadm command-line tool (only applies on server-
farm installations).
Install software requirements
Before running Setup, you must perform several actions to prepare the deployment. For more
information about the complete list of actions you must perform before installation, see Chapter
overview: Install Office SharePoint Server 2007 in a server farm environment. Ensure that you
have the following software requirements before you run Setup in any deployment:
• Office SharePoint Server 2007 on a clean installation of the Windows Server 2003
operating system with the most recent service pack. To install Office SharePoint Server 2007
on Windows Server 2008, see Installing Microsoft Office SharePoint Server 2007 on
Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=122586&clcid=0x409).
Note:
All the instances of Office SharePoint Server 2007 in the farm must be in the same
language. For example, you cannot have both English versions and Japanese
versions of Office SharePoint Server 2007 in the same farm.
• The Microsoft .NET Framework version 3.0. The .NET Framework version 3.0 download
contains the Windows Workflow Foundation technology, which is required by workflow
features.
You can also use the Microsoft .NET Framework version 3.5. You can download the .NET
Framework version 3.5 from the Microsoft Download Center (http://go.microsoft.com/fwlink/?
LinkId=110508).
• ASP.NET 2.0 enabled in the Internet Information Services (IIS) Manager on all Office
SharePoint Server 2007 servers.
• Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most recent service
pack running on at least one database server before you install Office SharePoint Server
2007 on the Web servers.
Note:
To deploy a server farm, you must have at least one server computer acting as a Web
server and an application server, and one server computer acting as a database server.
• Office SharePoint Server Security Account Requirements
(http://go.microsoft.com/fwlink/?LinkID=92883&clcid=0x409)
Many requirements and configuration steps for installing Office SharePoint Server 2007 by using
least-privilege administration resemble the standard farm installation. For more information about
the standard farm installation, see Chapter overview: Install Office SharePoint Server 2007 in a
server farm environment.
The following table describes the accounts that are used to install Office SharePoint Server 2007
for least-privilege administration compared to the standard account requirements for farm
installation.
Account: Setup user account
Purpose: The Setup user account is used to run the following:
• Setup on each server.
• The SharePoint Products and Technologies Configuration Wizard.
• The Psconfig command-line tool.
• The Stsadm command-line tool.
Server farm standard requirements:
• Domain user account
• Member of the Administrators group on each server on which Setup is run
• SQL Server login on the computer that is running SQL Server
• Member of the following SQL Server security roles:
  • securityadmin fixed server role
  • dbcreator fixed server role
If you run Stsadm command-line commands that read from or write to a database, the Setup user
account must be a member of the db_owner fixed database role for the database.
Least-privilege administration using domain user accounts requirements: Server farm standard
requirements with the following additions or exceptions:
• Use a separate domain user account.
• The Setup user account should not be a member of the Administrators group on the computer
that is running SQL Server.

Account: Server farm account or database access account
Purpose: The server farm account is used to:
• Configure and manage the server farm.
• Act as the application pool identity for the SharePoint Central Administration Web site.
• Run the Windows SharePoint Services Timer service.
Server farm standard requirements:
• Domain user account.
• If the server farm is a child farm with Web applications that consume shared services from a
larger farm, this account must be a member of the db_owner fixed database role on the
configuration database of the larger farm.
Additional permissions are automatically granted for the server farm account on Web servers and
application servers that are joined to a server farm. The server account is automatically added as
a SQL Server login on the computer that is running SQL Server and added to the following SQL
Server security roles:
• dbcreator fixed server role
• securityadmin fixed server role
• db_owner fixed database role for all databases in the server farm.
Least-privilege administration using domain user accounts requirements: Server farm standard
requirements with the following additions or exceptions:
• Use a separate domain user account.
• The server farm account is not a member of the Administrators group on any server in the server
farm. This includes the computer that is running SQL Server.
The server farm account does not require permissions to SQL Server before you create the
configuration database.
The minimum requirements to achieve least-privilege administration include the following:
• Separate accounts are used for different services and processes.
• No executing service or process account is running with local administrator permissions.
By using separate service accounts for each service and limiting the permissions assigned to
each account, you reduce the opportunity for a malicious user or process to compromise the
environment.
Least-privilege administration can be implemented in many ways, depending on the security
configuration of each scenario. The configurations for least-privilege administration include:
• Separate domain user accounts
• SQL Server authentication
• Domain user accounts connecting to existing databases
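As an added example (not from this book), the following PowerShell script checks the two minimum requirements above on the server where it runs: no service account is a member of the local Administrators group, and the Setup user account is a member on farm servers but not on the computer that is running SQL Server. The account names and the -IsSqlServer switch are assumptions; nested group membership is not resolved.

```powershell
# Added example, not from the Microsoft book. Checks direct membership of the
# local Administrators group against the least-privilege requirements.
param(
    [string[]]$ServiceAccounts = @("CONTOSO\spfarm", "CONTOSO\spsearch"),  # assumed names
    [string]$SetupAccount = "CONTOSO\spsetup",                             # assumed name
    [switch]$IsSqlServer   # set when run on the computer that is running SQL Server
)

function Get-LocalAdministrators {
    # WinNT ADSI provider: enumerates the direct members of the local Administrators group.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke("Members"))) {
        $path = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
        # ADsPath looks like WinNT://CONTOSO/spfarm; normalise it to CONTOSO\spfarm
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$admins = @(Get-LocalAdministrators)
$violations = @()

# Requirement: no service or process account runs with local administrator permissions.
foreach ($acct in $ServiceAccounts) {
    if ($admins -contains $acct) {
        $violations += "$acct is a member of local Administrators; service accounts must not be."
    }
}

# The Setup user account needs local Administrators on the servers where Setup and
# Psconfig run, but under least-privilege administration not on the SQL Server computer.
if ($IsSqlServer -and ($admins -contains $SetupAccount)) {
    $violations += "$SetupAccount is a member of local Administrators on the SQL Server computer."
}
if (-not $IsSqlServer -and -not ($admins -contains $SetupAccount)) {
    $violations += "$SetupAccount is not a member of local Administrators; Setup and Psconfig will fail here."
}

if ($violations.Count -eq 0) {
    Write-Output "Least-privilege membership check passed on $env:COMPUTERNAME"
    exit 0
}
$violations | ForEach-Object { Write-Output ("FAIL: " + $_) }
exit 1
```

Run it once on every Web server and application server without -IsSqlServer, and once on the database server with -IsSqlServer.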
Important:
The example configuration files that are included with Office SharePoint Server 2007 omit
the <Setting Id="SETUP_REBOOT" Value="Never"/> setting. You must include this
setting if you want to suppress restarts during a command-line installation.
Example
The following example shows the configuration for setting up a single server in silent mode
(SetupSilent).
<Configuration>
<Package Id="sts">
<Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
<Setting Id="REBOOT" Value="ReallySuppress"/>
<Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
</Package>
<Package Id="spswfe">
<Setting Id="SETUPCALLED" Value="1"/>
<Setting Id="REBOOT" Value="ReallySuppress"/>
<Setting Id="OFFICESERVERPREMIUM" Value="1" />
</Package>
<Logging Type="verbose" Path="%temp%" Template="Office Server Setup(*).log"/>
<Display Level="none" CompletionNotice="no" />
<PIDKEY Value="Enter PID Key Here" />
<Setting Id="SERVERROLE" Value="SINGLESERVER"/>
<Setting Id="USINGUIINSTALLMODE" Value="0"/>
</Configuration>
Note:
You can select one of the example files, or customize your own configuration file.
3. Press ENTER.
elements. Then run setup /config <path and file name> to specify that Setup runs and uses the
options that you set in the Config.xml file.
Some typical configuration options include:
• Bypassing the prompt for the product key by providing the key as a value, <PIDKEY
Value="Enter PID Key Here" />, in the Config.xml file.
• Adding a location for a log file, <Logging Type="off" | "standard"(default) | "verbose"
Path="path name" Template="file name.log"/>, which you can view if command-line
installation fails.
Important:
Use a text editor, such as Notepad, to edit Config.xml. Do not use a general-purpose
XML editor such as Microsoft Office Word 2007.
For more information about the options available for customizing the configuration file, see
Config.xml reference (http://technet.microsoft.com/en-us/library/cc261668.aspx).
For more information about the command-line options for Setup, see Setup.exe command-line
reference (http://technet.microsoft.com/en-us/library/cc262897.aspx).
For more information about command-line installation, see Install Office SharePoint Server 2007
by using the command line.
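The following PowerShell pre-flight check is an added example (not from this book) that applies the Config.xml points made here and in the earlier command-line installation section before setup /config is run: it confirms that SETUP_REBOOT is present, that each package suppresses restarts, that the sample file's PIDKEY placeholder was replaced, and that logging is verbose. The file path is an assumption.

```powershell
# Added example, not from the Microsoft book: validates a Config.xml for an
# unattended (silent) installation before Setup is started with it.
param(
    [string]$ConfigPath = "C:\Deploy\Config.xml"   # assumed location of the file
)

$cfg = [xml](Get-Content -Path $ConfigPath)
$problems = @()

# 1. The sample files shipped with the product omit SETUP_REBOOT; without it,
#    Setup may restart the server in the middle of an unattended installation.
$reboot = $cfg.SelectSingleNode("//Setting[@Id='SETUP_REBOOT']")
if ($reboot -eq $null -or $reboot.GetAttribute("Value") -ne "Never") {
    $problems += "SETUP_REBOOT setting is missing or its Value is not 'Never'."
}

# 2. Each <Package> in the sample also carries REBOOT=ReallySuppress.
foreach ($pkg in $cfg.SelectNodes("/Configuration/Package")) {
    $r = $pkg.SelectSingleNode("Setting[@Id='REBOOT']")
    if ($r -eq $null -or $r.GetAttribute("Value") -ne "ReallySuppress") {
        $problems += ("Package '{0}' lacks REBOOT=ReallySuppress." -f $pkg.GetAttribute("Id"))
    }
}

# 3. The product key placeholder from the sample must have been replaced;
#    with Display Level="none" there is nobody to answer a key prompt.
$key = $cfg.SelectSingleNode("/Configuration/PIDKEY")
if ($key -eq $null -or [string]::IsNullOrEmpty($key.GetAttribute("Value")) -or
    $key.GetAttribute("Value") -eq "Enter PID Key Here") {
    $problems += "PIDKEY is absent or still holds the sample placeholder."
}

# 4. With no display, the log is the only record of what Setup did.
$log = $cfg.SelectSingleNode("/Configuration/Logging")
if ($log -eq $null -or $log.GetAttribute("Type") -ne "verbose") {
    $problems += "Logging is absent or not 'verbose'; a failed silent install leaves little to inspect."
}

if ($problems.Count -eq 0) {
    Write-Output "Config.xml pre-flight passed: $ConfigPath"
    exit 0
}
$problems | ForEach-Object { Write-Output ("FAIL: " + $_) }
exit 1
```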
the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Bin.
2. Type the following command, and then press ENTER:
psconfig -cmd
The Psconfig command-line tool describes the configuration steps as they occur, and notes the
successful completion of configuration. For a stand-alone-server installation, this is the final step
in a command-line installation.
Note:
Ensure that you follow the procedure in the order that it is written to avoid configuration
problems.
Configure SharePoint Server 2007 on a farm by using the Psconfig command-line tool
1. Log on by using the Setup user account that you previously created and configured.
2. On the drive on which SharePoint Products and Technologies is installed, change to
the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Bin.
3. Create the configuration database:
psconfig -cmd configdb -create -server <database server name> -database <database name>
-dbuser <domain\user name> -dbpassword <password>
-user <domain\user name> -password <password>
-addomain <domain name> -adorgunit <org unit>
-admincontentdatabase <Central Administration Web application content database name>
Note:
The dbuser and dbpassword parameters are only used in deployments that use
SQL Server authentication. If you are using Windows authentication, these
parameters are not required.
4. Install all Help collections:
psconfig -cmd helpcollections -installall
5. Perform resource security enforcement:
psconfig -cmd secureresources
6. Register services in the server farm:
psconfig -cmd services -install
Note:
After installing services, you must start and configure two services, Windows
SharePoint Services Search and Office SharePoint Server Search, by using the
Stsadm command-line tool:
a. stsadm -o spsearch -action start -farmserviceaccount <domain\user name>
-farmservicepassword <password> [-databasename <content database name>]
[-databaseserver <server instance>] [-searchserver <search server name>]
For more information, see Spsearch: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc288507.aspx).
Note:
Use the domain and user account information for the server farm account
that you previously created and configured.
b. stsadm -o osearch -action start -role IndexQuery -farmserviceaccount
<domain\user name> -farmservicepassword <password>
-farmcontactemail <user@domain.com>
For more information, see Osearch: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc262920.aspx).
Note:
Use the domain and user account information for the server farm account
that you created and configured previously.
c. Provision the services of the farm:
psconfig -cmd services -provision
7. Register all features:
psconfig -cmd installfeatures
8. Provision the SharePoint Central Administration Web application:
psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm
9. Install shared application data:
psconfig -cmd applicationcontent -install
Note:
If any of these commands fail, look in the post-Setup configuration log files. The log files
are available at %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Logs. They can be identified by a file name starting with “PSC” and the .log
file name extension.
To connect to an existing configuration database and join the server to an existing server farm,
you must run the configdb command together with the -connect parameter instead of the
-create parameter.
psconfig -cmd configdb -connect -server <server name> -database <database name>
Note:
Omit the -admincontentdatabase command because you have already included this
command when you created the configuration database.
Use the psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm
command if you want to provision the SharePoint Central Administration Web application on
additional servers, which reduces the risk if the server that is running the SharePoint Central
Administration Web application fails.
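As an added example (not from this book), the following PowerShell script runs the farm Psconfig sequence from the procedure above (and the identical procedure in the earlier command-line installation section), checks each step's exit code, and on failure names the newest PSC*.log in the Logs directory. The database names, port, account name, contact address and the -JoinExistingFarm behaviour (configdb -connect instead of -create, search services started only when the farm is created, Central Administration provisioned on a joined server only on request) are assumptions.

```powershell
# Added example, not from the Microsoft book. Every value below is a placeholder.
param(
    [Parameter(Mandatory=$true)][string]$DbServer,       # assumed, e.g. SQL01\SharePoint
    [Parameter(Mandatory=$true)][string]$FarmAccount,    # assumed, e.g. CONTOSO\spfarm
    [string]$ConfigDb = "SharePoint_Config",              # assumed database name
    [string]$AdminContentDb = "SharePoint_AdminContent",  # assumed database name
    [int]$CentralAdminPort = 9999,                        # assumed port
    [string]$ContactEmail = "spadmin@example.com",        # placeholder address
    [switch]$JoinExistingFarm,       # configdb -connect instead of -create
    [switch]$ProvisionCentralAdmin   # also host Central Administration on a joined server
)

$bin      = Join-Path $env:CommonProgramFiles "Microsoft shared\Web server extensions\12\Bin"
$logs     = Join-Path $env:CommonProgramFiles "Microsoft shared\Web server extensions\12\Logs"
$psconfig = Join-Path $bin "psconfig.exe"
$stsadm   = Join-Path $bin "stsadm.exe"

# Prompt for the farm account password rather than storing it in the script file.
$farmPassword = Read-Host -Prompt "Password for $FarmAccount"

function Invoke-Step {
    param([string]$Name, [string]$Exe, [string[]]$ArgList)
    Write-Output "==> $Name"
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) {
        # The post-setup configuration logs are the place to look when a step fails.
        $latest = Get-ChildItem -Path $logs -Filter "PSC*.log" |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
        Write-Output "FAILED: $Name (exit code $LASTEXITCODE). Newest log: $($latest.FullName)"
        exit $LASTEXITCODE
    }
}

if ($JoinExistingFarm) {
    # Joining: -connect, and no -admincontentdatabase (it was set when the farm was created).
    Invoke-Step "configdb -connect" $psconfig @(
        "-cmd", "configdb", "-connect", "-server", $DbServer, "-database", $ConfigDb)
} else {
    # Windows authentication to SQL Server is assumed, so -dbuser/-dbpassword are omitted;
    # -addomain/-adorgunit are not used in this example.
    Invoke-Step "configdb -create" $psconfig @(
        "-cmd", "configdb", "-create", "-server", $DbServer, "-database", $ConfigDb,
        "-user", $FarmAccount, "-password", $farmPassword,
        "-admincontentdatabase", $AdminContentDb)
}

Invoke-Step "helpcollections"   $psconfig @("-cmd", "helpcollections", "-installall")
Invoke-Step "secureresources"   $psconfig @("-cmd", "secureresources")
Invoke-Step "services -install" $psconfig @("-cmd", "services", "-install")

if (-not $JoinExistingFarm) {
    # Start the two search services with Stsadm before the farm services are provisioned
    # (done here only on the server that creates the farm; an assumption of this script).
    Invoke-Step "spsearch start" $stsadm @("-o", "spsearch", "-action", "start",
        "-farmserviceaccount", $FarmAccount, "-farmservicepassword", $farmPassword)
    Invoke-Step "osearch start" $stsadm @("-o", "osearch", "-action", "start", "-role", "IndexQuery",
        "-farmserviceaccount", $FarmAccount, "-farmservicepassword", $farmPassword,
        "-farmcontactemail", $ContactEmail)
}

Invoke-Step "services -provision" $psconfig @("-cmd", "services", "-provision")
Invoke-Step "installfeatures"     $psconfig @("-cmd", "installfeatures")

if (-not $JoinExistingFarm -or $ProvisionCentralAdmin) {
    Invoke-Step "adminvs -provision" $psconfig @("-cmd", "adminvs", "-provision",
        "-port", "$CentralAdminPort", "-windowsauthprovider", "onlyusentlm")
}

Invoke-Step "applicationcontent" $psconfig @("-cmd", "applicationcontent", "-install")
Write-Output "Farm configuration finished on $env:COMPUTERNAME."
```

Run it while logged on as the Setup user account, from the server that creates the farm first and then with -JoinExistingFarm on each additional server.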
To successfully complete command-line installation on a server farm, you must use the Stsadm
command-line tool to create an SSP, and then a site collection for the farm. However, before you
create a Shared Services Provider and a site collection, we recommend that you first perform
some additional configuration tasks.
Important:
To run the Stsadm command-line tool, you must be a member of the Administrators group
on the local computer.
The recommended procedure for creating an SSP is to create a Web application for the My Sites
host location, and a separate Web application for the Shared Services Administration Web site.
The extendvs operation creates the Web application. The donotcreatesite parameter creates
the Web application without creating a site collection on the Web application.
After creating the Web applications for the My Sites host location and for the Shared Services
Administration Web site, you create the SSP.
extensions\12\Bin.
2. Type the following command, and then press ENTER:
stsadm -o createssp
-title <SSP name>
-url <Web application URL>
-mysiteurl <My Sites Web application URL>
-ssplogin <user name>
-ssppassword <password>
-sspdatabaseserver <SSP database server>
-sspdatabasename <SSP database name>
-indexserver <index server name>
-indexlocation <index file path>
[-ssppassword <SSP password>]
[-sspdatabaseserver <SSP database server name>]
[-sspdatabasename <SSP database name>]
[-sspsqlauthlogin <SQL user name>]
[-sspsqlauthpassword <SQL password>]
[-searchdatabaseserver <search database server name>]
[-searchdatabasename <search database name>]
[-searchsqlauthlogin <SQL user name>]
[-searchsqlauthpassword <SQL password>]
[-ssl {Yes | No}]
Example
The following command creates a Web application with the URL http://intranet:8080 that can be
used to host the SSP Administration site.
stsadm -o extendvs -url http://intranet:8080 -ownerlogin <domain\user name> -owneremail
<user@domain.com> -exclusivelyusentlm -databaseserver <database server name>
-databasename <SSP content database name> -donotcreatesite -apidname <SSP application
pool> -apidtype configurableID -apidlogin <domain\user name> -apidpwd <password>
Similarly, you can create another Web application as the My Sites host location by using the
following command:
stsadm -o extendvs -url http://intranet:8090 -ownerlogin <domain\user name> -owneremail
<user@domain.com> -exclusivelyusentlm -databaseserver <SQL Server> -databasename
<site content database name> -donotcreatesite -apidname <site application pool> -apidtype
configurableID -apidlogin <domain\user name> -apidpwd <password>
Then you create the SSP, named MySSP1, with the SSP database MySSP1_db:
stsadm -o createssp -title MySSP1 -url http://intranet -mysiteurl http://intranet:8090
-ssplogin <domain\user name> -ssppassword <password> -sspdatabaseserver <database
server name> -sspdatabasename MySSP1_db -indexserver <index server name>
-indexlocation "D:\Program Files\Microsoft Office Servers\12.0\Data\Office
Server\Applications" -searchdatabaseserver <search database server name>
-searchdatabasename <search database name>
For more information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc263040.aspx) and Createssp: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262773.aspx).
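The three Stsadm commands above run in sequence from PowerShell, as an added example that is not code from the guide or from the Stsadm tool. Host names, account names, database names and application pool names are assumptions; the passwords are read without echo instead of being typed into a script or shell history, and a failed extendvs stops the sequence so createssp is never pointed at a Web application that was not created.

```powershell
# Added example (not from the Microsoft guide): create the two Web applications
# and the SSP in the order the guide gives, prompting for the passwords instead
# of writing them into a script or a shell history. Host names, account names,
# database names and the application pool names are assumptions.

$stsadm = Join-Path $env:COMMONPROGRAMFILES 'Microsoft shared\Web server extensions\12\Bin\stsadm.exe'
$dbServer    = 'SQLSERVER01'          # assumed farm database server
$indexServer = 'INDEX01'              # assumed index server
$appPoolUser = 'CONTOSO\svc-sp-app'   # assumed application pool identity
$sspUser     = 'CONTOSO\svc-sp-ssp'   # assumed SSP service account
$ownerLogin  = 'CONTOSO\sp-admin'     # assumed site collection owner
$ownerEmail  = 'sp-admin@contoso.example'

# Read a password without echo; it becomes plain text only for the stsadm argument list.
function Read-PlainPassword {
    param([string]$Prompt)
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try { return [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Runs stsadm and stops the whole sequence on the first non-zero exit code, so a
# failed extendvs is not followed by a createssp that points at a missing Web application.
function Invoke-Stsadm {
    param([string[]]$Arguments)
    & $stsadm @Arguments
    if ($LASTEXITCODE -ne 0) { throw "stsadm $($Arguments[1]) failed with exit code $LASTEXITCODE" }
}

$appPoolPwd = Read-PlainPassword "Password for $appPoolUser"
$sspPwd     = Read-PlainPassword "Password for $sspUser"

# Web application for the Shared Services Administration site (no site collection yet).
Invoke-Stsadm @('-o','extendvs','-url','http://intranet:8080',
    '-ownerlogin',$ownerLogin,'-owneremail',$ownerEmail,'-exclusivelyusentlm',
    '-databaseserver',$dbServer,'-databasename','SSP1_Content','-donotcreatesite',
    '-apidname','SSP1 AppPool','-apidtype','configurableID','-apidlogin',$appPoolUser,'-apidpwd',$appPoolPwd)

# Separate Web application for the My Sites host location.
Invoke-Stsadm @('-o','extendvs','-url','http://intranet:8090',
    '-ownerlogin',$ownerLogin,'-owneremail',$ownerEmail,'-exclusivelyusentlm',
    '-databaseserver',$dbServer,'-databasename','MySites_Content','-donotcreatesite',
    '-apidname','MySites AppPool','-apidtype','configurableID','-apidlogin',$appPoolUser,'-apidpwd',$appPoolPwd)

# The SSP itself, pointing at both Web applications.
Invoke-Stsadm @('-o','createssp','-title','MySSP1','-url','http://intranet:8080',
    '-mysiteurl','http://intranet:8090','-ssplogin',$sspUser,'-ssppassword',$sspPwd,
    '-sspdatabaseserver',$dbServer,'-sspdatabasename','MySSP1_db',
    '-indexserver',$indexServer,
    '-indexlocation','D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications')
```

Stsadm accepts the passwords only as command-line arguments, so run this from an interactive session as a member of the local Administrators group rather than saving the values anywhere.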
Important:
To run the Stsadm command-line tool, you must be a member of the Administrators group
on the local computer.
[-apidtype {configurableID | NetworkService} ]
[-apidlogin<domain\user name>]
[-apidpwd <application pool password>]
[-allowanonymous]
For more information about how to create a site collection, see Createsite: Stsadm
operation (http://technet.microsoft.com/en-us/library/cc262594.aspx).
Example
The following example creates a site collection at http://intranet that uses the corporate intranet
site template.
stsadm -o extendvs -url http://intranet -ownerlogin <domain\user name> -owneremail
<user@domain.com> -exclusivelyusentlm -sitetemplate SPSPORTAL -apidname
"SharePoint AppPool" -apidtype configurableID -apidlogin <domain\user name> -apidpwd
<password>
This command can also be used to add other site collections and sites.
If you do not specify the site template to use, the site collection administrator can choose the site
template when he or she first browses to the site.
The extendvs operation also enables you to specify the language of the site collection by using
the Locale ID (LCID) parameter. If you do not specify an LCID, the language of the server is used
for the top-level site collection. For more information about the available LCID values, see List of
Locale ID (LCID) Values as Assigned by Microsoft (http://go.microsoft.com/fwlink/?
LinkId=63028&clcid=0x409).
For more information about the Stsadm command-line tool, see Stsadm command-line tool
(http://technet.microsoft.com/en-us/library/cc261956.aspx).
After creating sites, you might want to configure alternate access mappings. Alternate access
mappings direct users to the correct URLs during their interaction with Office SharePoint Server
2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for
example). Alternate access mappings enable Office SharePoint Server 2007 to map Web
requests to the correct Web applications and sites, and they enable Office SharePoint Server
2007 to serve the correct content back to the user. For more information, see Plan alternate
access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).
You can use the Diagnostic Logging page in Central Administration to configure the maximum
number of trace log files to maintain, and how long (in minutes) to capture events to each log file.
By default, 96 log files are kept, each one containing 30 minutes of events.
96 log files * 30 minutes of events per file = 2880 minutes or two days of events.
You can also specify where the log files are written or accept the default path.
Trace log files can help you troubleshoot issues related to configuration changes of the Windows
SharePoint Services Search service. Because problems related to configuration changes are not
always immediately discovered, we recommend that you save all trace log files that the system
creates on any day that you make any configuration changes. Store these log files for an
extended period of time in a safe location that will not be overwritten. We recommend that you
store log files on a hard disk drive partition that is used to store log files only.
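The recommendation above, saving a configuration-change day's trace logs to a dedicated location before the 96-file rotation discards them, as an added PowerShell example that is not code from the guide. The archive path and the day are assumptions; the log directory is the default one the guide names.

```powershell
# Added example (not from the Microsoft guide): archive the trace log files that
# Office SharePoint Server 2007 wrote on a configuration-change day to a
# dedicated location, so they outlive the default 96-file rotation (2 days).
# The archive path and the date are assumptions for illustration.

param(
    [string]$LogDir     = (Join-Path $env:COMMONPROGRAMFILES 'Microsoft shared\Web server extensions\12\Logs'),
    [string]$ArchiveDir = 'L:\SharePointTraceArchive',   # assumed partition used for log files only
    [datetime]$Day      = (Get-Date).Date                # the day on which configuration changes were made
)

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { return ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close() }
}

function Copy-TraceLogsForDay {
    param([string]$LogDir, [string]$ArchiveDir, [datetime]$Day)
    $dest = Join-Path $ArchiveDir $Day.ToString('yyyy-MM-dd')
    if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }

    # Trace logs (*.log) written that day; this also picks up the PSC*.log files that
    # psconfig writes. The log file still being written at run time is only as complete
    # as it is at that moment, so run this after the day has ended where possible.
    $files = Get-ChildItem -Path $LogDir -Filter '*.log' |
        Where-Object { $_.LastWriteTime.Date -eq $Day.Date }

    $manifest = foreach ($f in $files) {
        $target = Join-Path $dest $f.Name
        Copy-Item -Path $f.FullName -Destination $target
        # Verify the copy by hash, not just by size, before trusting the archive.
        $srcHash = Get-Sha256Hex $f.FullName
        $dstHash = Get-Sha256Hex $target
        if ($srcHash -ne $dstHash) { throw "Hash mismatch after copying $($f.Name)" }
        "{0}  {1}  {2}" -f $dstHash, $f.Length, $f.Name
    }
    # A manifest beside the files lets a later reader detect truncation or modification.
    $manifest | Set-Content -Path (Join-Path $dest 'SHA256SUMS.txt')
    return @($files).Count
}

$count = Copy-TraceLogsForDay -LogDir $LogDir -ArchiveDir $ArchiveDir -Day $Day
Write-Host ("Archived {0} trace log file(s) from {1} to {2}" -f $count, $Day.ToShortDateString(), $ArchiveDir)
```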
See Also
Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx)
Plan for administrative and service accounts (http://technet.microsoft.com/en-
us/library/cc263445.aspx)
Office SharePoint Server Security Account Requirements (http://go.microsoft.com/fwlink/?
LinkId=110493&clcid=0x409)
Migrate a stand-alone installation to a server
farm installation
In this section:
• Install Office SharePoint Server 2007 on a new farm
• Migrate data from the single-server installation
• Create and attach data from the Shared Services Provider (SSP)
• Attach site collection data from content databases
Installing Microsoft Office SharePoint Server 2007 as a stand-alone installation on a single server
computer simplifies deployment. A stand-alone installation of Microsoft Office SharePoint Server
2007 is a good choice for:
• A low-capacity deployment with a small number of Web sites
• A small number of concurrent users
• The initial evaluation of Office SharePoint Server 2007 before you begin testing and
implementing a more complex deployment.
Many deployments have greater performance and capacity requirements that can only be
achieved with a farm deployment. You can migrate a stand-alone installation of Office SharePoint
Server 2007 to a server farm installation to meet expanded performance, capacity, or scalability
requirements. Migration enables you to meet these requirements while also retaining the data,
content, and sites from your single-server installation. A direct upgrade from a stand-alone server
to a farm is not available.
It is usually easier to expand an existing farm deployment by adding servers to meet
performance, capacity, or scalability requirements than it is to migrate a stand-alone deployment
to a farm deployment. If you know that your organization is going to require a server farm
eventually, it is a better idea to start with a simple farm deployment.
For more information about installing Office SharePoint Server 2007 on a simple server farm, see
Deploy in a simple server farm. For more information about installing Office SharePoint Server
2007 on a stand-alone server, see Install Office SharePoint Server 2007 on a stand-alone
computer.
You have two options for a migration from a stand-alone installation to a farm installation of Office
SharePoint Server 2007:
• SQL Backup and Restore, followed by using the Stsadm command-line tool to attach the
databases
• Central Administration Backup and Restore
This section describes the first option. For more information about using Central Administration to
migrate from a stand-alone installation to a farm installation, see Migrate to another farm by using
the Central Administration Web site (http://technet.microsoft.com/en-us/library/cc262281.aspx).
To migrate from a stand-alone server to a server farm, you perform the following steps:
1. Install Office SharePoint Server 2007 on a new farm.
2. Migrate data from the stand-alone server to the Microsoft SQL Server 2005 database
server that is part of the new server farm by using SQL Backup and Restore.
3. Create and attach data from the Shared Services Provider (SSP) by using the Stsadm
command-line tool.
4. Attach the restored databases to the new server farm by using the Stsadm command-line
tool.
Note:
You can also use the Microsoft .NET Framework version 3.5. You can download the
.NET Framework version 3.5 from the Microsoft Download Center
(http://go.microsoft.com/fwlink/?LinkId=110508).
• You must enable ASP.NET 2.0 in the Internet Information Services (IIS) Manager on all
Office SharePoint Server 2007 servers.
• You must have Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most
recent service pack running on at least one database server before you install Office
SharePoint Server 2007 on your Web servers.
You must also create and configure the following accounts:
• SQL Server service account
• Setup user account
• Server farm account
It is possible to use the same account for each of these account roles, unless you are using least
privilege administration. For more information about these required accounts and other account
requirements for Office SharePoint Server 2007, see Plan for administrative and service accounts
(http://technet.microsoft.com/en-us/library/cc263445.aspx).
For more information about preparing servers for installation, see the following articles:
• Chapter overview: Install Office SharePoint Server 2007 in a server farm environment
• Prepare the database servers
• Prepare the Web and application servers
• Deploy in a simple server farm
Migrate data from the stand-alone server
A single-server installation of Office SharePoint Server 2007 includes Microsoft SQL Server 2005
Express Edition. A server farm installation uses a separate Microsoft SQL Server 2005 database
server. To successfully migrate from a stand-alone server to a farm, you must migrate databases
from the stand-alone server to the database server in the farm by using SQL Server Management
Studio Express and Microsoft SQL Server Management Studio.
SQL Server Management Studio Express is installed on the stand-alone server by running Setup
for SQL Server Express with Advanced Services or SQL Server Express Toolkit. It is used to
enable a connection from the database server that is running SQL Server Management Studio.
SQL Server Management Studio is used to back up databases from the stand-alone server and
restore the databases to the database server in the farm.
For more information about managing SQL Server Express, see Managing SQL Server Express
with SQL Server 2005 Management Studio Express Edition (http://go.microsoft.com/fwlink/?
LinkId=110559&clcid=0x409).
To download SQL Server Management Studio Express, visit the Visual Studio Download Center
(http://go.microsoft.com/fwlink/?LinkId=110560&clcid=0x409).
Migrate data from the stand-alone server to the database server on the farm
1. Set the databases on the stand-alone server to be read-only:
a. In SQL Server Management Studio Express, right-click the name of the database
that you want to set to read-only, and then click Properties.
b. In the Select a page section, click Options.
c. In the Other options section of the right pane, expand State, click the drop-
down arrow for the values of Database Read-Only, and then click True.
2. Connect to the stand-alone server by using SQL Server Management Studio and
back up the following databases:
• Shared Services DB
• Shared Services Search DB
• Shared Services Content DB
• WSS Content DB
• All additional content databases associated with Web applications on the stand-
alone server:
Database Engine, in Object Explorer, expand the server tree by clicking
the plus sign next to the server name.
Note:
The SQL Server Express instance name that is used to connect
to the databases on the stand-alone server is set to
OfficeServers by default.
g. Expand Databases, right-click the database that you want to back
up, point to Tasks, and then click Back Up. The Back Up Database
dialog box appears.
h. In the Source section, in the Database box, verify the database
name.
i. In the Backup type box, click the drop-down arrow for the values,
and then click Full.
j. Under Backup component, select Database.
k. In the Backup set section, in the Name box, either accept the
default value or type a different name.
l. In the Destination section, specify the type of backup destination by
selecting Disk or Tape, and then specify a destination. To create a
different destination, click Add.
m. Click OK to start the backup process.
3. Restore databases to the database server on the farm by using Microsoft SQL Server
Management Studio:
a. After connecting to the appropriate instance of the SQL Server 2005 Express, in
Object Explorer, expand the server tree by clicking the plus sign next to the server
name.
b. Right-click Databases, and then click New Database.
c. In the Database name box, type the name of the database you want to restore.
d. In the Owner box, specify an owner if desired.
e. In the Database files section, in the Logical Name box for the Data file type,
verify that the logical name is the one you want to use.
f. In the Initial Size (MB) box, adjust the size to approximately the size of the
database you want to restore.
g. In the Logical Name box for the Log file type, verify that the logical name is the
one you want to use.
h. In the Initial Size (MB) box, adjust the size to approximately three or four times
the size of the log file for the database you want to restore.
Make the log file large to accommodate entries during the upgrade process. You can
always shrink the transaction log after you have completed the upgrade.
i. In the Autogrowth column for the log file, set the value to By 10 percent,
unrestricted growth.
You can change this setting after you perform the upgrade, but again, you do not
want to have the log file run out of space during the upgrade process.
j. Click OK to create the database.
For more information about migrating databases including different backup and restore options
for different versions of SQL Server, see Migrate databases (http://technet.microsoft.com/en-
us/library/cc263299.aspx).
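The backup and restore procedure above as a script, an added example that is not code from the guide: it sets each stand-alone database read-only, takes a full backup, restores it on the farm's database server and applies the log-file settings from step 3. It uses System.Data.SqlClient with Windows authentication, so no SQL password appears on the command line; instance names, database names, the share and the data directory are assumptions, and the account running it is assumed to be a sysadmin on both instances.

```powershell
# Added example (not from the Microsoft guide): the guide's SQL Backup and Restore
# migration as a script. Instance names, database names and paths are assumptions;
# the account running it is assumed to be a sysadmin on both instances.

param(
    [string]$SourceInstance = 'STANDALONE01\OfficeServers',   # OfficeServers is the default instance name on the stand-alone server
    [string]$TargetInstance = 'SQLSERVER01',                  # assumed farm database server
    [string[]]$Databases    = @('SharedServices1_DB', 'SharedServices1_Search_DB', 'WSS_Content'),
    [string]$BackupDir      = '\\SQLSERVER01\Backups',        # assumed share reachable by both SQL Server service accounts
    [string]$TargetDataDir  = 'D:\SQLData'                    # assumed data directory on the farm database server
)

# Runs one T-SQL batch and returns any result set as a DataTable.
function Invoke-Sql {
    param([string]$Instance, [string]$Sql)
    $conn = New-Object -TypeName System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=$Instance;Initial Catalog=master;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $cmd.CommandTimeout = 0          # a full backup of a large content database can take a while
        $table = New-Object System.Data.DataTable
        $adapter = New-Object -TypeName System.Data.SqlClient.SqlDataAdapter -ArgumentList $cmd
        $adapter.Fill($table) | Out-Null
        return ,$table
    } finally {
        $conn.Close()
    }
}

function Backup-StandAloneDatabase {
    param([string]$Db)
    $file = Join-Path $BackupDir "$Db.bak"
    # Step 1: freeze the source so nothing written after the backup is silently lost.
    Invoke-Sql $SourceInstance "ALTER DATABASE [$Db] SET READ_ONLY WITH ROLLBACK IMMEDIATE" | Out-Null
    # Step 2: full backup. INIT overwrites an older file; CHECKSUM lets the restore detect media corruption.
    Invoke-Sql $SourceInstance ("BACKUP DATABASE [$Db] TO DISK = N'$file' " +
        "WITH INIT, CHECKSUM, NAME = N'$Db stand-alone migration'") | Out-Null
    # Fail early here rather than discover an unreadable backup during the restore.
    Invoke-Sql $TargetInstance "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM" | Out-Null
    return $file
}

function Restore-FarmDatabase {
    param([string]$Db, [string]$File)
    # Logical file names and sizes come from the backup itself; hard-coding them is the usual cause of a failed MOVE.
    $list = Invoke-Sql $TargetInstance "RESTORE FILELISTONLY FROM DISK = N'$File'"
    $moves = foreach ($row in $list.Rows) {
        $ext = if ($row.Type -eq 'L') { 'ldf' } else { 'mdf' }
        "MOVE N'$($row.LogicalName)' TO N'$TargetDataDir\${Db}_$($row.LogicalName).$ext'"
    }
    Invoke-Sql $TargetInstance ("RESTORE DATABASE [$Db] FROM DISK = N'$File' " +
        "WITH CHECKSUM, " + ($moves -join ', ')) | Out-Null

    # Step 3 h and i: size the log at three times its source size for the upgrade, and let it
    # grow by 10 percent with no upper bound so the upgrade cannot run it out of space.
    $log = @($list.Rows | Where-Object { $_.Type -eq 'L' })[0]
    $logMb = [math]::Ceiling(3 * [double]$log.Size / 1MB)
    Invoke-Sql $TargetInstance ("ALTER DATABASE [$Db] MODIFY FILE (NAME = N'$($log.LogicalName)', " +
        "SIZE = ${logMb}MB, FILEGROWTH = 10%, MAXSIZE = UNLIMITED)") | Out-Null
    # The READ_ONLY option set in step 1 travels with the backup; the farm needs the copy writable.
    Invoke-Sql $TargetInstance "ALTER DATABASE [$Db] SET READ_WRITE" | Out-Null
}

foreach ($db in $Databases) {
    $bak = Backup-StandAloneDatabase -Db $db
    Restore-FarmDatabase -Db $db -File $bak
    Write-Host "Migrated $db to $TargetInstance"
}
```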
For additional information, see Osearch: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262920.aspx).
Example
stsadm -o extendvs -url http://intranet:8080 -ownerlogin domain\username -owneremail
user@domain.com -exclusivelyusentlm -databaseserver SQLServer -databasename
SSPContentDB -apcreatenew -apidname SSPAppPool -apidtype configurableid -apidlogin
domain\username -apidpwd MyPassword
This command creates a Web application with the URL http://intranet:8080 that can be used to
host the SSP.
Note:
The databasename parameter is the Shared Services content database that was
restored from the stand-alone server.
The stand-alone installation uses the default Web application for the My Site host location. When
you migrate to a farm, we recommend that the My Site host location use a separate Web
application.
Example
stsadm -o extendvs -url http://intranet:8090 -ownerlogin domain\username -owneremail
user@domain.com -exclusivelyusentlm -databaseserver SQLServer -databasename
MySiteContentDB -apcreatenew -apidname MySiteAppPool -apidtype configurableid
-apidlogin domain\username -apidpwd MyPassword
After creating both Web applications, you restore the SSP by using the restoressp command.
The sspdatabasename and searchdatabasename parameters name the databases that were
restored to the farm from the stand-alone server:
stsadm -o restoressp
-title <SSP name>
-url <Web application url>
-mysiteurl <MySite Web application url>
-ssplogin <username>
-ssppassword <password>
-sspdatabaseserver <SSP database server>
-sspdatabasename <SSP database name>
-searchdatabaseserver <Search database server>
-searchdatabasename <Search database name>
-indexserver <index server>
-indexlocation <index file path>
Example
stsadm -o restoressp -title Migrated_SSP1 -url http://intranet:8080 -mysiteurl
http://intranet:8090 -ssplogin domain\username -ssppassword MyPassword
-sspdatabaseserver SQLServer -sspdatabasename MySSP1_db -searchdatabaseserver
SearchServer -searchdatabasename SharedServices1_Search
-indexserver MyServer -indexlocation "D:\Program Files\Microsoft Office
Servers\12.0\Data\Office Server\Applications"
For more information about the Stsadm command-line tool, see Stsadm command-line tool
(http://technet.microsoft.com/en-us/library/cc261956.aspx).
For additional information about how to perform this procedure using the Stsadm command-line
tool, see Restoressp (http://technet.microsoft.com/en-us/library/cc262163.aspx), Extendvs
(http://technet.microsoft.com/en-us/library/cc263040.aspx), and Createssp
(http://technet.microsoft.com/en-us/library/cc262773.aspx).
-ownerlogin <domain/username>
-owneremail <email>
-exclusivelyusentlm
-databaseserver <DBservername>
-databasename <NewcontentDBname>
-apcreatenew
-apidname <Apppoolname>
-apidtype configurableid
-apidlogin <domain/username>
-apidpwd <Password>
Example
stsadm -o extendvs -url http://intranet -ownerlogin domain\username -owneremail
user@domain.com -exclusivelyusentlm -databaseserver intranet -databasename WSSContent
-apcreatenew -apidname SharePoint_80_AppPool -apidtype configurableid -apidlogin
domain\username -apidpwd MyPassword
This command restores the top-level site collection http://intranet that also contains the My Site
content.
The databasename parameter is the restored database from the stand-alone installation that will
now be attached to the top-level site.
For additional information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc263040.aspx).
See Also
Chapter overview: Install Office SharePoint Server 2007 in a server farm environment
Deploy in a simple server farm
Install Office SharePoint Server 2007 on a stand-alone computer
Migrate to another farm by using the Central Administration Web site
(http://technet.microsoft.com/en-us/library/cc262281.aspx)
Install Office SharePoint Server 2007 by using the command line
Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx)
Perform a stand-alone installation of Office
SharePoint Server 2007 on Windows
Server 2008
In this section:
• Hardware and software requirements
• Perform installation steps
• Perform post-installation steps
• Configure the trace log
• Configure Windows Server Backup
As of the release of Microsoft Office SharePoint Server 2007 Service Pack 1 (SP1), you can
install Office SharePoint Server 2007 on a server running Windows Server 2008. As with the
Windows Server 2003 operating system, you must download and run Setup and the SharePoint
Products and Technologies Configuration Wizard. You cannot install Office SharePoint Server
2007 without service packs on Windows Server 2008.
Important:
This section discusses how to perform a clean installation of Office SharePoint Server
2007 with SP1 in a stand-alone environment on Windows Server 2008. It does not cover
upgrading the operating system from Windows Server 2003 to Windows Server 2008.
Note:
This section does not cover installing Office SharePoint Server 2007 in a server farm on
Windows Server 2008. For more information, see Deploy a simple farm on the Windows
Server 2008 operating system.
Note:
There is no direct upgrade from a stand-alone installation to a farm installation.
You can quickly publish a SharePoint site by deploying Office SharePoint Server 2007 on a single
server computer. A stand-alone configuration is useful if you want to evaluate Office SharePoint
Server 2007 features and capabilities, such as collaboration, document management, and
search. A stand-alone configuration is also useful if you are deploying a small number of Web
sites and you want to minimize administrative overhead. When you deploy Office SharePoint
Server 2007 on a single server using the default settings, the Setup program automatically
installs the Windows Internal Database and uses it to create the configuration database and an
initial content database for your SharePoint sites. In addition, Setup installs the SharePoint
Central Administration Web site and creates your first SharePoint site collection and site.
Important:
Office SharePoint Server 2007 requires the following components: the Web Server role,
Windows Internal Database, and the Microsoft .NET Framework. Office SharePoint
Server 2007 will cease to run if you uninstall these components.
Notes
• Server Manager is designed to guide server administrators through the process of
installing, configuring, and managing server roles and features that are part of Windows
Server 2008. For more information on using the Server Manager, see the Windows
Server 2008 Server Manager Technical Overview (http://go.microsoft.com/fwlink/?
LinkID=109936&clcid=0x409).
Install Microsoft .NET Framework version 3.0
1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In Server Manager, on the Action menu, click Add features.
3. In the Features list, select the .NET Framework 3.0 Features check box, and then
click Next.
4. Follow the wizard steps to install the .NET Framework version 3.0.
Note:
You can also use the Microsoft .NET Framework version 3.5. You can download the .NET
Framework version 3.5 from the Microsoft Download Center
(http://go.microsoft.com/fwlink/?LinkId=110508).
Note:
If you have not created an updated installation source, you must first install Office
SharePoint Server 2007 without any software updates and, without running the
SharePoint Products and Technologies Configuration Wizard at the end of the
installation, install Service Pack 1. After the installations are complete, you can run the
SharePoint Products and Technologies Configuration Wizard.
To install and configure Office SharePoint Server 2007, you must first install Office SharePoint
Server 2007 with SP1 and then run the SharePoint Products and Technologies Configuration
Wizard. When you install Office SharePoint Server 2007 on a single server, run the Setup
program using the Basic option. This option uses the Setup program's default parameters to
install Office SharePoint Server 2007 and Windows Internal Database.
Notes
• If you uninstall Office SharePoint Server 2007, and then later reinstall Office
SharePoint Server 2007 on the same computer, the Setup program could fail when
creating the configuration database, causing the entire installation process to fail. You
can prevent this failure by either deleting all the existing Office SharePoint Server 2007
databases on the computer or by creating a new configuration database. You can create
a new configuration database by running the following command from the directory
%COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin:
• psconfig -cmd configdb -create -database <unique database name>
Install Office SharePoint Server 2007 with SP1
1. From your slipstreamed installation source, run Setup.exe.
2. On the Enter your Product Key page, enter your product key, and then click
Continue.
Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup places a red circle next to the text box and displays a message
that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Basic to install to the default
location. To install to a different location, click Advanced, and then on the File Location
tab, specify the location you want to install to and finish the installation.
5. When Setup finishes, a dialog box prompts you to complete the configuration of your
server. Make sure that the Run the SharePoint Products and Technologies
Configuration Wizard now check box is selected.
6. Click Close to start the configuration wizard.
The SharePoint Products and Technologies Configuration Wizard starts, and you can go
directly to the procedure "To run the SharePoint Products and Technologies Configuration
Wizard."
Note:
Do not add any server roles in Windows Server 2008 Server Manager before the setup
for Office SharePoint Server 2007 is complete. If you add a server role, the setup process
will fail, and you will need to uninstall and reinstall Office SharePoint Server 2007.
Note:
If you are prompted for your user name and password, you might need to add the
SharePoint site to the list of trusted sites and configure user authentication
settings in Internet Explorer. Instructions for configuring these settings are
provided in the following procedure.
Note:
If you see a proxy server error message, you might need to configure your proxy
server settings so that local addresses bypass the proxy server. Instructions for
configuring proxy server settings are provided later in this section.
If you want to configure the installation from the command line, use the following procedure.
Run the SharePoint Products and Technologies Configuration Wizard from the
command line
• Type the following command, and then press ENTER:
psconfig.exe -cmd setup -cmd standaloneconfig -lcid 0 -cmd configdb -create
-server <servername>\OfficeServers -cmd helpcollections -installall -cmd
secureresources -cmd services -install -provision -cmd installfeatures -cmd
adminvs -provision -cmd evalprovision -provision -cmd applicationcontent -install
After you have configured the Office SharePoint Server 2007 installation, you should add the
SharePoint site to the list of trusted sites, using the following steps.
If you are using a proxy server in your organization, use the following steps to configure Internet
Explorer to bypass the proxy server for local addresses.
Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click
LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings
check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check
box.
5. In the Address box, type the address of the proxy server.
6. In the Port box, type the port number of the proxy server.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.
Note:
If you create additional Web applications to host SharePoint sites, you must also
configure Windows Firewall to allow communication on the ports for those Web
applications. For more information, see Deploy a simple farm on the Windows Server
2008 operating system.
• In the Number of minutes to use a log file box, type 30.
Tip:
To save 10,080 minutes (seven days) of events, you can use any combination of
number of log files and minutes to store in each log file.
3. Ensure that the path specified in the Path box has enough room to store the extra log
files or change the path to another location.
Tip:
We recommend that you store log files on a hard drive partition that is used to
store log files only.
4. Click OK.
Important:
You must be logged on as a member of the Administrators group on the local server
computer to edit the registry. Incorrectly editing the registry might severely damage your
system. Before making changes to the registry, you should back up any valued data on
the computer.
Value.
11. Type Application Identifier as the new value, and then press ENTER.
12. Right-click the Application Identifier value, and then click Modify.
13. In the Value Data box, type Windows SharePoint Services, and then click OK.
14. On the Edit menu, click New, and then click DWORD (32-bit) Value.
15. Type UseSameVssContext as the new value name, and then press ENTER.
16. Right-click the UseSameVssContext value, and then click Modify.
17. In the Value Data box, type 00000001, and then click OK.
II. Install Office SharePoint Server 2007 in a
server farm environment
Chapter overview: Install Office SharePoint
Server 2007 in a server farm environment
In this section:
• Suggested topologies
• Before you begin deployment
• Overview of the deployment process
Important:
This section discusses how to do a clean installation of Microsoft Office SharePoint
Server 2007 in a server farm environment. It does not cover upgrading from previous
releases of Office SharePoint Server 2007 or how to upgrade from Microsoft Office
SharePoint Portal Server 2003. For more information about upgrading from
SharePoint Portal Server 2003, see Upgrading to Office SharePoint Server 2007
(http://technet.microsoft.com/en-us/library/cc303420.aspx).
Note:
This section does not cover installing Office SharePoint Server 2007 on a single
computer as a stand-alone installation. For more information, see Install Office
SharePoint Server 2007 on a stand-alone computer.
You can deploy Office SharePoint Server 2007 in a server farm environment if you are hosting a
large number of sites, if you want the best possible performance, or if you want the scalability of a
multi-tier topology. A server farm consists of one or more servers dedicated to running the Office
SharePoint Server 2007 application.
Note:
There is no direct upgrade from a stand-alone installation to a farm installation.
Because a server farm deployment of Office SharePoint Server 2007 is more complex than a
stand-alone deployment, we recommend that you plan your deployment. Planning your
deployment can help you to gather the information you need and to make important decisions
before beginning to deploy. For information about planning, see Planning and architecture for
Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).
Suggested topologies
Server farm environments can encompass a wide range of topologies, and can include many
servers or as few as two servers.
A small server farm typically consists of a database server running either Microsoft SQL Server
2005 or Microsoft SQL Server 2000 with the most recent service pack, and one or more servers
running Internet Information Services (IIS) and Office SharePoint Server 2007. In this
configuration, the front-end servers are configured as Web servers and application servers. The
Web server role provides Web content to clients. The application server role provides Office
SharePoint Server 2007 services such as servicing search queries, and crawling and indexing
content.
A medium server farm typically consists of a database server, an application server running Office
SharePoint Server 2007, and one or two front-end Web servers running Office SharePoint Server
2007 and IIS. In this configuration, the application server provides indexing services and Excel
Calculation Services, and the front-end Web servers service search queries and provide Web
content.
A large server farm typically consists of two or more clustered database servers, several load-
balanced front-end Web servers running Office SharePoint Server 2007, and two or more
application servers running Office SharePoint Server 2007. In this configuration, each of the
application servers provides specific Office SharePoint Server 2007 services such as indexing or
Excel Calculation Services, and the front-end servers provide Web content.
Note:
All of the Web servers in your server farm must have the same SharePoint Products and
Technologies installed. For example, if all of the servers in your server farm are running
Office SharePoint Server 2007, you cannot add to your farm a server that is running only
Microsoft Office Project Server 2007. To run Office Project Server 2007 and Office
SharePoint Server 2007 in your server farm, you must install Office Project Server 2007
and Office SharePoint Server 2007 on each of your Web servers. To enhance the
security of your farm and reduce the surface area that is exposed to a potential attack,
you can turn off services on particular servers after you install SharePoint Products and
Technologies.
Important
• The account that you select for installing Office SharePoint Server 2007 needs to be
a member of the Administrators group on every server on which you install Office
SharePoint Server 2007. However, you can remove this account from the Administrators
group on the servers after installation.
• For information about assigning users to be SSP administrators, see "Shared Services Providers" in Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx).
• To deploy Office SharePoint Server 2007 in a server farm environment, you must provide
credentials for several different accounts. For information about these accounts, see “Plan for
administrative and service accounts” in the Planning and architecture for Office SharePoint
Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx) guide.
• You must install Office SharePoint Server 2007 on the same drive on all load-balanced
front-end Web servers.
• You must install Office SharePoint Server 2007 on a clean installation of the Microsoft
Windows Server 2003 operating system with the most recent service pack. If you uninstall a
previous version of Office SharePoint Server 2007, and then install Office SharePoint Server
2007, Setup might fail to create the configuration database and the installation will fail.
Note:
We recommend that you read the Known Issues/Readme documentation before you
install Office SharePoint Server 2007 on a domain controller. Installing Office
SharePoint Server 2007 on a domain controller requires additional configuration
steps that are not discussed in this section.
• You must install the same language packs on all servers in the farm. For more
information about installing language packs, see Deploy language packs.
• All the instances of Office SharePoint Server 2007 in the farm must be in the same
language. For example, you cannot have both an English version of Office SharePoint Server
2007 and a Japanese version of Office SharePoint Server 2007 in the same farm.
• You must use the Complete installation option on all computers you want to be index
servers, query servers, or servers that run Excel Calculation Services.
• If you place a query server beyond a firewall from its index server, you must open the
NetBIOS ports (TCP/User Datagram Protocol (UDP) ports 137, 138, and 139) on all firewalls
that separate these servers. If your environment does not use NetBIOS, you must use direct-
hosted server message block (SMB); this requires that you open the TCP/UDP 445 port.
• If you want to have more than one index server in a farm, you must use a different
Shared Services Provider (SSP) for each index server.
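As an added check for the firewall requirement above (example code, not from the Microsoft guide), this script runs on a query server and confirms that the TCP ports the guide names are reachable on the index server; the server name is a placeholder, and the UDP NetBIOS ports (137, 138) cannot be probed with a TCP connect and must be verified in the firewall rules themselves.

```powershell
# Added example, not part of the deployment guide. $IndexServer is a placeholder.
param([string]$IndexServer = 'INDEX01')   # placeholder index server name

# Attempt a TCP connection with a timeout so a silently dropped packet does not hang the script.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # WaitOne returns $false when the timeout elapses (typical of a firewall DROP rule)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws when the connection is actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Ports named in the guide: NetBIOS session service (139) and direct-hosted SMB (445).
$ports = @{ 139 = 'NetBIOS session service'; 445 = 'direct-hosted SMB' }
$failed = 0
foreach ($port in $ports.Keys) {
    if (Test-TcpPort -ComputerName $IndexServer -Port $port) {
        Write-Host ("OK: {0} reachable on {1} (TCP {2})" -f $ports[$port], $IndexServer, $port)
    } else {
        Write-Warning ("{0} NOT reachable on {1} (TCP {2}); check the firewalls between the query and index servers" -f $ports[$port], $IndexServer, $port)
        $failed++
    }
}
Write-Host "Ports unreachable: $failed"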
Phase 2: Create and configure a Shared Services Provider
Creating and configuring an SSP consists of the following steps:
• Creating a Web application to host the SSP.
• Creating the SSP.
• Configuring the Web application and the SSP.
• Configuring services on the servers.
For more information about creating and configuring SSPs, see III. Create and configure Shared
Services Providers.
Prepare the database servers
In this section:
• SQL Server and database collation
• Required accounts
• Preinstall databases (optional)
Before installing Microsoft Office SharePoint Server 2007, you must prepare the database server.
The database server must be running Microsoft SQL Server 2005 or Microsoft SQL Server 2000
with the most recent service pack.
The Office SharePoint Server 2007 Setup program automatically creates the necessary
databases when you install and configure Office SharePoint Server 2007. Optionally, you can
preinstall the required databases if your IT environment or policies require this.
For more information about prerequisites, see Determine hardware and software requirements
(http://technet.microsoft.com/en-us/library/cc262485.aspx).
If you are using SQL Server 2005, you must also change the surface area settings.
Required accounts
The following table describes the accounts that are used to configure Microsoft SQL Server and
to install Office SharePoint Server 2007. For more information about the required accounts,
including specific privileges required for these accounts, see Plan for administrative and service
accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).
Account: SQL Server service account
Purpose: SQL Server prompts for this account during SQL Server Setup. This account is used as the service account for the following SQL Server services:
• MSSQLSERVER
• SQLSERVERAGENT
If you are not using the default instance, these services are shown as:
• MSSQL$InstanceName
• SQLAgent$InstanceName

Account: Setup user account
Purpose: The user account that is used to run Setup on each server.
Prepare the Web and application servers
In this section:
• Install the Microsoft .NET Framework version 3.0
• Enable ASP.NET 2.0
Before you install and configure Microsoft Office SharePoint Server 2007, be sure that your
servers have the recommended hardware and software. To deploy a server farm, you need at
least one server acting as a Web server and an application server, and one server acting as a
database server.
For more information about these requirements, see Determine hardware and software
requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).
Install Office SharePoint Server 2007 and run
the SharePoint Products and Technologies
configuration wizard
In this section:
• Recommended order of configuration
• Run Setup on the first server
• Run the SharePoint Products and Technologies Configuration Wizard
• Add the SharePoint Central Administration Web site to the list of trusted sites
• Configure proxy server settings to bypass the proxy server for local addresses
• Add servers to the farm
• Run the SharePoint Products and Technologies Configuration Wizard on additional
servers
• Start the Windows SharePoint Services Search service
• Stop the Central Administration service on all index servers
• Disable the Windows SharePoint Services Web Application service on all servers not
serving content
After preparing your database and the servers in your farm, run Setup and then run the
SharePoint Products and Technologies Configuration Wizard on all your farm servers. Do this on
all farm servers before going on to create a Shared Services Provider (SSP).
Note:
We recommend that you run Setup on all the servers that will be in the farm before you
configure the farm.
You can add servers to the farm at this point, or after you have created and configured an SSP.
You can add servers after you have created and configured an SSP to add redundancy, such as
additional load-balanced Web servers or additional query servers. It is recommended that you run
Setup and the configuration wizard on all your application servers before you create and
configure the SSP.
farm will have an application server, install Office SharePoint Server 2007 on that server first;
this also installs the Central Administration Web site.
2. All your front-end Web servers.
3. The index server (if using a separate server for search queries and indexing).
4. The query servers, if separate from the index server.
Note:
To configure more than one query server in your farm, you cannot configure your
index server as a query server.
5. Other application servers (optional).
Because the SSP configuration requires an index server, you must start the Office SharePoint
Server Search service on the computer that you want to be the index server, and configure it as
an index server before you can create an SSP. Because of this, you must deploy and configure
an index server before other servers. You can choose any server to be the first server on which
you install Office SharePoint Server 2007. However, the Central Administration Web site is
automatically installed on the first server on which you install Office SharePoint Server 2007.
You can configure different features on different servers. The following table shows which
installation type should be used for each feature set.
Note:
If you choose the front-end Web installation option, you will not be able to run additional
services, such as search, on the server.
When you install Office SharePoint Server 2007 on the first server, you establish the farm. Any
servers that you add later are joined to this farm.
Setting up the first server involves two steps: installing the Office SharePoint Server 2007
components on the server, and configuring the farm. After Setup finishes, you can use the
SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint
Server 2007. The SharePoint Products and Technologies Configuration Wizard automates
several configuration tasks, including installing and configuring the configuration database,
installing Office SharePoint Server 2007 services, and creating the Central Administration Web
site.
Note:
Setup installs the Central Administration Web site on the first server on which you run
Setup. Therefore, we recommend that the first server on which you install Office
SharePoint Server 2007 be a server from which you want to run the Central
Administration Web site.
Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced. The Basic option is
for stand-alone installations.
5. On the Server Type tab, select Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the
configuration of your server. Be sure that the Run the SharePoint Products and
Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the next set of steps.
Important
This account is the server farm account and it is used to access your configuration database.
It also acts as the application pool identity for the SharePoint Central Administration
application pool, and it is the account under which the Windows® SharePoint Services Timer
service runs. The SharePoint Products and Technologies Configuration Wizard adds this
account to the SQL Server Logins, the SQL Server Database Creator server role, and the
SQL Server Security Administrators server role.
The user account that you specify for this service account must be a domain user account.
Because this account does not require a high level privilege, we recommend that you follow
the principle of least privilege, and specify a user account that is not a member of the
Administrators group on your Web servers or your back-end servers.
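The following added script (not from the Microsoft guide) verifies the two least-privilege points stated above for a farm or service account: that it is not a member of the local Administrators group on any farm server, and that on SQL Server it holds only the Database Creator (dbcreator) and Security Administrators (securityadmin) server roles rather than sysadmin. The account, instance and server names are placeholders.

```powershell
# Added example, not part of the deployment guide. All names below are placeholders.
param(
    [string]$ServiceAccount = 'CONTOSO\spfarm',            # placeholder farm account (DOMAIN\username)
    [string]$SqlInstance    = 'SQL01',                     # placeholder SQL Server instance
    [string[]]$Servers      = @('WFE01', 'WFE02', 'APP01') # placeholder farm servers
)

# 1. Local Administrators membership, read through the WinNT ADSI provider
#    (available on Windows Server 2003, so no newer cmdlets are needed).
function Get-LocalAdminMembers {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($group.Invoke('Members')) | ForEach-Object {
        # ADsPath looks like WinNT://CONTOSO/spfarm ; normalize it to DOMAIN\username
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$violations = 0
foreach ($server in $Servers) {
    $admins = Get-LocalAdminMembers -ComputerName $server
    if ($admins -contains $ServiceAccount) {
        Write-Warning "$ServiceAccount is a local Administrator on $server (violates least privilege)"
        $violations++
    } else {
        Write-Host "OK: $ServiceAccount is not a local Administrator on $server"
    }
}

# 2. SQL Server server-role membership. IS_SRVROLEMEMBER returns 1 (member), 0 (not a member)
#    or NULL when the login or role does not exist, so NULL is reported separately.
$query = @"
SELECT IS_SRVROLEMEMBER('dbcreator',     @acct) AS dbcreator,
       IS_SRVROLEMEMBER('securityadmin', @acct) AS securityadmin,
       IS_SRVROLEMEMBER('sysadmin',      @acct) AS sysadmin
"@
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Integrated Security=SSPI")
$cmd  = $conn.CreateCommand()
$cmd.CommandText = $query
[void]$cmd.Parameters.AddWithValue('@acct', $ServiceAccount)
$conn.Open()
$reader = $cmd.ExecuteReader()
$roles = @{}
if ($reader.Read()) {
    foreach ($role in 'dbcreator', 'securityadmin', 'sysadmin') {
        $value = $reader[$role]
        if ($value -is [DBNull]) { $roles[$role] = $null } else { $roles[$role] = [int]$value }
    }
}
$reader.Close()
$conn.Close()

if ($roles['dbcreator'] -eq $null) {
    Write-Warning "$ServiceAccount has no login on $SqlInstance (the configuration wizard has not run, or the name is wrong)"
    $violations++
} else {
    foreach ($role in 'dbcreator', 'securityadmin') {
        if ($roles[$role] -eq 1) { Write-Host "OK: $ServiceAccount is a member of $role" }
        else { Write-Warning "$ServiceAccount is missing the $role role expected after the wizard"; $violations++ }
    }
    if ($roles['sysadmin'] -eq 1) {
        Write-Warning "$ServiceAccount is sysadmin on $SqlInstance; the farm account does not need this"
        $violations++
    } else {
        Write-Host "OK: $ServiceAccount is not sysadmin"
    }
}
Write-Host "Least-privilege findings: $violations"
```

Run it under an account that can read local group membership on each server and has its own login on the SQL Server instance; it reads only and changes nothing.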
7. In the Password box, type the user's password, and then click Next.
8. On the Configure SharePoint Central Administration Web Application page, select the
Specify port number check box; type a port number if you want the SharePoint Central
Administration Web application to use a specific port, or leave the Specify port number
check box cleared if you do not care which port number the SharePoint Central
Administration Web application uses.
9. In the Configure SharePoint Central Administration Web Application dialog box,
do one of the following:
• If you want to use NTLM authentication (the default), click Next.
• If you want to use Kerberos authentication, click Negotiate (Kerberos), and then
click Next.
Note:
In most cases, use the default setting (NTLM). Use Negotiate (Kerberos)
only if Kerberos authentication is supported in your environment. Using the
Negotiate (Kerberos) option requires you to configure a Service Principal
Name (SPN) for the domain user account. To do this, you must be a member
of the Domain Admins group. For more information, see How to configure a
Windows SharePoint Services virtual server to use Kerberos authentication
and how to switch from Kerberos authentication back to NTLM authentication
(http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
10. On the Completing the SharePoint Products and Technologies Configuration Wizard
page, click Next.
11. On the Configuration Successful page, click Finish.
The SharePoint Central Administration Web site home page opens.
Notes
If you are prompted for your user name and password, you might need to add the SharePoint
Central Administration Web site to the list of trusted sites, and configure user authentication
settings in Internet Explorer. Instructions for configuring these settings are provided in the
next set of steps.
If a proxy server error message appears, you might need to configure your proxy server
settings so that local addresses bypass the proxy server. Instructions for configuring this
setting are provided later in this section.
Add the SharePoint Central Administration Web
site to the list of trusted sites
Add the SharePoint Central Administration Web site to the list of trusted sites
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security
settings box, click Trusted sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL for the SharePoint Central
Administration Web site, and then click Add.
5. Click Close to close the Trusted sites dialog box.
6. Click OK to close the Internet Options dialog box.
2005 running on at least one back-end database server before you install Office SharePoint
Server 2007 on your Web servers.
Important:
If you uninstall Office SharePoint Server 2007 from the first server on which you installed
it, your farm might experience problems. It is not recommended that you install Office
SharePoint Server 2007 on an index server first.
Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Web Front End.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the
configuration of your server. Be sure that the Run the SharePoint Products and
Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the following section.
Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the
configuration of your server. Be sure that the Run the SharePoint Products and
Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the next set of steps.
computer running SQL Server. (Be sure to type the user name in the format
DOMAIN\username.) This must be the same user account you used when you configured
the first server.
7. In the Password box, type the user's password, and then click Next.
8. On the Completing the SharePoint Products and Technologies Configuration Wizard
page, click Next.
9. On the Configuration Successful page, click Finish.
the Central Administration Web site, even if that server is also an index server. You do not need to
stop this service for installations where the farm has only one index server.
Before stopping the service on the index server, make sure that the service is running on another
server.
Deploy language packs
In this section:
• About language IDs and language packs
• Preparing your front-end Web servers for language packs
• Installing language packs on your front-end Web servers
Language packs enable site owners and site collection administrators to create SharePoint sites
and site collections in multiple languages without requiring separate installations of Microsoft
Office SharePoint Server 2007. You install language packs, which contain language-specific site
templates, on your front-end Web servers. When an administrator creates a site or a site
collection based on a language-specific site template, the text that appears on the site or the site
collection is displayed in the site template's language. Language packs are typically used in
multinational deployments where a single server farm supports people in different locations or in
situations where sites and Web pages must be duplicated in one or more languages. For more
information about language packs, see Plan for multilingual sites
(http://technet.microsoft.com/en-us/library/cc262055.aspx).
Note:
You cannot change an existing site, site collection, or Web page from one language to
another by applying different language-specific site templates; once you choose a
language-specific site template for a site or a site collection, the site or site collection will
always display content in the language of the original site template.
Word breakers and stemmers enable you to efficiently and effectively search across content on
SharePoint sites and site collections in multiple languages without requiring separate installations
of Office SharePoint Server 2007. Word breakers and stemmers are not installed with language
packs. Instead, they are automatically installed on your front-end Web servers by the Setup
wizard. For more information about word breakers and stemmers, see the "Plan word breakers
and stemmers" section in Plan to crawl content (http://technet.microsoft.com/en-us/library/cc262926.aspx).
You can install language packs for Microsoft Office Server products from the Microsoft Download
site, at 2007 Office System Language Packs
(http://www.microsoft.com/downloads/details.aspx?FamilyId=2447426B-8689-4768-BFF0-CBB511599A45&displaylang=en).
Important:
If you are uninstalling a Microsoft Office Server product, you must uninstall all language
packs before you uninstall the product.
The language they choose represents the language identifier (ID), and the language ID
determines the language that is used to display text and interpret text that is put on the site or site
collection. For example, when a site administrator chooses to create a site in French, the site's
toolbars, navigation bars, lists, and column headings appear in French. Likewise, if a site
administrator chooses to create a site in Arabic, the site's toolbars, navigation bars, lists, and
column headings appear in Arabic, and the default left-to-right orientation of the site changes to a
right-to-left orientation to properly display Arabic text.
The list of available languages that a site administrator can use to create a site or site collection is
generated by the language packs that are installed on your front-end Web servers. By default,
sites and site collections are created in the language in which Office SharePoint Server 2007 was
installed. For example, if you install the Spanish version of Office SharePoint Server 2007, the
default language for sites, site collections, and Web pages is Spanish. If a site administrator
needs to create sites, site collections or Web pages in a language other than the default Office
SharePoint Server 2007 language, you must install the language pack for that language on your
front-end Web servers. For example, if you are running the French version of Office SharePoint
Server 2007, and a site administrator wants to create sites in French, English, and Spanish, you
must install the English and Spanish language packs on your front-end Web servers.
Note:
By default, when a site administrator creates a new Web page within a site, the Web
page uses the site's language ID to display text.
Language packs for Office SharePoint Server 2007 are not bundled into multilingual installation
packages. You must install a specific language pack for each language that you want to support.
Also, language packs must be installed on each of your front-end Web servers to ensure that
each Web server can render content in the specified language.
The following table lists the language packs that are available for Office SharePoint Server 2007.
Although a site administrator specifies a language ID for a site, some user interface elements
such as error messages, notifications, and dialog boxes do not display in the language that was
specified. This is because Office SharePoint Server 2007 relies on several supporting
technologies — for example, the Microsoft .NET Framework, Microsoft Windows Workflow
Foundation, Microsoft ASP.NET, and Microsoft SQL Server 2005 — some of which are localized
into only a limited number of languages. If a user interface element is generated by any of the
supporting technologies that is not localized into the language that the site administrator specified
for the site, the user interface element appears in English. For example, if a site administrator
creates a site in Hebrew, and the .NET Framework component displays a notification message,
the notification message will not display in Hebrew because the .NET Framework is not localized
into Hebrew. This situation can occur when sites are created in any language except the
following: Chinese, French, German, Italian, Japanese, Korean, and Spanish.
In some cases, some text might originate from the original installation language, which can create
a mixed-language experience. This type of mixed-language experience is typically seen only by
content creators or site administrators and is not seen by site users.
Note:
You must be a member of the Administrators group on the computer to install these
language files. After the language files are installed, the languages are available to all
users of the computer.
Note:
You will need your Windows Server 2003 product disc to perform this procedure, or you
will need to know the location of a shared folder that contains your operating system
installation files.
Note:
You must restart your computer after you install supplemental language files.
After you install the necessary language files on your front-end servers, you need to install Office
SharePoint Server 2007 and run the SharePoint Products and Technologies Configuration
Wizard. The wizard creates and configures the configuration database and performs other
configuration tasks that must be done before you install language packs. For more information
about installing Office SharePoint Server 2007 and running the SharePoint Products and
Technologies Configuration Wizard, see Deploy in a simple server farm and Install Office
SharePoint Server 2007 on a stand-alone computer.
Important:
The language pack installs in its native language, for example the Russian language
pack executable file is localized into Russian. The procedure provided below is for the
English language pack.
When you install language packs, the language-specific site templates are installed in the
\Program Files\Common Files\Microsoft Shared\web server extensions\12\template\number
directory, where number is the Language ID for the language that you are installing. For example,
the US English language pack installs to the \Program Files\Common Files\Microsoft Shared\web
server extensions\12\template\1033 directory. After you install a language pack, site owners and
site collection administrators can create sites and site collections based on the language-specific
site templates by specifying a language when they are creating a new SharePoint site or site
collection.
language pack removes the language-specific site templates from your computer. All sites that
were created with those language-specific site templates will no longer work (the URL will
produce an HTTP 500 - Internal server error page). Reinstalling the language pack will make the
site functional.
Note:
You cannot remove the language pack for the version of Office SharePoint Server 2007
that you have installed on your server. For example, if you are running the Japanese
version of Office SharePoint Server 2007, you cannot uninstall the Japanese language
support for Office SharePoint Server 2007.
III. Create and configure Shared Services
Providers
Chapter overview: Create and configure
Shared Services Providers
After you have installed Microsoft Office SharePoint Server 2007, you must configure the primary
Shared Services Provider (SSP) that your SharePoint sites will rely on to provide services such
as search, personalization, or business intelligence. This chapter helps you create the primary
Shared Services Provider, and configure settings for the shared services that are hosted by that
SSP.
In this chapter:
• Configure the primary Shared Services Provider
• Configure the Office SharePoint Server Search service
• A. Configure personalization
• B. Configure business intelligence features
• C. Configure Excel Services
• D. Configure InfoPath Forms Services
• E. Configure Office Project Server
Configure the primary Shared Services
Provider
Important:
If you have not created a Web application for the SSP administration site, you need
to create one before you create the SSP. If you have already created a Web
application for the SSP administration site, skip to step 14.
4. On the New Shared Services Provider page, click Create a new Web application.
5. On the Create New Web Application page, in the IIS Web Site section, click Create a
new IIS web site, and do not modify the default settings in this section.
6. In the Security Configuration section, under Authentication provider, select the
appropriate option for your environment, and do not modify the default settings in the
remainder of this section.
Note:
By default, the authentication provider is set to NTLM. Use the Negotiate (Kerberos)
setting only if Kerberos is supported in your environment. This option will require
configuring a Service Principal Name for the domain user account, for which you
must have Domain Administrator credentials. For more information about configuring
Kerberos, see Microsoft Knowledge Base article KB 832769: HOW TO: Configure
Windows SharePoint Services to Use Kerberos Authentication
(http://support.microsoft.com/?kbid=832769).
7. In the Load Balanced URL section, do not modify the default settings.
8. In the Application Pool section, click Create new application pool.
9. In Application pool name, enter the name of your application pool or use the default
name.
10. Click Configurable, and in User name and Password, type the user name and
password for the user account that you want to act as the application pool identity for your
SSP Web application.
The user account must be a domain user account, but the user account does not have to be
a member of any particular security group. It is recommended that you use the principle of
least privilege and select a unique user account that does not have administrative rights on
your front-end servers or on your back-end database servers. You can use the user account
that you specified as the Microsoft Office SharePoint Server 2007 service account; however,
if that user account is a member of a security group that has administrative rights on your
front-end servers or your back-end database servers, you will not be following the principle of
least privilege. The user name must be in the format DOMAIN\username.
11. In the Database Name and Authentication section, verify the database information and
make sure that Windows Authentication (recommended) is selected.
12. In the Search Server section, do not modify the default settings.
13. Click OK.
Upon successful creation of the Web application, the New Shared Services Provider page
appears.
14. In the SSP Name section, in Web Application, select the Web application that you
created for the SSP, and do not modify any of the default settings in this section.
15. In My Site Location section, choose the correct Web application.
Note:
It is recommended that you run My Sites and the SSP administration site in different
Web applications so that you can back up and restore My Sites separately from the
SSP administration site.
16. In the SSP Service Credentials section, in User name and Password, type the user
name and password for the user account under which you want the SSP to run.
The user account must be a domain user account, but the user account does not have to be
a member of any particular security group. It is recommended that you use the principle of
least privilege and select a unique user account that does not have administrative rights on
your front-end servers or on your back-end database servers. You can use the user account
that you specified as the Office SharePoint Server 2007 service account; however, if that user
account is a member of a security group that has administrative rights on your front-end
servers or your back-end database servers, you will not be following the principle of least
privilege. The user name must be in the format DOMAIN\username.
17. In the SSP Database section, you can either accept the default settings (recommended),
or specify your own settings for the database server, the database name, or the SQL
authentication credentials.
18. In the Search Database section, you can either accept the default settings
(recommended), or specify your own settings for the search database server, the database
name, or the SQL Server authentication credentials.
19. In the Index Server section, in Index Server, click the server on which you configured
the Search service.
If there is no index server listed in the Index Server section, then no server in your farm has
been assigned the index server role. To assign the index server role to a server in your farm,
follow the instructions in Configure a dedicated front-end Web server for crawling
(http://technet.microsoft.com/en-us/library/cc261810.aspx).
20. In the SSL for Web Services section, click No.
21. Click OK.
Upon successful creation of the SSP, the Success page appears.
22. On the Success page, click OK to return to the Manage this Farm's Core Services page.
For information about how to perform this procedure using the Stsadm command-line tool, see
Shared Services Provider: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262916.aspx).
Note:
If you choose to enable SSL for Web services, you must add the certificate on
each server in the farm by using the IIS administration tool. Until this is done, the
Web services will not be available.
11. Click OK to create the SSP.
Note:
In the SSP Name column in the SSP list, you will see all the Web applications
with which each SSP is currently associated.
4. On the Change Association between Web Applications and SSPs page, under
Shared Services Provider, select the SSP you want to configure.
5. In the Web applications section, select the Web applications you want to associate
with the SSP.
6. Click OK to associate the SSP with the selected Web applications.
Configure the Office SharePoint Server
Search service
In this section:
• Server-level configuration
• Farm-level configuration
• SSP-level configuration
• Site collection-level configuration
This section describes the process of deploying the search features for Microsoft Office
SharePoint Server 2007 that are related to crawling content. If you have not already done so, we
highly recommend that you first read the topics described in Plan search
(http://technet.microsoft.com/en-us/library/cc263400.aspx) and fill out the companion Plan to
crawl content worksheet (http://go.microsoft.com/fwlink/?LinkID=73748&clcid=0x409). As you
proceed through this section, refer to this worksheet so that you have the information you need to
configure these search features.
For information about how to perform this procedure using the Stsadm command-line tool, see
Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).
Server-level configuration
The procedures in this section are performed at the server level. To perform these procedures,
you must be a member of the Administrators group for each server on which you want to perform
them.
• spss
• sts
• sts2
• sts2s
• sts3
• sts3s
Refer to the Protocol handlers section of the Plan to crawl content worksheet to review your
decisions for installing additional protocol handlers. When installing the protocol handlers on your
index server, follow the appropriate installation instructions provided by the manufacturer of each
protocol handler.
Note:
You must be a member of the Administrators group on each server on which you want to
install an additional protocol handler.
Note:
You must be a member of the Administrators group on each server on which you want to
install an IFilter.
Note:
The Office OneNote 2007 IFilter can crawl both OneNote 2003 and Office OneNote
2007 files. The Office OneNote 2003 IFilter can crawl OneNote 2003 files only.
• Add the OneNote file extension to the File Types list.
• Register the OneNote IFilter.
Note:
You must be a member of the Administrators group on the index server to perform
the following procedures.
Add the OneNote file extension to the File Types list
1. Open the administration page for the Shared Services Provider (SSP).
To open the administration page for the SSP, do the following:
a. In Central Administration, on the top link bar, click Application Management.
b. On the Application Management page, in the Office SharePoint Server Shared
Services section, click Create or configure this farm's shared services.
c. On the Manage this Farm's Shared Services page, click the SSP for which you
want to open the administration page.
2. On the Shared Services Administration page, in the Search section, click Search
settings.
3. On the Configure Search Settings page, in the Crawl Settings section, click File
Types.
4. On the Manage File Types page, click New File Type.
5. On the Add File Type page, in the File extension box, type one (the file extension of
OneNote files), and then click OK.
Note:
Do not type the period character "." before the file extension.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\Filters\.one]
"Extension"="one"
"FileTypeBucket"=dword:00000001
"MimeTypes"="application/msonenote"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\ContentIndexCommon\Filters\Extension\.one]
@="{B8D12492-CE0F-40AD-83EA-099A03D493F1}"
4. In Notepad, on the File menu, click Save As.
5. In the Save As dialog box, in the File name box, type onenote.reg, and then click
Save.
6. On the index server, double-click the onenote.reg file that you just created.
Note:
This step starts the process of setting the necessary registry keys for registering
the OneNote IFilter.
7. If the Open File - Security Warning dialog box appears, click Run.
8. In the Registry Editor dialog box, click Yes.
9. Click OK to close the Registry Editor box.
10. Restart the index server.
Note:
The index server must be restarted for the IFilter registration to take effect.
After you restart the index server, you must start a full crawl of the locations that contain Office
OneNote 2007 files before they can appear in search queries. If your document libraries require
check-out to edit the files, Office OneNote 2007 files will often be in checked-out state. Any
updates to the checked-out files that are saved to the library will not be crawled until the files are
checked in. In general, we recommend that administrators do not require that files be checked out
before they can be edited for document libraries that are intended for storing OneNote files.
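Importing the .reg file and restarting the index server gives no feedback about whether the crawler can actually load the filter. The following script is an added example, not part of the original guide or of the product, for checking the result on the index server: it reads back the two keys written by onenote.reg and then confirms that the CLSID they point to resolves to an IFilter DLL that exists on disk. It assumes the extension, CLSID and registry paths shown in the .reg file above and reads the DLL path from the registry rather than assuming one.

```powershell
# Added example (not part of the original guide): verify on the index server that
# the OneNote IFilter registration from onenote.reg took effect.
# Assumptions: the extension, CLSID and registry paths are those in the .reg file
# above; the IFilter DLL name is read from the registry rather than assumed.
# Run in an elevated PowerShell session on the index server.

$ext   = '.one'
$clsid = '{B8D12492-CE0F-40AD-83EA-099A03D493F1}'
$setup = 'HKLM:\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup'

$filterKey = "$setup\Filters\$ext"
$mapKey    = "$setup\ContentIndexCommon\Filters\Extension\$ext"
$inprocKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"

$problems = @()

# 1. File-type entry: extension, bucket and MIME type as written by the .reg file.
if (Test-Path $filterKey) {
    $f = Get-ItemProperty -Path $filterKey
    if ($f.Extension -ne 'one')                   { $problems += "Extension value is '$($f.Extension)', expected 'one'" }
    if ($f.FileTypeBucket -ne 1)                  { $problems += "FileTypeBucket is '$($f.FileTypeBucket)', expected 1" }
    if ($f.MimeTypes -ne 'application/msonenote') { $problems += "MimeTypes is '$($f.MimeTypes)', expected 'application/msonenote'" }
} else {
    $problems += "Missing key: $filterKey"
}

# 2. Extension-to-filter mapping: the key's default value must be the IFilter CLSID.
if (Test-Path $mapKey) {
    $mapped = (Get-ItemProperty -Path $mapKey).'(default)'
    if ($mapped -ne $clsid) { $problems += "Extension\$ext maps to '$mapped', expected $clsid" }
} else {
    $problems += "Missing key: $mapKey"
}

# 3. The CLSID must resolve to an in-process server DLL that exists on disk.
#    onenote.reg does not create this part; the IFilter's own installer does.
if (Test-Path $inprocKey) {
    $dll = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path $inprocKey).'(default)')
    if (-not (Test-Path -LiteralPath $dll)) { $problems += "IFilter DLL not found on disk: $dll" }
} else {
    $problems += "CLSID $clsid has no InprocServer32 key; install the OneNote IFilter before importing onenote.reg"
}

if ($problems.Count -eq 0) {
    "OneNote IFilter registration is complete: $ext -> $clsid"
} else {
    "OneNote IFilter registration is incomplete:"
    $problems | ForEach-Object { "  - $_" }
}
```

Run the script after the restart and before starting the full crawl; if it reports a missing InprocServer32 key, the .reg file was imported on a server where the IFilter itself was never installed, and the crawl will skip every .one file.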
Farm-level configuration
The procedures in this section are performed at the farm level. To perform these procedures, you
must be a farm administrator.
Note:
When typing the URL, you must exclude the protocol. For example, do not
include http:// or file://.
5. In the Request Frequency section, select one of the following options:
• Request up to the specified number of documents at a time and do not wait
between requests. If you choose this option, use the Simultaneous requests list to
select how many documents you want the crawler to request at one time when
crawling this URL. This is the maximum number of requests that the Office
SharePoint Server Search service can make at one time when crawling this URL.
• Request one document at a time and wait the specified time between
requests. If you choose this option, the Office SharePoint Server Search service
makes one request to the site at a time and then waits for the specified delay before
making the next request. In the Time to wait (in seconds) box, type the time to wait
(in seconds) between requests. The minimum time to wait between requests is one
second, and the maximum time is 1,000 seconds.
6. Click OK.
6. In the SSL Certificate Warning Configuration section, select the Ignore SSL
certificate name warnings check box only if you want the crawler to accept a site's
certificate even when the name in the certificate does not match the host name the
crawler connected to. With the check box selected, the crawler cannot distinguish a
misnamed but legitimate certificate from one presented by a different host, and it will
still present the content access account's credentials to that host. Otherwise, ensure
that this check box is cleared, and correct the certificate names on the crawled sites
instead.
7. Click OK.
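Before deciding whether to select the check box, it helps to know which of your HTTPS start addresses actually produce a name warning. The following script is an added example, not part of the original guide or of the product: it performs only a TLS handshake against each address, records what the platform's certificate validation found, and reports whether the name mismatched, so the certificates can be fixed rather than the warning ignored. It sends no request and no credentials. The two start addresses are constructed for illustration; replace them with the HTTPS start addresses from your content sources.

```powershell
# Added example (not part of the original guide): list which HTTPS start addresses
# present a certificate whose name does not match the host, before you consider
# selecting "Ignore SSL certificate name warnings". Only the TLS handshake is
# performed; no request and no credentials are sent.
# Assumption: the start addresses below are constructed for illustration.

$startAddresses = @(
    'https://intranet.contoso.com/',
    'https://portal.contoso.com:8443/sites/hr'
)

function Test-CrawlTargetCertificate {
    param([Parameter(Mandatory=$true)][string]$Url)

    $uri      = [Uri]$Url
    $hostName = $uri.Host
    $port     = $uri.Port
    $seen     = @{ Errors = $null; Subject = $null }

    # The validation callback only records what was found wrong with the
    # certificate; returning $true lets the handshake finish so the record is complete.
    $record = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $policyErrors)
        $seen.Errors  = $policyErrors
        $seen.Subject = $certificate.Subject
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($hostName, $port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $record)
        # Validate against the host name from the URL, exactly as the crawler would.
        $ssl.AuthenticateAsClient($hostName)
        $ssl.Close()
    } catch {
        return New-Object PSObject -Property @{
            Url = $Url; Subject = $null; NameMismatch = $null; PolicyErrors = $null
            Error = $_.Exception.Message
        }
    } finally {
        $client.Close()
    }

    $mismatch = ($seen.Errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0
    New-Object PSObject -Property @{
        Url = $Url; Subject = $seen.Subject; NameMismatch = $mismatch
        PolicyErrors = $seen.Errors; Error = $null
    }
}

$startAddresses | ForEach-Object { Test-CrawlTargetCertificate -Url $_ } |
    Format-Table Url, Subject, NameMismatch, PolicyErrors, Error -AutoSize
```

Run it from a server that can reach the crawled sites. Any row with NameMismatch set to True is a site that will trigger the warning; the PolicyErrors column also shows chain errors, which the Ignore SSL certificate name warnings check box does not suppress and which will still block the crawl.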
Tip:
You can use any combination of number of log files and minutes to store in
each log file you want to achieve 10,080 minutes (seven days) of events.
3. Ensure that the path specified in the Path box has enough room to store the extra log
files, or change the path to another location.
Tip:
We recommend that you store log files on a hard drive partition that is used to
store log files only.
4. Click OK.
Trace log files are invaluable for troubleshooting issues related to configuration changes of either
the Office SharePoint Server Search service or the Windows SharePoint Services Search
service. Because problems related to configuration changes are not always discovered right
away, we recommend that you save all trace log files that the system creates on any day that you
make any configuration changes related to either search service. Store these log files for an
extended period of time in a safe location that will not be overwritten. See step 3 in the procedure
above to determine the location where the system stores trace log files for your system.
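The following script is an added example, not part of the original guide or of the product, of one way to carry out that recommendation: it copies the trace logs written on the day of a configuration change to a separate location, marks the copies read-only, and writes a SHA-256 manifest beside them so that an archived log can later be shown to be unchanged. It assumes that $logPath is the value shown in the Path box of the Diagnostic Logging page (the product default is used below; change it if you moved the logs), that $archiveRoot is a location of your choosing on a volume the trace logger does not write to, and that $day is the date of the configuration change.

```powershell
# Added example (not part of the original guide): keep a read-only, hash-listed
# copy of the trace logs written on a day you changed search configuration, so
# they are not lost when the logging path is trimmed.
# Assumptions: $logPath matches the Path box on the Diagnostic Logging page
# (the product default is shown), $archiveRoot is a location of your choosing on a
# volume the trace logger does not write to, $day is the date of the change.

$logPath     = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\LOGS'
$archiveRoot = 'D:\SearchConfigLogs'
$day         = (Get-Date).Date          # for an earlier change: (Get-Date '2009-03-10').Date

$dest = Join-Path $archiveRoot $day.ToString('yyyy-MM-dd')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

$sha256   = [System.Security.Cryptography.SHA256]::Create()
$manifest = @()

Get-ChildItem -Path $logPath -Filter '*.log' |
    Where-Object { $_.LastWriteTime.Date -eq $day } |
    ForEach-Object {
        $target = Join-Path $dest $_.Name
        Copy-Item -LiteralPath $_.FullName -Destination $target -Force

        # Hash the copy, not the source: the log being written right now keeps
        # changing, and the manifest must describe what was actually archived.
        $stream = [System.IO.File]::OpenRead($target)
        try     { $hash = [BitConverter]::ToString($sha256.ComputeHash($stream)).Replace('-', '') }
        finally { $stream.Close() }

        # Read-only so that routine cleanup or a careless copy does not overwrite it.
        (Get-Item -LiteralPath $target).IsReadOnly = $true
        $manifest += "$hash  $($_.Name)"
    }

# To check an archived log later, recompute its SHA-256 and compare it with
# the value recorded here.
$manifest | Set-Content -Path (Join-Path $dest 'SHA256SUMS.txt')
"Archived $($manifest.Count) trace log file(s) to $dest"
```

The log file that is currently being written is copied as it stands when the script runs; run the script again after the log rolls over to capture the remainder of the day. Run it on each server that runs either search service, because each server writes its own trace logs.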
SSP-level configuration
The procedures in this section are performed at the Shared Services Provider (SSP) level. To
perform these procedures, you must be an SSP administrator for Search.
Use the following procedure to create a content source of any of the following content source
types:
• SharePoint sites
• Web sites
• File shares
• Microsoft Exchange public folders
Note:
Each content source name must be unique within the SSP in which it is created.
5. In the Content Source Type section, select the type of content you want to crawl by
using this content source.
6. In the Start Addresses section, in the Type start addresses below (one per line)
box, type the URLs from which the search system should start crawling.
Note:
For performance reasons, you cannot add the same start addresses to multiple
content sources.
7. In the Crawl Settings section, select the behavior for the type of content you
selected.
8. In the Crawl Schedules section, you can specify when to start full and incremental
crawls.
• You can create a full crawl schedule by clicking the Create Schedule link below
the Full Crawl list.
• You can create an incremental crawl schedule by clicking the Create Schedule
link below the Incremental Crawl list.
9. Click OK.
10. Repeat steps 4 through 9 for any additional content sources you want to create.
Use the following procedure to create a content source of the business data content source type.
settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Content
sources and crawl schedules.
3. On the Manage Content Sources page, click New Content Source.
4. On the Add Content Source page, in the Name section, in the Name box, type a
name for the content source.
Note:
Each content source name must be unique within the SSP in which it is created.
5. In the Content Source Type section, select Business Data.
6. In the Applications section, select Crawl entire Business Data Catalog to crawl all
applications registered in the Business Data Catalog or select Crawl selected
applications and select the specific applications you want to crawl.
7. In the Crawl Schedules section, you can specify when to start full and incremental
crawls.
• You can create a full crawl schedule by clicking the Create Schedule link below
the Full Crawl list.
• You can create an incremental crawl schedule by clicking the Create Schedule
link below the Incremental Crawl list.
8. Click OK.
9. Repeat steps 4 through 8 for any additional content sources you want to create.
specified path to be excluded from the crawl.
• Include all items in this path. Select this option if you want all items in the path
to be crawled.
6. If you chose to exclude all items in this path, skip to step 8. Otherwise, you can
further refine the inclusion by selecting any combination of the following:
• Follow links on the URL without crawling the URL itself. Select this option if
you want to crawl links contained within the URL, but not the URL itself.
• Crawl complex URLs (URLs that contain a question mark (?)). Select this
option if you want to crawl URLs that contain parameters that use the question mark
(?) notation.
• Crawl SharePoint content as HTTP pages. Normally, SharePoint content is
crawled by using a special protocol that also records each item's permissions. Select
this option if you want SharePoint content to be crawled as HTTP pages instead.
When the content is crawled by using the HTTP protocol, item permissions are not
stored, so search results for that content cannot be security-trimmed per item; use
this option only for content that is intended to be visible to everyone who can query
the index.
7. In the Specify Authentication section, do one of the following:
• To use the default content access account when crawling URLs affected by this
crawl rule, select Use the default content access account.
• If you want to use a different content access account, select Specify a different
content access account, and then do the following:
In the Account box, type the account name that can access the paths defined by this
crawl rule. Examples are user_name and DOMAIN\user_name.
In the Password and Confirm Password boxes, type the password for this account.
If you want to prevent basic authentication from being used, select the Do not allow
Basic Authentication check box. Basic authentication sends this account's password to
the crawled site in a form that is not encrypted unless the connection itself uses SSL,
so select the check box unless a site covered by this rule can be reached only with
Basic authentication over SSL.
• To use a client certificate for authentication, select Specify client certificate,
and then click a certificate on the Certificate menu.
8. Click OK.
9. Repeat steps 4 through 8 for each new crawl rule you want to create.
Note:
Do not precede the file type with the period "." character.
5. Click OK.
6. Repeat steps 4 through 5 for any other file types you want to add.
You can also delete file types from this list for the file types you don't want the crawler to include
in the content index. Use the following procedure, along with the decisions you recorded in the
File-type inclusions section of the Plan to crawl content worksheet, to delete file types from the
file type inclusions list.
Crawl content defined in a particular content source
1. On the Shared Services Administration page, in the Search section, click Search
settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Content
sources and crawl schedules.
3. On the Manage Content Sources page, position the cursor over the content source
you want to crawl, and then click Start full crawl on the menu that appears.
Select this option if you want only a single value mapped. When multiple crawled
properties are mapped to a managed property, the one that is chosen will be the first
in the list that has a value for a given document. You can reorder the list by using the
Move up and Move down buttons.
8. If you selected Include values from all crawled properties mapped, skip to step
12.
9. Click Add Mapping to add a mapping to the list.
10. The Crawled property selection dialog box appears. Configure the settings as
follows:
a. On the Select a category menu, click either All categories or a specific type of
document category (for example, Office or SharePoint).
b. In Select a crawled property, select a crawled property to map to the managed
property that you are adding.
Because the list of crawled properties is likely to be long, you can type the name (or
the first part of the name) of the property that you are looking for in the Crawled
property name box and then click Find.
c. Click OK.
11. Repeat steps 9 through 10 for each additional crawled property that you want to map
to this managed property.
12. On the New Managed Property page, in the Use in scopes section, select the Allow
this property to be used in scopes check box if you want this managed property to be
available for defining scopes.
13. Click OK.
Note:
Changes to the property mappings take effect on a document-by-document basis
as soon as a document is crawled, regardless of the type of the crawl. A full crawl
ensures that the changes are consistently applied to the entire index.
type a title for the scope.
5. In the Description box, type a description for the scope that informs administrators
what the purpose of the scope is.
Note:
These descriptions are not visible to users.
6. Your credentials are automatically entered in the read-only Last modified by box.
Note:
Last modified by settings are not visible to users.
7. In the Target Results Page section, select one of the following:
• Use the default Search Results Page. Select this option if you want search
results from this scope to be presented by using the standard Search Results page.
• Specify a different page for searching this scope. Select this option if you
want search results from this scope to be presented on a custom page. If you select
this option, type the URL for the custom Search Results page in the Target results
page box.
8. Click OK.
The following table describes the four scope rule types that you can choose from when creating a
scope rule. For simplicity, a separate procedure is provided for each scope rule type.

Scope rule type     Purpose

Web address         Select this option if you want the scope to include or exclude
                    content from any resource in the search index that can be
                    identified either by a URL (such as Web sites, file shares, and
                    Exchange public folders) or by a host name, domain name, or
                    subdomain name.
                    • Folder. Select this option if you want to include or exclude
                    items in the folder and subfolders of the indicated URL (for
                    example, http://site/subsite/folder).
                    • Hostname. Select this option if you want to specify a host
                    name. All items in the host name will be included or excluded
                    from the scope (according to the behavior rules).
                    • Domain or subdomain. Select this option if you want to
                    specify a domain or subdomain (for example,
                    widgets.contoso.com). All items in the domain or subdomain
                    will be included in or excluded from the scope.

Property query      Select this option if you want the scope to include or exclude
                    content that has a managed property with a particular value. For
                    example, Author="John Doe".

Content source      Select this option if you want the scope to include or exclude
                    content that was crawled by using a particular content source.

All content         Select this option if the rule should not restrict the scope (the
                    scope will include or exclude all content in the search index).
Use the following procedure to open the Add Scope Rule page.
Use the following procedure to create scope rules by using the Web address scope rule type.
Create scope rules by using the Web address scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Web Address.
2. In the Web Address section, select one of the following options and provide the
address you want to associate with this rule:
• Folder. Select this option if you want to include or exclude items in the folder and
subfolders of the indicated URL (for example, http://site/subsite/folder).
• Hostname. Select this option if you want to specify a host name. All items in the
host name will be included or excluded from the scope (according to the behavior
rules).
• Domain or subdomain. Select this option if you want to specify a domain or
subdomain (for example, widgets.contoso.com). All items in the domain or
subdomain will be included in or excluded from the scope.
3. In the Behavior section, select one of the following options:
• Include. Select this option if you want items that match this rule to be included
in the scope unless another rule excludes them. The Include option is analogous to
the logical operator OR.
• Require. Select this option if every item in the scope must match this rule,
regardless of the other rules. The Require option is analogous to the logical
operator AND.
• Exclude. Select this option if you want items that match this rule to be excluded
from the scope. The Exclude option is analogous to the logical operator AND NOT.
4. Click OK.
Use the following procedure to create scope rules by using the Property query scope rule type.
Create scope rules by using the Property query scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Property
Query.
2. In the Property Query section, select the managed property that you want to use to
limit the scope from the Add property restrictions menu.
3. In the = box, type the string (value) that the managed property needs to match.
4. In the Behavior section, select one of the following options:
• Include. Select this option if you want items that match this rule to be included
in the scope unless another rule excludes them. The Include option is analogous to
the logical operator OR.
• Require. Select this option if every item in the scope must match this rule,
regardless of the other rules. The Require option is analogous to the logical
operator AND.
• Exclude. Select this option if you want items that match this rule to be excluded
from the scope. The Exclude option is analogous to the logical operator AND NOT.
5. Click OK.
Use the following procedure to create scope rules by using the Content source scope rule type.
Create scope rules by using the Content source scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Content
source.
2. In the Content Source section, in the corresponding menu, select the content source
from the list that you want to associate with this rule.
3. In the Behavior section, select one of the following options:
• Include. Select this option if you want items that match this rule to be included
in the scope unless another rule excludes them. The Include option is analogous to
the logical operator OR.
• Require. Select this option if every item in the scope must match this rule,
regardless of the other rules. The Require option is analogous to the logical
operator AND.
• Exclude. Select this option if you want items that match this rule to be excluded
from the scope. The Exclude option is analogous to the logical operator AND NOT.
4. Click OK.
Use the following procedure to create scope rules by using the All content scope rule type.
Create scope rules by using the All content scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select All Content.
2. Click OK.
Note:
Separate the URLs by hard returns so that you list one full URL per line.
4. In the Second-level authoritative pages box, list the URLs that are secondary.
5. In the Third-level authoritative pages box, list the URLs that are tertiary.
6. In the Non-authoritative Sites section, in the Sites to demote box, list the URLs
that you want to mark as unimportant when search results are returned (for example,
URLs of sites that contain outdated information but are kept for record-keeping).
Note:
Any URL or item whose prefix matches the provided URLs in the Sites to
demote box is demoted.
7. If you want the ranking calculations to begin after you click OK, in the Refresh Now
section, select the Refresh now check box. If the check box is cleared, ranking
calculations occur according to a predetermined schedule.
8. Click OK.
based alerts.
3. On the Configure Search-based Alerts page, click Deactivate.
Note:
The copy of the shared scope appears in the Unused Scopes section of the
View Scopes page.
Use the following procedure, along with the decisions you recorded in the Site-collection level
scopes section of the Plan the end-user search experience worksheet
(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create scopes at the site
collection level.
the scope that will best explain it to your users. You can also type a fuller description for
reference by site administrators.
5. Ignore the Display Groups section for now. We will assign display groups to scopes
later in this section.
6. In the Target Results Page section, select one of the following:
• Use the default Search Results Page. Select this option if you want search
results from this scope to be presented by using the standard Search Results page.
• Specify a different page for searching this scope. Select this option if you
want search results from this scope to be presented on a custom page. If you select
this option, type the URL for the custom Search Results page in the Target results
page box.
7. Click OK.
Scope rule type     Purpose

Web address         Select this option if you want the scope to include or exclude
                    content from any resource in the search index that can be
                    identified either by a URL (such as Web sites, file shares, and
                    Exchange public folders) or by a host name, domain name, or
                    subdomain name.
                    • Folder. Select this option if you want to include or exclude
                    items in the folder and subfolders of the indicated URL (for
                    example, http://site/subsite/folder).
                    • Hostname. Select this option if you want to specify a host
                    name. All items in the host name will be included or excluded
                    from the scope (according to the behavior rules).
                    • Domain or subdomain. Select this option if you want to
                    specify a domain or subdomain (for example,
                    widgets.contoso.com). All items in the domain or subdomain
                    will be included in or excluded from the scope.

Property query      Select this option if you want the scope to include or exclude
                    content that has a managed property with a particular value. For
                    example, Author="John Doe".

All content         Select this option if the rule should not restrict the scope (the
                    scope will include or exclude all content in the search index).
Use the following procedure to open the Add Scope Rule page.
Note:
You cannot add scope rules to shared scopes at the site collection level.
4. On the Scope Properties and Rules page, in the Rules section, click New rule.
Use the following procedure to create scope rules by using the Web address scope rule type.
Create scope rules by using the Web address scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Web Address.
2. In the Web Address section, select one of the following options and provide the
address you want to associate with this rule:
• Folder. Select this option if you want to include or exclude items in the folder and
subfolders of the indicated URL (for example, http://site/subsite/folder).
• Hostname. Select this option if you want to specify a host name. All items in the
host name will be included or excluded from the scope (according to the behavior
rules).
• Domain or subdomain. Select this option if you want to specify a domain or
subdomain (for example, widgets.contoso.com). All items in the domain or
subdomain will be included in or excluded from the scope.
3. In the Behavior section, select one of the following options:
• Include. Select this option if you want items that match this rule to be included
in the scope unless another rule excludes them. The Include option is analogous to
the logical operator OR.
• Require. Select this option if every item in the scope must match this rule,
regardless of the other rules. The Require option is analogous to the logical
operator AND.
• Exclude. Select this option if you want items that match this rule to be excluded
from the scope. The Exclude option is analogous to the logical operator AND NOT.
4. Click OK.
Use the following procedure to create scope rules by using the Property Query scope rule type.
Create scope rules by using the Property Query scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Property
Query.
2. In the Property Query section, select the managed property that you want to use to
limit the scope from the Add property restrictions list.
3. In the = box, type the string (value) that the managed property needs to match.
4. In the Behavior section, select one of the following options:
• Include. Select this option if you want items that match this rule to be included
in the scope unless another rule excludes them. The Include option is analogous to
the logical operator OR.
• Require. Select this option if every item in the scope must match this rule,
regardless of the other rules. The Require option is analogous to the logical
operator AND.
• Exclude. Select this option if you want items that match this rule to be excluded
from the scope. The Exclude option is analogous to the logical operator AND NOT.
5. Click OK.
Use the following procedure to create scope rules by using the All content scope rule type.
Create scope rules by using the All content scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select All Content.
2. Click OK.
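The way the three behaviors combine is the same whether scope rules are created at the SSP level or, as in the procedures just above, at the site collection level: an item belongs to the scope only if it matches at least one Include rule (OR), matches every Require rule (AND), and matches no Exclude rule (AND NOT). The following script is an added example, not part of the original guide or of the product, that evaluates a constructed set of rules against constructed index items so the effect of each behavior can be seen. The per-type matching logic is a simplification of the product's own, and the script treats a scope with no Include rules as starting from all content, which is an assumption of the example rather than something the guide states.

```powershell
# Added example (not part of the original guide): how Include, Require and Exclude
# combine when a scope is evaluated. Rules, items and the per-type matching are
# constructed for illustration and simplified from the product's behavior.

function Test-ScopeRule {
    param($Rule, $Item)
    $itemHost = ([Uri]$Item.Url).Host
    switch ($Rule.Type) {
        'Folder'        { return $Item.Url.StartsWith($Rule.Value, [StringComparison]::OrdinalIgnoreCase) }
        'Hostname'      { return $itemHost -eq $Rule.Value }
        'Domain'        { return ($itemHost -eq $Rule.Value) -or $itemHost.EndsWith('.' + $Rule.Value) }
        'PropertyQuery' { return $Item.Properties[$Rule.Property] -eq $Rule.Value }
        'ContentSource' { return $Item.ContentSource -eq $Rule.Value }
        'AllContent'    { return $true }
    }
    return $false
}

function Test-ScopeMembership {
    param($Rules, $Item)
    $include = @($Rules | Where-Object { $_.Behavior -eq 'Include' })
    $require = @($Rules | Where-Object { $_.Behavior -eq 'Require' })
    $exclude = @($Rules | Where-Object { $_.Behavior -eq 'Exclude' })

    # OR over the Include rules: at least one must match. A scope with no Include
    # rules is treated here as starting from all content (an assumption of this example).
    if ($include.Count -gt 0) {
        $hit = $false
        foreach ($r in $include) { if (Test-ScopeRule $r $Item) { $hit = $true; break } }
        if (-not $hit) { return $false }
    }
    # AND over the Require rules: every one must match.
    foreach ($r in $require) { if (-not (Test-ScopeRule $r $Item)) { return $false } }
    # AND NOT over the Exclude rules: any match removes the item.
    foreach ($r in $exclude) { if (Test-ScopeRule $r $Item) { return $false } }
    return $true
}

# Constructed rules: documents by John Doe anywhere under contoso.com, except the archive.
$rules = @(
    @{ Behavior = 'Include'; Type = 'Domain';        Value = 'contoso.com' },
    @{ Behavior = 'Require'; Type = 'PropertyQuery'; Property = 'Author'; Value = 'John Doe' },
    @{ Behavior = 'Exclude'; Type = 'Folder';        Value = 'https://widgets.contoso.com/sites/archive' }
)

# Constructed items standing in for entries in the search index.
$items = @(
    @{ Url = 'https://widgets.contoso.com/sites/hr/plan.docx';     ContentSource = 'Local Office SharePoint Server sites'; Properties = @{ Author = 'John Doe' } },
    @{ Url = 'https://widgets.contoso.com/sites/hr/budget.xlsx';   ContentSource = 'Local Office SharePoint Server sites'; Properties = @{ Author = 'Jane Roe' } },
    @{ Url = 'https://widgets.contoso.com/sites/archive/old.docx'; ContentSource = 'Local Office SharePoint Server sites'; Properties = @{ Author = 'John Doe' } },
    @{ Url = 'https://files.fabrikam.com/shared/plan.docx';        ContentSource = 'Partner Web sites';                    Properties = @{ Author = 'John Doe' } }
)

$items | ForEach-Object {
    New-Object PSObject -Property @{ Url = $_.Url; InScope = (Test-ScopeMembership $rules $_) }
} | Format-Table InScope, Url -AutoSize
```

With these rules only the first item is in scope: budget.xlsx fails the Require rule (AND), archive/old.docx is removed by the Exclude rule (AND NOT), and the fabrikam.com item matches no Include rule (OR). Swapping the Include and Require behaviors on the first two rules gives the same result here, but adding a second Include rule for fabrikam.com would then admit the fourth item, which is the difference between OR and AND that the behavior names describe.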
2. On the Site Settings page, in the Site Collection Administration section, click
Search scopes.
3. On the View Scopes page, click New Display Group.
4. On the Create Scope Display Group page, type a title and description that easily
identifies the purpose of the group.
5. In the Scopes section, select the check box next to each scope that you want to
include in this display group. You can manage the ordering of the scopes in the group by
using the Position from Top lists.
6. In the Default Scope section, in the Default Scope list, select the scope that you
want to be applied if users do not make a choice on their own.
7. Click OK.
Modify the Search Box Web Part for a new display group
Use the following procedure to modify the Search Box Web Part for a new display group.
Modify the Search Box Web Part for a new display group
1. Go to the Search Center page on the site collection on which you want to modify the
Search Box Web Part.
2. Click Site actions, and then click Edit Page.
3. In the search box, click Edit, and then click Modify Shared Web Part.
4. In the Search Box tool pane, click the plus sign (+) next to Miscellaneous.
5. In the Scope Display Group text box, type the name of the display group that you
want to use, and then click Apply.
6. Click OK to close the tool pane.
7. On the Search Center page, click either Publish or Check In to Share Draft,
depending on your site permissions and workflow.
4. On the Add Keyword page, in the Keyword Information section, in the Keyword
Phrase box, type the keyword phrase you want to create.
5. In the Synonyms box, type the synonyms you want to associate with this keyword
phrase. You can type more than one synonym by separating them with semicolons.
6. If you want to associate a Best Bet with this keyword, in the Best Bets section, click
Add Best Bet. Otherwise, skip to step 13.
7. If this is the first Best Bet you will create on this site collection, skip to step 8.
Otherwise, in the Add Best Bet dialog box, do one of the following:
• To create a new Best Bet, select Add new best bet and then skip to step 8.
• To select an existing Best Bet, select Select existing best bet, click the Best Bet
you want from the Select best bets from the list below box, and then click OK. Skip
to step 13.
8. In the URL box, type the URL you want to associate with this Best Bet.
9. In the Title box, type the title you want to associate with this Best Bet. This title
appears in the Select best bets from the list below box, when selecting an existing
Best Bet.
10. In the Description box, type a description for this Best Bet. This description appears
with the Best Bet on the Search Results page.
11. Click OK.
12. If you want to create a definition for this keyword, in the Keyword Definition section,
type the definition that you want to appear next to Best Bets for this keyword on the
Search Results page (optional).
13. In the Contact section, type the user name of the person to inform when the keyword
is past its review date (optional).
14. In the Publishing section, you can optionally choose end and review dates for this
keyword.
15. Click OK.
16. Repeat steps 4 through 15 to create additional keywords and Best Bets.
A. Configure personalization
Chapter overview: Configure personalization
In this section:
• Configure personalization permissions
• Configure connections to personalization services
• Configure targeted content
• Configure personalization sites
• Configure policies for Profile Services
The personalization service in Microsoft Office SharePoint Server 2007 uses information about
users in your organization that is stored in directory services. That information can be
supplemented with information about users from line-of-business applications. Personalization
information can then be displayed in user profiles, and the properties in user profiles can be used
to target content.
Consult the plan for personalization in your initial deployment, and then configure the options that
you have selected.
Configure targeted content
After the SSP administrator has configured access to directory services and has configured user
profiles, it is time to configure targeted content.
Content is primarily targeted by using audiences. Audiences are defined by using rules based on
properties from directory services. Lists, sites, and other content are then targeted to those
audiences so that only members of targeted audiences can see the content.
Some kinds of content are not targeted to users until their locations are selected by
administrators as trusted. The SSP administrator configures trusted My Site locations, published
links to Office client applications, and personalization site links so that the correct content is
available for the right users.
For more information about targeting content, see Configure targeted content.
Configure personalization permissions
In this section:
• Configure SSP administrator permissions for Profile Services
• Configure access to SSP pages
• Configure user permissions for personalization
• Configure access to trusted My Site host locations
Before enabling personalization features in your deployment, you must first configure permissions
to personalization features. Although some permissions are configured by default for deployments
using Active Directory directory services, other configuration options vary according to the specific
plan for deployment.
Administrators of the Shared Services Provider (SSP) have limited ability to configure
personalization services. The administration options for personalization services are associated
with a set of permissions for different personalization features. Administrators can have access to
some or all of these administration options.
The users of the SSP have access to personal features associated with My Sites. Administrators
of personalization permissions are responsible for configuring any changes to the default
permissions for users.
Configure administrator permissions to the SSP for personalization sites
1. Open the administration page for the SSP.
To open the administration page for the SSP, perform the following:
a. On the top navigation bar, click Application Management.
b. On the Application Management page, in the Office SharePoint Server Shared
Services section, click Create or configure this farm’s shared services.
c. On the Manage this Farm’s Shared Services page, there is a link to each SSP
and links to the Web applications for each SSP. Click the link for the SSP that you
want to open.
You can also access the SSP by clicking the link to the SSP Home page in the Quick
Launch.
2. On the SSP Home page, in the User Profiles and My Sites section, click
Personalization services permissions.
3. On the Manage Permissions page, click Add Users/Groups.
4. On the Add Users/Groups page, in the Choose Users section, type the name of the
users and groups that you want to add. If a user or group is already on the list, select the
check box for that user or group, and then click Modify Permissions of Selected Users.
5. In the Choose Permissions section, select the permissions that you want for the
added users and groups:
• To enable administration of user profiles, select Manage user profiles. Users
who have this permission can access the User profiles and properties page and the
Profile services policies page.
• To enable administration of permissions to personalization services, select
Manage permissions.
• To enable administration of audiences, select Manage Audiences.
• To enable administration of the portal usage reporting service, select Manage
usage analytics.
6. Click Save.
Use the following procedure to configure access to SSP pages.
and the Create personal site permission can create a My Site by clicking the My Site link in the
top navigation bar.
In some organizations, personalization features may not be enabled. In these scenarios, the
administrator with permission to manage permissions would remove these permissions for all
authenticated users.
In other organizations, only some users will have access to personalization features. In these
scenarios, the personalization permissions would be removed for the All Authenticated Users
group, and another group would be created containing users who have both permissions.
In some organizations, My Sites will be created on a case-by-case basis, or created by managers
during deployment. In these scenarios, users would have the Use personal features permission,
but not the Create personal site permission.
Because these permissions are managed in the same place as administrator permissions, it is
possible to create several groups with different combinations of permissions. It is recommended
that you carefully plan group permissions during the initial deployment so that you can minimize
administration tasks during regular operations.
Use the following procedure to configure user permissions for personalization.
Access to personalized information can also be modified by configuring profile services policies
for users. For more information about configuring profile services policies, see Configure policies
for Profile Services.
typical scenario that requires multiple My Site host locations is a geographically distributed
deployment with multiple sets of shared services in different locations. In these scenarios, it is
common for each region to have its own set of My Sites and personalization features based on
the needs of each region.
Use the following procedure to add trusted My Site host locations.
During regular operations, in response to changes in directory services, one or more users often
end up with My Sites in different locations. Trusted My Site host locations can be used to provide
access to personalization features targeted for only these users, without enabling access to all
users.
See Also
Configure policies for Profile Services
Configure targeted content
Configure connections to Profile Services
In this section:
• Add import connections
• Configure import connections
• Configure user profiles
Personal information about the users in your organization is stored in directory services and line-
of-business applications and imported to the user profile store so that it can be used to present
personalized or targeted content in sites, and to search for people in your organization.
When the administrator of the Shared Services Provider (SSP) configures user profile imports,
the import connections necessary for those settings are configured automatically except for
custom connections. Custom import connections must be configured separately.
Note:
Changing this setting will delete any manually configured connections for the
current source.
5. In the Default Access Account section, select Specify Account and type a name
and password for the access account.
Note:
It is recommended that you specify an account, rather than relying on the default
content access account. To use the default content access account, select Use
Default Content Access Account.
6. Depending on your plan for scheduling user profile imports, select Schedule full
import in the Full Import Schedule section, or select Schedule incremental import in
the Incremental Import Schedule section, and then select the day and time to schedule
the import.
7. Click OK.
Before continuing with configuration of personalization features, ensure that you have imported all
user profiles at least once. To run a full import of user profiles:
• On the User Profiles and Properties page, in the Profile and Import Settings section,
click Start full import.
and links to the Web applications for each SSP. Click the link for the SSP that you
want to open.
You can also access the SSP by clicking the link to the SSP home page in the Quick
Launch.
2. On the SSP home page, in the User Profiles and My Sites section, click User
profiles and properties.
3. On the User Profiles and Properties page, in the Profile and Import Settings
section, click View import connections.
4. On the View Import Connections page, click Create New Connection.
5. To add a connection to Active Directory directory services:
a. On the Add Connection page, in the Connection Settings section, on the Type
menu, click Active Directory.
b. In the Domain name text box, type the domain name for the domain that
contains the information that you want to import.
c. Select Auto discover domain controller if the specific domain controller is not
important. To select a specific domain controller, select Specify a domain
controller, and then in the Domain controller name menu, click the name of a
specific domain controller.
d. In the Port text box, type the number of the port to use to connect to the domain.
To use SSL to help secure the connection, select the Use SSL-secured connection
check box, and type a port number that is configured to use SSL in the Port text
box.
e. To minimize the performance impact on the domain controller, type a number of
seconds in the Time out text box, and select Enable Server Side Incremental.
Note:
The Enable Server Side Incremental option must be selected if you are
planning to perform incremental imports.
6. To add a connection to an Active Directory resource:
a. In the Connection Settings section, on the Type menu, click Active Directory
Resource.
b. In the Domain name text box, type the domain name for the domain that
contains the information that you want to import.
c. Select Auto discover domain controller if the specific domain controller is not
important. To select a specific domain controller, select Specify a domain
controller, and then in the Domain controller name menu, click the name of a
specific domain controller.
d. In the Port text box, type the number of the port to use to connect to the domain.
To use SSL to help secure the connection, select the Use SSL-secured connection
check box, and type a port number that is configured to use SSL in the Port text
box.
e. To minimize the performance impact on the domain controller, type a number of
seconds in the Time out text box, and select Enable Server Side Incremental.
f. In the Master Forest Connection Settings section, in the Domain name text
box, type the domain name for the master forest associated with the Active Directory
resource that you want to import.
g. Select Auto discover domain controller if the specific domain controller for the
master forest is not important. To select a specific domain controller, select Specify a
domain controller, and then in the Domain controller name menu, click the name
of a specific domain controller.
h. In the Port text box, type the number of the port to use to connect to the domain.
To use SSL to help secure the connection, select the Use SSL-secured connection
check box, and type a port number that is configured to use SSL in the Port text
box.
Select Specify Account and type the account name and password that you want to
use to import user profiles from this connection.
Note:
It is recommended that you specify an account, rather than relying on the
default content access account. To use the default content access account,
select Use Default Account.
7. To add a connection to LDAP directory services:
a. On the Add Connection page, in the Connection Settings section, in the Type
menu, click LDAP Directory.
b. In the Connection name text box, type the name of the connection.
c. In the Directory service server name text box, type the name of the server for
the directory service.
d. In the Port text box, type the number of the port to use to connect to the domain.
To use SSL to help secure the connection, select the Use SSL-secured connection
check box, and type a port number that is configured to use SSL in the Port text
box.
e. To minimize the performance impact on the domain controller, type a number of
seconds in the Time out text box, and select Enable Server Side Incremental.
f. In the Providername text box, type the name of the provider for this connection.
g. In the Username attribute text box, type the name of the attribute to import.
Note:
This attribute is the identification attribute for each entry in LDAP directory
services, associated with a single user or account. By default, this is the uid
attribute.
8. In the Search Settings section, in the Search base text box, type the distinguished
name of the directory node from which to import the users. If you do not know the
distinguished name, click the Auto Fill Root Search Base button.
9. In the User filter text box, you can add new query clauses to the default query to
filter which user profiles are imported.
10. Under Scope, select One level to import one level of user profiles, or Subtree to
import all user profiles under the search base.
11. To improve performance, you can type a maximum number of user profiles to import
in the Page Size text box, and type a maximum number of seconds for the import in the
Page time out text box.
12. In the Authentication Information section, select Specify Account and type the
account name and password that you want to use to import user profiles from this
connection.
Note:
It is recommended that you specify an account, rather than relying on the default
content access account. To use the default content access account, select Use
Default Account.
13. Click OK.
For most connections, unless you have a specific need to narrow the scope of the import or limit
the impact on the servers for directory services, you can accept the default values that appear on
the Add Connection page. If you have non-user accounts in Active Directory, such as accounts
used for testing, you might want to filter out those accounts. Configuration settings for
connections can be modified to improve performance as part of regular operations.
For more information about the exact settings to use when importing user profiles, see the
technical reference documentation for Microsoft Office SharePoint Server 2007. For more
information about Active Directory, see the documentation for Active Directory.
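The Search base, Scope and User filter settings in steps 8 through 10 decide which directory entries become user profiles, which is where non-user accounts such as test or service accounts are kept out of the profile store. The following Python example is added here and is not part of this guide or of SharePoint: it evaluates those three settings against a constructed directory, first with the usual Active Directory person/user filter and then with a narrowed filter that drops disabled, test and service accounts using Active Directory's bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) on userAccountControl. The DNs, account names and attribute values are constructed, and the filter grammar it accepts is a small subset of RFC 4515.

```python
"""Apply the Add Connection page's Search base, Scope and User filter settings
to directory entries, the way they narrow a user profile import.  Added
example: the entries and values are constructed, and the evaluator is a small
RFC 4515 subset (and/or/not, equality, substring, presence and the Active
Directory bitwise-AND matching rule), not SharePoint's import code."""
import re
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, List[str]]           # attribute name -> values
Pred = Callable[[Entry], bool]
AD_BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

def parse_filter(text: str) -> Pred:
    """Compile an LDAP filter string into a predicate over one entry."""
    text = text.strip()
    pred, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected trailing text at offset {pos}")
    return pred

def _parse(s: str, i: int) -> Tuple[Pred, int]:
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                               # compound filter
        op, i = s[i], i + 1
        kids: List[Pred] = []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "&":
            return (lambda e: all(k(e) for k in kids)), i + 1
        if op == "|":
            return (lambda e: any(k(e) for k in kids)), i + 1
        if len(kids) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (lambda e: not kids[0](e)), i + 1
    end = s.index(")", i)                           # simple item: attr=value
    attr, _, value = s[i:end].partition("=")
    rule = None
    if ":" in attr:                                 # extensible match attr:OID:=value
        attr, rule, _ = attr.split(":", 2)
    attr, i = attr.lower(), end + 1
    if rule == AD_BIT_AND:                          # every bit of the mask is set
        mask = int(value)
        return (lambda e: any(int(v) & mask == mask for v in e.get(attr, []))), i
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if value == "*":                                # presence
        return (lambda e: attr in e), i
    if "*" in value:                                # substring, case-insensitive
        rx = re.compile("^" + ".*".join(map(re.escape, value.split("*"))) + "$", re.I)
        return (lambda e: any(rx.match(v) for v in e.get(attr, []))), i
    return (lambda e: any(v.lower() == value.lower() for v in e.get(attr, []))), i

def in_scope(dn: str, search_base: str, scope: str) -> bool:
    """Scope as on the Add Connection page: "One level" takes only direct
    children of the search base, "Subtree" everything beneath it.  DNs are
    split on commas, which is enough for the constructed data."""
    parts = [p.strip().lower() for p in dn.split(",")]
    base = [p.strip().lower() for p in search_base.split(",")]
    if len(parts) <= len(base) or parts[-len(base):] != base:
        return False
    if scope == "One level":
        return len(parts) == len(base) + 1
    if scope == "Subtree":
        return True
    raise ValueError(f"unknown scope {scope!r}")

def select_profiles(entries: List[Entry], search_base: str, scope: str,
                    user_filter: str) -> List[str]:
    """Return, sorted, the DNs the import would turn into user profiles."""
    pred = parse_filter(user_filter)
    picked = []
    for raw in entries:
        e = {k.lower(): v for k, v in raw.items()}  # attribute names are case-insensitive
        dn = e["distinguishedname"][0]
        if in_scope(dn, search_base, scope) and pred(e):
            picked.append(dn)
    return sorted(picked)

DIRECTORY: List[Entry] = [   # constructed sample directory
    {"distinguishedName": ["CN=Ana Diaz,OU=Staff,DC=corp,DC=example"],
     "objectCategory": ["person"], "objectClass": ["top", "user"],
     "sAMAccountName": ["adiaz"], "userAccountControl": ["512"]},
    {"distinguishedName": ["CN=Ben Lee,OU=Contractors,OU=Staff,DC=corp,DC=example"],
     "objectCategory": ["person"], "objectClass": ["top", "user"],
     "sAMAccountName": ["blee"], "userAccountControl": ["512"]},
    {"distinguishedName": ["CN=test-load01,OU=Staff,DC=corp,DC=example"],
     "objectCategory": ["person"], "objectClass": ["top", "user"],
     "sAMAccountName": ["test-load01"], "userAccountControl": ["514"]},   # 512 + ACCOUNTDISABLE
    {"distinguishedName": ["CN=svc-backup,OU=Staff,DC=corp,DC=example"],
     "objectCategory": ["person"], "objectClass": ["top", "user"],
     "sAMAccountName": ["svc-backup"], "userAccountControl": ["66048"]},  # 512 + DONT_EXPIRE_PASSWD
    {"distinguishedName": ["CN=PRINT01,OU=Staff,DC=corp,DC=example"],
     "objectCategory": ["computer"], "objectClass": ["top", "computer"]},
]

# The usual Active Directory person/user filter, and a version narrowed so that
# disabled, test and service accounts never become user profiles.
DEFAULT_FILTER = "(&(objectCategory=person)(objectClass=user))"
NARROWED_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                   "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
                   "(!(sAMAccountName=test-*))(!(sAMAccountName=svc-*)))")
```

With search base OU=Staff,DC=corp,DC=example, Subtree and the default filter pick up all four person entries, One level drops the contractor in the nested OU, and the narrowed filter leaves only the two real staff accounts.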
After you have configured import connections to directory services, you can add a connection for
additional properties imported from the Business Data Catalog. Unlike directory services, it is not
possible to create user profiles from the Business Data Catalog. You can only add Business Data
Catalog data to existing user profiles imported from directory services, although you can add as
much or as little data as you want.
Use the following procedure to add an import connection to the Business Data Catalog.
Entity as a 1:1 mapping, and then select a profile property that maps to the business
data type in the Return items identified by this profile property menu.
7. To import multiple items for the business data type, select Connect User Profile
Store to Business Data Catalog Entity as a 1:many mapping, select a property to
filter by in the Filter items by menu, and then type a property for the filter value in the
Use this profile property as the filter value menu.
8. Select Auto discover domain controller if the specific domain controller is not
important. To select a specific domain controller, select Specify a domain controller,
and then in the Domain controller name menu, click the name of a specific domain
controller.
9. In the Port text box, type the number of the port to use to connect to the domain. To
use SSL to help secure the connection, select the Use SSL-secured connection check
box, and type a port number that is configured to use SSL in the Port text box.
10. To minimize the performance impact on the domain controller, type a number of
seconds in the Time out text box, and select Enable Server Side Incremental.
11. In the Providername text box, type the name of the provider for this connection.
12. In the Username attribute text box, type the name of the attribute to import.
Note:
This attribute is the identification attribute for each entry in the Business Data
Catalog for this business data type.
Note:
If your deployment uses multiple languages, you can provide alternative display
names for each language by clicking the Edit Languages button, clicking Add
Language, selecting a language from the menu, and then typing the display
name in the new language. You can add display names for any of the available
languages. The display name that appears depends on the language used by the
user viewing the property.
3. On the Type menu, select the data type for the property.
4. On the Length menu, type the maximum number of characters allowed for values for
this property.
5. To allow multiple values for this property, select the Allow multiple values check
box, and then select an option from the Multivalue Separator menu.
Note:
If you select the Allow multiple values check box, the property will be
permanently set as a multi-valued property. You cannot change this setting after
you have selected it.
6. To allow users to select values from a list of choices, select the Allow choice list
check box.
7. In the User Description section, type a description that provides instructions for
users who are adding values for this property.
Note:
If your deployment uses multiple languages, you can provide alternative
descriptions for each language by clicking the Edit Languages button, clicking
Add Language, selecting a language from the menu, and then typing the display
name in the new language. You can add descriptions for any of the available
languages. The description that appears depends on the language used by the
user viewing the property.
8. In the Policy Settings, Edit Settings, and Display Settings sections, select a policy
setting and default privacy setting for this property, select whether users can edit values
for this property, and configure display options. For more information about privacy
policies, see Configure policies for Profile Services.
9. In the Choice List Settings section, choose whether the property uses a defined
choice list, add the choices, and select whether users can add to the choice list.
Note:
This section is only available if you selected the Allow choice list check box in
the Property Settings section. For more information about choice lists, see Plan
for people and user profiles.
10. In the Search Settings section, select the Alias check box if the property is
equivalent to the user's name for purposes of search. Select Indexed if this property is
part of the search schema for users, so that it can be used to find users or is displayed in
user search results.
11. In the Property Import Mapping section, select the data source and data type field
to use when mapping this property.
12. Click OK.
See Also
Plan for people and user profiles (http://technet.microsoft.com/en-us/library/cc262095.aspx)
Configure policies for Profile Services
Configure targeted content
Configure personalization sites
Configure targeted content
In this section:
• Create and configure audiences
• Configure published links to Office client applications
• Configure personalization site links
• Configure access to trusted My Site host locations
In Microsoft Office SharePoint Server 2007, content in a site can be targeted to individuals and
groups of users so that a site can provide a personalized experience for all users. This
encourages collaboration across an organization.
Content is primarily targeted by using audiences. Audiences are defined by using audience rules
based on properties in user profiles or membership in distribution lists and SharePoint groups.
Properties and distribution list membership information are imported from directory services or
from line-of-business applications that are registered in the Business Data Catalog. SharePoint
groups are configured within each site or site collection.
SharePoint lists and Web Parts can be targeted by using audiences, so that only members of the
targeted audience can view content.
Links to certain sites can be targeted by audience. Examples of targeted links include published
links to Office client applications and personalization site links. Targeted links appear in Office
client applications and My Sites only for users who are members of the target audiences.
Administrators of the Shared Services Provider (SSP) create and configure audiences, and then
configure the compilation schedules for audiences. After audiences are created by SSP
administrators, any other user with the correct permissions can use audiences to target content.
SSP administrators also configure the settings for published links to the Office client applications
and personalization site links. In configurations that have more than one My Site location, the
SSP administrator for personalization services configures trusted My Site locations so that some
groups of users can view personalized content across all My Site locations.
2. On the Manage Audiences page, click Create audience.
3. On the Create Audience page, type a name and description.
4. In the Owner text box, type or select a person to own this audience.
5. Select Satisfy all of the rules or Satisfy any of the rules depending on the rules
you have planned for each audience.
Note:
Complex rules containing AND and OR can be created by developers using the
SharePoint object model.
6. Click OK.
7. On the Add Audience Rule page, to add a rule based on a user:
a. In the Operand section, select User.
b. In the Operator section, select Reports Under to create a rule based on
organizational hierarchy or select Member Of to target by group or distribution list.
c. Type or select the user that you want to use to test this rule. For a Reports Under
rule, select the person who is the manager of the users that you want to include in
the audience. For a Member Of audience, select the group or distribution list to
include for the audience rule.
8. To add a rule based on a property of user profiles:
a. In the Operand section, select Property, and then select a property from the
menu.
b. In the Operator menu, select an operator for the property. The operators vary by
property, but common operators include =, Contains, and <>. Full descriptions of the
operators are available in the planning and operations documentation for Office
SharePoint Server 2007.
c. Type a value to use when evaluating the property against this rule.
9. Click OK.
Use the following procedure to configure audience compilation and compile audiences.
On the Manage Audiences page, click Start compilation at any time to compile audiences. All
audiences will be compiled.
Note:
You can compile audiences individually from the View Audiences page by clicking the
audience, and then clicking Compile.
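To show how the rule choices in steps 5 through 8 combine when audiences are compiled, here is an added Python example that is not SharePoint's audience compiler and not part of this guide. It compiles three audiences over constructed user profiles: a User operand with Reports Under or Member Of, a Property operand with =, Contains or <>, and the Satisfy all / Satisfy any choice. It assumes that Reports Under walks the whole manager chain and that a property missing from a profile compares as an empty string; the accounts, groups and property values are constructed.

```python
"""Compile audiences from rules of the kinds built on the Add Audience Rule
page: a User operand with Reports Under or Member Of, a Property operand with
=, Contains or <>, combined by Satisfy all / Satisfy any of the rules.
Added example over constructed profiles, not SharePoint's audience compiler.
Assumed: Reports Under walks the whole manager chain, and a property missing
from a profile compares as an empty string."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Union

@dataclass
class Profile:
    account: str
    manager: Optional[str]
    props: Dict[str, str]
    groups: Set[str] = field(default_factory=set)  # SharePoint groups / distribution lists

@dataclass(frozen=True)
class UserRule:                 # Operand = User
    operator: str               # "Reports Under" | "Member Of"
    value: str                  # manager account, or group / distribution list name

@dataclass(frozen=True)
class PropertyRule:             # Operand = Property
    prop: str
    operator: str               # "=" | "Contains" | "<>"
    value: str

Rule = Union[UserRule, PropertyRule]

@dataclass
class Audience:
    name: str
    rules: List[Rule]
    satisfy: str = "all"        # "all" = Satisfy all of the rules, "any" = Satisfy any

def reports_under(p: Profile, manager: str, profiles: Dict[str, Profile]) -> bool:
    """True when manager is anywhere above p in the organizational hierarchy."""
    seen: Set[str] = set()
    cur = p.manager
    while cur is not None and cur not in seen:      # guard against cyclic data
        if cur.lower() == manager.lower():
            return True
        seen.add(cur)
        above = profiles.get(cur)
        cur = above.manager if above else None
    return False

def rule_matches(rule: Rule, p: Profile, profiles: Dict[str, Profile]) -> bool:
    if isinstance(rule, UserRule):
        if rule.operator == "Reports Under":
            return reports_under(p, rule.value, profiles)
        if rule.operator == "Member Of":
            return rule.value.lower() in {g.lower() for g in p.groups}
        raise ValueError(f"unknown User operator {rule.operator!r}")
    actual = p.props.get(rule.prop, "").lower()     # missing property -> empty string
    wanted = rule.value.lower()
    if rule.operator == "=":
        return actual == wanted
    if rule.operator == "<>":
        return actual != wanted
    if rule.operator == "Contains":
        return wanted in actual
    raise ValueError(f"unknown Property operator {rule.operator!r}")

def compile_audience(a: Audience, profiles: Dict[str, Profile]) -> Set[str]:
    """Membership as Start compilation would produce for this audience."""
    if a.satisfy not in ("all", "any"):
        raise ValueError(f"unknown satisfy mode {a.satisfy!r}")
    combine = all if a.satisfy == "all" else any
    return {acct for acct, p in profiles.items()
            if combine(rule_matches(r, p, profiles) for r in a.rules)}

PROFILES = {p.account: p for p in [             # constructed sample data
    Profile("corp\\mrivera", None, {"Department": "Engineering", "Title": "VP Engineering"}),
    Profile("corp\\adiaz", "corp\\mrivera", {"Department": "Engineering", "Title": "Manager"},
            {"Eng-All"}),
    Profile("corp\\blee", "corp\\adiaz", {"Department": "Engineering", "Title": "Engineer"},
            {"Eng-All", "Security Champions"}),
    Profile("corp\\cpark", "corp\\mrivera", {"Department": "Finance", "Title": "Analyst"},
            {"Finance-DL"}),
    Profile("corp\\dsmith", "corp\\cpark", {"Department": "Finance", "Title": "Senior Analyst"},
            {"Finance-DL", "Security Champions"}),
]}

AUDIENCES = [
    Audience("Engineering org", [UserRule("Reports Under", "corp\\mrivera"),
                                 PropertyRule("Department", "=", "Engineering")], "all"),
    Audience("Champions or senior staff", [UserRule("Member Of", "Security Champions"),
                                           PropertyRule("Title", "Contains", "Senior")], "any"),
    Audience("Outside engineering", [PropertyRule("Department", "<>", "Engineering")]),
]

if __name__ == "__main__":
    for a in AUDIENCES:
        print(f"{a.name}: {sorted(compile_audience(a, PROFILES))}")
```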
Actual targeting of content based on audiences is performed by site administrators or
contributors. As part of planning for your initial deployment, your planning team will identify the
key content to target. Audience administrators should work with site administrators during
deployment to ensure that content is targeted according to plan.
Every user who is a member of a targeted audience can see the personalization link when
viewing their personal site, along with other relevant personalization sites. This enables each user
to have a single access point for personalized content.
The configuration page for personalization sites does not check the template of linked sites, so
SSP administrators can in principle create a link to any kind of site. However, to keep My Sites
focused, it is recommended that only personalization site links, or links to sites that use a
similar template, be added to the list on the Personalization site links page.
SSP administrators select an owner for each personalization site link. This provides a contact for
the personalization link, but does not configure any permissions for audiences. The visibility of
each link can be modified by the relevant site administrator of each site during regular operations,
by changing the targeted audiences. Audience creation and membership can only be configured
by the audiences administrator from the SSP administration pages.
Configure the personalization site links for the key personalization sites identified during site
hierarchy and personalization planning. Additional links can be added as necessary as part of
regular operations.
Use the following procedure to configure personalization site links.
Consult your planning for SSPs and trusted My Site host locations to determine which trusted My
Site host locations you need to add and the audiences you need to use when targeting those
locations.
Use the following procedure to add trusted My Site host locations.
During regular operations, in response to changes in directory services, one or more users can
end up with My Sites in different locations. This can happen when an account is migrated from
one SSP to another, such as when an employee changes geographic divisions in an organization
that uses different SSPs for geographically distributed locations. Trusted My Site host locations
can be used to provide access to personalization features targeted for only these users, without
enabling access to all users.
See Also
Plan for audiences (http://technet.microsoft.com/en-us/library/cc261958.aspx)
Configure personalization sites
Configure personalization sites
In this section:
• Create personalization sites
• Design personalization sites
• Target personalization site links
Microsoft Office SharePoint Server 2007 provides a template for creating personalization sites.
Personalization sites use a Current User Filter Web Part that can be connected to other Web
Parts on the page to display content that is personalized for each user who visits the site.
Unlike personal sites, which combine Web Parts that display information configured by Shared
Services Provider (SSP) administrators by configuring user profiles and personalization policies
with content customized by each user, personalization sites are designed to be customized by
site owners for a larger audience.
Site owners are selected during initial deployment by SSP administrators when they configure
personalization links. The site owner of each site is typically the site administrator for the site, and
decides which audiences to use when targeting the display of the personalization link on the My
Site navigation bar.
Site administrators, possibly working with site designers, create and customize personalization
sites based on recognized business needs.
Design personalization sites
Design of personalization sites can be simple or complex depending on the need of the site. The
key personalization sites for the initial deployment are identified during site hierarchy planning
based on the needs of your organization. Consult site hierarchy planning, and then design each
personalization site to meet your identified needs.
The list of Web Parts that can be used in designing personalization sites is provided in part in the
planning documentation, developer documentation, and technical reference documentation for
Office SharePoint Server 2007. For more information about the full capabilities of Web Parts, see
this documentation. The key concept to understand regardless of the exact Web Parts used is
how to connect the Current User Filter Web Part to other Web Parts.
Use the following procedure to connect the Current User Filter Web Part to other Web Parts.
Connect the Current User Filter Web Part to other Web Parts
1. On the Site Actions menu, click Edit Page.
2. Add the Web Parts that you want to connect to the filter Web Parts, based on your
plan for the design of this site.
3. On the Current User Filter Web Part, click the Edit menu, point to Connections,
point to Send Values To, and then click the name of the Web Part that you want to
connect to the filter Web Part.
Note:
Some connected Web Parts can accept a default value from the Current User
Web Part. The procedure to connect these Web Parts uses the Send Default
Value To connection option, but is otherwise the same.
4. On the Configure Connection Webpage dialog, in the Consumer Field Name
menu, select the property to filter by.
For example, to filter the contents of a Documents Web Part, select Modified By to filter
the list in the Documents Web Part to display only the documents modified by the current
user.
5. Click Finish.
6. Click Exit Edit Mode when you are done connecting Web Parts.
For more information on configuring personalization site links, see Configure targeted content.
Configure policies for Profile Services
In this section:
• Configure policies for personalization features
• Configure policies for user profiles
In Microsoft Office SharePoint Server 2007, Shared Services Provider (SSP) administrators for
personalization services configure the policies that determine who can view personalized
information and how that information can be shared. Every kind of personalized information is
affected by these policies, including:
• Memberships in SharePoint sites and distribution lists.
• Social networking features, such as My Colleagues.
• Links on personal sites.
• Personalization site link pinning.
• User profile properties.
Consult your planning for personalization policies, and then configure settings for each of these
personalization features.
property or feature.
• Select Required if the property must contain information. The visibility of the
property is configured in the Default Privacy Settings menu.
• Select Optional if the property is not required. Each user decides whether
optional properties contain information based on the user's preference.
4. In the Default Privacy Setting menu, select the people who can view information for
the feature or property.
• Click Only Me to limit visibility to the user.
• Click My Manager to limit visibility to the user and the user's manager.
• Click My Workgroup to limit visibility to the user and all users who report to the
same manager.
• Click My Colleagues to limit visibility to the user and all colleagues for that user.
• Click Everyone to share the information with all users who have the "use
personal features" permission.
5. To enable users to change the default privacy setting, select the User can override
check box.
6. To enable a property to be available in user information lists for SharePoint sites
other than My Site, select the Replicable check box. This property and its values from
the user profile will be replicated to other sites.
Note:
If you clear a check box that has already been selected, any information that was
replicated before the change will remain on other SharePoint sites until it is
changed on each site. This can occur during deployment if you clear the check box
for a property that is replicable by default after the property has already been
imported from directory services or the Business Data Catalog.
7. Click OK.
• Select Required if the property must contain information. The visibility of the
property is configured in the Default Privacy Settings menu, as discussed in step 5.
• Select Optional if the property is not required. Each user decides whether or not
to provide values for optional properties.
• Select Disabled to prevent anyone but the SSP administrator from viewing the
property or feature.
5. In the Default Privacy Setting menu, select the people who can view information for
the feature or property.
• Click Only Me to limit visibility to the user.
• Click My Manager to limit visibility to the user and the user's manager.
• Click My Workgroup to limit visibility to the user and all users who report to the
same manager.
• Click My Colleagues to limit visibility to the user and all colleagues for that user.
• Click Everyone to share the information with all users who have the Use
personal features permission.
6. To enable users to change the default privacy setting, select the User can override
check box.
7. To enable a property to be available in user information lists for SharePoint sites
other than My Site, select the Replicable check box. This property and its values from
the user profile will be replicated to other sites.
Note:
Replication occurs during profile imports. The information list is replaced by the
values for the property in the imported user profile. Changes made to properties
in the user profile that are not replicated will not appear on other sites. If you
clear a Replicable check box that was previously selected, any information that
was replicated before the change will remain on other SharePoint sites until it is
changed on each site. This can occur during deployment if you clear a check box
for a property that is replicable by default after the property has been imported
from directory services or the Business Data Catalog.
8. In the Edit Settings section, click an option to allow or not allow users to edit values
for properties in their user profiles.
• To allow users to edit values for the property in their user profiles, click Allow
users to edit values for this property.
• To prevent users from editing values for the property, click Do not allow users to
edit values for this property.
9. In the Display Settings section, select where the property is displayed on My Site.
• To display the property in the profile properties section of the user's profile page,
select Show in the profile properties section of the user's profile page.
• To display the property on the Edit Details page available from the personal page
of My Site, select Show on the Edit Details page.
• To display changes to the property in the Colleagues section of My Site and all
other instances of the Colleague Tracker Web Part, click Show changes in the
Colleague Tracker web part.
10. Click OK.
See Also
Plan for people and user profiles (http://technet.microsoft.com/en-us/library/cc262095.aspx)
Policies for Profile Services (http://technet.microsoft.com/en-us/library/cc263160.aspx)
B. Configure business intelligence features
Chapter overview: Configure business
intelligence features
In this section:
• Configure access to business data
• Register line-of-business applications in the Business Data Catalog
• Customize business data lists, Web Parts, and sites
• Configure business data search
Microsoft Office SharePoint Server 2007 enables the integration of data from line-of-business
applications with features that enable that data to be found, displayed, and analyzed along with
other content by users who use SharePoint sites.
After you have planned the line-of-business applications, SharePoint lists, and sites for your
organization, you must configure the connection between data in applications and the features in
your deployment that use data.
Customize business data lists, Web Parts, and
sites
After you configure access to business data and imported business data types and properties,
you can include the data in SharePoint lists and Web Parts. These lists and Web Parts are used
in sites across your organization, particularly business dashboards and the Report Center site.
Business data displayed in dashboard sites enables complex data analysis and action through
business intelligence features, such as Excel Web Access Web Parts and key performance
indicators (KPIs).
These features are implemented by site administrators and end users, but business planners and
SSP administrators should work closely with these users during initial deployment to implement
the decisions made during planning.
For more information about customizing business data in lists, Web Parts, and sites, see
Customize business data lists, Web Parts, and sites.
Configure access to business data
In this section:
• Configure SSP administrator rights for the Business Data Catalog
• Configure access to the SSP pages
• Configure application definitions and single sign-on for the Business Data Catalog
• Configure data warehousing
• Configure permissions for business data
In Microsoft Office SharePoint Server 2007, the Business Data Catalog enables users to find and
analyze business data and take effective actions directly from SharePoint sites that use business
data. When configuring the Business Data Catalog, it is critical that you protect the security and
integrity of the data in line-of-business applications.
One of the most important ways to protect your data is to carefully enable access to data for users
who can use it effectively, and to prevent access by other users. During planning for your
deployment, you identify the purpose of your sites, the business applications associated with key
business purposes, and the users who use each application. During deployment, you enable
access to the groups of users identified during planning.
To enable access to business data, you should:
• Configure Shared Services Provider (SSP) administrator rights for the Business Data
Catalog.
• Configure access to the SSP pages.
• Configure single sign-on for the Business Data Catalog.
• Configure data warehouses for data security.
• Configure user permissions for business data.
Services section, click Create or configure this farm’s shared services.
c. On the Manage this Farm’s Shared Services page, there is a link to each SSP
and links to the Web applications for each SSP. Click the link for the SSP that you
want to open.
You can also access the SSP by clicking the link to the SSP Home page in the Quick
Launch.
2. On the SSP home page, in the Business Data Catalog section, click Business Data
Catalog permissions.
3. On the Manage Permissions: Business Data Catalog page, click Add Users/Groups.
4. On the Add Users/Groups: Business Data Catalog page, in the Choose Users
section, enter the name or account of the user that you want to add.
5. In the Choose Permissions section, select one or more permissions for the user.
For the main administrator of the Business Data Catalog, it is common to select all
permissions.
• Edit: Select this permission to enable users to import application definitions and
add, edit, or delete application definitions, business data types, and data fields for
business data types.
• Execute: Select this permission to enable users to change the properties of
business data.
• Select in Clients: Select this permission to enable the user to refer to business
data types and fields in SharePoint lists, Web Parts, sites, and client applications.
• Set permissions: Select this permission to enable the user to configure
permissions for other users.
6. Click Save.
The Business Data Catalog is only one of several features and services that take advantage of
SSO. SSO is also used by Excel Services in Microsoft Office SharePoint Server 2007, InfoPath
Forms Services, and in a variety of Web Parts, lists, and search features that access external
data sources. With SSO, all of these data sources can be accessed securely by using a single
sign-on.
The Business Data Catalog relies on application definitions to translate the data types and fields
of data sources into metadata that is useful in sites and applications that use Office SharePoint
Server 2007. The SSP administrator for the Business Data Catalog or a Web designer authors the
XML file for the application definition, which includes authentication information and the business
data types and fields in the planned business data schema. The SSP administrator then imports the
application definitions to the Business Data Catalog. This data can then be viewed and analyzed
in SharePoint sites to improve business data collaboration and business intelligence.
To use SSO for applications in the Business Data Catalog, the farm administrator must configure
SSO on the server farm. Then, the farm administrator must create application definitions for each
line-of-business application that match the separate application definitions already imported into
the Business Data Catalog.
By the end of server farm configuration of SSO, enterprise application definitions should exist for
all of the line-of-business applications in the Business Data Catalog. The administrator of the
Business Data Catalog should work closely with farm administrators to ensure that the necessary
application definitions are created. For more information on the configuration of SSO on the
server farm, see Configure single sign-on.
After SSO is configured on the server farm and enterprise application definitions have been
created for the line-of-business applications that will be added to the Business Data Catalog, the
administrator of the Business Data Catalog imports the application definitions to the Business
Data Catalog. Then, you can import the business data types and fields for those applications. For
more information about importing application definitions, see Register business applications in the
Business Data Catalog. For more information about managing single sign-on, see Central
Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx).
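As an added illustration (not a file from this book or from the product documentation), the instance section of a Business Data Catalog application definition that delegates the database logon to a single sign-on enterprise application definition instead of carrying a user name and password in the connection string; the system, server, database and SSO application names (OrdersLob, CONTOSO-SQL, OrdersDB, OrdersSsoApp) are constructed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the deployment book. Names such as OrdersLob,
     CONTOSO-SQL, OrdersDB and OrdersSsoApp are constructed placeholders. -->
<LobSystem xmlns="http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"
           Type="Database" Version="1.0.0.0" Name="OrdersLob">
  <LobSystemInstances>
    <LobSystemInstance Name="OrdersLobInstance">
      <Properties>
        <!-- AuthenticationMode controls whose identity reaches the database:
               PassThrough   = the calling user's Windows identity (needs delegation)
               RevertToSelf  = the Web application pool identity
               Credentials   = an account stored in the SSO service (used here)
             With Credentials, the Business Data Catalog asks the SSO service for the
             account mapped to the enterprise application definition named below, which
             the farm administrator must have created first (see "Configure single sign-on"). -->
        <Property Name="AuthenticationMode" Type="System.String">Credentials</Property>
        <Property Name="SsoApplicationId" Type="System.String">OrdersSsoApp</Property>
        <!-- Provider that backs the SSO lookup: the Office SharePoint Server 2007
             single sign-on service assembly. -->
        <Property Name="SsoProviderImplementation" Type="System.String">Microsoft.SharePoint.Portal.SingleSignon.SpsSsoProvider, Microsoft.SharePoint.Portal.SingleSignon, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c</Property>
        <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
        <!-- Every property whose name starts with "RdbConnection " is appended to the
             SQL connection string. Note that no User ID or Password appears here: the
             definition file can be exported and backed up without exposing a secret. -->
        <Property Name="RdbConnection Data Source" Type="System.String">CONTOSO-SQL</Property>
        <Property Name="RdbConnection Initial Catalog" Type="System.String">OrdersDB</Property>
        <Property Name="RdbConnection Pooling" Type="System.String">false</Property>
      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>
  <Entities>
    <!-- The business data types (entities), their methods and fields from the planned
         business data schema follow here; they are omitted in this example. -->
  </Entities>
</LobSystem>
```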
To copy data from a line-of-business application to a data warehouse, follow the procedures for
copying the data relevant to the particular application. When you configure the connections to
business applications, use the location of the business data warehouse instead of the line-of-
business application. When configuring business data actions that are intended to update the
underlying data, you will have to separately configure access to the business data application.
See Also
Register business applications in the Business Data Catalog
Customize business data lists, Web Parts, and sites
Configure business data search
Plan for business intelligence (http://technet.microsoft.com/en-us/library/cc262935.aspx)
Register business applications in the
Business Data Catalog
In this section:
• Create application definitions
• Import application definitions
• Configure enterprise application definitions for single sign-on
• Configure business data types and fields
Before you can use data from any line-of-business application in Microsoft Office SharePoint
Server 2007, you must register that information in the Business Data Catalog. The Business Data
Catalog is the service that manages connections among line-of-business applications and the
SharePoint lists, Web Parts, and sites that use data from those applications.
To register line-of-business applications in the Business Data Catalog, you should:
• Create application definitions for each application or database in your organization.
Application definitions contain connection settings, authentication mode, and definitions for
the business data types and properties imported for a particular application.
• Import application definitions to the Business Data Catalog.
• Configure single sign-on (SSO) enterprise application definitions for applications that will
be using SSO.
• Configure business data types and the fields for each business data type.
After completing these steps for each line-of-business application in your organization, you can
then use the data from applications in SharePoint lists, Web Parts, and business data-enabled
sites such as business dashboards and the Report Center site. Data can also be imported for use
in user profiles or used in enterprise search to find business data.
definition files can be imported into the Business Data Catalog, and can be exported as a backup
for disaster recovery scenarios.
For more information about authoring application definitions, see the Microsoft Office SharePoint
Server 2007 Software Development Kit (SDK).
Use the following procedure to create an application definition.
Warning:
If Windows authentication is not used, the logon credentials are not encrypted.
13. In the Logon Account Information section, configure each of the Field boxes for
soliciting required logon information from users. Selecting Yes for Mask hides the text
typed by the user. This helps to keep sensitive information such as passwords secret.
14. Click OK.
Administrators for the Business Data Catalog should work closely with farm administrators to
ensure that the necessary application definitions are created that correspond to the configuration
plans for the Business Data Catalog.
Selected Users.
9. To modify the permissions of selected users, click Modify Permissions of Selected
Users.
10. On the Modify Permissions page, in the Choose Permissions section, select the
permissions that you want for the user or group.
11. Click OK.
12. To copy permissions for an application to all entities for that application, or to copy
permissions for an entity to all child entities, click Copy all permissions to
descendants, and click OK on the dialog box that appears.
For more information about Business Data Catalog permissions, see Configure access to business
data.
Edit the profile page template
Use the following procedure to edit the profile page template.
Note:
To view business data profiles in a complex business dashboard, you can
replace the default profile page template with the dashboard page template, and
then modify the new template. This enables you to use key performance
indicators, filters, and other tools for business intelligence and analysis directly
from business data profiles.
Customize business data lists, Web Parts,
and sites
In this section:
• Create business data lists
• Create KPIs and KPI lists
• Create and configure reports in the Report Center site
• Create and configure dashboard sites
• Create other business data sites
After configuring access to business data and registering applications in the Business Data
Catalog, business data is available for use in lists, Web Parts, and sites in your deployment. The
initial creation and customization of lists, Web Parts, and sites is performed by site administrators,
designers, and contributors. While these tasks are daily operations for different users, and not the
responsibility of IT professionals, it is important to set up key lists, Web Parts, and sites as part of
an initial deployment of Microsoft Office SharePoint Server 2007.
The relevant customization tasks during deployment include:
• Creating SharePoint lists that use business data that can be used by business data Web
Parts and sites that use business data.
• Creating key performance indicators (KPIs) based on business data lists, other
SharePoint lists, Excel workbooks, or data sources made available in data connection
libraries.
• Creating reports and adding KPI lists and business data lists to the Reports Library of the
Report Center site or any site that uses the Report Center template.
• Creating and configuring dashboard sites in the Report Center site.
• Creating additional Report Center sites and other sites that use business data.
click the link to an existing list.
3. On the list page, on the Settings menu, click Create Column.
4. On the Create Column page, in the Name and Type section, type a name and then
select the Business data check box.
5. In the Additional Column Settings section, select the business data type and field
that contains the data you want to add to the list.
6. To display the action menu for the selected business data type, click Display the
actions menu.
7. To link the column to the business data profile for the type, click Link this column to
the profile page.
8. Click OK.
You can add as many business data columns as you want. For more information about business
data lists, see the User's Guide.
For more information on creating and configuring KPIs, see the User's Guide.
Create and configure reports in the Report Center
site
For business data lists and KPI lists that are based on data from the Business Data Catalog that
you plan to use in the Report Center site, you can create the lists in the Reports Library of the
Report Center site. These lists can then be used in dashboards for the Report Center site.
In the Report Center site, you can also create reports based on Excel data. Use the following
procedure to create a report.
During deployment, you will only add the key reports that you identified during planning. The
other reports can be added by users during normal operations.
For more information about using reports to display Excel data, see C. Configure Excel Services.
Note:
If your site template does not include a Report Center site, you must first create a
site by using the Report Center template, and then open that site.
2. On the home page of the Report Center site, in the Quick Launch, click Dashboards
to open a list of dashboards in the Reports Library page of the Report Center site.
3. On the Reports Library page, click the New menu, and then click Dashboard Page.
4. On the New Dashboard page, in the Page Name section, provide a name, title, and
description for the dashboard site.
5. In the Key Performance Indicator section, select Allow me to select an existing
KPI later.
Note:
Alternatively, you can select Create a KPI list for me automatically, and then
configure the KPI list later.
6. Click OK.
7. On the Dashboard page, in the Site Actions menu, click Edit Page.
8. For the Web Part Page zone in which you want to add a Web Part, click Add a Web
Part.
9. On the Add Web Parts Web page, in the Suggested Web Parts section, select the
check box for the type of Web Part you want to add, and then click Add.
10. To configure the Web Part, click the Edit menu, and then click Modify Shared Web
Part.
For more information about the configuration options for Business Data Web Parts, see Plan
business data Web Parts (http://technet.microsoft.com/en-us/library/cc261941.aspx).
Use the following procedure to configure filter Web Parts.
See Also
B. Configure business intelligence features
Plan business data lists (http://technet.microsoft.com/en-us/library/cc261850.aspx)
Plan business data Web Parts (http://technet.microsoft.com/en-us/library/cc261941.aspx)
Plan key performance indicators (http://technet.microsoft.com/en-us/library/cc263321.aspx)
Plan reports (http://technet.microsoft.com/en-us/library/cc263506.aspx)
Plan business data actions (http://technet.microsoft.com/en-us/library/cc262684.aspx)
Plan dashboards and filters (http://technet.microsoft.com/en-us/library/cc262682.aspx)
Configure business data search
In this section:
• Ensure availability of business data
• Configure and crawl business data content sources
• Configure and customize query options for business data
Administrators of the search service and administrators of individual site collections must
configure several options before business data is available in search results. To make business
data available for search, you should:
• Ensure that the data you want users to find is available in the Business Data Catalog,
and ensure that users have the intended permissions.
• Configure and crawl business data content sources.
• Configure and customize query options for business data.
Most of these tasks are performed by the administrator of the search shared service or by the
administrator of the Business Data Catalog. Some tasks are performed by site collection
administrators. Both shared services administrators and site collection administrators will help
plan search for business data.
line-of-business application, you must use the location of the copied data in the start address for
the business data content source.
Use the following procedure to configure business data content sources.
See Also
Configure access to business data
Register business applications in the Business Data Catalog
C. Configure Excel Services
Chapter overview: Configure Excel Services
Configure Excel Services in Microsoft Office SharePoint Server 2007 to centrally manage user
access to system resources and external databases. From the Central Administration Web
application in Microsoft Office SharePoint Server 2007, you can configure the SharePoint
document libraries, UNC paths, and HTTP Web sites from which Excel Calculation Services can
open workbooks.
You can also configure which external databases workbook authors are allowed to access. You
can configure restrictions on the use of data connections, single sign-on (SSO) authentication,
and the use of user-defined functions.
See Also
Plan Excel Services security (http://technet.microsoft.com/en-us/library/cc263086.aspx)
Add a trusted file location
In this section:
• About trusted file locations
• Add a trusted file location
8. In the External Data section, select the type of data connections that you will allow
workbooks in this trusted file location to contain, and then click OK.
In the External Data section, you can determine whether workbooks stored in trusted file
locations and opened in Excel Calculation Services sessions can access an external data source.
You can designate whether Allow External Data is set to None, Trusted data connection
libraries only, or Trusted data connection libraries and embedded.
If you select either Trusted data connection libraries only or Trusted data connection
libraries and embedded, the workbooks stored in the trusted file locations are allowed to access
external data sources. External data connections can be accessed only when they are embedded
in or linked from a workbook. Excel Calculation Services checks the list of trusted file locations
before opening a workbook. If you select None, Excel Calculation Services will block any attempt
to access an external data source. If you manage data connections for a large number of
workbook authors, you might want to select Trusted data connection libraries only.
For information about how to perform this procedure using the Stsadm command-line tool, see
Add-ecsfiletrustedlocation (http://technet.microsoft.com/en-us/library/cc262818.aspx).
See Also
Add a trusted data connection library
Start the Single Sign-On service
In this section:
• About single sign-on authentication
• Start the Single Sign-On service
Note:
Start the Single Sign-On service on all front-end Web servers and all application
servers in your farm that run Excel Calculation Services.
See Also
Manage settings for single sign-on
Manage settings for single sign-on
In this section:
• About single sign-on settings
• Manage single sign-on settings
See Also
Start the Single Sign-On service
Add a trusted data provider
In this section:
• About trusted data providers
• Add a trusted data provider
For information about how to perform this procedure using the Stsadm command-line
tool, see Add-ecssafedataprovider (http://technet.microsoft.com/en-us/library/cc263293.aspx).
See Also
Add a trusted data connection library
Add a trusted data connection library
In this section:
• About trusted data connection libraries
• Add a trusted data connection library
For information about how to perform this procedure by using the Stsadm command-line tool, see
Add-ecstrusteddataconnectionlibrary (http://technet.microsoft.com/en-us/library/cc261726.aspx).
See Also
Add a trusted file location
Enable user-defined functions
In this section:
• About user-defined functions
• Enable user-defined functions
• Enable user-defined functions for workbooks in a trusted file location
Excel Calculation Services application server (a local path), or to a network share (a
UNC path).
c. Ensure that the Enable Assembly check box is selected, and then click OK.
For information about how to perform this procedure using the Stsadm command-line
tool, see Add-ecsuserdefinedfunction (http://technet.microsoft.com/en-us/library/cc262904.aspx).
D. Configure InfoPath Forms Services
Configure InfoPath Forms Services for Office
SharePoint Server
InfoPath Forms Services provides you with the ability to deploy your organization's forms to
Microsoft Office SharePoint Server and enable users to fill out these forms using a Web browser.
There are many ways you can configure InfoPath Forms Services depending on the needs of
your organization. For example, by default, form templates deployed by non-administrators ("user
form templates") can be opened in a browser, but you can disable this feature so that only
administrator-approved templates are browser-enabled.
You should configure InfoPath Forms Services before you begin to deploy form templates in order
to avoid unexpected behavior.
Before you begin to configure InfoPath Forms Services, you should read the planning articles in
Plan Forms Services (http://technet.microsoft.com/en-us/library/cc262498.aspx) to ensure your
configuration choices are aligned with the needs of your organization.
specified.
a. In the Default data connection timeout box, enter the time in milliseconds that
will elapse before a data connection times out. The default timeout is 10000
milliseconds. You can override this setting with code within a form template that
specifies the data connection timeout value.
b. In the Maximum data connection timeout box, enter the maximum time in
milliseconds that will elapse before a data connection times out. The default timeout
is 20000 milliseconds. This is an absolute setting, and it overrides any data
connection timeout values specified within form template code.
6. In the Data Connection Response Size section, type a value in kilobytes in the box
to specify the maximum size of the responses that data connections are allowed to process.
Data connection responses that exceed this value will generate an error message.
7. In the HTTP data connections section, select the Require SSL for HTTP
authentication to data sources box to require an SSL-encrypted connection for data
connections that use Basic authentication or Digest authentication. You must have
configured Secure Sockets Layer (SSL) properly in order for this setting to function.
8. In the Embedded SQL Authentication section, select the Allow embedded SQL
authentication box to allow forms to use embedded SQL credentials. Forms that
connect to databases may embed SQL user name and password data in the connection
string. The connection string can be read in plaintext in the universal data connection file
associated with the solution, or in the solution manifest.
9. In the Authentication to data sources (user form templates) section, select the
Allow user form templates to use authentication information contained in data
connection files box to allow user form templates to use embedded authentication
information such as an explicit user name and password or a Microsoft Single Sign-On
application ID.
10. In the Cross-Domain Access for User Form Templates section, select the Allow
cross-domain data access for user form templates that use connection settings in
a data connection file box to allow user form templates to access data from another
domain.
11. In the Thresholds section, specify the thresholds at which to end user sessions and
log error messages. Form operations that exceed these thresholds will terminate the user
session, resulting in the loss of all form data entered during the session, and generate an
error message.
a. In the Number of postbacks per form session state box, type the maximum
number of postbacks you want to allow. The default value is 75.
b. In the Number of actions per postback box, type the maximum number of
actions per postback you want to allow. The default value is 200.
12. Before you configure form session state, you should read Configure session state for
InfoPath Forms Services. Correct configuration of form session state requires that you
understand how session state is configured for Office SharePoint Server, and it can
dramatically affect the behavior of InfoPath Forms Services operations and system
performance.
Form session state stores data necessary to maintain a user session. File attachment
data in the form will receive an additional 50 percent of session state space.
Note:
The default parameters should work for most scenarios. If you change the default
settings, verify that form-filling sessions are working properly.
13. In the Form Session State section, configure the following parameters:
a. In the Active sessions should be terminated after text box, type the maximum
session duration in minutes. Form-filling sessions that exceed this value will
terminate, an error message will be generated, and all form data entered during the
session will be lost. The default value is 1440 minutes.
b. In the Maximum size of form session state text box, type the maximum
session state size in kilobytes. Form-filling sessions that exceed this value will
terminate, an error message will be generated, and all form data entered during the
session will be lost. The default value is 4096 kilobytes.
c. In the Select the location to use for storing form session state section,
choose from the following options:
• Session State Service (best for low-bandwidth users): Store session state data on the
computer running Microsoft SQL Server.
• Form view (reduces database load on server): Store session state data on the client
computer. If form session state is larger than the value specified in the associated text
box, the Session State Service will be used instead.
d. In the associated text box, type the session state size in kilobytes at which form
view will be automatically transitioned to the Session State Service. Once this
threshold is reached, session state data will be saved to the SQL Server database,
and the session will continue to use the Session State Service. The default value is
40 kilobytes.
14. Click OK to save your settings.
See Also
Configure session state for InfoPath Forms Services
Configure session state for InfoPath Forms
Services
In this section:
• Configure session state for Forms Services
• Session state vs. Form view
InfoPath Forms Services uses session state to store the large amount of transient data generated
while filling out a form. As a result, front-end Web servers can remain stateless between round
trips, and each postback is not burdened with carrying large amounts of session state information
over narrow bandwidth pipes. Other methods of state management, such as in-process, are not
supported for farms with multiple front-end Web servers. Session state can only be used with
Web applications that are associated with a Shared Services Provider (SSP). For more
information about SSPs, see Plan Shared Services Providers (http://technet.microsoft.com/en-us/library/cc263276.aspx).
Note:
In order for the session state database to be properly maintained, the SQL Agent must be
turned on for the instance of Microsoft SQL Server where session data is stored. If the
SQL Agent is not turned on, expired sessions are not automatically expunged from the
session table and may eventually pose a storage problem.
Note:
If you are deploying Microsoft Office SharePoint Server 2007 with Microsoft SQL Server
2005 Express Edition, such as in a single-server deployment, expired sessions must be
expunged manually. SQL Server 2005 Express Edition does not include the SQL Agent,
and it cannot run automated stored procedures.
configure InfoPath Forms Services to use the Session State service, all browser sessions are
maintained on the SQL Server database, which uses little network bandwidth, but has a
cumulative performance impact on the computer running SQL Server. When you are using Form
view, sessions are maintained on the client browser, and all session data is included in each
postback to the server, up to 40 KB of session data. This approach uses more bandwidth than
using session state does, but it does not affect the performance of the computer running SQL
Server. Once session data reaches 40 KB in size, the session automatically transitions to
session-state management.
We recommend the use of Form view in environments with smaller groups of users, because it
reduces the impact on the computer running SQL Server. If your InfoPath Forms Services
deployment will have many users, particularly if session data is below 40 KB for many high-usage
form templates, session state is likely a better choice. If Form view is used, the bandwidth used
by browser sessions of 40 KB or fewer can be monitored if there is a concern that network
performance might be adversely affected.
See Also
Manage session state for Microsoft Office SharePoint Server 2007
(http://technet.microsoft.com/en-us/library/cc263527.aspx)
Configure InfoPath Forms Services for Office SharePoint Server
E. Configure Office Project Server
Deploy Project Server 2007 with Office
SharePoint Server 2007
Microsoft Office Project Server 2007 is the core of Microsoft Office Enterprise Project
Management (EPM) Solutions. The Microsoft Office Enterprise Project Management (EPM)
Solution allows you to effectively manage and prioritize projects and resources across your
organization. With it your teams can share knowledge, collaborate smoothly to complete tasks
and deliverables, and adjust activities quickly to accommodate project changes and updates. And
you can accurately assess your needs and effectively deploy resources across the organization.
For more information about Office Project Server 2007 and EPM Solutions, see What's new in
Office Project 2007 (http://technet.microsoft.com/en-us/library/cc197654.aspx).
Note:
Additional information can be found in the Microsoft Office Enterprise Project
Management Solution and Microsoft Office Project Server 2007 Product Guide
(http://www.microsoft.com/office/preview/solutions/epm/guide.mspx).
You can easily install and configure Office Project Server 2007 on an existing Office SharePoint
Server 2007 farm. For detailed information and procedures, see Deploy Project Server 2007 to an
existing deployment of Office SharePoint Server 2007 (http://technet.microsoft.com/en-
us/library/cc197558.aspx).
IV. Perform additional configuration tasks
Chapter overview: Additional configuration
tasks
After the initial installation and configuration of Microsoft Office SharePoint Server 2007, you can
configure several additional settings. The configuration of additional settings is optional, but many
key features are not available unless these settings are configured.
allow you to control whether documents are scanned on upload or on download, and whether
users can download infected documents. You can also specify how long you want the
antivirus program to run before it times out, and you can specify how many execution threads
the antivirus program can use on the server. For more information, see Configure antivirus
settings.
You can use the following procedure to configure optional administrative settings using
SharePoint Central Administration.
Configure incoming e-mail settings
In this section:
• Install and configure the SMTP service
• Configure Active Directory
• Configure permissions to the e-mail drop folder
• Configure DNS Manager
• Configure attachments from Outlook 2003
• Configure incoming e-mail settings
• Configure incoming e-mail on SharePoint sites
Use this procedure to configure the incoming e-mail settings for Microsoft Office SharePoint
Server 2007.
The features of Office SharePoint Server 2007 that use incoming e-mail are not available until
these settings are configured.
Before you configure incoming e-mail settings in Office SharePoint Server 2007, confirm that:
• You have read the topic Plan incoming e-mail (http://technet.microsoft.com/en-
us/library/cc263260.aspx).
• One or more servers in your server farm are running the Internet Information Services
(IIS) Simple Mail Transfer Protocol (SMTP) service, or you know the name of another server
that is running the SMTP service. This server must be configured to accept relayed e-mail
from the mail server for the domain.
• One or more servers in your server farm are running the Microsoft SharePoint Directory
Management Service, or you know the name of another server that is running the SharePoint
Directory Management Web Service.
• The application pool account for the SharePoint Central Administration Web site has the
Create, delete, and manage user accounts right to the container in the Active Directory
directory service.
• The application pool account for Central Administration, the logon account for the
Windows SharePoint Services Timer service, and the application pool accounts for your Web
applications have the correct permissions to the e-mail drop folder.
• The domain controller running Active Directory has a Mail Exchanger (MX) entry in DNS
Manager for the mail server that you plan to use for incoming e-mail.
Note:
All of these configuration steps are described in detail in the following sections.
Install and configure the SMTP service
Incoming e-mail for Office SharePoint Server 2007 uses the SMTP service. The SMTP service
can be either installed on one or more servers in the farm, or administrators can provide an e-mail
drop folder for e-mail forwarded from the service on another server. The drop folder option is not
recommended because administrators of the other server can affect the availability of incoming e-
mail by changing the configuration of SMTP, and because this requires the additional step of
configuring permissions to the e-mail drop folder.
If a drop folder is not used, the SMTP service must be installed on each server that is used to
receive and process incoming e-mail. Typically, this includes every front-end Web server in the
farm.
Important:
Membership in the Farm Administrators group of the Central Administration site is
required to complete this procedure.
Important:
Membership in the Administrators group on the local computer is required to complete
this procedure.
Important:
Membership in the Administrators group on the local computer is required to complete
this procedure.
c. Click OK to close the Computer dialog box.
10. Click OK to close the Relay Restrictions dialog box.
11. Click OK to close the Properties dialog box.
Important:
Membership in the Domain Administrators group or delegated authority for domain
administration is required to complete this procedure.
Create an organizational unit in Active Directory
1. Click Start, point to Control Panel, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. In Active Directory Users and Computers, right-click the folder for the second-level
domain that contains your server farm, point to New, and then click Organizational Unit.
3. Type the name of the organizational unit, and then click OK.
After creating the organization unit, we recommend that you delegate the Create, delete, and
manage user accounts right to the container.
Important:
Membership in the Domain Administrators group or the Enterprise Administrators group in
Active Directory, or delegated authority for administration, is required to complete this
procedure.
If you must add permissions for the application pool identity account directly, complete the
following procedure.
Important:
Membership in the Account Operators group, Domain Administrators group, or the
Enterprise Administrators group in Active Directory, or delegated authority for
administration, is required to complete this procedure.
Web application.
5. Click OK.
6. In the Permission Entries section, double-click the application pool identity account.
7. In the Permissions section, under Allow, select the Modify permissions check box.
8. Click OK to close the Permissions dialog box.
9. Click OK to close the Properties dialog box.
10. Click OK to close the Active Directory Users and Computers plug-in.
If you decide instead to use the remote Microsoft SharePoint Directory Management Service, you
must know the URL for the Web service. This URL is typically in the following format:
http://server:adminport/_vti_bin/SharePointEmailWS.asmx.
Note:
Before you delegate the following rights to the Central Administration application pool
account for the organizational unit, you must delegate rights to the application pool
account for the Web application. The procedures for delegating those rights are explained
in the previous section.
Administrators must delegate full control of the organizational unit to the Central Administration
application pool account. After this delegation is complete, administrators can enable incoming e-
mail.
Delegate full control of the organizational unit to the Central Administration application
pool account
1. Right-click the organizational unit, and then click Delegate control.
2. In the Delegation of Control wizard, click Next.
3. Click Add, and then type the name of the application pool account for Central
Administration.
4. Click OK.
5. Click Next.
6. On the Tasks to Delegate page of the Delegation of Control wizard, select Create a
custom task to delegate, and then click Next.
7. Select This folder, existing objects in this folder, and creation of new objects in
this folder, and then click Next.
8. In the Permissions section, select Create all Child Objects and Delete all Child
Objects.
9. Click Next.
10. On the last page of the Delegation of Control wizard, click Finish to exit the wizard.
Delegating full control of the organizational unit to the Central Administration application
pool account enables administrators to enable e-mail for a list. With only these permissions,
however, administrators cannot disable e-mail for a list or document library, because the
Central Administration account then tries to delete the contact from the entire organizational
unit rather than deleting the contact from the list. The Delete Subtree permission added in the
next procedure is what allows the contact to be removed.
Important:
Membership in the Account Operators group, Domain Administrators group, or the
Enterprise Administrators group in Active Directory, or delegated authority for
administration, is required to complete this procedure.
Add the Delete Subtree permission for the Central Administration application pool
account
1. In Active Directory Users and Computers, click the View menu, and then click
Advanced Features.
2. Right-click the organizational unit and then click Properties.
3. In the Properties dialog box, click the Security tab, and then click Advanced.
4. In the Permission Entries section, double-click the Central Administration
application pool account.
5. In the Permissions section, under Allow, select Delete Subtree.
6. Click OK to close the Permissions dialog box.
7. Click OK to close the Properties dialog box.
8. Click OK to close the Active Directory Users and Computers plug-in.
After adding the permission, you must restart Internet Information Services (IIS) for the farm.
For more information about Active Directory, see the Help documentation for Active Directory.
Important:
Membership in the Administrators group on the local computer that contains the e-mail
drop folder is required to complete this procedure.
Note:
This account is listed on the Log On tab of the Properties dialog box for the
service in the Services console.
4. In the Permissions for User or Group box, next to Modify, select the Allow check
box.
5. Click OK.
• WSS_Admin_WPG, which includes the application pool account for Central
Administration and the logon account for the Windows SharePoint Services Timer service,
has Full Control permission.
• WSS_WPG, which includes the application pool accounts for Web applications, has
Read & Execute, List Folder Contents, and Read permissions.
In some cases, these groups might not be configured automatically for the e-mail drop folder. For
example, if Central Administration is running as the Network Service account, the groups or
accounts needed for incoming e-mail will not be added when the e-mail drop folder is created. It
is a good idea to check whether these groups have been added automatically to the e-mail drop
folder. If the groups have not been added automatically, you can add them or add the specific
accounts that are required.
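The checks that the two preceding procedures call for, delegated rights on the organizational unit and the drop folder ACL, can be scripted so that they are verified before incoming e-mail is enabled in Central Administration. The following Windows PowerShell script is an added example and is not the guide's own procedure; the OU distinguished name, the Central Administration application pool account and the drop folder path are placeholders. WSS_ADMIN_WPG and WSS_WPG are the local groups the guide names.

```powershell
# Added example, not from the Microsoft guide: verify the permissions that incoming
# e-mail depends on. Placeholders (assumptions): the OU path, the Central Administration
# application pool account, and the drop folder path.
$ouPath        = 'LDAP://OU=SharePointContacts,DC=fabrikam,DC=com'
$caPoolAccount = 'FABRIKAM\svc-spcentraladmin'
$dropFolder    = 'C:\inetpub\mailroot\Drop'

function Test-OuDelegation {
    param([string]$OuPath, [string]$Account)
    $ou = [ADSI]$OuPath
    # Only Allow ACEs that apply to all object classes (ObjectType = empty GUID)
    # correspond to "Create all Child Objects" / "Delete all Child Objects".
    $rules = $ou.psbase.ObjectSecurity.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Account -and
        $_.ObjectType -eq [Guid]::Empty
    }
    $granted = 0
    foreach ($rule in $rules) { $granted = $granted -bor [int]$rule.ActiveDirectoryRights }
    # CreateChild/DeleteChild let the account enable e-mail for a list;
    # DeleteTree is what lets it disable e-mail again.
    $missing = @()
    foreach ($name in 'CreateChild', 'DeleteChild', 'DeleteTree') {
        $flag = [int]([System.DirectoryServices.ActiveDirectoryRights]$name)
        if (($granted -band $flag) -ne $flag) { $missing += $name }
    }
    return ,$missing
}

function Test-DropFolderAcl {
    param([string]$Path)
    # Full Control for WSS_ADMIN_WPG (Central Administration pool + Timer service);
    # Read & Execute (which includes List Folder Contents and Read) for WSS_WPG.
    $expected = @{
        'WSS_ADMIN_WPG' = [System.Security.AccessControl.FileSystemRights]::FullControl
        'WSS_WPG'       = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    }
    $acl = Get-Acl -Path $Path
    $missing = @()
    foreach ($group in $expected.Keys) {
        $need = [int]$expected[$group]
        $have = 0
        $rules = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -like "*\$group"
        }
        # Generic (non-specific) rights do not map onto these flags and are ignored.
        foreach ($rule in $rules) { $have = $have -bor [int]$rule.FileSystemRights }
        if (($have -band $need) -ne $need) { $missing += $group }
    }
    return ,$missing
}

$ouMissing   = Test-OuDelegation -OuPath $ouPath -Account $caPoolAccount
$dropMissing = Test-DropFolderAcl -Path $dropFolder
if ($ouMissing.Count -gt 0) {
    Write-Warning ("{0} lacks {1} on {2}" -f $caPoolAccount, ($ouMissing -join ', '), $ouPath)
}
if ($dropMissing.Count -gt 0) {
    Write-Warning ("{0} has no matching Allow ACE for: {1}" -f $dropFolder, ($dropMissing -join ', '))
}
if ($ouMissing.Count -eq 0 -and $dropMissing.Count -eq 0) {
    Write-Output 'Incoming e-mail permission checks passed.'
}
```

Run the script on the server that holds the drop folder, as an account that can read the folder's ACL and the OU's security descriptor. If Central Administration runs as Network Service, the warnings from Test-DropFolderAcl are expected until the groups or accounts have been added by hand.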
Important:
Membership in the Administrators group on the local computer that contains the e-mail
drop folder is required to complete this procedure.
Note:
This account is listed on the Identity tab of the Properties dialog box for the
application pool in IIS.
4. In the Permissions for User or Group box, next to Modify, select the Allow check
box.
5. Click OK.
Important:
Membership in the Administrators group on the local computer is required to complete
this procedure.
subdomain for Office SharePoint Server 2007.
2. Right-click the zone, and then click New Mail Exchanger.
3. In the Host or domain text box, type the host or subdomain name for Office
SharePoint Server 2007.
4. In the Fully qualified domain name (FQDN) of mail server text box, type the fully
qualified domain name for the server that is running Office SharePoint Server 2007. This
is typically in the format subdomain.domain.com.
5. Click OK.
Important:
Membership in the Administrators group of the Central Administration site is required to
complete this procedure.
OU=ContainerName, DC=domain, DC=com, where ContainerName is the name of
the organizational unit in Active Directory, domain is the second-level domain, and
com is the top-level domain.
Note:
The Central Administration application pool account must be delegated the
Create, delete, and manage user accounts task for the container. Access
is configured in the properties for the organizational unit in Active Directory.
b. In the SMTP mail server for incoming mail box, type the name of the SMTP
mail server. The server name must match the fully qualified domain name in the MX
entry for the mail server in DNS Manager.
c. To accept only messages from authenticated users, click Yes for Accept
messages from authenticated users only. Otherwise, click No.
d. To allow creation of distribution groups from SharePoint sites, click Yes for Allow
creation of distribution groups from SharePoint sites. Otherwise, click No.
e. Under Distribution group request approval settings, select the actions that
will require approval. Actions include the following:
• Create new distribution group
• Change distribution group e-mail address
• Change distribution group title and description
• Delete distribution group
6. If you want to use a remote SharePoint Directory Management Web Service, select
Use remote.
a. In the Directory Management Service URL box, type the URL of the Microsoft
SharePoint Directory Management Service that you want to use.
b. In the SMTP mail server for incoming mail box, type the name of the SMTP
mail server. The server name must match the fully qualified domain name in the MX
entry for the mail server in DNS Manager on the domain server.
c. To accept messages from authenticated users only, click Yes for Accept
messages from authenticated users only. Otherwise, click No.
d. To allow creation of distribution groups from SharePoint sites, click Yes for Allow
creation of distribution groups from SharePoint sites. Otherwise, click No.
7. If you do not want to use the Microsoft SharePoint Directory Management Service,
click No.
8. In the Incoming E-Mail Server Display Address section, type a display name for
the e-mail server (for example, mail.fabrikam.com) in the E-mail server display address
box.
Tip:
You can specify the e-mail server address that is displayed when users create an
incoming e-mail address for a list or group. Use this setting together with the
Microsoft SharePoint Directory Management Service to provide an e-mail server
address that is more user-friendly.
9. In the Safe E-Mail Servers section, select one of the following options:
• Accept mail from all e-mail servers. With this option, any host that can deliver
to the SMTP service can submit messages to e-mail-enabled lists.
• Accept mail from these safe e-mail servers. If you select this option, type the
IP addresses (one per line) of the e-mail servers that you want to specify as safe in
the corresponding box. Where possible, list only your organization's own mail servers.
10. In the E-mail Drop Folder section, in the E-mail drop folder box, type the name of
the folder in which Microsoft Windows SharePoint Services polls for incoming e-mail from
the SMTP service.
This option is available only if you selected advanced mode.
11. Click OK.
See Also
Plan incoming e-mail (http://technet.microsoft.com/en-us/library/cc263260.aspx)
Demo: Configure a SharePoint Server 2007 site to receive e-mail (http://office.microsoft.com/en-
us/sharepointserver/HA102047921033.aspx)
Configure outgoing e-mail settings
In this section:
• Install and configure the SMTP service
• Configure outgoing e-mail settings
Use this procedure to configure the default outgoing e-mail settings for all Web applications. You
can override the default outgoing e-mail settings for specific Web applications by using the
procedure that is described in Configure outgoing e-mail settings for a specific Web application.
Important:
Membership in the Administrators group on the local computer is required to complete
this procedure.
Windows Components Wizard page, click Finish.
Important:
Membership in the Administrators group on the local computer is required to complete
this procedure.
Configure outgoing e-mail settings
Important:
Membership in the Farm Administrators group of the Central Administration site is
required to complete this procedure.
See Also
Plan outgoing e-mail (http://technet.microsoft.com/en-us/library/cc262844.aspx)
Configure outgoing e-mail settings for a
specific Web application
In this section:
• Install and configure the SMTP service
• Configure outgoing e-mail settings
Use this procedure to configure the outgoing e-mail settings for a specific Web application. Before
using this procedure, you must first configure the default outgoing e-mail settings for all Web
applications by using the procedure described in Configure outgoing e-mail settings.
Important:
Membership in the Administrators group on the local computer is required to complete
this procedure.
8. Click Next.
9. When Windows has finished installing the SMTP service, on the Completing the
Windows Components Wizard page, click Finish.
Important:
Membership in the Administrators group on the local computer is required to complete
this procedure.
10. Click OK to close the Relay Restrictions dialog box.
11. Click OK to close the Properties dialog box.
See Also
Plan outgoing e-mail (http://technet.microsoft.com/en-us/library/cc262844.aspx)
Configure workflow settings
Use this procedure to configure the workflow settings for Microsoft Office SharePoint Server
2007.
Workflow settings are configured at the Web application level, enabling you to configure different
settings for different Web applications. When you configure workflow settings, you must first
select the Web application to configure.
Site administrators can create workflows from the Site Settings page for the site or site collection.
By default, end users can create their own workflows by using code already deployed by an
administrator. You can also choose to limit workflow creation to site administrators.
By default, workflows can include users who do not have site access. Users without site access
who attempt to complete the task assigned to them will be directed to the Error: Access Denied
page, where they can request access to the site. If you do not enable alerts for internal users
without site access, workflows that include those users will not generate alerts for those users.
By default, external users cannot participate in workflows, and external users included in
workflows will not be alerted. You can choose to allow external users to participate in workflows
by sending copies of documents to those users by e-mail. Because the e-mailed copy bypasses
the permissions on the document, enable this only where your policy allows document content
to leave the site.
be sent an e-mail alert when a task is assigned to them, select No.
6. Under Allow external users to participate in workflow by sending them a copy
of the document, select Yes if you want documents to be sent to external users by e-
mail when those users are part of the workflow but they do not have access permissions
to the documents. If you do not want documents to be sent to external users who do not
have access permissions, select No.
Note:
If the object in the workflow is not a document but a list item, the list item
properties are displayed in a table as part of the e-mail message.
7. Click OK.
For information about how to perform this procedure using the Stsadm command-line
tool, see Workflow management: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc263153.aspx).
Configure diagnostic logging settings
In this section:
• Customer Experience Improvement Program
• Error reports
• Event throttling
• Configuring diagnostic logging settings
Use this procedure to configure the diagnostic logging settings for Microsoft Office SharePoint
Server 2007.
You can configure how diagnostic events are logged according to their criticality. Additionally, you
can set the maximum number of log files that can be maintained, and you can set how long to
capture events to a single log file.
You can also indicate whether or not to provide Microsoft with continuous improvement and Dr.
Watson event data.
Error reports
Error reports are created when your system encounters hardware or software problems. Microsoft
and its partners actively use these reports to improve the reliability of your software. Error reports
include the following: information regarding the condition of the server when the problem occurs;
the operating system version and computer hardware in use; and the Digital Product ID, which
can be used to identify your license. The IP address of your computer is also sent because you
are connecting to an online service to send error reports; however, the IP address is used only to
generate aggregate statistics.
Microsoft does not intentionally collect any personal information. However, error reports could
contain data from log files, such as user names, IP addresses, URLs, file or path names, and e-
mail addresses. Although this information, if present, could potentially be used to determine your
identity, the information will not be used in this way. The data that Microsoft collects will be used
only to fix problems and to improve software and services. Error reports will be sent by using
encryption technology to a database with limited access, and will not be used for marketing
purposes.
For more information, see the Microsoft Error Reporting Service privacy statement
(http://go.microsoft.com/fwlink/?LinkId=85028&clcid=0x409).
If you want to provide error reports to Microsoft and its partners, select the option to collect error
reports. Base your decision on your organization's policies about sharing the information
collected by error reports, and the potential impact of error collection on users and administrators.
Two options are available for error reports:
• You can choose to periodically download a file from Microsoft that can help identify
system problems based on the error reports that you provide to Microsoft.
• You can change the error collection policy to silently send all reports. This changes the
computer's error reporting behavior to automatically send reports to Microsoft without
prompting users when they log on.
Event throttling
You can configure the diagnostic options for event logging. Events can be logged in either the
Windows® event log or the trace log. You can configure event throttling settings to control how
many events are recorded in each log, according to the criticality of the events. To provide more
control in event throttling, you can decide to throttle events for all events, or for any single
category of events. Several categories of events are available, based on different services and
features of SharePoint Products and Technologies.
Categories of events can be defined by individual services or by groupings of related events.
Selected event categories include:
• All
• Categories defined by product, such as Office SharePoint Server 2007 and Microsoft
Office Project Server 2007
• Administrative functions such as Administration, Backup and Recovery, Content
Deployment, and Setup and Upgrade
• Feature areas such as Document Management, E-Mail, Forms Services, Information
Policy Management, Information Rights Management, Publishing, Records Center, Site
Directory, Site Management, User Profiles, and Workflow
• SharePoint Services and other services such as the Load Balancer Service
• Shared services such as all Office Server Shared Services, Business Data, and Excel
Calculation Services
For the selected category, select the least-critical event to record, for both the Windows event log
and the trace log. Events that are equally critical to or more critical than the selected event will be
recorded in each log. The list entries are sorted in order from most-critical to least-critical.
The levels of events for the Windows event log include:
• None
• Error
• Warning
• Audit Failure
• Audit Success
• Information
The levels of events for the trace log include:
• None
• Unexpected
• Monitorable
• High
• Medium
• Verbose
For more information about the Windows event log or the trace log, see the Windows
documentation.
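Throttling levels are easier to set well once you know which categories are actually producing critical entries. The following Windows PowerShell script is an added example and not part of the Microsoft guide: it reads trace-log entries, keeps those at or above a chosen level using the trace-log ordering listed above, and summarises them per category. The sample lines are constructed for this example; they follow the tab-separated layout of the Office SharePoint Server 2007 trace log (Timestamp, Process, TID, Area, Category, EventID, Level, Message), and the log path shown in the usage note is a placeholder.

```powershell
# Added example, not from the Microsoft guide: summarise the most critical trace-log
# entries per category. The sample lines below are constructed; '|' is replaced by a
# tab to reproduce the trace log's tab-separated layout without relying on literal tabs.
$sampleLines = @(
    'Timestamp|Process|TID|Area|Category|EventID|Level|Message',
    '03/12/2009 09:14:02.11|w3wp.exe (0x0D54)|0x1A3C|Windows SharePoint Services|E-Mail|6871|Unexpected|The Incoming E-Mail service has completed a batch. Errors: 1.',
    '03/12/2009 09:14:05.34|OWSTIMER.EXE (0x0B10)|0x0F22|Office Server|Setup and Upgrade|4f3e|Medium|Timer job completed.',
    '03/12/2009 09:14:07.90|w3wp.exe (0x0D54)|0x1A3C|Windows SharePoint Services|E-Mail|6872|Monitorable|The drop folder could not be accessed.',
    '03/12/2009 09:14:09.01|w3wp.exe (0x0D54)|0x2210|Office Server|Forms Services|5567|High|Session state is unavailable.',
    '03/12/2009 09:14:11.57|w3wp.exe (0x0D54)|0x1A3C|Office Server|Forms Services|5569|Verbose|Form session created.'
) | ForEach-Object { $_ -replace '\|', "`t" }

# Trace-log levels, most critical first (the same order as the throttling menu).
$traceRank = @{ 'Unexpected' = 1; 'Monitorable' = 2; 'High' = 3; 'Medium' = 4; 'Verbose' = 5 }

function Get-TraceSummary {
    param([object[]]$Entries, [string]$LeastCritical = 'High')
    $cutoff = $traceRank[$LeastCritical]
    $Entries |
        # Real log fields are padded with spaces; trim before comparing.
        ForEach-Object { $_.Level = $_.Level.Trim(); $_.Category = $_.Category.Trim(); $_ } |
        Where-Object { $traceRank.ContainsKey($_.Level) -and $traceRank[$_.Level] -le $cutoff } |
        Group-Object -Property Category |
        ForEach-Object {
            New-Object PSObject -Property @{
                Category = $_.Name
                Count    = $_.Count
                Worst    = ($_.Group | Sort-Object { $traceRank[$_.Level] } | Select-Object -First 1).Level
            }
        } |
        Sort-Object -Property Count -Descending
}

# Parse the constructed sample; for a real file use
#   Import-Csv -Path <trace log> -Delimiter "`t"
$entries = $sampleLines | ConvertFrom-Csv -Delimiter "`t"
Get-TraceSummary -Entries $entries -LeastCritical 'High' |
    Format-Table -Property Category, Count, Worst -AutoSize
```

For the constructed input, the summary lists E-Mail (2 entries, worst Unexpected) and Forms Services (1 entry, worst High); the Medium and Verbose lines fall below the cutoff. Point the Import-Csv call at a file in the trace-log Path configured in step 6, for example C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\LOGS\SERVER-20090312-0914.log (placeholder name), and lower the LeastCritical value to Medium or Verbose when chasing a specific problem.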
5. In the Event Throttling section, in the Select a category menu, select a category of
events:
a. In the Least critical event to report to the event log menu, select the least-
critical event to report to the event log for the selected category.
b. In the Least critical event to report to the trace log menu, select the least-
critical event to report to the trace log for the selected category.
6. In the Trace Log section, in the Path text box, type the local path to use for the trace
log on all servers in the farm. The location must exist on all servers in the farm.
a. In the Number of log files text box, type the maximum number of files that you
want to maintain.
b. In the Number of minutes to use a log file text box, type the number of minutes
to use each log file.
7. Click OK.
For information about how to perform this procedure using the Stsadm command-line tool, see
Setlogginglevels (http://technet.microsoft.com/en-us/library/cc261740.aspx) and Listlogginglevels
(http://technet.microsoft.com/en-us/library/cc262133.aspx).
Configure single sign-on
Single sign-on (SSO) is a Microsoft Office SharePoint Server feature that provides storage and
mapping of credentials such as account names and passwords. Using SSO, portal site–based
applications can retrieve information from third-party applications and back-end systems such as
Enterprise Resource Planning (ERP) and Customer Relations Management (CRM) systems.
The use of single sign-on functionality enables users to authenticate only once when they access
portal site–based applications that need to obtain information from other business applications
and systems.
Configuring single sign-on consists of five tasks:
• Configure and start the Microsoft Single Sign-On service
• Configure Single Sign-On for Office SharePoint Server 2007
• Manage the encryption key
• Manage enterprise application definitions
• Manage account information for an enterprise application definition
Note that you must be logged into the SharePoint Central Administration Web site on a farm
server to configure single sign-on (SSO) for Office SharePoint Server 2007. If you attempt to
configure SSO on a workstation or any computer that is not a farm server, you will see an error
message that reads "Single sign-on cannot be configured from this server. To configure single
sign-on, go to the computer running the single sign-on service and specify these settings locally."
Follow the procedures in the sections that follow to configure SSO for your Office SharePoint
Server 2007 environment.
• Must be a member of the securityadmin and dbcreator fixed server roles on the instance
of Microsoft SQL Server that hosts the single sign-on database.
• Must be either the same as the single sign-on administrator account, or a member of the
group account that is the single sign-on administrator account.
Note:
You must open Central Administration on the computer that runs Office SharePoint
Server 2007 to manage server settings for single sign-on.
Note:
The single sign-on administrator account specifies the set of people who can
create, delete, or modify application definitions. The administrator account can
also back up the encryption key.
The user or group that you specify as the single sign-on administrator must be all of the
following:
• Either a Windows global group or an individual user account. This account
cannot be a domain local group account or a distribution list.
• The same account as the single sign-on service account, if a user is specified. If
a group is specified, the single sign-on service account must be a member of that
group.
• The same as the configuration account for single sign-on, if a user is specified. If
a group is specified, the configuration account for single sign-on must be a member
of that group.
• A member of the Farm Administrators group on Central Administration.
If a group is specified, all users who are added to the group for the purpose of
administering single sign-on must be members of the local Administrators group on the
encryption-key server. Do not make this account a member of the local Administrators
group on the encryption-key server.
5. In the Enterprise Application Definition Administrator Account section, in the
Account name box, type the account name of the group or user who can set up and
manage enterprise application definitions. Type the name by using the form
domain\group or domain\username.
The enterprise application definition administrator account can manage credentials of an
enterprise application definition, including changing the password of a group enterprise
application definition and changing or deleting credentials for an individual enterprise
application definition.
The user or group that you specify must be the following:
• Either a Windows global group or an individual user account. This account
cannot be a domain local group account or a distribution list.
• A member of the Reader SharePoint group on Central Administration.
6. In the Database Settings section, in the Server name box, type the NetBIOS name
of the single sign-on database server (for example, computer_name or
computer_name\SQL_Server_instance). Do not type the fully qualified domain name.
7. In the Database name box, type the name of the single sign-on database.
Note:
Unless you are pre-creating databases, we recommend that you keep the default
database server name and the default single sign-on database name.
8. In the Time Out Settings section, in the Ticket time out (in minutes) box, type a
value for how many minutes passes before a single sign-on ticket expires. The time-out
should be long enough to last between the time that the ticket is issued and the time that
the enterprise application redeems the ticket. Two minutes is the recommended value.
9. In the Delete audit log records older than (in days) box, type a value for how many
days the audit log holds records before deleting them.
10. Click OK.
Note:
You must open Central Administration on the computer that runs Office SharePoint
Server 2007 to manage the encryption key.
From the Manage Encryption Key page, you can perform three management tasks:
• Create a new encryption key
• Back up an encryption key
• Restore an encryption key
1. On the Manage Encryption Key page, in the Encryption Key section, click Create
Encryption Key.
2. On the Create Encryption Key page, select the Re-encrypt all credentials by using
the new encryption key check box.
Important:
If you do not re-encrypt the existing credentials with the new encryption key,
users must retype their credentials for individual application definitions, and
administrators must retype group credentials for group application definitions.
3. Click OK.
1. On the Manage Encryption Key page, in the Drive list in the Encryption Key
Backup section, click the removable media drive on which you want to store the
encryption-key backup.
2. Click Back Up.
1. On the Manage Encryption Key page, in the Drive list in the Encryption Key
Restore section, click the removable media drive from which you want to restore the
encryption-key backup.
2. Click Restore.
302
Manage account information for an enterprise
application definition
If you are using a group to connect to the enterprise application, you need to provide account
credentials for the group to use. If individual users are connecting directly to the enterprise
application, you can preset or reset user passwords, or you can delete users from the enterprise
application definition.
Option: Delete stored credentials for this account from this enterprise application definition
Purpose: Delete the credentials currently used to connect to the enterprise application.
Option: Delete stored credentials for this account from all enterprise application definitions
Purpose: Delete the credentials currently used to connect the selected enterprise application
from all enterprise application definitions. Deleting stored credentials deletes credentials only
for individual accounts; it does not delete credentials for group accounts.
Configure antivirus settings
Use this procedure to configure the antivirus settings for Microsoft Office SharePoint Server 2007.
You can activate antivirus measures only after installing a compatible antivirus scanner. In a
server farm, you must install antivirus software on every front-end Web server in the server farm.
You can configure four antivirus settings:
• Scan documents on upload Select this setting to scan uploaded documents. This
helps prevent users with infected documents from distributing them to other users.
• Scan documents on download Select this setting to scan downloaded documents.
This helps prevent users from downloading infected documents by warning them about
infected files. Users can still choose to download an infected file only if the option to allow
users to download infected documents is also selected.
• Allow users to download infected documents If this option is selected, users can
download infected documents. In most cases, do not select this option. Unless you have a
specific reason to download infected documents, such as troubleshooting a virus infection on
your system, do not select this option.
• Attempt to clean infected documents Select this setting to automatically clean
infected documents that were discovered during scanning.
Administrative credentials
Membership in the Administrators group of the Central Administration site is required to complete
this procedure.
For information about how to perform this procedure using the Stsadm command-line tool, see
Antivirus: Stsadm properties (http://technet.microsoft.com/en-us/library/cc261683.aspx).
Configure authentication
In this section:
• Configure anonymous access
• Configure digest authentication
• Configure forms-based authentication
• Configure Web SSO authentication by using ADFS
• Configure Kerberos authentication
Authentication is the process of validating client identity, usually by means of a designated
authority. Web site authentication helps establish that a user who is trying to access Web site
resources can be verified as an authenticated entity. An authentication application obtains
credentials from a user who is requesting Web site access. Credentials can be various forms of
identification, such as user name and password. The authentication application tries to validate
the credentials against an authentication authority. If the credentials are valid, the user who
submitted the credentials is considered to be an authenticated identity.
• Forms authentication provider
• Web SSO authentication provider
You can use the Active Directory directory service for authentication, or you can design your
environment to validate user credentials against other data stores, such as a Microsoft SQL
Server database, a lightweight directory access protocol (LDAP) directory, or any other directory
that has an ASP.NET 2.0 membership provider. The membership provider specifies the type of
data store you are going to use. The default ASP.NET 2.0 membership provider uses a SQL
Server database. Office SharePoint Server 2007 includes an LDAP v3 membership provider, and
ASP.NET 2.0 includes a SQL Server membership provider.
You can also deploy multiple authentication providers to enable, for example, intranet access by
using Windows authentication and external access by using forms authentication. Using multiple
authentication providers requires the use of multiple Web applications. Each Web application
must have a designated zone and a single authentication provider.
The authentication providers are used to authenticate against user and group credentials that are
stored in Active Directory, in a SQL Server database, or in a non-Active Directory LDAP directory
service (such as NDS). For more information about ASP.NET membership providers, see
Configuring an ASP.NET Application to Use Membership (http://go.microsoft.com/fwlink/?
LinkId=87014&clcid=0x409).
• Digest authentication
Digest authentication provides the same functionality as basic authentication, but with
increased security. User credentials are encrypted instead of being sent over the network in
plaintext. User credentials are sent as an MD5 message digest in which the original user
name and password cannot be deciphered. Digest authentication uses a challenge/response
protocol that requires the authentication requestor to present valid credentials in response to
a challenge from the server. To authenticate against the server, the client has to supply an
MD5 message digest in a response that contains a shared secret password string. The MD5
Message-Digest Algorithm is described in detail in Internet Engineering Task Force (IETF)
RFC 1321 (http://www.ietf.org).
To use digest authentication, note the following requirements:
• The user and IIS server must be members of, or trusted by, the same domain.
• Users must have a valid Windows user account stored in Active Directory on the
domain controller.
• The domain must use a Microsoft Windows Server 2003 domain controller.
• You must install the IISSuba.dll file on the domain controller. This file is copied
automatically during Windows Server 2003 Setup.
• Integrated Windows authentication
Integrated Windows authentication can be implemented using either NTLM or constrained
Kerberos delegation. Constrained Kerberos delegation is the most secure authentication
method. Integrated Windows authentication works well in an intranet environment where
users have Windows domain accounts. In Integrated Windows authentication, the browser
attempts to use the current user's credentials from a domain logon, and if the attempt is
unsuccessful, the user is prompted to enter a user name and password. If you use Integrated
Windows authentication, the user's password is not transmitted to the server. If the user has
logged on to the local computer as a domain user, the user does not have to authenticate
again when the user accesses a network computer in that domain.
• Kerberos authentication
This method is for servers that are running Active Directory on Microsoft Windows 2000
Server and more recent versions of Windows. Kerberos is a secure protocol that supports
ticketing authentication. A Kerberos authentication server grants a ticket in response to a
client computer authentication request that contains valid user credentials. The client
computer then uses the ticket to access network resources. To enable Kerberos
authentication, the client and server computers must have a trusted connection to the domain
Key Distribution Center (KDC). The client and server computers must also be able to access
Active Directory. For more information about configuring a virtual server to use Kerberos
authentication, see Microsoft Knowledge Base article 832769: How to configure a Windows
SharePoint Services virtual server to use Kerberos authentication and how to switch from
Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?
LinkId=115572&clcid=0x409).
• Constrained Kerberos delegation
Constrained Kerberos delegation is the most secure configuration for communication between
multiple application tiers. You can use constrained delegation to pass the original caller's
identity through multiple application tiers: for example, from a Web server to an application
server to a database server. Constrained Kerberos delegation is also the most secure
configuration for accessing back-end data sources from application servers. Impersonation
enables a thread to run in a security context other than the context of the process that owns
the thread. In most server farm deployments in which front-end Web servers and application
servers run on different computers, impersonation will require constrained Kerberos
delegation.
• Impersonation and Kerberos delegation
Kerberos delegation enables an authenticated entity to impersonate the credentials of a user
or computer within the same forest. When impersonation is enabled, the impersonating entity
is allowed to use credentials for performing tasks on behalf of the impersonated user or
computer.
During impersonation, ASP.NET applications can run by using the credentials of another
authenticated entity. By default, ASP.NET impersonation is disabled. If impersonation is
enabled for an ASP.NET application, then that application runs using the credentials of the
access token IIS passes to ASP.NET. That token can be either an authenticated user token,
such as a token for a logged-in Windows user, or the token that IIS provides for anonymous
users (typically, the IUSR_computername identity).
When impersonation is enabled, only your application code runs under the context of the
impersonated user. Applications are compiled and configuration information is loaded by
using the identity of the ASP.NET process.
For more information about impersonation, see ASP.NET Impersonation
(http://go.microsoft.com/fwlink/?LinkId=115573&clcid=0x409).
• NTLM authentication
This method is for Windows servers that are not running Active Directory on a domain
controller. NTLM authentication is required in networks where the server receives
authentication requests from client computers that do not support Kerberos authentication.
NTLM is a secure protocol that supports user credential encryption and transmission over a
network. NTLM is based on encrypting user names and passwords before sending them over
the network. NTLM is the authentication protocol that is used in Windows NT Server and in
Windows 2000 Server workgroup environments, and in many Active Directory deployments.
NTLM is used in mixed Windows 2000 Active Directory domain environments that must
authenticate Windows NT systems. When Windows 2000 Server is converted to native mode
where no down-level Windows NT domain controllers exist, NTLM is disabled. Kerberos then
becomes the default authentication protocol for the enterprise.
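The digest challenge/response exchange described under "Digest authentication" above, worked through on both sides as an added example (this is not code from the guide or from Microsoft). The client computes the MD5 digest that proves it knows the password without sending the password; the server recomputes the digest from its own stored copy of HA1, accepts only nonces it issued, and requires the nonce count to advance so that a captured Authorization header cannot be replayed. The user name, realm, nonce, client nonce and URI are the RFC 2617 section 3.5 test vector, used here as constructed sample data rather than a real account:

```python
"""HTTP Digest authentication (RFC 2617; MD5 from RFC 1321) on both sides of the exchange.

Added example, not part of the Office SharePoint Server 2007 guide. The sample values
below are the RFC 2617 section 3.5 test vector (constructed data, not a real account).
"""
import hashlib
import hmac
import re

SAMPLE_REALM = "testrealm@host.com"
SAMPLE_USER = "Mufasa"
SAMPLE_PASSWORD = "Circle Of Life"
SAMPLE_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
SAMPLE_CNONCE = "0a4f113b"
SAMPLE_URI = "/dir/index.html"


def md5_hex(text):
    """Lowercase hex MD5 of a UTF-8 string; MD5 is the digest RFC 2617 specifies."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """MD5(username:realm:password): the only value derived from the password.
    The server keeps this per user; the clear-text password never crosses the wire."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), where HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, realm, password, method, uri, nonce, nc, cnonce):
    """Browser side: answer a 'WWW-Authenticate: Digest' challenge with an Authorization header."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_authorization(header):
    """Split 'Digest k="v", k2=v2, ...' into a dict (quoted and bare values alike)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    return {key: quoted or bare for key, quoted, bare in _PARAM.findall(header[7:])}


class DigestServer:
    """Server side. Stores HA1 per user instead of the password, accepts only nonces it
    issued, requires the nonce count to increase (anti-replay) and compares in constant time."""

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1_by_user = {u: ha1(u, realm, pw) for u, pw in users.items()}
        self.nonces = {}  # nonce issued -> highest nc accepted so far

    def challenge(self, nonce):
        """Issue the WWW-Authenticate header that accompanies the 401 response."""
        self.nonces.setdefault(nonce, 0)
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, method, request_uri, header):
        """True only if the header proves knowledge of the password for this request."""
        try:
            p = parse_authorization(header)
            nc = int(p["nc"], 16)
        except (ValueError, KeyError):
            return False
        needed = ("username", "realm", "nonce", "uri", "cnonce", "response")
        if any(k not in p for k in needed) or p.get("qop", "auth") != "auth":
            return False
        if p["realm"] != self.realm or p["uri"] != request_uri:
            return False
        if p["nonce"] not in self.nonces:
            return False  # stale or never-issued nonce
        if nc <= self.nonces[p["nonce"]]:
            return False  # nonce count did not advance: a replayed header
        # Unknown users get a dummy HA1 so response timing does not reveal valid names.
        stored = self.ha1_by_user.get(p["username"], "0" * 32)
        expected = digest_response(stored, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
        if not hmac.compare_digest(expected, p["response"]):
            return False
        self.nonces[p["nonce"]] = nc
        return True


if __name__ == "__main__":
    server = DigestServer(SAMPLE_REALM, {SAMPLE_USER: SAMPLE_PASSWORD})
    print("401 WWW-Authenticate:", server.challenge(SAMPLE_NONCE))
    auth = client_authorization(SAMPLE_USER, SAMPLE_REALM, SAMPLE_PASSWORD,
                                "GET", SAMPLE_URI, SAMPLE_NONCE, "00000001", SAMPLE_CNONCE)
    print("GET Authorization:", auth)
    print("first use accepted:", server.verify("GET", SAMPLE_URI, auth))
    print("replay accepted:", server.verify("GET", SAMPLE_URI, auth))
```

The Authorization header the client produces contains the user name and a 32-character digest but never the password; the server-side checks on realm, URI, nonce and nonce count are what keep a recorded header from being reused, which is the part of the scheme that the guide's "challenge/response" sentence leaves implicit.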
Forms authentication provider
The forms authentication provider supports authentication against credentials stored in Active
Directory, in a database such as a SQL Server database, or in an LDAP data store such as Novell
eDirectory, Novell Directory Services (NDS), or Sun ONE. Forms authentication enables user
authentication based on validation of credential input from a logon form. Unauthenticated
requests are redirected to a logon page, where the user must provide valid credentials and
submit the form. If the request can be authenticated, the system issues a cookie that contains a
key for reestablishing the identity for subsequent requests.
Configure anonymous access
In this section:
• About anonymous access
• Enable anonymous access for a zone
• Enable anonymous access for individual sites
• Enable anonymous access for individual lists
Anonymous access enables users to find resources in the public areas of Web sites without
having to provide authentication credentials.
Note:
You can set up different anonymous accounts for different Web sites, virtual or physical
directories, and files.
In a stand-alone environment, the IUSR_computername account is on the local server. If the
server is a domain controller, the IUSR_computername account is defined for the domain.
By default, anonymous access is disabled by Office SharePoint Server 2007 when you create a
new Web application. This provides an additional layer of security because IIS rejects anonymous
access requests before they can ever be processed by Office SharePoint Server 2007 if
anonymous access is disabled.
Enable anonymous access for a zone of a Web application
1. From Administrative Tools, open the SharePoint Central Administration Web site
application.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the Application Security section, click
Authentication providers.
4. On the Authentication Providers page, make sure the Web application that is listed in
the Web Application box (under Site Actions) is the one that you want to configure. If
the listed Web application is not the one that you want to configure, click the drop-down
arrow to the right of the Web Application drop-down list box and select Change Web
Application.
5. In the Select Web Application dialog box, click the Web application that you want to
configure.
6. On the Authentication Providers page, click the zone of the Web application on which
you want to enable anonymous access. The zones that are configured for the selected
Web application are listed on the Authentication Providers page.
7. On the Edit Authentication page, in the Anonymous Access section, select Enable
Anonymous Access, and then click Save.
At this point, the Web application zone has been enabled for anonymous access.
At this point, your site is configured for anonymous access based on the options that you have
selected.
At this point, users have anonymous access to the list you have configured. You can control
whether users have anonymous access to other lists, the home page, or other pages on this site.
Configure digest authentication
In this section:
• About digest authentication
• Enable digest authentication for a zone of a Web application
• Configure IIS to enable digest authentication
Enable digest authentication for a zone of a Web
application
Use the following procedures to enable digest authentication for a zone of a Web application.
Within each Web application, you can categorize different classes of users into one of the
following five zones:
• Internet is the zone used for customers.
• Intranet is the zone used for internal employees.
• Default is the zone used for remote employees.
• Custom is the zone used for administrators.
• Extranet is the zone used for partners.
At this point, use the IIS Management Console to configure IIS to enable digest authentication.
2. Under the Web Sites node on the console tree, right-click the IIS Web site that
corresponds to the Web application zone on which you want to configure digest
authentication, and then click Properties.
3. On the Web Site Properties page, click the Directory Security tab.
4. In the Anonymous access and authentication control section, click the Edit
button.
5. In the Authenticated access section of the Authentication Methods dialog box,
select Digest authentication for Windows domain servers. A dialog box is displayed
informing you that digest authentication only works with Active Directory domain
accounts, and asking you if you want to continue. Click Yes.
6. In the Realm section of the Authentication Methods dialog box, click the
Select button.
7. Select the appropriate realm and click OK. On the other open dialog boxes, click OK.
Configure forms-based authentication
In this section:
• About forms-based authentication
• Configure forms-based authentication across multiple zones
• Configure forms-based authentication for My Sites Web applications
• Configure the SSP for forms-based authentication
• Configure user profiles and people search
Microsoft Office SharePoint Server 2007 authentication is performed by an authentication
mechanism that is supported by one of the available authentication providers. Providers are
modules that contain the code necessary to authenticate the credentials of a requestor.
Authentication for Office SharePoint Server 2007 is built on the ASP.NET authentication model
and includes three authentication providers:
• Windows authentication provider
• Forms-based authentication provider
• Web Single Sign-On (SSO) authentication provider
In addition, ASP.NET supports the use of pluggable authentication providers, which means that
you can write an authentication provider to support any credential store that you want to use.
Create a new site
1. On the home page of the SharePoint Central Administration Web site, click
Application Management.
2. On the Application Management page, in the SharePoint Web Application
Management section, click Create or extend Web application.
3. On the Create or Extend Web Application page, click Create a new Web
application.
4. On the Create New Web Application page, in the Security Configuration section,
make sure NTLM is selected under Authentication provider. Also, select Yes under
Allow Anonymous.
5. Use the default entries to complete the new Web application creation procedure and
click OK.
At this point, you have created a new site placeholder. Use the following procedure to create a
site collection.
Note:
If you select a wildcard inclusion path, you must also type the site name to use in
the URL of your site. The paths available for the URL option are taken from the
list of managed paths that have been defined as wildcard inclusions.
6. In the Template Selection section, in the Select a template list, select the template
that you want to use for the top-level site in the site collection.
7. In the Primary Site Collection Administrator section, enter the user name (in the
form domain\username) for the user who will be the site collection administrator.
8. If you want to identify a user as the secondary owner of the new top-level Web site
(recommended), in the Secondary Site Collection Administrator section, enter the
user name for the secondary administrator of the site collection.
9. If you are using quotas to limit resource use for site collections, in the Quota
Template section, click a template in the Select a quota template list.
10. Click OK.
At this point, you have created a site collection. Use the following procedure to configure a forms-
based authentication provider.
Note:
If you enable anonymous access here, anonymous access can still be denied at
the site collection level or at the site level. However, if you disable anonymous
access here, it is disabled at all levels within the Web application.
7. In the Membership Provider Name section, in the Membership provider name
box, type the name of the membership provider that you want to use.
Note:
If the Web application is going to support forms-based authentication, the
membership provider must be correctly configured in the Web.config file for the
IIS Web application that hosts SharePoint content on each Web server. The
membership provider must also be added to the Web.config file for the IIS Web
application that hosts Central Administration.
8. In the Client Integration section, under Enable Client Integration, make sure No is
selected, and then click Save.
• If you select Yes, features that start client applications according to document
types will be enabled. This option will not work correctly with some types of forms-
based authentication.
• If you select No, features that start client applications according to document
types will be disabled. Users will have to download documents and then upload them
after they make changes.
Notes
For forms-based authentication, client integration is disabled by default. When client
integration is disabled, links to client applications are not visible and documents cannot be
opened in client applications; documents can only be opened in a Web browser. However,
users can download documents, edit them in client applications locally, and then upload them
to the site.
Client integration is disabled by default when you use forms-based authentication. This is
because client integration does not natively support forms-based authentication. You might be
able to use many client integration features with forms-based authentication, and there are
workarounds available to implement varying levels of client integration functionality with
forms-based authentication. However, if published workarounds are inadequate, or if you find
unexpected issues using workarounds, we do not provide support and there are no product
changes to address these issues. If you plan to use client integration with forms-based
authentication, you must fully test any available solutions or workarounds to determine if the
performance and functionality are acceptable in your environment.
Product Support can provide commercially reasonable support to help you troubleshoot
published workarounds.
After a user provides credentials, the system issues a cookie that identifies the user. On
subsequent requests, the system first checks the cookie to see whether the user has already
been authenticated, so the user does not have to supply credentials again.
If the user has not selected the Remember me? box on the logon page, the credential
information is not cached on the client computer, and is valid only during the current session. This
is especially important in a scenario where users are connecting from public computers or kiosks,
where you would not want user credentials to be cached. Users are required to reauthenticate if
they close the browser, log off from a session, or navigate to another Web site. Also, you can
configure a maximum idle session time-out value to force reauthentication if a user is idle for a
prolonged period of time during a session.
• Extranet zone
Note:
If you use forms-based authentication and the Office SharePoint Server 2007 search
crawler polls a zone that is configured to support Kerberos authentication, the Office
SharePoint Server 2007 search crawler will fail. If you use forms-based authentication
and the Office SharePoint Server 2007 search crawler polls a zone that is configured to
support basic or certificate authentication, you have to configure a crawl rule and provide
credentials or certificates in the Shared Services Provider (SSP) search settings. If a
crawl rule is not configured, the crawler will cycle through all of the zones until it finds a
zone that is configured with NTLM. If the crawler finds a zone configured with NTLM, the
crawl will succeed. If the crawler finds a zone configured with Kerberos or Digest
authentication, the crawl will fail and polling will stop.
Office SharePoint Server 2007 does not allow a Web application to work with the same provider
name across multiple zones. You can configure the Web.config file to use the same provider for
each zone; however, the name of the provider has to be unique for each zone.
For additional information on authentication mechanisms and samples for configuring forms-
based authentication with multiple providers, see Plan for authentication
(http://technet.microsoft.com/en-us/library/cc263434.aspx).
3. To ensure that the crawler can access the content, configure the extended content
Web application for forms-based authentication by selecting the Web application from the
Web Application list in Central Administration, as shown in the following figure:
4. Follow the link to Create or Extend Web Application and choose the option to extend a
Web application. Type in the details, such as choosing a port number where the new Web
application will be hosted in IIS, and choosing the zone that this extended Web application
will reside under.
The following figure shows the original Web application, which is always created in the
Default zone, and the extended Web application created under the Custom zone.
Each of the zones identifies the logical separation of access restrictions to the same content.
Note:
You cannot increase the number of zones.
5. Configure the membership provider name of the extended Web application for forms-
based authentication, as shown in the following figure.
After extending the content Web application to a different zone, you can configure
authentication providers and enable different authentication mechanisms using different
URLs. At this point, add a provider section in the Web.config file of the extended Web
application.
Note:
Adding the provider section in the Web.config file for the default zone will have no
impact on Office SharePoint Server 2007 awareness of the provider for the new
zone. Practically, the two zones are isolated from each other as far as IIS Web sites
are concerned, even though they will still share the same application pool.
6. Modify the authentication provider by following the link to the Authentication Providers
page. This page displays all of the zones on which the Web application has been extended.
Select the appropriate zone and configure the authentication provider. In the preceding
example, the authentication provider is configured as the
PeopleDCLDAPMemberShipProvider for the Custom zone.
7. Add the first administrative user who will have administrative access on all site collections
within the Web application. In this example, the content is the same and the site collections
are identical across all the extended zones (Default and Custom), even though the URLs are
different. When the Web application is first created, the application pool identity is granted
Full Read permissions on the Web application for all zones. For the Default zone, access is
controlled by the primary site collection administrator who was specified during the creation of
the site collection at the root of the Web application. For the extended zone, you have to add
a specific user with Full Control on the Web application to enable initial logon to the site
collections and to perform administrative tasks. To add a user, click Add Users on the Policy
for Web Application page, and select a zone. Run the People Picker and resolve the name of
the user.
Note:
The user will be added as provider:username because the People Picker will resolve
the user by using the provider configured in the Web.config file for the extended Web
application. Office SharePoint Server 2007 ignores the custom provider if All Zones
is selected in the Zone drop-down list. Therefore, it is very important to ensure that
the appropriate zone is selected.
8. After the user has been added, verify that forms-based authentication is functioning and
browse to the URL for the extended zone. In this example, the content Web application is in
the Default zone on port 2000 and is extended to the Custom zone on port 2001. Browse to
the extended port.
9. At this point, the forms-based authentication logon screen is displayed. Type the
credentials for the user you added earlier, and click Submit. You are then redirected to the
Default.aspx page of the site.
The Default.aspx page is very similar to a standard Default.aspx page of a default zone site.
However, in this example, the My Site creation link is not displayed. My Sites and personalization
are services provided by the Shared Services Provider (SSP). There is an existing SSP that
provides these services to this Web application. At this point in the procedure, the SSP is
unaware of the new user, whose credentials you used to log in. Because links are security
trimmed, they are not displayed and, in this example, the current user is not recognized by the
SSP. To correct this situation, enable the SSP for forms-based authentication, as described in the
following procedure.
Configure the SSP for forms-based authentication
To configure the Shared Services Provider (SSP) for forms-based authentication, extend the SSP
administration Web application to map to the same zone as the content Web application. On the
Manage this Farm's Shared Services page, the administration site host for the SSP is listed on
port 80, and the SSP is only aware of NTLM authentication. To make the SSP aware of the
custom provider, configure the SSP for forms-based authentication.
1. Extend the Web application on port 80 (the administration site host) to the same zone on
which the content Web application was extended, and then configure the extended Web
application for forms-based authentication.
Note:
Typically, users are not aware of this new Web application and this Web application
only provides forms-based authentication awareness to the SSP.
2. Browse to the new SSP administration site. After the administration Web application is
enabled for forms-based authentication, you can point the browser to a URL such as
http://<server>:<extended port>/ssp/admin/default.aspx. This is similar to the URL for the
SSP administration site (with a different port number). However, now you are prompted for
credentials on the forms-based authentication logon page.
After you enter the credentials of the user that you added during the Add Users procedure on
the Policy for Web Application page, you are redirected to the Administration page.
Note:
If you try to browse to Personalization Services Permissions in the User Profiles and
My Sites section of the Shared Services Administration page, access is denied.
This is because the logged-on user does not have permissions to modify
personalization services permissions even though the forms-based authenticated
user has permissions to browse the site. To change this behavior, the user has to
have permissions explicitly provided in a different account, and the account itself has
to have permissions to modify personalization services permissions. In this example,
that configuration would be difficult to configure because you are currently browsing
using the one account that has been added with Full Control over the SSP. Users in a
Windows authenticated zone are the only ones who have permissions to edit
personalization services permissions. To enable forms-based authenticated users to
edit personalization services permissions, you must be logged on as a user in a
Windows authenticated zone.
3. Add permissions for personalization links by logging in to the SSP administration site
using the Default zone.
Note:
Make sure the welcome control displays the identity of the Windows user.
4. Browse to the Personalization Services Permissions page, and launch the People Picker.
5. Try resolving the forms-based authenticated user here. The People Picker will not resolve
the forms-based authenticated user because this zone is not aware that there is another
provider that can be queried to find these users.
6. To make this zone aware of the provider, modify the Web.config file for this zone and add
the same provider section that you added for enabling forms-based authentication.
Important:
In the Web.config file, do not set the defaultProvider attribute. If you set this
attribute, the People Picker and security trimmer will always use this provider to
resolve and authenticate users.
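One way the provider section referred to in this step (and in the earlier "add a provider section in the Web.config file of the extended Web application" step) can look, shown as an added example that is not taken from the guide or from Microsoft. It uses the ASP.NET 2.0 SQL Server membership provider the guide mentions rather than the LDAP provider of the walkthrough; the provider name FbaMembership (the value typed in the Membership provider name box), the connection-string name and server, and the password-policy values are constructed assumptions. The <forms> element carries the idle session time-out described earlier and belongs only to the forms-based zone; the <membership> element is added to the Default-zone and Central Administration Web.config files as well, without a defaultProvider attribute, exactly as the Important note above requires:

```xml
<!-- Web.config additions for a forms-based authentication zone (added example, not from the guide).
     Assumed names: "FbaMembership" matches the Membership provider name entered in Central
     Administration; "FbaMembershipDb" and SQLHOST/FbaUsers are constructed placeholders. -->
<configuration>
  <connectionStrings>
    <add name="FbaMembershipDb"
         connectionString="Data Source=SQLHOST;Initial Catalog=FbaUsers;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <!-- Forms zone only. /_layouts/login.aspx is the product's logon page. timeout (minutes)
         with slidingExpiration="true" gives the idle time-out that forces reauthentication;
         requireSSL="true" keeps the identity cookie off clear-text connections. -->
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" timeout="30" slidingExpiration="true" requireSSL="true" />
    </authentication>

    <!-- Add this same <membership> element to the Default (Windows) zone and Central
         Administration Web.config so the People Picker can resolve forms users.
         Do NOT write <membership defaultProvider="FbaMembership">: with defaultProvider set,
         the People Picker and security trimmer would use this provider for every user. -->
    <membership>
      <providers>
        <add name="FbaMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The provider name must be the same string in every Web.config that carries the element and in the Membership provider name box, and, as the earlier note on multiple zones states, a second zone of the same Web application needs its own, differently named provider entry even when it points at the same store.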
7. Browse back to the Personalization Services Permissions page and launch the People
Picker, which now resolves the forms-based authentication user and displays all users who
meet the same criteria.
8. Select a user and choose the permissions you want to assign to this user:
• Create Personal Site: This permission is required to make the My Site link visible,
and enables users to create a My Site.
• Use Personal Features: This permission enables users to access SSP and My Site
features.
• Manage user profiles: This permission enables users to view and manage user
profiles from the Profile Store.
• Manage Audiences: This permission enables users to manage audiences.
• Manage Permissions: This permission enables permission management on an SSP.
• Manage Usage Analytics: This permission enables users to manage and configure
usage analysis.
9. Click Save.
At this point, you can log back on to the Custom zone SSP site as a forms-based authenticated
user and add additional users. In addition, you can configure sets of permissions for these
additional users. After the user is enabled with the Create Personal Site permissions, the My Site
link will be displayed. You can browse to the Custom zone portal using the forms-based
authenticated user and note that the Welcome control now displays the My Site link. However,
clicking the link will not actually create a My Site. This is because the SSP still only refers to the
default zone for the My Site host, even though the SSP is extended on the Custom zone. The
Web application is not yet aware of the forms authenticated users. You can address this by
extending the My Site Web application and configuring it for forms-based authentication.
Because you can manually set the My Site host from within the SSP, it does not matter if the My
Site host is extended to a different zone than the SSP administration Web application. If you are
implementing a scenario in which these two zones have to be different, you can browse to the
SSP, using forms-based authentication, and manually set the My Site host. Browse to the SSP
administration Web site using forms-based authentication and then browse to the My Site
Settings page.
Now you can edit the personal site provider to point to the newly extended My Site Web
application. If you extend the My Site Web application onto the same zone as the SSP
administration Web application, Office SharePoint Server 2007 will automatically realign the My
Sites and this manual configuration is not necessary.
In addition, you can go to the content site, log on by using forms-based authentication, and create
a My Site for the forms-based authenticated user.
6. Verify that the profiles are imported by clicking View User Profiles, as shown in the
following figure:
After the import is performed, the user profile store in Office SharePoint Server 2007 is
updated with the new profiles. To enable people search, perform the next procedure.
7. Initiate a crawl of the people content source. When the crawl is complete, you will be able
to perform a people search on the forms-based authentication site.
Configure Web SSO authentication by using
ADFS
In this section:
• About federated authentication systems
• Before you begin
• Configuring your extranet Web application to use Web SSO authentication
• Allowing users access to your extranet Web site
• Working with the People Picker
• Working with E-mail and UPN claims
• Working with groups and organizational group claims
for building Windows NT token agent applications that are described in the step-by-step
guide.
Note:
When you use the People Picker to add users to Windows SharePoint Services 3.0,
Windows SharePoint Services 3.0 validates the users against the provider, which in this
example is ADFS. Therefore, you should configure the Federation Server before you
configure Windows SharePoint Services 3.0.
Important:
The setup process has been captured in a VBScript file that you can use to configure
Office SharePoint Server 2007 to use ADFS for authentication. This script file is
contained in the file (SetupSharePointADFS.zip) and is available on the Microsoft
SharePoint Products and Technologies blog, listed in the Attachments section. For more
information, see the blog page A script to configure SharePoint to use ADFS for
authentication (http://go.microsoft.com/fwlink/?LinkId=113894).
6. Add an SSL certificate to the Extranet Web Site in IIS. Make sure that this SSL certificate
is issued to extranet.treyresearch.net, because this is the name that clients will use when
they access the sites.
7. Configure the Authentication provider for the extranet zone on your Web application to
use Web SSO by doing the following:
a. On the Application Management page of your farm’s Central Administration site, click
Authentication Providers.
b. Click Change in the upper-right corner of the page, and then select the Web
application on which you want to enable Web SSO.
c. In the list of two zones that are mapped for this Web application (both of which
should say Windows), click the Windows link for the Extranet zone.
d. In the Authentication Type section, click Web Single Sign On.
e. In the Membership provider name box, type
SingleSignOnMembershipProvider2
Make a note of this value; it must match the name attribute of the provider <add> entry in
the <membership> section of the web.config files that you will edit later in this procedure.
f. In the Role manager name box, type
SingleSignOnRoleProvider2
Make a note of this value; it must match the name attribute of the provider <add> entry in
the <roleManager> section of the web.config files that you will edit later in this procedure.
g. Make sure the Enable Client Integration setting is set to No.
h. Click Save.
Your extranet Web application is now configured to use Web SSO. However, at this point, the site
will be inaccessible because no one has permissions to it. The next step is to assign permissions
to users so that they can access this site.
Note:
After selecting WebSSO as the Authentication Provider, Anonymous Authentication will
be automatically enabled for the SharePoint site in IIS (no user action is required). This
setting is required for the site to allow access using only claims.
Allowing users access to your extranet Web site
1. Use a text editor to open the web.config file for the Web site on the default zone that is
using Windows authentication.
2. Add the following entry anywhere in the <system.web> node.
<membership>
  <providers>
    <add name="SingleSignOnMembershipProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <remove name="AspNetSqlRoleProvider" />
    <add name="SingleSignOnRoleProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers>
</roleManager>
3. Change the value for fs-server to reflect your resource Federation Server
(adfsresource.treyresearch.net). Ensure that you entered the correct membership provider
and the role manager names on the Central Administration Authentication Providers page.
When this entry is added to web.config, the People Picker on the default zone site that is
using Windows authentication is aware of the ADFS providers and can therefore resolve ADFS
claims. This enables you to grant permissions to ADFS claims on your Web site. Note that the
Windows zone keeps AspNetWindowsTokenRoleProvider as its default provider; the ADFS
providers are only registered so that they can be queried.
4. Grant ADFS claims access to the site by doing the following:
a. Navigate to the Web site on the default zone that uses Windows authentication as an
administrator of the site.
b. Click the Site Actions menu, point to Site Settings, and then click Advanced
Permissions.
c. Click New, and then click Add Users.
d. To add a user claim, specify the user's e-mail address or User Principal Name in the
Users/Groups section. If both UPN and e-mail claims are sent from the federation
server, SharePoint will use the UPN to verify against the membership provider.
Therefore, if you want to use e-mail, you will have to disable the UPN claim in your
federation server. See "Working with E-mail and UPN claims" for more information.
e. To add a group claim, type the name of the claim you want the SharePoint site to use
in the Users/Groups section. For example, create an organizational group claim named
Adatum Contributors on the Federation Server. Add the claim name Adatum
Contributors to the SharePoint site as you would a Windows user or group. You can
assign this claim Home Members [Contribute], and then any user who accesses the
SharePoint site by using this group claim will have Contributor access to the site.
f. Select the appropriate permission level or SharePoint group.
g. Click OK.
5. Use the text editor of your choice to open the web.config file for the extranet site, and add
the following entry in the <configSections> node.
<sectionGroup name="system.web">
  <section name="websso"
           type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
</sectionGroup>
6. Add the following entry to the <httpModules> node.
<add name="Identity Federation Services Application Authentication Module"
     type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
Note:
The ADFS authentication module must always be specified after the SharePoint
SPRequest module in the <httpModules> node of the web.config file. It is safest to
add it as the last entry in that section.
7. Add the following entry anywhere under the <system.web> node.
<membership defaultProvider="SingleSignOnMembershipProvider2">
  <providers>
    <add name="SingleSignOnMembershipProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
  <providers>
    <add name="SingleSignOnRoleProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </providers>
</roleManager>
<websso>
  <authenticationrequired />
  <auditlevel>55</auditlevel>
  <urls>
    <returnurl>https://your_application</returnurl>
  </urls>
  <fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs>
  <isSharePoint />
</websso>
Note:
Change the value for fs-server to your Federation Server computer, and change the
value of your_application to reflect the URL of your extranet Web application.
8. Browse to the https://extranet.treyresearch.net Web site as an ADFS user who has
permissions to the extranet web site.
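The two web.config edits above follow one rule that is easy to get wrong by hand: the Windows zone (steps 2 and 3) registers the ADFS providers but must not make them its defaultProvider, while the extranet zone (steps 5 through 7) does, and its Web SSO httpModule must sit after SPRequest. The following PowerShell script is an added example, not part of the original guide or of the SetupSharePointADFS script it mentions; it registers the two providers in one zone's web.config and enforces both rules. The web.config path, the federation server name and the assumption that PowerShell 2.0 is available on the Web front-end are placeholders; the `<configSections>`, `<httpModules>` and `<websso>` entries for the extranet zone are still added by hand as in steps 5 through 7, and the script only validates the module order.

```powershell
# Added example; not from the original guide. Registers the ADFS membership and
# role providers in one zone's web.config and enforces the procedure's rules:
# the Windows zone must NOT use the ADFS provider as defaultProvider, and the
# Web SSO httpModule (if present) must be listed after SPRequest.
# Assumptions: path, federation server and PowerShell 2.0 are placeholders; run
# as an account that can write to the IIS virtual directory.
param(
    [string]$WebConfigPath    = 'C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config',
    [string]$FederationServer = 'adfsresource.treyresearch.net',
    [switch]$WebSsoZone       # set only when editing the extranet (Web SSO) zone
)

$WebConfigPath = (Resolve-Path -Path $WebConfigPath).Path
$fsUrl = "https://$FederationServer/adfs/fs/federationserverservice.asmx"
$asm   = 'System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'
$ssoModuleName = 'Identity Federation Services Application Authentication Module'

Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force
[xml]$cfg = Get-Content -Path $WebConfigPath
$sysWeb = $cfg.SelectSingleNode('/configuration/system.web')
if (-not $sysWeb) { throw "No <system.web> node in $WebConfigPath" }

# Returns the named child element of $parent, creating it if it is missing.
function Get-OrAddElement([System.Xml.XmlNode]$parent, [string]$name) {
    $node = $parent.SelectSingleNode($name)
    if (-not $node) { $node = $parent.AppendChild($cfg.CreateElement($name)) }
    $node
}

# Adds <add name=... type=... fs=.../> under <providers> unless it already exists.
function Add-Provider([System.Xml.XmlNode]$section, [string]$name, [string]$type) {
    $providers = Get-OrAddElement $section 'providers'
    if ($providers.SelectSingleNode("add[@name='$name']")) { return }
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('name', $name)
    $add.SetAttribute('type', $type)
    $add.SetAttribute('fs',   $fsUrl)
    [void]$providers.AppendChild($add)
}

$membership  = Get-OrAddElement $sysWeb 'membership'
$roleManager = Get-OrAddElement $sysWeb 'roleManager'
$roleManager.SetAttribute('enabled', 'true')

Add-Provider $membership  'SingleSignOnMembershipProvider2' "System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, $asm"
Add-Provider $roleManager 'SingleSignOnRoleProvider2'       "System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, $asm"

if ($WebSsoZone) {
    # Only the extranet zone authenticates through the ADFS providers by default.
    $membership.SetAttribute('defaultProvider',  'SingleSignOnMembershipProvider2')
    $roleManager.SetAttribute('defaultProvider', 'SingleSignOnRoleProvider2')
}
elseif ($membership.GetAttribute('defaultProvider') -eq 'SingleSignOnMembershipProvider2') {
    throw 'The Windows zone must not use the ADFS provider as defaultProvider: the People Picker and security trimmer would then resolve every user through ADFS.'
}

# The Web SSO module, when present, must come after SPRequest in <httpModules>.
$moduleNames = @($sysWeb.SelectNodes('httpModules/add') | ForEach-Object { $_.GetAttribute('name') })
$spIdx  = [array]::IndexOf($moduleNames, 'SPRequest')
$ssoIdx = [array]::IndexOf($moduleNames, $ssoModuleName)
if ($ssoIdx -ge 0 -and $ssoIdx -lt $spIdx) {
    throw 'The ADFS authentication module is listed before SPRequest in <httpModules>; move it to the end of that section.'
}

$cfg.Save($WebConfigPath)
"Updated $WebConfigPath (backup written to $WebConfigPath.bak)"
```

Run it once without -WebSsoZone against the Windows zone's web.config and once with -WebSsoZone against the extranet zone's web.config. Keeping the defaultProvider check in code is the point: a Windows zone that defaults to the ADFS provider silently changes who the security trimmer and People Picker consult for every lookup.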
• As you extend Web applications by using different providers, you can configure one or
more of them to be able to find users and groups from various providers that you are using on
that Web application. In this scenario, we configured our site that uses Windows
authentication in a way that allows users of that site to select other Windows users, Windows
groups, and ADFS claims, all from one site.
<roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
  <providers>
    <add name="SingleSignOnRoleProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers>
</roleManager>
</system.web>
</configuration>
Note:
Change the value of fs-server to your resource Federation Server
(adfsresource.treyresearch.net).
1. From Administrative Tools on your Federation Server, open the ADFS snap-in.
Note:
You can also open the ADFS snap-in by typing ADFS.MSC in the Run dialog
box.
2. Select your Office SharePoint Server 2007 application node (your application should
already be added to the list of nodes).
3. In the claims list on the right, right-click E-mail, and select Enable or Disable.
4. In the claims list on the right, right-click UPN, and select Enable or Disable.
Note:
If both UPN and E-mail are enabled, Office SharePoint Server 2007 will use UPN
to perform user claim verification. Therefore, when configuring the Office
SharePoint Server 2007, be careful about which user claim you enter. Also note
that the UPN claim will only work consistently if the UPN suffixes and the e-mail
suffixes that are accepted by the Federation Server are identical. This is because
the membership provider is e-mail based. Because of this complexity in
configuring UPN claims, e-mail is the recommended user claim setting for
membership authentication.
resolves groups by using organizational group claims. When you use ADFS with Office
SharePoint Server 2007, you must create a set of organizational group claims in ADFS. You can
then associate multiple Active Directory groups with an ADFS organizational group claim.
For group claims to work with the latest version of ADFS, you need to edit the web.config file for
the ADFS application in IIS on your ADFS server.
Open the web.config file and add <getGroupClaims /> to the
<FederationServerConfiguration> node inside the <system.web> node, as shown in the
following example.
<configuration>
  <system.web>
    <FederationServerConfiguration>
      <getGroupClaims />
    </FederationServerConfiguration>
  </system.web>
</configuration>
In the Adatum (Account Forest), do the following:
1. Create an Active Directory group named Trey SharePoint Readers.
2. Create an Active Directory group named Trey SharePoint Contributors.
3. Add Alansh to the Readers group and Adamcar to the Contributors group.
4. Create an organizational group claim named Trey SharePoint Readers.
5. Create an organizational group claim named Trey SharePoint Contributors.
6. Right-click the Active Directory account store, and then click New Group Claim
Extraction.
a. Select the Trey SharePoint Readers organizational group claim, and then associate it
with the Trey SharePoint Readers Active Directory group.
b. Repeat the group claim extraction, and then associate the Trey SharePoint Contributors
organizational group claim with the Trey SharePoint Contributors Active Directory group.
7. Right-click the Trey Research Account Partner, and then create the outgoing claim
mappings:
a. Select the Trey SharePoint Readers claim, and then map it to the outgoing claim
adatum-trey-readers.
b. Select the Trey SharePoint Contributors claim, and then map it to the outgoing claim
adatum-trey-contributors.
Note:
The claim mapping names must be agreed on between the organizations, and they must
match exactly.
On the Trey Research side, start ADFS.MSC, and then do the following:
1. Create an organizational group claim named Adatum SharePoint Readers.
2. Create an organizational group claim named Adatum SharePoint Contributors.
3. Create incoming group mappings for your claims:
a. Right-click the Adatum account partner, and then click Incoming Group Claim
Mapping.
b. Select Adatum SharePoint Readers, and then map it to the incoming claim name
adatum-trey-readers.
c. Select Adatum SharePoint Contributors, and then map it to the incoming claim name
adatum-trey-contributors.
4. Right-click the Office SharePoint Server 2007 Web application, and then click Enable on
both the Reader and Contributor claims.
Browse to the http://trey-moss site on the Trey Research side as the site administrator, and then
do the following:
1. Click the Site Actions menu, point to Site Settings, and then click People and Groups.
2. If it is not already selected, click the Members group for your site.
3. Click New, and then click Add Users on the toolbar.
4. Click the address book icon next to the Users/Groups box.
5. In the Find box in the People Picker dialog box, type
Adatum SharePoint Readers
In the Give Permission section, select SharePoint group homeVisitors [Readers].
6. In the Find box, type
Adatum SharePoint Contributors
In the Give Permission section, select SharePoint group homeMembers [Contribute].
Configure Kerberos authentication
In this section:
• About Kerberos authentication
• Before you begin
• Configure Kerberos authentication for SQL communications
• Configure Internet Explorer to include port numbers in Service Principal Names
• Create Service Principal Names for your Web applications using Kerberos
authentication
• Deploy the server farm
• Configure services on servers in your farm
• Create Web applications using Kerberos authentication
• Create a site collection using the Collaboration Portal template in the portal site Web
application
• Create a Shared Services Provider for your farm
• Confirm successful access to the Web applications using Kerberos authentication
• Confirm correct Search Indexing functionality
• Confirm correct Search Query functionality
• Configure your SSP infrastructure for Kerberos authentication
• Register new custom-format SPNs for your SSP service account in Active Directory
• Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos
authentication
• Add a new registry key to all of your servers running Office SharePoint Server to enable
generation of the new custom-format SPNs
• Confirm Kerberos authentication for root-level shared services access
• Confirm Kerberos authentication for virtual-directory-level shared services access
• Configuration limitations
• Additional resources and troubleshooting guidance
(KDC). The KDC distributes shared secret keys to enable encryption. The client and server
computers must also be able to access Active Directory directory services. For Active Directory,
the forest root domain is the center of Kerberos authentication referrals.
To deploy a server farm running Microsoft Office SharePoint Server 2007 using Kerberos
authentication, you must install and configure a variety of applications on your computers. This
section describes an example server farm running Office SharePoint Server 2007 and provides
guidance for deploying and configuring the farm to use Kerberos authentication to support the
following functionality:
• Communication between Office SharePoint Server 2007 and Microsoft SQL Server
database software.
• Access to the SharePoint Central Administration Web application.
• Access to other Web applications, including a portal site Web application, a My Site Web
application, and an SSP Administration site Web application.
• Access to the shared services for the Office SharePoint Server 2007 Web applications in
the Office SharePoint Server 2007 Shared Services Provider (SSP) infrastructure.
Important:
To create SPNs in an Active Directory domain, you must have domain administrative-
level permissions.
Kerberos authentication for the SSP infrastructure in Office SharePoint Server 2007 requires the
installation of the Infrastructure Update for Microsoft Office Servers.
Note:
An SSP is a logical grouping of a common set of services and service data that can be
provided to Web applications and their associated Web sites. An SSP infrastructure
enables the sharing of services across server farms, Web applications, and site
collections. The Office Server Web Services Web site is the SSP infrastructure. The SSP
infrastructure exists on any server running Office SharePoint Server 2007 that is
deployed using the Complete installation option. Kerberos authentication does not work
with the Office Server Web Services Web site unless the Infrastructure Update for
Microsoft Office Servers is installed.
This section does not provide an in-depth examination of Kerberos authentication. Kerberos is an
industry-standard authentication method that is implemented in Active Directory.
This section does not provide detailed, step-by-step instructions for installing Office SharePoint
Server 2007 or using the SharePoint Products and Technologies Configuration Wizard.
This section does not provide detailed, step-by-step instructions for using Central Administration
to create Office SharePoint Server 2007 Web applications.
Known issues
Kerberos authentication cannot be configured to work with the SSP infrastructure in Office
SharePoint Server 2007 unless the Infrastructure Update for Microsoft Office Servers is installed.
Therefore, if you do not have the Infrastructure Update for Microsoft Office Servers installed,
disregard the guidance in this section for configuring Kerberos authentication for the SSP
infrastructure.
Office SharePoint Server 2007 can crawl Web applications configured to use Kerberos
authentication if those Web applications are hosted on IIS virtual servers that are bound to default
ports (TCP port 80 and Secure Sockets Layer (SSL) port 443). However, Office SharePoint
Server 2007 Search cannot crawl Office SharePoint Server 2007 Web applications that are
configured to use Kerberos authentication if the Web applications are hosted on IIS virtual
servers that are bound to non-default ports (ports other than TCP port 80 and SSL port 443).
Currently, Office SharePoint Server 2007 Search can only crawl Office SharePoint Server 2007
Web applications hosted on IIS virtual servers bound to non-default ports that are configured to
use either NTLM authentication or Basic authentication.
For end-user access using Kerberos authentication, if you need to deploy Web applications that
can only be hosted on IIS virtual servers that are bound to non-default ports, and if you want end-
users to get search query results, then:
• The same Web applications must be hosted on other IIS virtual servers on non-default
ports.
• The Web applications must be configured to use either NTLM or Basic authentication.
• Search Indexing must crawl the Web applications using NTLM or Basic authentication.
This section provides guidance for:
• Configuring the Central Administration Web application using Kerberos authentication
hosted on an IIS virtual server bound to non-default ports.
• Configuring portal and My Site applications, and shared services using Kerberos
authentication hosted on IIS virtual servers bound to default ports and with an IIS host header
binding.
• Ensuring that Search Indexing successfully crawls Office SharePoint Server 2007 Web
applications using Kerberos authentication.
• Ensuring that users accessing Kerberos-authenticated Web applications can successfully
get search query results for those Web applications.
• Configuring Kerberos authentication for the SSP infrastructure (if the Infrastructure
Update for Microsoft Office Servers is installed).
Additional background
It is important to understand that when you use Kerberos authentication, correct authentication
behavior depends in part on the behavior of the client that is attempting to authenticate
using Kerberos. In an Office SharePoint Server 2007 farm deployment using Kerberos
authentication, Office SharePoint Server 2007 is not the client. Before you deploy a server farm
running Office SharePoint Server 2007 using Kerberos authentication, you must understand the
behavior of the following clients:
• The browser (in the context of this section, the browser is always Windows Internet
Explorer).
• The Microsoft .NET Framework.
The browser is the client used when browsing to a Web page in an Office SharePoint Server
2007 Web application. When Office SharePoint Server 2007 performs tasks such as crawling the
local Office SharePoint Server 2007 content sources or making calls to the SSP infrastructure,
the .NET Framework is functioning as the client.
For Kerberos authentication to work correctly, you must create SPNs in Active Directory. If the
services to which these SPNs correspond are listening on non-default ports, the SPNs should
include port numbers. This is to ensure that the SPNs are meaningful. It is also required to
prevent the creation of duplicate SPNs.
When a client (Internet Explorer or the .NET Framework) attempts to access a resource using
Kerberos authentication, the client must construct an SPN to be used as part of the Kerberos
authentication process. If the client does not construct an SPN that matches the SPN that is
configured in Active Directory, Kerberos authentication will fail, usually with an “access denied”
error.
There are versions of Internet Explorer that do not construct SPNs with port numbers. If you are
using Office SharePoint Server 2007 Web applications that are bound to non-default port
numbers in IIS, you might have to direct Internet Explorer to include port numbers in the SPNs
that it constructs. In a farm running Office SharePoint Server 2007, the Central Administration
Web application is hosted, by default, in an IIS virtual server that is bound to a non-default port.
Therefore, this section addresses both IIS port-bound and IIS host-header-bound Web sites, and
it provides a link to instructions for directing Internet Explorer to include port numbers in SPNs.
In a farm running Office SharePoint Server 2007, by default the .NET Framework does not
construct SPNs that contain port numbers. This is the reason why Search cannot crawl Web
applications using Kerberos authentication if those Web applications are hosted on IIS virtual
servers that are bound to non-default ports. It is also the reason why Kerberos authentication
cannot be correctly configured and made to work for the SSP infrastructure unless the
Infrastructure Update for Microsoft Office Servers is installed.
Active Directory, computer naming, and NLB conventions
The scenario described in this section uses the following Active Directory, computer-naming, and
NLB conventions:
Active Directory domain account conventions
The example in this section uses the naming conventions listed in the following table for service
accounts and application pool identities used in the farm running Office SharePoint Server 2007.
Domain account or application pool identity Name
The following list contains examples of SPNs for a default instance of SQL Server running on a
computer named mosssql and listening on port 1433:
• MSSQLSvc/mosssql:1433
• MSSQLSvc/mosssql.mydomain.com:1433
These are the SPNs that you will create for the instance of SQL Server on the SQL host that will
be used by the farm described in this section. You should always create SPNs that have both a
NetBIOS name and a full DNS name for a host on your network.
There are different methods that you can use to set an SPN for an account in an Active Directory
domain. One method is to use the SETSPN.EXE utility that is part of the resource kit tools for
Windows Server 2003. Another method is to use the ADSIEDIT.MSC snap-in on your Active
Directory domain controller. This section addresses using the ADSIEDIT.MSC snap-in.
There are two core steps for configuring Kerberos authentication for SQL Server:
• Create SPNs for your SQL Server service account.
• Confirm Kerberos authentication is used to connect servers running Office SharePoint
Server 2007 to servers running SQL Server.
your servers running Office SharePoint Server 2007. The confirmation procedures are based on
the following assumptions:
• You are using SQL Server 2005 SP2 on your SQL host.
• You have logged on to one of your servers running Office SharePoint Server 2007, using
the account mydomain\pscexec, and have installed the SQL 2005 Client Tools on the server
running Office SharePoint Server 2007.
1. Run the SQL Server 2005 Management Studio.
2. When the Connect to Server dialog box appears, type the name of the SQL host
computer (in this example, the SQL host computer is mosssql), and click Connect to connect
to the SQL host computer.
3. To confirm that Kerberos authentication was used for this connection, run the event
viewer on the SQL host computer and examine the Security event log. You should see a
Success Audit record for a Logon/Logoff category event that is similar to the data shown in
the following tables:
Event ID: 540
Date: 10/31/2007
Time: 4:12:24 PM
User: MYDOMAIN\pscexec
Computer: MOSSSQL
Description:
  Domain: MYDOMAIN
  Logon ID: (0x0,0x6F1AC9)
  Logon Type: 3
  Workstation Name:
  Caller Domain:
  Caller Logon ID:
  Caller Process ID:
  Transited Services:
Create Service Principal Names for your Web
applications using Kerberos authentication
As far as Kerberos authentication is concerned, there is nothing special about IIS-based Office
SharePoint Server 2007 Web applications—Kerberos authentication treats them as just another
IIS Web site.
This process requires knowledge of the following items:
• The Service Class for the SPN (in the context of this section, for Office SharePoint Server
2007 Web applications, this is always HTTP).
• The URL for all of your Office SharePoint Server 2007 Web applications using Kerberos
authentication.
• The host name portion of the SPN (either real or virtual; this section addresses both).
• The port number portion of the SPN (in the scenario described in this section, both IIS
port-based and IIS host-header-based Office SharePoint Server 2007 Web applications are
used).
• The Windows Active Directory accounts for which your SPNs must be created.
The following table lists the information for the scenario described in this section:
Use the guidance provided above to create the SPNs you need in Active Directory to support
Kerberos authentication for your Office SharePoint Server 2007 Web applications. You need to
log on to a domain controller in your environment using an account that has domain
administrative permissions. To create the SPNs, you can use either the SETSPN.EXE utility
mentioned previously, or you can use the ADSIEDIT.MSC snap-in mentioned previously. If using
the ADSIEDIT.MSC snap-in, please refer to the instructions provided earlier in this section for
creating the SPNs. Be sure to create the correct SPNs for the correct accounts in Active
Directory.
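The SQL Server SPNs listed earlier and the HTTP SPNs for the Web applications follow the same two rules: register both the NetBIOS and the FQDN form, and include the port only when the service listens on a non-default port. The following PowerShell script is an added example, not part of the original guide; it builds that SPN set for a few scenario hosts and registers each SPN with setspn.exe only after an LDAP query confirms no other account already holds it, because a duplicate SPN is exactly the "invalid or registered for the wrong account" failure the troubleshooting text below describes. The SQL service account name, the Central Administration port and the portal application pool account are assumptions, since the scenario's account and SPN tables are not reproduced on this page; run it on a domain controller as a domain administrator with setspn.exe available.

```powershell
# Added example; not from the original guide. Builds the SPN set for the
# scenario's services and registers each SPN only if no other account already
# holds it, so duplicate SPNs (which break Kerberos) are never created.
# Assumptions: the accounts and the Central Administration port below are
# placeholders; run as a domain admin where setspn.exe is available.
$domainDns = 'mydomain.com'

# Port 0 means the service listens on a default port, so the SPN carries no port.
$services = @(
    @{ Class = 'MSSQLSvc'; HostName = 'mosssql';   Port = 1433;  Account = 'mydomain\sqlsvc' },
    @{ Class = 'HTTP';     HostName = 'mossadmin'; Port = 12345; Account = 'mydomain\mossfarmadmin' },  # Central Administration, non-default port (assumed value)
    @{ Class = 'HTTP';     HostName = 'portal';    Port = 0;     Account = 'mydomain\portalpool' }       # host-header bound on port 80
)

# Returns the NetBIOS and FQDN forms of the SPN for one service.
function Get-SpnNames([string]$Class, [string]$HostName, [int]$Port, [string]$DnsSuffix) {
    $suffix = if ($Port -gt 0) { ":$Port" } else { '' }
    "$Class/$HostName$suffix"
    "$Class/$HostName.$DnsSuffix$suffix"
}

# Returns the sAMAccountName of whatever object already carries this SPN, or $null.
function Find-SpnOwner([string]$Spn) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $hit = $searcher.FindOne()
    if ($hit) { [string]$hit.Properties['samaccountname'][0] } else { $null }
}

foreach ($svc in $services) {
    $sam = $svc.Account.Split('\')[-1]
    foreach ($spn in (Get-SpnNames $svc.Class $svc.HostName $svc.Port $domainDns)) {
        $owner = Find-SpnOwner $spn
        if ($owner -and $owner -ne $sam) {
            Write-Warning "$spn is already registered to $owner; not adding it for $sam (a duplicate SPN breaks Kerberos for both)."
        }
        elseif ($owner) {
            "$spn is already registered to $sam"
        }
        else {
            & setspn.exe -A $spn $sam
        }
    }
}

# List what each account ends up with, for review.
$services | ForEach-Object { $_.Account.Split('\')[-1] } | Sort-Object -Unique | ForEach-Object { & setspn.exe -L $_ }
```

The ownership check is what setspn -A on Windows Server 2003 does not do for you; the port is appended only for non-default ports, which is why the Central Administration SPN carries one and the host-header-bound portal SPN does not.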
Log on to each of your computers running Office SharePoint Server 2007 using the account
mydomain\pscexec. No step-by-step instructions are provided for this. For the scenario described
in this section, do a Complete installation of Office SharePoint Server 2007 on all servers that
require Office SharePoint Server 2007.
3. To confirm that Kerberos authentication was used to access Central Administration,
go back to the computer named MOSSADMIN and run the event viewer and look in the
security log. You should see a Success Audit record that looks similar to the following
table:
Event ID: 540
Date: 11/1/2007
Time: 2:22:20 PM
User: MYDOMAIN\pscexec
Computer: MOSSADMIN
Description:
  Domain: MYDOMAIN
  Logon ID: (0x0,0x1D339D3)
  Logon Type: 3
  Workstation Name:
  Caller Domain:
  Caller Logon ID:
  Caller Process ID:
  Transited Services:
Examination of this log record shows the same type of information as in the previous log entry:
• Confirm that the user name is correct; it is the mydomain\pscexec account that logged on
over the network to the server running Office SharePoint Server 2007 that is hosting Central
Administration.
• Confirm that the logon type is 3; a logon type 3 is a network logon.
• Confirm that the logon process and authentication package both use Kerberos
authentication. This confirms that Kerberos authentication is being used to access your
Central Administration Web application.
• Confirm that the Source Network Address matches the IP address of the computer from
which the connection was made.
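The four checks above (user name, logon type 3, Kerberos as both logon process and authentication package, and the expected source address) are read from the text of event 540. The following PowerShell script is an added example, not part of the original guide; it pulls the newest Success Audit network logons for one account from the local Security log and reports those fields so the Kerberos-versus-NTLM question is answered for every connection at once rather than by reading one record. It assumes PowerShell 2.0 on the server being checked (MOSSSQL or MOSSADMIN in this scenario), an elevated session, and the scenario's pscexec account; the field labels are those of the Windows Server 2003 event 540 message.

```powershell
# Added example; not from the original guide. Reads the newest Success Audit
# network-logon events (ID 540) for one account from the local Security log and
# reports whether Kerberos, rather than NTLM, was the logon process and
# authentication package. Fields are parsed from the event message text.
# Assumptions: PowerShell 2.0, run elevated on the server being checked; the
# account name defaults to the scenario's pscexec.

# Event 540 messages consist of "Field:<tabs>value" lines; returns the value or ''.
function Get-LogonField([string]$Message, [string]$Field) {
    if ($Message -match "(?m)^\s*${Field}:\s*(.+?)\s*$") { $Matches[1] } else { '' }
}

function Get-NetworkLogon([string]$User = 'pscexec', [int]$Newest = 500) {
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object {
            $_.EventID -eq 540 -and
            $_.EntryType -eq 'SuccessAudit' -and
            $_.Message -match "(?m)^\s*User Name:\s*${User}\s*$"
        } |
        ForEach-Object {
            $m   = $_.Message
            $pkg = Get-LogonField $m 'Authentication Package'
            New-Object PSObject -Property @{
                Time          = $_.TimeGenerated
                User          = Get-LogonField $m 'User Name'
                LogonType     = Get-LogonField $m 'Logon Type'
                LogonProcess  = Get-LogonField $m 'Logon Process'
                AuthPackage   = $pkg
                SourceAddress = Get-LogonField $m 'Source Network Address'
                Kerberos      = ($pkg -eq 'Kerberos')   # an NTLM fallback shows NTLM / NtLmSsp instead
            }
        }
}

# A Kerberos network logon shows LogonType 3, LogonProcess and AuthPackage
# Kerberos, and the connecting computer's IP address as SourceAddress.
Get-NetworkLogon | Format-Table Time, User, LogonType, LogonProcess, AuthPackage, SourceAddress, Kerberos -AutoSize
```

A row with Kerberos set to False for the account is the NTLM fallback this section is trying to rule out; its SourceAddress tells you which client built the wrong SPN, which is where the next paragraph's two causes come in.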
If the Central Administration home page fails to render and instead an unauthorized error
message is displayed, Kerberos authentication is failing. There are usually only two causes for
this failure:
• The SPN in Active Directory was not registered for the correct account. It should have
been registered for mydomain\mossfarmadmin.
• The SPN in Active Directory does not match the SPN being constructed by Internet
Explorer or is otherwise invalid. The most common cause of this is that Internet Explorer is
not constructing an SPN containing the correct port number. See the previous section titled
Configure Internet Explorer to include port numbers in Service Principal Names to correct this
problem. You also might have omitted the port number from the SPN that you registered in
Active Directory. Either way, ensure that this is corrected and that Central Administration is
working, using Kerberos authentication, before proceeding.
Note:
A diagnostic aid you could use to see what is going on over the network is a network
sniffer, such as Microsoft Network Monitor, to take a trace during browsing to Central
Administration. After the failure, examine the trace and look for KerberosV5 Protocol
packets. Find a packet with an SPN constructed by Internet Explorer. If that SPN does
not contain a port number, you need to apply the fix described in the section titled
Configure Internet Explorer to include port numbers in Service Principal Names. If the
SPN in the trace looks correct, either the SPN in Active Directory is invalid, or it has been
registered for the wrong account.
the setup completion dialog box to run the SharePoint Products and Technologies Configuration
Wizard. Perform the procedure to join each of these servers to the farm.
Upon completion of the SharePoint Products and Technologies Configuration Wizard on each
server you add to the farm, verify that each of these servers can render Central Administration,
which is running on the server, MOSSADMIN. If any of these servers fail to render Central
Administration, take the appropriate steps to solve the problem before you proceed.
Note:
This section does not provide an in-depth description of the user interface. Only high-
level instructions are provided. You should be familiar with Central Administration and
how to perform the required steps before you proceed.
Access Central Administration and perform the following steps to configure the services on the
servers indicated, using the accounts indicated.
Index server
On the Services on Server page in Central Administration:
1. Select the server MOSSCRAWL.
2. In the list of services that appears close to the middle of the page, locate the Office
SharePoint Server 2007 Search service, and then click Start in the Action column.
On the subsequent page, check the Use this server for indexing content check box and then
provide the credentials for the Office SharePoint Server 2007 search service account. In the
scenario in this section, the Office SharePoint Server 2007 search service account is
mydomain\mosssearch. Type the account names and passwords in the appropriate locations on
the page, and then click Start.
Query server
On the Services on Server page in Central Administration:
1. Select the server MOSSQUERY.
2. In the list of services that appears close to the middle of the page, locate the Office
SharePoint Server 2007 Search service, and then click the service name in the Service
column.
On the subsequent page, check the Use this server for serving search queries check box and
click OK.
Note:
This section does not provide an in-depth description of the user interface. Only high-
level instructions are provided. You should be familiar with Central Administration and
how to perform the required steps before you proceed.
8. Confirm that the Web application is successfully created.
Note:
If you want to use an SSL connection and bind the Web application to port 443, type 443
in the Port field and select Use SSL on the Create New Web Application page. In
addition, you must install an SSL wildcard certificate. When using an IIS host header
binding on an IIS Web site configured for SSL, you must use an SSL wildcard certificate.
For more information about SSL host headers in IIS, see Configuring SSL Host Headers
(IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=111285&clcid=0x409).
3. On the subsequent page, make sure Create a new IIS Web site is selected.
• In the Description field, type SSPAdminSite.
• In the Port field, type 80.
• In the Host Header field, type kerbsspadminsite.mydomain.net.
4. Make sure Negotiate is selected as the authentication provider for this Web application.
5. Create this Web application in the Default zone. Do not modify the zone for this Web
application.
6. Make sure Create new application pool is selected.
• In the Application pool name field, type SSPAdminSiteAppPool.
• Make sure Configurable is selected. In the User name field, type the account
mydomain\sspadminpool.
7. Click OK.
8. Confirm that the Web application is successfully created.
Note:
If you want to use an SSL connection and bind the Web application to port 443, type 443
in the Port field and select Use SSL on the Create New Web Application page. In
addition, you must install an SSL wildcard certificate. When using an IIS host header
binding on an IIS Web site configured for SSL, you must use an SSL wildcard certificate.
For more information about SSL host headers in IIS, see Configuring SSL Host Headers
(IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=111285&clcid=0x409).
Note:
This section does not provide an in-depth description of the user interface. Only high-
level instructions are provided. You should be familiar with Central Administration and
how to perform the required steps before you proceed.
1. On the Application Management page in Central Administration, click Create site
collection.
2. On the subsequent page, make sure you select the correct Web application. For the
example in this section, select http://kerbportal.mydomain.net.
3. Provide the title and description you want to use for this site collection.
4. Leave the Web site address unchanged.
5. In the Template Selection section under Select a Template, click the Publishing tab
and select the Collaboration Portal template.
6. In the Primary Site Collection Administrator section, type mydomain\pscexec.
7. Specify the Secondary Site Collection Administrator you want to use.
8. Click OK.
9. Confirm that the portal site collection is successfully created.
Note:
This section does not provide an in-depth description of the user interface. Only high-
level instructions are provided. You should be familiar with Central Administration and
how to perform the required steps before you proceed.
1. On the Application Management page in Central Administration, click Create or
configure this farm’s shared services.
2. On the subsequent page, click New SSP.
3. On the subsequent page, in the SSP Name section, type SSP1 in the SSP Name field.
Then, in the Web application field, select the Web application you created for the Shared
Services Administration site Web application. For the example in this section, select the Web
application named SSPAdminSite.
• In the MySite section, in the Web application field, select the Web application you
created for the My Site Web site. For the example in this section, select the Web
application named MySite.
• In the SSP service credentials section, in the User name field, type
mydomain\sspsvc.
4. Click OK.
5. Confirm that your farm’s SSP is successfully created.
The home page of the Kerberos-authenticated portal site should render.
To confirm that Kerberos authentication was used to access the portal site, go to one of the load-
balanced front-end Web servers, open Event Viewer, and look in the Security log. You should
see a Success Audit record, similar to the following table, on one of the front-end Web servers.
You may have to look on both front-end Web servers before you find it, depending on which
server handled the load-balanced request.
Event ID 540
Date 11/1/2007
Time 5:08:20 PM
User MYDOMAIN\pscexec
Computer mossfe1
Description
Domain MYDOMAIN
Logon ID (0x0,0x1D339D3)
Logon Type 3
Workstation Name
Caller Domain
Caller Logon ID
Caller Process ID
Transited Services
Examination of this log record shows the same type of information as in the previous log entry:
• Confirm that the user name is correct; it is the mydomain\pscexec account that logged on
over the network to the front-end Web server running Office SharePoint Server 2007 that is
hosting the portal site.
• Confirm that the logon type is 3; a logon type 3 is a network logon.
• Confirm that the logon process and authentication package both use Kerberos
authentication. This confirms that Kerberos authentication is being used to access your portal
site.
• Confirm that the Source Network Address matches the IP address of the computer from
which the connection was made.
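The four checks in this list, and the identical checks for Central Administration earlier in this section, can be scripted so that every network logon for the test account is classified by the authentication package that produced it. The following PowerShell function is an added example and is not part of this guide or of Office SharePoint Server; it assumes PowerShell 2.0 and the right to read the Security log on the named server. It reads Event ID 540, the Windows Server 2003 event shown in the tables above, and also accepts Event ID 4624, which is the equivalent event on Windows Server 2008 and later (an assumption about the operating systems in your farm). The server, account and client IP values are the example names from this section and are parameters.

```powershell
# Added example; not part of the Office SharePoint Server 2007 deployment guide.
# Lists successful network logons from a server's Security log and classifies each
# by authentication package, so you can confirm that a browse to Central
# Administration or the portal site was authenticated with Kerberos and not NTLM.
# Event ID 540 is what Windows Server 2003 logs (as shown in the guide); 4624 is the
# equivalent on Windows Server 2008 and later (assumption about your farm's OS).
# Requires PowerShell 2.0 and the right to read the remote Security log (assumption).

function Get-LogonField([string]$Message, [string]$Name) {
    # Pull one "Name:<tab>value" field out of the event description text.
    if ($Message -match ('(?m)^\s*' + $Name + ':\s*(\S*)')) { $matches[1] } else { '' }
}

function Get-NetworkLogonAuth {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # e.g. MOSSADMIN or mossfe1
        [string]$UserName     = 'pscexec',          # account that browsed to the site
        [string]$SourceIP     = '',                 # browsing client's IP; '' skips that check
        [int]$Newest          = 1000                # how far back in the Security log to scan
    )

    Get-EventLog -LogName Security -ComputerName $ComputerName -Newest $Newest |
        Where-Object { $_.EntryType -eq 'SuccessAudit' -and ($_.EventID -eq 540 -or $_.EventID -eq 4624) } |
        ForEach-Object {
            $m = $_.Message
            # 540 labels the account "User Name"; 4624 has two "Account Name" fields, the
            # first of which (the Subject) is "-" for a network logon, so take the last real one.
            $names = [regex]::Matches($m, '(?m)^\s*(?:User Name|Account Name):\s*(\S+)') |
                     ForEach-Object { $_.Groups[1].Value } | Where-Object { $_ -ne '-' }
            $user  = if ($names) { @($names)[-1] } else { '' }
            $logonProcess = Get-LogonField $m 'Logon Process'
            $authPackage  = Get-LogonField $m 'Authentication Package'
            New-Object PSObject -Property @{
                Time        = $_.TimeGenerated
                EventID     = $_.EventID
                User        = $user
                LogonType   = (Get-LogonField $m 'Logon Type')
                LogonProc   = $logonProcess
                AuthPackage = $authPackage
                SourceIP    = (Get-LogonField $m 'Source Network Address')
                # Both fields must say Kerberos; NtLmSsp/NTLM means the browser fell back to NTLM.
                Kerberos    = ($logonProcess -ieq 'Kerberos' -and $authPackage -ieq 'Kerberos')
            }
        } |
        Where-Object {
            $_.User -ieq $UserName -and $_.LogonType -eq '3' -and
            ($SourceIP -eq '' -or $_.SourceIP -eq $SourceIP)
        }
}

# Usage, with the guide's example names; any row whose Kerberos column is False
# is a network logon that used NTLM instead and should be investigated.
Get-NetworkLogonAuth -ComputerName 'mossfe1' -UserName 'pscexec' |
    Sort-Object Time -Descending |
    Format-Table Time, EventID, User, LogonType, LogonProc, AuthPackage, SourceIP, Kerberos -AutoSize
```

Run it against each front-end Web server in turn, because the load balancer decides which server records the logon. Passing the browsing computer's address in -SourceIP adds the Source Network Address check from the list above; a row with Logon Process NtLmSsp and Authentication Package NTLM is the fallback you want to rule out.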
If the home page of the portal site fails to render, and displays an “unauthorized” error message,
then Kerberos authentication is failing. There are usually only a couple of causes for this:
• The SPN in Active Directory was not registered for the correct account. It should have
been registered for mydomain\portalpool, for the Web application of the portal site.
• The SPN in Active Directory does not match the SPN being constructed by Internet
Explorer or is invalid for another reason. In this case, because you are using IIS host headers
without explicit port numbers, the SPN registered in Active Directory differs from the IIS host
header specified when you extended the Web application. You need to correct this to get
Kerberos authentication working.
Note:
A diagnostic aid you could use to see what is going on over the network is a network
sniffer such as Microsoft Network Monitor to take a trace during browsing to Central
Administration. After the failure, examine the trace and look for KerberosV5 Protocol
packets. You should find a packet with an SPN constructed by Internet Explorer. If that
SPN does not contain a port number, then you need to apply the fix described in the
section Configure Internet Explorer to include port numbers in Service Principal Names. If
the SPN in the trace looks correct, then either the SPN in Active Directory is invalid or the
SPN has been registered for the wrong account.
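Both failure causes named above, and the same two named for Central Administration earlier in this section, come down to what is registered in Active Directory: the SPN is absent, is on the wrong account, or is held by more than one account, and the form without a port number may be the only one that exists. The following PowerShell script is an added example, not part of this guide, that looks up each expected SPN in the directory and reports which case applies. It assumes PowerShell 2.0 on a domain-joined machine, run as a user who can read the directory. The expected owners are the accounts this section names; the exact SPN strings are this example's assumption about what Internet Explorer builds from the section's URLs, and you should edit the map to match your farm.

```powershell
# Added example; not part of the deployment guide. For each SPN a browser will
# construct for a Kerberos-authenticated Web application, reports whether it is
# registered in Active Directory, on which account, and whether it is duplicated,
# which are the failure causes listed in the guide. Requires PowerShell 2.0 on a
# domain-joined machine, run as a user who can read the directory (assumption).
# Expected owners come from the guide's examples; the exact SPN strings are this
# example's assumption about what Internet Explorer builds from the guide's URLs.

$ExpectedSpns = @{
    'HTTP/mossadmin.mydomain.net:10000' = 'mossfarmadmin'  # Central Administration on port 10000
    'HTTP/kerbportal.mydomain.net'      = 'portalpool'     # portal Web application on port 80
}

function Find-SpnOwners([string]$Spn) {
    # sAMAccountName of every directory object holding this SPN (Kerberos needs exactly one).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['samaccountname'][0] }
}

function Test-SpnRegistration([hashtable]$Expected) {
    foreach ($spn in $Expected.Keys) {
        $owners = @(Find-SpnOwners $spn)
        if ($owners.Count -eq 0) { $status = 'MISSING' }
        elseif ($owners.Count -gt 1) { $status = 'DUPLICATE' }
        elseif ($owners[0] -ine $Expected[$spn]) { $status = 'WRONG ACCOUNT' }
        else { $status = 'OK' }

        # When the expected SPN carries a port, also look up the port-less form: that is the
        # SPN a browser sends when it is not configured to include port numbers, so a
        # port-less registration alongside a missing port-bearing one explains a mismatch.
        $portless = $spn -replace ':\d+$', ''
        $portlessOwners = if ($portless -ne $spn) { @(Find-SpnOwners $portless) } else { @() }

        New-Object PSObject -Property @{
            SPN            = $spn
            Expected       = $Expected[$spn]
            RegisteredOn   = ($owners -join ', ')
            Status         = $status
            PortlessFormOn = ($portlessOwners -join ', ')
        }
    }
}

Test-SpnRegistration $ExpectedSpns |
    Format-Table SPN, Expected, RegisteredOn, Status, PortlessFormOn -AutoSize
```

A DUPLICATE result is worth treating as seriously as MISSING: the KDC cannot choose between two accounts holding the same SPN, and the symptom in the browser is the same unauthorized error. Compare the Status column with the SPN you see in a Network Monitor trace to decide whether the fix belongs in Internet Explorer's port handling or in the directory.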
After you have Kerberos authentication working for your portal site, go to your Kerberos-
authenticated My Site and the Shared Services Administration site using the following URLs:
• http://kerbmysite.mydomain.net
• http://kerbsspadmin.mydomain.net/ssp/admin
Note:
The first time you access the My Site URL, it will take some time for Office SharePoint
Server 2007 to create a My Site for the logged-on user. However, it should succeed, and
the My Site page for that user should render.
These should both work correctly. If they don’t, refer to the preceding troubleshooting steps.
Confirm correct Search Indexing functionality
Confirm that Search Indexing is successfully crawling the content hosted on this farm. This
step must be completed before you confirm the Search Query results for users accessing the sites
using Kerberos authentication.
Note:
This section does not provide an in-depth description of the user interface. Only high-
level instructions are provided. You should be familiar with Central Administration and
how to perform the required steps before you proceed.
1. Access the Shared Services Administration site Web application at
http://kerbsspadmin.mydomain.net/ssp/admin.
2. On this page, click Search Settings.
3. On the subsequent page, click Content Sources and Crawl Schedules.
4. On the subsequent page, open the edit control block (ECB) drop-down menu for the Office
SharePoint Server Content Sources item, and then select Start Full Crawl.
5. Wait for the crawl to complete. If the crawl fails, you must investigate and correct the
failure, and then run a full crawl. If the crawl fails with "access denied" errors, it is either
because the crawling account does not have access to the content sources, or because
Kerberos authentication has failed. Whatever the cause, this error must be corrected before
proceeding to subsequent steps.
You must complete a full crawl of the Kerberos-authenticated Web applications before
proceeding.
Configure your SSP infrastructure for Kerberos
authentication
Note:
This is an optional procedure that requires installation of the Infrastructure Update for
Microsoft Office Servers. Without the installation of the Infrastructure Update for Microsoft
Office Servers, Kerberos authentication cannot be correctly configured for Office
SharePoint Server 2007.
The Infrastructure Update for Microsoft Office Servers includes a new, custom-format SPN for
Kerberos authentication for the SSP infrastructure. This custom-format SPN introduces a new
Service Class: MSSP. The custom-format SPN is in the following format: MSSP/<host:port>/<SSP
name>.
This new custom-format SPN sets a .NET Framework property to direct the .NET Framework to
use a specific SPN for a given URI. It is the .NET Framework that is used to make inter-server
calls to the Office SharePoint Server 2007 SSP infrastructure Web services.
If you examine the SSP infrastructure on an Office SharePoint Server 2007 application server,
you will see that there is a Search shared service at both the root level and the virtual directory
level in IIS. There is also an Excel Calculation Services (ECS) shared service at the virtual
directory level in IIS. After the SSP infrastructure is configured for Kerberos authentication,
Kerberos will be used for accessing shared services at both the root level and the virtual directory
level.
You do not need to register SPNs for the root-level Web services. You only need to register SPNs
for the virtual-directory-level Web services. This is because when joining a computer to a domain,
a HOST-class SPN is automatically registered for the computer account in the domain, and the
SPN will work for the root-level Web service. However, you do need to register SPNs
corresponding to the virtual directories that actually correlate to the SSPs in your farm.
To successfully configure your SSP infrastructure for Kerberos authentication you must perform
the following steps:
1. Register new custom-format SPNs for your SSP service account in Active Directory.
2. Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos
authentication.
3. Add a new registry key to all of your servers running Office SharePoint Server 2007 to
enable the generation of new custom-format SPNs.
4. Confirm Kerberos authentication for root-level shared Web service access.
5. Confirm Kerberos authentication for virtual-directory-level shared Web service access.
Note:
In the preceding procedure, steps 4 and 5 pertain to the searchadmin.asmx shared Web
service. This Search-related shared Web service is located at both the root level of the
SSP infrastructure and at the virtual directory level of the SSP infrastructure. The root-
level Search shared service can be thought of as a global Web service that pertains to
the configuration of the Office SharePoint Server 2007 Search service settings at the
Services on Server level in Office SharePoint Server 2007 Central Administration. The
virtual-directory-level Search shared service corresponds to a specific SSP in your farm,
and is used when configuring Search settings specific to that SSP on the Shared
Services Administration site. When performing the steps to verify Kerberos authentication
for root-level shared services access, you will not see the generation or use of the new-
format SPNs. You will only see the new-format SPNs when accessing the virtual directory
level Web service; however, you need to verify that access to the shared service works at
both levels.
Caution:
Incorrectly editing the registry might severely damage your system. Before making
changes to the registry, you should back up any valued data on the computer.
Confirm Kerberos authentication for root-level
shared services access
To confirm Kerberos authentication for the root-level shared services, perform the following
procedure:
1. Log on to the computer that is hosting the Central Administration Web application. If you
are using the example in this section, log on to MOSSADMIN.
2. Go to Central Administration at http://mossadmin.mydomain.net:10000
3. On the Central Administration home page, click Operations.
4. On the Operations page, click Services on Server.
5. In the Server section, click the drop-down arrow to display the list of servers in the farm,
and then click your Search Query server. If you are using the example in this section, select
MOSSQUERY.
6. After the page refreshes, confirm that you are pointing to the correct query server, and in
the Service section, click Office SharePoint Server Search.
7. Confirm that the Configure Office SharePoint Server Search Service Settings on server
mossquery page is displayed.
8. Perform the following steps to confirm that Kerberos authentication was used to render
the page:
• Log on to your Search Query server (in the example in this section, the server named
MOSSQUERY).
• Run the Windows event viewer.
• Examine the Security event log.
• You should see a log record that is similar to the data shown in the following table:
Event ID 540
Date 5/6/2008
Time 12:12:17 PM
User MYDOMAIN\pscexec
Computer MOSSQUERY
Description
An example of a successful network logon is depicted in the following table.
Domain MYDOMAIN
Logon ID (0x0,0x7252B10)
Logon Type 3
Workstation Name
Caller Domain
Caller Logon ID
Caller Process ID
Transited Services
Important:
Repeat this procedure for your Search Indexing server to confirm that the page renders
and that there is a security event viewer log record indicating that the Kerberos
authentication package was used for accessing the page.
3. On the front-end Web server that is responding to the request, run Network Monitor and
apply a capture filter to capture KerberosV5 protocol packets. Using Network Monitor 3.2, this
capture filter would be protocol.KerberosV5.
4. Start a Network Monitor sniff.
5. On the Shared Services Administration site home page, click Search Settings.
6. Confirm that the Search Settings page is displayed.
7. Stop the sniff and examine captured packets. You should see Kerberos protocol packets
with descriptions that are similar to those shown in the following example:
The Sname value in the preceding example (MSSP/mosscrawl:56738/SSP1) is the new-format
SPN being generated and sent to the Kerberos KDC as a result of the changes included in the
Infrastructure Update for Microsoft Office Servers.
Log on to your index server (in the example in this section, the index server is MOSSCRAWL).
Run the event viewer and examine the security log. You should see an entry that is similar to the
data shown in the following table:
Event ID 540
Date 5/6/2008
Time 1:21:04 PM
User MYDOMAIN\sspadminpool
Computer MOSSCRAWL
Description
Domain MOSSCRAWL
Logon ID (0x0,0xD84A6)
Logon Type 3
Workstation Name
Caller User Name
Caller Domain
Caller Logon ID
Caller Process ID
Transited Services
Configuration limitations
There are a few configuration limitations with respect to utilizing Kerberos authentication for the
SSP infrastructure using the Infrastructure Update for Microsoft Office Servers:
• The host name portion of the new-format SPNs that are created will be the NetBIOS
name of the host running the service, for example: MSSP/kerbtest4:56738/SSP1. This is
because the host names are fetched from the Office SharePoint Server 2007 configuration
database, and only NetBIOS computer names are stored there. This might be ambiguous in
certain scenarios. Currently, the Stsadm command-line operation for renaming a server
running Office SharePoint Server 2007 cannot be used successfully to rename such a server,
so there is no workaround for this issue.
• Do not use SSP names containing extended characters. An SPN with an SSP name
containing extended characters cannot be selected as the target for delegation. Therefore,
avoid using extended characters in your SSP names.
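The steps listed under "Configure your SSP infrastructure for Kerberos authentication" and the two limitations above determine what the new-format SPNs must look like: MSSP/<host:port>/<SSP name>, with the NetBIOS host name, registered on the SSP service account, and with no extended characters in the SSP name. The following PowerShell script is an added example, not part of this guide, that builds those SPNs for each application server and SSP, rejects inputs that hit either limitation, and reports which of them are already registered on the service account. The account sspsvc, the server names and the port 56738 are the example values from this section; the list of application servers, and PowerShell 2.0 on a domain-joined machine, are this example's assumptions.

```powershell
# Added example; not part of the deployment guide. Builds the new-format
# MSSP/<host:port>/<SSP name> SPNs that the Infrastructure Update makes the SSP
# infrastructure request, rejects inputs that hit the documented limitations, and
# checks which of them are registered on the SSP service account. The account
# sspsvc, the server names and the port 56738 are the guide's example values; the
# list of application servers and PowerShell 2.0 on a domain-joined machine are
# assumptions of this example.

$SspServiceAccount = 'sspsvc'
$SspWebServicePort = 56738
$AppServers        = @('MOSSCRAWL', 'MOSSQUERY')   # index and query servers, NetBIOS names
$SspNames          = @('SSP1')

function New-MsspSpn([string]$NetBiosHost, [int]$Port, [string]$SspName) {
    # Host must be the NetBIOS name: that is what the configuration database stores
    # and therefore what the servers will request, so an FQDN here would never match.
    if ($NetBiosHost -match '\.') { throw "Use the NetBIOS name, not an FQDN: $NetBiosHost" }
    # SSP names with extended characters cannot be selected as a delegation target.
    if ($SspName -notmatch '^[\x20-\x7E]+$') {
        throw "SSP name '$SspName' contains extended characters; choose an ASCII-only name"
    }
    'MSSP/{0}:{1}/{2}' -f $NetBiosHost.ToLower(), $Port, $SspName
}

function Get-AccountSpns([string]$SamAccountName) {
    # All SPNs currently registered on one account (what "setspn -L" would list).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$SamAccountName)")
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    $result = $searcher.FindOne()
    if ($result) { foreach ($v in $result.Properties['serviceprincipalname']) { [string]$v } }
}

function Test-MsspSpns {
    $registered = @(Get-AccountSpns $SspServiceAccount)
    foreach ($server in $AppServers) {
        foreach ($ssp in $SspNames) {
            $spn = New-MsspSpn $server $SspWebServicePort $ssp
            New-Object PSObject -Property @{
                Server     = $server
                SSP        = $ssp
                SPN        = $spn
                Registered = [bool]($registered -icontains $spn)
            }
        }
    }
}

# Any row with Registered = False still needs the SPN added to the SSP service account
# before the virtual-directory-level shared Web service will authenticate with Kerberos.
Test-MsspSpns | Format-Table Server, SSP, SPN, Registered -AutoSize
```

The root-level shared Web service is deliberately not in this list: as the section explains, the HOST SPN that domain join registers on each computer account already covers it, so only the virtual-directory-level SPNs need to be present on the service account.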
Windows Server 2003: Event ID 10017 error messages are logged in the System log after you
install Windows SharePoint Services 3.0
(http://go.microsoft.com/fwlink/?LinkId=120456&clcid=0x409)
SQL Server: How to make sure that you are using Kerberos authentication when you create a
remote connection to an instance of SQL Server 2005
(http://go.microsoft.com/fwlink/?LinkId=85942&clcid=0x409)
SQL Server: How to configure SQL Server 2005 Analysis Services to use Kerberos
authentication (http://go.microsoft.com/fwlink/?LinkId=120459&clcid=0x409)
Windows Internet Explorer: Internet Explorer 6 cannot use the Kerberos authentication protocol
to connect to a Web site that uses a non-standard port in Windows XP and in Windows Server
2003 (http://go.microsoft.com/fwlink/?LinkId=99681&clcid=0x409)
Windows Internet Explorer: Error message in Internet Explorer when you try to access a Web
site that requires Kerberos authentication on a Windows XP-based computer: "HTTP Error 401 -
Unauthorized: Access is denied due to invalid credentials"
(http://go.microsoft.com/fwlink/?LinkId=120462&clcid=0x409)
Run the Best Practices Analyzer tool
You can run the Best Practices Analyzer tool to check for common issues and best security
practices. The tool generates a report that can help you optimize the configuration of your
system. The tool can be run locally or from a server that is not attached to the server farm. To
download the tool, click Microsoft Best Practices Analyzer for Windows SharePoint Services 3.0
and the 2007 Microsoft Office System (http://go.microsoft.com/fwlink/?
LinkID=83335&clcid=0x409).
Configure usage reporting
In this section:
• About usage reporting
• Configure Windows SharePoint Services usage logging
• Enable usage reporting
• Activate usage reporting
• Monitor usage reporting
• Queries per search scope over the previous 30 days.
Site collection administrators for the SSP site can view a usage summary page that tracks the
following information:
• Total amount of storage used by the site collection.
• Percent of storage space used by Web Discussions.
• Maximum storage space allowed.
• Number of users for all sites in the hierarchy.
• Total hits and recent bandwidth usage across all sites.
Site collection administrators can also view a site usage report that includes monthly and daily
page hit totals filtered by the following criteria:
• Page
• User
• Operating system
• Browser
• Referrer URL
Usage reporting is very useful for managing complex site hierarchies with many sites, a large
number of page hits, and a large number of search queries, and it is recommended that the
service be enabled for deployments of complex site hierarchies. For less complex deployments,
usage reporting might not be necessary. It is also possible to disable the service temporarily to
conserve resources when those resources are needed for other processes.
tool, see Usage Analysis: Stsadm properties (http://technet.microsoft.com/en-
us/library/cc263478.aspx).
If advanced usage analysis processing is not selected, usage reporting statistics will be minimal.
For information about how to perform this procedure using the Stsadm command-line tool, see
Usage Analysis: Stsadm properties (http://technet.microsoft.com/en-us/library/cc263478.aspx).
Monitor usage reporting
Usage reporting can be viewed in several places:
• Site administrators, including administrators of the SSP administration site, can view
usage reporting for their site by clicking Site usage reports in the Site Administration
section of the Site Settings page.
• Site collection administrators can view usage reporting by clicking Site collection usage
reports in the Site Collection Administration section of the Site Settings page.
• Site collection administrators for the SSP administration site can view a usage summary
by clicking Usage summary in the Site Collection Administration section of the Site
Settings page.
• SSP administrators for search can view search usage reports by clicking Search usage
reports in the Search section of the SSP home page.
For information about how to perform this procedure using the Stsadm command-line tool,
see Usage Analysis: Stsadm properties (http://technet.microsoft.com/en-
us/library/cc263478.aspx).
V. Deploy and configure SharePoint sites
Chapter overview: Deploy and configure
SharePoint sites
After you have installed Microsoft Office SharePoint Server 2007, configured shared services,
and performed the other configuration tasks for your servers, you are ready to begin creating
SharePoint sites.
In this chapter:
• Create or extend Web applications SharePoint sites are hosted by Web applications, so
you must create one or more Web applications before you can create any sites. This section
covers how to create a Web application, or how to extend a Web application to host the same
content as another Web application.
• Create zones for Web applications Each Web application can have as many as five
zones, and each zone can have a different authentication method. A default zone is
automatically created when you create a Web application. This section helps you configure
any additional zones you need.
• Configure alternate access mapping Alternate access mapping enables you to assign
different URLs to the same site (for example, you can configure access via the HTTP protocol
for internal users and via the HTTPS protocol for external users). Alternate access mapping
settings are configured per zone at the Web application level. Although the settings can be
configured at any time, it is useful to configure alternate access mapping before you create
your SharePoint sites. This section helps you configure alternate access mapping for a Web
application.
• Create quota templates Quota templates enable you to set a limit on how large a site
collection can become. This section helps you configure the quota templates that you want to
use for any site collections you create.
• Create a site collection After you have configured the settings that the previous articles
describe, you can create a site collection. This section helps you create a site collection from
Central Administration and assign primary and secondary owners. If you want to allow users
to create their own sites, you need to configure Self-Service Site Management for the Web
application. For more information about choosing a method to use for site creation, see Plan
process for creating sites (http://technet.microsoft.com/en-us/library/cc263483.aspx).
• Create a blank site to migrate content into If you are moving a site collection from one
Web application or server farm to another, or using the content deployment features to deploy
an existing site collection to a new site collection on a different server farm or Web
application, you need to create a blank site collection as the destination for the content. This
section helps you create a blank site collection, either for migrating sites or for content
deployment.
• Add site content After you have created your site collection, you can begin adding site
content. This section provides links to information that can help you add content to your sites.
• Enable access for end users After you have created your site, you can add users and
grant them access to the site. This section helps you add users to a site collection.
Create or extend Web applications
Before you can create a site or a site collection, you must first create a Web application. A Web
application consists of an Internet Information Services (IIS) site with a unique application
pool and can be assigned to an SSP (Shared Services Provider) to enable features such as
InfoPath Forms Services, Excel Calculation Services, and Workflows.
In this section:
• Create a new Web application
• Extend an existing Web application
a. In the Authentication Provider section, choose either Negotiate (Kerberos) or
NTLM.
b. In the Allow Anonymous section, choose Yes or No. If you choose to allow
anonymous access, this enables anonymous access to the Web site using the
computer-specific anonymous access account (that is, IUSR_<computername>).
c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you
choose to enable SSL for the Web site, you must configure SSL by requesting and
installing an SSL certificate.
7. In the Load Balanced URL section, type the URL for the domain name for all sites
that users will access in this Web application. This URL domain will be used in all links
shown on pages within the Web application. By default, the box is populated with the
current server name and port.
The Zone box is automatically set to Default for a new Web application, and cannot be
changed from this page. To change the zone for a Web application, see Extend an
existing Web application later in this section.
8. In the Application Pool section, choose whether to use an existing application pool
or create a new application pool for this Web application. To use an existing application
pool, select Use existing application pool. Then select the application pool you wish to
use from the drop-down menu.
a. To create a new application pool, select Create a new application pool.
b. In the Application pool name box, type the name of the new application pool, or
keep the default name.
c. In the Select a security account for this application pool section, select
Predefined to use an existing application pool security account, and then select the
security account from the drop-down menu.
d. Select Configurable to use an account that is not currently being used as a
security account for an existing application pool. In the User name box, type the user
name of the account you wish to use, and type the password for the account into the
Password box.
9. In the Reset Internet Information Services section, choose whether to allow
Windows SharePoint Services to restart IIS on other farm servers. The local server must
be restarted manually for the process to finish. If this option is not selected and you have
more than one server in the farm, you must wait until the IIS Web site is created on all
servers and then run iisreset /noforce on each Web server. The new IIS site is not
usable until that action is completed. The choices are unavailable if your farm only
contains a single server.
10. Under Database Name and Authentication, choose the database server, database
name, and authentication method for your new Web application.
11. Click OK to create the new Web application, or click Cancel to cancel the process
and return to the Application Management page.
Configure alternate access mapping
Each Web application can be associated with a collection of mappings between internal and
public URLs. Both internal and public URLs consist of the protocol, host and port portion of the
full URL (for example, https://www.fabrikam.com). A public URL is what users type to reach the
SharePoint site, and it is the URL that appears in the links on the pages that are returned. An
internal URL is the URL that actually arrives in the request at a Web server; it differs from the
public URL whenever a load balancer, reverse proxy or SSL terminator rewrites the host header
before the request reaches SharePoint. Many internal URLs can therefore be associated with a
single public URL in a multi-server farm (for example, when a load balancer forwards requests to
the individual IP addresses or host names of the servers in the load-balancing cluster).
Each Web application supports five such collections of mappings, one per zone (default,
intranet, extranet, Internet, and custom). When the Web application receives a request on an
internal URL that belongs to a particular zone, the links on the pages returned to the user are
rewritten to the public URL for that zone. Each zone also carries its own authentication
settings, so the zone that an incoming host name is mapped to determines not only which links
users see but also how they are authenticated. For more information, see Plan alternate access
mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).
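The following Windows PowerShell script is an added example and is not part of this guide or of
the product; it wraps the stsadm.exe operations that perform the mapping described above. The
names are assumptions: the Web application is already reachable at http://portal-internal
(its default zone), users type https://www.fabrikam.com, and the load balancer forwards requests
to the Web servers as http://web01 and http://web02. stsadm.exe must be on the PATH (it is
installed under %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\12\BIN), and the
script requires Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the guide): map the host names a load balancer presents to the
# Web servers onto one public URL in the Internet zone, then list the result.
# Assumed values: default-zone URL http://portal-internal, public URL https://www.fabrikam.com,
# internal (load-balanced) URLs http://web01 and http://web02.
$webApp    = "http://portal-internal"
$zone      = "Internet"
$publicUrl = "https://www.fabrikam.com"
$internal  = @("http://web01", "http://web02")

# Run stsadm and stop the script on the first non-zero exit code.
function Invoke-Stsadm {
    & stsadm.exe $args
    if ($LASTEXITCODE) { throw "stsadm exited with code $LASTEXITCODE" }
}

# 1. Public URL for the zone: what users type and what page links are rewritten to.
Invoke-Stsadm -o addzoneurl -url $webApp -urlzone $zone -zonemappedurl $publicUrl

# 2. Internal URLs: the protocol, host and port that actually reach each Web server.
#    Every host name the load balancer can send must be listed; pages served through a
#    missing one carry links to an internal name that users cannot reach.
foreach ($u in $internal) {
    Invoke-Stsadm -o addalternatedomain -url $webApp -incomingurl $u -urlzone $zone
}

# 3. Review the mapping table: each internal URL above should show the zone and public URL.
Invoke-Stsadm -o enumalternatedomains -url $webApp
```

Alternate access mappings only tell SharePoint how to interpret and rewrite URLs; they do not
create DNS records, IIS host-header bindings or certificates. The IIS Web site on each server
still needs a binding that accepts the internal host name, and the certificate for
https://www.fabrikam.com belongs on whichever device terminates SSL for the public URL.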
Edit or delete an internal URL
Note:
You cannot delete the last internal URL for the default zone.
1. On the Alternate Access Mappings page, click the internal URL that you want to edit or
delete.
2. In the Edit internal URL section, modify the URL in the URL protocol, host and port
box.
3. In the Zone list, click the zone for the internal URL.
4. Do one of the following:
• Click Save to save your changes.
• Click Cancel to discard your changes and return to the Alternate Access Mappings
page.
• Click Delete to delete the internal URL.
2. On the Create External Resource Mapping page, in the Resource Name box, type a
unique name.
3. In the URL protocol, host and port box, type the initial URL.
4. Click Save.
Create zones for Web applications
If your solution architecture includes Web applications with more than one zone, use the
guidance in this section to create additional zones.
Create quota templates
In this section:
• Create a new quota template
• Edit an existing quota template
• Delete a quota template
A quota template consists of storage limit values that specify how much data can be stored in a
site collection and the storage size that triggers an e-mail alert to the site collection administrator
when that size is reached. You can create a quota template that can be applied to any site
collection in the farm.
Note:
When you apply a quota template to a site collection, the storage limit applies to the site
collection as a whole. In other words, the storage limit applies to the sum of the content
sizes for the top-level site and all subsites within the site collection.
You can also modify existing quota templates. When a quota template is modified, the new
storage limits you defined in the template will apply to any new site collection you create that uses
that quota template. However, existing site collections to which the quota template has been
previously applied will not be automatically updated to reflect the new storage limits.
b. If you want an e-mail to be sent to the site collection administrator when a certain
storage threshold is reached, click the Send warning E-mail when site storage
reaches check box and type the threshold in megabytes into the text box.
7. Click OK to create the new quota template, or click Cancel to cancel the operation and
return to the Application Management page.
Create a site collection
When you create a site collection, you also create the top-level site within that site collection.
Select the appropriate template for your scenario, such as: Publishing Portal for an Internet
presence Web site, or Collaboration Portal for an Intranet portal Web site.
Note:
The paths available for the URL option are taken from the list of managed paths
that have been defined as wildcard inclusions. For more information about
managed paths, see Define managed paths in the Central Administration Help
(http://technet.microsoft.com/en-us/library/cc263179.aspx) system.
6. In the Template Selection section, in the Select a template list, select the template
that you want to use for the top-level site in the site collection.
7. In the Primary Site Collection Administrator section, enter the user name (in the
form DOMAIN\username) for the user who will be the site collection administrator.
8. If you want to identify a user as the secondary owner of the new top-level Web site
(recommended), in the Secondary Site Collection Administrator section, enter the
user name for the secondary administrator of the site collection.
9. If you are using quotas to limit resource use for site collections, in the Quota
Template section, click a template in the Select a quota template list.
10. Click OK.
For information about how to perform this procedure by using the Stsadm command-line
tool, see Createsite: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262594.aspx).
Create a blank site to migrate content into
You must create the site collection that is assigned as the destination for content migration by
using the Blank Site template.
Note:
The paths available for the URL option are taken from the list of managed paths
that have been defined as wildcard inclusions. For more information about
managed paths, see the topic Define managed paths in the Central
Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx)
system.
7. In the Template Selection section, in the Select a template list, on the
Collaboration tab, click Blank Site.
8. In the Primary Site Collection Administrator section, specify the user name for the
user who will be the site collection administrator.
You can type the user name in the User name box or use the Browse button to search
for a user.
9. If you want to designate a user as the secondary administrator of the new top-level
Web site (recommended), in the Secondary Site Collection Administrator section,
specify the user name for the secondary administrator of the site collection.
10. If you want to use a quota to limit resource use for site collections, in the Quota
Template section, select a template in the Select a quota template list.
11. Click OK.
For information about how to perform this procedure using the Stsadm command-line
tool, see Createsite: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262594.aspx) and Addpath: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc263161.aspx).
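The following Windows PowerShell script is an added example, not part of this guide, that
performs the two procedures above (Create a site collection and Create a blank site to migrate
content into) with the Createsite and Addpath operations the guide links to. All values are
assumptions: the Web application http://portal.fabrikam.com, a new wildcard managed path named
migrate, a quota template named Standard that already exists, and the two administrator accounts.
The flag names are those documented for Createsite and Addpath; check stsadm -help createsite on
your farm before running it. stsadm.exe must be on the PATH.

```powershell
# Added example (not from the guide): create a migration-target site collection from the
# command line with a primary and secondary administrator and a quota template.
# Assumed values: Web application, managed path, quota template name and accounts.
$webApp      = "http://portal.fabrikam.com"
$managedPath = "migrate"
$siteUrl     = "$webApp/$managedPath/intranet"

# Run stsadm and stop the script on the first non-zero exit code.
function Invoke-Stsadm {
    & stsadm.exe $args
    if ($LASTEXITCODE) { throw "stsadm exited with code $LASTEXITCODE" }
}

# The URL option in Central Administration offers only wildcard-inclusion managed paths,
# so define one first (the built-in "sites" wildcard path already exists on every Web
# application and could be used instead).
Invoke-Stsadm -o addpath -url "$webApp/$managedPath" -type wildcardinclusion

# STS#1 is the Blank Site template that a content-migration destination must use. The other
# templates named in the text are BLANKINTERNET#0 (Publishing Portal) and SPSPORTAL#0
# (Collaboration Portal). A secondary administrator is set so that the site collection
# does not depend on a single account.
Invoke-Stsadm -o createsite -url $siteUrl -sitetemplate "STS#1" -title "Intranet (migration target)" `
    -ownerlogin "FABRIKAM\spadmin1"     -owneremail "spadmin1@fabrikam.com" `
    -secondarylogin "FABRIKAM\spadmin2" -secondaryemail "spadmin2@fabrikam.com" `
    -quota "Standard"
```

The quota template applies to the whole site collection, as the quota section notes, so the
storage consumed by the migrated content and every subsite counts against the Standard limit
from the moment the import completes.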
Add site content
In this section:
• Use Web site designers to design and add content
• Migrate content from another site
• Allow users to add content directly
There are several methods that you can use to add content to sites, including:
• Using Web site designers to design and add content.
• Migrating content from another site.
• Allowing users to add content directly.
Depending on your scenario, you may find particular methods more appropriate.
Use Web site designers to design and add content when you are working with:
• A published intranet portal site
• A published Internet Web site
Migrate content from another site when you are working with:
• A published Internet site in which authors create content in the authoring site. After you
migrate content, you use content deployment to deploy the content to the production site.
• A site or set of sites that is being reorganized.
Allow users to add content directly when you are working with:
• A collaboration site in which the site owner can create the lists and libraries that are
needed, and then grant site members access so that they can begin contributing content.
• A blog site in which the blog owner can set up the structure for the blog, and then start
creating posts.
• A wiki site in which the wiki site owner can grant access to users and the users can start
creating topics in the wiki.
Migrate content from another site
When you are using a published site, you can author content in one site collection and then
publish it to another. For this scenario, you must create a blank site collection to migrate the
content into. For more information, see Create a blank site to migrate content into.
If you are reorganizing an existing site and need to migrate content to a different site collection,
you can use several methods to migrate the content. You can use:
• The Export and Import operations for the Stsadm command-line tool to migrate site
  collections or subsites. For more information about using Stsadm operations, see the
  following resources:
  • Export: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262759.aspx)
  • Import: Stsadm operation (http://technet.microsoft.com/en-us/library/cc261866.aspx)
• The Content Migration object model to programmatically move content at any level in the
  site (Web site, list, library, folder, file, or list item). For more information about
  using the Content Migration object model, see "Content Migration Overview" in the Windows
  SharePoint Services 3.0 Software Development Kit
  (http://go.microsoft.com/fwlink/?LinkId=86999&clcid=0x409).
• Microsoft Office SharePoint Designer 2007 to migrate individual lists or libraries to the
  appropriate place in the new site hierarchy. For more information about using Office
  SharePoint Designer 2007, see the following articles in the Office SharePoint Designer
  2007 Help system:
  • Export or import a Web package (http://go.microsoft.com/fwlink/?LinkId=87002&clcid=0x409)
  • Back up, restore, or move a SharePoint site
    (http://go.microsoft.com/fwlink/?LinkId=87003&clcid=0x409)
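The following Windows PowerShell script is an added example, not part of this guide, that
carries out the Stsadm Export and Import path listed above. The source and destination URLs and
the package path are assumptions, and the destination is assumed to have been created empty with
the Blank Site template as described earlier. stsadm.exe must be on the PATH.

```powershell
# Added example (not from the guide): move a site collection with the Export and Import
# operations. Assumed values: source URL, destination URL and package path.
$source  = "http://dev.fabrikam.com/sites/intranet"
$target  = "http://portal.fabrikam.com/migrate/intranet"
$package = "D:\migration\intranet.cmp"

# Run stsadm and stop the script on the first non-zero exit code.
function Invoke-Stsadm {
    & stsadm.exe $args
    if ($LASTEXITCODE) { throw "stsadm exited with code $LASTEXITCODE" }
}

# -includeusersecurity writes the source's users, groups and permission assignments into the
# package; -versions 4 keeps all versions; -haltonfatalerror fails the export instead of
# leaving a partial package behind; -overwrite replaces any package from an earlier attempt.
Invoke-Stsadm -o export -url $source -filename $package -includeusersecurity `
    -versions 4 -overwrite -haltonfatalerror

# Import replays that security into the destination. When the source is a development or
# pilot environment, every test account and group it contained arrives with it, so the
# permissions of the new site collection must be reviewed before users are let in.
Invoke-Stsadm -o import -url $target -filename $package -includeusersecurity -haltonfatalerror

# The package holds all content plus the permission data, and a large export is split into
# several numbered .cmp files; remove them once the import has succeeded.
Remove-Item "D:\migration\intranet*.cmp"
```

Omitting -includeusersecurity on both sides produces a content-only copy: every imported item is
then owned by the account running the import and permissions come from the destination's
inheritance, which is often the better choice when the source environment's accounts have no
business existing in production.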
Enable access for end users
In this section:
• Add site collection administrators
• Add site owners or other users
After you create your site collection and populate it with content, you are ready to grant access to
end users. This section helps you configure administrative and user permissions for a site
collection. Note that you can also configure permissions for the following securable objects within
a site collection: site, list, library, folder, document, or item. For more information about assigning
permissions for different securable objects within a site collection, see Plan site security
(http://technet.microsoft.com/en-us/library/cc262778.aspx).
In Microsoft Office SharePoint Server 2007, you can enable access to the site collection by using
different methods, based on the type of site collection. The following list describes some
examples of these methods:
• If this is a published site collection intended for an Internet audience, you can publish it to
the blank site collection that you created as a destination by using the content deployment
features. After you publish it, you can then configure the appropriate permissions for the new
environment. For more information about publishing a site collection by using content
deployment, see Plan content deployment (http://technet.microsoft.com/en-
us/library/cc263428.aspx) and the Content Deployment topics in the Central Administration
Help (http://technet.microsoft.com/en-us/library/cc263179.aspx) system.
• If this is a site collection in a development or pilot environment, you can migrate the site
collection to your production environment by using import and export, and then configure the
appropriate permissions for the new environment. For more information about using import
and export, see Export: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262759.aspx) and Import: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc261866.aspx).
• If this is a site collection intended to facilitate collaboration on the intranet, you can easily
add the users and groups that need access to the site collection. This section describes how
to perform these actions.
In most cases, these actions are not performed by farm administrators, but are performed by site
collection administrators or site owners. Moreover, these steps are performed in the site collection
itself, not in Central Administration. (However, you can add site collection administrators by using
Central Administration and by using the Site Settings page in the site collection.) Nonetheless,
this information is presented in the Deployment Guide because it is truly the final stage of
deployment — the stage when the site collection is made available for end users.
This section does not cover how to enable anonymous access. When you create a Web
application, you decide whether to allow anonymous access for site collections on that Web
application. For more information about anonymous access, see the following resources:
• Overview: Plan environment-specific security (http://technet.microsoft.com/en-
us/library/cc262974.aspx)
• Plan authentication settings for Web applications in Office SharePoint Server
(http://technet.microsoft.com/en-us/library/cc263304.aspx)
• Choose which security groups to use (http://technet.microsoft.com/en-
us/library/cc261972.aspx)
• "Enable anonymous access" in the Central Administration Help
(http://technet.microsoft.com/en-us/library/cc263179.aspx) system.
Add site collection administrators
Note:
This procedure uses the Central Administration Web site, but you can also add a site
collection administrator from the top-level site in the site collection by using the Site
Settings page for the top-level site. On the Site Settings page, in the Users and
Permissions section, click Site collection administrators.
Add site owners or other users
If you have not yet set up any groups for this site or site collection, set up groups before
you add users. (You can also add users individually without creating groups, but groups are
far easier to manage.) Use the following procedure to choose which groups hold the site's
visitors, members and owners; it sets up the default groups, and you can create additional
groups later.
Note:
The SiteName Owners group has the Full Control permission level on the site, so you
can add users to that group to give them administrative access for that site. For more
information about groups and permission levels, see Determine permission levels and
groups to use (http://technet.microsoft.com/en-us/library/cc262690.aspx).
After you have configured groups for the site, you can add users and grant them permissions by
using the following procedure.
Note:
In rare cases, you might want to give individual permissions to a user by clicking
Give users permission directly. However, assigning individual permissions to
many users can quickly become difficult and time-consuming to manage. We
recommend that you use groups as much as possible to efficiently manage site
access.
7. Click OK.
For more information about managing users and groups, see "Grant access to the portal site" in
the Help system for Office SharePoint Server 2007.
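The following Windows PowerShell script is an added example, not part of this guide, that does
from the command line what the two procedures in this section do from Central Administration and
the Site Settings page: it sets the primary and secondary site collection administrators and
adds users to the default groups. The site URL, the site title Team Space (the default group
names follow the SiteName Owners pattern described in the note above) and the accounts are
assumptions. The Siteowner operation and the -group option of Adduser are used as I recall their
documented syntax; confirm them with stsadm -help adduser on your farm. stsadm.exe must be on
the PATH.

```powershell
# Added example (not from the guide): set site collection administrators and fill the
# default groups. Assumed values: site URL, site title "Team Space" and the accounts.
$site = "http://portal.fabrikam.com/sites/teamspace"

# Run stsadm and stop the script on the first non-zero exit code.
function Invoke-Stsadm {
    & stsadm.exe $args
    if ($LASTEXITCODE) { throw "stsadm exited with code $LASTEXITCODE" }
}

# Site collection administrators have full control over everything in the site collection
# regardless of site, list or item permissions, so keep this to two named accounts.
Invoke-Stsadm -o siteowner -url $site -ownerlogin "FABRIKAM\jdoe" -secondarylogin "FABRIKAM\asmith"

# Grant access through groups rather than individually: -group adds the user to a SharePoint
# group, whereas -role would assign a permission level directly to the user, which is the
# form the note above discourages. (-group is assumed from the Adduser documentation.)
$members = @(
    @{ Login = "FABRIKAM\bwong"; Email = "bwong@fabrikam.com"; Name = "Bea Wong";  Group = "Team Space Owners"   },
    @{ Login = "FABRIKAM\clee";  Email = "clee@fabrikam.com";  Name = "Chris Lee"; Group = "Team Space Members"  },
    @{ Login = "FABRIKAM\dpark"; Email = "dpark@fabrikam.com"; Name = "Dana Park"; Group = "Team Space Visitors" }
)
foreach ($m in $members) {
    Invoke-Stsadm -o adduser -url $site -userlogin $m.Login -useremail $m.Email `
        -username $m.Name -group $m.Group
}
```

Members of the Owners group hold Full Control on the site, as the note above states; treat that
group with the same care as the site collection administrators, and prefer the Members group for
anyone who only needs to contribute content.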