Bob Mixon Don't Need Me to Help Him But…

He's offering a MOSS deployment class in New York and San Francisco.

Alas, I can't go (short notice) but I did look at the syllabus here.

And it occurred to me that what he's done is given us a pretty good index of what you need to know when you try to persuade people that you're a qualified SharePoint architect.

Better get busy..

-robot

Alternate Access Mappings in MOSS Server Farm

We've struggled through alternate access mappings (AAM) once before on a single server farm but we should take a look at the multi-server farm approach.  I'm not sure I have a complete grip on the topic but I've gotten some sense that I'm getting it correct.

You'll recall we have a total of four web apps:

Central Admin runs on MyWFEServer:63999
Portal runs on MyWFEServer and MySSPServer using a host header Portal.
SSP runs on MyWFEServer and MySSPServer using a host header SSP.
MySite runs on MyWFEServer and MySSPServer using a host header MySite.

The two servers and the DB server run in a domain called MyDomain.Local.  The MyDomain.Local DNS server includes A records that point all three, Portal, SSP and MySite, to the IP address of my WFE server.  MyDomain.Local is piped to the internet using the MyDomain.MyCompany.net URL.

So, there's a fourth computer in the domain that I can log onto and open a browser and point to http://Portal and, since I built the portal using the Enterprise Collaboration template, I see the dorks.  I can also point to http://MySite and I'll get my site except that my administrator has not yet allowed self-service site creation. 

http://SSP still has me a bit confused because I get a 404 unless I browse to http://SSP/SSP/Admin.

Still, all three work. 

So I go to Central Admin and click on Alternate Access Mappings and then Edit Public URLs.  Here, I select my MySite mapping collection and I enter the following:

Default: http://MySite
Intranet: http://MySite.MyDomain.Local
Internet: http://MySite.MyDomain.MyCompany.net

This is where it's cool to have not stolen your IIS default web site for your portal app. When I created my web apps for my SSP, MySite and Portal, I did not use the Default Web site. That site still runs and still displays the Under Construction page when you browse to the server. I have to have either hosts file or DNS support for my host headers and those host headers have to be included on the dialog box you get when you click on the Advanced button on the Web Site tab of the web site's Properties in IIS.

So, in DNS, MySite is the same as MySite.MyDomain.Local and it points to my WFE server's IP address. The Host Header on my MySite web site in IIS tells my WFE server: "When you get a request on Port 80 and the host header is MySite send it to the MySite web site."

Now, when I browse to http://MySite, I get MySite but when I browse to http://MySite.MyDomain.Local, I get Under Construction.  Perfect.  What's happening is the DNS is sending me to the correct IP address but IIS fumbles the host header.  So I add the MySite.MyDomain.Local as a host header using the advanced button on the web site tab of the MySite web site properties.  I reset IIS and try again and…

I get the error that says "Your administrator has not allowed for self-service site creation."  Which is both perfect and perfectly unacceptable.

All I have left is the internet settings and this is a DNS issue for the DNS server that supports MyDomain.MyCompany.net. Those are other cats and they need a help ticket so I'll have to wait for that. But I'll also have to add the new host header to the web sites.

This will leave me with just four issues:

  1. The http://ssp/ssp/admin thing is silly.  I should just be able to browse to http://ssp and land on http://ssp/admin.
  2. When I add the host headers, I have to do it individually to each of my WFE servers.
  3. I'll have to get on that Admin guy about the self service site creation.
  4. The dorks, I really need to figure out how to get them off my portal BEFORE I install it.
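The host header problem above (and issue 2 in the list) can be checked mechanically. This is an added example, not part of the original post: it compares the public URLs entered in Alternate Access Mappings with the host headers bound on each WFE. The per-server inventory is constructed for illustration, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Public URLs entered under "Edit Public URLs" for the MySite collection (from the post).
AAM_PUBLIC_URLS = {
    "Default": "http://MySite",
    "Intranet": "http://MySite.MyDomain.Local",
    "Internet": "http://MySite.MyDomain.MyCompany.net",
}

# Constructed inventory of host headers on the MySite web site of each WFE,
# as an admin might collect by hand from IIS. MyWFEServer has had the
# intranet header added; MySSPServer has not been touched yet.
IIS_HOST_HEADERS = {
    "MyWFEServer": ["MySite", "MySite.MyDomain.Local"],
    "MySSPServer": ["MySite"],
}


def required_hosts(public_urls):
    """Host name each AAM zone expects IIS to answer for (lower-cased)."""
    return {zone: urlsplit(url).hostname for zone, url in public_urls.items()}


def missing_bindings(public_urls, host_headers):
    """List (server, zone, host) where a server lacks the zone's host header.

    A request for such a host reaches the server's IP address, matches no
    SharePoint site, and is answered by the Default Web Site instead.
    """
    gaps = []
    wanted = required_hosts(public_urls)
    for server in sorted(host_headers):
        bound = {h.lower() for h in host_headers[server]}  # host names are case-insensitive
        for zone, host in wanted.items():
            if host not in bound:
                gaps.append((server, zone, host))
    return gaps


if __name__ == "__main__":
    for server, zone, host in missing_bindings(AAM_PUBLIC_URLS, IIS_HOST_HEADERS):
        print(f"{server}: no host header for {zone} URL ({host})")
```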

Thanks for reading along.

-robot

ps. you know Microsoft has a friend of mine pimping for Server 2008.  I'll have to get that ad and show you.

 

Error Scheduling Crawls: Access is Denied (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

I've always been one that thought if I followed the directions, I should end up with an expected result.

My bank doesn't agree.  Not only is their web site misleading, but it also doesn't work.  And then, when you call their "Customer Service" number, the automated voice lies to you and you end up stuck where you can't get out and you have to call back.

I can change banks but, alas, I can't change Microsofts and I can't change SharePoints; there's only one of each.

So, if you're following along, you're aware that I'm trying to get a three server farm running.  And I'm trying to do it exactly like the instructions say.

At this point, I can see Central Admin and I'm running the Read First… task that says Read the Quick Start Guide.  So I'm reading the Quick Start Guide and it's got a section for server farms.  Here, the first heading is configure services.

The first service is the MOSS Search Service.  Not a problem.  I have a dedicated index server and a dedicated service account.  I did make a note that the instructions do not specifically tell you to select your index server from the change server option in the pull down list before you tell it to Use this server for indexing content or Use this server for serving search queries.

The second service under this heading is the Web App Service. I found that this paragraph incorrectly suggests that the Web App Service would NOT be running on my servers since I installed them as Complete servers.  Both my servers were, in fact, already running the Web App Service.  Not correct, but not a problem.  I figured I was rolling.

The next heading is Configure the Shared Services Provider.  This involves creating web apps for the SSP admin site as well as for MySites.  Now I like my MySites to have their own host header because I want my users to be able to just type http://mysite in their browser and get their MySite.  So they need their own web app.  In addition, no matter what I do, my SSP admin site ends up with a URL of http://ssp/ssp/admin which seems silly.  But I got Shared Services running and I got my SSP Admin site.

Am I rolling or what.

Well, the correct answer would be "what" cuz here the wheels fall off.

The next item on the Quick Start Guide is Configure Indexing which should be no problem.  The first step is Configure default content access account. No problem, I got one of those.

Then we get to Content sources and crawl schedules.  Of course, I want to crawl my local MOSS sites so I edit that item in the list.  All I need to do is create the crawl schedule and, sure enough, there's the Create Schedule link.  I click it and fill it out and stick your fingers in your ears:

Access is Denied (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

So we go looking and meet our new best friend Andy who points us to: http://support.microsoft.com/kb/926959

Apparently we have to add the wss_wpg user to the tasks folder but the tasks folder is a system folder that does not have a security tab so we have to make it not a system folder, add the user and then make it a system folder again.  Sounds kind of like my bank.

So at the command line, revert the tasks folder to a common folder by running this:

attrib -s c:\winnt\tasks

You have to restart Windows Explorer to see the changes but, now, when you right click on the tasks folder and select Properties you see it has a Sharing and Security tab like all the other folders.  On the Security tab, you add the wss_wpg user.  It matters that this is a local user and not a domain user because you have to change the source location by clicking on the location button.  The kb article says to give the user read and write permissions.  That's simple enough and then you click Apply.

Don't forget to go back to your command line and run

attrib +s c:\winnt\tasks

This will reset the system folder attribute on the tasks folder.  Now when you right-click on it and select Properties all you'll see is a General tab.

Then it says to restart IIS so I restart IIS on both servers and try my schedule again.

Thank you for banking with us.  I think I will change banks, the new branch up at the corner has a hot ATM.

-robot

Revisiting the Three Server Farm Install

So I guess I'm not the only one a little confused by the installation of multiple servers.

What I've found is this.

Central Admin will be installed on our first WFE server and it will run on only one server.  When you're  adding additional servers, you get an advanced setting that will allow the new server to steal Central Admin from a previously configured server.  You avoid any nastiness by installing your designated CA server first.

Second, all your IIS web apps will be deployed on all your WFE servers.  I think, if you turn off the Web App Service on a particular server, those web apps will disappear from IIS.

You can run the indexing service on only one server.  If that server is also running the Web App service, it will have a  local copy of the web apps that it can crawl and you can configure the indexing service to only  use that server for crawling.

Right now, I'm running through the CA Admin tasks and I'm getting an error trying to schedule the index crawls.  I'm going to write a post about it and then I'm going to come back to this topic of services on servers in a three server farm.

-robot 

Deploying Multi-Server Farms

As a demonstration, I'm attempting to deploy a three server farm in a virtual domain.  I'd like to include as many technical complexities as possible so I don't simply want two WFEs and a DB.  What I want is a dedicated WFE and a dedicated IndexApp server that will handle everything EXCEPT the content web application.

So, I'm seeing some of this stuff for the first time.  And the way I looked at it, there's a couple of discrete steps to the whole process:

  1. Do a ton of pre-installation steps like creating your service accounts, installing IIS, .Net and getting your DB server running. 
  2. Run the SharePoint setup.exe on all your farm servers; the db server does not actually need SharePoint.
  3. Run the configuration wizard on each of the SharePoint servers.
  4. Perform the administrative tasks that configure the MOSS applications.

Now, we've covered the install pretty good as far as the pre-install steps are concerned.

But the setup.exe program provides us with our first chance to screw something up.  During the setup routine, we can decide on a WFE or a Complete install.  You can also select Stand Alone but that's the SQLExpress solution that's not really relevant to our purpose.

It seems like I want one WFE server and one Complete server.

 

MOSS Three Server Farm Install

So, we want to deploy the classic three-server farm and found this nice link here from SharePointForum and another from TechNet here.

So I've got MyDBServer that's running SQL Server 2005. 

My other two servers are called MyWFEServer and MySSPServer.   I want MyWFEServer to run the CA website and my user site collection(s) while I want MySSPServer to run everything else.

I installed SharePoint on both and, before I ran the Configuration Wizard, I took virtual snapshots so I can roll back at any time.

Then I ran the Configuration Wizard on MyWFEServer.  I pointed to MyDBServer and selected Kerberos Authentication.  That ran and eventually opened up the CA web site.

Then I ran the Configuration Wizard on MySSPServer.  I pointed it to the SharePoint_Config database on MyDBServer, selected Kerberos Authentication and it ran and ended up pointing to the CA website on MyWFEServer.

Great, I've got three servers in my farm.

If you're like me, when you get CA running, you'd just like to stare at it for a while before you do something that screws it up.  Well, no time for fun, we must move on.

The question I have is where do I tell SSP to live on the other server?

Well, CA has a list of Administrative Tasks and I started at the top.

1. Read the Quickstart Guide – This has a link to a web page that includes a section called Learn how to deploy Office SharePoint Server 2007 in a server farm environment.  It says to do what I've already done, install SharePoint on all the Front End Web Servers.  Now at this point, I don't know if my SSP server will be a front-end web server or not but it's got SharePoint installed all the same.  The instructions tell me to configure farm services and to start with MOSS Search.  It has a link to a page called Configure the Office SharePoint Server Search service.

That page will direct you to the Services on Server page and it tells you to click on the Office SharePoint Server Search link in the list of services on the page.  It did not tell me to select MySSPServer from the pull down list at the top of the page but I did.  So it takes me to a page titled Configure Office SharePoint Server Search Service Settings on server MySSPServer.  Great.

I tell it to use MySSPServer, an eMail address, [email protected] and I give it my MyDomain\MOSSSearchSvc account and password.  Then I told it not to use all WFE servers for crawling but just MySSPServer.  I click OK and it takes me back to the list.  I click on Start and it takes me back to the configuration page where I have to enter the password again and click OK again.  Then it takes me back to the list but the Status has changed from the red Stopped to the green Starting.  When I refresh the page, it says Started.

I go back to the instruction page and I see, at the bottom, this:

Tip: If your index server is dedicated and is not running any other shared services, activate the Web front-end role on the index server and specify the index server as the dedicated Web front-end computer for crawling.

And then, since I'm done with the Search Index setup page, I go back to the Learn How page and the next step on it says this:

The Windows SharePoint Services Web Application service must be running on any server that acts as a Web server and renders Web content. This service is started by default on servers that you set up by using the Web Front End option during Setup. If you set up a server using the Complete option during Setup, and you want that server to act as a Web server and render Web content, you must start the Windows SharePoint Services Web Application service on that server.

This does not appear to be a "Service" like you see in Computer Management | Services but it does appear in the list of services in the Services on Server page and it says it's running.

There doesn't seem to be any instructions that have anything to do with the other services.  Instead, the "Learn How…" page rolls onto Configure the Shared Services Provider.  This provides a blurb that says:

Before you create the SSP, you must create a Web application for the SSP administration site.

So, while the SSP might be running on another server, the SSP Admin Web site might be on another.  There's a link that says Manage a farm's Shared Services Providers

Now, I've got two identical WFEs except that one of them is also my index server.  I wonder if I can get more services to run on that server and eliminate that burden from the WFE.  In fact, I'd like for one server to only be a user content site collection server and have everything else run on a different server. 

-robot

 

Configuring Kerberos Authentication on MOSS 2007

If you've been through the install, you're probably ready to get Kerberos authentication working.

One time, I had a guy tell me "it's easy" and now I don't trust him.  It's not easy.

But, our new best friend Martin has a great explanation here and there's another explanation from James here.

So, I'm deploying a three server farm, WFE, DB and SSP, and I want to use Kerberos.  As I see it, there's three steps.

  1. Add the SPN's to the user accounts.
  2. Configure the accounts for delegation.
  3. Configure the servers to support delegation.

Step 1.  Add the SPN's to the user accounts.

Which accounts?  Well that's a good question.  Microsoft suggests a number of accounts to support your multi-server farm.  I think I count 11 plus one for each web app pool and one for each search crawler other than the default.  Here's my list:

  1. MyDomain\SQLServerSvc
  2. MyDomain\MOSSSetup
  3. MyDomain\MOSSDBAccess
  4. MyDomain\MOSSSSPSvc
  5. MyDomain\MOSSSearchSvc
  6. MyDomain\MOSSCrawl_Default
  7. MyDomain\MOSSProfileImport
  8. MyDomain\MOSSExcelSvcs
  9. MyDomain\MOSSWSSSearchSvc
  10. MyDomain\MOSSWSSSearchContent
  11. MyDomain\MOSSAppPool_01
  12. MyDomain\MOSSAppPool_MySite
  13. MyDomain\MOSSAppPool_SSP

You can see I'm going to use one App Pool for my portal content and then I'll have one each for SSP and MySites.

So the immediate question is "which accounts"? 

Well, Kerberos is used to support cases where the application has to connect to other applications to gather information on behalf of the current user.  In his article, James says to create SPNs for the App Pool accounts and the SSP Service account.  Martin says to create the SPNs for the DBAccess account and the App Pools. That would be:

  1. MyDomain\MOSSDBAccess
  2. MyDomain\MOSSAppPool_01
  3. MyDomain\MOSSAppPool_MySite
  4. MyDomain\MOSSAppPool_SSP

Then, my farm will route user requests to my various applications using host headers.  I'll have three and then, the machine name as follows:

  1. MyPortal
  2. MySite
  3. MySSP
  4. MyServer – this is the web front end host.

And, since users may fully qualify these host headers when they browse, that turns my four into eight like this:

  1. MyPortal
  2. MyPortal.MyDomain.com
  3. MySite
  4. MySite.MyDomain.com
  5. MySSP
  6. MySSP.MyDomain.com
  7. MyServer
  8. MyServer.MyDomain.com

In Martin's article, he says to map the two lists together like this to make seven SetSPN calls:

  1. MyServer.MyDomain.com >> MOSSDBAccess
  2. MyPortal >> MOSSAppPool_01
  3. MyPortal.MyDomain.com >>MOSSAppPool_01
  4. MySite >> MOSSAppPool_MySite
  5. MySite.MyDomain.com >> MOSSAppPool_MySite
  6. MySSP >> MOSSAppPool_SSP
  7. MySSP.MyDomain.Com >> MOSSAppPool_SSP

So the two disagree regarding the SSP service account.

There's two things going on here.  First, the SPN is the HTTP/MyPortal part and it's assigned to the user account.  James reminds us that no two accounts can have the same SPN.  So the SPN is really the web app and we're creating four.

Second, when you try to trust a user for delegation, they must have an SPN installed first or you won't see the delegation tab.  So, documents say the "trust account for delegation" is on the Account tab.  It must have been at one point because I've seen screen shots.  In my DC, the user properties has an Account tab but it does not have the noted check box.  After running the SetSPN command on the username, the user properties will have a "delegation tab" where you tell it you're using Kerberos.
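The host-to-account mapping and the "no two accounts can have the same SPN" rule above can be planned and checked before anything is registered. This is an added example, not code from the original post or from the articles it cites: it builds the `setspn -A` lines for the seven pairs, looks for an SPN claimed by two accounts, and lists host names from the list of eight that have no SPN planned. Using the HTTP service class for every entry is an assumption taken from the post's HTTP/MyPortal example, and the function names are hypothetical.

```python
from collections import defaultdict

DOMAIN = "MyDomain"      # domain prefix of the service accounts listed in the post
SERVICE_CLASS = "HTTP"   # assumption: every planned SPN uses the HTTP service class

# The eight host names users may type (from the post).
HOSTS = ["MyPortal", "MyPortal.MyDomain.com", "MySite", "MySite.MyDomain.com",
         "MySSP", "MySSP.MyDomain.com", "MyServer", "MyServer.MyDomain.com"]

# The seven host -> account pairs (from the post).
PLAN = [
    ("MyServer.MyDomain.com", "MOSSDBAccess"),
    ("MyPortal", "MOSSAppPool_01"),
    ("MyPortal.MyDomain.com", "MOSSAppPool_01"),
    ("MySite", "MOSSAppPool_MySite"),
    ("MySite.MyDomain.com", "MOSSAppPool_MySite"),
    ("MySSP", "MOSSAppPool_SSP"),
    ("MySSP.MyDomain.Com", "MOSSAppPool_SSP"),
]


def spn_for(host, service_class=SERVICE_CLASS):
    """Service principal name in <class>/<host> form."""
    return f"{service_class}/{host}"


def setspn_commands(plan, domain=DOMAIN):
    """One 'setspn -A <SPN> <domain\\account>' line per planned registration."""
    return [f"setspn -A {spn_for(host)} {domain}\\{account}" for host, account in plan]


def conflicts(plan):
    """SPNs claimed by more than one account (compared case-insensitively).

    A duplicated SPN leaves the KDC unable to pick the account whose key
    should encrypt the service ticket, so Kerberos fails for that host.
    """
    owners = defaultdict(set)
    for host, account in plan:
        owners[spn_for(host).lower()].add(account.lower())
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


def uncovered(hosts, plan):
    """Host names users may type for which no SPN is planned."""
    planned = {host.lower() for host, _ in plan}
    return [h for h in hosts if h.lower() not in planned]


if __name__ == "__main__":
    for line in setspn_commands(PLAN):
        print(line)
    print("conflicts:", conflicts(PLAN))
    print("no SPN planned for:", uncovered(HOSTS, PLAN))
    # Constructed mistake: the MySite host registered again on the portal pool.
    print("after mistake:", conflicts(PLAN + [("mysite", "MOSSAppPool_01")]))
```

Run against the seven pairs as written, the check finds no conflicts and reports that the short name MyServer is the one host of the eight without a planned SPN.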

When I ran the install with my setup account, I was able to install both servers using the MOSSDBAccess account.  A peculiar step is required after you tell it, yes, I want to join an existing farm.  It wants to go to the  db server and find a config database for you.  Mine worked fine returning the SharePoint_config database as my only option.

Martin follows up with instructions to enable Kerberos on existing CA and SSP apps.  Since mine are not installed yet, I can't imagine that's pertinent.

Then he says configure some windows components.  I'll get right on that.

 -robot

Performance Monitors for SharePoint

OK, people, this is all new to me.  The objective is to identify a couple of dozen performance metrics that can be monitored to indicate that our farm servers are healthy.

So we need to figure out this perfmon.exe program that's part of our operating system.  Perfmon.exe is an application that will start from a command prompt and then run inside your MMC.  Out of the box, it provides a way to chart system performance over time.  You really get to see the lines move from left to right over time.

Apparently, many commercially available programs will provide "performance objects" that perfmon.exe can count; after you install the program, you can make perfmon count occurrences of things that happen inside your new program.  SharePoint obviously provides a number of these objects and if you google it, you'll find that our friend, Ben, has provided a great reference of these SharePoint Performance Objects on his blog here.

So my presumption is that somehow I can use the objects and counters in Ben's list and make the perfmon.exe program track them.

Well, Microsoft gives us this explanation of how to add a counter to your perfmon mmc.

So I run the program by selecting Performance from my Control Panel's Administrative Tools menu or by typing perfmon.exe in a DOS box.  There's already a couple of counters listed at the bottom of the screen and the little red bar starts moving from left to right.  I see I can adjust the scale to get the line to move more or less.  I can also delete a counter by clicking on it and pressing Delete.

To add a counter, I right-click and select Add Counters.  The Performance Object pulldown is where I see the list of objects from Ben's list.  Then, the Select Counters from List option lets me choose specific counters associated with the chosen object.

For example, I select the SharePoint Publishing Cache as my Performance Object and then the Publishing cache hit count and the Publishing cache hits/sec counters.

OK, maybe those weren't such great examples because I can't get them to log any activity in the mmc.

So I thought I'd try the SharePoint Search Gatherer object and select the Admin Clients counter.  The explanation says it reports the number of currently connected administrative clients.  So that starts at 2 and stays there, but, then, for a second, it climbs to 3 and goes back down.

So now I'm wondering which of these counters should I focus on to measure my server's performance.

-robot

 

Expert Help on App Pools and the MOSS Install

Application Pools were one of the more confusing items for me when I first encountered them.  Here's a great explanation from Joe Oleson in SharePointLand.

The SharePoint Reporter gives us a great list of installation steps here.

This is a pretty comprehensive look at your portal install.  He's set it in the context of a VPC install but much of it is relevant to any install.

-robot

 

The Help Popup

So we did the blank page a few posts ago.

Now, try this: 

In a site called MySite, create a doc library called BlankDocs.  Create a web part page called MyBlankPage.aspx and put it in that library.  Put the CEWP that I describe HERE on the MyBlankPage.aspx.

Now put this code in a Content Editor Web Part on MySite's default.aspx page:

<script type="text/java*script" language="Javas*cript">
// Open the help page in a small named popup window and bring it to the front.
function LocalHelp(strHelpURL)
{
  var wndHelp = window.open(strHelpURL, "STSHELP", "width=425,height=600,menubar=no,scrollbars=yes,toolbar=no,resizable=yes");
  // window.open returns null when a popup blocker stops it
  if (wndHelp) wndHelp.focus();
}
</script>

<A onclick="LocalHelp('/MySite/BlankDocs/MyBlankPage.aspx')" href="java*script:;">
<IMG src="/_layouts/images/helpicon.gif" BORDER=0>
</A>

Again, take the “*” characters out of the word “java*script.”  I only do that to keep my blog host from getting nervous.

Tell me what you think.

-robot