
Ballad about SharePoint

image

Foreword


Important! If you want to quickly get down to the technical side of things, just skip this chapter.

This reading is hardly intended for a wide range of specialists. The subject is too narrow. Too much technology and business intersection. Product is too complex. But there is always a way to dilute a dry narrative with something abstract, natural. Show the life behind the monitor screen as it really is, without embellishment. We are often too addicted to work, the computer and all kinds of gadgets rob us of a sense of reality. We stop looking around, noticing what is happening around. We stop paying attention to people dear to us. We stop living a normal, full life.
By the way, the picture of the “rain man” in the title is there not just to attract attention, and the “lyrics” are added to the story for the same reason. All events, names, etc. are a product of the author's imagination. As usual, no one is responsible for anything :)


The reader is asked to keep the following assumptions in mind. The story focuses on SharePoint Server 2013, but other, older versions will sometimes be mentioned. The new 2016 platform was in Preview status at the time of this writing, and its official release is expected very soon, this spring. However, the 2016 version appears to be a rather minor release: its main features are closer integration with the Azure cloud and a more refined deployment and update process, which does not change the implementation process much, so this article should not lose relevance.

In this article the author has tried to summarize his experience of implementing the SharePoint platform in various business sectors, starting with the good old WSS 3.0. Despite this experience, the author is only human and may well be mistaken.

For lovers of “I have not read it, but I condemn it”: the article contains real experience and a description of genuinely narrow, non-obvious spots full of rakes. It was not written as yet another essay on the theme “guys, I finally installed it, I hasten to share, see how cool I am”, but with the goal of really passing on knowledge of how to carefully step around all those rakes.

Perhaps many will prefer the online (cloud) version of the product by subscription. For these, a number of chapters devoted to planning and the actual implementation methodology will still remain relevant.

Given the technical level of the intended readers, the author hopes to be forgiven for omitting descriptions of trivial things like “run setup.exe” or screenshots with the NEXT and OK buttons.

The article is aimed at true samurai who have decided to introduce this complex product on their own: the ordinary IT departments of end-user companies. It is NOT intended for professional integrators, and therefore it will not cover abstruse group deployment or unattended-installation techniques.

It is strongly recommended to use English (non-localized) versions of all products required for deployment, regardless of the political situation. Reason: they are updated first of all, the most current documentation is in English, there are no errors in the translation of terms, longer support. The quality of implementation is absolutely not affected, all language packs are available.

In the last part of the story, a summary list of all the necessary links will be provided.

Lovers of dry technical text: for your convenience, all the lyrics are hidden under spoilers and italicized. Those who dare to read everything from beginning to end: disconnect from everything, put on headphones, put “Clubbed To Death” by Rob Dougan or something similar on repeat, and be patient. We begin…

Chapter 1. About SharePoint - as it is. The answer to the question "Why?".


Commercial companies are living organisms. They have a childhood, a youth, a period of intensive growth, maturity, old age (decay) and death.

A newly established small company with a dozen employees can get by with a Windows workgroup and a couple of network folders, often located on employees' PCs rather than on a separate server.

A medium-sized (by domestic standards) business already means several hundred users, dozens of departments, legal entities, server rooms, units in data centers, and much more. There are hosts of network drives, for which the letters of the Latin alphabet are no longer enough; every user has gigabytes of mail which he will not allow to be archived, for fear of not finding a letter from the boss from five years ago; and there is a large number of information systems and databases.

Sooner or later, employees of such companies run into problems exchanging information between departments. They begin to suffer from the volume of data and tasks that falls on them every day through the old communication channels (verbally or via e-mail), and they no longer perceive their company as something small and family-like, where everyone has known each other for many years.

Systems collectively called intranet portal (from the prefix intra - internal) and workflow systems are designed to solve the problems of information exchange, involvement in common processes, and streamlining and reducing document flow. This is what our western colleagues call Collaboration and Workflow. These systems let you streamline the flow of information in the enterprise, simplify shared access to important data, provide simple search across various document formats and offer the most in-demand shared resources, such as an up-to-date directory of employees' contacts and positions, i.e. a transparent organization structure. The same systems make it possible to build fairly flexible centers for internal documentation and for storing reports in various formats from any division of the enterprise. This is very much appreciated by business owners and top management, who are then forever rid of the need to dig through all their mail, personal computers and mobile devices when they need to pull up a quarterly profit report from five years ago.

It is top management that is usually the company's first stakeholder in the matter of implementing a system like SharePoint, since they are the first to begin to feel that business processes in the company and relations between departments have become bloated, complicated, and have begun to lose their transparency.

They want to have quick and transparent access, preferably with a search right away, to all documents generated by employees, from the grassroots level to the most important for them - the archive of reports.

If at the company's growth stage it was enough for the manager to look into some 1C system himself, run a report on stock balances or sales there and get an answer to his question, then later, as the company grows, there may, trivially, be several of these 1C systems, or systems that are not 1C at all may be added. He therefore has to rely on his subordinates, who will prepare the entire reporting base for him and, taking the chief's tastes into account, carefully and promptly provide him with all the relevant information and key performance indicators (KPI). Human capabilities are not limitless and technical progress does not stand still. Even Gaius Julius Caesar, if we placed him in our time, could hardly manage a modern enterprise directly in his legendary manner of doing several things at the same time.

The functionality of SharePoint provides all the necessary capabilities for solving these tasks and is the leading solution in the world. We do not say that it is perfect - not at all, in it, even in the latest version, there are enough crutches, incomprehensible and often forced technical solutions and misunderstandings, but at the same time there are a number of facts:


The reason for implementing SharePoint is summed up succinctly in the following two sentences (taken from the product's home page in the TechNet Library):

SharePoint 2013 can be used to increase the efficiency of business processes. SharePoint 2013 sites provide secure environments that you can use. Find out what you need to do.

Free literary translation:

SharePoint 2013 is a collaborative environment that organizations of all sizes can use to improve the efficiency of business processes. SharePoint 2013 sites provide secure environments configured by administrators to provide personalized access to documents and other information. Search functions allow users to efficiently search for content, regardless of the physical location of the data.

What do we get in fact if we decide to implement this product?

  1. An internal intranet site, or even a full intranet portal, for the organization, which can be customized to taste, filled with any office content and made accessible from anywhere in the world.
  2. Automated document processing within this portal, for example signing documents or automatically distributing new orders across the enterprise.
  3. String search inside any document on the portal, taking user rights into account.
  4. A multi-level network recycle bin for deleted documents.
  5. The ability to formalize tasks (Tasking) for employees and track their progress, and later to move organically to the MS Project Server family of products.
  6. Full-fledged electronic document management: managing the life cycle of documents and enabling their joint editing.
  7. A more varied office life, and a solution to the problem of shared resources (meeting rooms, courier services, car fleet).
  8. Easier adaptation of new employees through automated contact information and a displayed department structure.
  9. Security for all documents and data stored on the portal, reports on access to them and all sorts of statistics on their use.
  10. Surveys and questionnaires for employees on any important issues.
  11. Integration of the portal with other systems in the enterprise: CRM, ERP, access control, personnel databases, etc.
  12. Viewing documents in the most popular office formats right in the browser window, which is especially convenient in our era of mass use of relatively low-power electronic "gadgets": smartphones, tablets, portable netbooks, etc.
  13. A personal “cloud” of data and intranet portal functionality.

You certainly won't get many of these features right out of the box. However, in the latest (at the time of this writing) version, SharePoint 2013, the tools for integration with other products and systems have improved and expanded significantly. The product finally gained a huge amount of additional functionality in the form of PowerShell cmdlets, and in its Server and Enterprise editions the means of connecting to external databases, analytics and visualization of data tables have improved significantly. The appearance of a separate workflow server role, which implements almost full-fledged algorithms for processing list items and reacting to external events, with loops and branches, has made it possible to describe and automate fairly complex business processes. Finally, the long-awaited alternative to traditional deployment as a set of servers at your own technical site has appeared: using Microsoft Azure, as a subscription service or in a cloud environment, which significantly reduces deployment costs, simplifies administration and increases the reliability of the solution.

At the same time, the SharePoint platform is essentially a construction kit with a large number of generic objects that can be used as a foundation and “tailored” to the needs of a particular enterprise. Quite a large number of integrator companies around the world take advantage of this and create industry-specific solutions for particular types of business.

Editions.


Like any similar product, SharePoint comes in a number of editions that differ in capabilities and, of course, cost.

In total there are three editions:


Learn more about the features of each edition: article on MS TechNet

In addition to the editions that are deployed on-site (locally), there is of course also the option of using the product by subscription as a SaaS service. Microsoft has been actively promoting this direction recently. The approach has a number of undoubted advantages, especially for small and medium-sized businesses: savings on hardware and on the salaries of support staff, fewer potential security problems, and minimal risks regarding reliability and possible downtime. There is no need to bother with updates or with upgrading hardware capacity. Implementation costs are also minimized. Among the minuses: your organization will be hooked on a permanent license fee, you will in any case depend entirely on the vendor, and the speed of working with the portal will depend entirely on the bandwidth of your links to the Microsoft CDN network.

As for the recommended courses and literature on the subject.

From the latest available at the time of this writing:

For administration: courses No. 331 and 332, respectively basic (core) and advanced. MCSE certification will require both.

For a complete understanding of architecture, administration and deployment tasks, it is probably also worth taking No. 488. It should be enough to get into the guts of the product when needed and to be prepared for large deployments, when you need to talk to the SharePoint development team “in their own language” and draw up proper terms of reference for refining and extending the functionality for specific business objectives.

By the way, please note that Microsoft considers SharePoint courses more difficult than some MCSA: Windows Server 2012, which once again confirms the thesis about the complexity of the product.

Of the old, but not much lost in the relevance of the courses:

M10174 - administration and M10175 - application development.

Both are on SharePoint 2010, but again, the differences with the 2013 edition will not be much in administration.

As for the literature, here, unfortunately, everything is rather sad. There is a lot of English-language literature and it is of good quality, for example “Inside Microsoft SharePoint 2013” and “Microsoft SharePoint 2013 Administration Inside Out”, but reading it properly requires solid technical English. Honestly, until I came across normal translations, the good old Microsoft Office SharePoint Server 2007. Administrator's Reference Book is peacefully gathering dust on my shelf.

All key online resources required for the study will be listed in the addendum to this article.

BONUS LYRICS
For some reason, the representative offices of Western companies all resemble each other. A lot of light, glass and white metal-plastic, and on the floor an expensive carpet that muffles the sound of heels. Speaking of carpet: it has always been interesting why they insist on using it rather than, say, laminate. Maybe they are paying tribute to the female half of the office plankton, who try so hard to comply with the corporate dress code but in reality try with all their might to emphasize their status as employees of Western companies, and do not hesitate to spend significant parts of their salaries and bonuses on fashionable “rags”? Why carpet exactly? Does it hide the knock of women's Louboutins, especially at lunchtime, when flocks of “successful and established business women” head for the lower floors of the respectable office building to get a seat in the cafe in time?

The train of thought was interrupted by a well-groomed secretary who came over from the reception desk. She reported that her majesty the “HR manager” was running late - “you understand, morning traffic jams ...”. She offered tea or coffee. Thanks for that, at least.

Behind the glass of the meeting room, two young men of obvious IT appearance walked along the corridor, importantly and slowly: quite expensive, fashionable but loose shirts and jeans with slightly stretched knees. Their conversation was full of characteristic slang; apparently, local system administrators. They were clearly in no hurry to get to their desks. Nothing serious had happened during the night, otherwise notifications would have come to their smartphones. And most of the support is still done from the European head office abroad, so why hurry.

— If you want, we continue our speaking in English. What you want to know about me?



Chapter 2. Planning and preparatory work. What we never do.


So, the decision to deploy the intranet portal and the workflow system independently has been made, completely and irrevocably. A number of meetings have been held, the CFO has shown interest in the budget planned for this event, and users on smoke breaks are exchanging the latest news about the great upcoming implementation, giggling in advance about its epic failure.

SharePoint is a complex product; I will repeat this phrase more than once in the article. Its implementation is a very complex undertaking that requires quite serious preparation and a preliminary audit. Do the communication channels between offices work reliably, and is their bandwidth sufficient? Which generations of Windows operating systems are used in your enterprise? Which browsers do users work in? Are they kept up to date? What about mobile clients: which gadgets do users have, and from which of them do they hope to view documents on the portal? How many of the users work "in the field"? Are there IT staff who support them? How do you plan to conduct training? There are also purely organizational questions: in what order should the product be rolled out across departments? Which of them need the internal portal more, and for which could it make life more difficult? These and many other questions need to be answered BEFORE implementation and deployment.

We will consider the following deployment scenario.

  1. We need to deploy the SharePoint Server 2013 edition specifically. The Foundation edition is essentially a subset of Server, and if you master Server, deploying the simpler solution will not be difficult. Alternatively, you can deploy Foundation and then upgrade the edition.
  2. We have a budget for a separate physical server, which we will set up as a virtual machine host (hypervisor) and on which we will deploy three virtual servers: one with the Web-Frontend and WebApplication roles, one with the MS SQL database and one with MS Office WebApps. Later it will also be possible to bring up a separate workflow server, if the business masters workflows and feels a real need for one.
  3. Our organization consists of a main office and one or more branch offices. The intranet farm will be physically located in the main office.
  4. The enterprise uses a network with MS Windows domains; the offices are connected by VPN tunnels, physical links or MPLS; and either trusts are configured between the domains or the domains are part of the same AD forest.

What are the best practices, how to prepare your enterprise for the start of implementation? In fact, much is quite obvious and has long been present in the same ITIL, written "by sweat and blood" by system administrators and IT managers.

Standardization of client software.


Ideally: one or two versions of Windows (much better if it is Windows 7 or higher), no more than two browsers (one of which is IE), MS Office 2007 as the office suite (or better, Office 2010 or higher), and a moderate number of mobile platforms and, especially, screen sizes.

Why is all this so important? As for Windows versions: in the old days, deploying the old SharePoint 2007 on Windows XP alone was a real challenge, and anyone who has ever faced it will not forget it: the WebClient system service, WebDAV, complaints about the Explorer view and the datasheet view of lists, which magically broke after the next MS Office update and for some reason depended on an MS Access component ... With SharePoint 2013 everything is much better, but there are still enough pitfalls. For example, the rather tasty feature of uploading documents to a library by simply dragging them from the desktop into the browser window cannot be made to work in IE on Windows XP. The reason is simple: the latest version of IE for XP is 8, the corresponding JavaScript code does not work in it, so for this User-Agent SharePoint renders the page without it. There is certainly a way, but it is not completely licensed ...

To deal with glitches in displaying some content, for example playing video from the SharePoint portal, it is better to do so in a couple of browsers, for example IE and Google Chrome, and not additionally in Mozilla Firefox, Opera, Vivaldi, Amigo, Yandex Browser, Edge and who knows what else ... If the company has devout members of the Apple sect, we give them due attention and reverence, call them exceptional, seers of the true path ... but install Google Chrome for them and urge them to use the portal through it. Let them look at everything else through their Safari, but not at our portal.

The topic of using browsers is, in general, a rather sore point for the entire SharePoint family, so we will talk about it further in a special chapter.

Good communication channels and Internet connections.


That goes without saying. If you place a SharePoint farm at your office site and do not take care of normal, high-quality links to the branches, get ready for the worst. It will not take off. It will be difficult to explain to the director of a remote branch why a PDF report with beautiful pictures, generated by the joint gloomy genius of the finance department and the marketers and weighing several dozen megabytes, takes so long to open. The director will suffer once, then a second time, and the third time he will complain about your portal to your top management and ... that's it. Oh, that's it.

For the same reason, it is highly desirable to also have redundancy and balancing of communication channels.

Order in AD.


Typical system administrators are rather lazy. Typical domestic offices are breeding grounds for users who do not care much. What, secretary Masha got married (once again) and changed her last name? She did not tell anyone about it and thought you would guess? And now she angrily calls your department and demands that her name be corrected on the portal urgently? Already fixed? Ah, no longer necessary, everything has to be changed back, she has already divorced. And also: she was promoted and transferred to another department, she lacks rights, and by old tradition she has poured all her dissatisfaction into the boss's ears? Oh well…

Active Directory hygiene is the key to the health and safety of an organization. A user has quit and brought in the signed exit checklist? Block the account immediately. DO NOT DELETE it! There are adherents of a paranoid sect in information security who remove users from AD ... They say that this is the only way for the user to completely lose his authority in the system. And then they sit and wonder whose UID is hanging in the security properties of a network folder, and who had access to it five years ago. The paranoia can get even cooler: I witnessed how, in one very formalized office (where everything is according to PSA and according to SRM), regular, rather lengthy procedures were developed for wiping out employees from everything that is possible and adding new ones to the same…

Instead of a heap of incomprehensible technical work and red tape, adopt a very simple and good rule: create a separate group for each staff position in the enterprise. The group personifies the position's role and authority in the electronic ocean of the enterprise. Wherever you need to specify user permissions, use ONLY these groups. Even if most of these groups contain only one user at a time, the magic of transferring all authority from a user who has departed to another world (ugh, from your company) to a newcomer in just a few clicks, simply by editing the group for the position, will win you over once and for all. Need to give one employee cross-authority between two or more units? Add a group to a group. And at any time you can run an automated audit that collects information by group and reports job titles, not the full names of all those hundreds and thousands of unfortunates who have worked for you over the last ten years. The load on AD will be small, it will not burst, do not be afraid.
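
One way to run the audit described above, as an added example (not the author's code): the script lists permissions granted outside the position groups, orphaned identifiers left by deleted accounts, and blocked accounts that still sit in a position group. The OU path, the share path and the function names are assumptions; it needs the RSAT ActiveDirectory module and a single-domain setup.

```powershell
# Added example, not from the original article.
# Assumptions: position groups live in $PositionOU; $Root is the share to audit.
Import-Module ActiveDirectory

$PositionOU = 'OU=Positions,DC=company,DC=local'   # hypothetical OU
$Root       = '\\fs01.company.local\departments'   # hypothetical share
$DomainSid  = (Get-ADDomain).DomainSID.Value

# SID -> name of every position group, for fast lookups.
$PositionGroups = @{}
Get-ADGroup -Filter * -SearchBase $PositionOU |
    ForEach-Object { $PositionGroups[$_.SID.Value] = $_.Name }

function Get-AclFinding {
    # Reports explicit ACEs on $Path that break the "position groups only" rule.
    param([Parameter(Mandatory)][string]$Path)

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IsInherited) { continue }   # report an ACE only where it is set

        # Resolved trustees are translated to a SID; a trustee whose account
        # was deleted is already a bare SID and is used as it is.
        $trustee = $ace.IdentityReference
        try   { $sid = $trustee.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $trustee.Value }

        if ($sid -notlike "$DomainSid-*") { continue }   # skip built-in and local principals

        $adObject = Get-ADObject -Filter "objectSid -eq '$sid'"
        $finding  = $null
        if (-not $adObject)                             { $finding = 'OrphanedSid' }
        elseif ($adObject.ObjectClass -eq 'user')       { $finding = 'DirectUserGrant' }
        elseif (-not $PositionGroups.ContainsKey($sid)) { $finding = 'NotPositionGroup' }

        if ($finding) {
            [pscustomobject]@{
                Path    = $Path
                Trustee = $trustee.Value
                Rights  = $ace.FileSystemRights
                Finding = $finding
            }
        }
    }
}

function Get-StalePositionMember {
    # Blocked (disabled) accounts that still hold a position group membership.
    foreach ($group in (Get-ADGroup -Filter * -SearchBase $PositionOU)) {
        Get-ADGroupMember -Identity $group |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser |
            Where-Object { -not $_.Enabled } |
            ForEach-Object {
                [pscustomobject]@{ PositionGroup = $group.Name; Account = $_.SamAccountName }
            }
    }
}

# Audit the share root and every folder below it, then list stale memberships.
$folders = @($Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse |
    ForEach-Object { $_.FullName })
$folders | ForEach-Object { Get-AclFinding -Path $_ } |
    Export-Csv -Path .\acl-findings.csv -NoTypeInformation
Get-StalePositionMember | Format-Table -AutoSize
```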

Proper naming of domains for the organization's Internet resources and of local Active Directory domains.


Oooh, this is actually a difficult and very crucial moment.
There are two possible options.

Option one.
For a start, a vivid illustration of this option:

image

Active Directory has been around for a long time: ten years or even more, with a pedigree of gradual forest level upgrades going back to grandfather Windows 2000. In this case the AD domains are very likely named <something-there>.local.

For the past few years, Microsoft has been scolding this name in every way in its documentation and training courses, urging administrators to do as described in the second option. However, the slyness of Microsoft knows no limits here; the situation is very similar to the bearded anecdote about Bill Gates's phrases regarding the memory size in personal PCs and the TCP/IP protocol stack. The fact is that at the time of the launch of Windows 2000 Server, the Active Directory presentations and the hype around all of this, Microsoft did not have time, or did not consider it necessary, to explain to system administrators how to properly name their AD domains. As a result, an interesting incident occurred: what was in effect a distributed DoS attack on the root DNS servers of the entire Internet, because administrators of Windows servers began en masse to use so-called single-label names for their domains, i.e. domain names consisting of just one word. The true UNIX administrators of the root servers, bearded and in woolen sweaters, unambiguously twirled a finger at their temples in response. In a hurry, Microsoft produced a recommendation to rename such local domains, for example by simply adding a dot after the name followed by a word such as “local”. Windows administrators took the instructions literally, which is why we have a huge population of local network domains of the form “company.local”.

What does this threaten us with during the implementation? SharePoint is essentially a website. The site has a name. The site is supposed to be used both from inside the local networks of the enterprise and its branches, and from outside, from mobile clients or laptops, most likely without a corporate VPN.

If a user is out of the office with his laptop but has an Internet connection, for example in a hotel, in a cafe or over a mobile network, and enters the address in his browser, the provider's DNS server will handle the request, and the answer will ultimately come from the NS server that serves the specific domain. If the same user is in the company's office, within range of the office WiFi or plugged into a wall socket, the request will be answered by the DNS server on a domain controller or by another internal DNS server.

You can give the intranet portal two names. Say, from the inside it will be available as intranet.company.local, and from the outside as intranet.company.com, and you register these two different names on different DNS servers: inside the office and outside on the NS. It seems great, the problem is solved, but ... it is ugly. It is also inconvenient for users, especially those who are in the office with a laptop one day and in the field the next. Two links have to be remembered, and two sites cannot both be the start page. With a corporate VPN, or with various corporate and enterprise client software such as the Sophos, Cisco or Fortinet clients, this can of course be bypassed; in that case the user is served both inside and outside the office by the same set of DNS servers on the domain controllers. The only trouble is that such goodies are not always available, because of the budget or for some other reason. For example, Apple devices are very fond of wiping the mobile network settings, and the VPN connections registered in the system along with them, on the next iOS update. And Android has only in its latest versions gained sane device management and "multi-user" support, which lets you slap the user's hands, though not in the case of BYOD ...

In general, it would be great to have a single link to the intranet portal, which both users are able to remember, and you can register everywhere and not to depend on corporate VPNs.

How can this be achieved if we have “.local” domains that we would not like to rename?
We'll have to resort to a trick. We must somehow force the user's browser straight to the IP address of the server holding the SharePoint WFE role, or explain to the office domain DNS server that it is also authoritative for the “intranet.company.com” zone. The first way is completely clumsy: editing the %SYSTEMROOT%\system32\drivers\etc\hosts file directly on each user's PC (or, indeed, wasting time on the domain DNS server), in this day and age? The second, more elegant way is to add the zone “intranet.company.com” to the list of zones on the domain DNS server and enter the IP address of the WFE server there as the zone's @ record.

A similar operation will need to be done on all domain DNS servers in all branches.

Now everything is great: we have a single link to the corporate intranet portal and do not need to rename the domains.
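
The zone trick described above, as an added example that is not part of the original article: it creates a zone for the portal name only, so every other company.com name keeps resolving through public DNS, and then checks the answer on each server. The server names, the WFE address and the function names are assumptions; it needs the DnsServer module (RSAT) and AD-integrated DNS servers.

```powershell
# Added example, not from the original article.
# Assumptions: every server listed is an AD-integrated DNS server; the names
# and the address below are placeholders.
Import-Module DnsServer

$ZoneName   = 'intranet.company.com'   # the single portal name from the text
$WfeAddress = '10.0.10.20'             # constructed internal address of the WFE server
$DnsServers = 'dc01.company.local', 'dc01.branch1.local'   # one per domain / branch

function Set-PinpointZone {
    param([Parameter(Mandatory)][string]$Server)

    # Create the zone only if it is missing (it may already have replicated).
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $Server -ErrorAction SilentlyContinue
    if (-not $zone) {
        # DynamicUpdate None: clients must not be able to register records in
        # the zone that decides where the portal name points.
        Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain `
            -DynamicUpdate None -ComputerName $Server
    }

    # The "@" record: the zone name itself resolves to the WFE server.
    $apex = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name '@' -RRType A `
        -ComputerName $Server -ErrorAction SilentlyContinue
    $current = @($apex | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })

    if ($current -notcontains $WfeAddress) {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name '@' `
            -IPv4Address $WfeAddress -ComputerName $Server
    }
    # Leftover addresses would send some users to the wrong host: report them.
    $current | Where-Object { $_ -and $_ -ne $WfeAddress } |
        ForEach-Object { Write-Warning "$Server still answers $ZoneName with $_" }
}

function Test-PinpointZone {
    # Asks the given server directly and compares the answer with the WFE address.
    param([Parameter(Mandatory)][string]$Server)

    $answer = Resolve-DnsName -Name $ZoneName -Type A -Server $Server -DnsOnly `
        -ErrorAction SilentlyContinue
    $ips = @($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    [pscustomobject]@{
        Server  = $Server
        Answers = $ips -join ', '
        Ok      = ($ips.Count -eq 1 -and $ips[0] -eq $WfeAddress)
    }
}

foreach ($server in $DnsServers) { Set-PinpointZone -Server $server }
$DnsServers | ForEach-Object { Test-PinpointZone -Server $_ } | Format-Table -AutoSize
```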

By the way, SharePoint 2013, like many other products that are closely integrated with Active Directory, does not officially support single-label domains.

Option two.

Illustration:

image

We have a “new-fangled” forest with a separate server serving the forest root domain and a certain number of office domains. The forest DNS server knows perfectly well where the SharePoint farm is located, while the external NS server continues to send users to the real IP addresses at which the farm is published on the perimeter of the main office site.

Everything is clear here, although “imperfect” variants are also possible, when office domains are not part of the same forest. In this case - see the first option.

Availability of SSL certificates.


The SharePoint portal is a website. If we want it to be accessible from outside, from anywhere on the Internet, we need to take care of encrypting the traffic between the server on which the site is installed and the user's browser outside the office.

This can be done in different ways, for example, using classic VPN, or MS DirectAccess technology, or standard SSL. The latter method is the most versatile and easy to deploy and support, although not perfect.

In order to use SSL, we need the appropriate certificate. It can be purchased at one of the certificate services center (CA) such as Thawte, Verisign, RapidSSL and others, or it can be generated independently. In the latter case, such a certificate is called self-signed and a number of potential problems are associated with it. The fact is that the browser, in order to trust any site protected with a certificate, must first trust the certification authority that issued the certificate. He can trust only when this center is explicitly registered as trusted in the settings of the browser itself (especially true for Mozilla Firefox), or the browser accesses the system certificate store and receives confirmation from it that the CA itself is trusted by the operating system, which means trust and he. This scheme works with IE in Windows and some other browsers, for example, Google Chrome.

Get information about the certificate, which site (for which domain name) it was issued and which CA issued it directly from any browser. For example, below is a certificate issued by a GeoTrust Global certificate authority to Google [24-25]:

imageimage

Large, well-known certificate authorities are included in Microsoft's Windows certificate store; they are updated along with the operating system itself (CAs are themselves represented by certificates, which means they too have an expiration date).

For cross-platform browsers that rely on their own local certificate store, the CA list is updated along with the browser itself.

Certificates also differ in type: issued for one domain (single-domain) or so-called wildcard certificates, issued for subdomains. That is, a certificate issued for the company.com domain is a single-domain one, while one issued for *.company.com is a “wild”, multi-domain one. The difference between them, of course, is in the price.

Returning to self-signed certificates: their problem is precisely their origin. If we generate them by hand, for example with the OpenSSL toolkit or with the IIS server tools, nobody will trust them: the first browser in which we open a site protected by such a certificate will show a trust error, because the certificate was issued by an unknown CA. There is, admittedly, an exception to this rule: if you deploy a local domain certificate authority, trust in its certificates is configured automatically on Windows, because every workstation joined to the domain registers the domain CA as trusted via group policy.

When we need to ensure trouble-free work for users who are out of the office and working from PCs that are not joined to the domain, or from mobile “gadgets”, this option is certainly not suitable.

Of course, you can manually register the certificate as trusted on each device. This option is quite viable when you have dozens of users, but it is absolutely useless when you have hundreds of them, or when you need to give access to the portal to, say, your partners.
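A way to check, on any given Windows machine, the two things discussed above: whether a certificate chains to a CA that this machine trusts, and whether its name (single-domain or wildcard) actually covers the portal host. This is an added example, not part of the original article; the function names are hypothetical, and the host names in the demonstration are constructed.

```powershell
# Added example. Function names are illustrative, not a product API.

function Test-CertNameMatch {
    # True when a certificate name covers the host. A wildcard stands for
    # exactly one left-most label: *.company.com covers intranet.company.com,
    # but neither company.com itself nor my.intranet.company.com.
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant()
    $h = $HostName.ToLowerInvariant()
    if ($p.StartsWith('*.')) {
        $dot = $h.IndexOf('.')
        return ($dot -gt 0) -and ($h.Substring($dot) -eq $p.Substring(1))
    }
    return $p -eq $h
}

function Test-PortalCertificate {
    # Reports how THIS machine sees the certificate. Run it on a domain-joined
    # PC and on a non-domain PC to see the difference the article describes.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$HostName
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'    # keep the check offline
    $trusted = $chain.Build($Certificate)            # validates against the system store

    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    [pscustomobject]@{
        Subject      = $Certificate.Subject
        Issuer       = $Certificate.Issuer
        SelfSigned   = ($Certificate.Subject -eq $Certificate.Issuer)
        ChainTrusted = $trusted
        ChainErrors  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        NameMatches  = [bool]($names | Where-Object { Test-CertNameMatch $_ $HostName })
        NotAfter     = $Certificate.NotAfter
    }
}

# Name matching on constructed host names:
'intranet.company.com', 'company.com', 'my.intranet.company.com' | ForEach-Object {
    '{0,-26} covered by *.company.com: {1}' -f $_, (Test-CertNameMatch '*.company.com' $_)
}

# Every certificate in the computer's personal store, checked for the portal name:
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    Test-PortalCertificate -Certificate $_ -HostName 'intranet.company.com'
}
```

A certificate from a domain CA will show ChainTrusted as True on a domain-joined workstation and an untrusted-root error on a PC outside the domain, which is exactly the limitation described above.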

Interest in the intranet portal itself from the business side.


The business should really need the portal. And not only the top managers and owners who are eager to get an additional means of controlling their employees and making them collaborate.

The more employees and managers you get interested in its capabilities, the more successful and easier the implementation will be. Human nature is such that an attempt to impose something new, without explaining how it can make daily life easier, will most likely run into open antipathy or, worse, hidden sabotage. It is also a mistake to push the portal on users with a sigh, as if only top management needs it and you have nothing to do with it, you are merely carrying out their will. Users will certainly feel sorry for you, but they will sabotage with renewed vigor; Stockholm syndrome will wake up in them.

Get HR interested in the opportunity to publish the contacts of all employees on the portal; give them the chance to hang a “Newcomer Handbook” in a prominent place, where they can describe to the fresh meat all the charms and advantages of working at your enterprise, and to add a separate line to their own resumes: the skill of creating an onboarding program for newcomers using their own intranet portal. Promise to make the intranet portal the default home page in browsers. It will be convenient for users, and it looks nice and corporate. Give them (“horseradish managers”) the opportunity to take part in introducing the product, share a bit of the glory.

Over a cup of coffee in the office cafe, hint to the field-force manager about the interesting possibility of creating a unified online repository of all the documents his employees need in the field, and, in the long run, spin him a tale about setting plans for employees through the intranet portal as well.

Dropping in for a minute on the accounting department or the secretaries, tell them about the great opportunity to put sample letterheads with the company details somewhere once and for all, so that they are no longer pestered every day in the spirit of “Svetaaa, send me your electronic letterhead with the new bank details, please”.

Having come to the realm of marketing and made your way straight to its head, past the pretentious marketers who soar in the clouds and dream of spending new budgets on interesting projects, tell him about the upcoming functionality of the portal that will help to conduct internal surveys and presentations of new products (immediately to the “insta”, directly to the field-force service, no more emails and “but nobody wrote to me” excuses), and to post beautiful pictures of new products right on the main page, along with other marketing “epics”.

With a decisive hand, offer everyone a solution to the age-old conflicts over shared office resources: meeting rooms, courier services, the car fleet and others.

A little competent preparatory work, and at the next meeting the heads of departments will themselves chant in chorus to the top managers something like “we neeeed a portal!”.

Planning hardware and software resources.



Requirements for the software platform.

Operating system requirements: Windows Server 2008 R2 Service Pack 1 (SP1) Standard or higher. Note that to install the WFE and Web Application roles on Windows 2012R2, you will need a SharePoint 2013 installation image that includes SP1.
MS SQL Server requirements: 64-bit edition of SQL Server 2008 R2 Service Pack 1.

Hardware platform requirements.

For our scenario, I would strongly recommend using a single hardware server as a virtualization platform. Microsoft has made a pretty strong move here by offering the free Windows Hyper-V Server 2012 R2 as such a platform.

In this case, fairly standard hardware (a single Intel Xeon 3.7 GHz, 64 GB of RAM and hybrid disk storage, i.e. SATA and SSD disks behind a good hardware disk controller that handles SSDs correctly) is enough to deploy three virtual servers (WFE & WebApps + SQL-Database + OWAps) and serve up to 1000 users, with about 50-100 of them requesting pages simultaneously.

The processor will be used much more heavily by the “web front-end” and OWAps servers because of the CPU time consumed by the .NET platform. Memory requirements are also higher for servers of these roles, for the same reasons: the framework and the IIS web server use extensive caching to speed up responses.

The farm memory allocation will be normal in approximately the following proportion:


Give the rest to the Hyper-V host system itself.

Disk will be the bottleneck for the SQL-Database role server, so it pays to design the disk subsystem of the virtualization host for the future SharePoint farm properly. For example: two ordinary SATA disks in RAID1 for the hypervisor system itself (Windows Hyper-V Server 2012R2); two more, or better four, in RAID1 (RAID10) as a volume for storing the guest virtual machine configurations and their disk containers; and, finally, another RAID1 volume of two SSD drives attached directly to the virtual machine with the SQL-Database role, to hold the SharePoint content databases that need maximum speed.
The principle of the disk layout is easier to understand from the illustration below:

image

There are a few more tricks for optimizing resource use. For example, for the SQL-Database role server it is advisable to use three disk containers: one for the system; one (large) for content databases whose data is large but rarely used (the classic example is a media library); and, finally, the directly passed-through physical SSD volume for the farm configuration database (SharePoint_Config) and the content databases that require maximum availability and access speed. By the way, it is better to format the file systems on the virtual machines with the maximum cluster size NTFS allows; the same rule applies to the database volumes inside the virtual machines themselves. The performance gain will of course be small, within statistical error, but you will sleep peacefully, confident that you did everything right.

A fully virtualized SharePoint 2013 farm provides many benefits:

  1. It is much easier to add hardware resources as needs grow, and to rebalance resource use after planning miscalculations and at times of peak load. A radical upgrade or a move to new hardware, if necessary, is also greatly simplified.
  2. Lower network latency inside the farm: the role servers need to “talk” to each other, since requests to the DBMS come from WFE & WebApps. With virtualization, all intra-farm network traffic essentially happens in memory, without involving the physical network.
  3. . , SharePoint MS SQL Server , - – .

Finally, a few words about antivirus protection of the platform. Categorically, do not install on farm servers standard server or network antivirus products that do not take the specifics of a SharePoint farm into account. By my estimates, deploying anti-virus agents from Symantec, TrendMicro or any other vendor on the servers leads to a catastrophic performance drop, subjectively about 20% or more. The SQL-Database role servers are hit especially hard, even with exclusions configured for the database files or the folders containing them. The performance of the OWAps role servers, which by design have a distributed file cache, likewise drops dramatically: the difference in the time it takes to open the same document can be severalfold!

Leading anti-virus vendors have developed special products aimed specifically at SharePoint: TrendMicro PortalProtect, Symantec Protection for SharePoint, McAfee Security for SharePoint, Kaspersky Security for SharePoint Server, etc. These anti-virus systems understand how SharePoint stores documents in content databases, which of its system services are critical to farm performance, and how to correctly scan applications from web application pools on IIS.

There is a fairly informative article on this topic.

If no budget is planned for these products, you can in principle limit yourself to anti-virus protection of the client endpoints; that leaves only hypothetical network vulnerabilities in the farm servers' operating systems themselves and in the IIS and MS SQL services.



Chapter 3. Architecture - just about the complex.


Beginners trying to learn more about the essence of SharePoint have, as always in such situations, to wade through the rubble of purely marketing constructs in the spirit of "a set of web-based collaboration applications" or "the product allows employees to enrich their teamwork experience on important documents." In fact, as an implementer, it is enough for you to understand that SharePoint out of the box is just a website. And nothing more. In the language of webmasters, an empty CMS. What tasks it will solve in your organization depends entirely on your needs and skills.

The old-timers say that at Microsoft itself, the first SharePoint rollout once failed miserably. The product turned out to be too flexible, and users were given too many rights but no quotas; as a result, the servers very quickly stopped coping with the influx of content and all sorts of site structures generated by users. MS should be given its due here: like true doctors, they first tried it on themselves, and only then released it to the masses.

For those who love IT archeology, here is a link to the unofficial history of the product.

Since then quite a lot of time has passed, new technologies have appeared, browser capabilities have multiplied many times, and new needs have arisen to improve user comfort and convenience. SharePoint capabilities have also grown by orders of magnitude: in WSS (Windows SharePoint Services) we could not even dream of AJAX, of working with a list on a page without constantly requesting it again from the server, or of viewing MS Office documents and even PDF (Carl!) directly in the browser window.

Physical architecture.


In technical terms, SharePoint is a collection of sites dynamically generated with MS ASP.NET, with content stored in an MS SQL Server database, and able to interact with other applications or platforms, for example MS Office Web Apps, MS Exchange, MS Project Server, MS Dynamics, etc., and not necessarily with the "MS" prefix: there are plenty of third-party products too.

Since Microsoft loves to make large, monstrous products designed from the start for possible future scalability, it was a logical step to split the product into so-called roles: parts that can be deployed on physically different servers or virtual machines.

The set of these servers is called a SharePoint farm. The minimum set of farm roles (servers) is as follows:

  1. Web Front-End Server role: the server(s) of this role are responsible for accepting and processing user requests. In essence, these are MS IIS server(s) that serve the web requests coming from users.
  2. Web-Application Server role: the server(s) of this role are responsible for dynamically building pages and server responses by processing scripts written in ASP.NET, using the .NET Framework. Pages and responses are built from data in the database. In small farms designed to serve a small number of users (several thousand users, several hundred working at the same time), this role is often combined with the previous one.
  3. SQL-Database Server role: practically ALL the content and ALL the structure of the SharePoint portal and its sites are stored inside the database.

These are all basic roles. It is also possible to deploy a separate search and index server role and a server for the new workflows (in SharePoint 2013 this became a separate server role with advanced features, while the old mechanism remains available). These roles need to be deployed when building really large farms, or when the additional functionality of the new workflows is required.

In general, the farm architecture scales both horizontally and vertically: if necessary, you can upgrade the hardware, allocate more resources to the role servers in the case of virtual machines, or add servers for each role as needed. Clustering is decided per role: for IIS / WebApps it is done with standard system tools, and for the SQL-Database role with MS SQL functionality.

In our narrative we will treat one more role separately: the so-called OWAps, Office Web Apps. Strictly speaking, this is not a SharePoint role; put simply, it is a separate server that renders MS Office documents into web pages (the web version of Microsoft Office). Its ancestor was indeed shipped with SharePoint Server 2010 and had rather modest capabilities; for the 2013 version, however, Microsoft made the logical decision to split this functionality out into a separately deployable server that other applications besides SharePoint can connect to, for example OWA in Exchange. In essence, this is an on-premises version of the Office 365 cloud service. Its licensing policy is simple: in the free version the product only renders documents in the browser for viewing. In the paid version you get a more or less full-fledged Office 365, i.e. documents can be edited directly in the browser, just like in 365. Colleagues say that the product no longer seems to be available for free download, but it is still in the MSDN subscription and its licensing policy has not changed. The product is developing intensively and is genuinely interesting, because it raises the functionality of the SharePoint 2013 platform as a document workflow system to a new level. There is one more quirk associated with this product: it is often renamed. I am used to calling it Office Web Apps and using the acronym OWAps, but Microsoft now calls it simply Office Online.

A few words about how SharePoint 2013 works physically.
Since the intranet portal is in fact a regular ASP.NET site, we of course cannot do without an IIS server. The version of MS Internet Information Services (IIS) may vary; let me remind you that the product can be deployed starting with Windows 2008R2, i.e. we have IIS versions from 7.5 to 8.5. One thing is common to all versions: Microsoft .NET Framework version 4.5 is required.

Microsoft's web server, IIS, is a rather complex, modular product. Its architecture (for different versions) is described in detail in this document. We have no time to read it, we are burning with impatience to start the installation, and the document is in English besides, so I will try to explain in simplified terms, for the slowest, how it works in recent versions.

In the Windows kernel sits the HTTP.sys driver, also called the web listener. It is responsible for receiving and processing all incoming requests to the server. It binds to specific ports; the defaults for HTTP and HTTPS are 80 and 443, respectively. It lives in the kernel for a reason: this speeds up request processing as much as possible and increases availability, the driver gets maximum priority, and there is no need to switch to the user-mode context; the docs also say that it can use some low-level caching procedures and other things. In general, MS was eager to catch up with the recognized pillars of the industry in web server popularity, and so they made everything as fast as possible.

From a security point of view this is not very good, but in fact the driver's function is very narrow. It works essentially as a dispatcher: its task is to accept user requests, pass them on to the IIS modules, which already run outside the kernel, and, taking back what they have produced, return it to users' browsers. It does nothing with the requests and responses themselves, it just passes them through. One would think that HTTP.sys is optimized to the maximum and checked for vulnerabilities, so this part of the IIS architecture is hardly worth worrying about.

Next come two system services (these can already be seen in services.msc), hosted in svchost.exe:


Requests from WAS are forwarded to application pools, in our case specifically to the .NET Framework, which is invoked from within the w3wp.exe processes spawned by the WAS service.

This whole hodgepodge of the modern IIS architecture can be seen in the screenshot from a WFE & WebApps role server of a working (production) SharePoint 2013 Server farm:

image

Application pools run in user mode, which means they can be started under a specific user account, most often one created specially for this purpose, locally or in an Active Directory domain. That is why they are covered by yellow rectangles in the screenshot above: the server is a production one...

Remember this important point: we will return to it more than once in the following chapters.
In addition to IIS itself, SharePoint also includes a number of quite important system services that are automatically deployed on WFE role servers.

These services are:

image

These services perform quite important functions. In essence they issue one-off, on-demand and periodic (timer) service requests to IIS that are required for the normal, automatic operation of the SharePoint farm.

Their purpose deserves a separate explanation:



Logical architecture.


SharePoint is essentially a content management system (CMS). As in Drupal, WordPress or MODx, all the content inside it is divided into logical blocks.

The largest, fundamental structure is the site collection (Site Collection). A site collection is the SharePoint entity that ties together the URL of the site's start page and the web application on the IIS server that renders this collection, and it stores all of its content in a database on the MS SQL server. Why a “family” of sites? Because a collection consists of at least one (root) site with a specific URL, but can contain an arbitrary number of subsites whose names are appended to the base URL. For example, a site collection has the name (URL) intranet.company.com and contains two “subsites”, site1 and site2, which automatically receive URLs of the form intranet.company.com/site1 and intranet.company.com/site2.

image

So, a site collection is a single root site, or a root site and several subsites. Sites are nice, but in fact they are just template pages with a certain design. The pages of a site need content: text, images, other objects. Storing content in SharePoint is the job of so-called lists of various types. These lists can look like actual lists, i.e. tabular text data, or like “libraries”: special lists that can hold document files of various types, images, multimedia files, calendars, tasks, etc. Why are there so many different list types in SharePoint? It is simple: each type of content has to be shown on the page in its own way. A calendar should look exactly like a calendar, and be editable too; a document library should display documents in the spirit of Windows Explorer and allow adding, renaming and deleting them; an image library should display pictures not only as a list but also as thumbnails, and so on.

We will look at the various content types in detail in the chapter on creating the portal itself; for now, just remember that within each site (the root and any of its subsites) list objects with different types of content live their own lives.

By the way, besides subsites, the root site can also contain various lists and libraries.

A SharePoint farm can also hold an arbitrary number of site collections. It is important to remember that each one has its own URL and is assigned a specific ASP.NET web application that runs on the WFE and Web-Application role servers. Web applications can be combined into so-called web application pools; in the SharePoint architecture, the concepts of a web application and an application pool are synonymous. Several site collections can use the same web application; just below we discuss the strategy for building site collections based on specific needs.

Understanding the structure of SharePoint sites is very important for building a sensible URL naming scheme, which in turn depends directly on the DNS names of the intranet portal.

The logical structure of sites also directly affects user permissions. Like any file system, SharePoint uses permission inheritance, which is enabled by default for every object, be it a site or a list, but can be turned off on any of them. If you grant permissions to a user group on the root site of a site collection while inheritance is enabled, the users in that group automatically get access to every object within the collection. We will look at best practices for granting rights to users in the relevant chapter.

In our scenario, at least one site collection will be used, with the URL intranet.company.com. Creating other site collections may be necessary in the following cases:


In the language of relational databases, all kinds of relationships exist between site collections, web applications and content databases: several site collections can easily share one web application and use one content database; each can use its own database; and each can have its own application and, accordingly, its own content database.

How to plan this logical architecture correctly?

In the next chapter, in the process of creating the portal, we will deal with this directly, but for simplicity let us remember the following rules:

  1. Assigning each site collection its own web application and, accordingly, its own content database simplifies the URLs of these site collections (the next chapter explains why) and simplifies administration (in Task Manager you can immediately see which web application a process belongs to by the account its application pool runs under, and you can stop or restart a specific part of the portal without harming other site collections), but it is much more demanding of server resources: considerably more memory and CPU time are required.
  2. Assigning several site collections to a single web application (whether with one or several content databases) reduces hardware requirements (there is no additional overhead from the .NET Framework, i.e. CIL / CLR: startup and precompilation happen once, in one pool), but it complicates and lengthens the URLs of the site collections and leads to administrative inconvenience, especially on large SharePoint farms serving large portal solutions.
  3. Different site collections can have different content databases within the same web application, but unfortunately in SharePoint 2013 this cannot be managed through its standard web console, only through the PowerShell console.

The figure makes these rules, and the relationship between site collections, applications and content databases, easier to understand:

image

Pay attention to the second (green) site collections, or rather to their URLs: the SharePoint naming rules require the second and subsequent site collections that share one web application to be placed after the name of the primary collection and the reserved URL part “.../sites/...”.
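Rule 3 above in practice: placing a second site collection into its own content database inside an existing web application, which SharePoint 2013 only allows from PowerShell. This is an added example, not taken from the original article; the URL, database name and owner account are constructed placeholders, and the cmdlets are the standard ones from the SharePoint 2013 Management Shell.

```powershell
# Added example. Run in the SharePoint 2013 Management Shell on a farm server.
# All values below are constructed placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl  = 'https://intranet.company.com'     # existing web application (assumed URL)
$SiteUrl    = "$WebAppUrl/sites/projects"        # second collection goes under /sites/
$DbName     = 'WSS_Content_Projects'             # hypothetical database name
$OwnerAlias = 'COMPANY\sp_admin'                 # hypothetical site collection owner

# 1. Create a content database attached to the web application, unless it exists.
#    MaxSiteCount 1 keeps the database dedicated to a single site collection,
#    so no other collection can silently land in it later.
$db = Get-SPContentDatabase -WebApplication $WebAppUrl |
    Where-Object { $_.Name -eq $DbName }
if (-not $db) {
    $db = New-SPContentDatabase -Name $DbName -WebApplication $WebAppUrl `
        -MaxSiteCount 1 -WarningSiteCount 0
}

# 2. Create the site collection explicitly inside that database.
#    Without -ContentDatabase SharePoint picks a database on its own.
if (-not (Get-SPSite -Identity $SiteUrl -ErrorAction SilentlyContinue)) {
    New-SPSite -Url $SiteUrl -Name 'Projects' -OwnerAlias $OwnerAlias `
        -Template 'STS#0' -ContentDatabase $db | Out-Null
}

# 3. Report which site collection of the web application lives in which database.
Get-SPSite -WebApplication $WebAppUrl -Limit All |
    Select-Object Url,
        @{ Name = 'ContentDatabase'; Expression = { $_.ContentDatabase.Name } },
        @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Usage.Storage / 1MB, 1) } }
```

The report in step 3 is also a quick way to confirm that a collection holding sensitive content really sits in the database you back up and restrict separately.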

BONUS LYRICS
Have you read Weller's “Ambulance Tales”? In the history of every IT department, in any company, there are local “memes” of its own as well.

For example, an employee of the HR department calls and angrily exclaims (literally): “I am not satisfied with the current scale of the Internet!”. Clearly, it was about the zoom level in the browser. Fixed...

Or a manager from the distribution department calls, also with displeasure in her voice: “Boys, why don't robots come to me?!..”. And, as usual, a whole commercial director had been informed first: “aah, I'm being specially discriminated against, I don't know what to sell, while the other girls are selling!!!111”. He naturally came down on us: “What are you doing? The person is not getting bonuses!!! I think it's your fault!..”. As it turned out, the problem was that the mailing about new arrivals at the warehouse was not reaching her. Automatic mail checking had simply turned “itself” off in her MUA, and religion apparently did not allow her to press the manual check button. We were sorely tempted, on some holiday like the first of April, to gather packing boxes in the warehouse, build robot costumes and show up in the sales department en masse.

Once a large client complained at the level of commercial directors that documents from our electronic document exchange were not reaching them: mail, price lists, invoices and refusals were not arriving. The search for the problem took two days and fully occupied both IT departments (ours and the client's); both management systems, the EDI bus, the mail servers and the antispam services were combed through. In the end the client's IT specialists finally thought of installing a DLP agent on the PC of their problem manager. They found a lot of interesting things, for example, that the manager had simply set up automatic deletion of all letters from our addresses and was conducting an interesting, very informative correspondence with a salesperson of our competitor...

An interesting incident occurred at one of the plants. A curious lady worked there as a translator. What was curious about her was a strange arrogance towards everyone around her, an exorbitant sense of self-esteem and of the infallibility of her actions. The lady was very fond of giving everyone advice, of telling, with or without occasion, about the great achievements of her son: “Romchik was praised so much by the teacher at school yesterday, so much...”, and naturally considered whatever she did to be the ultimate truth.

After working for about a year, the lady began to send constant complaints to the local IT department about the loss of her MS Office documents. The documents disappeared in a strange way: sometimes entirely, sometimes only in part, with only the initial piece of text remaining. The documents were very important, all sorts of translations of documentation, technology descriptions and instructions from our foreign suppliers, and so the problem was investigated with all due care. As always, the first suspects were sabotage or stupid actions on the part of the user, the machinations of her colleagues who were tired of such a foreign organism in their department, and finally the actions of mythical viruses and industrial espionage.



Chapter 4. Installation process or algorithm "experiment, pi@#%c, reading documentation".


SharePoint 2013 is a complex product. You cannot just launch the installer and click "Next" a dozen times to get a result out of the box. Well, of course you can, but only for the Foundation edition. There is also an option to deploy the server edition as Stand-Alone (all farm roles on one server), but that configuration is really meant for individual developers or for a test farm, not for production.

In general, deploying a SharePoint farm can be summarized in a number of steps:

  1. Installing MS SQL Server.
  2. Installing SharePoint itself, or rather its Web Frontend and Web Application roles.
  3. Primary setup, building a portal structure.
  4. Integration of SharePoint with other services of the company: Office Web Applications, Exchange, Project, Dynamics, etc.

Why does the "sequel" come first? Because the SharePoint Server installation wizard asks about its availability almost immediately. So we install it first.

Install MS SQL Server 2014.


Installing MS SQL Server 2014 should present no difficulties, it is that same “Next-Next-Next”, except that you should not forget to turn off the Windows Firewall immediately before installation and to add .NET 3.5 under Features beforehand; otherwise, when you deploy the server, its installation wizard will issue a corresponding warning:

image

The installation package includes a good configuration checker, which verifies that everything is in order on the ground where we are about to build the “sequel” temple (may the SQL admins and programmers offended by this slang word forgive me).

And do not forget good practice: after adding a role or “feature” to a freshly deployed system, and before installing anything heavy, run Windows Update once more, and ideally reboot before that.

The name of the instance (Instance) of the server does not matter, you can leave the default.

There is no point in installing every server component at the start, only the following:


The service credentials and the collation are left at their defaults. If the SQL server is not going to be used for anything other than the SharePoint farm (sharing it is undesirable in principle), we choose the default Windows authentication mode.

It is very important to install both MS SQL Server and SharePoint Server under the same domain administrative account; this immediately avoids heaps of obscure authorization and permission problems during the SharePoint installation. Therefore we specify this administrative account as the primary server administrator right away.

We will redefine the standard paths to the database components and backup paths later, during the deployment of the roles of SharePoint itself. Yes, and perhaps in the future you will have to change them again, for example, in case of changes in the disk subsystem or changes in the backup strategy.

There is another nuance: lately MS likes to distribute installation media not only as traditional ISO and VHD but also in IMG format. Before installation it is advisable not just to mount the image but to unpack it into a temporary folder and launch the installer from there. I do not know why, but a couple of times I encountered strange, never-described errors when installing directly from a mounted IMG or ISO image. So it is better to go the proven way.

It is worth recalling that after deploying MS SQL you need to run Windows Update once more, with the option to update other applications besides the system enabled. Perhaps you have heard of companies whose administrators do not update server systems and applications on principle, or install updates on a schedule a couple of times a year. In some ways they are certainly right: updating complex Microsoft systems and applications is always a challenge for administrators, and one can never be sure of success or of continued compatibility with some third-party software. But if something goes wrong and you turn to an integrator or an MS partner for support, the first standard question will be how “fresh” you are in terms of vendor updates.

The last step: do not forget to grant the service account “NT Service\MSSQLSERVER” full access to the root of volume “D”. This is essentially the account under which the Database Engine service itself runs.

Install MS SharePoint Server 2013.


Deployment of the product should likewise begin with updating the operating system "all the way". SharePoint is a very flexible product. The structure and configuration of the portal, and its content, live in the database, so installing the Web FrontEnd and Web Application roles is a two-step process. First we install the roles themselves, which creates the starting "skeleton" of the system: folders, basic startup scripts and templates in the IIS web folder. Then we run the system update (again), and only then run the product configuration wizard, which creates the necessary starting structure directly in MS SQL, in a database called SharePoint_Config that stores the configuration (settings) of the entire SharePoint farm.

So, in the installation directory we click the coveted "Hello World!", ugh, "setup.exe". Naturally, we immediately step on a rake:

image

We should not have hurried ... Different products at MS are made by different groups of people, so naturally the principle of non-communicating vessels applies. What we actually need is the inconspicuous file default.hta, which is referenced by autorun.inf, and autorun is of course disabled for all normal people, either by hand, by domain policy, or by a network anti-virus policy.

Run:

image

As you can see, there is also an installer for the prerequisites. Nothing to be done, install them first.

If the attempt to install them throws up something like this:

image

then you are on Windows 2012, did not listen to the author or were not careful, downloaded “SharePoint Server 2013” (without SP1), and urgently need KB2771431 , which Windows Update does not install on its own. An elegant way to check for its presence in the system through PowerShell: systeminfo | findstr "KB2771431" .

If you hit a similar problem on Windows 2012R2, you need the “SharePoint Server 2013 with SP1” installation kit specifically, which was released after 2012R2 appeared and takes the new rake from MS into account. Otherwise you will have to install all the necessary prerequisites by hand with a PowerShell script. You can take one, for example, from here .

If the installation succeeds, the system will need to reboot; log in, wait a while, and it will cheerfully report full success:

image

What next? That's right, update again! Most likely something like updates for the AD RMS Client will arrive. Install them, they will come in handy: they avoid one very nasty bug if your portal farm serves several domains from different trees ...

Tired of the endless updates and reboots, we click the coveted button that launches the product installation. Here you (those reading this article) will split roughly in half. For some (the lucky ones), the installation will start and cheerfully run on. For the others, a rather unpleasant window will pop up:

image

This is because kind uncle MS constantly creates headaches for administrators and joy for programmers by creatively updating the .NET Framework. The problem is that your system has version 4.6 (or even higher), while the SharePoint 2013 installer, even with SP1, unfortunately for itself can only work with 4.5.

More about this problem , how to identify it precisely and how to treat it . In short, we remove the .NET 4.5 feature (actually 4.6) using the MS DotNET CleanUp Tool, then download and install it by hand. After you install SharePoint 2013, you can safely trust Windows Update, which will raise it to 4.6 again. The SharePoint farm will continue to work fine with it. It seems ...

By the way, in one recent real-world case I stumbled on a situation where removing the .NET Framework 4.5 feature through the standard system wizard on Windows 2012 R2 completely demolished the entire GUI, and PowerShell to boot. That is, you understood correctly: we were left on 2012 R2 without even the Core OS mode. The Explorer shell did not load either. Thank God, MS has provided an alternative console boot option: when nothing else loads, the good old cmd.exe is loaded instead. For those in a similar situation - here . By the way, in that case the CleanUp utility did not do its job. So I had to think a bit, go to the Control Panel and remove the KB responsible for the ill-fated Framework 4.6 appearing in the system. After the reboot, the registry key indicated a downgrade and the SharePoint installer worked without problems. It’s strange that MS didn’t offer this option as a perfectly rational way of solving the problem, and instead preferred to shoot themselves in the foot by removing a critical component from the system ...

The installation of the product itself is simple.

Select the installation mode (a normal production farm or everything on one server). Our choice is obvious, the first option:

image

The second tab has no parameters of interest for our scenario. The first parameter specifies the folder where the SharePoint binary core will be deployed; it is better to leave it on the system volume in the standard location under Program Files. The second parameter specifies where low-level data will be stored; it is of no interest to us either, since we will not deploy a separate server for the search subsystem, so feel free to press the install button.

After some time, the installer will offer to run the configuration wizard:

image

Do not rush. All the installer has done so far is deploy the SharePoint software core as system services. The SharePoint sites themselves have not been created yet, the configuration database has not been deployed, and so on. You can easily verify this by looking at the IIS settings (still empty) and the system services (also still switched off):

image

The right step, again (again!), is to run Windows Update with the search for updates to other MS products enabled.

When all updates are installed, it is time for the actual SharePoint deployment. In the Start menu we find the configuration wizard called SharePoint Products Configuration Wizard, launch it, accept the warning that the wizard will restart some system services, and arrive at the question of creating a new farm or connecting to an existing one.

Remember this question. The fact is that in the future you will come back to this wizard more than once, practically with every farm upgrade or the need for its low-level reconfiguration.

Naturally, we need a new farm. We choose it and get the second serious question from the wizard:

image

With the server name everything is clear, we have already prepared it. It is better to leave the default name of the configuration database; that avoids confusion when reading the documentation. The wizard also asks for the account under which the farm configuration application will connect from IIS to the SQL server. Since we chose Windows authentication mode when installing the SQL server and we work in a domain, we can (and, according to best practice, should) create a separate service account in the domain for this purpose.

Since we will create such accounts more than once, it is advisable to set aside a separate OU (Organizational Unit) container for them, to which especially experienced and paranoid comrades can later attach a group policy that tightens security.

There is no need to worry about registering this account in SQL Server - the SharePoint configuration wizard will do everything for us correctly (once, in times of WSS 3.0 and SharePoint Server 2007, this had to be done by hand).

The only thing really worth attending to before clicking the cherished Next button is some additional tuning of the SQL server. It is time to go into its configuration and redefine the default location for new database files. Remember, in our deployment scenario we agreed to store all the SharePoint farm databases on volume “D” of the SQL server, which is deployed on a fast RAID specifically for that. We enter it:

image

That's it, you can step on the "Next" pedal. You will be asked for a passphrase that will be used to encrypt some critical data. It resembles the similar prompt when deploying Active Directory. Be sure to remember it, because unlike in AD it will be required here not only for recovery after a failure but also for any major change in the farm structure, for example when adding a new server.

You will then be asked about the port and the user authentication mode of the administrative web application. It is better to leave the randomly generated default port; just remember to open it in the Windows Firewall if you use the firewall in your domain environment. As for authentication, the default is NTLM. For most scenarios this is more than enough: after deployment and initial setup, farm-wide configuration is performed rarely, and perhaps even over RDP to the WFE server (i.e. you launch the browser and open the farm configuration page on the very server where IIS runs), so the merits of Kerberos authentication are justified only in cases of heightened paranoia. If you do choose Kerberos, be ready to add the necessary SPN attributes to AD by hand. My advice: do not create unnecessary problems for yourself. We will meet Kerberos more than once when creating site collections.

By the way, some not very experienced integrator administrators choose this option, then configure nothing, and for some reason everything seems to work for them ... In fact, the first attempt goes via Kerberos, it successfully fails, and the web application switches to the fallback option, NTLM. This is clearly visible with the klist console command: no ticket is issued.

Let's return to our SharePoint configuration wizard. It will give us one last look at the parameters we entered and then start doing its work. The results can be observed not only in the wizard window but also by glancing periodically at the SQL server: the first two databases will be created there, a new “login” will be added to the server security settings, and the necessary server roles and rights will be granted to it.

When the wizard has successfully completed, it will be time to launch the cherished administration console "SharePoint 2013 Central Administration":

image

If a standard IE login and password prompt pops up at startup, do not be discouraged. MS simply changed something in the local security policy in Windows 2012/2012R2 [16]:

image

The cause is the so-called loopback check, which is enabled by default. If it bothers you, you can get rid of it by creating a new value BackConnectionHostNames of type Multi-String Value in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 and listing in it the addresses of all the site collections that you plan to access locally on this SharePoint WFE server.
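The registry change described above, as an added PowerShell example (not the author's code). It merges host names into BackConnectionHostNames without losing existing entries, and warns if the loopback check, which exists to block NTLM reflection, has been switched off wholesale through the separate DisableLoopbackCheck value. The function name is hypothetical; intranet.company.com is the test name used in this article.

```powershell
# Added example. Run in an elevated session on the WFE server.
function Add-BackConnectionHostName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Host names that will be opened in a browser ON this server
        [Parameter(Mandatory)] [string[]] $HostName
    )

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

    # DisableLoopbackCheck = 1 turns the protection off for every name,
    # which makes the per-name list below pointless. Report it.
    $off = (Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck `
                -ErrorAction SilentlyContinue).DisableLoopbackCheck
    if ($off -eq 1) {
        Write-Warning 'DisableLoopbackCheck is 1: the loopback check is disabled for all host names.'
    }

    # Read the current multi-string value; an absent value yields an empty list
    $existing = @((Get-ItemProperty -Path $msvKey -Name BackConnectionHostNames `
                      -ErrorAction SilentlyContinue).BackConnectionHostNames |
                  Where-Object { $_ })

    # Merge old and new names, dropping duplicates (comparison is case-insensitive)
    $wanted = @($HostName | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $merged = @($existing + $wanted | Sort-Object -Unique)
    $added  = @($merged | Where-Object { $existing -notcontains $_ })

    if ($added.Count -eq 0) {
        Write-Verbose 'Nothing to add, all names are already listed.'
        return $merged
    }

    if ($PSCmdlet.ShouldProcess($msvKey, "add $($added -join ', ') to BackConnectionHostNames")) {
        # -Force replaces the value if it already exists, creates it otherwise
        New-ItemProperty -Path $msvKey -Name BackConnectionHostNames `
            -PropertyType MultiString -Value $merged -Force | Out-Null
    }
    $merged
}

# Dry run first; remove -WhatIf to write the value
Add-BackConnectionHostName -HostName 'intranet.company.com' -WhatIf
```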

That's all: the main farm server of SharePoint Server 2013 is successfully deployed, congratulations. It is time to fill it with meaning.

BONUS LYRICS
Split. That is the word for what is happening in the domestic IT industry. Those who until recently were all called "IT people" are now divided into programmers and everyone else.

Programmers are our new elite. They have warm, positive avatar photos on these VKontakte, Facebook and Instagram pages of yours. Their profiles hold heaps of photo albums of active holidays from all over the world. The azure seas of the Caribbean islands, the green jungles of Thailand and Vietnam, the lights of Manhattan skyscrapers and billboards, the old narrow canals of Venice and so on. Every photo shows healthy, glowing faces. They work in beautiful, modern, creatively designed offices. They are managed by young team-lead bosses, the same as they are, only a little older, who are well versed in everything. All sorts of conferences and team-building events are at their service, and even specialized sites where they complain to each other about being unable to buy something fashionable and casual “in this country”, or about the lack of decent Parmesan in supermarkets. They rest well, eat healthy food and lead an active, healthy lifestyle. The photos give the impression that they have none of the deadlines, meetings and other things they so love to sigh about. It is completely unclear when they actually work. Pure positivity. Programmers are the modern middle class of our society. Be like programmers.

All the rest, the overwhelming majority, are simple ordinary IT employees. System administrators, network sales managers, hardware people, helpdesk staff, "any-key" errand boys and other "you're-a-programmer-aren't-you" types. They are not so happy. Their photos on social networks are usually few and mostly to the point. If there are holiday photos, they are from somewhere nearby: the Caucasus, Crimea or Ukrainian Transcarpathia. Most of them have completely irregular working hours and grasping, stingy local bosses who understand nothing about IT specifics but are well versed in kickbacks. Constant budget cuts go hand in hand with growing wishes from the bosses in the spirit of "make it cooler than the competitors', we need sales". Lunch is fast food at best, or comes from a container brought from home. At home, impatiently waiting for them, is a wife who was recently laid off and is going stir-crazy from idleness, with a small child in her arms from the "well-fed" years when it seemed that everything would be all right. Some also have loans, and they are lucky if those are in the national currency ...

Sometimes, on a Friday evening after work, you can see two groups of young people sitting at different tables in some pub. At one table, casually and hipster-dressed guys with bright faces sedately drink martinis and expensive beers. At the other sits a company of their peers, not so well dressed, gloomier, worn out by a week of hard labour, each thinking about something of his own. On their table is something stronger: whisky or plain vodka.

At the first table, interesting cases of debugging yet another foreign project hang in the air, and terms from popular programming languages are heard. Sometimes the conversation switches to which hotel in Phuket is the best for the next vacation. At the other, someone retells a fresh story about how the boss's latest secretary was laid off or how the users “bought again”, or reads out verbatim the requirements of a newly found vacancy in the spirit of “working in our bank is a great honor”. When one of them says something like “I want a vacation, I dream of finally getting enough sleep ...”, the others nod understandingly. Everyone goes on thinking about something of their own.

Those at the first table sometimes cast half-contemptuous glances at those at the second. The latter, those who are more sober, answer with something close to rays of hatred.

If you bring representatives of these two classes together at one table for a discussion, the young, successful programmers will exclaim with pathos something like "you get what you studied for". They may also give a couple of examples of how some friends of theirs at the institute did not run around nightclubs but sat up nights on end, frantically coding some nonsense.

All this is of course great, but it creates a huge problem.

Programming long ago turned from a genuine art, sung by Wirth and Ritchie, into an ordinary craft. Programming environments, graphical debuggers, endless frameworks, patterns, ready-made libraries and components make writing code easy. Don't know how to solve a specific problem? Stomp over to GitHub or Stack Overflow and copy-paste what you need. Need a solution to a specific problem? With a probability of 0.999 there is already a ready-made piece of code or "lib" somewhere. Why invent something of your own, or even understand how it actually works inside?

Modern "coding" goes hand in hand with product marketing and banal fashion. Your CMS is outdated, we offer you a new one! We will write you a new server, and you will be able to reduce your business risks and attract new customers! What your software is written in has long been out of fashion, we offer you a new system on a next-generation platform! What do you mean you don't want it? Your competitors have already ordered this mobile application, and you won't have one?

Absolutely all modern technical graduates dream of becoming programmers. Computer courses of every kind, for every taste, are crammed with people who want to quickly learn to do something in the spirit of "slap it together and ship it to production". Everyone dreams of working at Google or Yandex, or at worst at EPAM or Luxoft. Everyone wants everything at once.

If you manage the IT department of a domestic FMCG company, be prepared for constant turnover at the middle and lower levels. You will constantly catch your subordinates reading the next online course on JavaScript or Python. You will be meaningfully reminded about a salary raise or else ... "I will go off to be a programmer". And they will not be embarrassed in the least if you jokingly ask one of them, who has been about to become a programmer for months, what the three main concepts of OOP are. Former classmate Vasya managed it, after all! He also worked as a sysadmin, but gave it up, took some courses and now makes one and a half thousand bucks!

If you are a good leader, care about the climate inside the team and worry about your subordinates, you have to hold on to them somehow. Relax discipline a little for those who have worked long enough. Squeeze some token bonuses out of the overfed management. Try to give them interesting tasks, or even delegate part of your project work, that is, share a project.



Chapter 5. Creating a portal. The torments of creativity.


It is time to indulge unrestrainedly in creativity.
Just as the theater begins with the cloakroom, our portal begins with the web-based administration console:

image

The administration console in SharePoint 2013 closely resembles the old Windows Control Panel: all functionality is logically divided into groups. This differs from the old SharePoint 2007 console, which was more like some old classic CMS.
Only the most basic management functions are shown on the start page; many more are hidden inside each group. We need the “Application Management” group:

image

Our portal farm currently contains only one site, and that site is the administration center itself. This is easy to see: just look into the IIS management snap-in. There are no other websites, and we want a portal, so we need to create those sites somehow.
As we established in the previous chapter, sites are grouped into site collections, which are served by application pools and stored in content databases. Let's lay the first block in the foundation of our future portal and create the first, root site collection.

Creating a web application.


In Application Management, go to Manage web applications:

image

As you can see, we have only one web application at the moment, and it serves the administration center. We see the link (URL) at which the site served by the web application runs, and the port on which the site listens. If we look at the browser's address bar, we will notice a certain similarity.

We need to create a web application. The main difference between SharePoint 2013 and its predecessor, SharePoint 2010, is the layout of the interface. Microsoft remained true to its policy of consistently upgrading interfaces in its software products, so the Ribbon-style menu design, first introduced in MS Office 2007, gradually reached the SharePoint web interface.

Find the New button on the ribbon at the top left and click it. The page for creating a new web application will open:

image

Go over all the fields in the form and fill them in.

We are offered a choice: use an existing IIS site on the server or create a new one, and set its name (on the IIS server, not to be confused with the URL), the port it will listen on, the host header (the actual URL) and the path to the site folder inside the IIS web tree in the file system.

By default we are offered a site that does not use SSL. Let's do everything properly from the start.

The days are long gone when SSL was used only on some Internet sites, and even there not everywhere but only on the pages that performed login. That was dictated by the wish to reduce the load that encryption placed on both web servers and users' PCs. Those times have long passed, computing power is abundant, and the question now is whether to abandon plain HTTP completely in favor of HTTPS everywhere on the Internet.

For the test, I have already generated a self-signed certificate for the domain name intranet.company.com and registered it in the local root certificate store on the server with the WFE & WebApp role. If you want to do the same, go to the IIS snap-in, Server Certificates, and in the panel on the right select Create Self-Signed Certificate ...:

image

Since in this article we are dealing with a SharePoint test farm, the domain name intranet.company.com is fictitious and our domain DNS server knows nothing about it.

Let's help it with that:

image

Fill in the fields according to the screenshot:

image

Please note: under Claims Authentication Types we are offered NTLM as the default user authentication method, but I chose Negotiate (Kerberos). NTLM is the more universal method because it needs no configuration at all, i.e. it works out of the box. A SharePoint-based portal can “ask” the browser (or any other program requesting a resource from it) for the credentials of the Windows user it runs under, so as not to bother the user with questions in the spirit of “enter your name and password”.

Why did I choose Kerberos instead of NTLM? If you know how authentication works in Windows domains, the answer suggests itself: authentication “by Kerberos” is faster, “chatters” less over the network and is technically more secure and reliable. There is also a flip side: it requires manual configuration and does not work outside the forest. That is, if we have two offices with domains deployed in different forests, but with trusts configured and a Site-to-Site VPN connection between them (a typical situation), then unfortunately Kerberos will not work for requests from the second office.

The good news is that if you choose Kerberos as the main authentication method, NTLM remains in use as a fallback. If "Kerberos" fails for some reason, authentication is automatically attempted through NTLM.
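Because the NTLM fallback is silent, a Kerberos misconfiguration can go unnoticed for years. The added example below (not part of the original article) summarises logon events 4624 from the Security log of the WFE server by authentication package, so accounts that are actually being served by NTLM stand out. The function names and the sample events are constructed for illustration.

```powershell
# Added example. The sample events are constructed, not taken from a real log.
function Get-LogonPackageSummary {
    param(
        # One XML string per 4624 event, as produced by the event's .ToXml() method
        [Parameter(Mandatory)] [string[]] $EventXml
    )

    $logons = foreach ($raw in $EventXml) {
        $doc = [xml]$raw
        # Flatten the <Data Name="...">value</Data> pairs into a hashtable
        $field = @{}
        foreach ($node in $doc.GetElementsByTagName('Data')) {
            $field[$node.GetAttribute('Name')] = $node.InnerText
        }
        # Logon type 3 is a network logon, which is how IIS sees browser users
        if ($field['LogonType'] -ne '3') { continue }

        [pscustomobject]@{
            User    = '{0}\{1}' -f $field['TargetDomainName'], $field['TargetUserName']
            Package = $field['AuthenticationPackageName']   # Kerberos or NTLM
            Source  = $field['IpAddress']
        }
    }

    # One row per user: how many logons each package served
    $logons | Group-Object User | ForEach-Object {
        $ntlm = @($_.Group | Where-Object Package -eq 'NTLM').Count
        $krb  = @($_.Group | Where-Object Package -eq 'Kerberos').Count
        [pscustomobject]@{
            User     = $_.Name
            Kerberos = $krb
            NTLM     = $ntlm
            Fallback = ($ntlm -gt 0)   # at least one logon was served by NTLM
        }
    }
}

# Builds a minimal 4624 event for the offline demonstration below
function New-SampleLogonXml($User, $Package, $Ip) {
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="TargetDomainName">COMPANY</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">$Package</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

$sample = @(
    New-SampleLogonXml 'ivanov'  'Kerberos' '10.0.0.21'
    New-SampleLogonXml 'petrova' 'NTLM'     '10.0.0.34'
    New-SampleLogonXml 'petrova' 'NTLM'     '10.0.0.34'
)
Get-LogonPackageSummary -EventXml $sample | Format-Table -AutoSize

# Live use on the WFE server (elevated session), last hour of logons:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624
#             StartTime = (Get-Date).AddHours(-1) } | ForEach-Object { $_.ToXml() }
# Get-LogonPackageSummary -EventXml $live | Where-Object Fallback
```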

Setting up a domain for Kerberos is not that complicated. All we need is to adjust one setting and one attribute in Active Directory.

First, open the Active Directory Users and Computers management snap-in, switch on the Advanced Features view in its View menu, go to the properties of the server with the WFE role and enable delegation for it:

image

Then go to the properties of the account from which we will run the web application on the IIS server. For simplicity, for the first site collection and its application pool, I chose the same user that we created during the SharePoint installation phase.

Active Directory is in essence an object database: every object in it has a set of attributes, fields that can store values. We need to change the servicePrincipalName attribute of the account and enter the domain names of the sites in a specific format:

image

That's it: all the settings required for Kerberos authentication have been completed.
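The servicePrincipalName edit described above can also be scripted. This added example (not the author's code) registers SPNs of the form HTTP/host on the application pool account and first checks that no other object in the domain already holds the same SPN, since a duplicate breaks Kerberos for that name and leaves users on the NTLM fallback. The account name sp_farm is a placeholder and the function name is hypothetical; intranet.company.com is the test name from the article.

```powershell
#Requires -Modules ActiveDirectory
# Added example. 'sp_farm' is a placeholder for the application pool account.
function Add-WebAppSpn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $ServiceAccount,  # sAMAccountName of the app pool identity
        [Parameter(Mandatory)] [string[]] $HostName         # every host name users type into the browser
    )

    $account = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName

    foreach ($name in $HostName) {
        # The HTTP service class is used for both http:// and https:// sites
        $spn = "HTTP/$name"

        # Look for the same SPN on any other object in the current domain.
        # (Across a whole forest, 'setspn -X' performs the duplicate search.)
        $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'")
        $foreign = @($holders | Where-Object {
            $_.DistinguishedName -ne $account.DistinguishedName
        })
        if ($foreign.Count -gt 0) {
            Write-Warning ("{0} is already registered on {1}; not adding a duplicate." -f
                $spn, ($foreign.DistinguishedName -join '; '))
            continue
        }

        if ($account.servicePrincipalName -contains $spn) {
            Write-Verbose "$spn is already present on $ServiceAccount."
            continue
        }

        if ($PSCmdlet.ShouldProcess($ServiceAccount, "add SPN $spn")) {
            Set-ADUser -Identity $account -ServicePrincipalNames @{ Add = $spn }
        }
    }

    # Return the SPNs now registered on the account
    (Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
}

# Dry run first; remove -WhatIf to write to the directory
Add-WebAppSpn -ServiceAccount 'sp_farm' -HostName 'intranet.company.com' -WhatIf
```

After the SPN is in place, running klist on a client that has opened the site should list a ticket for HTTP/intranet.company.com.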

We scroll further down the web application creation form, to the next settings of interest to us:

image

Everything here is quite intuitive. A URL was generated for us automatically from the data entered earlier; we were offered a new application pool with a specific name (which I tidied up slightly), advised to choose a user account (with the one we prepared for Kerberos filled in automatically), and asked to specify the SQL server, the content database name and the connection credentials. Choose any content database name you like; I would recommend a meaningful one that directly indicates which site collection or web application uses it.

Click the OK button at the very bottom and wait for the result. We are reassured by the message that this will not take long. By the way, you will see similar messages in SharePoint 2013 constantly. The developers will keep apologizing to you for the product's low performance. What can you do: the .NET Framework and an architecture chosen with an eye to flexibility and scaling are to blame.

At the end of the process we get a ready-made web application, visible as a row in the list of web applications in the SharePoint admin console, and in the IIS snap-in as a website and as an application pool.

Since we now have a website in IIS, we can attach the self-signed certificate we created to it. Right-click the site, select Edit Bindings , and pick the certificate:

image

It's time to make a site collection.

Creating a site collection.


Again we go to Application Management, and there to Create Site Collection :

image

Choose the name (title) of the root site of the collection, the version compatibility (SharePoint 2013 is backward compatible with SharePoint 2010 and actually lets you create sites of the old version) and a template; if you wish, add the accounts of additional administrators, employees whom we allow to do anything within this particular site collection; and choose a quota template:

image

We’ll talk in detail about site collection administrators and user quotas in the next chapter.

Click OK.

We go to our new portal. When you try to open it, the browser will complain about the self-signed certificate. By whatever method you prefer, simply accept it: add it to the local certificate store or straight to the domain group policy.

If the site asks for credentials when you try to open it, add the site to the Local Intranet zone or to Trusted Sites in the system's IE settings. To save trouble, we can also add the site to the zone settings for the various browser versions in the domain group policy right away.
Rejoice:

image

In the screenshot above we see the start page of our portal. The anatomy of the page is very simple; this time Microsoft did a good deal for the “cleanliness” and conciseness of the interface, for the first time optimizing the portal design for the new METRO interface, for tablet screens and for touch control.

Many elements are hidden by default, for example the Ribbon-style buttons in the tabs at the top left:

image

At the top right are the button for managing your local SharePoint profile (the one with the account name), the settings button (Settings, shaped like a gear), the buttons for “social” actions, the page edit button and, finally, the button that switches the page display mode (showing or hiding the quick links bar on the left).

The rest of the page, apart from the “quick links” panel mentioned above, is taken up by the page content itself, i.e. user data.

The button we will use most often is naturally the “gear”, Settings :

image

It is time to do localization.


We installed the English version of the product, which is good for us, but our users may not like it.

Microsoft has released a large number of language packs for SharePoint 2013 (Language Packs), which can be downloaded for free. Download one from microsoft.com and install it:

image

After installation, you will be prompted to run the product configuration wizard, which should already be familiar to you. You will see it often in the future. Since SharePoint is a website stored in a database, this wizard updates the database structure and its contents. That is, in most cases, every time some third-party functionality or capability is added to SharePoint, you will need to run this wizard so that it makes the necessary changes to the farm settings and content databases themselves.

SharePoint 2013 can automatically adjust the interface localization to the wishes of the user. Wishes can be expressed in two forms: the user can directly set the preferred localization in his personal settings (by clicking the “button” with the name of his account at the top right of the page), or, by default, the portal can read the system locale and, if the matching language pack is deployed, immediately serve pages in the desired language.

The administrator must first specify in the site settings which language packs are used, if they are installed. To do this, let's learn to edit the site settings: click the “gear” at the top right, select Site Settings in the menu that opens and marvel at the wealth of possible settings:

image

We need Site Administration - Language settings :

image

As you can see, after our installation a second item, the alternate language, has appeared here. Activate it.

Also, it will not be superfluous to go to Site Administration - Regional settings and correct the general settings of the site locale: units of measure, calendar, days of the week, region, and so on.

After all this, if you have a Russian locale in Windows, you will see the site interface in your native language:

image

If you have no Russian locale for some reason, but you really want the interface in Russian, then, as stated above, you can change the displayed language in your personal settings (the button with the name of the account - My Settings - My Language And Region - choose the language you want in My Display Languages). Naturally, this works only if the language packs are installed and enabled for the specific site:

image

Anatomy of a SharePoint site.



As we found out earlier, a SharePoint site is essentially a container of content in a site collection. It can contain other pages (at least one of which is initially present and is the root) and lists of various types.

To begin, let's learn to manage the appearance of the site. As in many other CMSs, a SharePoint page is a set of templates with a particular theme applied. In the 2013 version, Microsoft has done quite a lot to make it convenient to edit the look and feel of a site page right on the spot, without resorting to any special tools.

The style of the site can be changed in one fell swoop by going to Settings - Change the look:

image

Please note that we can change not only the theme itself, but also the basic parameters of its design, such as the page background, typefaces and color palette [44]:

image

You can also try the theme in action. Very similar to WordPress.

In addition to theme selection, the 2013 version now has a built-in WYSIWYG page editor. Again, there is no longer any need for third-party applications. By the way, for future reference: the third-party application usually meant here is MS SharePoint Designer 2013, a special web editor tailored to SharePoint. This program has a “glorious” pedigree: its direct ancestor is FrontPage, whose name, if anyone does not know, once became a byword among web developers for its habit of inserting massive code templates where necessary and where not. It is rumored that 2013 is the last version of this tool and that either it will no longer exist or its functionality, as an advanced tool for MS SharePoint, will be integrated into MS Visual Studio.

Let's go back to editing the page. It is easy to edit: just press the EDIT button at the top right, under the gear, or select the same item in the Settings menu:

image

The editor is very similar in appearance to MS Office Word - the same Ribbon.

Notice that visible rectangular frames have appeared around the content elements on the page: the two blocks of the welcome “banner” Get started with your site and the Documents document library. This is the highlighting of the so-called “Web Parts”, page objects that are responsible for rendering something.

These web parts can be moved on the page by simple drag and drop. At first it is not so easy and requires skill, but it is quite convenient. For example, below is the same page, only converted into a two-column view:

image

In addition to web parts, the page also allows you to type text anywhere and to place images and other elements. Believe me, compared to previous versions of SharePoint, in 2013 this is a real breakthrough in capabilities.

When you finish editing the page, you must click the SAVE button so that your users can see the changes you made.

Web parts are of two types: simple ones that “live” independently on the page, and web parts of “applications” (App Parts). Applications in SharePoint 2013 are defined as custom content repositories, that is, those very lists of all sorts of types.

For example, the “Get started with your site” web part is an independent web part: it is present only on the page and plays the role of a banner for beginners. If you delete it from the page, it is removed for good, together with its settings if they have been changed. Of course, you can add it again:

image

Application Web Parts are much trickier. They only visualize the contents of a specific list or application, and these lists and applications are stored in the database along with the user content placed in them, so we first need to add the application to the site before its web part can be placed (or appear at all) on the page.

Let's do it.

Perhaps one of the most important menu items, and the first you will visit, is “Site contents”:

image

All applications of this site are displayed here, and from here you can create a new application as well as a subsite of this site. Please note that in a newly created site collection the root site already contains a number of applications. Some of them are system applications, such as Site Pages and Site Assets; deleting them is not recommended.

In addition, this panel contains a link to workflow management and the built-in recycle bin for deleted items. We will deal with all of this in the following chapters.

Let's try to add a new application and place it on the page.

Click “add an app”. By the way, you can also quickly add an application from the main Site Settings menu:

image

There are quite a few applications in SharePoint 2013. The higher the edition, the more applications will be available, and web parts too. Some you will use all the time, for example document libraries and lists as storage for user information. The capabilities of the applications also differ quite a lot, but their purpose is clear from their names.

The image library can display thumbnails of images at once and even present them as slideshows. Calendars, tasks and contacts are synchronized with Microsoft Office Outlook, which is very convenient for teamwork. There is an application with the functionality of a simple forum, there is a news list with a newsletter, there is an application for collecting and visualizing the results of voting, and there is a simple list with links to internal or external resources. In the server and enterprise edition there are applications for connecting to external data sources, a report library, and so on. It makes no sense to describe all of this in the article; it is enough to try out all these applications yourself.

Let's try to create a simple list.

Choose it (Custom List) from the list of applications, and we will be asked to enter its name. One of the remarkable changes in SharePoint 2010-2013 compared to older versions of the product is that the application name is no longer part of its URL. The easiest way to explain this is with an example:

image

Here I created a list and gave it a name. It was displayed in the site contents, and SharePoint, for our convenience, highlighted it with a green “new!” flag. If you hover the mouse cursor over it, the browser will show the link that will be followed if we click on it: intranet.company.com/Lists/List/AllItems.aspx. In our case, the list application received the URL name “List”, so the full URL path to the contents of the list turned out as written above. In older versions of SharePoint, the URL name of an application was formed from the name the user entered for it. As a result, especially with names in languages other than English, Unicode ended up in the URL and the list URL could turn out to be excessively long, because the URL automatically included the nesting of sites and their elements.

From the point of view of SharePoint administration, this resulted in the problem of exceeding the permissible URL length, which differs between browsers. Working with such links is also rather inconvenient and frightening for the user. To this should be added the problem of other applications: MS Office, for example, up to and including the 2007 version, categorically refused to open documents from the portal by link if their URL was longer than 256 characters; obviously there was a length check to protect a variable from overflow. I had to resort to all kinds of tricks, for example, first giving applications short English names and then editing them to the desired ones: the URL was generated at creation time and did not change when the application name itself was changed.

In the latest versions of SharePoint this is fully in order: all created applications are automatically assigned short English “typical” URL names and are grouped into sets of similar elements.
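
To see why display names in the URL were such a problem, the following added example (not from the original article) percent-encodes each path segment the way it travels on the wire and compares the result with the 256-character limit mentioned above. The function name and both sample paths are constructed for illustration.

```powershell
# Added example, not from the original article. Sample paths are constructed.
# Save the file as UTF-8 with BOM so Windows PowerShell reads the Cyrillic literals correctly.
function Get-EncodedUrlLength {
    param(
        [Parameter(Mandatory = $true)] [string]   $HostName,
        [Parameter(Mandatory = $true)] [string[]] $Segments,  # site / list / folder / file names
        [int] $Limit = 256                                     # limit quoted in the article
    )
    # Non-ASCII characters are sent as percent-encoded UTF-8: one Cyrillic letter
    # becomes six characters (%D0%xx or %D1%xx) and a space becomes three (%20).
    $encoded    = $Segments | ForEach-Object { [uri]::EscapeDataString($_) }
    $encodedUrl = "https://$HostName/" + ($encoded -join '/')
    $typedUrl   = "https://$HostName/" + ($Segments -join '/')

    [pscustomobject]@{
        TypedLength   = $typedUrl.Length     # what the user sees in the address bar
        EncodedLength = $encodedUrl.Length   # what applications actually have to handle
        OverLimit     = $encodedUrl.Length -gt $Limit
        EncodedUrl    = $encodedUrl
    }
}

# Old behaviour: the URL is built from the display names of nested sites and libraries.
$old = Get-EncodedUrlLength -HostName 'intranet.company.com' -Segments @(
    'Отдел информационных технологий',
    'Проектная документация',
    'Технические задания',
    'Техническое задание на внедрение портала.docx'
)

# New behaviour: short "typical" URL names, as in the article's Lists/List example.
$new = Get-EncodedUrlLength -HostName 'intranet.company.com' -Segments @(
    'Lists', 'List', 'AllItems.aspx'
)

$old, $new | Format-List TypedLength, EncodedLength, OverLimit
```
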

As an illustration, this is how the name of the second list will look:

image

With subordinate sites it is a little more difficult: we are required to specify their URL name directly, and it is appended to the parent's:

image

A good habit is to learn to name site URLs thoughtfully right away. Best of all in one word, in English.

When creating a site, pay attention to the choice of site template. In addition to some basic libraries and lists, the template may include additional features that are enabled at the site level. You will learn more about all this, as well as advanced administration skills such as creating your own site and list templates, in one of the following chapters.

Navigation control.


Almost any standard site template assumes two navigation bars: the top, main one, and the left, side one, the so-called quick launch panel.

The functionality of the top panel has not changed since the old SharePoint editions, but it can now be edited more conveniently, directly on the page, without even entering page edit mode. The panel can also be shared automatically by the entire site collection (inherited), or it can be unique for a specific subsite.

The quick launch panel can also be edited “on the spot”, but the panel itself has become intelligent. Now it can automatically add links to the most recently visited lists, libraries and other things. This is actually quite convenient and worth noting for the future as one of the “goodies” that can be mentioned in user training.

The last thing I would like to consider in this chapter is changing the parameters of the site.

To access the page with them, select the Site Settings item in the Settings menu:

image

There is no limit to the wealth of settings. You can customize everything, from the name of the site to the details of editing its navigation.



It should be noted that the settings of the root site of a site collection differ greatly in number from the settings available for subordinate sites:

image

This is because the settings of the root site affect the entire site collection as a whole, so there is a separate, large group of settings, Site Collection Settings.




In the following parts of the article:



Chapter 6. Divide and conquer: the rights of users and administrators. How to delegate them correctly in order not to have a headache in the future.
Chapter 7. Browser wars.
Chapter 8. How to make sure that your portal is actually used.
Chapter 9. Making interoperability with other systems and platforms using the example of Office WebApps.
Chapter 10. Advanced Administration.
Chapter 11. The second system administration rule (backup).
Chapter 12. How to stay up at night or what you should know about updating the portal farm.
Chapter 13. Mysterious workflows.

Source: https://habr.com/ru/post/277191/

