Hewlett-Packard Company
Microsoft SharePoint Risk & Health Assessment
Prepared by: Kim Smet
Version 0.2

Document Information
Project Name: Microsoft SharePoint Risk & Health Assessment
Prepared By: Kim Smet
Title: Microsoft SharePoint Risk & Health Assessment
Reviewed By: Hans Jaspers
Document Version No: 0.2
Document Version Date: 03 Mar 2011
Review Date:
Version History
| Ver. No. | Ver. Date | Revised By | Description | Reviewer | Status |
| --- | --- | --- | --- | --- | --- |
| 0.1 | 28/01/11 | Kim Smet | First draft: Overview of desired content | Hans Jaspers | Oral feedback |
| 0.2 | 03/03/11 | Kim Smet | First iteration of content | Hans Jaspers | In progress |
HP Global Method
HP Confidential
© Copyright 2017 Hewlett-Packard Development Company, L.P.
Valid agreement required.
Contents
Proprietary notice
1 Introduction
  1.1 Purpose
  1.2 Applicability
  1.3 Assumptions
2 Customer Dialogue
3 Farm Overview
  3.1 Hardware and resources
  3.2 Usage information
  3.3 Topology
    3.3.1 Environments
    3.3.2 Architecture
    3.3.3 Accounts and application pools
  3.4 Software
4 Server Configuration
  4.1 Resources
    4.1.1 SharePoint 2007
    4.1.2 SharePoint 2010
    4.1.3 SQL Server/cluster
  4.2 File integrity
  4.3 Service Information
    4.3.1 All servers
    4.3.2 Central Administration servers
    4.3.3 Index and Query Servers
    4.3.4 Web Front End servers
  4.4 Network configuration
  4.5 Storage
    4.5.1 Architecture
    4.5.2 Storage Health
  4.6 Load Balancing and High Availability
    4.6.1 Load balancing
    4.6.2 High Availability
  4.7 Security
    4.7.1 Account setup
    4.7.2 Authentication
    4.7.3 Firewall/Antivirus
    4.7.4 Naming conventions and Password Strength
    4.7.5 Microsoft Checklist
5 SQL Configuration
  5.1 Content databases
  5.2 Backup/Restore
  5.3 Disaster recovery
6 SharePoint configuration
  6.1 SharePoint information
    6.1.1 Prerequisites
    6.1.2 Version
  6.2 Configuration
    6.2.1 General
    6.2.2 Service Applications
    6.2.3 Search
  6.3 Software Limitations
    6.3.1 Web application limitations
    6.3.2 Web server limitations
    6.3.3 Site collection limits
    6.3.4 List and Library limits
    6.3.5 Page limits
    6.3.6 Security limits
    6.3.7 Workflow limits
7 Server Health
  7.1 Event log
  7.2 Health Analyzer (SP 2010)
8 Web applications
  8.1 Site depth
  8.2 Performance & access times
  8.3 Custom solutions
9 Customer specific requests
10 Customer Deliverables
  10.1 Assessment report
  10.2 Remediation steps

Proprietary notice
© 2011 Hewlett-Packard Limited. All rights reserved.
All rights reserved. No part of this document may be reproduced in any form, including photocopying or
transmission electronically to any computer, without prior written consent of HP. The information contained in
this document is confidential and proprietary to HP and may not be used or disclosed except as expressly
authorized in writing by HP.
Microsoft, Windows and Windows NT are trademarks of Microsoft Corporation. Intel, Pentium, Intel Inside, and
Celeron are trademarks of Intel Corporation. UNIX is a trademark of The Open Group. All other product names
mentioned herein may be trademarks or registered trademarks, in various jurisdictions, of their respective
companies, including HP or its associated companies. HP acknowledges all third party trademarks used in this
document.
1 Introduction
HP has been providing its customers with top-level SharePoint services for years. One of
those services is the assessment of the customer’s existing SharePoint infrastructure. Risk
and Health analysis is crucial both for the customer and for HP. The customer receives
in-depth information about the possible risks or flaws in his system, while HP is provided with
the information it needs to resolve the customer’s issues and prepare for possible future
projects.
1.1 Purpose
The purpose of this document is to provide a resource for HP technical consultants to guide
them in providing HP customers with an in-depth assessment of their Microsoft Office
SharePoint Server 2007 or Microsoft SharePoint Server 2010 environments. It provides a list
of items that need to be checked, monitored, improved or redesigned in order to
conform to best practices and to have the best performing farm possible.
The service that HP technical consultants provide for the customer is loosely based on the
Microsoft Risk and Health Assessment program. HP does not provide an expensive software
tool that simply lists the possible issues with the SharePoint infrastructure, but provides a
more hands-on approach. HP technical consultants will do extensive testing and monitoring
over the course of one week and then provide the customer with an overview of concerns
and an action plan for remediation, generating possible offers for follow-up projects.
1.2 Applicability
This document is to be used by all HP technical consultants involved in SharePoint Risk and
Health assessment projects. The topics discussed in this document are by no means final or
absolute and are subject to change as the product changes. HP technical consultants are
expected to use their own expertise in conjunction with this document to successfully
perform the assessment, using this document as a guide or reference.
This document is meant for internal use only and should under no circumstances be exposed
to third parties without permission of the HP SharePoint team.
1.3 Assumptions
- The customer has requested a Risk and Health analysis project from HP and all the
  terms of service have been discussed and signed before farm assessment begins.
- HP technical consultants have full access to the customer’s SharePoint farm
  infrastructure for monitoring purposes.
- HP technical consultants have full cooperation of the customer’s SharePoint/Active
  Directory/SQL teams.

2 Customer Dialogue
Before starting the standard assessment procedure it is very important for the HP technical
consultant to query the customer about his reasons for requesting the Risk and Health
assessment procedure.
It is very common that a customer has specific requests or problems with their SharePoint
infrastructure. Make note of these requests and give them a high priority throughout the
assessment process. Part of the service is providing the customer with an action plan to
resolve the issues with the current SharePoint infrastructure.
Because the reasons for certain issues are not always apparent, we recommend going
through the standard procedure before assessing any specific needs. List the issues in
section 9 “Customer specific requests” of this document, and assess them if no resolution
was provided by the standard assessment procedure.
3 Farm Overview
The first step towards a successful assessment of the customer’s SharePoint
infrastructure is creating an overview of the current topology. Listing the physical machine
structure, SQL clustering, SharePoint topology, search setup, etc. is key to acquiring the
information needed to perform a correct and precise assessment. Using visual representation
when communicating with the customer is recommended.
3.1 Hardware and resources
The first batch of information that needs to be gathered is a listing and mapping of the
customer’s physical hardware and infrastructure that the SharePoint farm is built upon. Very
often SharePoint performance problems are related to an imbalanced hardware setup
causing certain bottlenecks that decrease SharePoint performance significantly. Whether the
SharePoint farm is virtualized or in a physical environment, hardware will always be a critical
factor.
HP technical consultants should map the following things from the customer’s hardware
infrastructure:
- SharePoint Web front end and application server hardware: CPU, Memory, Storage
  and architecture.
- Active Directory server hardware: CPU, Memory, Storage, architecture.
- SQL Server hardware: CPU, Memory, Storage (SharePoint specific) and architecture.
- Network infrastructure: Connection speed, bandwidth, IP-setup and network devices.
For example, a SharePoint web front end server hardware listing could look like this:
Web front end server 1
- 64-bit System
- Intel Dual Core 2x 2.33 GHz processor
- 8 GB DDR3 RAM memory
- 250 GB SAN Storage
- 1 Gbps LAN on 10.56.0.43
Creating a structured overview of the customer’s hardware setup is an excellent first step
towards gaining an overview of the complete SharePoint farm setup.
3.2 Usage information
List how many users the customer has using the SharePoint farm, and how many of them are
regular users. Create an overview of how the SharePoint farm is administered and
maintained.
3.3 Topology
At this point the HP technical consultant should create an overview of the SharePoint farm
topology. This is a general overview of the farm topology; a foundation that the
following sections of this document build upon.
3.3.1 Environments
Determine how many different types of environments the customer uses for his deployment
lifecycle. Possible environments include:
- Development
- Testing
- QA
- Staging
- Production

3.3.2 Architecture
The first thing to map is the farm architecture. Classify the farm under the terms small,
medium or large depending on the setup of Web front ends, application servers, search
crawl servers, indexing servers and SQL Server clustering. Geographical information is also
useful to include here.
An overview of possible farm configurations:
Single Server farm
This farm topology is ideal for a user base of fewer than 100 concurrent users. Farms like this
are typically used for development or very small project farms. This farm consists of a single
server that fulfils the roles of WFE, database server and application server.
Two Server Farm
This type of farm has one database server and one WFE that also serves as application server.
In case high availability is required, a clustered or mirrored database server is used. This farm
typically serves up to 10.000 users.
Two-Tier Small Farm
A farm of this type typically serves a user base between 10.000 and 20.000 users with low
service usage. It consists of a clustered database server and two WFE servers, one of which
serves as an application server as well.
Three-Tier Small Farm
This type of farm is very similar to the Two-Tier Small Farm type, the difference being that a
separate server is used as a dedicated application server. This type of farm is ideal for a
solution with large databases and increased service usage.
Medium Farm
This is a three-tiered farm. The general rule is to have 10.000 users per WFE server. In the first
tier we can use two or more WFE servers (depending on the size of the user base). In the
second tier we have two servers dedicated to search functionalities and one or more servers
dedicated to application services. In the third tier there is a dedicated database server for the
search database and one or more for all other SharePoint databases.
This is the first topology that offers large scalability. The middle tier of this structure can be
expanded to serve any farm growth by adding more servers to share the service application
load.
Large Farm
A large farm is built on the server group concept as it is used in the medium farm.
Additionally, a large farm could include dedicated servers for custom or sandboxed code.
These types of farms are mostly used by very large enterprise customers with a large
SharePoint infrastructure; they offer very large scalability and high availability options.
3.3.3 Accounts and application pools
The next step in creating the general overview of the customer’s farm topology is listing the
accounts used for the setup of the farm, as well as the administration and management of
the farm. The accounts used for the service applications and all application pools in Internet
Information Services should be listed as well.
List every important account and include account name, purpose and application pool
identity if applicable.
3.4 Software
The last step in the general overview, before going into more detail, should be an overview
of all SharePoint related software and their versions on the servers within the farm.
For every SharePoint related server (WFE and application servers) list the following things:
- Operating System: version, service packs and cumulative updates.
- SharePoint software: version, service packs, cumulative updates and language packs.
- Office Software: Office products + versions, Office Web apps version.
- Custom software: Connectors, Solutions, development tools.
Also list the operating systems and versions/updates for the SQL database server and the
Active Directory server. If applicable, list any software or operating system
information regarding servers that could have an impact on SharePoint performance (for
example: SAP in case an SAP connector or BCS service is used).
4 Server Configuration
The next step in the actual assessment process is taking a look at the individual servers in the
farm and checking their configuration in-depth.
4.1 Resources
In this section we will compare the customer’s hardware infrastructure to the Microsoft
recommended hardware guidelines. Performance can often be optimized by simply
expanding resources for the SharePoint farm.
4.1.1 SharePoint 2007
The recommended hardware setup for a Microsoft Office SharePoint Server 2007 as
described by Microsoft is as follows:
| Component | Minimum | Recommended |
| --- | --- | --- |
| Processor | 2.5 GHz single core | 2x 2.5 GHz dual core |
| Memory | 2 GB | 4 GB |
| Disk | NTFS 3 GB | NTFS 3 GB + data storage requirements |
| Network | 100 Mbps between servers | 1 Gbps between servers |
4.1.2 SharePoint 2010
The recommended hardware setup for a Microsoft SharePoint Server 2010 as described by
Microsoft is as follows:
| Component | Minimum | Recommended |
| --- | --- | --- |
| Processor | 64-bit 4 cores | 64-bit 4 cores |
| Memory | 8 GB (4 GB for development) | 16 GB |
| Disk | 80 GB disk | 80 GB disk with at least 5X RAM of free space |
| Network | 100 Mbps between servers | 1 Gbps between servers |
4.1.3 SQL Server/cluster
The memory required for SharePoint is directly related to the size of the content databases
that you are hosting on the SQL server. As you add service applications and features, your
requirements are likely to increase. The following table gives guidelines for the amount of
memory that is recommended by Microsoft.
| Size of database | Memory recommended |
| --- | --- |
| Small deployments | 8 GB |
| Medium deployments | 16 GB |
| Large deployments up to 2 Terabytes | 32 GB |
| Large deployments between 2 – 5 terabytes | 64 GB |

Additional SQL related best practices will be discussed further on in the SQL section of this
document.
4.2 File integrity
The purpose of this section is for the technical consultant to make sure that the installations
and software versions are up to date. An important factor in farm health and performance is
the integrity and conformity of the software distributed across the SharePoint farm
infrastructure. We need to check whether the versions used are up to date and consistent
across the farm. The following software versions are critical within the farm:
- Operating systems: Make sure the operating systems used across servers are on the
  same level of service packs and cumulative updates where necessary. All SharePoint
  WFE and application servers should be using the same operating system software.
- Security related software: Make sure antivirus, security updates and other secondary
  software are up to date and consistent across the farm (for example: Forefront security).
- SharePoint software: This includes conformity in software versions, language packs,
  cumulative updates, custom solution versions, service packs and other software that
  can have an impact on the SharePoint performance.
- SQL Server software: This includes the SQL Server software version, cumulative
  updates and service packs, as well as the version of several tools used to manage the
  SQL Server instance: SQL management studio, backup related software and other
  SQL tools.
Software conformity is crucial for a high performance SharePoint farm.
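One way to check the operating-system item above is to compare the service pack level and installed hotfixes across the farm servers. The following PowerShell script is an added example, not part of the original HP document; the server names are hypothetical placeholders, and it covers only OS-level patches, not SharePoint or SQL Server builds.

```powershell
# Added example: report operating-system patch drift between farm servers.
# The server names are hypothetical placeholders; pass the customer's own list.
param(
    [string[]]$Servers = @('WFE01', 'WFE02', 'APP01')
)

# Collect OS version, service pack level and installed hotfix IDs from one server.
function Get-PatchBaseline {
    param([string]$ComputerName)

    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    $ids = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Where-Object { $_.HotFixID -match '^KB\d+$' } |   # skip non-KB entries such as "File 1"
        ForEach-Object { $_.HotFixID } |
        Sort-Object -Unique

    New-Object PSObject -Property @{
        Server      = $ComputerName
        OSVersion   = $os.Version
        ServicePack = $os.ServicePackMajorVersion
        HotFixes    = @($ids)
    }
}

$baselines = @()
foreach ($server in $Servers) {
    try {
        $baselines += Get-PatchBaseline -ComputerName $server
    }
    catch {
        # An unreachable server is a finding in itself; do not silently skip it.
        Write-Warning "Could not query ${server}: $($_.Exception.Message)"
    }
}

# Every hotfix seen anywhere in the farm; a server missing any of them has drifted.
$allHotFixes = @($baselines | ForEach-Object { $_.HotFixes } | Sort-Object -Unique)

$report = foreach ($b in $baselines) {
    $missing = @($allHotFixes | Where-Object { $b.HotFixes -notcontains $_ })
    New-Object PSObject -Property @{
        Server          = $b.Server
        OSVersion       = $b.OSVersion
        ServicePack     = $b.ServicePack
        Conform         = ($missing.Count -eq 0)
        MissingHotFixes = ($missing -join ', ')
    }
}

$report |
    Select-Object Server, OSVersion, ServicePack, Conform, MissingHotFixes |
    Format-Table -AutoSize

# Different OS versions or service pack levels are reported separately.
$osLevels = @($baselines |
    ForEach-Object { "$($_.OSVersion) SP$($_.ServicePack)" } |
    Sort-Object -Unique)
if ($osLevels.Count -gt 1) {
    Write-Warning ("Servers run different OS levels: " + ($osLevels -join '; '))
}
```

A hotfix that is present on one server and missing on another is reported as drift; whether it is actually required on every server role still has to be judged by the consultant.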
4.3 Service Information
The next step in assessing the SharePoint farm is checking the SharePoint related services on
all servers in our farm that have SharePoint related roles. For every type of server we need to
check whether there are problems with a few specific services that are running.
The services can be checked through the Services tool that is an integrated part of Microsoft
Windows Server 2003 or 2008.
4.3.1 All servers
The following services need to be checked on all SharePoint servers. After these checks, refer
to individual server role subsections to see which additional checks need to be performed on
that server.
SharePoint Timer Service
Process name SPTimerV3 (SP 2007) or SPTimerV4 (SP 2010). This service is a critical service
for SharePoint functionality. This service controls the sending of notifications throughout the
farm as well as performing scheduled tasks that are crucial for SharePoint farm performance.
Possible issues:
- The SPTimer service is not started: This service is critical for SharePoint and needs to
  be started at all times.
- The SPTimer service is not set to start automatically: This service should not be set to
  manual start. As this service is critical for SharePoint performance, it must be set
  to start automatically.
SharePoint VSS Writer Service
The VSS Writer Service provides integration between SharePoint and the Volume Shadow
Copy Service to provide a rich backup experience. Basically, it describes the data that needs
to be backed up to third party backup software vendors. This Service is only required by
third-party applications that take advantage of it. If the customer is not using one of the
third party applications, it can and should safely be stopped. Unnecessary use of this Service
can slightly decrease farm performance.
If the customer is not using a third party application that makes use of this service, please
ensure the following things:
- Make sure the SharePoint Writer service is disabled.
- Make sure the SharePoint Writer service is set to manual starting mode, and not
  automatic.
SharePoint Trace Service
Process name SPTraceV3 (SP 2007) or SPTraceV4 (SP 2010). This is another critical SharePoint
service. This service handles the Trace and usage logging service within SharePoint. It is a
crucial service for the SharePoint farm and any issues with this service should, like the Timer
service, instantly be resolved.
Possible Issues:

The SPTrace service is not started: This service is critical for SharePoint and needs to
always be started.

The SPTrace service is not set to start automatically: This service should not be set to
manual start. As this service is critical for SharePoint performance, it must be set
to start automatically.
Document Conversion Load Balancer Service
Process name DCLoadBalancer12 (SP 2007) or DCLoadBalancer14 (SP 2010). This process
acts as a load balancing agent for Microsoft SharePoint document conversion services. This
process is accompanied by another service, the DCLauncher Service, which acts as an
activation service for the aforementioned DCLoadBalancer Service. These two services are
not critical for a SharePoint farm infrastructure and should only be enabled when they are
required. Unnecessary use of these services can lead to a decrease in performance.
Possible Issues:

DCLoadBalancer Service is enabled: This service should only be started when
necessary.

DCLauncher Service is enabled: This service should only be started when necessary.
4.3.2 Central Administration servers
The following extra services need to be checked on all Central Administration servers.
SharePoint Administration Service
Process name SPAdminV3 (SP 2007) or SPAdminV4 (SP 2010). This is the service that
performs administrative tasks on a machine that hosts the central administration website.
Possible issues:

The SPAdmin Service is not started: This service is critical for SharePoint Central
Administration operations and needs to always be started on a machine that hosts
Central Administration.

The SPAdmin Service is currently not set to start automatically: This service should
not be set to manual start. As this service is critical for SharePoint Central
Administration operations, it must be set to start automatically.
4.3.3 Index and Query Servers
The following extra services need to be checked on all Index and Query servers in the farm.
As there is a difference in service names and functionality between SharePoint 2007 and
SharePoint 2010, we will handle them individually.
SP 2007 WSS and MOSS Search services
In SharePoint 2007 there are 2 different versions of the Search service: one for the WSS
version of SharePoint 2007 and one for the Office Server version. These are mutually
exclusive and the services should under no circumstances be combined within the same
farm. Process names for these 2 versions are: SPSearchV3 (WSS search) and OSearch12
(MOSS Search).
Possible issues:

The WSS Search Service is currently set to disabled mode on one or more servers.
While not a problem when configuring the server for MOSS Search, this can cause
problems in the future if you later choose to make that machine into a WSS search
server.

The Office Server Search service is not started. When configured for MOSS search,
this is an indication that the search service is currently not functioning correctly.

The Office Server Search service start mode is set to disabled. When configuring for
MOSS search, this is an indication that the search service is currently not functioning
correctly.
SP 2010 Foundation and Server Search
Like in SharePoint 2007, there are 2 different versions for the search service (3 if we count in
FAST search) in SharePoint 2010: Foundation Search and Server Search. They are mutually
exclusive in the same manner as the 2007 search versions. Process names for these 2
versions are: SPSearchV4 (Foundation search) and OSearch14 (Server Search).
Possible issues:

The Foundation Search Service is currently set to disabled mode on one or more
servers. While not a problem when configuring the server for Server Search, this can
cause problems in the future if you later choose to make that server into a
Foundation search server.

The Server Search service is not started. When configured for Server search, this is an
indication that the search service is currently not functioning correctly.

The Server Search service start mode is set to disabled. When configuring for
Server search, this is an indication that the search service is currently not functioning
correctly.
4.3.4 Web Front End servers
The following extra service needs to be checked on all Web Front End server roles in the
SharePoint farm.
World Wide Web Publishing Service
The World Wide Web publishing service is in control of traffic directed between end users
and the web front end server. Problems with this service can lead to malfunctioning
connections between end users and the SharePoint sites.
The process name is W3SVC.
Possible issues:

The World Wide Web publishing service is not started. This indicates that the WFE
server is currently not responding to incoming requests, usually due to the IIS service
not being started. To ensure correct WFE behavior, this service must be started.

World Wide Web publishing service is not started automatically. This means the
W3SVC service will not start automatically when the WFE server is rebooted. The WFE
server will not respond to incoming requests until it has been activated manually,
which is not compliant with best practices.
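The state and start-mode checks from section 4.3 can be run as one pass per server. The following is an added example, not part of the original assessment method: it uses the SharePoint 2010 process names given above, the role labels are chosen for this example, and the search services are left out because their expected state depends on which search version the farm is configured for.

```powershell
# Added example. Service names are the SP 2010 process names from section 4.3;
# the Role and Expectation labels are assumptions of this example.
$Baseline = @'
Name,Role,Expectation
SPTimerV4,All,Required
SPTraceV4,All,Required
SPAdminV4,CentralAdmin,Required
W3SVC,WFE,Required
DCLoadBalancer14,All,OnlyIfNeeded
'@ | ConvertFrom-Csv

function Test-ServiceBaseline {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Services,  # objects with Name, State, StartMode
        [Parameter(Mandatory = $true)] [string[]] $Roles      # roles this server holds
    )
    # Index the observed services by name (hashtable keys are case-insensitive).
    $observed = @{}
    foreach ($s in $Services) { $observed[$s.Name] = $s }

    foreach ($rule in $Baseline) {
        # Skip rules for roles this server does not hold.
        if ($rule.Role -ne 'All' -and $Roles -notcontains $rule.Role) { continue }

        $svc = $observed[$rule.Name]
        $issues = @()
        if ($null -eq $svc) {
            # A required service that is absent is reported, not silently skipped.
            if ($rule.Expectation -eq 'Required') { $issues += 'service not found on this server' }
        }
        elseif ($rule.Expectation -eq 'Required') {
            if ($svc.State -ne 'Running')  { $issues += "not started (state: $($svc.State))" }
            if ($svc.StartMode -ne 'Auto') { $issues += "start mode is $($svc.StartMode), expected Auto" }
        }
        elseif ($svc.State -eq 'Running') {
            $issues += 'running; confirm that document conversion is actually required'
        }

        foreach ($issue in $issues) {
            New-Object PSObject -Property @{ Service = $rule.Name; Issue = $issue }
        }
    }
}

# Constructed sample for a server that is both WFE and Central Administration host.
# On a live server the same three properties come from (Windows PowerShell 2.0 to 5.1):
#   Get-WmiObject Win32_Service | Select-Object Name, State, StartMode
$sample = @'
Name,State,StartMode
SPTimerV4,Running,Auto
SPTraceV4,Stopped,Manual
SPAdminV4,Running,Manual
DCLoadBalancer14,Running,Auto
'@ | ConvertFrom-Csv

Test-ServiceBaseline -Services $sample -Roles 'WFE', 'CentralAdmin' |
    Format-Table Service, Issue -AutoSize
```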
4.4 Network configuration
A common misconception is that servers connected to a high-speed network segment will
have plenty of bandwidth to perform all required operations. But SharePoint places a
tremendous amount of demand on SQL. Each request for a page can result in numerous calls
to the database, not to mention service jobs, search indexing and other operations. In order
to mitigate the conflict between user and database traffic, connectivity between front-end
servers and SQL should be isolated, either via separate physical networks or virtual LANs.
Typically this requires at least two separate network interface cards in each front-end Web
server with static routes configured to ensure traffic is routed to the correct interface. The
same configuration may also be applied to application and index servers.
Check the customer’s network interfaces and judge them depending on the farm size and
infrastructure. A badly configured network setup can cause large performance issues when
the network becomes strained with a larger user request load.
4.5 Storage
4.5.1 Architecture
Direct Attached Storage (DAS), Storage Area Network (SAN), and Network Attached Storage
(NAS) storage architectures are supported with SharePoint Server 2010. NAS is only
supported for use with content databases that are configured to use remote BLOB storage.
Determining the customer’s storage architecture is the first step towards assessing its
strength. It is important to understand the different types of storage architectures:
Direct Attached Storage (DAS)
DAS is a digital storage system that is directly attached to a server or workstation, without a
storage network in between. DAS physical disk types include Serial Attached SCSI (SAS) and
Serial Attached ATA (SATA).
In general, DAS architecture is used when a shared storage platform cannot guarantee a
response time of 20 ms and sufficient capacity for average and peak IOPs.
Storage Area Network (SAN)
SAN is an architecture to attach remote computer storage devices (such as disk arrays and
tape libraries) to servers in such a way that the devices appear as locally attached to the
operating system.
In general, a SAN is used when the benefits of shared storage are important to the
customer’s organization.
The benefits of shared storage include the following:

Easier to reallocate disk storage between servers.

Can serve multiple servers.

No limitations on the number of disks that can be accessed.
Network Attached Storage (NAS)
A NAS unit is a self-contained computer that is connected to a network. Its sole purpose is to
supply file-based data storage services to other devices on the network. The operating
system and other software on the NAS unit provide the functionality of data storage, file
systems, and access to files, and the management of these functionalities (for example, file
storage).
4.5.2 Storage Health
A lot of storage-related data can be monitored through the Windows Performance Monitor
by adding counters for the specific parts of the hardware to monitor. The following
section describes a number of important counters for storage, and for the SQL database
storage infrastructure in particular.
Monitor the following counters to ensure the health of disks. Note that the following values
represent values measured over time — not values that occur during a sudden spike and not
values that are based on a single measurement.

Physical Disk: % Disk Time: DataDrive: This counter shows the percentage of elapsed
time that the selected disk drive is busy servicing read or write requests. It is a
general indicator of how busy the disk is. If the PhysicalDisk: % Disk Time counter is
high (more than 90 percent), check the PhysicalDisk: Current Disk Queue Length
counter to see how many system requests are waiting for disk access. The number of
waiting I/O requests should be sustained at no more than 1.5 to 2 times the number
of spindles that make up the physical disk.

Logical Disk: Disk Transfers/sec: This counter shows the rate at which read and write
operations are performed on the disk. Use this counter to monitor growth trends and
forecast appropriately.

Logical Disk: Disk Read Bytes/sec and Logical Disk: Disk Write Bytes/sec: These
counters show the rate at which bytes are transferred from the disk during read or
write operations.

Logical Disk: Avg. Disk Bytes/Read: This counter shows the average number of bytes
transferred from the disk during read operations. This value can reflect disk latency —
larger read operations can result in slightly increased latency.

Logical Disk: Avg. Disk Bytes/Write: This counter shows the average number of bytes
transferred to the disk during write operations. This value can reflect disk latency —
larger write operations can result in slightly increased latency.

Logical Disk: Current Disk Queue Length: This counter shows the number of requests
outstanding on the disk at the time that the performance data is collected. For this
counter, lower values are better. Values greater than 2 per disk may indicate a
bottleneck and should be investigated. This means that a value of up to 8 may be
acceptable for a logical unit (LUN) made up of 4 disks. Bottlenecks can create a
backlog that can spread beyond the current server that is accessing the disk and
result in long wait times for users. Possible solutions to a bottleneck are to add more
disks to the RAID array, replace existing disks with faster disks, or move some data to
other disks.

Logical Disk: Avg. Disk Queue Length: This counter shows the average number of
both read and write requests that were queued for the selected disk during the
sample interval. The rule is that there should be two or fewer outstanding read and
write requests per spindle, but this can be difficult to measure because of storage
virtualization and differences in RAID levels between configurations. Look for larger
than average disk queue lengths in combination with larger than average disk
latencies. This combination can indicate that the storage array cache is being
overused or that spindle sharing with other applications is affecting performance.

Logical Disk: Avg. Disk sec/Read and Logical Disk: Avg. Disk sec/Write: These counters
show the average time, in seconds, of a read or write operation to the disk. Monitor
these counters to ensure that they remain below 85 percent of the disk capacity. Disk
access time increases exponentially if read or write operations are more than
85 percent of disk capacity. To determine the specific capacity for your hardware,
refer to the vendor documentation or use the SQLIO Disk Subsystem Benchmark Tool
to calculate it.

Logical Disk: Avg. Disk sec/Read: This counter shows the average time, in seconds,
of a read operation from the disk. On a well-tuned system, ideal values are from 1
through 5 ms for logs (ideally 1 ms on a cached array), and from 4 through 20 ms
for data (ideally less than 10 ms). Higher latencies can occur during peak times, but
if high values occur regularly, you should investigate the cause.

Logical Disk: Avg. Disk sec/Write: This counter shows the average time, in seconds,
of a write operation to the disk. On a well-tuned system, ideal values are from 1
through 5 ms for logs (ideally 1 ms on a cached array), and from 4 through 20 ms
for data (ideally less than 10 ms). Higher latencies can occur during peak times, but
if high values occur regularly, you should investigate the cause.
When you are using RAID configurations with the Logical Disk: Avg. Disk Bytes/Read or
Logical Disk: Avg. Disk Bytes/Write counters, use the formulas listed in the following table to
determine the rate of input and output on the disk.
RAID level    Formula
RAID 0        I/Os per disk = (reads + writes) / number of disks
RAID 1        I/Os per disk = [reads + (2 x writes)] / 2
RAID 5        I/Os per disk = [reads + (4 x writes)] / number of disks
RAID 10       I/Os per disk = [reads + (2 x writes)] / number of disks
For example: if the following counters on a RAID 1 system have these example values:

Avg. Disk sec/read = 80

Logical Disk: Avg. Disk sec/write = 70

Avg Disk Queue Length = 5
In this case, the I/O value per disk is calculated as follows: (80 + (2 x 70)) / 2 = 110
The disk queue length is 5/2 = 2.5
In this situation, you would have a borderline I/O bottleneck that decreases performance on
the SQL machine.
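The RAID formulas and the counter limits above can be applied to a series of samples instead of a single reading. The following is an added example, not part of the original assessment method: the limits are the ones stated in this section, while the 50 percent "sustained" share, the function names and the sample values are assumptions of the example.

```powershell
# Added example. Limits come from section 4.5.2; the sustained share (more than
# half of the samples over the limit) is an assumption of this example.
function Get-IoPerDisk {
    param(
        [ValidateSet('RAID0', 'RAID1', 'RAID5', 'RAID10')] [string] $RaidLevel,
        [double] $Reads, [double] $Writes, [int] $DiskCount
    )
    # One branch per row of the RAID table above.
    switch ($RaidLevel) {
        'RAID0'  { ($Reads + $Writes) / $DiskCount }
        'RAID1'  { ($Reads + 2 * $Writes) / 2 }
        'RAID5'  { ($Reads + 4 * $Writes) / $DiskCount }
        'RAID10' { ($Reads + 2 * $Writes) / $DiskCount }
    }
}

function Test-SustainedBreach {
    # True when more than $Share of the samples exceed $Limit, so one spike does not count.
    param([double[]] $Samples, [double] $Limit, [double] $Share = 0.5)
    if ($Samples.Count -eq 0) { return $false }
    $over = @($Samples | Where-Object { $_ -gt $Limit }).Count
    return (($over / $Samples.Count) -gt $Share)
}

function Test-DiskHealth {
    param(
        [ValidateSet('Data', 'Log')] [string] $Usage,
        [int] $Spindles,
        [double[]] $LatencySec,       # Avg. Disk sec/Read or Avg. Disk sec/Write samples
        [double[]] $QueueLength,      # Current Disk Queue Length samples
        [double[]] $PercentDiskTime   # % Disk Time samples
    )
    # Upper end of the ideal range: 5 ms for logs, 20 ms for data.
    $latencyLimit = if ($Usage -eq 'Log') { 0.005 } else { 0.020 }
    New-Object PSObject -Property @{
        Usage       = $Usage
        LatencyHigh = (Test-SustainedBreach -Samples $LatencySec -Limit $latencyLimit)
        DiskBusy    = (Test-SustainedBreach -Samples $PercentDiskTime -Limit 90)
        # More than 2 outstanding requests per spindle may indicate a bottleneck.
        QueueHigh   = (Test-SustainedBreach -Samples $QueueLength -Limit (2 * $Spindles))
    }
}

# Constructed samples for a data LUN made up of 4 disks. On a live server, one
# counter series can be collected with (drive letter E: is an assumption):
#   Get-Counter '\LogicalDisk(E:)\Avg. Disk sec/Read' -SampleInterval 15 -MaxSamples 40 |
#       ForEach-Object { $_.CounterSamples[0].CookedValue }
$readLatency = 0.008, 0.009, 0.150, 0.007, 0.008, 0.009   # a single spike
$queueLength = 11, 12, 9, 14, 10, 13                      # consistently above 2 per disk
$diskTime    = 95, 97, 92, 96, 94, 98

Test-DiskHealth -Usage Data -Spindles 4 -LatencySec $readLatency `
    -QueueLength $queueLength -PercentDiskTime $diskTime | Format-List

# The section's RAID 1 worked example: reads 80, writes 70, two disks.
Get-IoPerDisk -RaidLevel RAID1 -Reads 80 -Writes 70 -DiskCount 2
```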
4.6 Load Balancing and High Availability
The next step in the assessment will be checking the presence of out-of-the-box or third
party load balancing and high availability configurations.
4.6.1 Load balancing
There are several options available for load balancing in SharePoint. There are a few
lightweight out-of-the-box options to load balance a number of things in SharePoint, as well
as a variety of Microsoft or third party products that function as load balancing agents (for
example Microsoft’s Operations Manager). Investigate what mechanisms and load balancing
configurations are in place and see if they are properly configured. Several options:

SQL Clustering/Mirroring

Network Load balancing

Third party load balancing solutions
The most common form of balancing the load generated from user requests on the web front ends is Network load balancing through load balanced URLs. This mechanism will
divide user requests between different WFEs as well as provide failover functionality in case
one of the web front end servers goes down. It is recommended to make sure the user
request sessions are “sticky”. This is done through the affinity attribute. It is not bad to have a
52%/48% load balancing where the sessions are “sticky”, meaning the users maintain
their connection to the same server throughout their browsing sessions. The reason is that
if there is a problem with one of the two servers, the problem will be much easier to define:
it would be reproducible on one machine but not on the other. If the sessions were
not “sticky”, however, the problem would just consist of intermittent outages with no
apparent cause.
Another issue with this type of load balancing is that it only provides load balancing for the
physical web front end. If one of the services no longer works it will not provide failover for
that. Only in the case that the entire web front end goes down will all traffic be redirected to
the other WFE.
4.6.2 High Availability
What is high availability? Availability is the degree to which a SharePoint environment is
perceived by users to be available. To ensure availability means to ensure that a system is
resilient, meaning that service-affecting incidents occur infrequently and that timely and
effective action is taken when they do. Availability strategies minimize the user perception
of planned and unplanned downtime.
One of the most common measures of availability is percentage of uptime expressed
as number of nines. This means the percentage of time that a given system is active and
working. For example, a system with a 99.999% uptime percentage is said to have five nines
of availability.
The following table correlates the number of nines to calendar time equivalents.
Uptime percentage    Downtime/day    Downtime/month    Downtime/year
95                   72 minutes      36 hours          18.26 days
99                   14.4 minutes    7 hours           3.65 days
99.9                 86.4 seconds    43 minutes        8.77 hours
99.99                8.64 seconds    4 minutes         52.6 minutes
99.999               0.86 seconds    26 seconds        5.26 minutes
There are several options to achieve these values within a SharePoint environment. They go
hand in hand with load balancing configurations.
SharePoint handles high availability through the use of multiple servers for the same role (i.e.
using multiple WFEs, application servers, query components, SQL clustering).
High availability is a large factor in determining the Farm topology and structure during the
deployment planning stages of creating a SharePoint infrastructure. High availability largely
depends on the number of servers in the farm. There are however a few best practices that
can easily be monitored in an already existing farm:

Ensure that Central administration is enabled on multiple servers (usually servers with
the application server role): Redundancy for central administration is both supported
and a best practice recommended by Microsoft.

Check the theoretical failover configuration based on the farm topology. Test it in
practice and see if there are any issues regarding the failover configuration.

Search Index server redundancy cannot be achieved by installing the index role on
multiple servers. To overcome the loss of an index server you will need to reinstall the
server and either restore from a backup or rely on slightly stale results while the
search service recrawls the content.

SharePoint itself is not aware of SQL Server mirroring. While definitely recommended
and supported as an availability technique, doing so requires additional automation
configurations.

Inquire if the customer meets his uptime requirements.

Check the procedure that is followed when downtime does occur.
Another important aspect on this matter is backup and disaster recovery configuration.
These topics are discussed further on in this document.
4.7 Security
Security is a very important aspect for any enterprise. SharePoint in particular can be quite a
handful to optimally secure. What makes security so challenging is that SharePoint is a
monolithic product that tries to be a large number of things for a large number of people. It
is a web application, but also a collaboration tool, document server or even a development
framework. The abstract and highly customizable nature of SharePoint and its components
are what make it tough to secure.
There is no magical solution to securing SharePoint for every customer. Every SharePoint
deployment is unique, so a one-size-fits-all solution just isn’t available. There are however a
few basic things that can be checked for every deployment.
4.7.1 Account setup
One of the biggest security mistakes administrators make when deploying a SharePoint farm
is that they don’t properly configure the service accounts. There are several points during
deployment and configuration where you are asked to provide a service account (this is true
for SharePoint 2007, and there are a lot more in SharePoint 2010). Administrators all too
often create a single service account and use it throughout the entire installation and
configuration process. Although the resulting farm can be functional, it is not a best practice
from a security standpoint.
The problem is that whenever you provide SharePoint with a service account, the designated
account is granted rights to perform the task at hand. SharePoint provides the account with
just enough permissions to do its job, nothing more. But if you use the same service account
multiple times throughout the deployment process, you end up with an account with
excessive permissions because it receives additional rights each time you use it. Someone
could then run code on a SharePoint server that exploits these excessive rights and gain
control over the server.
System Accounts
The general guidelines in terms of accounts to use are the following:
For SharePoint 2007:

Setup account: The account SharePoint will use during the installation of any binaries.

Farm Administrator Account: The main administrator account of the SharePoint farm.

Database Access Account: The account SharePoint will use to communicate with the
SQL Server database.

Search Service Account: The account that will write index files and replicate that
information to the query servers.

Content Access Account: The account used to crawl content.

Application Pool Service Account: worker processes within IIS use this account. Web
applications within the pool must have a way of accessing SharePoint content
databases, and the Application Pool Identity account facilitates this process.

SQL Server Service Account: dedicated account for servicing SQL.
For SharePoint 2010:

Setup Account: The account SharePoint will use during the installation of any
binaries.

Farm Administrator Account: The main administrator account of the SharePoint farm.

SQL Server Service Account: dedicated account for servicing SQL.

Service application accounts: Every separate service application that requires an
application pool should have a separate account.

Search Admin Account: dedicated account for the administration component of the
Enterprise Search Service application.

Search Query Account: dedicated account for the query component of the Enterprise
Search Service Application.

Search Service Account: The account that will write index files and replicate that
information to the query servers.

Default Content Access Account: The account used to crawl content.

Web application accounts: Every web application with its own application pool should
have its own account.

User Profile Sync account: When this service is used, there should be a separate
account for the syncing of data.
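Account reuse of the kind described in this section shows up when every service and application pool identity is listed against the purpose it serves. The following is an added example, not part of the original assessment method: the Purpose labels, the function name and all account names are constructed for illustration.

```powershell
# Added example. Purpose is a label chosen for this example: one value per account
# role from the lists in section 4.7.1. All account names below are constructed.
function Find-SharedServiceAccount {
    param([Parameter(Mandatory = $true)] [object[]] $Usage)  # Component, Purpose, Account

    # Group by account name, ignoring case and surrounding whitespace.
    $Usage | Group-Object { $_.Account.Trim().ToLower() } | ForEach-Object {
        $group    = $_
        $purposes = @($group.Group | ForEach-Object { $_.Purpose } | Sort-Object -Unique)

        # An account serving more than one purpose accumulates the rights of each.
        if ($purposes.Count -gt 1) {
            New-Object PSObject -Property @{
                Account    = $group.Name
                Purposes   = ($purposes -join ', ')
                Components = (@($group.Group | ForEach-Object { $_.Component }) -join '; ')
            }
        }
    }
}

# Constructed inventory. The timer service and the Central Administration pool both
# run as the farm account, so they share the single purpose "Farm".
# On a live farm the account columns can be collected with:
#   Get-WmiObject Win32_Service | Select-Object Name, StartName
#   Get-SPWebApplication -IncludeCentralAdministration |
#       Select-Object Name, @{ n = 'Account'; e = { $_.ApplicationPool.Username } }
#   Get-SPServiceApplicationPool | Select-Object Name, ProcessAccountName
$inventory = @'
Component,Purpose,Account
Service SPTimerV4,Farm,CONTOSO\sp_farm
App pool Central Administration,Farm,CONTOSO\sp_farm
App pool Portal,WebApp:Portal,CONTOSO\sp_pool
App pool MySites,WebApp:MySites,contoso\SP_Pool
Service OSearch14,Search,CONTOSO\sp_farm
Default content access,ContentAccess,CONTOSO\sp_crawl
Service MSSQLSERVER,SQL,CONTOSO\sql_svc
'@ | ConvertFrom-Csv

Find-SharedServiceAccount -Usage $inventory |
    Format-List Account, Purposes, Components
```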
SharePoint Permissions
A great security innovation in SharePoint that was introduced with the release of SharePoint
2007 is the so-called “fine-grained permissions”. Permissions can be set down to a very deep
level, as far as list items within the SharePoint farm. Check if the permissions are set
correctly, and if any custom-created permissions exist, define their purpose.
4.7.2 Authentication
Authentication is the process of validating a user’s identity. After a user’s identity is validated,
the authorization process determines which sites, content and other features the user can
access. Authentication modes determine how accounts are used internally by SharePoint
Server 2010 and are an important part of infrastructure security.
A number of authentication methods are supported by SharePoint. A few differences occur
between SharePoint 2007 and SharePoint 2010. The overview below should clarify these
differences. Verify which ones are used by the customer and compare them with security
policies and requirements.
Windows based authentication
The standard IIS Windows authentication methods are supported.
Examples:

NTLM

Kerberos

Anonymous Access

Basic

Digest

Note that at this time, Windows Certificate Authentication is not supported in SharePoint
2010.
Forms-based authentication
SharePoint adds support for identity management systems that are not based on Windows
by integrating with the ASP.NET forms authentication system. ASP.NET authentication
enables SharePoint to work with identity management systems that implement the
MembershipProvider interface. You do not need to rewrite the security administration pages
or manage shadow Active Directory DS accounts.
Examples:

Lightweight Directory Access Protocol (LDAP)

SQL Database or other relational database system.

Custom or third party ASP.NET based membership and role providers
Web Single Sign-On (SSO)
The third and final authentication method, this one is unique to SharePoint 2007 (it is
replaced by its successor in SharePoint 2010). Office SharePoint Server 2007 supports
federated authentication through Web SSO vendors. Web SSO enables SSO in environments
that include services running on disparate platforms. You do not need to manage separate
Active Directory accounts.
Examples:

Active Directory Federation Services (AD FS) 2.0

Other identity management systems.
SAML token-based authentication
This is the SharePoint 2010 version of the Web Single Sign-On authentication method from
SharePoint 2007. It supports the same things with the addition of all SAML token based
identity providers.
Examples:

Active Directory Federation Services (AD FS) 2.0

Third party identity providers

Lightweight Directory Access Protocol (LDAP)

Classic or Claims-based authentication
SharePoint Server 2010 introduces claims-based authentication, which is built on Windows
Identity Foundation (WIF). You can use any of the supported authentication methods with
claims-based authentication. Or, you can use classic-mode authentication, which supports
Windows authentication only.
When you create a Web application, you select one of the two authentication modes to use
with the Web application, either claims-based or classic-mode.
If you select classic-mode, you can implement Windows authentication and the user
accounts are treated by SharePoint Server 2010 as Active Directory Domain Services (AD DS)
accounts.
If you select claims-based authentication, SharePoint Server 2010 automatically changes all
user accounts to claims identities, resulting in a claims token for each user. The claims token
contains the claims pertaining to the user. Windows accounts are converted into Windows
claims. Forms-based membership users are transformed into forms-based authentication
claims. Claims that are included in SAML-based tokens can be used by SharePoint Server
2010. Additionally, SharePoint developers and administrators can augment user tokens with
additional claims. For example, user Windows accounts and forms-based accounts can be
augmented with additional claims that are used by SharePoint Server 2010.
4.7.3 Firewall/Antivirus
Make sure a recognized firewall and antivirus system such as Microsoft Forefront is
installed and actively protects the SharePoint farm.
4.7.4 Naming conventions and Password Strength
A unified naming convention across the board and strong passwords are an optional part of
the assessment, but important for general infrastructure security nonetheless. Check the
naming conventions for accounts, content databases, application pools and URLs. Check the
(critical) passwords for their strength (uppercase, lowercase, numbers, and special
characters).
4.7.5 Microsoft Checklist
As a last checkup, Microsoft provides a checklist to see if the customer has a secure
SharePoint topology:
Server

The topology incorporates dedicated front end web servers.

Servers that host application server roles and database server roles are protected
from direct user access.

The SharePoint Central Administration site is hosted on a dedicated application
server such as the index server.
Networking

All servers within the farm reside within a single data center and on the same VLAN.

Access is allowed through a single point of entry, which is a firewall.

For a more secure environment on larger farms, the farm is separated into three tiers
(WFE/Application/Database) which are separated by routers or firewalls at each VLAN
boundary.
Architecture

At least one zone in each Web application uses NTLM authentication. (required for
search to successfully crawl content within the web application)

Web applications are implemented by using host names instead of the randomly
generated port numbers that are automatically assigned.

In a reverse proxy environment, consider using the default port for the public facing
network while using a non-default port on your internal network. This can help
prevent simple port attacks on your internal network that assume HTTP will always be
on port 80.

When deploying custom web parts, only trustworthy web parts are deployed within
web applications that host sensitive or secure content. This protects the sensitive
content against intra-domain scripting attacks.

Separate application pool accounts are used for central administration and for each
unique web application.
Operating system

Server OS is configured to use the NTFS file system.

Clocks on all servers within the farm are synchronized.
5 SQL Configuration
The SQL configuration is probably the most vital part of a SharePoint infrastructure with
regard to performance. Everything in SharePoint is in fact SQL in one way or another. Faulty
SQL configurations are often the biggest bottleneck in a SharePoint farm.
5.1 Content databases
Content databases in SQL Server are the core of SharePoint websites. Everything related to
configuration or content (aside from BLOB storage) is in some way connected to a
content database. Managing these content databases is one of the most important tasks in
maintaining a healthy SharePoint infrastructure. For optimal performance, several
limitations on these content databases, in terms of content and size, must be respected.
Microsoft provides a few guidance points in this regard, spread throughout TechNet:

Limit the size of content databases to 200 GB to help ensure performance; use
multiple content databases when necessary. Content database sizes up to 1 TB are
supported in SharePoint 2010, but only for large, single-site repositories and archives
with non-collaborative I/O and usage pattern such as Records Centers. Larger
database sizes are supported for these scenarios because their I/O patterns and
typical data structure formats have been designed for, and tested at, larger scales.

A site collection should not exceed 100 GB unless it is the only site collection in the
database. Even then, it is often more performant to use a second content database in
conjunction with the first.

It is strongly recommended to limit the number of site collections in a content
database to 2000. However, up to 5000 site collections in a database are supported.
These limits relate to speed of upgrade: as the number of site collections exceeds
2000, you risk long downtimes when performing an upgrade, especially when
upgrading from SharePoint 2007 to 2010. If you plan to exceed 2000 site collections,
it is recommended to have a clear upgrade strategy and additional hardware to
speed up upgrades and software updates that affect database performance.

It is possible to set a warning level for the number of site collections in a content
database with the PowerShell cmdlet Set-SPContentDatabase and its
-WarningSiteCount parameter.

When SharePoint is configured to use RBS (Remote BLOB Storage) and the BLOBs
reside on NAS storage, consider the following boundary: From the time that
SharePoint requests a BLOB, until it receives the first byte from NAS, no more than 20
ms can pass.
Respecting the best practices for content databases, together with a solid SQL infrastructure
and organization, is the key to a well-oiled SharePoint farm.
Another important setting to take note of in this regard is the use of quota templates
for certain site collections. Check whether site collections that tend to grow in content have a
realistic quota template attached to them (My Sites and other site collections where users are
free to add content are good candidates).
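
The content database limits and the quota check from this section can be screened in one pass, as in the following added example (not part of the original assessment document). The function name Test-ContentDatabaseLimit and all sample figures are constructed for illustration; the commented block shows how to collect the same figures on a farm server, using DiskSizeRequired as the size figure.

```powershell
# Added example (not from the assessment document): compare content database
# figures with the limits listed in section 5.1.
# Test-ContentDatabaseLimit and the figures in $sample are constructed for illustration.
#
# On a farm server (SharePoint 2010 Management Shell) the input records can be built with:
#   $live = Get-SPContentDatabase | ForEach-Object {
#       $db = $_
#       New-Object PSObject -Property @{
#           Name      = $db.Name
#           SizeGB    = [math]::Round($db.DiskSizeRequired / 1GB, 1)
#           SiteCount = $db.CurrentSiteCount
#           Sites     = @(Get-SPSite -ContentDatabase $db -Limit All | ForEach-Object {
#               New-Object PSObject -Property @{
#                   Url     = $_.Url
#                   SizeGB  = [math]::Round($_.Usage.Storage / 1GB, 1)
#                   QuotaGB = [math]::Round($_.Quota.StorageMaximumLevel / 1GB, 1)  # 0 = no quota
#               }
#               $_.Dispose()
#           })
#       }
#   }

function Test-ContentDatabaseLimit {
    param(
        [Parameter(Mandatory = $true)]
        [object[]]$Database,
        [double]$MaxDatabaseGB = 200,   # recommended content database size
        [double]$MaxSiteGB     = 100,   # site collection size, unless it is alone in its database
        [int]$WarnSiteCount    = 2000,  # recommended number of site collections per database
        [int]$MaxSiteCount     = 5000   # supported number of site collections per database
    )

    foreach ($db in $Database) {
        $issues = @()

        if ($db.SizeGB -gt $MaxDatabaseGB) {
            $issues += "database is $($db.SizeGB) GB (recommended limit $MaxDatabaseGB GB)"
        }
        if ($db.SiteCount -gt $MaxSiteCount) {
            $issues += "$($db.SiteCount) site collections (supported limit $MaxSiteCount)"
        } elseif ($db.SiteCount -gt $WarnSiteCount) {
            $issues += "$($db.SiteCount) site collections (recommended limit $WarnSiteCount)"
        }

        foreach ($site in $db.Sites) {
            # The 100 GB guidance does not apply to a site collection that has the database to itself.
            if ($site.SizeGB -gt $MaxSiteGB -and $db.SiteCount -gt 1) {
                $issues += "$($site.Url) is $($site.SizeGB) GB and shares the database"
            }
            # A quota of 0 means no storage quota is attached to the site collection.
            if ($site.QuotaGB -eq 0) {
                $issues += "$($site.Url) has no storage quota"
            }
        }

        New-Object PSObject -Property @{
            Database = $db.Name
            Issues   = $issues
            Healthy  = ($issues.Count -eq 0)
        } | Select-Object Database, Healthy, Issues
    }
}

# Helpers that keep the constructed sample readable.
function New-SiteRecord($Url, $SizeGB, $QuotaGB) {
    New-Object PSObject -Property @{ Url = $Url; SizeGB = $SizeGB; QuotaGB = $QuotaGB }
}
function New-DatabaseRecord($Name, $SizeGB, $SiteCount, $Sites) {
    New-Object PSObject -Property @{ Name = $Name; SizeGB = $SizeGB; SiteCount = $SiteCount; Sites = $Sites }
}

# Constructed sample: one healthy database, one oversized collaboration database
# and one My Sites database with too many site collections and a missing quota.
$sample = @(
    (New-DatabaseRecord 'WSS_Content_Intranet' 85 12 @(
        (New-SiteRecord 'http://intranet.example/' 60 100))),
    (New-DatabaseRecord 'WSS_Content_Projects' 240 3 @(
        (New-SiteRecord 'http://projects.example/sites/a' 150 200),
        (New-SiteRecord 'http://projects.example/sites/b' 40 50))),
    (New-DatabaseRecord 'WSS_Content_MySites' 120 2600 @(
        (New-SiteRecord 'http://my.example/personal/user1' 2 0)))
)

Test-ContentDatabaseLimit -Database $sample | Format-List
```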
5.2 Backup/Restore
When performing an assessment for a customer, there is a good chance that the customer will
already have a backup and restore policy and a software implementation in place. Very often
this will be a third-party backup solution, or the default backup
software provided by SharePoint and SQL Server. It is very important in the assessment
process to check the backup/restore process for the SharePoint infrastructure with the
customer.
When using the SharePoint built-in backup system, remember that it can only restore content
to the database. Granular recovery is also not possible using the default backup procedure.
Note that backup is a very popular topic with customers. Backing up information is often an
enterprise-critical procedure and its weight should not be underestimated.
5.3 Disaster recovery
The next step after the backup/restore procedure: does the customer have any system in place
for disaster recovery in case the farm goes down? How is this handled and how can it be
improved?
Compare the customer's disaster recovery procedure (and any exercises or
actual occurrences) to the SLAs.
6 SharePoint configuration
The core part of the Risk and Health Assessment project is of course to supply the customer
with a full analysis of their SharePoint infrastructure. The configuration of the
SharePoint farm (WFEs and application servers) is the heart of the entire infrastructure. The
topics discussed in this section are a bit more specific and detailed. Large performance issues
will probably not be caused by the items in this section (with the exception of the search service
application), but a lot of small performance tweaks in this section can increase SharePoint
site performance significantly.
6.1 SharePoint information
6.1.1 Prerequisites
Check that everything on the most recent list of prerequisites for SharePoint is installed
and fully functional.
For SharePoint 2010:

Web server IIS role

Application Server IIS role

Microsoft .NET framework 3.5 SP1

Microsoft Sync Framework Runtime 1.0 (x64)

Microsoft Filter Pack 2.0

Microsoft Chart Controls for the Microsoft .NET Framework 3.5

Windows PowerShell 2.0

SQL Server 2008 Native Client

Microsoft SQL Server 2008 Analysis Services ADOMD.NET

ADO.NET Data Services Update for .NET Framework 3.5 SP1

Hotfixes

Windows Identity Foundation (Note: If Microsoft “Geneva” framework is installed, you
need to uninstall this before installing WIF)
6.1.2 Version
Check the current version, CUs and SPs, and whether these are consistent across all servers in the farm.
This also includes Microsoft Office installations and the product versions of any custom tools (Visual
Studio, WSP Builder, etc.). It should also include language packs and things like the
Adobe iFilter.
6.2 Configuration
SharePoint has a lot of settings that can be configured individually through the central
administration web application. Checking these configurations is a necessary step in finding
the cause of any performance issues and in seeing whether the customer's farm is compliant with best
practices.
6.2.1 General
This section includes a number of general settings that should be checked through central
administration.

Check if any services that should be running are stopped.

If the configuration wizard was used in the creation of the farm, double-check account
usage and application pool identities, as well as content database naming
conventions.

Check site collection settings such as security, self-service and quota templates.

Check database settings in application management.

Check incoming/outgoing email settings and possibly SMS settings.

Check alternate access mappings and their corresponding DNS and IIS settings.

Check the farm, web application and site collection features that are enabled. Report
any custom developed solutions or sandboxed code.

Review Timer Job history and status.

Double check reporting settings, warning level and log storage location.

Check SharePoint user groups and look for any irregularities.

Check managed accounts.
6.2.2 Service Applications
This section is specifically meant for SharePoint 2010 infrastructures. Individual service
applications should only be checked if they are applicable to the customer's SharePoint farm.
The Search service application is handled separately.
Excel Services
Ensure that the Service application is created, has a proxy and is configurable. Check the
application pool used and if it was created with a separate account. Check if the Excel
Calculation Services service is started (Manage services on server). Test the functionality in an
example page.
Business Data Connectivity Services
Ensure that the Service application is created, has a proxy and is configurable. Check the
application pool used and if it was created with a separate account. Check if the Business
Data Connectivity service is started (Manage services on server). Test the functionality in a
production page.
Limitations:

A maximum of 5000 External content types can be loaded into memory at any given
point.

A maximum of 500 active external system connections is allowed (default maximum
value is 200)

The database connector can return a maximum of 2000 items per request.
Metadata Service
Ensure that the Service application is created, has a proxy and is configurable. Check the
application pool used and if it was created with a separate account. Check if the Managed
Metadata Web service is started (Manage services on server). Check if the Farm
Administrator account has been added as an administrator for the managed metadata
service application. Test the functionality of the Term store.
Limitations:

Terms in a term set are represented hierarchically. A term set can have up to 7 levels
of nesting in its terms.

You can have up to 1000 term sets in a single term store.

30.000 is the maximum number of terms per term set

The total number of items in a term store is 1.000.000: an item is either a term or a
term set. The sum of the number of terms and term sets cannot exceed 1.000.000.
PerformancePoint Service
Ensure that the Service application is created, has a proxy and is configurable. Check the
application pool used and if it was created with a separate account. Check if the
PerformancePoint service is started (Manage services on server). Test the functionality in a
production page.
Limitations:

A PerformancePoint scorecard that calls an Excel Services data source is subject to a
limit of 1.000.000 cells per query.

The maximum number of columns and rows when rendering any PerformancePoint
dashboard object that uses a Microsoft Excel workbook as a data source is 15
columns by 60.000 rows.

The maximum number of columns and rows when rendering any PerformancePoint
dashboard object that uses a SharePoint list as a data source is 15 columns by 5000
rows.

The maximum number of columns and rows when rendering any PerformancePoint
dashboard object that uses SQL Server table as a data source is 15 columns by 20.000
rows.
User Profile Service
Ensure that the Service application is created, has a proxy and is configurable. Check the
application pool used and if it was created with a separate account. Check if the User Profile
service and the User Profile Synchronization service are started (Manage services on server).
Check and ask about the infamous “stuck on starting” problem in the history of this service
application. Test the functionality by browsing to your My Site profile and by creating new
content there.
Limitations:

SharePoint 2010 supports up to 2.000.000 unique user profiles per service
application.

SharePoint 2010 supports up to 500.000.000 total social tags, notes and ratings
combined.
Secure Store Service
Ensure that the Service application is created, has a proxy and is configurable. Check the
application pool used and if it was created with a separate account. Check if the Secure Store
service is started (Manage services on server). Test if the master key was created successfully.
Visio Services
Ensure that the Service application is created, has a proxy and is configurable. Check the
application pool used and if it was created with a separate account. Check if the Visio service
is started (Manage services on server). Test the functionality on a production page.
Limitations:

The maximum file size of Visio web drawings is 50 MB.

The web drawing recalculation time-out is 120 seconds.

Visio Services cache age must be between 0 and 24 hours.
Word Viewing Services
Ensure that the Service application is created, has a proxy and is configurable. Check the
application pool used and if it was created with a separate account. Check if the Word
viewing service and the word automation service are started (Manage services on server).
Test the functionality on a production page.
Limitations:

The maximum file size that can be processed by Word Automation Services is 512
MB.
Usage and Health Data collection service
Check if the service is started and see if the Health Analyzer is gathering data correctly.
6.2.3 Search
The search service is another very popular topic amongst customers, and one that is prone to
performance degradation. It is one of SharePoint’s most powerful features if used correctly. There are,
however, a few possible performance issues that need to be taken into account.
Gather data
The first step in assessing the customer's search service is creating an overview of the current
configuration components. Most of this data can be found through the central
administration site in the Search service application settings:

Physical architecture: Index, Query and Crawl server distribution/redundancy/load
balancing.

Search Scope: what SharePoint sites and web applications are crawled?

Search usage: how many queries does the query server receive?

Crawl timing: How are incremental and full crawls distributed amongst content
sources?

Content sources: What content is defined in which content source?

PDF Searching: Check if the Adobe PDF iFilter is installed and configured correctly on
all servers. See if the search application finds a PDF, and displays the correct icon.

Document any customer specific search issues.
Best Practices
Once you have gathered the customer's search data, you can check for any irregularities or
recommendations to increase performance. Screen the data you gathered against the Microsoft
best practices for Search in SharePoint, found below.
1. Start with a well-configured infrastructure.

Deploy two or more query servers for increased availability.

Use separate computers to run SQL Server for content databases and the
Shared Services Provider or Search Service application.

Use File groups to separate the query and crawl tables in the search database

Use a gigabit network for intra-farm connections.
2. Manage access by using Windows security groups.
It is recommended that you add users to Windows security groups instead of adding users
to SharePoint groups for the following reasons:

Changes to Windows security groups do not directly affect the access control entries
(ACEs) on SharePoint sites; you do not have to crawl again when user accounts within
those Windows security groups are changed.

During the indexing process, the system stores the ACE of each user who has been
added to a SharePoint group instead of the ACE of the SharePoint group itself. This
process supports approximately 1000 users per access control list (ACL), after which
the “Parameter is incorrect” error causes crawling to fail.
3. Defragment the database.
The search database contains metadata and ACLs of crawled content. Over a series of crawls,
the search database can become fragmented. To improve performance of crawls and
queries, periodically defragment the search database.
Important: If you are mirroring the computers that run SQL Server, turn mirroring off before
defragmenting the search database and turn it back on after defragmentation is completed.
4. Always keep your system updated
5. Monitor SQL Server latency
Search is I/O intensive for SQL Server and is sensitive to I/O latencies on the Temp database
and Search database. Both search and content hosting make heavy use of the Temp
database. We recommend that you keep the Search database, SSP database, Temp database,
content databases, and their corresponding log files all on separate spindles. This lets you
optimize each file, depending on its specific needs. For very large server farms it is also a
good idea to separate the content databases onto separate computers that are running SQL
Server. Doing so provides the Search and SSP databases with a different Temp database and
instance of SQL Server than the content databases. For best search performance, it is
recommended to maintain the following latencies:

10ms or less for the Temp database

10ms or less for the Search database

20ms or less for the database log file
6. Monitor to prevent search starvation
Search starvation occurs when the crawler cannot allocate another thread to retrieve the next
document in the crawl queue. Starvation can be caused by a number of things:

Resource (I/O) contention on the computer that is running SQL Server.

Too many hosts are being crawled at the same time

“Hungry” hosts that do not quickly relinquish a thread. “Hungry” hosts include the
following:

    Slow hosts: A host being crawled does not have the capacity to service all of
    the requests that the crawler is sending to it.

    Hosts requiring extra work for incremental crawls: Basic HTTP crawls are
    partially in this category because each document requires a round trip to the
    server, but the modified date is checked before downloading the document.

    Hosts and content that are rich in properties: Business data catalog, people
    import and people crawls.

Crawls that are paused when backups are being performed.
Should search starvation occur at the customer, the following 5 tips can help to resolve this:

Minimize the number of content sources you have. Group hosts of the same
repository type and of similar size into individual content sources. The intent here is
to reduce the overall count of crawls that your system will have.

Crawl your largest SharePoint data stores first.

Do not schedule more than one “Hungry” content source at a time.

Start with a minimum of 4 concurrent crawls. This is the starting point. After testing
this, determine if your system has the head-room to add additional concurrent
crawls.

If you reach a starved state it is best to pause your “hungry” crawls to let the
remaining crawls complete.
7. Monitor your system to understand query bottlenecks
8. Validate the search visibility setting for each crawled site
The standard best practices for optimizing sites and pages for search engines are equally
relevant for Web content management (WCM) sites in SharePoint deployments. A site or
page that is better optimized for search engines appears higher in the search results and will
help increase traffic to your site.
9. Manually pause crawls before initializing a query server or backing up a farm
10. Test the crawling and querying subsystems after making any configuration changes
We recommend that you test the crawling and querying functionality of your server farm
after you make configuration changes. An easy way to do this is to create a temporary
content source that is used only for this purpose. To test, we recommend that you crawl ten
items, for example .txt files on a file share, and then perform search queries on them. Make
sure that these items are not currently in the index. It is helpful if they contain unique words
that will be displayed at the top of the search results page when queried. After the test is
complete, we recommend that you delete the content source that you created for this test
because doing this removes the items that you crawled from the index. Therefore, they can
be crawled again when you want to perform this test and will not appear in search results
after you are finished testing.
11. Review your antivirus policy for crawled objects
When you use certain file-level antivirus software programs in Windows SharePoint Services
3.0, Office SharePoint Server 2007, or Search Server 2008, you should exclude certain folders
from being scanned. If you do not exclude these folders, you may experience many
unexpected issues.
12. If you have custom queries, mark appropriate properties as scope-able from the
crawled property UI so that they do not execute expensive SQL queries
Limitations
Like the other Service applications, the search service application has a number of limits that
need to be respected for optimal performance:

A maximum of 20 Search service applications per farm are supported.

A maximum of 10 crawl databases per search service application are supported, with
a maximum of 25.000.000 items per crawl database.

A maximum of 16 crawl components per search service application is supported

A maximum of 20 index partitions per search service applications is supported,
together with a total maximum of 128 index partitions.

A maximum of 10.000.000 indexed items per index partition is supported.

A maximum of (64 / <total # crawl components>) query components is
supported.

A maximum of 50 content sources per search service application are supported.

A maximum of 20 concurrent crawls is supported.

A maximum of 200 keywords per site collection is supported.

A maximum of 10.000 metadata properties per item crawled are recognized.

Once the customer's data has been compared, you should be able to generate a plan of
recommendations to increase search performance.
6.3 Software Limitations
There are a number of software-related limitations to SharePoint, and if not respected these
can lead to minor or even severe decreases in performance. See the list below:
6.3.1 Web application limitations

A maximum of up to 300 content databases per web application is supported

The number of zones defined for a farm is hard-coded to 5: Default, Intranet,
Extranet, Internet and custom.

A maximum of 20 managed paths per web application is supported.

The solution cache for the InfoPath forms service has a threshold of 300 MB per web
application. Exceeding this limit will greatly decrease response time.
6.3.2 Web server limitations

A maximum of 10 application pools per web server is supported
6.3.3 Site collection limits

A maximum of 250.000 web sites per site collection is supported.

A site collection should not exceed 100 GB unless it is the only site collection in the
database
6.3.4 List and Library limits

The default maximum file size is 50 MB. This can be extended up to 2 GB, however a
large volume of very large files can affect farm performance.

A maximum of 30.000.000 documents per library are supported.

A maximum of 400.000 Major versions is supported. When exceeded, basic file
operations such as saving or deleting may not succeed.

A maximum of 30.000.000 items per list are supported.

In a List view, a maximum of 8 join operations are allowed in a single query

The maximum number of items that can be returned by a list view query is 5000.

The interface for enumerating sub-sites of a given web site does not perform well as
the number of sub-sites surpasses 2000.

A maximum of 10 concurrent editors for any document is recommended.

The maximum number of unique security scopes for a list should not exceed 1000.
6.3.5 Page limits

A maximum of 25 web parts per wiki or web part page is recommended. This number
is an estimate based on simple web parts. The complexity of the web parts dictates
how many can be simultaneously used on a web page.
6.3.6 Security limits

The maximum number of SharePoint groups a user can belong to is 5000.

The maximum number of users in a site collection is 2.000.000

A maximum of 5000 users per SharePoint group is recommended

A maximum of 10.000 SharePoint groups is recommended.
6.3.7 Workflow limits

15 is the maximum number of workflows allowed to be executing against a content
database at the same time.
7 Server Health
This section handles the event log and the Health analyzer.
7.1 Event log
Check the customer's diagnostic logs on all servers for errors. If there are
errors or significant warnings, list them and handle them on an individual basis, determining
cause, impact and possible resolution.
7.2 Health Analyzer (SP 2010)
When assessing a SharePoint 2010 environment it is of critical importance to check all errors
and warnings generated through the Risk and Health analyzer tool built into SharePoint
2010. The errors generated here display a lot of information and often point to a possible
cause or resolution of the same issue. Note that some of these issues will be of no
importance due to certain design choices made by the customer. If this is the case, it is
possible to remove them by changing the health analyzer rules.
8 Web applications
If time permits within the assessment period, it can also be interesting to take a look at
general web site performance from an end-user perspective (this is not included in
Microsoft’s MOSSRAP program). There are a lot of free tools that are able to monitor website
load times and CSS/JavaScript performance. There are also several optimizations to CSS files
or web parts that are quite quick to perform.
8.1 Site depth
The structure of the site collections under each web application: overly complex site depth
and nesting can result in a decrease in performance. Check for extremes in site complexity
and depth and see if the situation can be restructured into a more performant template.
8.2 Performance & access times
This can easily be monitored with certain tools (some of them officially recommended by
Microsoft such as Aptimize).
8.3 Custom solutions
If there are any custom solutions with features or web parts running on the customer's
SharePoint environment, faulty code or incorrect usage of these can often cause high page
load times or even a decrease in farm performance. If you have access to the source code of
these solutions, one way to check this is to run the Dispose checking tool,
which verifies whether all objects used in the solution are disposed of correctly. Correct
disposal is vital for a well-coded solution; neglecting it can lead to high load times or
memory leaks.
9 Customer specific requests
Section for all questions or tasks requested by the customer.
10 Customer Deliverables
Define what the result of the project will be for the customer.
10.1 Assessment report
Detailed report containing concerns (both detailed and in chart form for management
presentations).
10.2 Remediation steps
An action plan (and possible follow-up projects for HP) to remediate the concerns
mentioned in the assessment report.