provtest AllAboutHMC.xml

HMC and Windows Hosting related matters. This blog will also include Microsoft Exchange Server 2010 Hosting Deployment.

SharePoint 2010... Multi-tenancy Support for Hosters - It is there if you want it.

SharePoint 2010... Multi-tenancy Support for Hosters - It is there if you want it.

  • Comments 10
  • Likes

To avoid overdose of Exchange, this weekend, I took some time to look at SharePoint 2010 and just to see how much has changed since the SharePoint version we used in HMC 4.5.

In HMC 4.5, we used Windows SharePoint Services 3.0 SP1. I blogged about this back in January 2009. It is here if you are interested, HMC 4.5 and Windows SharePoint Services 3.0 SP1 (http://blogs.technet.com/b/provtest/archive/2009/01/14/hmc-4-5-and-windows-sharepoint-services-3-0-sp1.aspx). In that article, I spoke about 3 main things that HMC did to introduce multi-tenancy support in WSS 3.0. The 3 main things are,

  • Site Isolation - Each company should only be allowed to see and access their own site. It must able to cater for different domain-named sites, such as http://sharepoint.alpineskihouse.com, http://teamsite.contoso.com instead of everyone having a common site name like http://www.serviceprovider.com/sites/<sitename
  • Site Administration Isolation - Each company should only be allowed to manage their own site
  • User Isolation - Each company should only see their own users.

At the end of the article, as you could see, unlike Hosted Exchange, there were really very little HMC needs to do to change WSS to provide multi-tenancy support in SharePoint. Of course, there were many things could have been done much better but in a nutshell, WSS 3.0 itself is capable of multi-tenant support already without much customization.

In my earlier post, I recommended those who are interested in to take a look at the diagram as posted by Microsoft. It is here in case you missed it, Hosting Environment for SharePoint 2010 Products? (http://blogs.technet.com/b/provtest/archive/2010/06/24/hosting-environment-for-sharepoint-2010-products.aspx). Now, there are also another set of documents that you should look at, they are the Dynamic Data Center Toolkit for Hosters. The link is here,

Dynamic Data Center Toolkit for Hosters (http://code.msdn.microsoft.com/Release/ProjectReleases.aspx?ProjectName=ddc&ReleaseId=4297)

The above, you will find the document very similar to those in the HMC walk through but for SharePoint 2010 and it will have steps and scripts (primarily Powershell) on how you create site isolation, site administration isolation and user isolation.

Of course, it does more than that. It provides better explanation also described various way you can deploy customer sites to a SharePoint farm. Such as you can do the following,

  • Dedicated application pool and Web application
  • Shared application pool and dedicated Web application
  • Shared Web application
  • Authenticated sites
  • Unauthenticated sites

It also provided better guideline such as,

  • Use a dedicated Application Pool per customer only if needed to satisfy requirements for isolation.
  • Use dedicated Web applications for tenants that require customizations that affect resources that are shared across a Web application, such as the Web.config file.
  • When combining multiple tenants in a single Web application, use a dedicated Web application for all authenticated content and a separate dedicated Web application for all anonymous published-content. This will require two separate subscriptions IDs for tenants with both types of content. This will also simplify licensing.
  • Do not allow full-trust code to be deployed to sites. Do not allow customizations that affect shared resources, such as the Web.config file.
  • Use host-named site collections to create multiple root-level site collections (domain-named sites) within a Web application.
  • If any tenant must span to more than 1 database, they must be the ONLY tenant in all those databases (so dedicated databases.
  • If any tenant must span to more than 1 database, they must be the ONLY tenant in all those databases (so dedicated databases)

It provides architecture option you can choose for your hosting environment. It also provides architecture guideline on how to scale out a hosted environment for your Services farm, Search farm and Tenant content farms. It provides information how one should design their Active Directory and SharePoint 2010 also introduces some new concept like managed accounts, proxy groups, business data catalog and etc. The underlining tenant provisioning hasn't changed much though. It still uses host header concept and for people picker, it still uses user account directory path concept. The Powershell script works pretty well for me for most parts, it even included some stuff that you don't really need in production environment such as putting some entries in the HOST file.

Here is the summary of multi-tenant setup steps (which I am not going to go into each of them in detail because the document has all the needed explanations). It is assumed that the server has been installed and setup,

  • Setting up the multi-tenant environment
    • Step 1: Create Managed Account
    • Step 2: Create Proxy Group
    • Step 3: Create Site Subscription
    • Step 4: Create Site Subscription Feature Packs
    • Step 5: Create Managed Metadata
    • Step 6: Create User Profile
    • Step 7: Create Business Data Catalog
    • Step 8: Create Secure Store
    • Step 9: Create Search Application
  • Tenant Provisioning
    • Step A: Create New Site Subscription
    • Step B: Assign Feature Pack to Site Subscription
    • Step C: Create Site Collection
    • Step D: Set Site User Account Directory Path 

Follow the above through, you should be able to create a SharePoint Site for your tenant organization like me like the following,

And the Admin site for your tenant organization,

The above are pretty straightforward. There is really one thing I like to highlight here which is Step D: Set Site User Account Directory Path. In this step, you are supposed to set the path to the Tenant organization OU. In the SharePoint document, you will find they recommended the AD to be designed in the following,

Doesn't the above look familiar? Now, the question comes in is that what happen when I introduce Exchange Server 2010 SP1 into the mix? Exchange itself provision the organization OU into a specific OU, which is, OU=Microsoft Exchange Hosted Organizations like the following,

Well, it means, if you are providing both Hosted Exchange and Hosted SharePoint, you may want to first create the OU using the Exchange cmdlet first and then when you perform Step D, just set it to the appropriate path like the following,

stsadm -o setsiteuseraccountdirectorypath -path "OU=ProvTest, OU=Microsoft Exchange Hosted Organizations,DC=FABRIKAM,DC=com" -url http://intranet.

I strongly recommend you to download the documents, go through the steps, the Powershell and get yourself familiarized with it. The concept hasn't changed tremendously from WSS 3.0 but obviously, the product has grown much more matured and it is being developed, like Exchange Server 2010 SP1, with hosters in mind.

Comments
  • Hello,

    This command : "stsadm -o setsiteuseraccountdirectorypath -path "OU=ProvTest, OU=Microsoft Exchange Hosted Organizations,DC=FABRIKAM,DC=com" -url http://intranet." works with SharePoint Foundation ?

    SharePoint foundation support multi-tenant organization like SharePoint server 2010 ?

  • Hi Jack,

    To be honest with you, I haven't run this or tested this before in SharePoint Foundation, so I really am not too sure about this.

    I would say this though, Server will probably suits you better as a hoster more so than Foundation. If you are doing hosting, you probably want to make sure you can host as many customers as possible on each server and at the same time has the level of scalability, so, my recommendation is to go with SharePoint Server rather than Foundation.

    Make sense?

    Kip

  • Yes, I agree with kip.ng, SharePoint server 2010 is better than foundation. Sharepoint server has many features than foundation. And I have try SharePoint server with http://www.asphostportal.com. And everything looks very great. I started from their MOSS silver hosting, cheaper than the other.

  • Hi Kip, great post!  I was trying to figure this one out.  Out of curiosity though, if a user is created as a hosted SharePoint user first and then becomes a hosted Exchange customer, would it be possible to create the Exchange Hosted organization and then move the AD objects from the SharePoint Hosted Organizations in to there, then perform your updated command?  We have two clients that are likely to go CRM and SharePoint first, before going Exchange at a later date so this will be an issue for us further down the track.

    Jason.

  • Hi,

    Jason: I think it wont hurt your Sharepoint users when you move them in AD. I tested it few months ago, and it worked without any problem. In my view, Sharepoint doesn't care where the user is, it stores user's Domain\samAccountName in Sharepoint Database.

    Regards,

  • Hi Kip,

    Currently we are offering Hosted exchange solution on exchange 2007 (HMC)

    Now we are adding up few more services like Hosted SharePoint foundation and Lync 2010.

    With the help of custom designed control panel we are able to host Exchange 2010 sp1 along with Lync 2010

    Unfortunately I am totally new to SharePoint and could not able to get step by step guide or documentation on SharePoint foundation hosting.

    I request you to please guide us or share some document links to build SharePoint site and host tenant organizations with proper isolation.

    Shashank K.

  • i have tried several times and can not get this to work. kip can you tell us how you did it on the sharepoint 2010 server version?

  • Hi Kip Ng,

    Great article, thanks.

    I've got one question.  i've got a sharepoint site going and working well.  Can i simply run the command above to create a site locked down to that OU used in Exchange???

    Hope so as really keen and i'm using enterprise version not foundation.

    Cheers, and thanks again.

    pjmartins

  • Everything is extremely open and quite clear explanation of concerns. that is  truly data for the my ideas.... Your site

    is really useful. Many thanks for sharing.

  • oes a multi tenant SharePoint web application stores user accounts on "child" websites or in the root web?

    I need to provide forms authentication at this multi tenant web application but the users can't be shared between "child" websites and if the user types the root web url, he must be redirected to the "child" website he has permissions (when logging in). Is it possible?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment