Bill Baer

Microsoft Case Studies: Coca-Cola Enterprises and Microsoft Online Services

Recently posted:  A Microsoft Case Study examining Microsoft Online Services and Coca-Cola Enterprises.

Read more about this Microsoft Case Study here:  Coca-Cola Enterprises Tackles Competition with Microsoft Online Services

To read more Microsoft Online Services case studies visit https://partner.microsoft.com/40090617 or to learn more about Microsoft Online Services visit http://www.microsoft.com/online/default.mspx.

Quota Templates and Powershell

Continuing the series using Powershell and Microsoft SharePoint Products and Technologies, this weeks script sample illustrates how Powershell can be leveraged to programmatically provision Quota Templates in Windows SharePoint Services 3.0 and/or Microsoft Office SharePoint Server 2007.

Instructions

1. Copy the source below into somefile.ps1.
2. Copy the Xml source in QuotaTemplates.xml.
3. In the Windows Powershell console call ./somefile.ps1

Source

#-------------------------------------------------------------------------------
# Function:    main
#
# Description:    Main entry point for the script.  Loads the configuration source
#        Xml and initializes the foreach loop to iterate over a
#         collection of Xml nodes.
#
# Parameters:    None
#-------------------------------------------------------------------------------

function main()
{
  [xml]$cfg = Get-Content .\QuotaTemplates.xml

  if( $? -eq $false ) {
    Write-Host "Cannot load configuration source Xml $cfg."
    return $false
  }

  $cfg.Configuration.QuotaTemplates.QuotaTemplate | ForEach-Object {
    new-QuotaTemplates( $_ )
  }
}

#-------------------------------------------------------------------------------
# Function:     new-QuotaTemplates
#
# Description:     This script enables you to do programmatically what you can do
#         manually through the user interface in the SharePoint Site
#         Management section on the Central Administration Quota
#         Templates page.
#
# Parameters:     None
#-------------------------------------------------------------------------------

function New-QuotaTemplates( [object] $cfg )
{
  [Void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Sharepoint")

  $webService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
  $quota=New-Object Microsoft.SharePoint.Administration.SPQuotaTemplate

  $quota.Name = $cfg.Name
  $quota.StorageMaximumLevel = $cfg.StorageMaximumLevel
  $quota.StorageWarningLevel = $cfg.StorageWarningLevel

  $webService.QuotaTemplates.Add($quota);

  $webService.Update();
}

main

Source Xml

<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <![CDATA[SPQuotaTemplate (Microsoft.SharePoint.Administration)]]>
  <QuotaTemplates>
    <QuotaTemplate Name="2GB">
      <StorageMaximumLevel>2097152000</StorageMaximumLevel>
      <StorageWarningLevel>1887436800</StorageWarningLevel>
    </QuotaTemplate>
    <QuotaTemplate Name="3GB">
      <StorageMaximumLevel>3145728000</StorageMaximumLevel>
      <StorageWarningLevel>2936012800</StorageWarningLevel>
    </QuotaTemplate>
    <QuotaTemplate Name="4GB">
      <StorageMaximumLevel>4194304000</StorageMaximumLevel>
      <StorageWarningLevel>3670016000</StorageWarningLevel>
    </QuotaTemplate>
    <QuotaTemplate Name="5GB">
      <StorageMaximumLevel>5242880000</StorageMaximumLevel>
      <StorageWarningLevel>4718592000</StorageWarningLevel>
    </QuotaTemplate>
    <QuotaTemplate Name="10GB">
      <StorageMaximumLevel>10485760000</StorageMaximumLevel>
      <StorageWarningLevel>9961472000</StorageWarningLevel>
    </QuotaTemplate>
    <QuotaTemplate Name="100GB">
      <StorageMaximumLevel>104857600000</StorageMaximumLevel>
      <StorageWarningLevel>99614720000</StorageWarningLevel>
    </QuotaTemplate>
  </QuotaTemplates>
</Configuration>

Interesting find on Event Id’s 3760 and 5586…

I was recently asked to look at an issue in which SharePoint would intermittently drop its connection to SQL.  Taking the typical course of action, I started looking at the Application Event Logs, Trace (ULS) logs, etc.  I noticed in the Application Event Logs event Id 3760 and 5586 occurred every hour on the hour.  The initial event Id 3760 indicated authentication issues, the Domain Controllers did not see issue that corresponded to the events reported by SharePoint; Scalable Networking Pack Features, MaxConcurrentAPI, etc. settings looked clean across the machines as well, event Id 5586 immediately followed event Id 3760.

I did some research and came across Todd Carter’s post and considered IPSec as a potential problem, ran IPSec diagnostics, and eventually after parsing the diagnostic logs ruled out IPSec as a potential cause.  While walking through the environments' configuration I noticed a SQL Server Connection Alias was implemented on the SharePoint WFE and application servers.  Typically a Connection Alias is used when an administrator would like to redirect a SQL connection with the existing SQL Server to another SQL Server instance on any machine or more commonly make a connection to a SQL Server using a specific protocol (e.g. TCP, Named Pipes, etc) with specific parameter (e.g. TCP port, pipe name), the database design consisted of two (2) SQL servers in a Database Mirroring architecture so the implementation of a Connection Alias was expected. 

While checking the information in the SQL Server Client Network Utility I noticed that the option to dynamically determine port was selected, since the SQL server instance was configured to listen on 1433 and not an alternative port, I configured the fixed port and protocol in the Client Network Utility.  NOTE When no port number is stored for the alias entry the DBNETLIB attempts to contact the server through a known UDP port to obtain the correct connection information to establish the connection.   After configuring the connection parameters to use the fixed port of 1433 the issue subsided.  Going back to the failures, parsing Trace Log data, the connectivity drops appeared to correlate to the execution of built-in Timer Jobs which taking the dynamic port detection into account seems to have been the cause of the problem.

HA/DR Whitepaper

I missed this one, but better late ….

A new whitepaper has been released outlining configuring disaster recovery across SharePoint farms by using SQL Server log shipping – read more…

Windows Rights Management Services, Microsoft SharePoint Products and Technologies, and Forest Boundaries

I recently was asked about the possibility of implementing Windows Rights Management Services with Microsoft Office SharePoint Server 2007 in a resource forest, or otherwise, the Microsoft Office SharePoint Server 2007 deployment was in a forest other than that where the users reside (login forest).  In this particular scenario, a one-way non-transitive trust was implemented, which provided an isolation boundary between the resource and login forest.

Microsoft Office SharePoint Server 2007 is generally supportive of the resource forest concept (see posts tagged Cross-Forest Hosting) however, with the Windows Rights Management Services (RMS) cluster in a forest other than that of the resource forest, problems will surface in that SharePoint will need to obtain a RMS user certificate / RAC (from the /_wmcs/certification pipeline) that is trusted by the RMS Licensing pipeline(s) configured in SharePoint 3.0 Central Administration – as a result there are two (2) requirements during the certification process that Microsoft Office SharePoint Server 2007 is unable to support when the RMS cluster resides outside of the resource forest:

1. Authentication
2. Boundaries

Authentication

Since Microsoft Office SharePoint Server 2007 is deployed in the resource forest, the identities associated with the individual IIS application pools are also most likely identities derived from the resource forest.  Those identities are not valid in the login forest because the one way trust is the wrong way in this particular scenario.

Boundaries

The RMS certification service can only issues certificates to identities from the same forest as the RMS cluster.

Possible Solutions

Deploy an RMS certification cluster in the resource forest and configure the RMS server in the login forest to trust the user certificates issues from this server or optionally (haven’t tested this theory ;-)), implement identities for the IIS application pools from the login forest.

The result of an implementation that does not meet the requirements of RMS will be presented in the Event Log on the front-end Web servers as:

Event Type:        Error

Event Source:    Windows SharePoint Services 3

Event Category:                IRM

Event ID:              5058

Date:                     6/10/2009

Time:                     8:47:07 PM

User:                     N/A

Computer:          <WFE_SERVER>

Description:

Information Rights Management (IRM): There was a problem while trying to activate a rights account certificate.

Unspecified connection error. Try activating again later.

Additional Data

Error value: 8004cf3b

Server URL: /_wmcs/certification">/_wmcs/certification">/_wmcs/certification">https://<RMS_CLUSTER>/_wmcs/certification

Event Type:        Error

Event Source:    Windows SharePoint Services 3

Event Category:                IRM

Event ID:              5133

Date:                     6/10/2009

Time:                     8:47:07 PM

User:                     N/A

Computer:          <SERVER>

Description:

Information Rights Management (IRM): There was a problem while obtaining a Rights Management Services (RMS) group identity certificate (GIC).

A GIC is an essential credential that allows a user to read/view rights protected documents.

Additional Data

Error value: 8004cf3b

Alternate Access Mappings and Windows Powershell

I had a request this week on how to leverage Windows Powershell to add Alternate Access Mappings to the collection for a specific Web application.  Surprisingly after some searching I was unable to find anything existing on the topic, so for those curious see the attached script and corresponding source Xml.

Instructions

1. Copy the source below into somefile.ps1.
2. Copy the Xml source in AAM.xml.
3. In the Windows Powershell console call ./somefile.ps1.

Source

#-------------------------------------------------------------------------------
# Function:    main
#
# Description:    Main entry point for the script.  Loads the configuration source
#        Xml and initializes the foreach loop to iterate over a
#         collection of Xml nodes.
#
# Parameters:    None
#-------------------------------------------------------------------------------

function main()
{
  [xml]$cfg = Get-Content .\AAM.xml

  if( $? -eq $false ) {
    Write-Host "Cannot load configuration source Xml $cfg."
    return $false
  }

  $cfg.Configuration.WebApplication | ForEach-Object {
    new-SPAlternateUrl( $_ )
  }
}

#-------------------------------------------------------------------------------
# Function:     New-SPAlternateURL
#
# Description:     This script adds the specified URLs to the collection of
#        alternate request URLs for the Web application.
#
# Parameters:    None
#-------------------------------------------------------------------------------

function New-SPAlternateURL( [object] $cfg )
{
  [Void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Sharepoint")

  $webApp = $nul;
  $webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup($cfg.Url)
  trap [Exception] { 
      Write-Host
    Write-Error $("Exception: " + $_.Exception.Message);
    continue;
  }

  $cfg.AlternateUrl | ForEach-Object {
  $map=New-Object Microsoft.SharePoint.Administration.SPAlternateUrl($_.IncomingUrl, $_.UrlZone)
  $webApp.AlternateUrls.Add($map)
  return $map
  }

main

Source Xml

<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <WebApplication Url="http://contoso">
    <AlternateUrl IncomingUrl="http://www.contoso.com" UrlZone="Internet" />
    <AlternateUrl IncomingUrl="http://contoso:1234" UrlZone="Custom" />
    <AlternateUrl IncomingUrl="http://contoso:4321" UrlZone="Custom" />
  </WebApplication>
</Configuration>

STSADM -o preparetomove Implications on Search Redundancy

I was just reading Todd's post on preparemove, and he does a good job of covering the changes in profile synchronization and related GUID reset/reassignment introduced by the application of the Infrastructure Update. There is one significant problem this change mitigates, specifically for those looking for a level of search redundancy through a dual-crawl architecture. In most scenarios where a dual-crawl architecture is implemented, an Office SharePoint Server Search instance in the primary datacenters crawls its localized content, and a separate, unique Office SharePoint Server Search instance in the secondary datacenter crawls the content in the primary datacenter. Prior to the Infrastructure Update, this architecture offered little benefit in that when transitioning service to the secondary datacenter, the content would have to be re-crawled, which resulted in little value; however, now that the GUID associated with each individual site collection does not get reset/reassigned when the content databases are moved across Web applications, transitioning the content databases to the secondary datacenter does not require a re-crawl. While the solution still does not provide high-availability for Office SharePoint Server Search, it does open the possibility to effective redundancy.

HTTP to HTTPS Redirection with SharePoint Products and Technologies

I've received several requests in regards to redirecting HTTP to HTTPS.  In this post I will briefly cover a select number methods and/or technologies that can be used to accomplish HTTP to HTTPS redirection.

ISA 2006

Modify the Web Listener connection properties to enable HTTP to HTTPS redirection (see below).

1. Open Web Listener Properties on the Published Site.
2. Select the Connections Tab.
3. Select Redirect all Traffic from HTTP to HTTPS under HTTP to HTTPS Redirection.

Port Forwarding

In a port forwarding scenario you would allow an arbitrary inbound port on your router and configure a destination (forwarded) IIS Website on port 80 that implements native IIS redirection to forward the request to the SSL secured Web application.  This solution provides the highest level of security and requires the least amount of customization on behalf of your Web application; however, port forwarding is not supported by all devices, may not be offered by your network engineering team, or conflicts with other corporate policies, etc.

403.x Modification

In this scenario you would modify the header if the 403.x to implement a META REFRESH to redirect clients to a specified Url.  This solution provides a level of security; however, the redirect is limited to a static Url and in many cases is not supported by all browsers (NOTE This is a proprietary extension to HTML, introduced by Netscape but supported by most web browsers), individual configurations, requires modification of IIS system files, and also does not communicate information about the source or destination to the browser.

HTTP Module

The following sample illustrates a HTTP module that replaces the http prefixes with https and handles the request.  In the sample code each event handler in this HTTP module is written as a private method of the module and when registered events are raised, ASP.NET will call the appropriate handler in the module.  The implementing (base) class provides initialization and disposal events through the IHttpModule Interface (System.Web namespace).

The IHttpModule Interface provides module initialization and disposal events to the implementing class.  An initialization function registers HttpApplication events by adding an OnBeginRequest as the handler.  HttpApplication and HttpContext event objects are created to access the request and response properties in the handler.  The intrinsic request object for the current request are obtained by getting information about the Url of the current request as a canonical string representation of the instance.  If the beginning of the instance matches http: a replace method is called to replace that occurrence with another specified string as https:.  An intrinsic response object is then called for that request and redirects the client to a new Url and terminates execution of the current page.  As a finalizer any current buffered output to the client is stopped in addition to execution of the page and a HttpApplication.EndRequest event raised.

NOTE The HTTP module approach requires removing the SSL required setting in Internet Information Services to permit the HTTP module to be loaded; otherwise, the request is thrown to the 403.x.

Sample Code

using System;
using System.Web;
[assembly: CLSCompliant(true)]

namespace Microsoft.SharePoint.SslRedirect
{
    public class RedirectModule : IHttpModule
    {
        #region IHttpModule Members
        public void Init(HttpApplication context)
        {
            context.BeginRequest += new EventHandler(OnBeginRequest);
        }

        private void OnBeginRequest(object src, EventArgs e)
        {
            HttpApplication context = src as HttpApplication;
            string httpUrl = context.Request.Url.ToString();

            if (httpUrl.StartsWith("http:"))
            {
                httpUrl = httpUrl.Replace("http:", "https:");
                context.Response.Redirect(httpUrl.ToString(), false);
                context.CompleteRequest();
            }
        }

        public void Dispose()
        {
        }
        #endregion
    }
}

SharePoint Diagnostics Tool 1.0

I completely missed this one; the SharePoint Diagnostics Tool was recently released (included in the Microsoft SharePoint Administration Toolkit v3.0).  The SharePoint Diagnostics Tool enables an administrator to simplify troubleshooting by gathering pertinent information about a farm and displaying it in a meaningful way providing a programmatic approach to locating and isolating issues in your environment.  Find it and other great tools and utilities under Tools.

Microsoft Certified Master for SharePoint 2007

In early November, Microsoft announced the Microsoft Certified Master for Office SharePoint Server 2007 and the Microsoft Certified Architect for Office SharePoint Server 2007.  [See http://blogs.msdn.com/sharepoint/archive/2008/11/10/introducing-the-microsoft-certified-master-and-certified-architect-for-sharepoint.aspx] 

I was fortunate in that I had the opportunity to spend three (3) weeks in this first rotation of the program and was extremely impressed, not only with the depth and breadth of the knowledge that was made available throughout the three (3) weeks, but also the ability to collaborate with the brilliant instructors and students alike.  While a challenging undertaking that takes a  focused level of commitment, it was well worth the investment and comes as a definite recommendation for those seeking the top-tier technical certification for SharePoint Products and Technologies.

Read my comments on the Microsoft Certified Master for SharePoint 2007 at ‘The Master Blog’.

Learn more about the Microsoft Certified Master Certification

Learn more about the Microsoft Certified Master for SharePoint 2007

Read the ‘The Master Blog’

Meet the Microsoft Certified Master Instructors

Developer News, SPDisposeCheck Released and Updated Developer Guidance

Today we announced the availability of SPDisposeCheck and updated the guidance [Using Disposable Windows SharePoint Services Objects].  The published guidance provides best practices to follow when using Windows SharePoint Services objects to avoid retaining the objects in memory in the Microsoft .NET Framework, SPDisposeCheck facilitates a programmatic method to enable developers to efficiently adhere to that guidance throughout the development lifecycle.

Learn more and download SPDisposeCheck

People Picker Port/Protocol Requirements

While working on a deployment this week, the OOB People Picker caught my attention and I realized there was not a great deal of documentation available on its requirements and troubleshooting.  Driving this thinking was the nature of the deployment on which it was to be configured - a cross forest, secured deployment with Web front-end servers in a firewalled perimeter network.

Purpose

The People Picker enables an end-user to specify a name or partial name when provisioning a user on a site collection and have the input resolved and validated against a directory source.  (see illustration).  If more than one potential match exists, all related results will be displayed in the dialog.

Conceptually the port requirements become clear, 1) we know we are executing an LDAP query against a directory source impersonating an account with access to that source, binding to the users container and a SearchResultCollection object to hold a collection of SearchResults returned by the FindAll method (see example later in this article) and 2) we require name resolution to resolve a directory server at the destination.  Specifically when you enter a name or partial name in the user interface the Windows API will return a SID for that account, once the SID has been acquired, the People Picker attempts to retrieve additional information about that user from the Active Directory.  Quite clearly under these conditions we will require either port 389 LDAP or port 636 sLDAP, or where a Domain Controller is granted the Global Catalog role, 3268 and 3269, and in both cases 53 DNS, 445 Directory Services in addition to authentication protocols, Kerberos, Kerberos-Adm, and Kerberos-IV.  A complete list of ports and protocols required to successfully instantiate and execute a People Picker request are as follows (WFE):

TCP/UDP 135, 137, 138, 139 (RPC)
TCP/UDP 389 by default, customizable (LDAP)
TCP 636 by default, customizable (LDAP SSL)
TCP 3268 (LDAP GC)
TCP 3269 (LDAP GC SSL)
TCP/UDP 53 (DNS)
TCP/UDP 88 (Kerberos)
TCP/UDP 445 (Directory Services)
TCP/UDP 749 (Kerberos-Adm) [Opt.]
TCP port 750 (Kerberos-IV) [Opt.]

Troubleshooting

Troubleshooting occurrences where the People Picker either cannot resolve a known user name or the connection times out is a process by which there are several opportunities.

Review the Event Viewer and Trace Logs for errors.

The Event Viewer can be used to diagnose any application errors that may be preventing the People Picker from resolving a name or partial name, in addition to the Event Viewer, the Trace Logs provide valuable information on diagnosing issues with the People Picker.  If a search query fails, check the Trace Logs filtering by the requested name or partial name, use the exception message or stack trace information to determine the appropriate course of action.  Most errors are caused by either an unreachable directory service or timeouts due to latent connectivity between the WFE and Directory Services server(s)...keep in mind the default Active Directory search timeout for the People Picker is 30 seconds.

Develop similar functionality using the .NET DirectoryServices namespace DirectoryEntry and DirectorySearcher classes.

Sample Code

//Initialize a new instance of the DirectoryEntry class that binds to the specified Active Directory object
DirectoryEntry de = new DirectoryEntry("LDAP://OU=USERACCOUNTS,DC=CONTOSO,DC=COM");
//Set the user name to use when authenticating the client
de.Username = contoso\\user;
//Set the password to use when authenticating the client
de.Password = <password>;
//Initialize a new instance of the DirectorySearcher class with the specified search filter
DirectorySearcher ds = new DirectorySearcher(de);
//Sets a value indicating the LDAP format filter string.
ds.Filter = "(SAMAccountName=jdoe)";
//Executes a search and returns only the first entry that is found.
SearchResult rs = ds.FindOne();
de = rs.GetDirectoryEntry);
Console.WriteLine(de.Name);

The C# code will enable searching for a specific user from the specified object thereby replicating base People Picker functionality.  Proper exception handling will provide a good source for determining where a potential issue may exist.

Check Configuration

Check the Configuration Database and Web application property bags, People Picker configuration values are stored in the Web application and Configuration Database objects with the values exposed through the properties bag.

Confirm the necessary ports and protocols to traffic the request are available using PortQry or similar application and consider, in the case of PortQry, putting together an XML template that captures these requirements and validate using that template with each build out.

Resources

Configuring the People Picker

Windows Server 2008, SQL Server 2008 Disaster Recovery Notes with SharePoint Products and Technolgies

In recent months there has been a great deal of discussion and debate on disaster recovery and high availability with Microsoft SharePoint Products and Technologies and with the recent releases of both Microsoft SQL Server 2008 and Windows Server 2008 there are open opportunities to leverage components available natively to these technologies and compliment a SharePoint Products and Technologies disaster recovery design.

One of the most significant challenges has been overcoming latency penalties applied through distance between the active and passive datacenters, particularly with Microsoft SQL Server Log Shipping since we're dealing with SMB and a synchronous process.  This is where both SQL Server 2008 and Windows Server 2008 come in...

SQL Server 2008 introduces backup compression which can be further integrated in the Microsoft SQL Server Log Shipping configuration (see also http://msdn.microsoft.com/en-us/library/ms188168.aspx).  By compression the Transaction Log backups and scheduling an aggressive backup schedule in the configuration and administrator can apply a general level of predictability surrounding the size and number of Transaction Log backups and make more efficient use of bandwidth where working with limited throughput and maintaining synchronicity is a concern.

To compliment a Microsoft SQL Server Log Shipping configuration, an administrator can leverage the improvements made to Distributed File System in Windows Server 2008 to optimize WAN performance when copying Transaction Log backups to a remote Secondary server instance.  Windows Server 2008 DFSR improvements include:

• RPC Asynchronous Pipe vs. Multiple RPC Calls in Windows Server 2003 R2
• Asynchronous I/Os vs. Synchronous I/Os in Windows Server 2003 R2
• Unbuffered I/Os vs. Buffered I/Os in Windows Server 2003 R2
• Low Priority I/Os vs. Normal Priority I/Os in Windows Serve 2003 R2
• 16 Concurrent File Downloads vs. 4 Concurrent File Downloads in Windows Server 2003 R2

In this scenario, Windows Server 2008 DFSR would be configured with the Microsoft SQL Server 2008 backup and load shares as members of a replication group actively replicating Transaction Log backups generated in through the Microsoft SQL Server 2008 Log Shipping configuration.  The Microsoft SQL Server Log Shipping Copy job would be disabled permitting DFSR to perform replication between the shares.

So what about my Domain Controllers?

Windows Server 2008 introduces support for Read-Only Domain Controllers and additionally Windows Server 2008 DFSR improvements can be realized providing AD DS schema version 31.

Best Practice Resource Center is now live...

[To avoid common pitfalls and keep your Office SharePoint Server 2007 environment available and performing well, follow these best practices based on real-world experience from Microsoft Consulting Services and the product team.]

http://technet.microsoft.com/en-us/office/sharepointserver/bb736746.aspx

Microsoft SharePoint Administration Toolkit v2.0 Released

http://www.microsoft.com/downloads/details.aspx?FamilyID=263cd480-f6eb-4fa3-9f2e-2d47618505f2&DisplayLang=en