Showing posts with label managed service accounts. Show all posts

Thursday 9 September 2010

SPAutoinstaller accounts

Change the setup.xml file to use 5 accounts:
  1. SP-Install - domain account with local admin rights on each WFE; also needs the SQL dbcreator and dbsecurity roles (used to log in and install binaries; use this account to add new servers to the farm);
  2. SP-Farm - domain account, no permissions; will be the account that runs the timer job and other key roles;
  3. SP-Web-App-Pool - Content Web app account - Domain account only;
  4. SP-Services - Install all services to use the same domain account. This can be separate for each service, but for ease of setup and maintenance use 1 account. The exception is the User Profiles service, which is set up separately using Spence Harbar's post, as the user domain account needs unique security; and
  5. SP-Crawl - Used to crawl SP content.
6th: SP-SQL - domain user account with no privileges, used to start the SQL service (recommended). Local/built-in accounts can be used, but Reporting Services and other advanced functionality need a domain account.
 
A 7th account, called SP-Service-UP, should be used for User Profiles. This is a complex issue and needs a full review; don't try to install this blindly hoping it will work.

References
Todd Klindt's Blog
Todd's netcast 49 about installation (specifically install accounts, user profile services and an SP2010 internet version Enterprise edition licence bug).
Liam Cleary's list of SharePoint 2010 Service Accounts

Thursday 1 July 2010

Installing SharePoint 2010 options & Basic SP2010 manual installation tips

You have 4 options for installing SharePoint farms:
  1. Manually run the setup and follow the installation wizard (this is discussed below);
  2. Deploy SharePoint 2010 via a slipstream install, this was my preferred method for MOSS.  I ran the install from a batch file that got its configuration from an xml file;
  3. PSConfig installation (sic); or
  4. Use PowerShell to install SharePoint, and TechNet scripted deployment.
Summary: For environments such as live, the PowerShell/slipstreamed options are best, as they allow the farm to be recreated and the input is always identical.  A manual install is fine for development servers; however, there is no advantage except for a lower learning curve for the IT admin.
The post below covers a manual installation:
SP2010 install video
Install the prerequisites
  • The prerequisites installer adds the roles and software you need. Internet access is needed on the server to fetch the prerequisite software (this can be put on the server beforehand to stop the machine going to the Internet).
  • Preferably have a separate instance of SQL 2008 R2, except for dev/demo machines. If using 1 machine, rather set up SQL Developer or an instance (I dislike using SQL Express).
Setup / SP 2010 install tips
  • Install the "Server farm" option, not standalone
  • "Complete" installs all components and is the preferred option
  • Connect to a new farm
  • Database server name: use the name rather than the IP (in case it changes)
  • DB account (must already exist in AD)
  • Passphrase used to connect new servers to this server farm (remember/keep it)
  • Kerberos - if your network supports it, but use NTLM if you aren't sure.
  • Wizard - follow the screens. Services can be heavy, so add them when you need them; however, for a demo I select all services and create a new site collection - a good option is to use the Team Site Template.
  • Need 3 accounts for minimum best practice: 1) Managed service account (domain user account) that SQL Server runs as, 2) Managed service account (domain user account) that all services are installed under (MS suggests using a separate managed account for each service); on small farms/dev I use 1 account, and 3) Farm install account (domain account); this needs to be a local admin on each SP2010 server and have the creator & dbsecurity accounts on SQL.
  • 5 accounts is a better option, excluding the SQL service account, namely:
  1. SP-Install - domain account with local admin rights on each WFE; also needs the SQL dbcreator and securityadmin roles (used to log in and install binaries; use this account to add new servers to the farm),
  2. SP-Farm - domain account, no permissions; will be the account that runs the timer job and other key roles,
  3. SP-Web-App-Pool - Content Web app account - Domain account only,
  4. SP-Services - Install all services to use the same domain account. This can be separate for each service, but for ease of setup and maintenance use 1 account.  The exception is the User Profiles service, which is set up separately using Spence Harbar's post, as the user domain account needs unique security, and
  5. SP-Crawl - Used to crawl SP content.
Additional Info on accounts:
  1. SQL Server needs to run as a Windows service, so you need an account; I would use a managed account in AD with no permissions, called SP2010-SQLService.
  2. Farm installation account: you need to create a domain user account in AD and give the account local admin access to each SP2010 machine.  Call it SP2010-Admin.
  3. SP2010 service account/s: you need to create a managed service account with zero permissions in AD.  You can use 1 account or create a separate account for each service (MS Best Practice).  I call my 1 account SP2010-Services.
Use slipstreaming for SharePoint; it's faster and consistent.
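The least-privilege layout described here and in the 9 September 2010 post can be checked once the farm is built. The script below is an added example, not part of the original posts or of AutoSPInstaller: it reports any SP-* account that belongs to an extra AD group or whose local Administrators membership differs from the plan. The domain name `CONTOSO` and the server names are assumptions, and it needs the ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

$Domain  = 'CONTOSO'              # assumption: NetBIOS domain name
$Servers = 'SPWFE01', 'SPWFE02'   # assumption: SharePoint server names
# Account names are from the posts; only SP-Install should be a local administrator.
$Accounts   = 'SP-Install', 'SP-Farm', 'SP-Web-App-Pool', 'SP-Services',
              'SP-Crawl', 'SP-SQL', 'SP-Service-UP'
$LocalAdmin = @('SP-Install')

function Get-LocalAdminMember {
    param([string]$Server)
    # The WinNT ADSI provider works on Windows 2008 R2, which has no Get-LocalGroupMember.
    $group = [ADSI]"WinNT://$Server/Administrators,group"
    foreach ($m in $group.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # WinNT://CONTOSO/SP-Install  ->  CONTOSO\SP-Install
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$findings = @()

# 1. Domain side: the accounts should sit in no group other than Domain Users.
foreach ($name in $Accounts) {
    $extra = Get-ADPrincipalGroupMembership -Identity $name |
             Where-Object { $_.Name -ne 'Domain Users' }
    foreach ($g in $extra) {
        $findings += New-Object PSObject -Property @{
            Account = $name; Scope = 'AD'; Issue = "member of '$($g.Name)'" }
    }
}

# 2. Server side: compare direct local Administrators membership with the plan.
foreach ($server in $Servers) {
    $admins = @(Get-LocalAdminMember -Server $server)
    foreach ($name in $Accounts) {
        $isAdmin = $admins -contains "$Domain\$name"
        $should  = $LocalAdmin -contains $name
        if ($isAdmin -ne $should) {
            $issue = if ($isAdmin) { 'unexpected local admin' } else { 'missing local admin' }
            $findings += New-Object PSObject -Property @{
                Account = $name; Scope = $server; Issue = $issue }
        }
    }
}

$findings | Sort-Object Scope, Account | Format-Table Account, Scope, Issue -AutoSize
```

Only direct membership is compared on each server; an account that is a local administrator through a nested domain group shows up in the AD check instead.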
Use:
  1. Windows 2008 R2 x64
  2. SQL 2008 x64
  3. On Hyper-V/VMware, except the db, which should be a separate physical machine/SAN
Update 08 November 2010:  Notes on deploying a 3 server farm consisting of 2 WFEs that are load balanced using Windows NLB.  Installation done using AutoSPInstaller.
Installation Notes for a 3 server NLB SharePoint 2010 farm

Update 10 November 2010: SharePoint install account - Todd Klindt.
Update 11 May 2011: SharePoint 2010 database management article