Thursday 2 January 2014

IIS setting for SharePoint 2013

Some checks and reminders for IIS - This is a work in progress!

1.> Change the IIS log location for existing websites. If you want to change them, this needs to be done on each WFE in your farm.
PS script to change the IIS log directory for existing web sites.
2.> Disable IIS recycling
3.> Ensure app pool accounts have low levels of network permissions.
4.> Certificates used by IIS, when do they expire.
5.> Application Initialisation for IIS8 or warm-up scripts to stop the long delays after an IISRESET/app pool recycle.

   **************
CPU over utilisation


   ********************

Verify when certificates are going to expire:

Import-Module WebAdministration
$DaysToExpiration = 365
# change this once it's working
$expirationDate = (Get-Date).AddDays($DaysToExpiration)
$expirationDate5yrs = (Get-Date).AddDays(5 * 365)
# One item per SSL binding configured in IIS
$certs = Get-ChildItem IIS:\SslBindings
foreach ($cert in $certs)
{
 $store = $cert.Store.ToString()
 Write-Host " Cert Store:" $store
 Write-Host " Cert Port:" $cert.Port.ToString()
 Write-Host " Cert Thumbprint:" $cert.Thumbprint
 # Look up the certificate this binding uses in the local machine store
 $body = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
 foreach ($me in $body) {
   if ($expirationDate -gt $me.NotAfter) {
    Write-Host " Expiring soon" -BackgroundColor Red
   }
   elseif ($expirationDate5yrs -gt $me.NotAfter) {
    Write-Host " Expiring in 5 years" -BackgroundColor Yellow
   }
   elseif ($expirationDate -le $me.NotAfter) {
    Write-Host " Expiring more than a year away" -BackgroundColor Green
   }
   Write-Host " - Body subject: " $me.Subject
   Write-Host " - Body thumbprint: " $me.Thumbprint
   Write-Host " - Body friendly name: " $me.FriendlyName
   Write-Host " - Body Expiry: " $me.NotAfter
 }
 Write-Host ""
}

 *********************
Check the service accounts do not have too many permissions:
The script below retrieves the pswd to show the client the potential issue.

Import-Module WebAdministration
# Walk every application pool on this server
foreach ($webapp in Get-ChildItem IIS:\AppPools\)
{
 $iispath = "IIS:\AppPools\" + $webapp.name
 # A stored password means the pool runs under a specific (usually domain) account
 $pswd = $webapp.processModel.password
 $state = (Get-WebAppPoolState -Name $webapp.name).Value
 $color = "White"
 $forecolor = "Black"
 if ($pswd.Length -gt 0) {$color = "red"} # verify the domain accounts don't have excessive privileges
 if ($state -eq "Stopped") {$forecolor = "blue"} # why are there stopped IIS app pools?
 Write-Host "Name:" $webapp.name " | Version:" (Get-ItemProperty $iispath managedRuntimeVersion).Value `
 " | Username:" $webapp.processModel.userName " | Pswd:" $pswd `
 " | State:" $state -BackgroundColor $color -ForegroundColor $forecolor
}

 Tip: Advise client to change Windows service account used to run the SP timer job.  Check ramifications.
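A companion check for the least-privilege point above, added here as an example and not part of the original post: it reports each app pool identity and flags accounts that are local administrators or run as LocalSystem, without printing the password. It assumes accounts are written as DOMAIN\name and only sees direct members of the local Administrators group.

```powershell
Import-Module WebAdministration

# Direct members of the local Administrators group via ADSI, as DOMAIN\name.
# Nested group membership is not expanded (assumption of this example).
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $adsPath = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    # WinNT://DOMAIN/name -> DOMAIN\name
    ($adsPath -replace '^WinNT://', '') -replace '/', '\'
}

$report = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $pm       = $pool.processModel
    $identity = "$($pm.identityType)"
    $findings = @()

    if ($identity -eq 'LocalSystem') {
        $findings += 'runs as LocalSystem'
    }
    if ($identity -eq 'SpecificUser' -and $admins -contains $pm.userName) {
        $findings += 'account is a local administrator'
    }
    $state = (Get-WebAppPoolState -Name $pool.Name).Value
    if ($state -eq 'Stopped') {
        $findings += 'pool is stopped'
    }

    [pscustomobject]@{
        AppPool        = $pool.Name
        IdentityType   = $identity
        UserName       = $pm.userName
        # Report only that a password is stored, never its value
        PasswordStored = ($pm.password.Length -gt 0)
        State          = $state
        Findings       = ($findings -join '; ')
    }
}

# Pools with findings first, then the rest
$report | Sort-Object { $_.Findings -eq '' }, AppPool | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each WFE and application server, since the IIS: drive needs administrator rights.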


**********************************

Understanding SQL backups on SharePoint databases using the Full recovery mode

Overview:  This post looks at reducing the footprint of the ldf file.  SharePoint-related databases using the Full recovery mode keep all transactions since the last "differential". It explains how SQL is affected by backups such as SQL backups, SP backups and 3rd party backup tools (both SP backup and SQL backup tools).

This post does not discuss why all your databases are in full recovery mode or look at competing backup products.  It also contains steps to truncate and then shrink the size of the transaction log.

Note: Shrinking an ldf file only for it to regrow each week/cycle is bad practice.  The only time to shrink is when the log has unused transactions that are already covered by backups.

Background
  • Using the full recovery model allows you to restore to a specific point in time.
  • A Full backup is referred to as your "base of the differential".
  • A "copy-only" backup cannot be used as a "base of the differential", this becomes important when there are multiple providers backing up SQL databases.
  • After a full backup is taken, differential backups ("differentials") can be taken.  Differentials are all changes to your database since the last "base of the differential".  They are cumulative, so they grow bigger with each subsequent differential backup until a new "base of the differential" is taken.
  • To restore, you need the "base of the differential" (last full backup) and the latest "differential" backup.
  • You can also back up the transaction logs (in effect the ldf).  These need to be restored in sequential order, so you need all log file backups.
  • If you still have your database you can produce the "tail-log" backup; this will allow you to restore to any point in time.
  • Every backup gets a "Log Sequence Number" (LSN); this allows the restore to build a chain of backups for restore purposes.  This chain can be broken using 3rd party tools or by switching the database into the simple recovery mode.
  • "Shrinking" and "Truncating" are a confusing pair of closely related terms.  You may notice an ldf file has got extremely large; if you are performing full backups on a scheduled basis this is a good size to keep the ldf at.  You don't want to grow ldf files on the fly as it is extremely resource intensive.  However, say your log file has not been purging/removing transactions within a cycle; then you may have a completely oversized ldf file.  In this scenario, you want to perform a full backup and truncate your logs.  This removes committed transactions, but the unused records are marked as available to be used again.  You can now perform a "shrink" to reduce the size of the ldf file again.  You don't want ldfs growing every cycle, so don't schedule the shrinking.
  • "Truncating" is marking committed transactions in the ldf as "free" or available for writing new transactions to.
  • "Shrinking" will reduce the physical size of the ldf.  Shrinking can reclaim space from the "free" space in the ldf.

The process to shrink the transaction log files:

1.> Determine which databases are suitable candidates for shrinking the log file. 
DBCC SQLPERF(LOGSPACE);


2.> Perform a Full backup.
3.> Next perform a transaction log backup and truncate the database.
4.> Run DBCC SHRINKFILE as shown below (please remember to leave room for growth so the ldf file is not growing, keep extra room in the ldf - this should be used to reduce the size of a log file that has grown way too far).  The example below will leave my transaction log at 100MB.
USE AutoSP_Config;
GO
DBCC SHRINKFILE (AutoSP_Config_log, 100);
GO

5.> Verify the ldf file has reduced in size.

Update 2014-02-05: I have AlwaysOn on my separate SharePoint Reporting Services database.  The SP_RS_ServiceTempDB should be excluded from the availability groups.  Keep it in the simple recovery mode.  The logs grow extremely quickly and it does not need to be in Full recovery mode.

Update 2014-04-25: Shrinking AlwaysOn databases does not require you to remove the database from the AOAG; you can merely perform a full backup on the primary and then shrink the database. Note: Watch the backup chains; you can break them, especially if you have a 3rd party backup tool on SharePoint.

Update 2019-04-18:
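Change a database from the Full recovery model to Simple using T-SQL and shrink the ldf file:
USE [LiveDB]
GO
ALTER DATABASE [LiveDB] SET RECOVERY SIMPLE WITH NO_WAIT
GO
-- The first argument is the logical file name (listed in sys.database_files), the second the target size in MB
DBCC SHRINKFILE ('LiveDB', 10)
GO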

The normal process is to change the db as follows: 1) Set Simple Recovery 2) Shrink the ldf (remember to size it so it can handle a full backup cycle) 3) Set Full Recovery 4) Perform a Full backup (start the SQL backup chain again)
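To see the LSN chain from the Background section, and whether a 3rd party tool or a recovery model switch has broken it, the backup history in msdb can be walked in order. This is an added example, not part of the original post; it assumes the Invoke-Sqlcmd cmdlet (SQLPS or SqlServer module) is available, and the instance name is a placeholder.

```powershell
$ServerInstance = 'SQL-PLACEHOLDER'   # hypothetical instance name, replace with your own
$Database       = 'AutoSP_Config'     # database name used in the shrink example above
if ($Database -notmatch '^[\w-]+$') { throw "Unexpected database name: $Database" }

# Backup history for one database, oldest first (first media family only, no mirrors)
$query = @"
SELECT b.backup_finish_date, b.type, b.is_copy_only, b.first_lsn, b.last_lsn,
       b.user_name, f.physical_device_name, f.device_type
FROM msdb.dbo.backupset AS b
JOIN msdb.dbo.backupmediafamily AS f ON f.media_set_id = b.media_set_id
WHERE b.database_name = N'$Database'
  AND f.family_sequence_number = 1 AND f.mirror = 0
ORDER BY b.backup_finish_date;
"@
$rows = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database msdb -Query $query)

$prevLog = $null
$report = foreach ($r in $rows) {
    $note = ''
    if ($r.type -eq 'D') {
        # Only a normal (not copy-only) full backup becomes the base of the differential
        $note = if ($r.is_copy_only) { 'copy-only full: not a base of the differential' }
                else { 'full: new base of the differential' }
    }
    elseif ($r.type -eq 'L' -and -not $r.is_copy_only) {
        # In an unbroken chain each log backup starts at the LSN where the previous one ended
        if ($prevLog -and $r.first_lsn -ne $prevLog.last_lsn) {
            $note = 'GAP: log chain does not continue from the previous log backup'
        }
        $prevLog = $r
    }
    [pscustomobject]@{
        Finished = $r.backup_finish_date
        Type     = $r.type            # D = full, I = differential, L = log
        CopyOnly = $r.is_copy_only
        TakenBy  = $r.user_name
        # device_type 7 is a virtual device, typical of 3rd party backup agents
        Virtual  = ($r.device_type -eq 7)
        Device   = $r.physical_device_name
        Note     = $note
    }
}
$report | Format-Table -AutoSize
```

Several different TakenBy accounts or a mix of virtual and disk devices on the same database is the sign that more than one backup provider is writing to the chain.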

Sunday 8 December 2013

Verify SP 2013 Search Installations

This script runs PowerShell to check Search on a farm; it shows where components are configured and working.

There are more detailed scripts on the web; this is a simple check.

 

Saturday 7 December 2013

Restricting SharePoint Designer access

Overview: I dislike SharePoint Designer (SPD).  Depending on your company's/client's SharePoint governance, you can control the use of SPD on your farms.  My default position is turn it completely off.  SPD can be configured at web application (WA) or Site collection level.

My position is turn off SharePoint Designer on your production and UAT farms.  If someone needs access they probably should rather do it in dev and package it for deployment or turn on specific access.  SharePoint CA can be used to configure how SPD can work on specific Web Apps.

Controlling SPD at a WA level can be done via PS or using CA.  Tip: CA > General Settings > SharePoint Designer > Configure SharePoint Designer Settings > Select the web app to edit and adjust accordingly.

More Info:
http://blog.ciaops.com/2013/06/disabling-sharepoint-designer-access-in.html

Saturday 30 November 2013

Planning Suggestion for SharePoint 2013

Overview:  It is always a good idea to have an exact breakdown of your SharePoint architecture. I do this using a diagram and a corresponding spreadsheet.  This post has an example of the spreadsheet; I have a tab for each DTAP environment before I build it out.

| Server Name | Server Role | Logical Group | CPU | C | D | RAM | Location | IP | Environment |
|---|---|---|---|---|---|---|---|---|---|
| SVR-PR-WFE1 | SharePoint Web Front End | SP WFE | 4 | 90 | 80 | 16 | London | 10.189.10.50 | Production |
| SVR-PR-WFE2 | SharePoint Web Front End | SP WFE | 4 | 90 | 80 | 16 | London | 10.189.10.51 | Production |
| SVR-PR-WFE3 | SharePoint Web Front End | SP WFE | 4 | 90 | 80 | 16 | M | 10.189.10.52 | Production |
| SVR-PR-WFE4 | SharePoint Web Front End | SP WFE | 4 | 90 | 80 | 16 | M | 10.189.10.53 | Production |
| SVR-PR-APP1 | SharePoint Application Server | SP APP | 4 | 90 | 80 | 16 | London | 10.189.10.54 | Production |
| SVR-PR-APP2 | SharePoint Application Server | SP APP | 4 | 90 | 80 | 16 | London | 10.189.10.55 | Production |
| SVR-PR-APP3 | SharePoint Application Server | SP APP | 4 | 90 | 80 | 16 | M | 10.189.10.56 | Production |
| SVR-PR-APP4 | SharePoint Application Server | SP APP | 4 | 90 | 80 | 16 | M | 10.189.10.57 | Production |
| SVR-PR-OWA1 | Office Web Applications | OWA | 8 | 90 | 80 | 16 | London | 10.189.10.58 | Production |
| SVR-PR-OWA2 | Office Web Applications | OWA | 8 | 90 | 80 | 16 | London | 10.189.10.59 | Production |
| SVR-PR-OWA3 | Office Web Applications | OWA | 8 | 90 | 80 | 16 | M | 10.189.10.60 | Production |
| SVR-PR-OWA4 | Office Web Applications | OWA | 8 | 90 | 80 | 16 | M | 10.189.10.61 | Production |
| SVR-PR-WF1 | Workflow Services | SP WF | 4 | 90 | 120 | 8 | London | 10.189.10.62 | Production |
| SVR-PR-WF2 | Workflow Services | SP WF | 4 | 90 | 120 | 8 | M | 10.189.10.63 | Production |
| SVR-PR-SRCH1 | SharePoint Search Type A | Search | 8 | 134 | 80 | 32 | London | 10.189.10.70 | Production |
| SVR-PR-SRCH2 | SharePoint Search Type A | Search | 8 | 134 | 80 | 32 | M | 10.189.10.71 | Production |
| SVR-PR-SRCH3 | SharePoint Search Type B | Search | 8 | 134 | 300 | 24 | London | 10.189.10.72 | Production |
| SVR-PR-SRCH4 | SharePoint Search Type B | Search | 8 | 134 | 300 | 24 | M | 10.189.10.73 | Production |
| SVR-PR-SRCH5 | SharePoint Search Type C | Search | 8 | 134 | 500 | 24 | London | 10.189.10.74 | Production |
| SVR-PR-SRCH6 | SharePoint Search Type C | Search | 8 | 134 | 500 | 24 | M | 10.189.10.75 | Production |
| SVR-PR-SRCH7 | SharePoint Search Type D | Search | 8 | 134 | 500 | 24 | London | 10.189.10.76 | Production |
| SVR-PR-SRCH8 | SharePoint Search Type D | Search | 8 | 134 | 500 | 24 | M | 10.189.10.77 | Production |
| SVR-PR-SRCH9 | SharePoint Search Type D | Search | 8 | 134 | 500 | 24 | London | 10.189.10.78 | Production |
| SVR-PR-SRCH10 | SharePoint Search Type D | Search | 8 | 134 | 500 | 24 | M | 10.189.10.79 | Production |
| SVR-PR-DBS1 | SharePoint Databases | SQL | 16 | 134 | 500 | 32 | London | 10.189.10.85 | Production |
| SVR-PR-DBS2 | SharePoint Databases | SQL | 16 | 134 | 500 | 32 | M | 10.189.10.86 | Production |
| CL-PR-DBS | Cluster | | | | | | | 10.189.10.87 | |
| LS-PR-DBS | Listener | | | | | | | 10.189.10.88 | |
| SVR-PR-DBR1 | SSRS & SSAS Databases | SQL | 8 | 134 | 500 | 32 | London | 10.189.10.89 | Production |
| SVR-PR-DBR2 | SSRS & SSAS Databases | SQL | 8 | 134 | 500 | 32 | M | 10.189.10.90 | Production |
| CL-PR-DBR | Cluster | | | | | | | 10.189.10.91 | |
| LS-PF-SP-DBR | Listener | | | | | | | 10.189.10.92 | |
| SVR-PR-DBA1 | TDS & K2 Databases | SQL | 16 | 134 | 500 | 32 | London | 10.189.10.93 | Production |
| SVR-PR-DBA2 | TDS & K2 Databases | SQL | 16 | 134 | 500 | 32 | M | 10.189.10.94 | Production |
| CL-PR-DBA | Cluster | | | | | | | 10.189.10.95 | |
| LS-PR-DBA | Listener | | | | | | | 10.189.10.96 | |

Note: The Windows "Page File" or "Paging File" is a contentious issue, depending on the recovery.  So the dump logs go to 1 of the drives and I normally make sure they go to the c drive that is over provisioned for this size.  I don't really know how important this is but I always estimate on the c drive for at least 2 times the maximum ram for my calculations.