Wednesday, December 18, 2013

Best Practices for operational excellence in SharePoint 2010 - Part 2
  1. Server Updates
    • Turn on windows update to download automatically but not install automatically.
    • Install updates manually at off-peak hours and rotate servers one at a time during update process to ensure business continuity.
  2. Service Accounts
    • Use one service account for search per farm.
    • Use one service account for Excel Services external connections.
  3. Use local disk for backups and later copy them elsewhere.
  4. Back up and truncate the log file regularly.
  5. Test and validate backups regularly to ensure business continuity.
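The update policy from item 1, applied and verified across a farm, as an added PowerShell example (not code from the original post). It sets the standard Automatic Updates policy values (AUOptions 3 = download automatically, notify before install) and then reports which servers still have a pending reboot, so that patching can proceed one server at a time. The server names are placeholders, and it assumes PowerShell remoting is enabled and the session is elevated.

```powershell
# Added example: enforce "download only, install manually" and show per-server reboot state.
# Assumes elevated session and PowerShell remoting to each farm server.
$Servers = @('SPWFE01', 'SPWFE02', 'SPAPP01')   # placeholder farm server names

function Set-DownloadOnlyUpdatePolicy {
    # NoAutoUpdate 0 = Automatic Updates enabled; AUOptions 3 = auto download, notify before install
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoAutoUpdate' -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name 'AUOptions'    -Value 3 -Type DWord
}

function Test-DownloadOnlyUpdatePolicy {
    # $true only when the policy key exists and both values match the intended setting
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    [bool]($p.NoAutoUpdate -eq 0 -and $p.AUOptions -eq 3)
}

function Test-PendingReboot {
    # Either marker means the previous update round has not finished on this server
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
}

# Apply the policy everywhere, then list verification and reboot state per server.
# Functions are passed as script blocks so they run on the remote machine.
foreach ($s in $Servers) {
    Invoke-Command -ComputerName $s -ScriptBlock ${function:Set-DownloadOnlyUpdatePolicy}
    [pscustomobject]@{
        Server        = $s
        PolicyApplied = Invoke-Command -ComputerName $s -ScriptBlock ${function:Test-DownloadOnlyUpdatePolicy}
        RebootPending = Invoke-Command -ComputerName $s -ScriptBlock ${function:Test-PendingReboot}
    }
}
```

Run it before each maintenance window: install the downloaded updates on one server, reboot, confirm it shows `RebootPending = False` and is back in the load balancer, and only then move to the next server.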

Tuesday, December 17, 2013

Best Practices for operational excellence in SharePoint 2010 - Part 1

  1. Network adapters
    • Gigabit network adapters for all server roles
    • Dual network adapters in production environment for WFE and App servers. One for users and other for SQL Server communication.
    • Private network adapters for inter-server communications, for tasks like backups so that this traffic does not affect the overall farm performance.
    • Consider VLANs to reduce network traffic under heavy load conditions.
  2. Keep minimum network distance between WFE, App and DB servers
    • Maintain latency under one millisecond.
  3. Web servers and app servers
    • Separate system components onto logical drives and use RAID for redundancy.
    • Allocate 200 GB of disk space for the operating system and temporary files.
    • Allocate 150 GB of disk space for logs.
    • Consider the number of users, requests and features required to identify how many WFE servers are required.
    • Consider HA and DR appropriately.
  4. Database Servers
    • The following databases should be kept separate from other databases:
      • TempDB
        • Size: Medium
        • Must be on a separate spindle from all other databases
      • Secure Store
        • Size: Small
        • Host on a separate database instance and limit the access to one administrator
      • Search Crawl
        • Size: Extra Large
        • Optimize for read
        • Host on a separate server from the Search Property database
      • Search Property
        • Size: Large
        • Optimize for write
        • Host on its own server
      • Usage
        • Size: Extra Large
        • Optimize for write
        • Must be on a separate spindle.
        • This DB does not need high performance and will not affect farm performance.
    • The following databases can be stored in the same location as other databases:
      • Configuration DB
        • Size: Small
      • ReportServerTempDB
        • Size: Small
  5. DB server health
    1. Pre-grow all databases and logs.
    2. Limit content DBs to 200 GB.
    3. Don't store more than 50 databases on a single physical instance of SQL Server when using SQL Server mirroring.
    4. Defragment and rebuild indices if possible.
    5. Performance counters
      1. Network wait queue: 0 or 1
      2. Average disk queue length (latency): <5 ms
      3. Memory used: <70%
      4. Free disk space: >25%
      5. Buffer cache hit ratio: >=90%
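The performance-counter thresholds in item 5, turned into a check that can be run on a SharePoint database server, as an added PowerShell example (not from the original post). The mapping of each item to a Windows counter path is an assumption of the example: disk latency is read from `Avg. Disk sec/Transfer` (in seconds, so 5 ms = 0.005), the network queue from `Output Queue Length`, and the buffer cache hit ratio from the `SQLServer:Buffer Manager` set, which is the name used by a default SQL Server instance (a named instance uses `MSSQL$NAME:Buffer Manager`).

```powershell
# Added example: sample the health counters listed above and flag values outside the thresholds.
# Assumes a default SQL Server instance and the standard Windows counter names.
$Thresholds = @(
    @{ Name = 'Network output queue';   Path = '\Network Interface(*)\Output Queue Length';          Max = 1 }
    @{ Name = 'Disk latency (seconds)'; Path = '\LogicalDisk(_Total)\Avg. Disk sec/Transfer';       Max = 0.005 }
    @{ Name = 'Memory used (%)';        Path = '\Memory\% Committed Bytes In Use';                   Max = 70 }
    @{ Name = 'Free disk space (%)';    Path = '\LogicalDisk(_Total)\% Free Space';                  Min = 25 }
    @{ Name = 'Buffer cache hit (%)';   Path = '\SQLServer:Buffer Manager\Buffer cache hit ratio';   Min = 90 }
)

function Test-Threshold {
    # Returns HIGH / LOW / OK for one cooked counter value against one rule
    param([double]$Value, [hashtable]$Rule)
    if ($Rule.ContainsKey('Max') -and $Value -gt $Rule.Max) { return 'HIGH' }
    if ($Rule.ContainsKey('Min') -and $Value -lt $Rule.Min) { return 'LOW' }
    'OK'
}

function Get-SPSqlHealthFindings {
    foreach ($t in $Thresholds) {
        try { $set = Get-Counter -Counter $t.Path -ErrorAction Stop }
        catch {
            # Counter set missing (e.g. named instance, SQL not installed here): report rather than skip silently
            [pscustomobject]@{ Check = $t.Name; Instance = '-'; Value = $null; Status = 'NO DATA' }
            continue
        }
        # Wildcard paths such as (*) return one sample per instance; evaluate each one
        foreach ($s in $set.CounterSamples) {
            [pscustomobject]@{
                Check    = $t.Name
                Instance = $s.InstanceName
                Value    = [math]::Round($s.CookedValue, 3)
                Status   = Test-Threshold -Value $s.CookedValue -Rule $t
            }
        }
    }
}

Get-SPSqlHealthFindings | Format-Table -AutoSize
```

A single sample is a snapshot; for a real baseline run it at intervals (`Get-Counter -SampleInterval` and `-MaxSamples`) during peak load and compare against the thresholds over time rather than from one reading.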
Monday, February 25, 2013

Boundaries and Limits of SharePoint 2013

- SharePoint 2013 allows 2,50,000 site collections per web application.

- SharePoint 2013 now supports 300 content databases per web application.

- Content database size can be 200 GB for normal usage and 4 TB in all usage scenarios.

- One content database can support up to 60 million items, including lists, libraries, apps, etc.

- A site collection can have 2,50,000 sites or subsites.

- A SharePoint 2013 list or library can contain 30 million items or documents.

- A user can belong to a maximum of 5000 groups.

- A SharePoint 2013 site collection can contain 2 million users.

- A SharePoint site collection can contain 10000 SharePoint groups.

- A web application can contain 5 zones.


Thursday, January 31, 2013

Kerberos VS NTLM Authentication

NTLM Authentication: Challenge-Response mechanism.

In the NTLM protocol, the client sends the user name to the server; the server generates and sends a challenge to the client; the client encrypts that challenge using the user's password; and the client sends the response to the server. If it is a local user account, the server validates the user's response by looking in the Security Account Manager; if it is a domain user account, the server forwards the response to a domain controller for validation and retrieves the group policy of the user account, then constructs an access token and establishes a session for the user.

Kerberos authentication: Trusted-Third-Party scheme.

Kerberos authentication provides a mechanism for mutual authentication between a client and a server on an open network. The three "heads" of Kerberos are the Key Distribution Centre (KDC), the client user, and the server hosting the service to be accessed. The KDC is installed as part of the domain controller and performs two service functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS). When the client user logs on to the network, it requests a Ticket-Granting Ticket (TGT) from the AS in the user's domain. When the client later wants to access a network resource, it presents the TGT, an authenticator and the Service Principal Name (SPN) of the target server to the TGS in the service account's domain to retrieve a session ticket for subsequent communication with the network service; once the target server validates the authenticator, it creates an access token for the client user.
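A practical way to see which of the two protocols a SharePoint server is actually using, as an added PowerShell example (not part of the original post): successful logons are recorded as Security event 4624, and the event's `AuthenticationPackageName` field states whether the logon used Kerberos or NTLM. The example tallies recent logons by package and logon type, which is how an administrator checks that Kerberos is really in effect after SPNs are registered, since missing or mismatched SPNs silently fall back to NTLM. It assumes an elevated session with read access to the Security log; the sample events at the bottom are constructed for offline testing of the parser and are not real log data.

```powershell
# Added example: summarise Security event 4624 by authentication package (Kerberos vs NTLM).
# Assumes the standard 4624 event schema and an elevated session for the live query.

function ConvertTo-LogonPackageSummary {
    # Parses 4624 event XML strings and groups them by package and logon type
    param([string[]]$EventXml)
    $rows = foreach ($x in $EventXml) {
        $data = ([xml]$x).Event.EventData.Data
        [pscustomobject]@{
            Package   = ($data | Where-Object Name -eq 'AuthenticationPackageName').'#text'
            LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
            Account   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        }
    }
    $rows | Group-Object Package, LogonType | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Package';   e = { $_.Group[0].Package } },
            @{ n = 'LogonType'; e = { $_.Group[0].LogonType } },
            @{ n = 'Accounts';  e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } }
}

function Get-LogonPackageSummary {
    # Live version: reads the most recent successful logons from the local Security log
    param([int]$MaxEvents = 2000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents
    ConvertTo-LogonPackageSummary -EventXml ($events | ForEach-Object { $_.ToXml() })
}

# Constructed sample events (not real log data) so the parser can be exercised offline
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$Sample = @(
    "<Event xmlns='$ns'><System><EventID>4624</EventID></System><EventData><Data Name='TargetUserName'>alice</Data><Data Name='LogonType'>3</Data><Data Name='AuthenticationPackageName'>Kerberos</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>4624</EventID></System><EventData><Data Name='TargetUserName'>bob</Data><Data Name='LogonType'>3</Data><Data Name='AuthenticationPackageName'>NTLM</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>4624</EventID></System><EventData><Data Name='TargetUserName'>alice</Data><Data Name='LogonType'>3</Data><Data Name='AuthenticationPackageName'>Kerberos</Data></EventData></Event>"
)

ConvertTo-LogonPackageSummary -EventXml $Sample | Format-Table -AutoSize
# On a farm server, replace the line above with:  Get-LogonPackageSummary | Format-Table -AutoSize
```

Logon type 3 (network) rows with package NTLM on a web front end that is supposed to use Kerberos are the ones to investigate; the usual causes are an SPN not registered for the application pool account, or a client reaching the site by a host name that has no SPN.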

SharePoint 2010 - Claims-based authentication

Claims-based authentication (CBA) is based on a concept of identity that works with any identity system. An identity is represented by a security token. The security token is presented to the application the user is trying to access. CBA provides a trust-based system between applications and a centralized provider that issues the tokens. The application trusts the user because it trusts the provider. Therefore, in addition to providing a single sign-on environment, this eliminates the need for each application to authenticate the user individually.

CBA also answers two important questions:
  1. How will users gain access to the enterprise's applications regardless of their location?
    • Claims-based identity provides a common way for applications to acquire identity information from users, irrespective of whether they are inside the organization, in another organization, or on the internet.
  2. How will the different types of user information be retrieved by the applications so that they can accomplish their required functions?
    • Identity information is stored in a token. A token may contain one or more claims (pieces of identity information) about the user. A claim can be thought of as metadata about a user that stays with the token.
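The trust model just described, reduced to its essentials, as an added PowerShell example (not code from the original post, and not WIF, SAML or ADFS): a provider signs a set of claims with a key that the application trusts; the application verifies the signature and then accepts the claims without authenticating the user itself. The token format (a `name=value` list with an HMAC-SHA256 tag), the provider key and the claim names are all invented for the example, and the key value shown is a placeholder.

```powershell
# Added example: toy claims token issued by a trusted provider and verified by an application.
# Format, key and claim names are invented; the key below is a placeholder, not a real secret.
$ProviderKey = [Text.Encoding]::UTF8.GetBytes('placeholder-provider-key-replace-me')

function Get-HmacTag {
    # HMAC-SHA256 over the payload, base64-encoded
    param([string]$Payload, [byte[]]$Key)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$Key)
    [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Payload)))
}

function New-ClaimsToken {
    # The provider's side: serialise the claims in a fixed order and sign them
    param([hashtable]$Claims, [byte[]]$Key)
    $payload = ($Claims.GetEnumerator() | Sort-Object Name | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ';'
    "$payload|$(Get-HmacTag -Payload $payload -Key $Key)"
}

function Read-ClaimsToken {
    # The application's side: verify the signature first, only then read the claims
    param([string]$Token, [byte[]]$Key)
    $payload, $tag = $Token -split '\|', 2
    $expected = Get-HmacTag -Payload $payload -Key $Key
    # Compare every character so the result does not depend on where a mismatch occurs
    $diff = $expected.Length -bxor $tag.Length
    for ($i = 0; $i -lt [math]::Min($expected.Length, $tag.Length); $i++) {
        $diff = $diff -bor ([int][char]$expected[$i] -bxor [int][char]$tag[$i])
    }
    if ($diff -ne 0) { throw 'Token rejected: signature does not verify against the trusted provider key' }
    $claims = @{}
    foreach ($pair in $payload -split ';') { $k, $v = $pair -split '=', 2; $claims[$k] = $v }
    $claims
}

# Provider issues a token for a user (constructed sample claims)
$token  = New-ClaimsToken -Key $ProviderKey -Claims @{ upn = 'alice@example.com'; role = 'SiteMember' }

# Application trusts the provider, so once the signature checks out it trusts the claims
$claims = Read-ClaimsToken -Token $token -Key $ProviderKey
"Accepted $($claims.upn) with role $($claims.role)"

# A claim altered after issue no longer matches the signature and is rejected
try   { Read-ClaimsToken -Token ($token -replace 'SiteMember', 'SiteAdmin') -Key $ProviderKey }
catch { $_.Exception.Message }
```

The toy serialiser does not escape `=`, `;` or `|` inside claim values, and the token carries no expiry or audience; real token formats (SAML, and the tokens WIF validates) add those fields precisely because signature checking alone does not bound where or for how long a token may be replayed.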
Implementing claims-based identity generally requires understanding and using a set of core technologies:
  1. Windows Identity Foundation (WIF):
    • WIF is a set of application programming interfaces (APIs) that can be used to develop custom applications that use claims and are capable of federating with other systems.
  2. Active Directory Federation Services 2.0:
    • ADFS 2.0 is a security token service (STS) responsible for issuing tokens. ADFS provides both identity federation and single sign-on services.
  3. Windows CardSpace 2.0:
    • CardSpace stores users' digital identities and represents the identity information in visual Information Cards. Users can exchange these Cards between systems like real business cards.
SharePoint 2010 Authentication Options:
There are two options:
  1. Classic Mode:
    • This authentication mode refers to the Integrated Windows authentication model supported in SharePoint 2007. Classic mode does not utilize any of the claims infrastructure, and therefore none of the claims features are available.
  2. Claims-Based:
    • CBA supports three different authentication providers out of the box:
      • Windows Authentication: Includes all the same authentication methods as Classic Mode Authentication.
      • Forms-Based Authentication: This method includes LDAP, database or custom membership and/or role providers.
      • SAML Token-Based Authentication: This includes ADFS 2.0, Windows Live ID, and third-party providers.


Tuesday, January 1, 2013

SharePoint 2013 - Search Interface Improvements

Users can quickly identify useful results without opening each one, in ways such as the following:
  • Users can rest the pointer over a search result to preview the document content in the hover panel to the right of the result.
  • Users can quickly distinguish search results based on their type. For example, Microsoft Office documents display the application icon in front of the title of the search result. Newsfeed conversation results display the number of replies and the number of likes to the right. Site results list the top links that users often click on the site. People results show the picture and the Lync availability status to the left.
  • By default, certain types of related results are displayed in groups called result blocks. A result block contains a small subset of results that are related in a particular way. For example, results that are PowerPoint documents appear in a result block when the word "presentation" is one of the search terms. Administrators and site owners can also create result blocks to group other results. Like individual search results, you can promote result blocks or rank them with other results.
Search helps users quickly return to important sites and documents by remembering what they have previously searched and clicked. The results of previously searched and clicked items are displayed as query suggestions at the top of the results page.

In addition to the default manner in which search results are differentiated, site collection administrators and site owners can create and use result types to customize how results are displayed for important documents. A result type is a rule that identifies a type of result and a way to display it.

Site collection administrators and site owners can use display templates to customize the appearance of search results by using an HTML editor, and they can customize the behaviour of search results by using JavaScript. They can specify display templates that determine how result types appear.