This is a continuation of my previous post titled “AutoSPInstaller: Getting Prepared”
In my previous post, I showed you how to stage all the software. Do this once, you’re set for life! OK, maybe not for life, but at least for any SharePoint server installs you’ll need to do now or later. Next, we need to configure several files.
Here’s the list of files we need to configure:
- answerfile-ForeFront.xml – Optional. This is the configuration file if you’re installing ForeFront Protection 2010 for SharePoint.
- config.xml – Required. This file holds the settings for the SharePoint installer.
- config-OWA.xml – Optional. This file is used to configure Office Web Apps.
- AutoSPInstallerInput.xml – Required. This is the file where we’ll configure all the options for AutoSPInstaller, i.e. the actual configuration of SharePoint.
The main file we need to configure (AutoSPInstallerInput.xml) is also the most complex, so let’s save it for later. Use your favorite XML editor; avoid Notepad or WordPad, which make things harder. Personally, I like Notepad++, which can be downloaded here.
AutoSPInstaller will call “answerfile-ForeFront.xml,” which replaces the “answerfile.xml” that you’ll find in the ForeFront folder. Most of the options are self-explanatory so I just want to point out one section:
Specify a user account and password for database access. This account should be entered using the Domain\Account format when the server is part of a domain. This account needs a lot of privileges, it must:
- Be a member of the Local Administrators group on the SharePoint server(s).
- Have SharePoint Farm Administrators privileges.
- Be a member of the SQL sysadmin role on the database server.
These fields must be populated with valid credentials or unattended installations will fail. I’m using the Farm account. Why? Because it requires similar permissions. The Farm account needs to be a local administrator at least for provisioning the User Profile Service. Even after initially installing UPS, it needs that right to be able to restart (re-provision) after backups. It needs to be a Farm Administrator (of course) and, although it doesn’t require the sysadmin role on the database server, it does require dbcreator, securityadmin and dbo on all the databases. The sysadmin role is not a far stretch from that.
In the end, I’d rather give my Farm account a bit more permissions to run ForeFront than to have another account with very high privileges. Now, I just need to secure/audit this one account.
For detailed information on all the options in this configuration file, check out the TechNet article here.
The “config.xml” is the same as the one found on the SharePoint DVD or ISO file. It’s where we configure SharePoint installer options. Let’s look at some of the options.
The INSTALLLOCATION tells SharePoint where to install the binaries (bits). For example, if you wanted to install to a non-system drive (e.g., E:\), this is where you’d change it. I recommend leaving the default.
The PIDKEY Value is your key for SharePoint, so you’ll enter your 25-character license key here. This is required!
Don’t worry about the terminology in this file, such as “spswfe” or SERVERROLE Application. These will not determine your server roles and don’t need to be changed. To find out more about what can be configured here, check out the TechNet article here.
For my install, I’ve kept all the defaults and just added my 25-character license key for “PIDKEY Value”.
Office Web Apps
The “config-OWA.xml” contains the configuration options for Office Web Apps. It replaces the “config.xml” files in the OfficeWebApps folder (under the Setup sub-folder). This is similar to the file above. You must edit this with your license key, just like config.xml. So, I’ve updated this file with my 25-character license key for PIDKEY Value and kept all the other defaults.
Recently, the configuration file for AutoSPInstaller has matured and is now heavily commented. So, I won’t go through all of the options but I’ll highlight a few of them here.
Before we get to that though, let me explain how this works. When you’re ready, you’ll launch AutoSPInstaller using the “AutoSPInstallerLaunch.bat” batch file. The batch file will check for an XML file with the following names, in order:
My preference is to use one configuration file for each server in my farm. You can also just use one file, but I’ve seen people have problems with this method. So, I’ll make a copy of the file and name it AutoSPInstallerInput-SHARECLOUD.xml.
Note: You will not be passing the xml file as a parameter to AutoSPInstaller so you must name it according to one of the options listed above.
So, let’s start.
Change this to your environment. I often have Dev, Test, and Prod environments so I like to specify one of those. It’s just here for your personal reference. I’ll change mine to Prod and leave the version alone. The Version is for the version of AutoSPInstaller you’re using. You must use the XML configuration file for the version of AutoSPInstaller being used, don’t mix and match.
In my first post, I downloaded the prerequisite files, so I’m going to set this to true.
I’m going to set all of these to true. Although disabling LoopbackCheck isn’t exactly the proper way, adding BackConnectionHostNames is too much work for what I’m trying to automate here. See this article for more information.
The same reasoning applies to CRL Checking and IE Enhanced Security. For me, these do more harm than good but set the options according to your preference.
The principle of least privilege prescribes that accounts should not be given more privileges than necessary. So, why am I setting LeaveInLocalAdmins to true? Two reasons. For me, it’s too much of a pain to add the Farm account back in every time I do a backup or troubleshoot UPS. Second, and more importantly in this case, I’m using the Farm account for ForeFront, which requires local administrator rights.
OK, so I do want to create a SQL alias because I always do. I’ve written about this before, here and here. Basically, there are times when you NEED an alias and other times when you don’t. Instead of trying to remember when, I just create one and use a naming convention that tells me it’s an alias. That way, the next guy won’t be looking for a server named “SPSQL” somewhere on the network.
For DBInstance, you’ll either put the SQL Server name (as I have) when you’re using the default instance, or put the SERVERNAME\INSTANCE when you’re using a named instance or a cluster. I left DBPort blank so that the default port of 1433 will be assigned.
Just a note on DBPrefix; by default the XML file has “localhost” which will be changed to the computer name. You’ll probably want to change this. Set it to blank for no prefix. You don’t need to put a separator value here, it will append an underscore ( _ ) automatically. If you want to change that separator value, see this posting for a tip.
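Since the alias is something you will want to check (and sometimes re-create by hand) after the install, here is an added example that is not part of AutoSPInstaller: it writes the same registry values that cliconfg.exe or SQL Server Configuration Manager would write for a TCP alias, for both the 64-bit and 32-bit client stacks, and then tests that the endpoint answers. The alias name is the one from this post; the server name SQL01 is a constructed placeholder, and for a named instance on a dynamic port you pass the instance’s actual listening port.

```powershell
# Added example, not part of AutoSPInstaller. Creates (or verifies) a TCP SQL Server client
# alias by writing the registry values cliconfg.exe / SQL Server Configuration Manager use,
# for both the 64-bit and the 32-bit client stack, then tests the TCP endpoint. Run elevated.
# $SqlServer is a constructed placeholder; use SERVERNAME or SERVERNAME\INSTANCE.
param(
    [string]$AliasName = 'Alias_SPSQL',
    [string]$SqlServer = 'SQL01',
    [int]$Port = 1433
)

$connectToKeys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',              # 64-bit clients
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'   # 32-bit clients
)

# "DBMSSOCN" selects the TCP/IP network library; the rest is server,port.
$aliasValue = "DBMSSOCN,$SqlServer,$Port"

foreach ($key in $connectToKeys) {
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    $existing = (Get-ItemProperty -Path $key -Name $AliasName -ErrorAction SilentlyContinue).$AliasName
    if ($existing -and $existing -ne $aliasValue) {
        Write-Warning "$key\$AliasName already points to '$existing'; overwriting with '$aliasValue'."
    }
    New-ItemProperty -Path $key -Name $AliasName -Value $aliasValue -PropertyType String -Force | Out-Null
    Write-Host "$key\$AliasName = $aliasValue"
}

# Verify that the endpoint the alias resolves to is reachable before the install tries to use it.
# A named instance on a dynamic port will not be on 1433; pass -Port with its listening port.
$hostName = ($SqlServer -split '\\')[0]
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($hostName, $Port)
    Write-Host "TCP connection to ${hostName}:$Port succeeded; alias '$AliasName' is usable."
}
catch {
    Write-Warning "Could not reach ${hostName}:$Port - check the firewall, the SQL TCP protocol and the port."
}
finally {
    $client.Close()
}
```

Both ConnectTo keys matter on a 64-bit server: the SharePoint installer and Central Administration are 64-bit, but some tooling still runs 32-bit and reads the Wow6432Node copy, so an alias that exists in only one of them produces confusing "cannot connect" errors from one tool and not another.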
The Claims To Windows Token Service (C2WTS) must be started locally on any server where you have a service (such as Excel Services) that will use it. AutoSPInstaller won’t check this for you, so keep that in mind. In my case, I’ll be starting Excel Services on my Web Server (and perhaps Application Server) so I’m setting it to true.
[Managed accounts fragment from the XML; the element names were lost in extraction and only the values survive: COCOLYNN\svc.spapps pass@word1, COCOLYNN\svc.spapppool pass@word1, COCOLYNN\svc.spmypool pass@word1, COCOLYNN\svc.spsearch pass@word1]
The “CommonName” cannot be changed. AutoSPInstaller uses these names to reference the accounts. I recommend filling in the passwords; you could leave them blank and be prompted for them later, but that defeats the automation aspect. I’d rather find another way to secure the configuration file, such as zipping it up with a password or using encryption software.
I want my URLs added to my servers hosts file. In most of my configurations, I’m using a load balancer and I want to avoid directing SharePoint services through it, plus I need to be sure when I’m on the server that it’s using itself. This is especially useful for the crawler (my crawl server is always a web server as well).
By default, this parameter is blank, which means unlimited. I’m wary of setting anything to unlimited. Since I’m not changing my log location (to something other than the system drive), I certainly need a limit here. Without one, I risk running out of disk space, potentially causing my machine not to boot.
AutoSPInstallerInput.xml is very well commented for this section so I’ll just reiterate some points. First, don’t change the type. In this case, consider the type to mean “first web app.” It doesn’t have to be a portal; in my case it’s just going to be a team site. However, since it is the “first web app,” AutoSPInstaller will take some “nice to have” actions for you. For example, it will add this web app to the Excel Services trusted file location and as a “Portal Site Collection.” If you don’t need it, either comment out this section or just remember to go back in later and delete the web app; that’s the easiest way.
In my case, I do want this as sort of a “root” site and I want it to be SSL-enabled. So I’ve updated the URL and port. The script will try to find the correct certificate and assign it in IIS. It can also create self-signed certificates if no match is found! However, you should check it afterwards and correct it if needed. I believe a limitation in the IIS/Certificate PowerShell cmdlets makes it impossible to specify a certificate name to assign.
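The “check it afterwards” step is worth scripting, because a silently bound self-signed certificate looks fine from the server and only fails for users. The following is an added example, not code from AutoSPInstaller: it walks every HTTPS binding in IIS, looks up the certificate actually bound to it, and flags the three things that usually go wrong (no certificate, a self-signed one, or one whose names do not match the host). It needs the WebAdministration module that ships with IIS; the host name portal.cocolynn.local is a constructed placeholder for your web app’s URL.

```powershell
# Added example, not part of AutoSPInstaller. Lists every HTTPS binding in IIS with the
# certificate actually bound to it, so you can confirm the script picked the right one
# instead of falling back to a self-signed certificate. Requires the WebAdministration
# module (IIS 7.5 and later). $ExpectedHost is a constructed placeholder for your web app's host.
param(
    [string]$ExpectedHost = 'portal.cocolynn.local'
)
Import-Module WebAdministration

$bindings = Get-WebBinding -Protocol https
if (-not $bindings) {
    Write-Warning 'No HTTPS bindings found in IIS.'
    return
}

foreach ($b in $bindings) {
    # bindingInformation is "ip:port:hostheader", e.g. "*:443:portal.cocolynn.local"
    $parts = $b.bindingInformation -split ':'
    $hostHeader = if ($parts.Length -ge 3) { $parts[2] } else { '' }
    # With a host header the certificate must carry that name; otherwise fall back to the parameter.
    $target = if ($hostHeader) { $hostHeader } else { $ExpectedHost }
    $hash = $b.certificateHash
    $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }

    $cert = $null
    if ($hash) {
        $cert = Get-ChildItem -Path "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $hash }
    }

    Write-Host "Binding $($b.bindingInformation)"
    if (-not $cert) {
        Write-Warning "  No certificate bound (hash '$hash'). HTTPS will fail on this binding."
        continue
    }

    Write-Host "  Subject : $($cert.Subject)"
    Write-Host "  Issuer  : $($cert.Issuer)"
    Write-Host "  Expires : $($cert.NotAfter)"

    # A self-signed certificate has Subject equal to Issuer; browsers will not trust it.
    if ($cert.Subject -eq $cert.Issuer) {
        Write-Warning '  Certificate is self-signed; replace it with one issued by your CA.'
    }

    # The Subject CN or a Subject Alternative Name entry must match the URL configured in the XML.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($san) {
        # Format($false) yields "DNS Name=a, DNS Name=b"; keep the part after each "=".
        $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1] })
    }
    if ($names -notcontains $target) {
        Write-Warning "  Certificate names ($($names -join ', ')) do not include '$target'."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning '  Certificate expires within 30 days.'
    }
}
```

If the wrong certificate is bound, fixing it in IIS Manager (Edit Bindings) is quick; the point of the script is to make the mismatch visible right after the install, before the URL is handed to users.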
Iâ€™m not using Claims. Hereâ€™s a tip, if you donâ€™t NEED Claims, donâ€™t use it. If you donâ€™t know if you need it, you donâ€™t. You can always convert to Claims later, but you canâ€™t convert back (not supported).
I will use the same settings for URL, name, etc. in the next section for Site Collection (not shown). That section is also where you specify the template and Iâ€™ll change it from the default of SPSPORTAL#0 (Collaboration Portal) to STS#0 (Team Site). For a nice post on templates, including a list of whatâ€™s what, check out this blog post.
The same advice applies to the MySite section. Donâ€™t change the type and in this case, also donâ€™t change the Template for the Site Collection.
Iâ€™m going to provision the User Profile Service (UPS). If you do want to provision this, make sure youâ€™ve created your My Site Host earlier. If you donâ€™t, the script will error out. Iâ€™ve left the defaults of starting UPS Sync and not creating default sync connections. I recommend not automating the sync connections because its far from perfect and unsupported:
Please note that these cmdlets are only intended for use within SharePoint Online environments by SharePoint Online engineers. Their use in on premises deployments is NOT supported.
Iâ€™m going to make this server a Crawl and Query server as well. I can always change the topology later. Remember, anywhere you have â€œlocalhost,â€ it will be changed automatically to the local server name.
In the OfficeWebApps section, Iâ€™m setting Install to true and will also provision all of the Office Web Apps to true as well, EXCEPT Excel. Iâ€™ve already created an Excel Service app, you donâ€™t need two unless you just really want two. For this and any other service, follow the capacity planning guidance available on TechNet.
Iâ€™ve skipped over a lot of settings because I believe they need no further explanation. Here’s a copy of the AutoSPInstallerInput configuration file I’ve configured, with the comments removed for easier readability. Click the arrow to expand.
config.xml true true true true true pass@word1 COCOLYNN\svc.spFarm pass@word1 email@example.com AdminContentDB 7777 true Alias_SPSQL SOPS Config SHARECLOUD firstname.lastname@example.org email@example.com COCOLYNN\svc.spApps pass@word1 COCOLYNN\svc.spAppPool pass@word1 COCOLYNN\svc.spMySitePool pass@word1 COCOLYNN\svc.spSearch pass@word1 COCOLYNN\svc.spCacheUser COCOLYNN\svc.spCacheRead 20 Metadata Profile Sync Social StateService WebAnalyticsReporting WebAnalyticsStaging UsageAndHealth SecureStore BusinessDataCatalog WordAutomation PerformancePoint
Almost done. It’s common for typos and syntax errors to pop up because the XML file is so long and has so much information. We need to run it through a validator. So, head over to http://www.w3schools.com/xml/xml_validator.asp and paste your entire XML in the validator.
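The same syntax check can be done on the server itself, which also sidesteps the problem raised in the managed accounts section: the file carries every service account password in clear text, so the copy that goes into an online validator (or a forum post) should be one with those values removed. Here is an added example, not code from AutoSPInstaller, that loads the file with .NET’s XML parser and reports the line and column of the first syntax error (the same information the web validator shows), counts blank passwords that would stall an unattended run, and writes a redacted copy. It assumes the passwords live in elements named Password or Passphrase; that is an assumption about the file layout, so check it against the version of the input file you are using.

```powershell
# Added example, not part of AutoSPInstaller. Validates an AutoSPInstallerInput-*.xml file
# locally (well-formedness with line/column of the first error), reports blank passwords that
# would break an unattended run, and writes a redacted copy with every password replaced,
# which is the copy to paste into an online validator or attach to a question.
# Assumes secrets are held in elements named Password or Passphrase (an assumption about the
# file layout, not verified against every AutoSPInstaller version).
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$RedactedPath = ($Path -replace '\.xml$', '.redacted.xml')
)

$fullPath = (Resolve-Path -Path $Path).Path
$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true

# 1. Well-formedness: XmlDocument.Load throws an XmlException carrying LineNumber/LinePosition.
try {
    $doc.Load($fullPath)
}
catch {
    $ex = $_.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }   # PowerShell wraps .NET exceptions
    if ($ex -is [System.Xml.XmlException]) {
        Write-Error ("XML syntax error at line {0}, column {1}: {2}" -f $ex.LineNumber, $ex.LinePosition, $ex.Message)
    } else {
        Write-Error "Could not load ${fullPath}: $($ex.Message)"
    }
    return
}
Write-Host "OK: $fullPath is well-formed XML (root element <$($doc.DocumentElement.Name)>)."

# 2. Secrets check: every Password/Passphrase element should be filled in; a blank one makes
#    the installer stop and prompt, which defeats the unattended run.
$secretNodes = $doc.SelectNodes("//*[local-name()='Password' or local-name()='Passphrase']")
$blank = 0
foreach ($node in $secretNodes) {
    if ($node.InnerText.Trim() -eq '') {
        $blank++
        Write-Warning ("Blank <{0}> under <{1}>" -f $node.Name, $node.ParentNode.Name)
    }
}
Write-Host ("{0} password/passphrase element(s) found, {1} blank." -f $secretNodes.Count, $blank)

# 3. Redacted copy: same structure, secrets replaced, so the file can leave the server safely.
foreach ($node in $secretNodes) {
    $node.InnerText = 'REDACTED'
}
$doc.Save($RedactedPath)
Write-Host "Redacted copy written to $RedactedPath"
```

Run it as `.\Check-AutoSPInput.ps1 -Path .\AutoSPInstallerInput-SHARECLOUD.xml` (the script name is my own); the .redacted.xml it produces still fails or passes a validator exactly as the original would, since only element text changed, not structure.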
No errors? Now, we’re ready to go! In the next post in this series, I’ll show you how to run this and how it looks as it progresses.
As a reference, here are the service accounts I’ll be using and what they get assigned using the default options in the XML configuration file.
| Element | Account | Assignments |
|---|---|---|
| | | Runs following services: Runs IIS App Pools: |
| | | Runs IIS App Pool for Portal Web Application. Site Collection owner for Portal site (by default). |
| | | Runs IIS App Pool for MySite Web Application. Site Collection owner for MySite host (by default). |
| | | Runs following services: |
| <SuperUser> | svc.spCacheUser | Full Control User Policy on Portal Web Application (and other Web Apps you create). |
| <SuperReader> | svc.spCacheRead | Full Read User Policy on Portal Web Application (and other Web Apps you create). |
| <Farm> | svc.spFarm | Runs the following services: Runs IIS App Pool for: |
| <EnterpriseSearchServiceApplication> | svc.spCrawl | Default Content Access account will be used under Search Service Application. |
| <EnterpriseSearchServiceApplication> | svc.spSearchPool | Runs IIS App Pool for Search Service. |
| <EnterpriseServiceApps> | svc.spUnattend | config’d in Secure Store? |
| Not Configured in Script | LocalSystem | Run the following services: |
And as a reminder, although I don’t mind answering questions or responding to comments on my blog, if you have specific questions related to AutoSPInstaller, it’s best to use the discussion boards there: http://autospinstaller.codeplex.com/discussions