Preparing SharePoint Server 2016/2019 for the MIM Portal
At the time of writing, MIM 2016 supports up to SharePoint Server 2019 for hosting the MIM Portal. Here is a quick and practical way to install SharePoint Server 2019 for the MIM Portal with just what is needed. The Microsoft documentation suggests installing the FrontEnd MinRole, but that role installs several SharePoint Service Applications that are useless for the MIM Portal. The method below, which I adapted for SharePoint 2016/2019 from scripts found at http://www.harbar.net/articles/fimportal.aspx, installs a SharePoint server with the minimum set of Service Applications.
1 – Prerequisites
I do not cover installing the various SharePoint prerequisites, in particular:
- SSL certificates (using HTTPS for the SharePoint sites is strongly recommended)
- SharePoint prerequisites (i.e. PrerequisiteInstaller.exe)
- Installing the SharePoint binaries, which only involves choosing the installation path for SharePoint and for the search index (not useful for MIM). At the end of this step, do NOT run the SharePoint Products Configuration Wizard!
2 – Important
To make sure everything works properly, open a new SharePoint Management Shell before running each script!
3 – Creating the farm
Just use the following script, filling in the variables, to create the farm and the Central Administration site. The trick here is to specify the ServerRoleOptional switch on New-SPConfigurationDatabase so that a Custom Role is used instead of a MinRole.
<#
FIM Farm Creation.ps1
Creates a new SharePoint Farm
Creates Central Administration on Port 443
Update initial variables as needed to reflect your environment
Script will prompt for the password of the farm account.
Original Source: http://www.harbar.net/articles/fimportal.aspx
This version (slightly modified to support SharePoint 2016/2019): https://plizgawpbloglinux.azurewebsites.net/category/microsoft-identity-manager/
#>
Add-PSSnapin Microsoft.SharePoint.PowerShell
$databaseServer = "sql-mim.lab.stefanplizga.net"
$configDatabase = "MIM_SP_Config"
$adminContentDB = "MIM_SP_Content_Admin"
$farmAccountName = "LAB\MIM_SPFarm_Svc"
$caUrl = "https://mimportal-admin.lab.stefanplizga.net"
$farmAccount = Get-Credential $farmAccountName
$passphrase = (Get-Credential "SharePoint Farm Passphrase").Password
Write-Host "Creating Configuration Database and Central Admin Content Database..."
New-SPConfigurationDatabase -DatabaseServer $databaseServer -DatabaseName $configDatabase `
-AdministrationContentDatabaseName $adminContentDB `
-Passphrase $passphrase -FarmCredentials $farmAccount `
-ServerRoleOptional
$spfarm = Get-SPFarm -ErrorAction SilentlyContinue -ErrorVariable err
if ($spfarm -eq $null -or $err) {
throw "Unable to verify farm creation."
}
Write-Host "ACLing SharePoint Resources..."
Initialize-SPResourceSecurity
Write-Host "Installing Services ..."
Install-SPService
Write-Host "Installing Features..."
Install-SPFeature -AllExistingFeatures
Write-Host "Creating Central Administration..."
New-SPCentralAdministration -Port 443 -WindowsAuthProvider NTLM -SecureSocketsLayer
Write-Host "Fixing Internal URL..."
Set-SPAlternateURL -Identity "https://$env:COMPUTERNAME" -Url $caUrl
Write-Host "Installing Help..."
Install-SPHelpCollection -All
Write-Host "Installing Application Content..."
Install-SPApplicationContent
Write-Host "Farm Creation Done!"
Once this is done, go into IIS to configure the SSL certificate on the newly created site and enable SNI (Require Server Name Indication checkbox).
4 – Creating the required Service Applications
This script creates the State Service and the Usage and Health Data Collection Service.
<#
FIM Core Services.ps1
Starts the Service Instances for and creates Service Applications and Proxies:
State Service
Usage and Health Data Collection Service
Update initial variables as needed to reflect your environment.
Original source: http://www.harbar.net/articles/fimportal.aspx
This version (slightly modified to support SharePoint 2016/2019): https://plizgawpbloglinux.azurewebsites.net/category/microsoft-identity-manager/
#>
Add-PSSnapin Microsoft.SharePoint.PowerShell
## UPDATE THESE VARS ##
# Service Application and DB names
$stateName = "State Service"
$stateDBName = "MIM_SP_StateService"
$usageName = "Usage and Health Data Collection Service"
$usageDBName = "MIM_SP_Usage"
## END VARS ##
# Create State Service Application and Proxy, add to Proxy Group
Write-Host "Creating $stateName Application and Proxy..."
$stateDB = New-SPStateServiceDatabase -Name $stateDBName
$state = New-SPStateServiceApplication -Name $stateName -Database $stateDB
$proxy = New-SPStateServiceApplicationProxy -Name "$stateName Proxy" -ServiceApplication $state -DefaultProxyGroup
# Create Usage Service Application and Proxy, add to Proxy Group, and provision its Proxy
Write-Host "Creating $usageName Application and Proxy..."
$serviceInstance = Get-SPUsageService
New-SPUsageApplication -Name $usageName -DatabaseName $usageDBName -UsageService $serviceInstance
$proxy = Get-SPServiceApplicationProxy | ? { $_.TypeName -eq "Usage and Health Data Collection Proxy" }
$proxy.Provision();
Write-Host "MIM SP Core Services done!"
5 – Creating the Web Application
This script creates the Web Application that will host the MIM Portal and also applies the other MIM recommendations (ViewState disabled, Health Analysis timer job disabled, ASHX allowed on SharePoint 2019).
<#
FIM Web Application.ps1
Creates a new Managed Account
Creates a new classic mode SSL Web Application in a new Application Pool
Configure ViewState
Disable some timer jobs
Unblock ASHX extensions if SharePoint 2019
Update initial variables as needed to reflect your environment.
Script will prompt for the password of the App Pool account used for the Web App.
Original source: http://www.harbar.net/articles/fimportal.aspx
This version (slightly modified to support SharePoint 2016/2019): https://plizgawpbloglinux.azurewebsites.net/category/microsoft-identity-manager/
#>
Add-PSSnapin Microsoft.SharePoint.PowerShell
## UPDATE THESE VARS ##
$waAppPoolUserName = "LAB\MIM_SPPool_Svc"
$waAppPoolName = "MIMPortalAppPool"
$waUrl = "https://mimportal.lab.stefanplizga.net"
$hostHeader = "mimportal.stefanplizga.net"
$webAppName = "MIM Portal"
$contentDBName = "MIM_SP_Content_Portal"
## END VARS ##
# Create Managed Account
Write-Host "Please supply the password for the $waAppPoolUserName Account..."
$appPoolCred = Get-Credential $waAppPoolUserName
Write-Host "Creating Managed Account..."
$waAppPoolAccount = New-SPManagedAccount -Credential $appPoolCred
# Create a new SSL Web App in the default Proxy Group using Windows Classic on Port 443 with host header
Write-Host "Creating Web Application..."
$webApp = New-SPWebApplication -ApplicationPool $waAppPoolName -ApplicationPoolAccount $waAppPoolAccount -Name $webAppName -Port 443 -SecureSocketsLayer:$true -AuthenticationMethod Kerberos -HostHeader $hostHeader -DatabaseName $contentDBName
# configure ViewState as FIM likes it
Write-Host "Configuring View State..."
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;
$contentService.ViewStateOnServer = $false;
$contentService.Update();
# Disable SharePoint task "Health Analysis Job (Hourly, Microsoft SharePoint Foundation Timer, All Servers)"
Get-SPTimerJob hourly-all-sptimerservice-health-analysis-job | Disable-SPTimerJob
# SharePoint 2019 Only - Unblock .ASHX files used by the MIM Portal
if ((Get-SPProduct).ProductName -match "2019") {
Write-Host "SharePoint 2019 detected. Unblocking ASHX extension..."
$webApp = Get-SPWebApplication -Identity $webAppName
$webApp.BlockedASPNetExtensions.Remove("ashx")
$webApp.Update()
#$webApp.BlockedASPNetExtensions
}
Write-Host "MIM SP Web Application done!"
Once this is done, go into IIS to configure the SSL certificate on the newly created site and enable SNI (Require Server Name Indication checkbox).
6 – Creating the Site Collection
All that remains is to create the root Site Collection in compatibility mode 15 to host MIM, as recommended.
<#
FIM Web Site.ps1
Creates a root Site Collection using the blank site template
Update initial variables as needed to reflect your environment.
Original source: http://www.harbar.net/articles/fimportal.aspx
This version (slightly modified to support SharePoint 2016/2019): https://plizgawpbloglinux.azurewebsites.net/category/microsoft-identity-manager/
#>
Add-PSSnapin Microsoft.SharePoint.PowerShell
## UPDATE THESE VARS ##
$waUrl = "https://mimportal.lab.stefanplizga.net"
$ownerEmail = "MIMSetup@lab.stefanplizga.net"
$ownerAlias = "LAB\MIM_Setup"
## END VARS ##
# Create a root Site Collection in "15" mode
Write-Host "Creating root Site Collection..."
$SiteTemplate = Get-SPWebTemplate -compatibilityLevel 15 -Identity "STS#1"
New-SPSite -Url $waUrl -owneralias $ownerAlias -ownerEmail $ownerEmail -Template $SiteTemplate -CompatibilityLevel 15 -Name "MIM Portal"
Write-Host "MIM SP Site created!"
7 – Disabling additional Health Rules
To avoid useless alerts in the SharePoint Central Administration site, disable these rules:
Disable-SPHealthAnalysisRule "WindowsClassicTest"
Disable-SPHealthAnalysisRule "BuiltInAccountsUsedAsProcessIdentities"
Disable-SPHealthAnalysisRule "OutgoingEmailIsNotConfigured"
8 – Configuring Distributed Cache not to use the SharePoint farm account
We configure Distributed Cache to run as the Web Application account rather than the farm account; this avoids an error in the Health Analysis rules and is better aligned with best practices.
$farm = Get-SPFarm
$cacheService = $farm.Services | where {$_.Name -eq "AppFabricCachingService"}
$accnt = Get-SPManagedAccount -Identity LAB\MIM_SPPool_Svc
$cacheService.ProcessIdentity.CurrentIdentityType = "SpecificUser"
$cacheService.ProcessIdentity.ManagedAccount = $accnt
$cacheService.ProcessIdentity.Update()
$cacheService.ProcessIdentity.Deploy()
On SharePoint 2016, the Garbage Collector (GC) must also be enabled. This is not necessary with SharePoint Server 2019, because the GC is enabled by default during SharePoint installation.
[system.reflection.assembly]::LoadWithPartialName("System.Configuration") | Out-Null
# intentionally leave off the trailing ".config" as OpenExeConfiguration will auto-append that
$configFilePath = "$env:ProgramFiles\AppFabric 1.1 for Windows Server\DistributedCacheService.exe"
$appFabricConfig = [System.Configuration.ConfigurationManager]::OpenExeConfiguration($configFilePath)
# if backgroundGC setting does not exist add it, else check if value is "false" and change to "true"
if($appFabricConfig.AppSettings.Settings.AllKeys -notcontains "backgroundGC")
{
$appFabricConfig.AppSettings.Settings.Add("backgroundGC", "true")
}
elseif ($appFabricConfig.AppSettings.Settings["backgroundGC"].Value -eq "false")
{
$appFabricConfig.AppSettings.Settings["backgroundGC"].Value = "true"
}
# save changes to config file
$appFabricConfig.Save()
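Before installing the portal, it is worth confirming that the farm really ended up in the state scripts 3 to 8 aim for. The following read-only check is an added example, not part of the original post or of the harbar.net scripts; the variable values are assumptions copied from the scripts above, and the check relies only on properties exposed by the SharePoint object model (Get-SPServiceApplication, SPWebApplication.IisSettings, SPJobDefinition.IsDisabled, SPSite.CompatibilityLevel, SPHealthAnalysisRuleDefinition.Enabled, SPProcessIdentity.Username). Run it from a fresh SharePoint Management Shell on the MIM SharePoint server.

```powershell
<#
Added example (not from the original post): verify the farm configuration the
scripts above are meant to produce. Read-only; nothing is changed.
Variable values are assumptions taken from the scripts above; adjust them.
#>
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

## UPDATE THESE VARS ##
$webAppName      = "MIM Portal"
$appPoolUserName = "LAB\MIM_SPPool_Svc"   # should run the Web App AND Distributed Cache
$expectedApps    = @("State Service", "Usage and Health Data Collection Service")
$disabledRules   = @("WindowsClassicTest", "BuiltInAccountsUsedAsProcessIdentities", "OutgoingEmailIsNotConfigured")
## END VARS ##

$checks = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:checks.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

# 1. The two Service Applications the portal needs exist; the full list is shown
#    so that anything extra (Search, Managed Metadata, ...) stands out for review
$apps = @(Get-SPServiceApplication | Select-Object -ExpandProperty DisplayName)
foreach ($name in $expectedApps) {
    Add-Check "Service Application '$name' exists" ($apps -contains $name) ("Farm has: " + ($apps -join ", "))
}

# 2. Web Application: HTTPS, Kerberos on the Default zone, ViewState kept on the client
$webApp = Get-SPWebApplication -Identity $webAppName
$zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
Add-Check "Web App uses HTTPS" ($webApp.Url -like "https://*") $webApp.Url
Add-Check "Web App Default zone uses Kerberos" (-not $webApp.IisSettings[$zone].DisableKerberos) ""
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
Add-Check "ViewStateOnServer is false" (-not $contentService.ViewStateOnServer) ""

# 3. Hourly Health Analysis timer job disabled
$jobsOn = @(Get-SPTimerJob hourly-all-sptimerservice-health-analysis-job | Where-Object { -not $_.IsDisabled })
Add-Check "Hourly Health Analysis job disabled" ($jobsOn.Count -eq 0) ""

# 4. .ashx unblocked (SharePoint 2019 only)
if ((Get-SPProduct).ProductName -match "2019") {
    Add-Check ".ashx extension unblocked" ($webApp.BlockedASPNetExtensions -notcontains "ashx") ""
}

# 5. Root Site Collection in "15" mode
$site = Get-SPSite -Identity $webApp.Url
Add-Check "Root site CompatibilityLevel is 15" ($site.CompatibilityLevel -eq 15) "CompatibilityLevel=$($site.CompatibilityLevel)"
$site.Dispose()

# 6. The noisy health rules from step 7 are disabled
$stillOn = @(Get-SPHealthAnalysisRule | Where-Object { $disabledRules -contains $_.Name -and $_.Enabled })
Add-Check "Listed health rules disabled" ($stillOn.Count -eq 0) ("Still enabled: " + (($stillOn | ForEach-Object Name) -join ", "))

# 7. Distributed Cache runs as the Web App account, not the farm account (least privilege)
$cacheService = (Get-SPFarm).Services | Where-Object { $_.Name -eq "AppFabricCachingService" }
$cacheUser    = $cacheService.ProcessIdentity.Username
Add-Check "Distributed Cache identity is $appPoolUserName" ($cacheUser -eq $appPoolUserName) "Runs as: $cacheUser"

$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { -not $_.Ok }).Count
Write-Host "$failed check(s) failed."
```

The Service Application check deliberately lists everything the farm has rather than failing on extras, because a farm always carries a few built-in applications (Security Token Service and the like) that are not created by the scripts; the point is to spot unintended ones such as Search or Managed Metadata, which the FrontEnd MinRole would have added.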
The SharePoint server is now ready for the MIM Portal installation. It may also be worth looking at:
- Configuring SharePoint logging (you never know, it may come in handy)
- Configuring IIS logging and purging old IIS log files
- Adding SharePoint administrators so there are no problems in the SharePoint Management Shell, with the command Add-SPShellAdmin -UserName LAB\PLIZGA_Admin -database (Get-SPDatabase | ? {$_.Name -match "CentralAdmin"})
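The two log housekeeping items above (SharePoint ULS logging and IIS log purging) can be scripted as well. The following is an added example, not part of the original post: the log path, retention periods and disk cap are assumptions, and it uses Set-SPDiagnosticConfig for ULS and the WebAdministration module for IIS. Run it from a SharePoint Management Shell on the MIM SharePoint server.

```powershell
<#
Added example (not from the original post): ULS log retention and IIS log purge.
Paths and retention values are assumptions; adjust them to your environment.
#>
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

## UPDATE THESE VARS ##
$ulsLogPath = "D:\Logs\SharePoint"   # assumed: a dedicated log volume, off the system drive
$ulsDays    = 14                     # days of ULS logs to keep
$ulsMaxGB   = 10                     # cap on ULS disk usage
$iisLogDays = 30                     # days of IIS logs to keep
## END VARS ##

# SharePoint ULS logging: dedicated location, retention and a disk usage cap,
# so that a flood of trace entries cannot fill the system drive
Set-SPDiagnosticConfig -LogLocation $ulsLogPath -DaysToKeepLogs $ulsDays `
    -LogMaxDiskSpaceUsageEnabled -LogDiskSpaceUsageGB $ulsMaxGB

# IIS: make sure logging is on for every site, then purge log files older than $iisLogDays.
# IIS stores each site's logs under <logFile.directory>\W3SVC<site id>; the directory
# value may contain %SystemDrive%, hence the environment variable expansion.
foreach ($site in Get-Website) {
    Set-ItemProperty "IIS:\Sites\$($site.Name)" -Name logFile.enabled -Value $true
    $logRoot    = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
    $siteLogDir = Join-Path $logRoot "W3SVC$($site.Id)"
    if (Test-Path $siteLogDir) {
        $old = @(Get-ChildItem -Path $siteLogDir -Filter *.log -File |
                 Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$iisLogDays) })
        $old | Remove-Item -Force
        Write-Host "$($site.Name): purged $($old.Count) IIS log file(s) older than $iisLogDays days"
    }
}
```

Keep the IIS retention long enough to cover an investigation window: for the MIM Portal site, the IIS logs are the only per-request record of who reached which page and when, so purging them too aggressively removes evidence you may later need.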
— Stefan