Comprehensive checklist for SharePoint 2016 offline setup

If you have ever set up SharePoint farm without Internet, you probably know how challenging it is. Because you don’t have Internet connection, Microsoft SharePoint Products Preparation Tool cannot connect directly to Microsoft Download center to download all prerequisites and help you automatically install and configure each of prerequisite.

Once you encounter, it is hard to know which is the root cause because you leave the tool all. Offline setup is very often required if you work in a secure environment where the virtual machine you are going to install SharePoint has no Internet connection. Such an environment can be government, banking, software company or so on where data loss is a big concern which would make significant impact on business.

This article is going to give your a comprehensive checklist for offline setup of SharePoint 2016 in a production environment which multiple parties get involved (e.g infrastructure team, Active Directory, security…). Each party is responsible for a specific scope. You cannot just be someone who is capable of touching or creating everything you need for your setup.

As said, this article gives an assumption that you don’t control the entirely infrastructure and system. You need to provide other teams what you want.

Hardware preparation

Assume that you have already conducted a sizing blueprint after reading requirement or having many meetings with clients. Now you need to prepare a hardware and software requirement in accordance with your sizing blueprint. Whatever you plan, make sure one thing that Microsoft indicated below

If you contact Microsoft Customer Support Services about a production system that does not meet the minimum hardware specifications described in this document, support will be limited until the system is upgraded to the minimum requirements. – Source

The hardware requirement can be found here.

You should also conduct a hardware verification checklist to verify given virtual machines and specs. The checklist ideally includes:

  • Operating system
  • vCPU
  • RAM
  • HDD

This verification checklist is to ensure if the infrastructure team gives you inadequate virtual machine compared with your sizing blueprint, you can pursue to update.

Software Requirement

The software required for OS, SharePoint and database is listed here. In the context of multi-vendor engagement, setting OS is not your responsibility so you should not worry about the setup. With SharePoint, you need to download from the Internet and ask for license key. However, with SQL Server, you need to ask your vendor to log into Microsoft Licensing center to download an ISO which includes a key. If you use evaluation trial version, then you will have to re-configure SQL Server to enter your key which needs farm downtime.

Active Directory domain controller

All virtual machines in your SharePoint farm must be joined to the corporate domain controller. Installing SharePoint 2016 without domain controller is not supported. You can use PowerShell to create a configuration database though. Moreover, in a production environment I have never seen a case of SharePoint farm without a managed domain controller.

Service Account Preparation

You can use one account to run all services including farm account role in SharePoint Server 2016. However this is a recommended best practice. Running all-in-one account would lead to security threat if this account is compromised to bad guy. The entirely farm would be easily taken. You need to consider running services with a number of service accounts. Of course it is not necessary to use many accounts for your farm which leads to overhead of account management and control. To me, the following is enough:

  • Farm account
  • SQL Service (if your database server is dedicated).
  • Web application pool account
  • Service application pool account
  • Claims to Windows Token service account
  • Search crawl account
  • User Profile sync account
  • Portal super user account
  • Portal super reader account

The list must be sent to the AD team before your setup. And every account needs some special permission you need to explicitly point out in your account request list.

My friend in the community Vlad gives a very comprehensive list of accounts. Go check here.

Firewall Port

If offline setup is required, I strongly believe firewall port gets asked by the security team. SharePoint Server 2016 uses some special ports to run. And the port requirement DOES depend on your designated topology. First, look at the given guidance here to know all the ports required in your SharePoint farm. Next, map it to your topology. Look at the example below. I designate to run my Search crawl component in APP01-PRD virtual machine so I do need to open HTTP port (80 or 443) from it to each front-end virtual machine. Search crawl component crawls website content by sending HTTP request under port 80 (if HTTP) and 443 (if HTTPS required as a policy). In the same example, note that I also use APP01-PRD to run MIM (Microsoft Identity Manager) to connect to Active Directory to pull user information. In this case, I must open port 5725 from this machine to AD. From the load balancer, there is a need of direction to each web front-end machine.

Note that I don’t need a bidirectional request so from the illustration, you don’t see bidirectional arrow. For example, there is not any requirement to let my web front-end machine to send a request to load balancer. Or my web front-end does not need to call Search crawl component.

If you need to set up a 5-tuple firewall with SharePoint farm to evaluate, do purchase my book “Azure IaaS Defense In Depth” here. The book gives you step-by-step including screenshots to absolute beginners.

Almost firewall in the environment I’ve worked with is network-based 5-tuple firewall. So in the firewall request, you need to indicate at least the following:

  • Source (e.g. APP01-PRD)
  • Destination (e.g. WEB01-PRD)
  • Protocol (e.g. HTTP, TCP…)
  • Port (e.g. 80, 443…)
  • Direction: unidirectional/bidirectional
  • Justification (optional): better to have this one to give the security team justification including reference as to why to open a port.

SharePoint Prerequisites

Because you don’t have Internet connection, you must download all prerequisites. There are many PowerShell to help you out but I think sources from DanHome gives a trust. Go download here. If you are still not really confident, go to this link to download each individual.

The common process I have to follow is to download prerequisites, then copy to the given thumb drive. They are all scanned throughout a corporate anti-virus software before being copied to the target SharePoint virtual machines.

Your files downloaded from Internet may be blocked by Windows Server Smart Screen Filter. Make sure every prerequisite is not blocked before the installation. You can unblock by opening File property.

Feature & .NET Framework installation

One of the most common missing tasks before SharePoint installation is .NET framework installation. And such an installation must be done by targeting the same OS installation source you use.

The PowerShell script below is recommended for automation

D:\sources\sxs is the location where the sxs is located. With this way, you don’t have to worry about correct framework build you need to download. Just ask the FM team to mount the installation ISO to specify the path in your script.

If you run the script on Windows Server 2016, remove Application-Server,AS-Web-Support,AS-TCP-Port-Sharing,AS-WAS-Support,AS-HTTP-Activation,AS-TCP-Activation,AS-Named-Pipes,AS-Net-Framework. Reference which reflects to WS 2012 R2 is here.

The new one looks like below

Credit to Vlad’s article.

PowerShell to run prerequisites

This is one of the most important steps in the entirely offline setup. If you don’t pass this step, you cannot install SharePoint.

Before SharePoint installation, prepare two folders:

  1. PreSP16: this folder is to store all prerequisite files needed for SharePoint, including all components.
  2. SP16_Sources: this folder is to store SharePoint Server 2016 installation source. If you download an ISO file, you need to extract it to ensure after restarting your virtual machine, the Preparation Tool (prerequisiteinstaller.exe) still can recognize the installation path

The script does trigger the prerequisiteinstaller.exe and connect to the folder PreSP16 to automatically install all prerequisites. During the installation and configuration, you are asked to restart the computer to finish the process. If there is no issue and you are a lucky person, you will see the outcome below.

This script is shared by a Microsoft PFE here.

AppFabric: installation error

What happen if the prerequisite installation is not done? One of the most common issues is broken AppFabric installation. Even  every prerequisite is successfully installed and configured, without AppFabric you still cannot run setup.exe to start installing SharePoint binaries.

First, do check if the required prerequisites are correct versions and are not blocked:

Also make sure you run feature & .NET framework installation successfully. Next, uninstall AppFabric 1.1 for Windows Server via Control Panel. Run the following command again

C:\SP16_Sources\prerequisiteinstaller.exe is the location of preparation tool.

Advanced MinRole

For every setup, you may be given a SharePoint Server 2016 RTM source. This source does not include Service Pack 1 (aka November 2016 CU) which allows you to use Shared Roles capability. This happens when you need to combine two roles on a virtual machine, for example Front-end with Distributed cache. Go download SP 1 here to use Shared Roles.

Below is the outcome if everything is setup correctly.

Hardening VM

Hardening virtual machine and make it a base template is a common security practice. That said, there are a few cases you may have seen:

  1. The security team gives you a hardening guideline which includes a set of local security policies to apply on OS level, or specific rules to IIS or SQL Server.
  2. PowerShell script to automate the security policy configuration
  3. The security gives you a virtual machine image template which is already configured.

If #1 and #2, you are lucky to verify every rule before your deployment. If you are an experienced SharePoint guy, you will know how things impact your SharePoint. For example, enabling FIPS can cause broken search or security token service. Another example is Bypass Traverse Checking. A default security policy is only to grant this policy to administrator. However, if you install and configure SharePoint, you need to grant the policy to at least every service account which touches to Windows service (e.g. farm account, Search account…)

If #3, the best way is to ask for which have been configured. Otherwise, you have to spend much of your time doing debug or tracking using some hacking techniques which are prohibited.


These things are what I’ve collected during my work for government agencies. All the things can be simulated if you use IaaS cloud. Give it a try with Microsoft Azure to perform the entirely simulation, even with 5-tuple firewall using Network Security Group (NSG).

If I have missed something, please kindly share and I will update.


Leave a Reply

© 2018 The Soldier of Fortune.