Setting up your SharePoint 2013 environment At Work – Part 3

It has been a long time since I wrote the second part of the series “Setting up your SharePoint 2013 environment at work”, for a few reasons that left the series pending. I wanted to complete it before May 2013 but was very busy with several SharePoint projects and community activities. I have received many requests from folks who have been waiting for months for the series to continue, and that inspires me to keep my fingers on the keyboard and write something right now.

In the previous articles you learned about Hyper-V features, with some pragmatic configuration advice for SharePoint deployment. One remarkable point is Dynamic Memory, which saves work for the system administrator responsible for the virtual machines running under Hyper-V; note, however, that for SharePoint 2013 Dynamic Memory is not supported on servers running Distributed Cache or Search, so give those VMs fixed memory. If you have followed the series, your environment now has Hyper-V fully installed and a few virtual machines running Windows Server 2012. In this article we will deploy Active Directory Domain Services and then promote the server to a domain controller. Finally, we will look at the virtualization improvement for Active Directory domain controllers in Windows Server 2012.

Why Active Directory for SharePoint 2013 deployment?

Prior to SharePoint 2013, SharePoint could be installed on a client operating system such as Windows 7, and it did not require Active Directory. This kind of installation saved a lot of money for those who did not have the budget for a real server or a powerful computer for testing. Unfortunately, the money we saved is now being squeezed away slowly by Microsoft: SharePoint 2013 is not supported without Active Directory. In other words, your environment must have an Active Directory domain controller before SharePoint is deployed. On the other hand, Active Directory brings a great many benefits to a SharePoint deployment.

First, Active Directory centralizes user management. It provides the user identity and the authentication mechanism when you log in to SharePoint. In addition, Microsoft's official stance is to run services under managed accounts with only the rights each service needs; for example, the account that runs the User Profile Synchronization service must be the farm account, which holds high privileges on SQL Server such as the dbcreator role, so that account should not also run your content application pools. With Active Directory you can isolate application pools and SharePoint services from each other under distinct accounts. This limits the blast radius: if a single all-in-one account is compromised, the attacker gains access to all of the sensitive data at once, whereas a compromised web application pool account does not hand over the whole farm. For enterprise social collaboration, SharePoint 2013 also leverages Active Directory attributes (e.g. Position, Manager, Address…) so that people across the globe can find each other, interact and collaborate at work.
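The account isolation described above, as an added example that is not part of the original post: a PowerShell script that creates one service account per SharePoint role in a dedicated OU, gives each a distinct random password, and then verifies that none of them sits in a privileged group. The domain soldier.lab is the one used later in this series; the OU name and the sp_* account names are hypothetical choices for this lab.

```powershell
# Added example (not from the original post): create separate SharePoint service
# accounts in a dedicated OU so that each service runs under its own identity.
# Assumptions: the soldier.lab domain from this series; the OU and account names
# below are hypothetical and can be renamed to match your own standards.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName                # e.g. DC=soldier,DC=lab
$ouName   = "SharePoint Service Accounts"
$ouDn     = "OU=$ouName,$domainDn"

# One OU keeps the service identities visible and lets you scope GPOs and delegation to them.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# One identity per role; none of them is a Domain Admin and none is shared.
$serviceAccounts = @(
    @{ Name = "sp_farm";     Description = "SharePoint farm / timer service (gets dbcreator on SQL Server)" },
    @{ Name = "sp_webapp";   Description = "Application pool for content web applications" },
    @{ Name = "sp_services"; Description = "Application pool for service applications" },
    @{ Name = "sp_search";   Description = "Search service" },
    @{ Name = "sp_upsync";   Description = "User Profile Synchronization connection (needs Replicate Directory Changes)" }
)

foreach ($acct in $serviceAccounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($acct.Name)'" -ErrorAction SilentlyContinue) { continue }

    # A distinct random password per account; SharePoint's managed accounts can rotate it
    # later. Record it in your password vault, never in this script.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name $acct.Name -SamAccountName $acct.Name `
        -UserPrincipalName "$($acct.Name)@$($domain.DNSRoot)" `
        -Description $acct.Description -Path $ouDn `
        -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true
}

# Verification: every account exists and none is a member of a privileged group.
$privileged = "Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"
foreach ($acct in $serviceAccounts) {
    $user = Get-ADUser $acct.Name -Properties MemberOf
    $bad  = @($user.MemberOf | ForEach-Object { (Get-ADGroup $_).Name } | Where-Object { $privileged -contains $_ })
    "{0,-12} enabled={1,-5} privileged-groups={2}" -f $user.SamAccountName, $user.Enabled,
        $(if ($bad) { $bad -join "," } else { "none" })
}
```

Run it once as a domain administrator after the domain exists; the final loop is the check to repeat periodically, because the usual way a farm account ends up in Domain Admins is someone "fixing" a permission problem in a hurry.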

In terms of security, SharePoint takes advantage of the Windows authentication providers and protocols (NTLM and Kerberos) to validate credentials against the domain. Beyond that, with Active Directory Federation Services integrated, user accounts from external organizations can be authenticated to access SharePoint data in your organization through claims-based authentication with SAML tokens. Using this, you can deploy a SharePoint extranet for your vendors, partners or customers to work on SharePoint resources without creating accounts for them in your own domain.

SharePoint has an Information Rights Management (IRM) feature that integrates with Active Directory Rights Management Services (AD RMS) to help the organization protect sensitive documents between departments and, especially, when they travel over the Internet. With thousands of documents shared on the most common document management platform, you do need to enforce document rights. With AD RMS you control who has View rights on which documents, and you can block defined actions such as printing, copying or saving a document even after it has left the library.

The new app model of SharePoint 2013 also requires proper DNS configuration: each app is served from a unique host name under a dedicated app domain, which means a DNS zone with a wildcard record, and that is easiest to host on your Active Directory integrated DNS server.

There are so many advantages to having Active Directory as the identity provider in your SharePoint environment that one page cannot describe them fully. Broadly, the following are helpful references covering the benefits of Active Directory, including the new features of Windows Server 2012 that we will be installing in this article.

Deploying Active Directory Domain Service

Windows Server 2012 gives administrators an updated management interface that reduces the time it takes to install roles and features; unlike Windows Server 2008, you do not have to install roles and features in separate wizards. You might not be familiar with the new process yet, though. Before you install the AD DS role, make sure the server has a static IP address and that its DNS client settings point at an existing DNS server; if there is no DNS server in your environment yet (as in this series), you will install the DNS Server role during AD DS promotion and the server will then point at itself.

Open Server Manager and click Manage > Add Roles and Features. As with Windows Server 2008, a careful administrator reads the Before you begin page before installing the Active Directory Domain Services role. It lists tasks to verify first; for example, that the Administrator account has a strong password and that the latest security updates are installed.

On the Select installation type page, you have two options one of which is a new approach to installing features in Windows Server 2012.

  • Role-based or feature-based installation: similar to the option available in Windows Server 2008, this adds roles and features to a single server, and it is the option we use here. You run it from the Server Manager that manages the target server.
  • Remote Desktop Services installation (scenario-based): installs the Remote Desktop Services roles for a session-based or virtual machine-based desktop deployment (VDI) across one or more servers from a single place. (http://technet.microsoft.com/en-us/library/hh831527.aspx)

On the Select destination server page, pick the target under SERVER POOL. The server pool is the set of servers that this Server Manager instance has been configured to manage (the local server plus any you added with Manage > Add Servers); it has nothing to do with network shares. Here you also see a new GUI feature: Select a virtual hard disk lets you add roles and features to an offline VHD that is not attached to any running virtual machine, and the features appear in that VM once the disk is attached and booted.

On the Select server roles page, select Active Directory Domain Services. The Add Roles and Features Wizard pops up to tell you that required features must be installed first: these are the management tools, including the Active Directory module for Windows PowerShell and the AD DS snap-ins. Click Add Features.

On the Select features page, select any additional features you want. As said earlier, you do not have to go to another node to add features; everything is in one unified wizard. On the Confirm installation selections page, the option Restart the destination server automatically if required is new in Windows Server 2012. You can also export the configuration settings to DeploymentConfigTemplate.xml and replay them on other servers. One caveat: .NET Framework 3.5 Features is a feature on demand in Windows Server 2012, so its binaries are not on the local disk even though .NET Framework 4.5 is already installed; if you select it you must specify an alternate source path (the sources\sxs folder of the installation media), otherwise you get the error “The source files could not be found”. Check the list of roles and features you have selected and then click Install.
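The same role installation done from an elevated PowerShell session, as an added example that is not part of the original post. It covers the steps above in order: the static IP and DNS client check, the AD DS role with its management tools, the .NET Framework 3.5 feature with an alternate source path, and a final verification. It assumes the installation media is mounted as D: and that the server has one active network adapter; adjust the drive letter to your environment.

```powershell
# Added example (not from the original post): the Add Roles and Features steps as
# PowerShell. Assumptions: installation media mounted as D: (for the .NET 3.5 sources).
Import-Module ServerManager

# 1. Static addressing check: a DC should not be a DHCP client, and the DNS client should
#    point at an existing DNS server (or at itself once DNS is installed during promotion).
$ipv4 = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -notmatch 'Loopback' -and $_.PrefixOrigin -ne 'WellKnown' }
$ipv4 | Select-Object InterfaceAlias, IPAddress, PrefixOrigin | Format-Table -AutoSize
if ($ipv4 | Where-Object PrefixOrigin -eq 'Dhcp') {
    Write-Warning "At least one adapter is DHCP-assigned; give the future DC a static address first."
}
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# 2. AD DS role plus its management tools. -IncludeManagementTools is what the wizard's
#    "Add features that are required for Active Directory Domain Services?" prompt does.
$result = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
"AD DS install: Success={0} RestartNeeded={1}" -f $result.Success, $result.RestartNeeded

# 3. .NET Framework 3.5 is a feature on demand: its payload is not on the local disk, so
#    point -Source at the sources\sxs folder of the installation media. Without -Source
#    (and without access to Windows Update) you get "The source files could not be found".
$result35 = Install-WindowsFeature -Name NET-Framework-Core -Source "D:\sources\sxs"
".NET 3.5 install: Success={0} ExitCode={1}" -f $result35.Success, $result35.ExitCode

# 4. Verify what is now installed, the equivalent of re-opening the wizard's summary page.
Get-WindowsFeature -Name AD-Domain-Services, RSAT-AD-PowerShell, RSAT-ADDS, GPMC, NET-Framework-Core |
    Select-Object Name, DisplayName, InstallState | Format-Table -AutoSize

# Optional: replay the settings exported from the wizard instead of naming features by hand.
# Install-WindowsFeature -ConfigurationFilePath "C:\Temp\DeploymentConfigTemplate.xml"
```

Installing the role does not promote the server; that is the separate Install-ADDSForest step shown further down, which is why the script does not reboot.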

After the AD DS role is installed, you need to configure the server as a domain controller if you do not have one yet. In an infrastructure that already has at least one domain controller, you may still want to add another: for example a Read-Only Domain Controller (RODC) in a branch office or another location whose physical security you cannot guarantee, since an RODC holds no writable copy of the directory and only caches the passwords you explicitly allow.

To promote the server to a domain controller you can use the GUI or PowerShell. The familiar dcpromo command is deprecated in Windows Server 2012 and only still works with an unattended answer file.

On the Deployment Configuration page, select Add a new forest. The first two options are used when you already have an existing domain or forest in your environment. Type the root domain name and make sure it does not collide with any NetBIOS name across your enterprise. The name should be clear and fit your naming scheme; avoid single-label names and names you do not control on the public Internet. Microsoft has published good guidance on naming conventions in Active Directory (http://support.microsoft.com/kb/909264). I have seen people not really care about this when naming their domain, and they run into issues later when multiple applications run inside and outside the organization, because renaming a domain after the fact is painful.

On the Domain Controller Options page, select the forest and domain functional levels. The choice depends on whether you already have domain controllers: you might keep the Windows Server 2008 R2 level until every existing domain controller is upgraded to Windows Server 2012, because a functional level can only be raised, never lowered. Since this is a fresh installation, select the highest level (Windows Server 2012) to get all of Windows Server 2012's capabilities. Under Specify domain controller capabilities, keep Domain Name System (DNS) server selected; if you are following this series you have not configured DNS yet. In a SharePoint 2013 environment the DNS server serves not only the host names behind your web applications' alternate access mappings but also the app domain that hosts the app webs of your custom apps.

Finally on this page, type the Directory Services Restore Mode (DSRM) password. This is the local administrator password used when you boot the domain controller into DSRM to recover or restore the Active Directory database, so do not forget it. Treat it as a privileged credential: store it in your password vault and do not reuse the domain Administrator password for it.

Keep the defaults on the DNS Options page; the warning that a delegation for this DNS server cannot be created is expected for a new forest with no parent zone. On the next page, Additional Options, verify the NetBIOS domain name.

On the Paths page, keep the defaults if you do not want to move the Active Directory database, log files and SYSVOL to another volume. Following best practice, however, you should put the database and the logs on volumes separate from the operating system, both to simplify backup and, above all, for performance: the directory log files can consume a lot of disk space and are written continuously, and sharing a disk with other workloads slows everything down.

On the Review Options page, review everything you have set up and make sure it matches your plan. Click View Script to get a Windows PowerShell script that performs the same promotion; it is handy for repeating the configuration on other servers.

# Windows PowerShell script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012" `
-DomainName "soldier.lab" `
-DomainNetbiosName "SOLDIER" `
-ForestMode "Win2012" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
# The generated script deliberately omits -SafeModeAdministratorPassword:
# you are prompted for the DSRM password when it runs.

On the Prerequisites Check page, the wizard validates everything before it changes anything, so that there are no surprises during AD setup. The same validation is available from PowerShell as Test-ADDSForestInstallation, which lets you check a planned configuration without touching the server.

Finally, the server restarts after the promotion completes, and AD DS is fully configured when it comes back up. Log in with the domain account (SOLDIER\Administrator) and verify that the DNS zone and the SYSVOL share exist before you continue.
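Three helpers around the promotion, as an added example that is not part of the original post. Test-ForestPlan runs the same prerequisite validation as the Prerequisites Check page without changing anything; Test-NewDomainController is for after the reboot and confirms the services, the DNS zone and the SRV records domain members use to find a DC; New-SharePointAppDomainZone creates the wildcard DNS zone that the SharePoint 2013 app domain discussed under Domain Controller Options needs. The domain soldier.lab / SOLDIER comes from the script above; the log path on D:, the app domain soldierapps.lab and the host name sp2013.soldier.lab are hypothetical lab choices.

```powershell
# Added example (not from the original post). Assumptions: domain soldier.lab / SOLDIER as
# in the generated script above; D:\ADLogs, soldierapps.lab and sp2013.soldier.lab are
# hypothetical names for this lab.

function Test-ForestPlan {
    param(
        [string]$DomainName   = "soldier.lab",
        [string]$NetbiosName  = "SOLDIER",
        [string]$DatabasePath = "C:\Windows\NTDS",
        [string]$LogPath      = "D:\ADLogs",          # separate volume, as the Paths page suggests
        [string]$SysvolPath   = "C:\Windows\SYSVOL"
    )
    Import-Module ADDSDeployment
    # Prompts for the DSRM password but makes no changes; same parameters as Install-ADDSForest.
    Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetbiosName `
        -DomainMode Win2012 -ForestMode Win2012 -InstallDns:$true -CreateDnsDelegation:$false `
        -DatabasePath $DatabasePath -LogPath $LogPath -SysvolPath $SysvolPath
}

function Test-NewDomainController {
    param([string]$DomainName = "soldier.lab")
    Import-Module ActiveDirectory, DnsServer

    # Run on the new DC itself; reports site membership and whether it is a global catalog.
    $dc = Get-ADDomainController -Identity $env:COMPUTERNAME
    "DC: {0}  site: {1}  global catalog: {2}" -f $dc.HostName, $dc.Site, $dc.IsGlobalCatalog

    # Core services that must be running on every DC.
    Get-Service NTDS, DNS, Netlogon, Kdc, W32Time | Select-Object Name, Status | Format-Table -AutoSize

    # The zone must exist and hold the _msdcs SRV records that domain members use to locate a DC;
    # SharePoint servers joining the domain depend on exactly this lookup.
    Get-DnsServerZone -Name $DomainName | Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
    "LDAP SRV -> " + (($srv | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ", ")

    # dcdiag summarises replication, the SYSVOL/Netlogon shares, DNS and advertising; /q prints errors only.
    dcdiag /q
}

function New-SharePointAppDomainZone {
    param(
        [string]$AppDomain   = "soldierapps.lab",     # hypothetical app domain (not a subdomain of soldier.lab)
        [string]$WebFrontEnd = "sp2013.soldier.lab"   # hypothetical SharePoint web front end
    )
    Import-Module DnsServer
    if (-not (Get-DnsServerZone -Name $AppDomain -ErrorAction SilentlyContinue)) {
        # AD-integrated forward lookup zone replicated to all DNS servers in the domain.
        Add-DnsServerPrimaryZone -Name $AppDomain -ReplicationScope Domain
    }
    # SharePoint builds a unique host name per app instance, so the zone needs a wildcard
    # CNAME pointing at the web front end that serves the app webs.
    Add-DnsServerResourceRecordCName -ZoneName $AppDomain -Name "*" -HostNameAlias $WebFrontEnd
    Resolve-DnsName "app-12345678.$AppDomain" -ErrorAction SilentlyContinue |
        Select-Object Name, Type, NameHost, IPAddress
}

# Before promotion:    Test-ForestPlan
# After the reboot:    Test-NewDomainController; New-SharePointAppDomainZone
```

The app domain is deliberately a separate DNS name rather than a subdomain of the SharePoint web application's domain, so that cookies for the content sites are not sent to app webs.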

Virtualization improvement of Windows Server 2012 Active Directory?

As a professional administrator you may have concerns about virtualizing Active Directory on Windows Server 2012. In the past we had to deal with time synchronization when a domain controller was virtualized: Hyper-V has its own time synchronization service for virtual machines, which can fight the domain's own time hierarchy and leave the clocks of your machines out of step, and Kerberos tolerates only a few minutes of skew before authentication fails.

In terms of security, many concerns about isolation and host versus guest privileges have been raised. Even when we say one virtual machine is completely isolated from another, there is no really persuasive proof of that from the security point of view. Another issue is that the host administrator typically has full control of the entire virtualization infrastructure, which everyone must keep in mind when Active Directory, the heart of a Microsoft environment, lives on it. Imagine someone who gains control of the Hyper-V host: he can roll your fully patched domain controller back to a snapshot that still has known vulnerabilities and then exploit them with techniques the hacking and security communities have published; he can just as easily copy the virtual hard disk offline and read the directory database, NTDS.dit, from it. Until now, virtualization security has been a burden for administrators, and especially for stakeholders who are considering a move to virtualized or cloud environments.

In Windows Server 2012, Microsoft confidently proclaims safer virtualization for domain controllers, described here: http://technet.microsoft.com/en-us/library/hh831734.aspx#safe_virt_dc. With the new capability called Virtual Machine Generation ID (VM-GenerationID), a domain controller can detect that it has been returned to an earlier point in time: when the hypervisor changes the generation ID after a snapshot is applied, the DC resets its invocation ID and discards its RID pool so that replication does not diverge (the classic USN rollback problem), and the same mechanism is what makes cloning virtualized domain controllers possible. System administrators can therefore feel relieved about returning a virtual machine to an earlier point in time, with two caveats: the hypervisor must expose VM-GenerationID (Hyper-V on Windows Server 2012 does), and the safeguard protects the directory's consistency, not its patch level, so a rolled-back DC still needs the security updates it lost.
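The checks a practitioner would run after virtualizing a domain controller, as an added example that is not part of the original post. Test-DcVmOnHost runs on the Hyper-V host and reports the checkpoints (the rollback vector described above) and the state of the Time Synchronization integration service; Test-DcGuest runs inside the DC and shows the VM-GenerationID value stored in the DC's computer object, which clock the DC is actually following, and whether it holds the PDC emulator role. The VM name DC01 is hypothetical.

```powershell
# Added example (not from the original post). Assumptions: the DC VM is named "DC01" on the
# Hyper-V host (hypothetical); the Hyper-V module is installed on the host and the
# ActiveDirectory module inside the DC.

function Test-DcVmOnHost {
    param([string[]]$DcVmNames = @("DC01"))   # hypothetical VM names
    Import-Module Hyper-V
    foreach ($name in $DcVmNames) {
        $vm = Get-VM -Name $name
        # Checkpoints are the rollback vector: a DC should normally have none, and each one
        # that exists lets a host administrator return the DC to an unpatched state.
        $snaps = @(Get-VMSnapshot -VMName $name)
        "{0}: state={1} checkpoints={2}" -f $name, $vm.State, $snaps.Count
        $snaps | Select-Object Name, CreationTime | Format-Table -AutoSize
        # Time Synchronization integration service: fine for boot-time correction, but the DC
        # should take its ongoing time from the domain hierarchy or an external NTP source.
        Get-VMIntegrationService -VMName $name -Name "Time Synchronization" |
            Select-Object VMName, Name, Enabled
    }
}

function Test-DcGuest {
    Import-Module ActiveDirectory
    # msDS-GenerationId is written to the DC's own computer object from the hypervisor-provided
    # VM-GenerationID. A changed value after a snapshot restore is what triggers the safeguards
    # (new invocation ID, discarded RID pool) on a Windows Server 2012 DC.
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msDS-GenerationId'
    $genId = $computer.'msDS-GenerationId'
    if ($genId) {
        "VM-GenerationID stored in AD: " + (($genId | ForEach-Object { $_.ToString("x2") }) -join "")
    } else {
        "No msDS-GenerationId: either a physical DC or a hypervisor without VM-GenerationID support."
    }
    # Which clock is this DC following? "VM IC Time Synchronization Provider" means it is taking
    # time from the Hyper-V host rather than from the domain hierarchy.
    "Time source: " + (w32tm /query /source)
    # The PDC emulator is the top of the domain's time hierarchy and should use an external source.
    $pdc = (Get-ADDomain).PDCEmulator
    "PDC emulator: $pdc" + $(if ($pdc -like "$env:COMPUTERNAME.*") { "  (this server: point it at an external NTP source)" })
}

# On the Hyper-V host:  Test-DcVmOnHost -DcVmNames "DC01"
# Inside the DC:        Test-DcGuest
```

Run Test-DcGuest before and after applying a checkpoint in a lab and you will see the stored generation ID change, which is the visible side of the safeguard the article describes.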

This article covers a lot of Active Directory content in Windows Server 2012, plus helpful resources to read before you deploy Active Directory in your organization. The next article is all about practical SQL Server installation for SharePoint 2013 deployment.

Stay tuned!

7 comments


  Edward J. · June 23, 2013

    Who said it can't be installed without AD? The stand-alone installation?

    • Thuan Soldier · June 23, 2013

      Hi Edward J,

      I have tried the stand-alone deployment of SharePoint 2013. You can even install it, but at the Configuration Wizard you would get the error below:

      An exception of type System.ArgumentException was thrown. Additional exception information: The SDDL string contains an invalid sid or a sid that cannot be translated.
      Parameter name: sddlForm

      This error indicates a security-related problem: your installation account does not have sufficient permission on the server.

      Would love to discuss the magical stand-alone installation with you 😉

      Regards,
      -T.s
