The Art of Installing SharePoint 2013 in a 3 Tier Topology- Part Three

So you’ve got your Active Directory server up and running and SQL Server 2012 is configured and good to go. If not, see my previous posts for how to go about this. Let’s install SharePoint 2013 on your web server. One thing to note is that the web server on which I am installing SharePoint 2013 will also act as my application server. My environment is not for client use as of yet, so I don’t need a separate application server. If you have a client requirement for this type of topology, then by all means separate it out.

First the Requirements…

  1. You have an active and fully configured Active Directory.
  2. You have a SQL 2012 Server fully updated and configured, with the correct permissions set up for SharePoint required service accounts. See my previous post for this.
  3. You have all your service accounts created in Active Directory, I’ll cover this below.
  4. All servers in the topology are connected to the same domain.
  5. Your web/application server on which you are installing SharePoint 2013 has all required software and updates applied.

This post assumes you have all the above sorted before you install SharePoint 2013. Remember I am using the Hyper-V service to manage my servers and they are all running on a Server 2008 guest OS.

Service Accounts

Why do we need these service accounts? Think separation of data. When it comes down to the nitty gritty and there need to be “physical” boundaries between data, you’ll want to use different service accounts. Think about search content access, user profile data etc. Custom database names are a roundabout argument for separate service accounts, and really a point against using the Service Application wizard. By not using the wizard you can use your own service account for each application and therefore name the databases that get created when configuring specific Service Applications. Skipping the wizard and using your own service accounts also lets you dictate what most Web Apps are called and which services run under them. Call it a control thing! Separate service accounts also mean multiple points of redundancy: just as multiple accounts could be failure points, they are also redundancy levels. Think if you had all your services running under the same service account. If that account went bad, its password expired etc., all your services go down. Now think if you had your service accounts properly structured out: maybe just search goes down, but the rest of your farm and access to its features is still up.

With managed accounts, a feature introduced in SharePoint 2010, we can set credentials and forget about them: SharePoint can manage the passwords of our service accounts (yes, that can be scary), but it takes away the risk of nobody keeping track of those passwords. Least Privileges basically means that you manage and control the exact level of permissions SharePoint operates under. Search on “SharePoint Least Privileges”; it will give you a good understanding of just how lean you can run SharePoint and still have everything work correctly. Ok let’s vamoose…

You need at least the following service accounts created in AD to successfully install SharePoint 2013:

SQL Server Service Account, e.g. sqlSvcAcc (If you have been following my previous posts, this has already been created and assigned permissions on the SQL server)

SharePoint Setup Administrator, e.g. spAdmin

SharePoint Farm Account, e.g. spFarmAcc

In SharePoint 2013 these accounts will fall under the managed accounts, where you control whether passwords expire and whether users can change their passwords. In my development environment I always use the options “User cannot change password” and “Password never expires”.
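As an added example (not from the original post), the three core accounts above can be created in AD with those two flags using the ActiveDirectory PowerShell module. The domain name and OU path are placeholders, and the passwords are prompted for rather than stored in the script.

```powershell
# Added example, not part of the original post: create the core SharePoint 2013
# service accounts with "Password never expires" and "User cannot change password".
# Requires the ActiveDirectory module (RSAT / AD DS tools on Server 2008 R2 or later).
Import-Module ActiveDirectory

$domainDns = 'contoso.local'                                        # placeholder domain
$ouPath    = 'OU=SharePoint Service Accounts,DC=contoso,DC=local'   # placeholder OU

# Account names follow the post; the description records what each one is for.
$accounts = @(
    @{ Name = 'sqlSvcAcc'; Description = 'SQL Server 2012 service account' },
    @{ Name = 'spAdmin';   Description = 'SharePoint 2013 setup administrator' },
    @{ Name = 'spFarmAcc'; Description = 'SharePoint 2013 farm account' }
)

foreach ($acct in $accounts) {
    # Skip accounts that already exist so the script is safe to re-run.
    if (Get-ADUser -Filter "SamAccountName -eq '$($acct.Name)'") {
        Write-Host "$($acct.Name) already exists, skipping"
        continue
    }

    # Ask for each password interactively instead of embedding it in the script.
    $password = Read-Host -AsSecureString -Prompt "Password for $($acct.Name)"

    New-ADUser -Name $acct.Name `
        -SamAccountName $acct.Name `
        -UserPrincipalName "$($acct.Name)@$domainDns" `
        -Description $acct.Description `
        -Path $ouPath `
        -AccountPassword $password `
        -Enabled $true `
        -PasswordNeverExpires $true `
        -CannotChangePassword $true

    Write-Host "Created $($acct.Name)"
}

# Show the flags on everything in the OU so they can be checked against the post.
Get-ADUser -Filter * -SearchBase $ouPath -Properties PasswordNeverExpires, CannotChangePassword |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, CannotChangePassword
```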

SQL Server Service Account

Permissions are assigned automatically during installation of SQL Server 2012. The SQL Server service account should be a domain account and is used to run the SQL Server service.

SharePoint Setup Administrator

You need to manually assign permissions for this account. The setup administrator is used to install SharePoint 2013. It has to be a member of the local Administrators group on every server on which SharePoint will be installed. This account also needs the securityadmin and dbcreator server roles in SQL Server, plus sysadmin if you are creating a development environment and want only one account to administer Windows Server, SQL Server and SharePoint.

Farm Account

Permissions are automatically assigned by the SharePoint 2013 setup administrator so you don’t have to do it.

The farm account is used for the following things [1]:

  • “Configure and manage the server farm.”
  • “Act as the application pool identity for the SharePoint Central Administration Web site.”
  • “Run the Microsoft SharePoint Foundation Workflow Timer Service.”

See the Microsoft site for recommendations for service accounts: http://technet.microsoft.com/en-us/library/ee662513.aspx


In addition to the main accounts you need a separate account for each service application you intend to run as well as:

Application pool account

The application pool account is used for application pool identity. The application pool account requires the following permission configuration settings:

The following machine-level permission is configured automatically: The application pool account is a member of WSS_WPG.

The following SQL Server and database permissions for this account are configured automatically:

  • The application pool accounts for Web applications are assigned to the SP_DATA_ACCESS role for the content databases.
  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

Default content access account

The default content access account is used within a specific service application to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern. This account requires the following permission configuration settings:

  • The default content access account must be a domain user account that has read access to external or secure content sources that you want to crawl by using this account.
  • For SharePoint Server sites that are not part of the server farm, you have to explicitly grant this account full read permissions to the web applications that host the sites.
  • This account must not be a member of the Farm Administrators group.

Content access accounts

Content access accounts are configured to access content by using the Search administration crawl rules feature. This type of account is optional and you can configure it when you create a new crawl rule. For example, external content (such as a file share) might require this separate content access account. This account requires the following permission configuration settings:

  • The content access account must have read access to external or secure content sources that this account is configured to access.
  • For SharePoint Server sites that are not part of the server farm, you have to explicitly grant this account full read permissions to the web applications that host the sites.

Excel Services unattended service account

Excel Services uses the Excel Services unattended service account to connect to external data sources that require a user name and password that are based on operating systems other than Windows for authentication. If this account is not configured, Excel Services will not attempt to connect to these types of data sources. Although account credentials are used to connect to data sources of operating systems other than Windows, if the account is not a member of the domain, Excel Services cannot access them. This account must be a domain user account.

My Sites application pool account

The My Sites application pool account must be a domain user account. This account must not be a member of the Farm Administrators group.

The following machine-level permission is configured automatically: This account is a member of WSS_WPG.

The following SQL Server and database permissions are configured automatically:

  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role that is associated with the farm configuration database.
  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role that is associated with the SharePoint_Admin content database.
  • The application pool accounts for web applications are assigned to the SP_DATA_ACCESS role for the content databases.

Other application pool accounts

The other application pool account must be a domain user account. This account must not be a member of the Administrators group on any computer in the server farm.

The following machine-level permission is configured automatically: This account is a member of WSS_WPG.

The following SQL Server and database permissions are configured automatically:

  • This account is assigned to the SP_DATA_ACCESS role for the content databases.
  • This account is assigned to the SP_DATA_ACCESS role for search database that is associated with the web application.
  • This account must have read and write access to the associated service application database.
  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role that is associated with the farm configuration database.
  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role that is associated with the SharePoint_Admin content database.

FYI the database roles mentioned above are created automatically during installation.
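An added audit script (not part of the original post) that lists, for every user database on the SQL server, which accounts hold the SP_DATA_ACCESS and WSS_CONTENT_APPLICATION_POOLS roles described above and flags any member that also holds sysadmin. It assumes the SQLPS module from the SQL Server 2012 management tools and uses a placeholder server name.

```powershell
# Added example, not part of the original post: audit membership of the two SharePoint
# database roles across all user databases. Assumes the SQLPS module (SQL Server 2012).
Push-Location                                   # Import-Module SQLPS changes the location
Import-Module SQLPS -DisableNameChecking        # to the SQLSERVER: drive, so restore it
Pop-Location

$dbServer = 'SP2013DBServer'                    # placeholder server name

# Every online user database (system databases have database_id 1-4).
$databases = Invoke-Sqlcmd -ServerInstance $dbServer -Query @"
SELECT name FROM sys.databases WHERE database_id > 4 AND state_desc = 'ONLINE'
"@ | Select-Object -ExpandProperty name

# Members of the two roles in the current database; IsSysAdmin is NULL when the
# database user has no server login of the same name (nested role or orphaned user).
$roleQuery = @"
SELECT DB_NAME() AS DatabaseName, r.name AS RoleName, m.name AS MemberName,
       IS_SRVROLEMEMBER('sysadmin', m.name) AS IsSysAdmin
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN ('SP_DATA_ACCESS', 'WSS_CONTENT_APPLICATION_POOLS')
ORDER BY r.name, m.name
"@

$findings = foreach ($db in $databases) {
    Invoke-Sqlcmd -ServerInstance $dbServer -Database $db -Query $roleQuery
}

$findings | Format-Table DatabaseName, RoleName, MemberName, IsSysAdmin -AutoSize

# Least-privilege review point: an application pool or service account that is also
# sysadmin has far more than the database roles SharePoint grants it.
$findings | Where-Object { $_.IsSysAdmin -eq 1 } | ForEach-Object {
    Write-Warning "$($_.MemberName) is in $($_.RoleName) on $($_.DatabaseName) and is also sysadmin"
}
```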

You will need additional accounts for each additional service application you install, see here for the Microsoft best practice plan for service accounts:

http://technet.microsoft.com/en-us/library/cc263445.aspx

It’s impossible to define a real set of service accounts that could fit any scenario, from a small development farm to a huge multi-tier farm. Each environment is different and will require its own customised set of service accounts. The Microsoft best practices link is very detailed, but you need to use your initiative to decide, based on your requirements, which accounts to use and which not to use.

Ok let’s install SharePoint 2013:


Make sure you are logged on using the SharePoint Setup Administrator.
The installer will also configure the Windows Server Application Server and Web Server roles.

I used this as a reference: http://technet.microsoft.com/en-us/library/ee805948.aspx

Run the installation application and you will be presented with the following screen (Excuse the quality of the images, I will get better ones and replace as soon as I can):

Click on the Install software prerequisites link to automatically install all the pre required software.

After the Install, the system needs to reboot. When this is done, start up the installation again and select to install SharePoint 2013:

Enter your License Key, Accept Microsoft’s terms and conditions and choose to perform a complete install:

Once the Installation is completed, close the installation wizard.  Select the check box “Run the SharePoint Products Configuration Wizard now” (default).

You will be presented with notification of services being restarted during the configuration:

Select to create a new server farm:

Enter the appropriate information. Be careful to use the correct server names. I kept getting a permission error when trying to create the farm. It took hours of investigation to realise that I was using the incorrect database name for my SQL server. My database server was called SP2013DatabaseServer but its FQDN was SP2013DBServer, thus I was getting permissions issues as there was no server with that name. Good old SharePoint, always giving us uninformative error messages! I had to use the IP address in the end to get it to work.
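As an added check (not part of the original post), a PowerShell pre-flight script to run, logged on as the setup administrator, before typing the database server name into the wizard: it confirms the name resolves, that the session is elevated, that Windows authentication to SQL Server works, and that the account holds the securityadmin and dbcreator roles listed earlier. The server name SP2013DBServer is the one from the post; everything else is an assumption.

```powershell
# Added example, not part of the original post: pre-flight checks before the
# Products Configuration Wizard. Only the server name below comes from the post.
$dbServer = 'SP2013DBServer'   # exactly what you intend to type into the wizard

# 1. Does the name resolve? The "permission" error described above was really a
#    server name that did not exist in DNS, so check resolution first.
try {
    $entry = [System.Net.Dns]::GetHostEntry($dbServer)
    Write-Host "OK   $dbServer -> $($entry.AddressList -join ', ') (host name: $($entry.HostName))"
} catch {
    Write-Host "FAIL $dbServer does not resolve: $($_.Exception.Message)"
    return
}

# 2. Is this session elevated as a local Administrator? (Under UAC the role is
#    only reported when the shell was started elevated.)
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "$(if ($isAdmin) { 'OK  ' } else { 'FAIL' }) $($identity.Name) is an elevated local Administrator"

# 3. Can this account reach SQL Server with Windows authentication, and does it
#    hold the securityadmin and dbcreator server roles the setup administrator needs?
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$dbServer;Integrated Security=True;Connect Timeout=10"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @"
SELECT SUSER_SNAME()                     AS LoginName,
       IS_SRVROLEMEMBER('securityadmin') AS securityadmin,
       IS_SRVROLEMEMBER('dbcreator')     AS dbcreator,
       IS_SRVROLEMEMBER('sysadmin')      AS sysadmin
"@
    $reader = $cmd.ExecuteReader()
    [void]$reader.Read()
    $login = $reader['LoginName']
    foreach ($role in 'securityadmin', 'dbcreator') {
        $status = if ($reader[$role] -eq 1) { 'OK  ' } else { 'FAIL' }
        Write-Host "$status $login holds the $role server role"
    }
    # sysadmin is only needed for the single-account development setup described above.
    if ($reader['sysadmin'] -eq 1) { Write-Host "NOTE $login is also sysadmin (dev-only shortcut)" }
    $reader.Close()
} catch {
    Write-Host "FAIL could not connect to SQL Server on ${dbServer}: $($_.Exception.Message)"
} finally {
    $conn.Close()
}
```

If step 1 fails for the short name but the IP address works, as it did in the post, the fix belongs in DNS rather than in SharePoint.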

Enter a passphrase and note it down.

Pick your Central Administration Settings:

Double check your configuration:

Configuration proceeds:

Hopefully not after too many grey hairs you should have a successful configuration:

Then a browser window will open with the following page, select to ‘Start the Wizard’ to configure the farm:

You will be asked to select the services you require to run in the farm as well as the service account. You can create a new one (it needs to exist in AD first) or select from the list, but you can only select one account for all of the services. I had to go back and manually change the service accounts for each of the service applications…boring!:

Notice some new faces in the service applications?

Then we see this screen with the words which will become both an annoyance and a joy for you, as you will be bombarded with them; at least they are apologising now:

If everything is successful you will get this screen:

And voila, your farm is created… now go create a web application and site collection and have a play! Good luck.

Next I will try to automate the install and config of SharePoint 2013 using PowerShell for a multiple-server farm… exciting I know. PowerShell and I have a fractious relationship as I don’t like dark screens, I’m a girl I like bright pretty things, but the new PowerShell commands for SharePoint 2013 are doing their job in making my life much simpler, so I can handle a simple life, even though I have to occasionally use a black screen!

FYI: if you followed these instructions you might not get internet access on your DB and web servers. What happens is that when you configure your AD forest, Windows 2012 automatically expects all internet traffic to be rerouted to this domain and that the domain is able to serve as a gateway to the internet, meaning the domain can (or will later) have a DNS server. My guest OS is using a wireless connection which is shared between all the servers; when connecting the DB and web servers to the domain you have to enter an IP address as well as a subnet mask and connect your DNS server (AD server). Doing this immediately blocks the internet. I have yet to configure the AD server to route internet connections, and when I do I will post the solution, or you can research it if you require your servers to have internet access. I don’t require internet access as I want control over the Windows Update service. I’m not a DNS expert so will have to consult the experts on this.

That’s all for now, wow 3 posts in one day..

Peace Love and Happiness!


3 thoughts on “The Art of Installing SharePoint 2013 in a 3 Tier Topology- Part Three”

  1. Todays application developers are really experienced people and they are well versed in the use of the sophisticated tools, so, regarding the quality and performance of the products, there is not even a single point to worry. The IT companies like in US, UK and Canada form the dedicated offshore companies’ helps us in chopping down in saving the big costs that would be around 40-60% of development costs. It saves a lot of time and money because these offshore companies incur low cost to develop large number of projects.

  2. Hi, thanks for the good explanatory of the whole process; certainly for SPS2013 it is much more involved than Sp2010; while I managed to install my instance using lots of advice from Randy at http://rhrempel.wordpress.com/, and the “troublesome” Search Services PowerShell script at MelcherIT, http://melcher.it/2012/07/sharepoint-2013-create-a-search-service-application-and-topology-with-powershell/ (it worked after running it 3 times and changing some service accounts credentials, using as much as possible least privileges); I have yet to try out the User Profile (will do so this week), but rather than use Haber’s famous method, I think Microsoft has upgraded and nailed UPS for SP2013, it is very extensive. For SQL Server 2012, I found that Todd Klindt’s method worked well. I certainly liked your emphasis on the services accounts, because I believe they are the key to the whole experience.
