SharePoint Getting Started with Ryan Fleming

Getting Started
Ryan Fleming
Dan Holme
Kevin Laahs
Michael Noel
Matt Ranlett
Brendon Schwartz
Getting Started with SharePoint
Contents
Chapter 1: Windows SharePoint Services 3.0 Out of the Box
    SharePoint Services 3.0 in a Nutshell
    Installing SharePoint Services 3.0
    Configuring the Server
    Creating an Intranet Home Page
    Allow Access to the Intranet Top-Level Site
    A Bit of Branding
    A Departmental Site with Version 3 Whiz-Bang
    Security
    Better Collaboration
Chapter 2: SharePoint Server 2007 Unleashed
    What Is SharePoint Server 2007?
    Experience 1: Obtaining and Installing SharePoint Server 2007
    Experience 2: Configuring the Top-Level Site
    Experience 3: Creating a Departmental Site
    Experience 4: Creating a Document Library
    Experience 5: RSS
    Experience 6: Outlook Integration—SharePoint’s Answer to Public Folders
    Experience 7: Slide Libraries
    Experience SharePoint
Chapter 3: SharePoint Server 2007 Revealed
    Experience 8: Content Management
    Experience 9: Content Queries and Roll Ups
    Experience 10: RSS Aggregation
    Experience 11: Déjà Vu: Creating a Departmental Subsite
    Experience 12: Report Libraries: Excel Services and Dashboards
    Experience 13: Key Performance Indicators
    Experience 14: Create an Expense Report and Workflow
    Experience 15: My Site
    The Journey Continues
Chapter 4: SharePoint Security Evolution
    SharePoint 2003 Authentication
    SharePoint 2003 Authorization
    Site-Level Security
    List-Level Security
    SharePoint 2007 Authentication
    SharePoint 2007 Authorization
    Administrative Security
    A Powerful Force
Chapter 5: High Availability for MOSS 2007 Server Farms
    Services and Availability Options
    Implementation
    Failure Management
    It’s All About Reliability
Chapter 6: The File Share Is Dead: Long Live SharePoint Document Libraries
    Creating a Document Library
    Managing Security
    Populating a Document Library
    Viewing and Editing Documents
    Control Document Editing
    Monitoring Document Changes
    Try That with a File Share!
    I’m Not Dead Yet!
Chapter 7: Stsadm: Taking Control of SharePoint Administration
    Stsadm
    5 Favorite Stsadm Operations
    Using Stsadm to Automate Tasks
    Leverage the Command-Line to Extend SharePoint’s Web-Based Management
Chapter 8: Safeguard Your SharePoint Content with Data Protection Manager
    Introducing System Center Data Protection Manager 2007
    Designing a SharePoint DPM Solution
    Using the DPM System Recovery Tool
    Preparing Servers for Backup
    Creating a Protection Group
    Restoring Content
    Understanding DPM Licensing
    Not Perfect, But...
Chapter 1:
Windows SharePoint Services 3.0
Out of the Box
By Dan Holme
Let me be the first to declare, officially, if prematurely, “The file server is dead!” With the release of
Windows SharePoint Services 3.0, Microsoft delivers simple, secure, and effective support for collaboration, knowledge management, and business processes.
To understand and implement SharePoint Services 3.0 and get a feel for some of its key new features, let’s create an intranet home page and a SharePoint site for the IT department of a fictional company, You’ll see why I believe the grim reaper is a-knockin’ on your shared folders’
SharePoint Services 3.0 in a Nutshell
SharePoint Services 3.0 is a free add-on to Windows Server 2003. If you’re new to the SharePoint family
of products, let me get you up to speed. Once upon a time, there was Content Management Server,
which focused on large-scale content management issues. About the same time, Bill Gates caught the
collaboration bug and SharePoint Team Services was born.
Microsoft’s modus operandi seems to be to invest maximum effort when a product reaches version
three, and SharePoint technology is no exception. Windows SharePoint Services 2.0 improved on the
first version but left gaping holes in functionality and ease of use. Content Management Server morphed
to become Microsoft SharePoint Portal Server 2003, which built a portal “umbrella” over SharePoint
sites. Now, SharePoint Services and SharePoint Portal Server have made a significant leap: Both were
completely redesigned and are now joined at the hip. SharePoint Services 3.0 is now a .NET application,
leveraging all the capabilities of Microsoft .NET Framework 3.0, including workflow. And SharePoint
Portal Server 2003, renamed Microsoft Office SharePoint Server 2007, has become an add-on extension
to SharePoint Services 3.0, providing not only extraordinary functionality, but also demonstrating the
robust platform for Web-application development delivered by SharePoint Services 3.0.
Installing SharePoint Services 3.0
The scenario I present here reflects a typical out-of-the-box installation of SharePoint Services 3.0 on a
Windows 2003 Service Pack 1 (SP1) domain member server. (To give you an effective “learn-by-doing”
experience in these few short pages, I’ll leave it to you to read the SharePoint Services 3.0 readme file
and deployment documentation, available from the SharePoint Services 3.0 Web site at http://www.
Although Microsoft recommends you use a dual-processor server with many gigabytes of RAM, for
a small rollout of SharePoint Services 3.0 you can get by with less, depending on what you’re doing with
SharePoint, so don’t let the published hardware recommendations prevent you from taking SharePoint
Brought to you by Quest Software and Windows IT Pro eBooks
Services 3.0 for a test drive. In fact, I used a 1GB virtual machine (VM) to create the prototype used in
this chapter. I wouldn’t suggest using such scant resources for a production intranet, but even a VM can
provide a functional sandbox for SharePoint Services experiments.
To install SharePoint Services 3.0, you’ll need to have already installed .NET Framework 3.0. Before
you launch the SharePoint Services 3.0 setup, log on to the server using an account that has administrative privileges. This account will be the initial owner of the SharePoint Central Administration site and
the default SharePoint Services team site. You can easily configure the account to receive alerts related to
the health and usage of the SharePoint Services server farm and sites, so you might want to use a domain
user account in the Administrators group on the server, rather than the local Administrator account.
The SharePoint Services 3.0 setup will automatically configure the Windows Internal Database, a
“lite” instance of Microsoft SQL Server (which is listed as SQL Server 2005 Embedded Edition in SharePoint Services), on the server. However, for a production rollout you’ll certainly benefit from the scalability and manageability provided by SQL Server, and SharePoint Services lets you run with a separate
SQL Server installation to host the configuration and content databases.
When the installation is complete, run the SharePoint Products and Technologies Configuration
Wizard from the Administrative Tools folder on the SharePoint server. The wizard initializes SharePoint Services 3.0 and creates the first two SharePoint applications: the SharePoint Central Administration site, and the default content site based on the Team Site template. You can visit the default site at
the URL, http://servername, which Figure 1 shows. Take a quick look, but don’t change anything until
you’ve configured your server.
Figure 1: Default Team Site home page
Configuring the Server
Whether you install SharePoint Services 3.0 on one server or on multiple servers, you now have a server
farm. A SharePoint server farm hosts SharePoint Web applications. For many implementations, the two
default applications (Central Administration and the default Web application) will suffice, as the default
Web application can host an organization’s hierarchy of multiple sites. The SharePoint Central Administration site, created by the SharePoint Products and Technologies Configuration Wizard, lets you manage
the farm and the applications it hosts. You can open the site by using the SharePoint 3.0 Central Administration shortcut in the SharePoint Services 3.0 server’s Administrative Tools folder. Make a note of the
port on which the site is hosted (which you can change from the site’s properties by using Microsoft IIS
administrative tools). You can access Central Administration from any computer via a Web browser.
The Central Administration home page reveals a task list of important, post-setup configuration
procedures, which Figure 2 shows. Click each procedure to read more about it, then mark the item as
complete after you’ve performed the operation. I would suggest making it a priority even for this simple
SharePoint site to assign a second farm administrator and to configure outbound email settings for the
server farm. You can perform these tasks by using Update Farm Administrator’s Group and Outbound
Email Settings, respectively, at the task list or from the Operations tab. You can create, delete, and
manage Web applications by using the Central Administration site’s Application Management tab. Using
the links on that tab, set the time zone.
Figure 2: Central Administration site
Within each application is one or more site collections, each consisting of a top-level site and one
or more child sites. Each site contains lists, or data tables, such as task lists, contact lists, and document
libraries. Each list contains items: records or documents, for example. If you’re unfamiliar with the
structure of a SharePoint implementation, visit and look for the chapter
“Windows SharePoint Services, an out-of-box learning experience.”
In the example we’re creating in this chapter, we’ll make our intranet home page be the default
site collection at the root URL of our default Web application. At the top-level site, we’ll allow any
user, even anonymous users, to have read-only access to that site. Beneath the top-level site, we’ll create
departmental subsites, readable by all authenticated users. Users in a department will have higher levels
of access to create and manage content based on the functionality and resources in their department’s
site. Beneath departmental sites, we’ll have project or team sites for secure collaboration and document
sharing. So the URL namespace will be http://servername for the home page (site collection and top-level
site), http://servername/department for the department, and http://servername/department/project-or-team
for collaboration.
Creating an Intranet Home Page
Opening the top-level URL (http://servername), we see the default site based on the Team Site template,
which Figure 1 shows. The logon control in the upper right corner, which reads “Welcome WINDOMAIN\administrator” in Figure 1, drops down to reveal a small but welcome change in SharePoint
Services 3.0: the ability to quickly log on as another user and easily access your user profile information. Because SharePoint Services 3.0 is a .NET application, it accepts any .NET membership provider
for authentication. By default, SharePoint Services 3.0 uses Windows authentication, meaning that all
authentication is performed by your local server and its Active Directory (AD) domain. However, you
can also use other membership providers, including the ASP.NET SQL Membership Provider. Authentication for each SharePoint Services application is managed in Central Administration.
Where SharePoint Services 2.0 placed actions clumsily in a top-of-page bar, SharePoint Services 3.0
consolidates actions into toolbars and drop-down menus. Click the Site Actions menu box on the upper-right side of the window to expand the drop-down menu. Select Site Settings, which opens a significantly improved dashboard of site-administration options, as Figure 3 shows.
In Site Settings, look for the options listed beneath Users and Permissions. You’ll see the Site collection administrators link, which you’ll use to add an additional administrator for the site collection. Click
People and groups to begin assigning access to the site. You’ll see three default groups displayed: the
Owners group, which has full control of the site and its content; the Members group, which can contribute to the site; and the Visitors group, which has read access to the site. For each group, navigate to
Settings, Group Settings to rename each group to make it more meaningful for your users, then, on the
toolbar, click New, and choose Add Users to add members. For the intranet home page, the Members
group might include your communications team.
Allow Access to the Intranet Top-Level Site
While you’re adding members to a group, note that you can click Add all authenticated users. For
example, you’d probably want to add all authenticated users to the Visitors group so that all employees
could read the intranet home page.
Figure 3: Site Settings page
Alternatively, you could enable anonymous access, at least to the intranet top-level site. To do this,
open the Central Administration page, select the Application Management tab, and click Authentication
Providers. Click Default and modify the authentication provider settings to enable anonymous access.
Then, back in the Site Settings of the site itself, click Users and Permissions, Advanced permissions, and
select Settings, Anonymous Access to determine what level of access non-authenticated users can have to
the site. For an intranet, you might choose to let anonymous users access the entire site. If you choose to
restrict anonymous access to lists and libraries, you’ll need to continue and enable access for anonymous
users to each appropriate list and library. Remember that subsites inherit permissions, so you’ll want
to disable anonymous access to departmental or team/project subsites, which are likely to contain more
sensitive information than the intranet home page.
In SharePoint Services 3.0, you don’t need to use standard IIS tools to enable or disable anonymous
access. In fact, as of press time, you must use Central Administration to fully enable authentication for
anonymous access. From configuring service account credentials to backing up and restoring sites, you’ll
find welcome new support for SharePoint Services administrative tasks within the Central Administration and Site Settings pages.
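The inheritance caveat above can be checked mechanically. The following is an added example, not code from the eBook or from SharePoint: a simplified Python model that resolves each site's effective anonymous-access setting by walking up to the nearest ancestor with unique permissions, then flags every subsite that anonymous users can reach. The names Site, AnonAccess and audit, the HR and Sales sites, and the inventory itself are hypothetical and constructed for illustration.

```python
"""Simplified model of anonymous-access inheritance across a site hierarchy.

Added example: Site, AnonAccess, audit() and the inventory are hypothetical
and do not correspond to SharePoint's object model.
"""
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlparse


class AnonAccess(Enum):
    # The three levels described in the text above.
    NOTHING = "nothing"
    LISTS_AND_LIBRARIES = "lists and libraries"
    ENTIRE_SITE = "entire site"


@dataclass
class Site:
    url: str
    inherits: bool                                # True: permissions come from the parent site
    anonymous: AnonAccess = AnonAccess.NOTHING    # ignored when inherits is True


def parent_url(url):
    """Return the URL one path segment up, or None for the top-level site."""
    parsed = urlparse(url)
    segments = [s for s in parsed.path.split("/") if s]
    if not segments:
        return None
    return f"{parsed.scheme}://{parsed.netloc}" + "".join("/" + s for s in segments[:-1])


def effective_anonymous(site, index):
    """Walk up to the nearest site with unique permissions.

    Returns (setting, url_it_comes_from), or (None, None) when an ancestor
    is missing from the inventory and the answer cannot be determined.
    """
    current = site
    while current.inherits:
        up = parent_url(current.url)
        if up is None:              # top-level site has nothing to inherit from
            break
        current = index.get(up)
        if current is None:
            return None, None
    return current.anonymous, current.url.rstrip("/")


def audit(sites):
    """Flag subsites that anonymous users can reach, with the site that grants it.

    Policy taken from the chapter's design: only the top-level site may allow
    anonymous access; departmental and team/project subsites must not.
    """
    index = {s.url.rstrip("/"): s for s in sites}
    findings = []
    for s in sites:
        url = s.url.rstrip("/")
        setting, source = effective_anonymous(s, index)
        if setting is None:
            findings.append((url, "unresolved", None))
        elif parent_url(url) is not None and setting is not AnonAccess.NOTHING:
            findings.append((url, setting.value, source))
    return findings


# Constructed inventory using the chapter's URL namespace.
INVENTORY = [
    Site("http://servername", inherits=False, anonymous=AnonAccess.ENTIRE_SITE),
    Site("http://servername/IT", inherits=True),           # unique permissions forgotten
    Site("http://servername/IT/blogs", inherits=False),     # unique, anonymous off
    Site("http://servername/IT/wiki", inherits=True),       # inherits via IT from the top
    Site("http://servername/HR", inherits=False, anonymous=AnonAccess.LISTS_AND_LIBRARIES),
    Site("http://servername/HR/payroll", inherits=True),
    Site("http://servername/Sales/forecast", inherits=True),  # parent not in inventory
]

if __name__ == "__main__":
    for url, setting, source in audit(INVENTORY):
        if source is None:
            print(f"{url}: cannot resolve, an ancestor is missing from the inventory")
        else:
            print(f"{url}: anonymous access = {setting} (granted at {source})")
```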
A Bit of Branding
To customize the intranet site, click the Team Site link in the upper right corner of any page to return
to the Team Site, then click Shared Documents in the Quick Launch navigation bar (on the left side of
Figure 1), click Upload, and upload two logos: one large (about 150 pixels wide) and one small (about 20
to 24 pixels high). When you’re done, you’ll see the two pictures listed in the Shared Documents library.
Right-click the names of the pictures and choose Copy Hyperlink. Paste the hyperlinks into Notepad—
we’ll need them in a moment.
While you’re still in the Shared Document Library, click the Settings menu in the toolbar and
choose Document Library Settings. You can fully manage and customize all lists (and document libraries
are a type of list) by using this Settings page. Use the links in the General Settings section to change the
title of the document library to something like “Intranet Site Elements” and to remove it from the Quick
Launch view, since users won’t need easy access to the library.
Return to the home page again by clicking Team Site in the upper-left corner. In SharePoint Services
3.0, the top and left panels of a SharePoint site help you navigate. The top panel’s navigation bar, which
Figure 1 shows below the URL, represents the site structure by default. Initially, you’ll see only one tab for
the top-level site, in this case, the Home tab. But as you add sites, each site becomes a tab. Additional navigation is enabled by the site’s left navigation panel, which contains the Quick Launch view by default.
You can also navigate using the “breadcrumb control,” which shows the path to the current page.
Figure 3 shows the breadcrumb to the Site Settings page: Windomain Intranet>Site Settings.
Unlike SharePoint Services 2.0, in version 3.0 the Quick Launch view appears on every page, and
both the top navigation and Quick Launch bar can be easily edited or hidden entirely at the Site
Settings page. Click Site Actions and select Site Settings, Look and Feel, Quick Launch. Click the
Edit icon and delete the headings Documents, Discussions, and People and Groups, and the Tasks list.
Change the heading “Lists” to “Company.” Check out the results by returning to the home page.
Alternatively, return to Site Settings, Look and Feel, and, from the Tree View link, disable the
Quick Launch altogether, since the top navigation tabs will provide navigation to departmental sites.
To modify the site title and to paste in the hyperlink to your small logo as the icon, use Site
Settings, Look and Feel, click the Title, description, and icon link. Experiment with color schemes
by using Site Themes to find an appropriate Web-site color scheme.
Return to the home page and click Site Actions, Edit Page. The home page, a section of which
Figure 4 shows in Edit Mode, is an example of a Web Part page. To modify a Web Part’s properties,
click the Edit link. Here is where you can change the Site Image to link to your large logo.
Figure 4: A section of the home page showing Edit mode
A Departmental Site with Version 3 Whiz-Bang
To create the site for our IT department, start at the intranet home page and click Site Actions, then
Create, Sites and Workspaces. Create a friendly title for this site, such as Information Technology, but give
it a short URL, such as “IT.” Configure a Team Site template and use unique permissions, so that you
can more easily give IT employees access to resources on the IT site. You’ll be prompted to create the
Visitors, Members, and Owners groups, which you can always do later from Site Settings.
In our departmental site, let’s leverage three great new capabilities of SharePoint Services 3.0. Click
Site Actions, select Create, Wiki Page Library and name the library “IT Wiki.” Wikis are a fantastic tool
for capturing knowledge.
Link to another page by using the syntax page name can contain spaces. For example, you might have
a message at your site: “Don’t forget to bring your family to the upcoming corporate baseball games.
The schedule is on the Baseball Schedule page.” Clicking the link Baseball Schedule brings the user to
the existing Baseball Schedule page or, if that page doesn’t exist, will create a new page called Baseball
Schedule. So it’s easy to create a new page from an existing page by creating a link to a nonexistent page,
then clicking the link.
Blogs are another useful tool for unstructured knowledge capture. Click Site Actions, select Create,
Sites and Workspaces and create a blog site named IT Blogs and the URL blogs/, also using unique permissions so that you can control who is allowed to blog to the site.
Probably one of the most important enhancements to SharePoint Services 3.0 is item-level security.
From the IT site home page, click Shared Documents and upload a Word document. Hover over the
document and, from its drop-down menu, choose Manage Permissions. By default, permissions are
inherited from the parent—in this case, the document library. Choose Actions, Manage Permissions to
configure the permissions on the document. After the document is uploaded, click the document link,
and it will open directly in Microsoft Office Word 2007 or Microsoft Word 2003. Both versions of Word
can also open and save directly from and to a SharePoint document library by using the library’s URL
(e.g., http://wss01/IT/Shared%20Documents). When you open a document from a library, unlike a traditional file share, the document is “checked out” to the current editor, and the document library itself can
be configured to maintain versions.
Security also extends to the UI, with “security trimming.” If a user doesn’t have permission to see
part of a SharePoint site, links to that part of the site won’t be displayed in the UI. For example, you can
configure permissions so that an administrator of a team site can see the Site Actions option but readers
Better Collaboration
Add SharePoint Services 3.0’s support for workflow, Microsoft Outlook integration, offline files, Digital
Rights Management (DRM), and forms and your business processes are now supported more completely
and more securely than ever before, with a software cost of exactly zero. May the file share rest in peace.
Chapter 2:
SharePoint Server 2007 Unleashed
By Dan Holme
Microsoft Office SharePoint Server 2007. What a mouthful. And what a handful. First, let’s take care of
the mouthful—the product is often referred to as SharePoint Server, just SharePoint, or MOSS. I’ll refer
to it as SharePoint Server or SharePoint Server 2007. As for the handful, SharePoint Server addresses an
exceptionally broad range of business scenarios by delivering capabilities in six categories: Portal, Enterprise Search, Collaboration, Business Intelligence, Business Process, and Content Management.
Whether you’re new to SharePoint Server and want to learn what business value it offers your organization, or you’ve experienced earlier versions of SharePoint Server and want to see what 2007 brings,
I’d like to guide you on a journey into SharePoint Server 2007 through seven “experiences”:
1. Obtain and install SharePoint Server 2007.
2. Configure the top-level site.
3. Create a departmental site.
4. Create a document library.
5. Subscribe to changes in the library by using RSS.
6. Take the library offline through Microsoft Office Outlook 2007 integration.
7. Generate a repository for standard Microsoft Office PowerPoint 2007 slides.
However, before we dive in, let’s get a quick overview of SharePoint technology.
What Is SharePoint Server 2007?
SharePoint Server 2007 is a server product that’s part of Microsoft Office System 2007. It sits on top of
Windows SharePoint Services 3.0, which I examined in “Windows SharePoint Services 3.0 Out of the
Box.” SharePoint Server leverages Windows SharePoint Services 3.0’s plumbing and adds its own significant functionality. Figure 1 shows some of SharePoint Server’s Web application features. Some of these
features—such as forms services, Excel Services, and the Business Data Catalog—are exclusive to the
Enterprise version. The rest are included in the Standard version.
As you approach SharePoint Server, you might find, as I did, that its full capabilities are somewhat
mind-blowing. I had to work with SharePoint Server piece by piece, getting acquainted with its features
gradually. That’s why I’ve created these “experiences”—to help you learn as we create our SharePoint
Server sandbox for a fictional organization,
Experience 1: Obtaining and Installing SharePoint Server 2007
The most important SharePoint Server–related URL for you to know is
sharepointserver. This URL will get you to the SharePoint Server Web page, from which you can locate
documentation, support, and (as of this writing), a downloadable trial of both the Standard and Enterprise editions of SharePoint Server 2007.
Figure 1: SharePoint Web application features
Download the trial version of SharePoint Server, as well as Microsoft .NET Framework 3.0, which
you can access from the .NET Framework page at I recommend using a “clean” server for your sandbox, to eliminate any idiosyncrasies that might otherwise cause
problems. Log on to your soon-to-be SharePoint Server system with a user account that’s not the Administrator account but that is a member of the Administrators group. The account you use to install SharePoint Server becomes the default “owner” of the site collection and its sites.
Install .NET Framework 3.0, then install SharePoint Server. There’s no rocket science to either of
the installations. The only choice you need to make is the type of SharePoint Server installation. For our
purposes, choose Basic installation. This installation takes care of the configuration of the server farm,
the server, the applications, and the shared services. However, for a production installation, you’ll more
likely choose the Advanced installation so that you can manually configure the components and set up
your single server in anticipation of eventually increasing to a farm of multiple servers. With the Basic
installation, the standalone server can’t later become part of a multiserver farm.
When installation has completed, you’ll be prompted to run the SharePoint Products and Technologies Configuration Wizard. If you don’t run it now, you can launch the wizard from the Administrative
Tools folder on the SharePoint server. The wizard performs a series of tasks depending on the type of
installation you’ve performed. When the wizard finishes, it informs you of your next step.
In the Administrative Tools folder of your SharePoint Server system, open the SharePoint Central
Administration application. The SharePoint Central Administration Web page will appear. This is where
you’ll perform most of the administration of SharePoint Server. Make a note of the URL for the site—
it will be your server name with a randomly assigned port number, such as http://wss01.windomain.
com:22222. Now you can open the same site from any machine on the network by using the full URL
that includes the port. If you’re prompted to authenticate, use the account you used when installing
SharePoint Server, in the form DOMAIN\username. You’ll need to add the Central Administration Web
site to your Trusted Sites zone to ensure proper functionality. Feel free to poke around and see what has
been configured, but don’t change anything just yet—the Basic installation already configured what was
needed at this point.
Brought to you by Quest Software and Windows IT Pro eBooks
Experience 2: Configuring the Top-Level Site
Open the SharePoint Server site by using the URL http://servername (e.g., http://wss01). The default
home page appears, which you can see in Figure 2.
Figure 2: Default Home page, People and Groups menu
The Basic installation you performed created a site collection. A site collection contains one or more
sites, each of which can inherit security policies, settings, templates, and user and group definitions. In
many production implementations of SharePoint Server, one site collection will suffice. You’ll typically
have a top-level intranet portal within which you’ll create sites for departments, functions, teams, or
SharePoint Server 2007 doesn’t use the areas concept that Microsoft SharePoint Portal Server 2003
uses. SharePoint Server 2007 uses sites, a term that’s more intuitive and effective. By default, sites are
represented as tabs in the global navigation panel at the top of each page. Figure 2 shows tabs for several sites created by default when you install SharePoint Server 2007: Document Center, News, Reports,
Search, and Sites. Also, you’ll see at the left on every page a site navigation panel that contains the Quick
Launch bar and/or a tree view, based on the site’s settings. This is a welcome change from previous versions, in which the Quick Launch appeared only on the default page.
For guidance about how you can customize and brand SharePoint Server, check out “Windows
SharePoint Services 3.0 Out of the Box.” For this chapter, I focus on functionality. Because SharePoint
Server is all about collaboration and access to information, you need to open the site to your users. Click
the Site Actions button in the upper-right corner of the page, and choose Site Settings, People And
Groups (as Figure 2 shows).
On the People And Groups page, select Home Members in the left panel, then click New, and
choose Add Users. Here is where you specify the members of this site by associating permissions with
members and other default groups. You can experiment with locking down your top site later, after
you’ve studied the planning and deployment guides, but I suggest you add your users to the Members
group for now so that their My Site configuration is easier to do.
On the Add Users: Home page, select Add all authenticated users. This configures the group to
include all authenticated users—that is, all of your domain’s users. For our fictitious organization, the users include Colleen Outyall, director of communications; Penny Xavier, budget
manager; and yours truly, Dan Holme.
Experience 3: Creating a Departmental Site
As I mentioned above, the default installation creates several functional subsites, including Document
Center, News, Reports, Search, and Sites. I want to create a site for the communications department.
Colleen’s team wants to collaborate but also needs a way to distribute company brochures to the sales
and marketing teams. I start by returning to the Home page and, from the Site Actions menu, choosing
Create Site. The New SharePoint Site page (in Figure 3) appears. This is where you configure the title,
URL, template, and permissions for the new site.
Figure 3: The New SharePoint Site page
Enter “Communications” as the title and “communications” as the URL. Select the Team Site template (the default). Under User Permissions, select Use unique permissions.
Using unique permissions is important: you might want some users to contribute to a departmental
site but not to the corporate or parent portal, and vice versa. With SharePoint Server 2007’s security
model, each new site inherits the parent site’s security permissions by default. You can “break” that
inheritance while creating a site, as we’re doing now, or you can reconfigure permissions later for an
existing site by using the permissions section of Site Settings. One nice feature of the SharePoint Server
security model is that group definitions belong to the site collection, so if one group requires certain permissions across several sites, you need define the group only once, then give it appropriate permissions
in each site.
When you specify Use unique permissions during site creation, you’re sent to the Set Up Groups for
this Site page, which Figure 4 shows. You can define Visitors, Members, and Owners by using either a
group previously defined in the site collection or by creating a new group and specifying the members.
The members can be users or groups, and the SharePoint Server “picker” makes it easy to search your
domain for those accounts. It’s worth noting that SharePoint Server doesn’t have to use Active Directory
(AD) and the local SAM database as its source of user and group accounts: It can use any .NET Membership Provider, including ASP.NET 2.0’s SqlMembershipProvider.
Figure 4: Set Up Groups for this Site page
A discussion of such “forms-based” or custom membership providers is beyond the scope of this
chapter, but you should still know about them because at some point, you’ll probably need to open part
of your SharePoint Server infrastructure to partners, customers, or others without domain accounts.
Experience 4: Creating a Document Library
Now that you’ve created the Communications site, let’s create a document library for the corporate brochures. On the Communications home page, select Site Actions, Create. Click Document Library, and
give the library a name: I chose “Marketing Communications.” On the New document library page, you
can also turn on versioning, which preserves the history of changes made to a document so that you can
open previous versions. For corporate marketing communications documents, it makes sense to preserve
previous versions, so turn on versioning.
Experience 5: RSS
SharePoint Server lists and libraries are wired for RSS, thanks to Windows SharePoint Services. In the
Marketing Communications library, which Figure 5 shows, click the Actions button and choose View
RSS Feed. Use your preferred RSS reader to subscribe to the feed. I used the built-in RSS capability of
Microsoft Internet Explorer (IE) 7.0.
Figure 5: Document Library Actions
Return to the Marketing Communications library and upload a document. Then check the RSS feed.
You should see your document in the RSS feed within minutes.
Experience 6: Outlook Integration—SharePoint’s Answer to Public Folders
When you add Office applications to the SharePoint mix, you get even more functionality. Office 2003
applications do a good job of integrating with SharePoint Server, but Office 2007 applications integrate
even better. As you walk through a demonstration of Outlook 2007 integration with SharePoint Server,
you’re bound to elicit “oohs,” “ahhs,” and “wows” from your team and management. You’ll also get a
glimpse into how Microsoft is moving toward replacing public folders with SharePoint.
In the Marketing Communications library, click Actions and choose Connect to Outlook. The document library will appear in your Outlook folder hierarchy and will be synchronized based on your Send/
Receive settings. Figure 6 shows the uploaded brochure within Outlook—Outlook made it available
offline automatically.
Figure 6: Document Library in Outlook
Experience 7: Slide Libraries
Give this experience a try if you have access to PowerPoint 2007. From the Communications home page,
select Site Actions, Create. This time, choose Slide Library and give the library a name. I chose “ slides,” but it would be wiser to keep names restricted to alphanumeric characters and
spaces because SharePoint Server deletes periods.
In PowerPoint, create a presentation with several slides and save it. Then, in the slide library, click
Upload and choose Publish Slides (you can also publish from the Office menu in PowerPoint). You’ll be
asked which presentation to publish, and you’ll be given the chance to select specific slides. When you’re
done, refresh the slide library, select one or more slides, then click Copy Slide to Presentation. SharePoint
launches PowerPoint and creates a presentation with the selected slides.
Can you imagine how happy your communications team will be to create “standard” slides that can
be reused, instead of reinvented, and can be managed (updated and deleted) centrally? This might be the
best thing to ever happen to PowerPoint. My clients’ dreams of consistent communications might actually begin to come true.
Experience SharePoint
Many of my clients are IT organizations that need to know what “low-hanging fruit” can be picked
with SharePoint Server. I hope the experiences I’ve led you through so far will give you something to
show your management or other stakeholders in your organization and will give you the confidence and
interest to approach SharePoint Server yourself and get acclimated to its capabilities.
Chapter 3:
SharePoint Server 2007 Revealed
By Dan Holme
Let’s continue our journey into Microsoft Office SharePoint Server 2007 to gain an understanding of its
new features and capabilities. In “SharePoint Server 2007 Unleashed,” I covered seven “experiences”
that I designed to introduce you to SharePoint Server 2007 functionality. Now let’s look at eight more
experiences (including one that repeats a lesson from last time), which will help you become familiar
with SharePoint Server 2007 sites, lists, and libraries, as well as SharePoint workflow, forms, and business intelligence.
Experience 8: Content Management
SharePoint content management lets you control when, by whom, and how content gets published to an
intranet or Internet site. We’ll use SharePoint’s default News site to look at some of the fundamentals of
content management in SharePoint. Because this experience is browser based, you don’t need any Microsoft Office 2007 applications for it.
Go to the News tab in the top link bar, then click News, Sample News Article. We’ll begin by modifying this existing sample article, then we’ll create a new article. Click the Site Actions button on the
upper right side and choose Edit Page.
You’ll see the page change into Edit mode, as Figure 1 shows, which displays the Page Editing
toolbar. You can use the toolbar controls to change the content of this article. You’ll see labels for content components, such as Page Image, Article Date, Byline, Content, Image Caption, and Rollup Image, which appear as a result of the specific page layout that was chosen. Notice that when you edit a content component, you use a rich, Microsoft Office Word–like WYSIWYG editor that you can configure to include features you want. Besides editing, you can format text, embed pictures, and create tables. You’ll learn more about page layouts in a moment, but for now, change the title, date, byline, and content. The layout itself will look much better when the article is not in Edit mode, and you can choose Preview In New Window from the Tools menu to see that.
Figure 1: Using the Page Editing toolbar
When you’re finished, click the Publish button to make the edited page visible to users. Pages can
be submitted as drafts by clicking Check In To Share Draft, in which case the page becomes a minor,
or “dot” version (e.g., version 0.1 or 1.3). Draft versions aren’t visible to all site users. When a page is
approved and published, it becomes a major version (e.g., 1.0 or 2.0). You can configure who is allowed
to view drafts and workflows to determine who can approve a submitted draft. You’ll learn more about
workflows in a later experience.
Now let’s create a new page. Click Site Actions, Create Page. Give the page a title (I chose “More
Good News”) and a URL (I used moregoodnews). Then select a page layout. The page layout you select
determines the content components of the page. The page we edited earlier was the Article page with
image on left layout. Click Create and the page will be created and put immediately into Edit mode.
Create some content for your article and click Publish to publish it. Page layouts can be completely customized by using Microsoft Office SharePoint Designer 2007 or Microsoft Visual Studio 2005.
Experience 9: Content Queries and Roll Ups
SharePoint Server lets you query content from one site or across multiple sites and “roll it up” for display in one place. Go to the News home page. Click Site Actions and choose Edit Page. You use the same
command that we used to modify the article to modify Web part pages such as each site’s home page.
In Edit mode, you can see the three Web parts that make up the News site. In Figure 2, the Web parts
appear in the main section of the window, each in their own box below an Add a Web Part heading.
Click the edit button on the Recent News Web part, and choose Modify Web Part. As Figure 2
shows, a panel will open on the right of the screen to show the Web part’s properties. In our example,
this Web part is, in fact, a Content Query Tool Part, one of the Web parts installed by SharePoint Server
2007. The Recent News Web part queries all news articles and, importantly, sorts them in descending order of date modified and limits display to only one item. In this way, the “headline” on the page will always show the most recently published News page.
The News Roll Up Web part is also a Content Query Tool Part. You can configure this Web part to sort news articles by such variables as date created or date modified, and to display news articles in ascending or descending order. You can also configure how many articles to display.
Figure 2: Editing the Recent News Web part
Experience 10: RSS Aggregation
Although you can use an external feed reader to subscribe to a SharePoint library or list, Windows
SharePoint Services includes an RSS Viewer Web part, which you can insert in any Web part page.
On the News home page, click Site Actions, Edit Page. Click the edit button on the RSS Viewer
Web part and choose Modify Web Part. In the RSS Viewer Web part properties panel, expand the RSS
Properties section and enter an RSS feed URL. I used sharepoint/rss.xml, which
is the Microsoft SharePoint team’s blog. Click OK, then click Publish. You should see an RSS aggregation on your SharePoint page.
Experience 11: Déjà Vu: Creating a Departmental Subsite
I covered this experience in my previous chapter, but before we continue, let’s create a site for the
people who will write the check for your SharePoint Server license: your Finance department.
Go to SharePoint Server’s Home tab; choose Site Actions, Create Site; and configure the site with
Finance as the title, finance as the URL, a Team Site template, and unique permissions. Either add a real
user account or create one for testing. I use Penny Xavier, budget manager, as an example.
Experience 12: Report Libraries: Excel Services and Dashboards
Use Microsoft Office Excel 2007 to create a simple worksheet that contains some numbers. We’ll use this
to create a performance indicator that will appear on our SharePoint page, so make sure that one cell has
a value that you can compare against another cell’s “goal” value. For example, create a spreadsheet with
a grand total value in cell C7 and a goal value in cell C8.
At the Finance site that you created in Experience 11, click View All Site Content, Create. Select a
Report Library and call it Reports. Click the Upload button and upload the spreadsheet you created.
You’ll be prompted to fill in document properties such as a filename, friendly title, description, and
whether you wish to maintain version history for the report.
Like other SharePoint Server features we’ve looked at, SharePoint Server’s Excel Services packs
power. Calculations are actually performed on the server and heavy-duty crunching can even be
offloaded to Windows compute clusters. However, for this experience, our budget manager, Penny, just
needs to see the data to know whether the business is on track.
In the Reports library, click New and choose Dashboard Page. Enter a filename (I used finance.aspx),
title (I used Finance Dashboard) and a two-column vertical layout, and select Create a KPI list for
me automatically. The Finance Dashboard will be created.
In the Excel Web Access [1] Web part, select Click here to open the tool pane. The page will enter Edit
mode. When the Web part’s properties panel appears on the right, find the text box labeled Workbook
and click the browse button. Locate the Excel worksheet you just uploaded, then click OK on the Web
part’s properties panel. Because we have only one worksheet to upload, click the close button on the
Excel Web Access [2] Web part. Click Exit Edit Mode under Site Actions, and SharePoint will refresh the
page, showing your Excel worksheet embedded in the page, rendered by the Excel Web Access Web part
and Excel Services. This view is available even to users who don’t have Excel installed.
Experience 13: Key Performance Indicators
Although Budget Manager Penny might like seeing numbers, decision-makers often want a quick visual
cue as to what is, and is not, on target. Key Performance Indicators (KPIs) can help. In the Finance
Dashboard, click the New button under Key Performance Indicators and choose Indicator from data in
Excel workbook. On the Finance KPI Definitions: New Item page, enter a friendly name for the indicator
(e.g., Business Performance). Click the Excel-like icon next to the Workbook URL field and browse
for your report. After you’ve selected it, you’ll be able to select the cell containing the indicator value
(the “actual” value) and the cells containing the goal value (“desired” value) and the value at which a
warning should be triggered. Click OK to create the indicator, and the KPI you just configured will
appear on the Finance Dashboard.
Experience 14: Create an Expense Report and Workflow
SharePoint Server facilitates moving your business processes and forms online. Let’s set up an online
expense report submission and approval application, using InfoPath 2007, another application in the
Office System.
On the Finance home page, click Site Actions, Create. Select a Form Library and name it Expense
Reports—all other defaults are fine. Now we need to open InfoPath 2007. In the Getting Started dialog
box, select Customize a Sample and choose Sample – Expense Report. Change the header to match your
company name, then click File, Publish. The Publish command lets you save the form to SharePoint,
but first prompts you to save a copy locally.
The Publishing Wizard then appears. Choose the option to publish the form to a SharePoint Server
and click Next. Enter the URL of the Finance site (e.g., http://wss01/finance). You don’t have to enter the
full URL for the Expense Report library—in fact, it doesn’t seem to help to do so, as you’ll be prompted
for the library soon, anyway.
Click Next and ensure that you select the options to enable the form to be filled out using a browser
from a document library. Click Next again. Choose Update the form template in an existing document
library, and select Expense Reports. Click Next two times, skipping the Column Name page, which we
don’t need. A summary page appears. Click Publish. After the form is published, click Close on the final
page of the Publishing Wizard.
Now we’ll create a workflow.
Workflows are ways to support business processes using SharePoint. We’ll specify that after an
expense report has been submitted, Penny or your user must approve it before a check is cut. Back in
your browser, in the Expense Reports library, click the Settings button and choose Form Library Settings, Workflow Settings.
On the Add a Workflow: Expense Reports page, give the workflow a name (e.g., Expense Report
Approval) and select the Start this workflow when a new item is created option and the Start this workflow when an item is changed option. All other defaults are fine. Click Next.
On the Customize Workflow: Expense Report Approval page, enter Penny or your user’s name as an
approver. Click Check Names to confirm that you entered a recognized name—the name will become
underlined. Alternatively, you can click Approvers to find your approvers. Approvers can be individual
users and/or groups. At the bottom of this page, select Update approval status when the workflow is complete.
Now comes the moment of truth. Test it! In the Expense Report library, click New. On a computer
with InfoPath installed, the form will open in InfoPath, ready for the user to complete with the full
functionality provided by the standalone InfoPath client. On a computer without InfoPath, the form
will open in the browser.
Fill in the form and click Submit at the top or bottom of the form. If you have any trouble with that
in your test environment (which I did), just click the Close button at the top of the form and then save
the report when prompted.
Now, let’s see if the workflow triggered correctly. Click the Tasks link in the Quick Launch navigation. You should see the task for your user to approve the just-submitted expense report.
Experience 15: My Site
We don’t want our users to have to look for their tasks. Although users could subscribe to Alerts or RSS
feeds from a task list, or integrate a SharePoint task list directly into Microsoft Office Outlook 2007, a
better solution is to use My Site. My Site, which Figure 3 shows, is a user’s personal portal. You can customize and manage it, and push content to it.
Figure 3: My Site page showing Tasks list
Open a separate instance of Microsoft Internet Explorer (IE) and browse to the Finance site. You’ll
likely be authenticated as yourself. Click the Welcome link with your name at the top of the page and
you’ll see a dropdown menu that lets you sign on as a different user. Log on as your test finance user
(e.g., Penny Xavier). You’ll see the Welcome link change to indicate your new credentials.
Click the My Site link next to the Welcome link at the top right of the window. The first time a user
clicks My Site, SharePoint generates a personal site for the user. The personal site has many capabilities,
and the one we’ll look at right now is task roll up. After the user’s My Site has been created, you should
see Finance listed in the SharePoint Sites section. This list of sites is dependent on the user belonging to
the site, so if you don’t see the Finance site on the list, perhaps you forgot to give the user permission to
it. You can also click the Sites dropdown menu and add the site manually.
When you click the Finance button, you’ll see the titles of tasks, as Figure 4 shows. Users can
browse tasks by department, team, or project, depending on how you’ve configured the site structure.
Figure 4: Creating the Finance Dashboard page
The Journey Continues
After your users experience SharePoint, they might realize its potential for significant ROI. Join me at
the Windows IT Pro SharePoint Web site to discuss SharePoint and
to share in the collective knowledge of a great SharePoint community.
Chapter 4:
SharePoint Security Evolution
By Matt Ranlett and Brendon Schwartz
Microsoft SharePoint Services 2003 has evolved into Microsoft Office SharePoint Server 2007, offering a
much fuller, richer security toolset. Whereas SharePoint 2003 relied on logon security backed by Active
Directory (AD), portal security, and list-level security, SharePoint 2007 improves previously existing
security features while adding auditing features, storage policies, and secure collaboration products such
as Excel Services. Let’s take a look at how security has evolved in SharePoint, how each version tackles
authentication and authorization, and how SharePoint 2007 will benefit your organization.
SharePoint 2003 Authentication
Let’s start by taking a closer look at the security features of Microsoft’s SharePoint 2003 products and
technologies. The foundation of any secure product is the ability to control access to secured materials—
which essentially boils down to digital identity and passwords. Because SharePoint 2003 technologies
rely on AD to provide user-account validation, the password policies of any SharePoint site are basically
the password policies of the underlying AD network. As the Microsoft SharePoint Products and Technologies Resource Kit points out, password policies need to take a host of recommendations into account,
particularly when you’re considering the addition of SharePoint technologies to a network. These recommendations include minimum password length, password complexity, limits on consecutive password attempts, prohibition of sharing passwords, and smart card or biometric device usage.
What exactly does the reliance on AD mean in terms of user authentication (verifying that users
are who they claim to be)? SharePoint 2003 offers two modes of operation: preexisting-account mode and
account-creation mode. In the preexisting-account mode (aka domain mode), an AD account must exist
before a user can access a SharePoint site. In the account-creation mode (selected during SharePoint
installation) you can have an AD account automatically created each time you add a new SharePoint
user. If you’re unsure which mode you’re in, you can use the included Stsadm.exe command-line tool to
find out.
In either case, the existence of this AD account provides the authentication necessary to access
SharePoint. SharePoint validates the existence of the user in AD either through NTLM or Kerberos
protocols. To provide authorization, the system compares the authenticated account with a list of access-control information for the SharePoint site itself. These authorization lists are stored in Microsoft SQL
Server content databases and are modified from within SharePoint. You can organize these lists or
groups at the user level, in site-level groups, or in multisite level groups.
(I’ve just stated that SharePoint relies on AD to provide account validation, but that’s not 100 percent accurate. You can also use local Windows accounts. However, if you don’t use AD, you lose the
ability to pre-populate the SharePoint profile database. And if any users have personal sites, they won’t
be registered for cross-farm synchronization in a server farm environment. Because of these severe
restrictions, AD environments are highly recommended.)
SharePoint 2003 Authorization
What does the reliance on AD mean in terms of user authorization (validating that users have permissions to access a resource)? SharePoint 2003 authorization is based on groups of rights to which specified users or groups of users are assigned. You can easily customize security groups, but by default five
security groups ship with Windows SharePoint Services:
• Administrator—Wields complete control over the Web site
• Web Designer—Controls the look and feel of the Web site
• Contributor—Can add content to existing Web Parts
• Reader—Has read-only access to content in lists and document libraries
• Guest—Holds the lowest levels of permissions. This group is designed to give read access
to sub-portions of a site without giving access to the entire site.
The rights fall into three general categories: list rights, site rights, and personal rights. The system
checks list rights to determine whether a user is able to contribute to a list, edit list items, manage
columns in a list, and so on. The system checks site rights whenever a user attempts to create a site,
manage a site’s users, change the look and feel of a site, and more.
The system checks personal rights when a user tries to create or change a personal list view and use
private or personal Web Parts. Figure 1 shows the full list of available rights in SharePoint 2003.
Figure 1: Available rights in SharePoint 2003
After you grasp how your SharePoint system organizes its rights into groups, you’ll understand how
to organize your users. It’s possible to individually manage each user’s permissions, but creating groups
to hold your users is the recommended best practice. You have two options for grouping your users: site
groups and cross-site groups. A site group is a group of users available for assignment on that particular
SharePoint site. If your users are grouped in a cross-site group, the system actually creates that group at
the top level for the site collection, and it’s available to any site in that site collection.
Suppose your organization, Contoso, has several departments, such as Marketing, Executive,
Finance, and IT. If each of these departments has its own site under the top-level Contoso site, a user in
the Executive department might not have access to documents stored by the Finance department unless
he or she is explicitly granted those rights. However, if the users for each department reside in cross-site
groups, the manager of the Finance department has to grant only the Executive cross-site group read
access to its portal, and all members of the team can be admitted at once.
Site-Level Security
Now, you have groups of users and groups of rights. What can you do with these groups to secure the
SharePoint portal? SharePoint 2003 offers two levels of security: site level and list level.
When you create a SharePoint site, you—as the creator or owner—have a choice about how to
handle security. The options are to inherit the permissions of the parent site or to use unique permissions. If you decide to inherit the parent’s permissions, the security options flow down to the new portal
site and everyone who has any level of access in the parent site has the same level of access in the new
site. If you select unique permissions, you are initially the only user given any access to the new portal
site. After the site’s creation, you can add new users or groups of users to the site and can grant specific
Suppose your Contoso organization has an IT department. The IT department wants to grant
employees the ability to track trouble tickets through their SharePoint issue-tracking list. To that end,
the IT department has created an IT portal site off the main Contoso site. In this fictional organization,
every member of the domain has at least read access at the main company site. When you created the
IT portal site, you did so with inherited permissions; any domain user has the ability to connect to the
IT portal site and see the data on the home page, including the issue-tracking list on the IT portal site’s
home page. Now, the IT department needs to have a location at which it can save IT-specific information, such as server passwords. The IT department doesn’t want users to see that this documentation
exists, so it has created a new portal site with unique permissions. This PrivateIT portal site might have
only members of the IT department as users. When non-IT users attempt to access the PrivateIT portal
site, they’ll see an error message stating that they don’t have permission to access that resource. Optionally, you can have the system prompt them with a message stating that they can ask the administrator to
grant them access to the restricted portal.
List-Level Security
List-level security works similarly, but at the individual list level as opposed to the site level. Consider
again the example of the public IT portal site with its issue-tracking list. Suppose the IT department
wants to give any user the ability to read items in the list, but the department wants to give members of
the Managers cross-site group the ability to add new issues and edit existing issues. In the list’s permissions options, you can add users or groups and assign them various permissions. You simply enter the
list, click Modify Settings and Columns, and click the Change permissions for this list link. Figure 2 shows
the most granular list of rights available for assignment. You might notice the tantalizing Modify item-level security link in the left pane. This link offers you only the ability to toggle users’ views from seeing
and editing all entries in the list to seeing only their own entries in the list.
Figure 2: Granular rights in SharePoint 2003
This item-level permission is a hint of what is to come in SharePoint 2007, which represents a
major evolution in terms of authentication and authorization over that which SharePoint 2003 offers.
Choices are more diverse, more granular, and more intuitive.
SharePoint 2007 Authentication
In SharePoint 2007, you not only have the same Windows-integrated options as before—you also have
the ASP.NET provider model. Use of the ASP.NET provider model removes the need for AD or Windows accounts and gives you new options, such as forms authentication against any store of user data
(e.g., a SQL Server database). You also have the option to use Web-based single sign-on (SSO) options in
which the user is logged on via a non-SharePoint logon form. A familiar example of a Web-based SSO
option is Windows Live ID (formerly known as .NET Passport). This authentication evolution gives
developers and administrators much greater flexibility while installing and configuring SharePoint 2007.
SharePoint 2007 Authorization
The SharePoint authentication changes are important, but they’re not nearly as big as the forthcoming
authorization improvements. In SharePoint 2003, users and administrators are concerned with rights,
but in SharePoint 2007, the term is permissions, and the division between groups of users and groups of
permissions is much more clearly defined. People are assigned to logical groups, such as IT managers,
junior finance employees, and executive team members. Permissions are assigned to logical groups, such
as designers and readers, and the permissions associated with those groups are clearly defined. In SharePoint 2003, the distinction is blurred. At the site level, you might assign a person to the Readers role, but at
the list level, the Readers group acts more like a rights specification. In SharePoint 2003, this dynamic
leads to confusion among administrators: Which group of users is allowed to do what in each site and
in each list?
Another major security improvement in SharePoint 2007 is the addition of finer-grained permissions. Now, not only can you secure a site or list, you can also secure a folder and an item in that list.
Therefore, you can use the same library to store sensitive documents and publicly available documents. To prevent unauthorized access attempts, SharePoint 2007 offers a security-trimmed interface.
If a user doesn’t have permission to view a document or menu item, that document or menu selection
doesn’t even appear to that user. The entire Site Actions menu won’t appear if the user doesn’t have the
required permissions to use any of the menu’s elements.
SharePoint Groups are logical groupings or collections of people. Out of the box, the software offers
three groups: Owners, Members, and Visitors. These groups function like SharePoint 2003’s cross-site
groups in that you can assign them anywhere in a site collection and they will be henceforth available
for use anywhere in that site collection. These groups let you scale permission assignments across large
numbers of people.
The original concept of SharePoint site groups is extremely flexible, making it difficult to effectively organize users and roles. You can assign users to a site group, and you can assign rights to the site
group. Then, by assigning the site groups of users to those groups that contain rights, you effectively
create a role by defining which users can do specific actions. The new version addresses this ambiguity
in the definition and purpose of groups. In SharePoint 2007, the role-based concept of collections of
permissions is now clearly defined as a permission level, which functions as a role. You assign permissions to these permission levels, and you assign these permission levels to SharePoint groups.
Groups are also now always defined at the site-collection level, enforcing a consistent naming convention within all the sites of a site collection. All of this reduces the potential for confusion.
Consider a hands-on example. In a SharePoint portal, click the People and Groups link in the Quick
Nav bar, which Figure 3 shows. Click More to view all your groups. By doing so, you see that your site
has only the default groups available. You want to add two new groups to represent your Contoso IT
department users and your Finance department users. Click New, and select New Group from the dropdown list.
Figure 3: The Quick Nav bar
For the IT department, fill out the form that you see in Figure 4. Notice the permission levels at the
bottom of the form. Before you go on to add a group for the Finance department, create a new security
permissions level for the Finance users.
Figure 4: Adding a new group
Back in the list of groups, click Site Permissions to access the screen that Figure 5 shows. On this
screen, you can see the permission levels and groups to which the Finance users are assigned, and you
can manage the many-to-many relationship between groups and permission levels. You can see that the
roles of Read, Contribute, and Full Control (i.e., administration) exist, along with the new SharePoint
2007 levels of Limited Access (equivalent to SharePoint 2003’s Guest level) and Approver. To add a new
permission level for your Finance team members, click Settings, Permission Levels. A list of available
permissions will appear. Click Add a Permission Level to create a new Finance user role.
Figure 5: Adding a new permission level
On the screen that Figure 6 shows, you can see how many more permission options are available in
SharePoint 2007 than in SharePoint 2003. Select the permissions you want (grant lots of list rights) and
click Create. Now, you have a new permission level for Finance department employees. Go back to your
Permissions home page and add a new group to contain your actual Finance employees. When you do
so, the added Finance user permission group will appear at the bottom of the New Group screen. Now,
you can add users to the Finance group, and any user of the Finance group will have the same permissions in any site in the SharePoint site collection.
Figure 6: Permission options available in SharePoint 2007
Now that you understand how to collect users into groups and how to assign the groups various
permissions, you can see how you’ll use these groups to secure SharePoint 2007. Just as in SharePoint
2003, you can explicitly grant or deny access to a site or a list, but you now have the additional ability
to secure individual list items and document library folders. So, a user might have access to a site and a
document library, but you can have individual documents or folders to which the user has no access.
Administrative Security
This has been a discussion of user-level and site-level security in SharePoint 2003 and SharePoint 2007.
There are additional levels of security available to SharePoint administrators, who can also apply security at the Shared Services level and at the Central Administration level in SharePoint 2007.
Shared Services isn’t a new concept, but it’s now much more apparent. Essentially, Shared Services
administration means that the server-farm administrator can delegate authorization for certain tasks to
other users. This capability is handy when users make unwanted changes, such as item deletions (and
subsequent Recycle Bin clearing). Now, with delegated user authorization, the user doesn’t have to go to
the farm administrator for help.
The final possible level of security configuration in a SharePoint 2007 installation is at the Central
Administration level. There are a lot of new administration features at this level, including security
policies—a set of permissions that apply everywhere across the farm. These Grant and Deny policies
override all other permissions, and you can configure them per Web application and per Web zone.
Common examples of security policy use include granting full read access to auditors and denying all
write access to anyone in the Internet zone (i.e., Extranet). You can also set up the AD service accounts
at this level to prevent unauthorized application behavior on the network. You configure the application
pool accounts, the SharePoint service (SPTimer and Admin Service) accounts, and access to SQL Server
at this level.
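The following added example (a simplified model, not SharePoint's own code or API) shows how the pieces described in this chapter combine: groups map to permission levels many-to-many, farm-level Grant and Deny policies are applied per zone on top of them, and the interface is trimmed to what remains. The permission strings, the menu, the user and group names, and the rule that Deny is evaluated after Grant are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Permission levels act as roles: named sets of individual permissions.
# The level names come from the chapter; the permission strings and the
# contents of "Finance User" are constructed for this example.
LEVELS = {
    "Read": frozenset({"view", "open"}),
    "Contribute": frozenset({"view", "open", "add", "edit", "delete"}),
    "Finance User": frozenset({"view", "open", "add", "edit"}),
    "Full Control": frozenset({"view", "open", "add", "edit", "delete",
                               "manage_permissions", "create_subsite"}),
}
WRITE = LEVELS["Full Control"] - LEVELS["Read"]


@dataclass(frozen=True)
class Policy:
    """A farm-level Grant or Deny policy scoped to one Web application zone."""
    principal: str
    zone: str
    kind: str               # "grant" or "deny"
    permissions: frozenset


@dataclass
class SiteCollection:
    groups: dict = field(default_factory=dict)       # group name -> set of users
    assignments: dict = field(default_factory=dict)  # group name -> set of level names
    policies: list = field(default_factory=list)

    def principals(self, user):
        """The user plus every group that contains the user."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def effective(self, user, zone="Default"):
        """Union of the user's permission levels, then policies applied on top."""
        who = self.principals(user)
        perms = set()
        for principal in who:
            for level in self.assignments.get(principal, ()):
                perms |= LEVELS[level]
        applicable = [p for p in self.policies
                      if p.zone == zone and p.principal in who]
        for policy in applicable:
            if policy.kind == "grant":
                perms |= policy.permissions
        for policy in applicable:
            if policy.kind == "deny":   # assumption: Deny is evaluated last and wins
                perms -= policy.permissions
        return perms


def trim_menu(menu, perms):
    """Security trimming: hide entries the user cannot use and any menu left empty."""
    visible = {}
    for name, entries in menu.items():
        kept = [label for label, needed in entries if needed in perms]
        if kept:
            visible[name] = kept
    return visible


# Constructed menu: (label, permission required to see it).
MENU = {
    "Site Actions": [("Create", "create_subsite"),
                     ("Site Settings", "manage_permissions")],
    "Item": [("View Properties", "view"), ("Edit Properties", "edit")],
}


def build_contoso():
    """Constructed sample data loosely following the chapter's Contoso example."""
    return SiteCollection(
        groups={
            "Visitors": {"alice"},
            "Contoso IT": {"bob"},
            "Finance": {"carol"},
            "Auditors": {"dave"},
            "All Users": {"alice", "bob", "carol", "dave"},
        },
        assignments={
            "Visitors": {"Read"},
            "Contoso IT": {"Full Control"},
            "Finance": {"Read", "Finance User"},   # many-to-many: two levels
        },
        policies=[
            Policy("Auditors", "Default", "grant", LEVELS["Read"]),
            Policy("All Users", "Internet", "deny", WRITE),
        ],
    )


if __name__ == "__main__":
    sc = build_contoso()
    for user in ("alice", "bob", "carol", "dave"):
        for zone in ("Default", "Internet"):
            perms = sc.effective(user, zone)
            print(user, zone, sorted(perms), trim_menu(MENU, perms))
```

In this model the auditor has no group assignment at all and still reads through the Grant policy, while a Full Control user arriving through the Internet zone is reduced to read-only by the Deny policy.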
A Powerful Force
SharePoint 2007 is poised to greatly improve the SharePoint end-user experience. Thanks to a slicker
interface and features such as security trimming, the user will see only the sites, lists, and documents
that they have permission to see. More important, SharePoint 2007 will simplify the life of the administrator, thanks to cleanly organized users and roles defined at one level, the ability to delegate activities to
others via Shared Services, and the introduction of system-wide security policies.
Chapter 5:
High Availability
for MOSS 2007 Server Farms
By Ryan Femling
Microsoft Office SharePoint Server (MOSS) 2007 answers many business needs, from document storage
and information sharing to centralized project tracking to exposing business intelligence (BI) data. As
such, MOSS is considered a business-critical application in most organizations, and therefore you need
to ensure that the services provided are available when needed. In this overview of MOSS 2007 high
availability, I discuss four key areas that will help you design and deploy a highly available SharePoint
environment: selecting the appropriate architecture, understanding core services and their availability
options, implementing your high-availability strategy, and planning for failures.
Architecture Selection
There are many ways to design a MOSS farm, but it’s important to choose a farm layout that is conducive to high availability. Factors such as budget, availability of hardware, desired performance, and service level agreements (SLAs) will affect the number of servers in your farm and their placement. There
are two basic SharePoint architectures that provide high availability: the two-tier architecture and the
three-tier architecture. Figure 1 illustrates both architectures.
Figure 1: Two-tier and three-tier SharePoint architectures
The Web content tier consists of servers that host the Microsoft IIS Web sites that deliver content
to the end user. The application tier hosts all the background services (e.g., Excel Web Access, Search)
that are used by Web parts to display information to the end user.
The two-tier approach features a clustered Microsoft SQL Server back end and a Web server front
end. In this scenario, the front-end servers host the Web content and the application-tier functionality.
The benefit of the two-tier approach is that it’s simpler to design and implement than the three-tier
setup. The major drawback comes in potential performance loss if there’s a heavy reliance on Excel Calculation Services, which performs calculations on Excel workbooks stored in the database, and other
application-layer services.
In the three-tier design, Web servers serve only Web content, and the application services are delegated their own servers. You need to keep in mind a few caveats, which I discuss later on a per-service
basis. The main benefit of the three-tier approach is that it’s highly scalable, allowing for easy expansion.
On the downside, it’s more complex and harder to monitor and maintain.
You also need a load-balancing technology. Network Load Balancing (NLB) and Microsoft Cluster
Service (MSCS) are Microsoft’s two load-balancing technologies. In an NLB architecture, machines
host the same data and share an IP address that clients use to access the load-balanced site or service.
Requests are divided up between the load-balanced hosts according to rules set by an administrator. In
an MSCS environment, hosted services reside in virtual servers. Virtual servers are a group of services
required to run a clustered application; they are coupled with an IP address, network name, and usually
a shared physical disk that all nodes in the cluster have access to. When one node fails, the next node
configured as a possible owner of the service takes the shared resources (IP, network name, physical
disk) and starts the necessary services, thereby starting the virtual server. In our example, we’ll use NLB
on front-end servers and MSCS to cluster the SQL Server back end.
Note that when load-balancing the front-end servers, keep in mind that NLB operating in unicast
mode with a single NIC will prevent inter-host communications, possibly interfering with the functionality of the farm. In this situation, it’s usually best to implement the NLB cluster in Internet Group
Management Protocol (IGMP) multicast mode (provided your switch vendor supports this). Alternatively, you can use a third-party hardware load-balancing solution.
Because failover clusters depend on their shared storage, your storage design is important. There
are many shared-storage devices available today, taking advantage of different technologies from Fibre
Channel to iSCSI. The one consideration that you need to take into account regardless of the technology
leveraged is storage redundancy. It does no good to have redundant servers if your storage device represents a possible single point of failure. If the situation warrants redundancy, it probably warrants redundant storage devices. For both two-tier and three-tier scenarios, SQL Server must be set in an active/passive
failover cluster. This provides for redundancy and ensures that the failure of one node doesn’t
affect the availability of the database.
Services and Availability Options
Knowing the core SharePoint services, their functions, and methods for providing redundancy, when
possible, will help you keep the server farm highly available. MOSS 2007 has five key services:
• The Web Server serves Web content to end users.
• The Query service provides query functionality for MOSS 2007 search.
• Excel Calculation Services performs calculations on Excel workbooks stored in
the database.
• The Index service collects and propagates the results of SharePoint Search crawls. This
information is then used by the Query service to return search results.
• Windows SharePoint Services (WSS) 3.0 Search provides search functionality in the
absence of Query and Index services, and provides full text search of SharePoint Help.
Only the first three services in the list can be made redundant in your server farm, and Table 1
shows you how to do so. The remaining two services, WSS Search and the Index service, can’t be made
The WSS Search service isn’t required if you’re running the Query service and the Index service,
unless you want full-text search in SharePoint Help. If you do, you can run WSS Search on the same
server farm as the Query and Index services with no change in functionality.
Note that although you can’t make these services redundant via load balancing or by installing
them on multiple servers, it’s possible to make them redundant by installing them on a Microsoft Virtual Server virtual machine (VM) and using MSCS to cluster them. Bear in mind that this
redundancy protects only from hardware issues, and might not provide the desired level of performance. For more information on clustering VMs, visit
cfm?articleid=45901&feed =articleLink.
You can attain database redundancy by using a clustered SQL Server configuration; you would then
configure SharePoint to use the SQL cluster virtual server during installation. For more information
about clustering SQL Server, see the SQL Server 2005 Books Online (BOL—
com/en-us/sqlserver/bb428874.aspx) materials and search for “clustering.”
Note: During the install of SQL Server 2005 to multiple cluster nodes, keep in mind that the
installation must be performed from one of the nodes; however, if you’re logged on to one of the other
target nodes during the installation, the install on that node will fail.
To maintain a highly available SharePoint environment, you need to ensure that the availability options
at each tier of your architecture meet your needs. The following procedures relate to the three-tier
architectural model: Web servers in one tier, application services in another tier, and the database back
end in the third tier. To accomplish the following implementation tasks in a two-tier environment, just
add the application server services to the Web servers.
Web servers. To make Web servers highly available, you need two or more servers. You also need to
run NLB or use an external load balancer.
The first step is to install MOSS on the servers you’ll be using for the Web front end. When you
begin the installation, you’ll be prompted whether you want to perform a Basic or Advanced installation. Because this won’t be a standalone installation, select Advanced, and on the next page, select Web
Front End-Only install components required to render content to users, as Figure 2 shows.
Figure 2: Installing MOSS on front-end servers
Then click Install Now. When the installation completes, click Close, which opens the SharePoint
Products and Technologies Configuration Wizard. Proceed through the wizard by performing these
1. Click Next at the Welcome screen and click Yes in the dialog box that advises that you
might have to start or reset related services during configuration.
2. Next, select whether you want to connect to an existing farm or start a new one.
3. Specify the configuration database server and the name of the database, as Figure 3 shows.
Then enter the credentials for the account that the machine will use to connect to the configuration database.
4. If you want to install the Central Administration Web application on your Web server,
select that check box and note the port number (in case you want to load balance it across
your Web servers). You’ll see a summary of your choices. Confirm that they’re correct and
click Next. Click Finish.
Figure 3: Entering configuration database settings
After you install MOSS on your Web servers, you’ll need to configure load balancing. For this
example, I show you how to set up NLB with IGMP Multicast on Windows Server 2003. I prefer to use
the Network Load Balancing Manager, which you’ll find under the Windows 2003 Administrative Tools
menu. To set up NLB, perform these steps:
1. Start the Network Load Balancing Manager on any machine in the domain and click
Cluster, New.
2. On the Cluster Parameters screen, enter the cluster’s IP address and Subnet mask. Under
Cluster operation mode, select the Multicast option and the IGMP Multicast check box, as
Figure 4 shows. Click Next.
3. You’ll be prompted to enter additional cluster IP addresses, which is handy if you plan to
host multiple Secure Sockets Layer (SSL) sites and want them to be load balanced. Click
4. Next, you need to configure port rules. Using the options here, you can specify which ports
are load balanced on a per IP address basis. This means that if you’re only hosting one protocol in your NLB cluster (e.g., HTTP), you need to open only the related ports. Click Next.
5. On this screen, you specify the first host to be added to the cluster. Enter the name of one
of your Web servers and click Next. This screen shows the configuration of the host you’ve
selected. It contains the host priority (which is the host ID within the cluster), the dedicated IP information of the host, and the initial host state (the default is Started). Click
Figure 4: On the Cluster Parameters screen, enter the cluster's IP address and Subnet mask. Under Cluster operation mode, select the Multicast option and the IGMP Multicast check box.
6. The left panel of the Network Load Balancing Manager shows your first host along with its
description and state, as Figure 5 shows.
7. Click Cluster, Add Host, and enter the name of the next host you want to join to the
cluster. Click Next, then click Finish. Repeat this step for each host you want to add.
Figure 5: Showing a host added to a cluster
Don’t forget to add DNS records that point to the NLB cluster IP address for the sites you’re load balancing.
Application servers. You can run the Query service on any number of application servers. However,
the Query and Index services can’t reside on the same server. If they do, the Index service recognizes
that the Query service is installed and it won’t propagate the index. If the content you’re hosting is relatively static (50 percent or more of the requests for your Web servers are for static content), you can see
a potential performance boost by moving the Query service to your Web servers. The resulting performance boost is due to the content caching done by the Query service.
Excel Calculation Services provides support for server-side calculation of workbooks hosted
through Excel Web Access in MOSS 2007. A request to process a workbook is sent to a server running
Excel Calculation Services. The service stores session-state information so that the same server processes
the request until the user session ends or the workbook is closed.
Excel Calculation Services is a resource-intensive service, so in large environments with heavy utilization of complex workbooks, you might want to dedicate a couple of high-power servers solely to this
service. I’ve worked at companies that relied on workbooks so complex that it took a high-end, dual-core machine longer than an hour to do the calculations on them. Cases like that let you see SharePoint’s
true value. If you upload the workbook and make it accessible through Excel Web Access, the calculations are performed from a central location, and you need to buy only the application servers instead
of buying expensive workstations for all employees that need to view the worksheets. Keep in mind,
though, that because these operations are so resource-intensive, they might affect other services running
on the servers.
Failure Management
Despite all precautions, failures will occur. If a failure involving any of the redundant services occurs,
the server will be unavailable, but the service will continue to function. For this reason, it’s important
that you have a monitoring solution in place, such as Microsoft System Center Operations Manager,
that will notify administrators in the event of a failure. Here’s how to handle a failure, depending on
which server fails:
• Web servers—If a Web server fails, the server will no longer be running on the virtual IP
address and NLB won’t direct requests to it. Repair the server, and bring it back up in the
NLB cluster.
• Application servers—If a server hosting Excel Calculation Services or the Query service
fails, that server will no longer respond to requests, and those requests will go to another
server hosting the service. If a server hosting the Index service fails, the Query servers
will continue to respond using cached information. After the server is recovered, index
propagation will resume.
• SQL Server (database) server—In a clustered environment, SQL Server will fail over to
the inactive node in the event of a failure. It’s important to repair the failed node and test
failover/failback to ensure uptime in the event of future failures.
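As an added example (not part of the original chapter and not a Microsoft tool), the checker below reviews a farm description against the availability constraints this chapter states: redundant services on more than one host, Query and Index on separate servers, NLB unicast with a single NIC, an active/passive SQL Server cluster, and redundant shared storage. The dictionary layout, host names, severity labels and finding codes are assumptions made for the example.

```python
REDUNDANT = ("web", "query", "excel_calc")   # services that can run on several hosts
SINGLE_INSTANCE = ("index", "wss_search")    # services that cannot be load balanced


def check_farm(farm):
    """Return sorted (severity, code, detail) findings for a farm description."""
    findings = []
    servers = farm["servers"]
    placement = {}                            # service -> hosts running it
    for host, spec in servers.items():
        for service in spec["services"]:
            placement.setdefault(service, []).append(host)

    # A redundant-capable service on one host is a single point of failure.
    for service in REDUNDANT:
        hosts = placement.get(service, [])
        if len(hosts) == 1:
            findings.append(("high", "single-host",
                             f"{service} runs only on {hosts[0]}"))

    # Index and WSS Search cannot be duplicated; they need a recovery plan.
    for service in SINGLE_INSTANCE:
        for host in placement.get(service, []):
            findings.append(("info", "not-redundant",
                             f"{service} on {host} cannot be load balanced"))

    # Query and Index on one server: the index is not propagated.
    for host, spec in servers.items():
        if {"query", "index"} <= set(spec["services"]):
            findings.append(("high", "query-index-colocated",
                             f"{host} hosts both Query and Index"))

    # Web tier needs a load balancer; unicast NLB needs a second NIC.
    web_hosts = placement.get("web", [])
    nlb = farm.get("nlb")
    if len(web_hosts) > 1 and not nlb and not farm.get("hardware_lb"):
        findings.append(("high", "no-load-balancer",
                         "several Web servers but no NLB or hardware balancer"))
    if nlb and nlb["mode"] == "unicast":
        for host in web_hosts:
            if servers[host]["nics"] < 2:
                findings.append(("medium", "unicast-single-nic",
                                 f"{host} cannot reach other NLB hosts"))

    # Database tier: active/passive failover cluster on redundant storage.
    sql = farm["sql"]
    if sql.get("cluster") != "active/passive":
        findings.append(("high", "sql-not-clustered",
                         "SQL Server is not an active/passive failover cluster"))
    elif not sql.get("redundant_storage"):
        findings.append(("high", "shared-storage-spof",
                         "cluster shared storage is a single point of failure"))
    return sorted(findings)


# Constructed sample farms (host names are placeholders).
WEAK_FARM = {
    "servers": {
        "web1": {"services": ["web"], "nics": 1},
        "web2": {"services": ["web"], "nics": 1},
        "app1": {"services": ["query", "index", "excel_calc"], "nics": 1},
    },
    "nlb": {"mode": "unicast"},
    "sql": {"cluster": "active/passive", "redundant_storage": False},
}
HA_FARM = {
    "servers": {
        "web1": {"services": ["web", "query"], "nics": 1},
        "web2": {"services": ["web", "query"], "nics": 1},
        "app1": {"services": ["excel_calc"], "nics": 1},
        "app2": {"services": ["excel_calc"], "nics": 1},
        "idx1": {"services": ["index"], "nics": 1},
    },
    "nlb": {"mode": "igmp-multicast"},
    "sql": {"cluster": "active/passive", "redundant_storage": True},
}

if __name__ == "__main__":
    for name, farm in (("weak", WEAK_FARM), ("ha", HA_FARM)):
        print(name)
        for severity, code, detail in check_farm(farm):
            print(f"  [{severity}] {code}: {detail}")
```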
It’s All About Reliability
SharePoint is a crucial application in most environments, necessitating a high-availability infrastructure. The two-tier and three-tier architectures satisfy the need for high availability by placing services
that can be made redundant on multiple hosts, and NLB and MSCS technologies provide continuous
access to content in the event of a single cluster node failure. Using the available tools, administrators
can enable the necessary reliability to ensure that data and productivity are maintained.
Chapter 6:
The File Share Is Dead:
Long Live SharePoint Document Libraries
By Dan Holme
The traditional collaborative file share has lived its 15-odd–year life well. From its roots in other network OSs, through its proliferation during the explosive growth of Windows NT, Windows 2000, and
Windows Server 2003 file servers, to today, the file share served our needs. But it’s fading into the
sunset, and a new day is dawning: the era of collaborative document sharing using Windows SharePoint
Services document libraries. To grasp the implications of the shift to document libraries, you’ll need
to understand first why they’re destined to replace file shares in most common file-sharing scenarios.
(Sometimes, file shares still serve the purpose better than document libraries. For a look at these scenarios, see the sidebar “I’m Not Dead Yet!”.) From there, you’ll need to get a handle on the fundamentals of document library implementation: creating, configuring, and securing libraries and viewing,
editing, and monitoring documents in those libraries.
By document libraries, I mean primarily typical information-worker shared folder scenarios, in
which groups of users—a team, a department, or even an entire organization—share access to files for
day-to-day reference and collaboration. SharePoint document libraries will very likely replace file shares
in these scenarios. Document libraries enable capabilities that are crucial to an agile, collaborative enterprise—including checkout and monitoring, which I’ll discuss here—as well as version history, content
approval, workflow, and remote and offline access.
Creating a Document Library
Let’s start with how to implement document libraries in Windows SharePoint Services 3.0 (the process
is virtually identical in Microsoft Office SharePoint Server 2007). To create a document library from a
standard SharePoint team site, or most other templates, either click View All Site Content in the Quick
Launch bar and click Create, or click the Site Actions button and choose Create.
In the Libraries section, you can see what libraries are available, and your first task will be to
determine what type of library you require. Document libraries are the closest equivalent to traditional,
collaborative file shares. Picture libraries are specialized for graphics and include a useful thumbnails
view and a well-implemented slide-show view. There are also form libraries, wiki page libraries, and (in
SharePoint Server 2007) several other types of document libraries.
When you choose to create a document library, you’re asked to enter a name and description,
and you can configure the document library to appear in the left panel, Quick Launch navigation, and
whether versioning is enabled. In the Document Template section of the page, which Figure 1 shows,
you can also specify the type of document that’s created when users click the New button in the document library.
Figure 1: Creating a SharePoint document library
If a document library will generally or exclusively contain one type of document, such as generic
Microsoft Office Word, Excel, or PowerPoint, and if that type is in the Document Template drop-down
list, select it. However, in certain situations you should choose None as the template:
• The template for the type of document you want to create when clicking the New button
in the document library isn’t listed.
• The library will contain a custom document type (e.g., Contracts, Expense Reports).
• The library will be used to create multiple document types.
• A document library will be populated only by uploading documents, not by clicking the
New button.
After you’ve created the document library, you can modify each of these configurations in the document library settings by clicking the Settings button and choosing Document Library Settings. In fact, I
urge you to go to the document library’s settings immediately after creating the library, so that you can
configure it to fully support the capabilities you require, such as forced check-out and version history.
Finally, if you expect to provide search for your document library, you might need to add IFilters,
which are plug-ins that enable SharePoint to index specific document types, such as PDFs. The Microsoft article “No Adobe PDF documents are returned in the search results when you search a Windows
SharePoint Services 3.0 Web Site” ( explains how to install
the Adobe PDF IFilter and modify the registry to enable SharePoint search to crawl and index PDF
documents. Be sure to install the IFilter early, before adding documents of that type to the library.
SharePoint includes a number of IFilters for common document types, including Microsoft’s own document types. Contact application vendors, such as Adobe Systems, for IFilters that support their document types.
Managing Security
You’ll probably want to configure permissions, which can be assigned to any securable object in the
SharePoint model—that is, a top-level site, subsite, library or list, folder, document, or item. By default,
permissions are inherited from the parent object, so that permissions applied to the top-level site are
inherited by all sites, libraries, and documents. But you can “break” the inheritance at any object in
the hierarchy, then configure permissions on that object, which will then be inherited from that point
To set permissions on a document library, open the library. Click Settings, Document Library
Settings, then click Permissions for this document library. Current permissions are displayed, and the
description bar shows the text This library inherits permissions from its parent web site. Click the
Actions menu button, then click Edit Permissions, and confirm by clicking OK. Permissions previously
inherited from the parent object will be copied as the default new explicit permissions for this library,
and you can then add, remove, or modify permissions to meet your requirements. To change the permissions of users or groups, you can select groups or users and use commands in the Actions button menu
(Remove User Permissions and Edit User Permissions). To add a new user or group and configure its
permissions, click New, as Figure 2 shows.
Figure 2: Configuring permissions for a SharePoint group
Although the UI suggests that these are “user permissions,” in actuality you can configure permissions for any user or group. Accounts can be SharePoint groups (created by clicking Site Actions,
finding the Site Settings command, then navigating to People and Groups) or users or groups from the
site’s authentication provider(s) such as Active Directory (AD). As with Windows folder permissions, it’s
a best practice to manage permissions by using groups, not individual users, but there are always exceptions to that rule. I also recommend that you use SharePoint, rather than AD, groups because of the
ease with which site administrators who are nontechnical users can manage SharePoint group memberships. Using SharePoint groups also makes it possible to configure SharePoint groups to enable access
requests—a powerful permissions-management provisioning capability.
Be aware that once an object no longer inherits permissions from its parent, any changes to the
parent won’t “drill down” to the object. To revert an object to inheriting permissions from its parent,
click the Actions button on the Permissions Settings page and choose Inherit Permissions. Doing so
removes all explicit permissions. Unlike Windows NTFS permissions, a SharePoint object can’t have a
mixture of both inherited and explicit permissions: only one or the other.
One of the most important improvements in Windows SharePoint Services 3.0 is the ability to
configure item- (or document-) level security. In previous releases, you could configure security only to
the document-library level. Now, you can configure permissions on individual documents. To see how
this works, hover over a document name and, from the dropdown menu that appears, choose Manage
Permissions. Again, you’ll be informed that the document is currently inheriting permissions from the
library. And, as you can do for the library itself, you’ll be able to choose Actions, Edit Permissions and
set permissions on the document.
Populating a Document Library
After you’ve created and secured a document library, you’re ready to add documents to it. You can add
an existing document to a library by clicking the Upload button in the library’s command bar to upload
one or more documents to the library.
Another way to add a document to a library is to create a new document from the document
library. Click the New button on the document library’s command bar, just above the document list,
then choose the type of document you want to create. The list that’s displayed will include a default
document template, if you configured one as explained earlier. If you want to have a custom document
template or support multiple document types, click the Help button in the upper-right corner of your
SharePoint site and read the online documentation related to template modification or content types.
After the new document is created, the user can modify its contents; when the document is saved, it’s
saved directly to the SharePoint document library.
You can also save a document directly to a SharePoint document library from a SharePoint-compatible application. You need to know the URL for the document library (e.g., http://sharepoint. In the SharePoint-compatible application, use the Save
command, enter the URL in the File name box, press Enter, and you’ll navigate to the document library.
Enter the document name and click Save, as Figure 3 shows. It’s just like saving to a shared folder,
except that you use a URL instead of a Universal Naming Convention (UNC) path.
There are a couple of caveats here. First, as you can see from the sample URL, any embedded punctuation or spaces can make the URL look a bit unwieldy. But although you can generally enter the URL
without the embedded punctuation (e.g., finance/shareddocuments
instead of and access the right location, it’s a wise practice to keep URLs short and clean. Second, users aren’t yet accustomed to navigating
to URLs in interfaces other than a Web browser, so you should consider providing navigation aids, such
as shortcuts (placed on the desktop or in My Documents) or Network Places to the document library
URL. Microsoft Office 2007 system helps somewhat by creating a My SharePoint Sites link in the Open
and Save dialog boxes, as you can see in Figure 3.
Figure 3: Saving a document to a SharePoint document
library from a SharePoint-compatible application
There are two other ways to get documents into document libraries. One way is to use the Windows
Explorer view. Click the View button and choose Explorer View, or click Actions and choose Open with
Windows Explorer. The folder then appears as an Explorer control within the document library or opens
as a Windows Explorer window. You can now use copy (or cut) and paste or drag and drop to copy or
move files between your computer and the document library. Note that if you use the Explorer view,
you might need to configure Internet Explorer’s (IE’s) security zones (Local intranet or Trusted sites) to
include your SharePoint site; otherwise, you’ll be constantly prompted to confirm your actions.
You can also email enable a document library. The steps for configuring email-enabled document
libraries are beyond the scope of this chapter; you can find them in the online SharePoint Help. However, here’s a related tip: If you email enable a document library, configure the library’s Description to
include the email address, so that when users visit the library online they’ll be able to easily identify its
Finally, applications that are SharePoint clients, such as Microsoft Office Outlook 2007 and Microsoft Office Groove 2007, provide excellent support for working with SharePoint document libraries.
Viewing and Editing Documents
A document library displays documents as links. To view a document, click the link, and the document
will be opened by default in read-only mode (although Office 2007 applications will prompt you to select
read-only or edit mode). If you want to edit a document, hover over the document name, and a dropdown arrow appears. Click the arrow for a menu that includes the Edit command for that document
type, such as Edit in Microsoft Office Word. Doing so opens the document in edit mode, so that you can
make changes. When you close or save the document, it’s saved to the document library. Be sure to train
users about the difference between clicking the link (for read-only viewing) and clicking the drop-down
arrow (for commands such as Edit). This knowledge will provide end users the most consistent experience across document types and associated applications.
Control Document Editing
If multiple users may edit documents, you should control editing to avoid conflicts in which two users
try to make and save changes to a document. This is the first SharePoint capability I’ve discussed that
simply isn’t possible by using traditional collaborative file shares. When a user checks out a document,
it’s locked so that no other users can make changes until the user checks in the document. Site administrators can also discard a checkout, which will let other users check out the document, but the original
user can no longer upload his or her changes to the document.
If check-out seems like a good idea (and I think it is), you should configure the document library
to require check-out. To do so, in the document library settings, click Versioning Settings and, at the
bottom of the following page, click Yes to Require Check Out. Now, when a user chooses to edit a document, the document is automatically checked out to the user.
Monitoring Document Changes
If you want to monitor activities in a document library, such as the addition, deletion, or modification
of documents, you can use email alerts or RSS feeds. To configure email alerts, click the Actions button
and choose Alert Me. You’ll be sent an email message if something changes in the library, and you can
specify the Alert Title (i.e., the subject line of the email), to whom the email alert will be sent, what
types of changes will trigger an alert, and how often alerts are sent (immediately, daily, or weekly).
Windows SharePoint Services 3.0 automatically generates an RSS feed for document libraries and
lists. To activate the RSS-feed option, click the Actions button and choose View RSS Feed. You can then
subscribe to the feed by using any RSS reader, such as NewsGator or the RSS aggregator integrated into
IE 7.0 or Outlook 2007.
Try That with a File Share!
Once you’ve created and secured document libraries, and users are creating, viewing, checking out and
editing documents and can more directly track changes to documents and libraries, you’ve mastered the
fundamentals of document-library implementation.
I’m Not Dead Yet!
Although I’ve proclaimed that the traditional collaborative file share is dead, don’t throw your
file servers out the window just yet! You likely have file shares that don’t fit into the shared
folder scenarios I just mentioned, which you’ll need to retain. So before we look at how to
implement document libraries, let’s quickly explore why some file-sharing scenarios are best
suited to traditional file shares.
Large files and archives. SharePoint imposes a fixed maximum size of 2GB per document,
as well as quota settings (defined at the site-collection level) that are generally recommended to
be set at 50MB to 100MB per file but can be increased up to the 2GB ceiling. Storage of large
files in a traditional file share is a bit “cheaper” from a total cost of ownership perspective than
storage of documents in SharePoint’s SQL Server–based content databases and becomes even
cheaper given the interesting storage enhancements that will be introduced in the next release
of the Windows Server OS (Longhorn Server). Access to large files also can become problematic over a WAN, which can stretch the capabilities of the HTTP-based access to documents in
SharePoint. For the same reasons, historical archives can be maintained at somewhat lower cost
in file shares.
Distributed scenarios. DFS and DFS Replication (DFSR) can be used to abstract and
localize access to distributed resources, such as software distribution points, if those resources
are stored in server message block (SMB) shares. So distribution scenarios, such as Microsoft
Systems Management Server (SMS) packages, will be better supported in file shares because no
comparable distributed-resource access method exists for document libraries.
Personal-data storage. Although you could theoretically encourage users to store their personal data in their Microsoft Office SharePoint Server 2007 MySite or in another SharePoint
document library instead of My Documents, it’s generally recommended that you continue
using shell-folder redirection to a traditional file share for user data. Too many applications and
“hooks” in the Windows shell point to My Documents, and users are accustomed to the My
Documents metaphor.
Relational databases and executables. Most flat databases can benefit from migration to
SharePoint, but complex, relational databases will best remain in Microsoft Access, SQL Server,
or other database platforms. Scripts and executables are blocked from SharePoint document
libraries, so files of these types should be stored in file shares.
Source-control systems. Developer source control, through which developers track and
maintain changes over time, is better supported by using applications targeted to that task
instead of a system of document libraries.
Even in these scenarios, SharePoint can still play a valuable role. For example, you might
choose to store large archives or streaming media files in a shared folder but provide links to
those files in a SharePoint links list to make those files easier for users to find. If your developers are storing code in a source-control application, they still might use a SharePoint team
site to collaborate. Or, if you have SharePoint Server 2007, you can configure it to index the
contents of shares, so that their contents are included in search result lists.
The trick is to balance the needs of your organization, your network’s capabilities, and the
types of resources you’re managing in a way that maximizes value and agility. Although the file
server isn’t dead, close analysis of your information-access and collaboration needs will likely
suggest that most traditional file shares in your organization will benefit from migration to
SharePoint document libraries, and those file shares that remain can be supported by SharePoint.
Chapter 7:
Stsadm: Taking Control
of SharePoint Administration
By Kevin Laahs
Each new version of SharePoint has brought changes in the options for managing it via a graphical UI.
The current versions of SharePoint—Windows SharePoint Services (WSS) 3.0 and Microsoft Office
SharePoint Server (MOSS) 2007—provide a Web UI called Central Administration. This application lets
you manage the SharePoint farm at different levels—from individual services on servers to Web applications to shared services.
However, some operations, for example changing the schedule of a background task or setting the
diacritical sensitivity on a search index, aren’t exposed through the UI. To perform such operations,
SharePoint administrators need to call upon the stsadm.exe command-line utility. Let’s look at what
Stsadm is, some of the operations it supports, and how you can use it to automate common management tasks.
Stsadm has been shipping with SharePoint products since its inception. It helps IT pros perform operations that can’t be done through Central Administration and automate and batch operations that would
take longer to complete using the Web interface. Indeed, the tool’s name alone gives us a clue to how
long it’s been around: The first real SharePoint offering was called SharePoint Team Services (STS), and
it primarily was managed via Stsadm.
Each SharePoint release has significantly extended the operations that Stsadm can perform,
and today, MOSS has 183 operations that the utility can perform. You can extend the functionality
of Stsadm by adding other operations to it, which is useful for third parties that layer applications
on top of SharePoint. It’s also useful for extending the base capability of SharePoint. You can find
information about how to extend Stsadm in the Windows SharePoint Services Software Development Kit (SDK) at
You’ll find Stsadm on any server that has had either WSS or MOSS installed on it. It’s located in
the %ProgramFiles%\Common Files\Microsoft Shared\web server extensions\12\BIN\ folder. That’s a
long path to have to navigate to whenever you want to use Stsadm, so the first thing I recommend is to
set up a command prompt shortcut that starts in this folder. Note that to run Stsadm, you must be a
member of the local Administrators group on the server.
You control what each operation does by passing it relevant parameters. You can see the syntax for
each operation by opening a command line and typing
stsadm -help
You can dump the list of all operations by using Stsadm with no parameters. Microsoft provides
more information about Stsadm at and and via the WSS and MOSS SDKs, but the
information isn’t complete. Therefore, trial and error may be required to achieve the desired result. You
can also find documentation for commands that aren’t available from the UI at
The output of an operation will differ for each operation and may or may not be useful for automating common management tasks. For example, the enumsites operation, which enumerates the site
collections in a Web application, produces XML output that you can subsequently parse to perform
mass management tasks on all site collections. Attributes within each XML node provide further information, such as the content database and storage limits associated with each site collection, so you could
use this functionality to move all the site collections in one content database to another.
5 Favorite Stsadm Operations
It would be impossible to go through all 183 Stsadm operations, so here I highlight five of my favorites.
I selected these operations because they’re likely to be used in most SharePoint installations.
MigrateUser. When a user is granted access to a site collection, certain details about the user are
written to the UserInfo table in the back-end Microsoft SQL database. One such detail is the user’s SID,
which ultimately controls access to the site collection. Should the user’s SID change for any reason—for
example, if his or her AD account is moved to a different domain—the user loses access to existing site
collections because the old SID is still in the database. You can use the migrateuser operation to fix the
problem. This feature reads the old and new logon details and updates the relevant details in the database.
Createsiteinnewdb. Every site collection exists in only one content database. By this I mean that all
the content from all the sites and subsites within the collection are stored in the same database. When
you create a site collection through the UI or through the createsite operation in Stsadm, the content
database that houses the collection is the one that is currently least full in terms of the number of site
collections that it can host. The createsiteinnewdb operation is especially useful for situations when you
want to target a particular site to a particular content database—for example, certain sites may have particular service level agreements (SLAs) associated with them and are therefore stored on separate SQL
Backup. The backup operation lets you back up individual site collections as well as the entire farm
(including search indexes) to disk. The ability to back up site collections is useful if you have crucial
sites that need to be backed up more frequently than your regular backup. You can create a single file
that contains everything within a site collection, and you can automate the backup through a scheduled
recurring task. You can also use the export operation to produce a backup file that doesn’t contain the
full contents of the site collection or farm. For example you can omit item versions, thus reducing the
size of the backup file.
Restore. Of course having a backup of a site collection is pretty useless if you can’t restore the site
collection if need be. The restore operation can take a file created using the backup operation and
restore a full fidelity copy of the site collection, either by overwriting the existing site collection or
creating a brand new site collection. This operation is useful for making copies of site collections for
testing/debugging purposes (e.g., copying a production site collection to a test or staging farm).
SetProperty. The setproperty operation, along with its counterpart getproperty, is used to set attributes on many different SharePoint components. For example, you can use the jobusage-analysis property to control the frequency and time of day for usage-analysis processing on the server. Similarly, there
are properties that control the frequency and time that the server sends out alerts. You can see a list of
the configurable properties by typing the command
stsadm -o setproperty
A partial list of documented properties is available at
There are many SharePoint timer jobs that you can view using the Operations tab from SharePoint
Central Administration. You can also see the frequency of each job, but Central Administration provides
no way to change this frequency or the time of day that the timer job runs. As I mentioned earlier, some
jobs are controlled via a configurable property, but others are controlled via their own operation. For
example, there are operations for controlling when the information management expiration policy runs
(setpolicyschedule) and when profile synchronization occurs (setsearchandprocessschedule). These operations take a “recurrence string” as a parameter (e.g., “every 10 minutes between 0 and 59” or “daily at
13:00”). Therefore, if you need to kick off a task immediately, you use Stsadm to tweak its schedule. To
find out what the syntax for these recurrence strings is, look at the Help for setcontentdeploymentjobschedule.
Using Stsadm to Automate Tasks
Because Stsadm is a simple command-line utility, you can further simplify its use by wrapping it in
a script or command file that can take parameters. You can also use the Windows Task Scheduler to
schedule common tasks you perform with Stsadm. For example, you can schedule regular backups of
particular site collections by placing the appropriate backup operations in a command file and scheduling the file to run at the appropriate times.
You can also leverage the output from some Stsadm operations. A simple example here is the
enumsites operation that I mentioned earlier and its companion operation enumsubwebs. These output
XML files are convenient fodder for many Web Parts. Therefore, if you schedule a task that enumerates
your sites and directs the output of that task to a central file, you can use that file as input to a Web Part
to display your up-to-date list of sites in a Web Part page.
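The two automation ideas above (parsing enumsites output for mass management, and scripting site-collection backups) can be combined in one script. The following PowerShell is an added example, not code from the chapter: the sample XML is constructed, the URLs and the D:\SPBackup folder are hypothetical, and the attribute names (Url, Owner, ContentDatabase, StorageUsedMB, StorageWarningMB, StorageMaxMB) are assumed to match what your farm's enumsites output contains. It assumes PowerShell 3.0 or later and does nothing but print unless you pass -Execute.

```powershell
param(
    [switch]$Execute,                                         # dry run unless set
    [string]$WebAppUrl  = 'http://intranet.example.local',    # hypothetical URL
    [string]$BackupRoot = 'D:\SPBackup'                       # hypothetical folder
)

# Constructed sample of "stsadm -o enumsites -url <web application>" output.
# Attribute names are an assumption about the output shape; values are invented.
$SampleEnumSitesXml = @'
<Sites Count="3">
  <Site Url="http://intranet.example.local" Owner="EXAMPLE\spadmin" ContentDatabase="WSS_Content_Intranet" StorageUsedMB="412.5" StorageWarningMB="800" StorageMaxMB="1000" />
  <Site Url="http://intranet.example.local/sites/finance" Owner="EXAMPLE\jdoe" ContentDatabase="WSS_Content_Finance" StorageUsedMB="950.2" StorageWarningMB="800" StorageMaxMB="1000" />
  <Site Url="http://intranet.example.local/sites/hr" Owner="EXAMPLE\asmith" ContentDatabase="WSS_Content_Intranet" StorageUsedMB="35.0" StorageWarningMB="0" StorageMaxMB="0" />
</Sites>
'@

# Turn each <Site> node into an object and flag quota conditions worth reviewing.
function ConvertFrom-EnumSitesXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)
    foreach ($node in $doc.SelectNodes('/Sites/Site')) {
        $used = [double]$node.GetAttribute('StorageUsedMB')
        $warn = [double]$node.GetAttribute('StorageWarningMB')
        $max  = [double]$node.GetAttribute('StorageMaxMB')
        [pscustomobject]@{
            Url             = $node.GetAttribute('Url')
            Owner           = $node.GetAttribute('Owner')
            ContentDatabase = $node.GetAttribute('ContentDatabase')
            StorageUsedMB   = $used
            StorageMaxMB    = $max
            NoQuota         = ($max -eq 0)                    # 0 means no limit set
            OverWarning     = ($warn -gt 0 -and $used -ge $warn)
        }
    }
}

# Summarize site collections per content database.
function Get-DatabaseSummary {
    param([object[]]$Sites)
    $Sites | Group-Object ContentDatabase | ForEach-Object {
        [pscustomobject]@{
            ContentDatabase = $_.Name
            SiteCollections = $_.Count
            StorageUsedMB   = ($_.Group | Measure-Object StorageUsedMB -Sum).Sum
            WithoutQuota    = @($_.Group | Where-Object { $_.NoQuota }).Count
        }
    }
}

# Build one "stsadm -o backup" argument list per site collection,
# with a date-stamped file name derived from the site URL.
function Get-BackupPlan {
    param([object[]]$Sites, [string]$BackupRoot, [datetime]$Date = (Get-Date))
    foreach ($s in $Sites) {
        $uri  = [uri]$s.Url
        $name = (($uri.Authority + $uri.AbsolutePath) -replace '[^A-Za-z0-9]+', '_').Trim('_')
        $file = [IO.Path]::Combine($BackupRoot, ('{0}_{1:yyyyMMdd}.bak' -f $name, $Date))
        [pscustomobject]@{
            Url       = $s.Url
            File      = $file
            Arguments = @('-o', 'backup', '-url', $s.Url, '-filename', $file, '-overwrite')
        }
    }
}

if ($Execute) {
    # Stsadm location as given in the chapter.
    $stsadm = [IO.Path]::Combine($env:CommonProgramFiles,
        'Microsoft Shared\web server extensions\12\BIN\stsadm.exe')
    $xml = (& $stsadm -o enumsites -url $WebAppUrl | Out-String)
    if ($LASTEXITCODE -ne 0) { throw "enumsites failed: $xml" }
} else {
    $xml = $SampleEnumSitesXml
}

$sites = @(ConvertFrom-EnumSitesXml -Xml $xml)
Get-DatabaseSummary -Sites $sites | Format-Table -AutoSize
$sites | Where-Object { $_.NoQuota -or $_.OverWarning } |
    Format-Table Url, Owner, StorageUsedMB, StorageMaxMB, NoQuota, OverWarning -AutoSize

foreach ($job in (Get-BackupPlan -Sites $sites -BackupRoot $BackupRoot)) {
    if ($Execute) {
        $stsadmArgs = $job.Arguments
        & $stsadm $stsadmArgs
        if ($LASTEXITCODE -ne 0) { Write-Warning "Backup failed for $($job.Url)" }
    } else {
        'stsadm ' + ($job.Arguments -join ' ')                # show what would run
    }
}
```

Because each backup file contains everything within a site collection, restrict the backup folder to the same people who are allowed to administer the sites. A scheduled task that runs this script needs an account in the server's local Administrators group, as Stsadm requires.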
Leverage the Command-Line to Extend SharePoint’s Web-Based Management
Stsadm is the SharePoint administrator’s friend. Whether you want to automate standard operations or
perform tasks that are not so common, you can turn to Stsadm. If you haven’t already done so, I urge
you to fire up that command prompt and see what Stsadm can do for you.
Chapter 8:
Safeguard Your SharePoint Content with
Data Protection Manager
By Michael Noel
Microsoft SharePoint Products and Technologies have become a crucial component of the infrastructure in many organizations, with the platform serving as a mission-critical document repository and
collaboration tool. Unfortunately, the platform’s built-in backup and restore capabilities have never
really delivered the type of enterprise capabilities that organizations have come to expect. Of particular
note is the fact that there’s no native way to provide for item-level recovery of documents or list items
stored within SharePoint. With the release of Microsoft System Center Data Protection Manager (DPM)
2007, however, administrators have access to a rich set of recovery tools for SharePoint, allowing for
advanced snapshot-based recovery of SharePoint content from within a simple but powerful interface.
As with any new technology, there are tips and tricks involved with DPM’s deployment and caveats that
you need to take into account. Read on to learn what it takes to deploy DPM into a Windows SharePoint Server (WSS) 3.0 or Microsoft Office SharePoint Server (MOSS) 2007 environment, including best-practice architectures and maintenance requirements of the application.
Introducing System Center Data Protection Manager 2007
In the past, organizations that required robust enterprise backup and restore capabilities for SharePoint
either purchased third-party software or constructed an elaborate process of invoking command-line
utilities such as Stsadm that performed site-collection-level backups. Although many of these third-party products offer great functionality for SharePoint, they can be expensive and cumbersome to use.
Microsoft was on the line to produce a utility that could easily manage and back up SharePoint on its
own terms, allowing both for day-to-day recovery of individual items within SharePoint and for full-scale disaster recovery of the entire SharePoint infrastructure.
System Center DPM is Microsoft’s foray into the enterprise backup space. It’s the second generation
of a product that was designed to provide simple but powerful backup capabilities for Microsoft infrastructures, including the Windows OS, Microsoft SQL Server, Exchange Server, and SharePoint. Microsoft developed DPM to integrate directly with Windows’ Volume Shadow Copy Service (VSS), allowing
the product to create snapshots of data on a protected system as frequently as every 15 minutes. This
means you could potentially configure DPM to recover a failed server to a point in time no more than 15
minutes in the past.
DPM offers two distinct benefits for SharePoint administrators. The first is the ability to take a VSS
snapshot, back up the SharePoint SQL databases, and provide up-to-the-minute restoration capabilities.
The second benefit is DPM’s SharePoint-aware item-level recovery capabilities, which allow administrators to restore items from the moment of the last recovery point. It’s important to note that SharePoint
content databases and SharePoint content, although the most critical components to back up in a SharePoint environment, don’t provide for restores of the SharePoint indexes, Web part binaries, or the IIS
metabase on Web front ends. These components should be backed up using SharePoint’s XML-based
backup that is included in the product.
DPM also allows for other advanced functionality such as Exchange database and mailbox-level
recovery capabilities, bare-metal recovery of servers, and the ability for end users to restore earlier file
versions directly from protected file servers simply by using Windows Explorer. In addition, Microsoft makes DPM administration robust and simple using either a PowerShell console or the standard
GUI-based DPM Administrator console, which Figure 1 shows.
Figure 1: The DPM console
To keep managers happy, the console also includes a series of built-in reports, such as the ones shown in Figure 2. These capabilities position DPM as a powerful tool not only for SharePoint, but for any Microsoft-focused organization.
Figure 2: DPM built-in report options
Designing a SharePoint DPM Solution
DPM performs backups from a central console server. This server is directly attached to any disk volumes or tape backup libraries to which data will be backed up. DPM performs both short-term (backup
to disk) and long-term (backup to tape) content protection, and you can configure it to “expire” content
from the disk-based storage and archive that content to tape.
I highly recommend DPM’s short-term backup-to-disk capabilities. They allow an organization to
perform backups quickly, without the need to spool to tape. To use this option, you need to allocate
a large chunk of disk space to the DPM console. Typically, the types of disks presented to DPM are
slower, cheaper disks such as 7200rpm Serial ATA (SATA) drives on a SAN, or a large DAS storage
enclosure. The amount of space required will vary depending on how much data DPM is backing up,
how frequently it takes snapshots of the data, and how often it performs Express Full Backups. (DPM
defines Express Full Backups as backups that include all data from the target, but transfer only changed
files, reducing the amount of time and bandwidth that the backups take.) In addition, a SharePoint
item-level recovery backup is a separate type of backup from a SharePoint SQL database backup, so
you might need to allocate more disk space for this type of backup to have the most flexibility with the
SharePoint restores.
To illustrate, let’s say you have 500GB of data stored in SharePoint content databases. Because the
backup-to-disk volumes used must be larger than the size of the data, you would need approximately
700GB to 800GB of space on the backup-to-disk volume just for the SharePoint SQL database backups
and the snapshots associated with them. In addition, you need to set aside 600GB to 800GB of space for
backups of SharePoint items, as these types of backups are stored on different volumes than the SQL
backups are stored. Total amount of space consumed to back up 500GB of SharePoint content could
easily eclipse 1.5TB on the DPM console in this scenario. Therefore, it’s important to plan out the disk
infrastructure required for DPM’s backup-to-disk capabilities.
Incidentally, one common mistake administrators make when allocating disk space to DPM is that
they create or format volumes before presenting them to DPM through the Management tab of the console. However, DPM prefers unformatted, raw disk space, because it creates a large number of smaller
volumes as part of its provisioning process. You should simply add raw disk space to the server and add
the disks to the console as needed.
Using the DPM System Recovery Tool
It’s not immediately obvious how to back up the DPM console, but it’s highly crucial to do so to prevent the backup infrastructure from collapsing. Microsoft provides a separate tool, known as the DPM
System Recovery Tool (SRT), which Figure 3 shows, for backing up the DPM console. The tool lets you
create a boot disk and provides bare-metal recovery of any server it backs up. This essentially lets you
recreate the exact running state of any server, even if the original server no longer exists.
There are a few key points that are important to understand about the DPM SRT. First, the tool is
completely independent from the standard DPM product. It installs from separate media, uses its own
agents, and operates independently. Second, by default, the SRT keeps all system backups indefinitely,
which could cause the server to quickly run out of disk space. Be sure to configure the server to keep
only a specified number of backups. Finally, remember that without SRT, a DPM infrastructure has a
major Achilles heel: If the DPM console goes down, all backup history and logs will be lost, and recovering the data would be a challenge.
Figure 3: The DPM System Recovery Tool
Preparing Servers for Backup
There are several prerequisites you need to satisfy before you install DPM and before it can protect
managed servers. First, the DPM console must have access to its own SQL Server database for storing
DPM-specific configuration and job information. Best practice would be to use a local SQL Server
Express database on the DPM console server, as storing the database on a protected server could be
catastrophic if that server went down.
You should also install both Microsoft IIS and Windows Deployment Services (WDS) on the
machine before you install the DPM software. From experience, I can tell you that if you forget to install
IIS and WDS in advance, DPM installation will likely fail, particularly if the server you are installing
DPM on is running Windows Server 2003 SP2. You must also install PowerShell 1.0 and the VSS patch
referenced in the Microsoft article “Availability of a Volume Shadow Copy Service (VSS) update rollup
package for Windows Server 2003 to resolve some VSS snapshot issues,” at
The DPM console must be installed with Windows Server 2003 SP1 or R2, as Windows Server 2008
is not yet supported. I also recommend that you install the 64-bit version of both Windows and DPM
2007, because memory support is better, and the system will scale much better than a 32-bit version
will. As a side benefit for Exchange Server 2007 administrators, installing the 64-bit version of DPM lets
you run the native version of Eseutil against backed up copies of Exchange databases.
All managed servers must be running Windows 2003 SP1 or later and have the KB940349 patch
installed. SQL servers must be either SQL Server 2005 SP1/SP2 or SQL Server 2000 SP4, and must have
the VSS Writer service running.
To perform an item-level backup of SharePoint, the SharePoint Web front-end servers must satisfy their own specific requirements. This involves installing a SharePoint-specific patch referenced in
the Microsoft article “Description of the Windows SharePoint Services 3.0 post-Service Pack 1 hotfix
package: January 31, 2008,” (, starting the VSS Writer service, and
providing the protection agent with the credentials for the MOSS/WSS farm. This last step is a bit more
involved, but essentially involves running the ConfigureSharePoint.exe tool from the SharePoint Web
front-end server. This tool, located in the \bin subfolder of the DPM installation directory on the DPM
server, prompts you to enter the farm administrator credentials for SharePoint. You must re-run the tool
whenever the farm administrator credentials change.
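The protected-server prerequisites above can be audited remotely before any agents are pushed out. The PowerShell function below is an added example, not part of the original chapter or of DPM itself; the function name, the service names SQLWriter and SPWriter, and the server name in the usage comment are assumptions, and it needs PowerShell 2.0 or later on the machine it is run from.

```powershell
# Added example: audit one server against the protected-server prerequisites above.
# Assumed, not from the chapter: function name, service names SQLWriter/SPWriter.
function Test-DpmPrerequisite {
    param(
        [string]$ComputerName = '.',
        [switch]$SqlServer,           # also require the SQL Server VSS Writer
        [switch]$SharePointFrontEnd   # also require the SharePoint VSS Writer
    )

    function New-Result($check, $passed, $detail) {
        New-Object PSObject -Property @{ Check = $check; Passed = [bool]$passed; Detail = $detail }
    }

    # Windows Server 2003 reports version 5.2 and must be at SP1 or later.
    $os  = Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName
    $ver = [version]$os.Version
    $osOk = ($ver.Major -gt 5) -or
            ($ver.Major -eq 5 -and $ver.Minor -eq 2 -and $os.ServicePackMajorVersion -ge 1)
    New-Result 'Windows 2003 SP1 or later' $osOk "$($os.Caption) SP$($os.ServicePackMajorVersion)"

    # KB940349 is the patch the chapter requires on every protected server.
    $kb = Get-WmiObject Win32_QuickFixEngineering -ComputerName $ComputerName |
          Where-Object { $_.HotFixID -like 'KB940349*' }
    $kbDetail = 'not found'
    if ($kb) { $kbDetail = 'installed' }
    New-Result 'KB940349 installed' $kb $kbDetail

    # Role-specific VSS writer services must exist and be running.
    $services = @()
    if ($SqlServer)          { $services += 'SQLWriter' }
    if ($SharePointFrontEnd) { $services += 'SPWriter' }
    foreach ($name in $services) {
        $svc = Get-WmiObject Win32_Service -ComputerName $ComputerName -Filter "Name='$name'"
        $state = 'service not installed'
        if ($svc) { $state = $svc.State }
        New-Result "$name running" ($state -eq 'Running') $state
    }
}

# Usage (SQL01 is a constructed server name):
# Test-DpmPrerequisite -ComputerName SQL01 -SqlServer | Format-Table Check, Passed, Detail -AutoSize
```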
And, of course, before any backups can take place from the console, you must deploy specialized
DPM agents to any system that will be backed up. These agents, deployed and administered from the
console, as Figure 4 shows, can be pushed out to systems using an account with local admin rights
on the servers. After you’ve satisfied all prerequisites and pushed out the agents, you create the initial
backup replicas via the use of Protection Groups.
Figure 4: Deploying DPM agents to protected systems
Creating a Protection Group
DPM uses the concept of a Protection Group, such as the ones that Figure 1 shows. Each Protection Group provides for different schedules, snapshot frequencies, and retention ranges, which you
configure when you create the Protection Group. For each Protection Group, a replica volume and a
recovery point volume are created for each protected resource. For SharePoint content databases, this
means that each protection group will create two volumes for every content database. The recommended sizes for the replica and recovery point volumes will change based on criteria you specify when
creating the group, so it’s not a bad idea to play around with those numbers to see how performing
additional Express Full Backups or taking snapshots of data more often increases or decreases recommended volume size. Bear in mind that the recommended size for each of these volumes is determined
according to the current size of the database, so you should increase the volume sizes if you anticipate
that content database size will increase.
It’s crucial that you understand the difference between a SQL content database backup and a SharePoint item-level backup. The SQL content backup is based on VSS snapshots, but an entire database
would need to be recovered in the event of data loss. These types of backups are geared toward scenarios involving disaster recovery. The SharePoint item-level backups, which are performed against a
SharePoint Web front-end server, aren’t snapshot-based, so items can be recovered only at the point of
the last Express Full Backup, but this type of backup lets you recover individual items without initiating
a full database restore.
Restoring Content
The Recovery tab of the DPM console is where administrators can initiate restores of individual SharePoint items or of entire SharePoint content databases. You can restore SharePoint SQL content databases from SQL backups—either by overwriting an existing database or recovering it to a different SQL
Server instance or even a flat network folder.
SharePoint item-level recovery using the DPM console simply requires navigating through a folder
hierarchy to find the individual document or list item and restoring it to the SharePoint site. Assuming
the item hasn’t been archived to tape, it’s immediately restored to the site.
Understanding DPM Licensing
DPM licensing costs are calculated according to the type of server being backed up. Standard Windows
servers, such as file servers, require a DPM standard license; application servers such as Exchange, SQL
Server, and SharePoint servers require an enterprise license. Your organization might already own
DPM licenses, particularly if you’re invested in other System Center products such as Operations Manager 2007 or Configuration Manager 2007. It’s best to check with Microsoft to see what type of deal you
can obtain.
Not Perfect, But...
For those organizations heavily invested in SharePoint and without a current item-level recovery product
in place, DPM is an excellent choice. DPM is an impressive product, and there’s something quite
magical about how simple it is to restore an entire environment painlessly with a few mouse clicks. It’s
not perfect—I’d personally like to see the ability to install multiple redundant primary consoles, for
example—but all in all, it’s an excellent tool to provide for enhanced recovery and protection capabilities for a SharePoint 2007 environment.