Preparing W2K8 for SharePoint 2007/2010 Installation.

December 9th, 2010

The following tweaks can be made to the Windows 2008 Operating System to allow for a smooth installation of SharePoint while increasing the performance of the sites as well:

  1. Remove Internet Explorer Enhanced Security – This option is removed in order to prevent Enhanced Security from interfering with the process of ensuring farm configuration is proceeding correctly.

  2. Install the IIS 6 (Works with IIS 7) Resource Kit on each of the SharePoint servers; this includes several useful tools and/or scripts that may be used throughout the installation, configuration, and maintenance process. http://www.microsoft.com/downloads/en/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en

Ensure User Account Control is turned off:  

  1. Click Start, click Control Panel, click User Accounts, click Turn User Account Control On or Off.
  2. Uncheck Use User Account Control (UAC) to help protect your computer, Click OK.
  3. A reboot is required for this change to take effect; do not reboot until the end of the configuration/optimization section where it asks for a reboot to effect all changes from this section.

 Ensure FIPS is disabled on all MOSS Servers:

  1. Click Start, Run
  2. Type gpedit.msc, Click OK
  3. Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  4. Look for System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
  5. Double click it, select Disable, and then click OK.

Disable IPv6 Helper Service (if not being utilized):

  1. Click Start, Run
  2. Type: services.msc
  3. Double-click IP Helper.
  4. Click the drop-down menu beside Startup type:
  5. Click Disabled.
  6. Click Apply.
  7. Click Stop.
  8. Click OK.

Disable IPv6 on Network Interface Card/s:

  1. In the Network Connections folder, obtain properties on all of your connections and adapters and clear the check box next to the Internet Protocol version 6 (TCP/IPv6) components in the list under This connection uses the following items.
Note
  • This method disables IPv6 on your LAN interfaces and connections, but does not disable IPv6 on tunnel interfaces or the IPv6 loopback interface.
  • Step 2 is optional.
  2. Add the following registry value (DWORD type) set to 0xFFFFFFFF: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents
Note
  • This method disables IPv6 on all your LAN interfaces, connections, and tunnel interfaces but does not disable the IPv6 loopback interface. You must restart the computer for this registry value to take effect.
  • For additional information about the DisabledComponents registry value, see Configuring IPv6 with Windows Vista/7.
  • If you disable IPv6, you will not be able to use Windows Meeting Space or any application that relies on the Windows Peer-to-Peer Networking platform or the Teredo transition technology.

 Disable Firewall on All Servers:

Disable the firewall portion of Windows Firewall with Advanced Security from a command prompt:  

  1. Open an Administrator: Command Prompt. To do so, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. At the command prompt, type the following command:

netsh advfirewall set allprofiles state off

 Disable the firewall portion of Windows Firewall with Advanced Security by using the Windows Firewall Control Panel program:

  1. Click Start, click Control Panel, click Network and Internet, and then under Windows Firewall, click Turn Windows Firewall on or off.
  2. On the General tab of the Windows Firewall Settings dialog box, select Off (not recommended), and then click OK.

To disable the firewall portion of Windows Firewall with Advanced Security by using the Windows Firewall with Advanced Security MMC snap-in:

  1. Click Start, click All Programs, click Administrative Tools, and then click Windows Firewall with Advanced Security.
  2. In the navigation pane, right-click Windows Firewall with Advanced Security on Local Computer, and then click Properties.
  3. On each of the Domain Profile, Private Profile, and Public Profile tabs, change the Firewall state option to Off (not recommended).
  4. Click OK to save your changes.
Caution
Do not disable Windows Firewall by stopping the service. Instead, use one of the preceding procedures (or an equivalent Group Policy setting) to turn the firewall off. If you turn off the Windows Firewall with Advanced Security service, you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, Windows Service Hardening, and network protection from attacks that employ network fingerprinting. For more information about Windows Service Hardening, see http://go.microsoft.com/fwlink/?linkid=104976. Non-Microsoft firewall software that is compatible with Windows Vista and Windows Server 2008 can programmatically disable only the parts of Windows Firewall with Advanced Security that need to be disabled for compatibility. You should not disable the firewall yourself for this purpose. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft.

Install IIS 7 and Application Server components on all SharePoint servers:


Configure Windows 2008 Server/Application Performance:

  1. Click Start
  2. Click Control Panel
  3. Double Click System
  4. Click Advanced system settings
  5. Click on Settings in the Performance section.
  6. On the Visual Effects tab, select Adjust for best performance, Click Apply
  7. On the Advanced tab, under Adjust for best performance of: Select Background Services
  8. Under Virtual Memory
  9. Click Change
  10. Uncheck Automatically manage paging file size for all drives
  11. Select No paging file on C:\
  12. Click Set
  13. Select D:\
  14. Click Custom Size
  15. Initial Size (MB): Type amount of memory in server in MBs: Example: 12GBs x 1024 = 12288
  16. Maximum Size (MB): Multiply Initial Size x 1.5 = 18432
  17. Click Set
  18. Click OK, OK (This requires a reboot, do not reboot until this section is complete.)
  19. Click Environment Variables
  20. Locate System Variables (It’s the second window, be careful not to look in the user variables which is the first window).
  21. Navigate to your D:\ drive and create a folder at the root called TEMP.
  22. Locate the TEMP and TMP variables
  23. Change the path for TEMP to D:\TEMP
  24. Change the path for TMP to D:\TEMP
  25. Locate Path, double click it, locate Variable value, scroll to the end of the current path and type: ;"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Bin"
  26. Click OK, OK

Changing Binding Order of Network Adapters:

  1. Click Start, Run,
  2. Type ncpa.cpl, and then click OK.
  3. You can see the available connections in the LAN and High-Speed Internet section of the Network Connections window.
  4. On the Advanced menu, click Advanced Settings, and then click the Adapters and Bindings tab.
  5. In the Connections area, select the connection that you want to move higher in the list.
  6. Use the arrow buttons to move the connection. It is recommended that your Public NIC is first in the list.

Install Microsoft Certificate Revocation List:

  • Recommend using option 1.
  • Use option 2 if you cannot use option 1.
  • Option 3 allows you to use a VBS script to disable it. (Can be used to create a policy)

Option 1:

  1. Open Internet Explorer
  2. Go to Internet Options
  3. Click the Advanced tab and scroll to the Security section.
  4. Uncheck Check for publisher’s certificate revocation

Option 2:

  1. Download the CRLs and add them to the server manually (I haven’t tested this, but it may work):
  2. Open a command prompt and Change Directory to file location.
  3. Type: certutil -addstore CA CodeSignPCA.crl and press enter.
  4. Type: certutil -addstore CA CodeSignPCA2.crl and press enter.

Option 3:

You can also run the following VBS script to disable it in the registry:

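Const HKEY_USERS = &H80000003
strComputer = "."
' Connect to the WMI registry provider on the target computer
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\default:StdRegProv")
' Enumerate every user hive currently loaded under HKEY_USERS
strKeyPath = ""
objReg.EnumKey HKEY_USERS, strKeyPath, arrSubKeys
strKeyPath = "\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
' Write State = 146944 (0x23E00) for each user, which turns off the publisher certificate revocation check
For Each subkey In arrSubKeys
    objReg.SetDWORDValue HKEY_USERS, subkey & strKeyPath, "State", 146944
Next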

Disable Loopback Check:

To set the DisableLoopbackCheck registry key, follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Apply the following registry change to the file server. To do so, follow these steps:
    1. Start Registry Editor (Regedt32.exe).
    2. Locate and click the following key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

    3. On the Edit menu, click Add Value, and then add the following registry value:

Value name: DisableStrictNameChecking
Data type: REG_DWORD
Radix: Decimal
Value: 1

  3. Locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  4. Right-click Lsa, point to New, and then click DWORD Value.
  5. Type DisableLoopbackCheck, and then press ENTER.
  6. Right-click DisableLoopbackCheck, and then click Modify.
  7. In the Value data box, type 1, and then click OK.
  8. Quit Registry Editor.
  9. A registry import that will disable the loopback check is also available on the provided DVD under scripts; it is named disableloopbackcheck.reg

Configure SQL Client Alias:

If your network is configured to block UDP port 1433 or TCP port 1434 on the computer running SQL Server, you must create a SQL Server client alias on all other computers in the server farm. You can use SQL Server client components to create a SQL Server client alias for computers that connect to SQL Server.

  1. Run Setup for SQL Server on the target computer, and select the following client components to install:
     • Connectivity Components
     • Management Tools
  2. Open SQL Server Configuration Manager
  3. In the left pane, click SQL Native Client Configuration.
  4. In the right pane, right-click Aliases, and select New Alias.
  5. In the Alias dialog box, enter a name for the alias and then enter the port number for the database instance. For example, enter SharePoint_Alias.
  6. In the Port No field, enter the port number for the database instance. For example, enter 40000. Ensure that the protocol is set to TCP/IP.
  7. In the Server field, enter the name of the computer running SQL Server.
  8. Click Apply, and then click OK.

Test SQL Client Alias:

Test connectivity to the computer running SQL Server by using Microsoft SQL Server Management Studio, which is available by installing SQL Server client components:

  1. Open SQL Server Management Studio.
  2. When you are prompted to enter a server name, enter the name of the alias that you created, and then click Connect. If the connection is successful, SQL Server Management Studio is populated with objects that correspond to the remote database.

Note:  To check connectivity to additional database instances from within SQL Server Management Studio, click Connect, and then click Database Engine.

Create SQL client alias on SharePoint Servers:

  1. Run cliconfg.exe
  2. Enable TCP/IP
  3. Click on Alias Tab
  4. Click add alias
  5. Create new alias
     • Alias Name: e.g. “SharePoint”
     • Servername: e.g. “SQL”
  6. Select TCP/IP
  7. Click OK

Move Inetpub Directory off of the C:\ Drive:

  1. Paste the script below into a new text file, name the file MoveIIS7Root.bat (This script is also located at D:\SP2010_Build\Scripts)
  2. Open an administrator command prompt, change directories to where the above file has been saved.
  3. Type: MoveIIS7Root.bat <drive you want to move the Inetpub directory to>
  4. Example: MoveIIS7Root.bat D

REM PLEASE BE AWARE: SERVICING (I.E. HOTFIXES AND SERVICE PACKS) WILL STILL REPLACE FILES
REM IN THE ORIGINAL DIRECTORIES. THE LIKELIHOOD THAT FILES IN THE INETPUB DIRECTORIES HAVE
REM TO BE REPLACED BY SERVICING IS LOW BUT FOR THIS REASON DELETING THE ORIGINAL DIRECTORIES
REM IS NOT POSSIBLE.
@echo off
IF "%1" == "" goto err
setlocal
set MOVETO=%1:\
REM simple error handling if drive does not exist or argument is wrong
IF NOT EXIST %MOVETO% goto err
REM Backup IIS config before we start changing config to point to the new path
%windir%\system32\inetsrv\appcmd add backup beforeRootMove
REM Stop all IIS services
iisreset /stop
REM Copy all content
REM /O - copy ACLs
REM /E - copy sub directories including empty ones
REM /I - assume destination is a directory
REM /Q - quiet
REM echo on, because user will be prompted if content already exists.
echo on
xcopy %systemdrive%\inetpub %MOVETO%inetpub /O /E /I /Q
@echo off
REM Move AppPool isolation directory
reg add HKLM\System\CurrentControlSet\Services\WAS\Parameters /v ConfigIsolationPath /t REG_SZ /d %MOVETO%inetpub\temp\appPools /f
REM Move logfile directories
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.traceFailedRequestsLogging.directory:"%MOVETO%inetpub\logs\FailedReqLogFiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"%MOVETO%inetpub\logs\logfiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"%MOVETO%inetpub\logs\logfiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:"%MOVETO%inetpub\logs\logfiles"
REM Move config history location, temporary files, the path for the Default Web Site and the custom error locations
%windir%\system32\inetsrv\appcmd set config -section:system.applicationhost/configHistory -path:%MOVETO%inetpub\history
%windir%\system32\inetsrv\appcmd set config -section:system.webServer/asp -cache.disktemplateCacheDirectory:"%MOVETO%inetpub\temp\ASP Compiled Templates"
%windir%\system32\inetsrv\appcmd set config -section:system.webServer/httpCompression -directory:"%MOVETO%inetpub\temp\IIS Temporary Compressed Files"
%windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" -physicalPath:%MOVETO%inetpub\wwwroot
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='401'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='403'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='404'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='405'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='406'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='412'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='500'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='501'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='502'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
REM Make sure Service Pack and Hotfix Installers know where the IIS root directories are
reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d %MOVETO%inetpub\wwwroot /f
reg add HKLM\Software\Microsoft\inetstp /v PathFTPRoot /t REG_SZ /d %MOVETO%inetpub\ftproot /f
REM Do the same for x64 directories
if not "%ProgramFiles(x86)%" == "" reg add HKLM\Software\Wow6432Node\Microsoft\inetstp /v PathWWWRoot /t REG_EXPAND_SZ /d %MOVETO%inetpub\wwwroot /f
if not "%ProgramFiles(x86)%" == "" reg add HKLM\Software\Wow6432Node\Microsoft\inetstp /v PathFTPRoot /t REG_EXPAND_SZ /d %MOVETO%inetpub\ftproot /f
REM Restart all IIS services
iisreset /start
echo.
echo.
echo ===============================================================================
echo Moved IIS7 root directory from %systemdrive%\ to %MOVETO%.
echo.
echo Please verify if the move worked. If so you can delete the %systemdrive%\inetpub directory.
echo If something went wrong you can restore the old settings via
echo     "APPCMD restore backup beforeRootMove"
echo and
echo     "REG delete HKLM\System\CurrentControlSet\Services\WAS\Parameters\ConfigIsolationPath"
echo You also have to reset the PathWWWRoot and PathFTPRoot registry values
echo in HKEY_LOCAL_MACHINE\Software\Microsoft\InetStp.
echo ===============================================================================
echo.
echo.
endlocal
goto success
REM error message if no argument or drive does not exist
:err
echo.
echo New root drive letter required.
echo Here an example how to move the IIS root to the F:\ drive:
echo.
echo MOVEIISROOT.BAT F
echo.
echo.
:success

Move IIS Logs:

  1. Click Start, Administrative Tools, and click Internet Information Services (IIS) Manager
  2. Click the Server Name at the top of the left column, locate the IIS section on the right and select Logging.
  3. Locate Directory, click Browse, select a new location, Make New Folder for the IIS logs, select it, and click OK.
  4. This will assist you in finding the LOGs when you need to troubleshoot or point log reader applications to it.

Enable Content Expiration:

  1. Click Start, Administrative Tools, and click Internet Information Services (IIS) Manager
  2. Click the Server Name at the top of the left column, locate the IIS section on the right and double click HTTP Response Headers.
  3. Locate Set Common Headers… under Actions on the far right menu bar.
  4. Check the box next to Expire Web Content:
  5. Select the radio button next to After:
  6. Enter 7 Day(s).

Set Maximum Bandwidth and Concurrent Connections to Unlimited:

  1. Click Start, Administrative Tools, and click Internet Information Services (IIS) Manager
  2. Right click the website you want to edit, click Manage Web Site, and then click Advanced Settings…
  3. Locate the Behavior Section, expand the Connection Limits node, adjust the following:
  4. Connection Time-out (seconds): 300
  5. Maximum Bandwidth (Bytes/second): 0 (zero value sets unlimited)
  6. Maximum Concurrent Connections: 0 (zero value sets unlimited)

Enable Compression:

  1. Create a directory on your D:\ drive called IIS Temporary Compressed Files.
  2. Click Start, Administrative Tools, and click Internet Information Services (IIS) Manager
  3. Click the Server Name at the top of the left column, locate the IIS section on the right and select Compression.
  4. Check the box next to: Enable Dynamic Content Compression.
  5. Point the Cache Directory location to D:\IIS Temporary Compressed Files.
  6. Click Apply, this will enable Dynamic and Static caching for all IIS sites.

Optimize IIS 7 Application Pools

Please keep in mind that these settings can vary slightly depending on your environment. Things to consider here are the amount of memory and CPUs in your servers as well as your users’ usage trends.

  1. Click Start, Administrative Tools, and click Internet Information Services (IIS) Manager
  2. Click the plus sign next to the Server Name at the top of the left column, click Application Pools.
  3. On the far right pane, under Actions, click Set Application Pool Defaults
  4. Configure the following settings:

Restart the server to ensure all of the above changes are applied to the Operating System.
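
Several of the steps above switch off operating-system protections (UAC, Windows Firewall, the loopback check, publisher revocation checking), so it is useful to record their state on each server once the build is done. The read-only PowerShell report below is an added example, not part of the original post; the function names are illustrative, and the UAC, FIPS and firewall registry locations are the standard Windows ones rather than values given on this page.

```powershell
# Added example: report the settings this checklist changes. Read-only.
# Run from an elevated PowerShell 2.0 (or later) prompt on each SharePoint server.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting left at the OS default).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Finding {
    param([string]$Setting, $Value, [bool]$MatchesChecklist)
    New-Object PSObject -Property @{
        Setting = $Setting; Value = $Value; MatchesChecklist = $MatchesChecklist
    }
}

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$findings = @()

# UAC: EnableLUA = 0 means User Account Control is turned off.
$v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
$findings += New-Finding 'UAC (EnableLUA)' $v ($v -eq 0)

# FIPS policy: anything other than Enabled = 1 means the policy is disabled.
$v = Get-RegValue "$lsa\FipsAlgorithmPolicy" 'Enabled'
$findings += New-Finding 'FIPS policy (Enabled)' $v ($v -ne 1)

# Windows Firewall, local policy store; a Group Policy setting can override these.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $v = Get-RegValue "$fw\$profile" 'EnableFirewall'
    $findings += New-Finding "Firewall $profile (EnableFirewall)" $v ($v -eq 0)
}

# IPv6: a DWORD of 0xFFFFFFFF is read back as the signed value -1.
$v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents'
$findings += New-Finding 'IPv6 (DisabledComponents)' $v ($v -eq -1)

# Loopback check and strict name checking, as set in the registry steps above.
$v = Get-RegValue $lsa 'DisableLoopbackCheck'
$findings += New-Finding 'DisableLoopbackCheck' $v ($v -eq 1)
$v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'DisableStrictNameChecking'
$findings += New-Finding 'DisableStrictNameChecking' $v ($v -eq 1)

# Publisher certificate revocation check is per user: walk every loaded hive.
# State = 146944 is the value the VBS script in Option 3 writes.
$suffix = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $v = Get-RegValue "Registry::$($hive.Name)\$suffix" 'State'
    if ($null -ne $v) {
        $findings += New-Finding "Publisher CRL check, $($hive.PSChildName) (State)" $v ($v -eq 146944)
    }
}

$findings | Select-Object Setting, Value, MatchesChecklist | Format-Table -AutoSize
```

A row with MatchesChecklist set to True is in the state this checklist leaves it in; keeping the output with the build documentation gives a per-server list of settings to review or restore after installation.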

  1. December 28th, 2010 at 18:12 | #1
    Ashley

    Great post, helped a lot, thank you.

  2. February 1st, 2011 at 22:48 | #2
    Mike Owens

    Nice post, it’s part of my build documentation now. 😉

  3. March 16th, 2011 at 15:33 | #3
    Jan

    Good hints, thanks a lot, it helped!!
