
Install Windows SharePoint Services 3.0 with least privilege administration by using the command line

SharePoint 2007

Updated: December 4, 2008

Applies To: Windows SharePoint Services 3.0


This article discusses how to install Windows SharePoint Services 3.0 on a stand-alone server or on a server farm by using least-privilege administration.

The Windows SharePoint Services 3.0 standard configuration uses a set of user accounts and installation settings for both stand-alone servers and server farms to simplify the installation process. However, enterprises are often required to use the least-privilege security practice in which each service or user is provided with only the minimum permissions and group memberships that they must have to do the tasks that they are authorized to perform. Installing Windows SharePoint Services 3.0 to meet least-privilege requirements requires additional preparation and configuration steps. We strongly recommend that you use least-privilege administration.

To install Windows SharePoint Services 3.0 by using least-privilege administration on either a stand-alone server or a server farm, you must complete the following steps:

  1. Plan the deployment and ensure that you have installed all the software requirements.

  2. Determine the required accounts that are used during installation.

  3. Use the least-privilege Setup user account to install Windows SharePoint Services 3.0 by using Setup at a command prompt, and specifying a configuration file.

  4. Configure the server by using the Psconfig command-line tool with the appropriate options.

  5. Create a Web application by using the Stsadm command-line tool (only applies on server-farm installations).

  6. Create a site collection by using the Stsadm command-line tool (only applies on server-farm installations).

Install software requirements

Before running Setup, you must perform several actions to prepare the deployment. For more information about the complete list of actions you must perform before installation, see Install Windows SharePoint Services 3.0 for a server farm environment. Ensure that you have the following software requirements before you run Setup in any deployment:

  • Windows SharePoint Services 3.0 on a clean installation of the Windows Server 2003 operating system with the most recent service pack. To install Windows SharePoint Services 3.0 on Windows Server 2008, see Chapter overview: End-to-end deployment scenarios (Windows SharePoint Services).

    Note:

    All the instances of Windows SharePoint Services 3.0 in the farm must be in the same language. For example, you cannot have both English and Japanese versions of Windows SharePoint Services 3.0 in the same farm.

  • The Microsoft .NET Framework version 3.0. The .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features.

    Note:

    You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=110508).

  • ASP.NET 2.0 enabled in Internet Information Services (IIS) Manager on all servers that are running Windows SharePoint Services 3.0.

  • Microsoft SQL Server 2000 or Microsoft SQL Server 2005 with the most recent service pack running on at least one database server before you install Windows SharePoint Services 3.0 on the Web servers.

To deploy a server farm, you must have at least one server computer acting as a Web server and an application server, and one server computer acting as a database server.

Determine required accounts for least privilege administration

Before installing Windows SharePoint Services 3.0 by using least-privilege administration in any security configuration, you should understand the two-tier security model for Windows SharePoint Services 3.0 and the detailed account permissions that are required for each configuration. For more information, see the following resources:

Many requirements and configuration steps for installing Windows SharePoint Services 3.0 by using least-privilege administration resemble the standard farm installation, with which you should be familiar. For more information about the standard farm installation, see Install Windows SharePoint Services 3.0 for a server farm environment.

The following table describes the accounts that are used to install Windows SharePoint Services 3.0 by using least-privilege administration, compared to the standard account requirements for farm installation.

Account: Setup user account

Purpose: The Setup user account is used to run the following:

  • Setup on each server.

  • The SharePoint Products and Technologies Configuration Wizard.

  • The Psconfig command-line tool.

  • The Stsadm command-line tool.

Server farm standard requirements:

  • Domain user account.

  • Member of the Administrators group on each server on which Setup is run.

  • SQL Server login on the computer that is running SQL Server.

  • Member of the following SQL Server security roles:

    • securityadmin fixed server role

    • dbcreator fixed server role

  If you run Stsadm command-line commands that read from or write to a database, the Setup user account must be a member of the db_owner fixed database role for the database.

Least-privilege administration using domain user accounts requirements: Server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.

  • The Setup user account should not be a member of the Administrators group on the computer that is running SQL Server.

Account: Server farm account or database access account

Purpose: The server farm account is used to:

  • Configure and manage the server farm.

  • Act as the application pool identity for the SharePoint Central Administration Web site.

  • Run the Windows SharePoint Services Timer service.

Server farm standard requirements:

  • Domain user account.

  Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm.

  The server farm account is automatically added as a SQL Server login on the computer that is running SQL Server and added to the following SQL Server security roles:

  • dbcreator fixed server role

  • securityadmin fixed server role

  • db_owner fixed database role for all databases in the server farm

Least-privilege administration using domain user accounts requirements: Server farm standard requirements with the following additions or exceptions:

  • Use a separate domain user account.

  • The server farm account is not a member of the Administrators group on any server in the server farm. This includes the computer that is running SQL Server.

  • The server farm account does not require permissions to SQL Server before you create the configuration database.

The minimum requirements to achieve least-privilege administration include the following:

  • Separate accounts are used for different services and processes.

  • No executing service or process account is running with local administrator permissions.

By using separate service accounts for each service and limiting the permissions assigned to each account, you reduce the opportunity for a malicious user or process to compromise the environment.
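The two membership rules from the account table that are easiest to get wrong (the server farm account is never a local Administrator, and the Setup user account is one only where Setup runs, not on the SQL Server computer) can be verified before Setup is started. The following PowerShell script is an added example and is not part of the Microsoft article; the server and account names are placeholders for your own farm, and it reads local Administrators membership through the WinNT ADSI provider.

```powershell
# Added example (not from the Microsoft article): audit local Administrators
# membership on each farm server against the least-privilege account rules.
# All server and account names are placeholders for the reader's farm.
$SetupAccount = 'CONTOSO\sp_setup'   # Setup user account (placeholder)
$FarmAccount  = 'CONTOSO\sp_farm'    # server farm account (placeholder)
$WebServers   = @('WFE01', 'WFE02')  # servers on which Setup is run
$SqlServers   = @('SQL01')           # computer(s) running SQL Server

function Get-LocalAdministrators {
    # Returns the members of the local Administrators group on $ComputerName
    # as DOMAIN\name strings (domain principals only; local accounts come back
    # as DOMAIN\COMPUTER\name and are left as-is). Uses the WinNT ADSI
    # provider, which needs no extra modules on Windows Server 2003/2008.
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://CONTOSO/sp_setup; normalise to CONTOSO\sp_setup
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-LeastPrivilegeAccounts {
    # Emits one finding per rule violation; no output means the membership
    # matches the requirements in the account table.
    $findings = @()
    foreach ($server in (@($WebServers) + @($SqlServers))) {
        $admins = @(Get-LocalAdministrators -ComputerName $server)
        $isSql  = $SqlServers -contains $server

        # Rule: the server farm account is not a local Administrator on ANY
        # farm server, the SQL Server computer included.
        if ($admins -contains $FarmAccount) {
            $findings += "$server : farm account $FarmAccount is in local Administrators"
        }

        # Rule: the Setup account is a local Administrator where Setup runs,
        # but must not be one on the computer that is running SQL Server.
        $setupIsAdmin = $admins -contains $SetupAccount
        if ($isSql -and $setupIsAdmin) {
            $findings += "$server : Setup account $SetupAccount is in local Administrators on the SQL Server computer"
        }
        elseif ((-not $isSql) -and (-not $setupIsAdmin)) {
            $findings += "$server : Setup account $SetupAccount is missing from local Administrators (Setup will fail here)"
        }
    }
    return $findings
}

$result = @(Test-LeastPrivilegeAccounts)
if ($result.Count -eq 0) {
    Write-Host 'Local Administrators membership matches the least-privilege requirements.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Nested membership is not expanded, so an account that is a local Administrator through a domain group (Domain Admins, for example) is not flagged; review any groups the WinNT provider lists alongside the direct members.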

You can implement least-privilege administration in many ways, depending upon the security configuration of each scenario. The configurations for least-privilege administration include:

  • Separate domain user accounts

  • SQL Server authentication

  • Domain user accounts connecting to existing databases

Install Windows SharePoint Services 3.0 on the server by using the least privilege account

After you have determined the required accounts for the installation, you can install Windows SharePoint Services 3.0. To install Windows SharePoint Services 3.0, you perform the following actions:

  1. Install Windows SharePoint Services 3.0 and save the SharePoint.exe file to the computer.

  2. Extract the SharePoint.exe file.

  3. Select a Config.xml file.

  4. Run Setup with the selected Config.xml file, and by using the least-privilege Setup user account that you previously created.

Note:

You must install Windows SharePoint Services 3.0 on the same drive on all load-balanced front-end Web servers.

Depending on hardware requirements, install Windows SharePoint Services 3.0 from one of the following resources, and save the SharePoint.exe file to the computer:

The SharePoint.exe file has to be extracted, which you do at the command prompt:

drive:\path\SharePoint.exe /extract:drive:\path

The folder to which you extracted the SharePoint.exe file contains examples of configuration (Config.xml) files. These example files are stored under the \Files folder in the root directory of the DVD, in folders that correspond to different scenarios. The example files are listed and described in the following table.

Configuration file                     Description

Setup\Config.xml                       Single server installation

SetupFarmSilent\Config.xml             Server-farm installation in silent mode

SetupGradualUpgradeSilent\Config.xml   Gradual upgrade of an existing farm in silent mode

SetupSilent\Config.xml                 Single server installation in silent mode

SetupUpgradeSilent\Config.xml          In-place upgrade of an existing farm in silent mode

Important:

The example configuration files that are included with Windows SharePoint Services 3.0 omit the <Setting Id="SETUP_REBOOT" Value="Never"/> setting. You must include this setting if you want to suppress restarts during a command-line installation.

Example

The following example shows the configuration for setting up a farm in silent mode (SetupFarmSilent).

<Configuration>
  <Package Id="sts">
    <Setting Id="REBOOT" Value="ReallySuppress"/>
    <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
  </Package>
  <Logging Type="verbose" Path="%temp%" Template="Microsoft Windows SharePoint Services 3.0 Setup(*).log"/>
  <Setting Id="SERVERROLE" Value="WFE"/>
  <Setting Id="USINGUIINSTALLMODE" Value="0"/>
  <Display Level="none" CompletionNotice="no" />
</Configuration>

Run Setup with a Config.xml file at a command prompt

  1. On the drive on which Windows SharePoint Services 3.0 is installed, change to the root directory to locate the setup.exe file.

  2. Run Setup with the selected Config.xml file.

    setup /config <path and file name>

    Note:

    You can select one of the example configuration files, or customize your own configuration file.

  3. Press ENTER.

Setup is now complete.

Example

To set up a farm in silent mode, type the following command at a command prompt, and then press ENTER:

setup /config Files\SetupFarmSilent\config.xml

You can also customize your own configuration file. To control the installation, first edit the Config.xml file in a text editor to include the elements that you want, with the appropriate settings for those elements. Then run setup /config <path and file name> so that Setup uses the options that you set in the Config.xml file. For example, a typical configuration option is adding a location for a log file, <Logging Type="off" | "standard" (default) | "verbose" Path="path" Template="file name.log"/>, which you can view if the command-line installation fails.

Important:

Use a text editor, such as Notepad, to edit Config.xml. Do not use a general-purpose XML editor such as Microsoft Office Word 2007.

For more information about the options available for customizing the configuration file, see Config.xml reference (Windows SharePoint Services).
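Because a silent installation cannot prompt, a Config.xml that is missing a setting fails quietly. The following PowerShell script is an added example and not part of the Microsoft article: it checks a Config.xml for the points made above (the sts package, a clean-install setup type, a server role, restart suppression via SETUP_REBOOT when the display level is none, and logging that is not switched off). The default file path is a placeholder.

```powershell
# Added example (not from the Microsoft article): sanity-check a Config.xml
# against the guidance above before passing it to "setup /config".
# The default path is a placeholder for the reader's own file.
param([string]$ConfigPath = '.\Files\SetupFarmSilent\config.xml')

function Get-ConfigSetting {
    # Returns the Value of the first <Setting Id="..."> anywhere in the file,
    # whether it sits under <Configuration> or inside <Package>, or $null.
    param([System.Xml.XmlElement]$Root, [string]$Id)
    $node = $Root.SelectSingleNode("//Setting[@Id='$Id']")
    if ($node -ne $null) { $node.GetAttribute('Value') } else { $null }
}

function Test-SetupConfig {
    # Returns one string per problem found; no output means the file passes.
    param([string]$Path)
    $xml  = [xml](Get-Content -Path $Path)
    $root = $xml.Configuration
    if ($root -eq $null) { return @('Root element is not <Configuration>') }
    $problems = @()

    # A new farm install needs the sts package and a clean-install setup type.
    if ($root.SelectSingleNode("Package[@Id='sts']") -eq $null) {
        $problems += 'Missing <Package Id="sts"> element'
    }
    if ((Get-ConfigSetting $root 'SETUPTYPE') -ne 'CLEAN_INSTALL') {
        $problems += 'SETUPTYPE is not CLEAN_INSTALL (this check is for new installs, not upgrades)'
    }
    if (-not (Get-ConfigSetting $root 'SERVERROLE')) {
        $problems += 'SERVERROLE is not set'
    }

    # A silent install (Display Level="none") cannot ask about restarts, and the
    # sample files omit SETUP_REBOOT, so require it explicitly.
    $display = $root.SelectSingleNode('Display')
    $silent  = ($display -ne $null) -and ($display.GetAttribute('Level') -eq 'none')
    if ($silent -and ((Get-ConfigSetting $root 'SETUP_REBOOT') -ne 'Never')) {
        $problems += 'Silent install without <Setting Id="SETUP_REBOOT" Value="Never"/>'
    }

    # Without a log there is nothing to read when a command-line install fails.
    $logging = $root.SelectSingleNode('Logging')
    if (($logging -eq $null) -or ($logging.GetAttribute('Type') -eq 'off')) {
        $problems += 'Logging is missing or Type="off"; set Type="verbose" with a Path and Template'
    }
    return $problems
}

$result = @(Test-SetupConfig -Path $ConfigPath)
if ($result.Count -eq 0) {
    Write-Host "$ConfigPath passes the checks."
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```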

For more information about the command-line options for Setup, see Setup.exe command-line reference (Windows SharePoint Services).

Configure the server by using the Psconfig command-line tool

You use the Psconfig command-line tool to configure Windows SharePoint Services 3.0 after Setup has completed. The tool is located at %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin. The configuration options are different depending whether Windows SharePoint Services 3.0 is installed on a stand-alone server or on a farm.

For more information about the Psconfig command-line tool and its operations and parameters, see Command-line reference for the SharePoint Products and Technologies Configuration Wizard (Windows SharePoint Services).

Configure Windows SharePoint Services 3.0 on a stand-alone server

In stand-alone server deployments that use least-privilege administration, you can run the Psconfig command-line tool with the setup command.

The following procedure describes how to configure Windows SharePoint Services 3.0 on a stand-alone server.

Configure Windows SharePoint Services 3.0 on a stand-alone server by using the Psconfig command-line tool

  1. Log on by using the Setup user account that you created and configured previously.

  2. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

  3. Type the following command, and then press ENTER:

    psconfig -cmd setup

The Psconfig command-line tool describes the configuration steps as they occur and notes the successful completion of configuration. For a stand-alone server installation, this is the final step in a command-line installation.

Configure Windows SharePoint Services 3.0 on a farm

In server farm deployments that use least-privilege administration, you use the Psconfig command-line tool to create a new farm or connect to an existing farm. The Psconfig command-line tool installs the SharePoint Central Administration Web site on the first server in the farm. Therefore, we recommend that the first server on which you install Windows SharePoint Services 3.0 is a server from which you want to run the Central Administration Web site.

The following procedure describes how to configure the first server in the farm.

Note:

Ensure that you follow the procedure in the order that it is written to avoid configuration problems.

Configure Windows SharePoint Services 3.0 on a farm by using the Psconfig command-line tool

  1. Log on by using the Setup user account that you created and configured previously.

  2. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

  3. Create the configuration database:

    psconfig -cmd configdb -create -server <database server name> -database <database name>
      [-dbuser <domain\user name> -dbpassword <password>]
      -user <domain\user name> -password <password>
      -addomain <domain name> -adorgunit <org unit>
      -admincontentdatabase <Central Administration Web application content database name>

    Note:

    The dbuser and dbpassword parameters are only used in deployments that use SQL Server authentication. If you are using Windows authentication, these parameters are not necessary.

  4. Install the Help collection:

    psconfig -cmd helpcollections -installall

  5. Perform resource security enforcement:

    psconfig -cmd secureresources

  6. Register services in the server farm:

    psconfig -cmd services -install

    Note:

    After installing services, you must start and configure Windows SharePoint Services Search by using the Stsadm command-line tool, and then provision the services of the farm:

    1. Start the Search service:

      stsadm -o spsearch -action start -farmserviceaccount <domain\user name> -farmservicepassword <password> [-databasename <content database name>] [-databaseserver <server instance>] [-searchserver <search server name>]

      For more information, see Spsearch: Stsadm operation (Windows SharePoint Services).

      Note:

      Use the domain and user account information for the server farm account that you previously created and configured.

    2. Provision the services of the farm:

      psconfig -cmd services -provision

  7. Register all features:

    psconfig -cmd installfeatures

  8. Provision the SharePoint Central Administration Web application:

    psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm

  9. Install shared application data:

    psconfig -cmd applicationcontent -install

The Central Administration Web site has now been created.

We recommend that you install and configure Windows SharePoint Services 3.0 on all of the farm servers before you start to create sites.

Note:

If any of these commands fail, look in the post-Setup configuration log files. The log files are available at %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Logs, and can be identified by a file name starting with “PSC” and the .log extension.

To connect to an existing configuration database and join the server to an existing server farm, run the configdb command with the -connect parameter instead of the -create parameter.

psconfig -cmd configdb -connect -server <server name> -database <database name>

Note:

Omit the -admincontentdatabase parameter because you already specified it when you created the configuration database.

Use the psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm command if you want to provision the SharePoint Central Administration Web application on additional servers, which reduces the risk if the server that is running the SharePoint Central Administration Web application fails.
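The first-server procedure above, as an added PowerShell script that is not part of the Microsoft article: it runs the Psconfig and Stsadm steps in the documented order, stops at the first non-zero exit code, and points at the newest PSC*.log in the Logs folder when a step fails. Server, database and port values are placeholders; Windows authentication is assumed (so -dbuser and -dbpassword are omitted) and the -addomain/-adorgunit parameters are not used.

```powershell
# Added example (not from the Microsoft article). Runs the first-server
# configuration sequence in the documented order, stops at the first failure
# and shows the newest post-Setup configuration log (PSC*.log) when one occurs.
# Server, database and port values are placeholders for the reader's farm.
$Bin       = "$env:COMMONPROGRAMFILES\Microsoft shared\Web server extensions\12\Bin"
$LogDir    = "$env:COMMONPROGRAMFILES\Microsoft shared\Web server extensions\12\Logs"
$DbServer  = 'SQL01'                    # placeholder database server
$ConfigDb  = 'SharePoint_Config'        # placeholder configuration database name
$AdminDb   = 'SharePoint_AdminContent'  # placeholder Central Administration content database
$AdminPort = '9999'                     # placeholder Central Administration port

# Prompt for the server farm account rather than keeping its password in the script.
Write-Host 'Enter the server farm account (DOMAIN\user) and its password.'
$farm     = Get-Credential
$farmUser = $farm.UserName
$farmPass = $farm.GetNetworkCredential().Password

function Invoke-SPTool {
    # Runs psconfig.exe or stsadm.exe from the 12\Bin folder and throws on a
    # non-zero exit code. Only the first two arguments (e.g. "-cmd configdb")
    # are echoed in the error so that the password is never written out.
    param([string]$Exe, [string[]]$Arguments)
    & "$Bin\$Exe" @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments[0..1] -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Steps 3 to 9 of the procedure, with the Search start from the step 6 note
# placed between 'services -install' and 'services -provision'. Windows
# authentication is assumed (no -dbuser/-dbpassword); -addomain/-adorgunit are not used.
$steps = @(
    @{ Exe = 'psconfig.exe'; Args = @('-cmd','configdb','-create','-server',$DbServer,
         '-database',$ConfigDb,'-user',$farmUser,'-password',$farmPass,
         '-admincontentdatabase',$AdminDb) },
    @{ Exe = 'psconfig.exe'; Args = @('-cmd','helpcollections','-installall') },
    @{ Exe = 'psconfig.exe'; Args = @('-cmd','secureresources') },
    @{ Exe = 'psconfig.exe'; Args = @('-cmd','services','-install') },
    @{ Exe = 'stsadm.exe';   Args = @('-o','spsearch','-action','start',
         '-farmserviceaccount',$farmUser,'-farmservicepassword',$farmPass) },
    @{ Exe = 'psconfig.exe'; Args = @('-cmd','services','-provision') },
    @{ Exe = 'psconfig.exe'; Args = @('-cmd','installfeatures') },
    @{ Exe = 'psconfig.exe'; Args = @('-cmd','adminvs','-provision','-port',$AdminPort,
         '-windowsauthprovider','onlyusentlm') },
    @{ Exe = 'psconfig.exe'; Args = @('-cmd','applicationcontent','-install') }
)

try {
    foreach ($s in $steps) { Invoke-SPTool -Exe $s.Exe -Arguments $s.Args }
    Write-Host 'Central Administration has been provisioned on this server.'
}
catch {
    Write-Warning $_.Exception.Message
    # Point the operator at the newest PSC*.log, as the note above advises.
    $log = Get-ChildItem -Path $LogDir -Filter 'PSC*.log' |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($log) { Write-Warning "Details: $($log.FullName)" }
}
```

Run it while logged on as the Setup user account, as the procedure requires; the farm account password still travels on the command line of each tool, which is how psconfig and stsadm accept it, so run the script interactively rather than from a scheduled job that records command lines.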

To successfully complete command-line installation on a server farm, you must use the Stsadm command-line tool to create a Web application, and a site collection for the farm. However, before you create a Web application and a site collection, we recommend that you first perform some additional configuration tasks.

Perform additional configuration tasks

Create a Web application and a site collection by using the Stsadm command-line tool

After you create and configure Windows SharePoint Services 3.0 on a farm, you must use the Stsadm command-line tool to create a Web application and a site collection. A Web application is composed of an Internet Information Services (IIS) site together with a unique application pool. When you create a new Web application, you also create a new database and define the authentication method that is used to connect to the database.

If you are in an extranet environment where you want different users to access content by using different domains, you might also have to extend a Web application to another IIS Web site. This action exposes the same content to different sets of users by using an additional IIS Web site to host the same content.

Important:

To run the Stsadm command-line tool, you must be a member of the Administrators group on the local computer.

Create a Web application and a site collection by using the Stsadm command-line tool

  1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

  2. Type the following command, and then press ENTER:

    stsadm -o extendvs
      -url <URL name>
      -ownerlogin <domain\user name>
      -owneremail <e-mail address>
      [-exclusivelyusentlm]
      [-ownername <display name>]
      [-databaseuser <database user name>]
      [-databaseserver <database server name>]
      [-databasename <new content database name>]
      [-databasepassword <database password>]
      [-lcid <language>]
      [-sitetemplate <site template>]
      [-description]
      [-sethostheader]
      [-apidname <application pool name>]
      [-apidtype {configurableID | NetworkService}]
      [-apidlogin <domain\user name>]
      [-apidpwd <application pool password>]

    For more information, see Stsadm command-line tool (Windows SharePoint Services) and Extendvs: Stsadm operation (Windows SharePoint Services).

Example

The following command creates a Web application and a site collection with the URL http://intranet that uses the corporate team site template.

stsadm -o extendvs -url http://intranet -ownerlogin <domain\user name> -owneremail <user@domain.com> -sitetemplate STS#0 -exclusivelyusentlm -databaseserver <database server name> -databasename <content database name> -apidname <application pool name> -apidtype {configurableID | NetworkService} -apidlogin <domain\user name> -apidpwd <password>

If you do not specify the template to use, site owners can choose the template when they first browse to the site.

If you want to create additional Web applications or site collections by using the Stsadm command-line tool, you can use either the extendvs or createsite operation.

The extendvs operation extends a Web application and creates a new content database. The createsite operation creates a site collection at a specific URL, with a specified user as the site collection owner and site collection administrator.

Note:

The createsite operation does not create a new content database. If you want to create a new content database together with the new site, use the createsiteinnewdb operation.

For more information, see Createsite: Stsadm operation (Windows SharePoint Services) and Createsiteinnewdb: Stsadm operation (Windows SharePoint Services).

The extendvs operation also enables you to specify the language of the site collection by using the Locale ID (LCID) parameter. If you do not specify an LCID, the language of the server is used for the top-level site collection. For more information about the available LCID values, see List of Locale ID (LCID) Values as Assigned by Microsoft (http://go.microsoft.com/fwlink/?LinkId=63028&clcid=0x409).

After creating sites, you might want to configure alternate access mappings. Alternate access mappings direct users to the correct URLs during their interaction with Windows SharePoint Services 3.0 (while browsing to the home page of a Windows SharePoint Services 3.0 Web site, for example). Alternate access mappings enable Windows SharePoint Services 3.0 to map Web requests to the correct Web applications and sites, and they enable Windows SharePoint Services 3.0 to serve the correct content back to the user. For more information, see Plan alternate access mappings.

Configure the trace log

The trace log can be useful for analyzing problems that might occur. You can use events that are written to the trace log to determine what configuration changes were made in Windows SharePoint Services 3.0 before the problem occurred.

By default, Windows SharePoint Services 3.0 saves two days of events in the trace log files. This means that trace log files that contain events that are older than two days are deleted. When you are using the Windows SharePoint Services Search service, we recommend that you configure the trace log to save seven days of events.

You can use the Diagnostic Logging page in Central Administration to configure the maximum number of trace log files to maintain, and how long (in minutes) to capture events to each log file. By default, 96 log files are kept, each one containing 30 minutes of events.

96 log files * 30 minutes of events per file = 2880 minutes or two days of events.

You can also specify where the log files are written or accept the default path.

Trace log files can help you troubleshoot issues related to configuration changes of the Windows SharePoint Services Search service. Because problems related to configuration changes are not always immediately discovered, we recommend that you save all trace log files that the system creates on any day that you make any configuration changes. Store these log files for some time in a safe location that will not be overwritten. We recommend that you store log files on a hard disk drive partition that is used to store log files only.

Download this book

This topic is included in the following downloadable books for easier reading and printing:

See the full list of available books at Downloadable content for Windows SharePoint Services 3.0.

© 2014 Microsoft. All rights reserved.