Separate Active Directory Directory Service Organization Unit Deployment
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Active Directory directory service account creation mode is a new feature from Microsoft that replaces the earlier local account creation feature. Use Active Directory account creation mode when you need to create new user accounts rather than use existing domain accounts. For example, an Internet service provider (ISP) may need to allow SharePoint site owners to create user accounts or invite users to collaborate on a Web site when domain accounts for those users do not already exist.
In order to run in Active Directory account creation mode, your Web servers must be members of a Microsoft Windows 2000 or Microsoft domain.
Note: Active Directory account creation mode is not supported when you install to a domain controller computer.
There are two modes that you can choose from when you install and configure with a separate Microsoft Active Directory directory service organizational unit:
Nonscalable hosting mode: a simple configuration with one server running Microsoft SQL Server 2000 Service Pack 3 or later, and one domain controller.
Scalable hosting mode: an advanced configuration with a server farm containing multiple front-end Web servers and one or more back-end database servers running SQL Server 2000 Service Pack 3 or later, plus one or more domain controllers.
To configure either mode, you follow the same process. First, you prepare the domain controller by:
Creating a domain controller account for processes.
Creating an organizational unit (OU) for the user accounts.
Delegating permissions to the organizational unit.
Then you prepare the Web server computers by:
Installing with the remotesql=yes property.
Creating the administration virtual server application pool.
Configuring SQL Server permissions for the administration account.
Creating the configuration database and specifying Active Directory account creation mode.
Specifying the e-mail server settings.
Extending a virtual server.
Specifying the host name for the first site (scalable hosting mode only).
Creating a site.
The steps for preparing the domain controller are the same for either mode. The steps for preparing the Web server computers differ slightly. When you are using scalable hosting mode you must be sure to use the hh parameter when you create the configuration database.
You must have at least one member Web server with SQL Server 2000 Service Pack 3 or later installed and at least one domain controller to be able to configure in Active Directory account creation mode following the steps below.
Preparing the Domain Controller
Whether you are planning a smaller installation of (nonscalable hosting mode) or a large server farm (scalable hosting mode), you follow the same steps to prepare your domain controller computer.
Create a domain controller account for processes
On the domain controller, create an account that will be used by to create new domain accounts.
For example, create a new account called SharePoint_admin.
Configure the account such that the password does not need to be changed at the next logon and does not expire.
The account must be a member of the Domain Users group, which is the default group for new accounts. For more information about creating an account on your domain controller, see the Help system.
After the domain controller account has been created, you need to define an organizational unit within which can create new user accounts. You must use the same organizational unit for all user accounts for within a server farm.
Caution: When configuring your server in Active Directory account creation mode, it is recommended that the server administrator account is not in the same organizational unit as the one used for creating accounts. The application pool identities associated with each virtual server must have permissions to change account properties in the defined organizational unit. This configuration allows site collection administrators to have the right to change some properties (such as the password) in that organizational unit. Because of this, it is strongly recommended that you do not add any accounts in the defined account creation organizational unit, and only allow the accounts that creates.
Create an organizational unit (OU) for the user accounts
On your Active Directory server, click Start , point to All Programs , point to Administrative Tools , and then click Active Directory Users and Computers .
Right-click the Active Directory domain name, click New , and then click Organizational Unit .
Type a name for the organizational unit.
For example, name the organizational unit "sharepoint_ou" for simplicity.
Click OK .
For more information about creating an organizational unit, see the Help system.
In order for to have permissions to create accounts in the sharepoint_ou organizational unit, the domain controller account must have the correct permissions delegated to it.
Note: The steps below reflect the user interface for and may vary from a Windows 2000 domain controller. For more information about delegating permissions to an organizational unit, see the Help system for or Windows 2000.
Delegate permissions to the organizational unit
On your Active Directory server, click Start , point to All Programs , point to Administrative Tools , and then click Active Directory Users and Computers .
Right-click the new organizational unit, and then click Delegate control .
In the Welcome pane, click Next .
In the Users and Groups pane, click Add .
In the Enter the object names to select box, type the user name that you are planning to use for the administration application pool identity, and then click OK .
Click Next .
In the Tasks to Delegate pane, select the Create, delete, and manage user accounts checkbox and the Read all user information checkbox, and then click Next .
Click Finish .
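The three domain-controller preparation steps above, scripted as an added example that is not part of the original article, followed by a check for the Caution on the account creation organizational unit (no pool identity or privileged account may reside in it). It assumes the ActiveDirectory PowerShell module and dsacls.exe, the constructed domain example.com (NetBIOS name EXAMPLE), and a constructed second pool account SharePoint_content for the content virtual server; the other names are the article's own.

```powershell
# Added example, not from the original article: a scripted equivalent of the
# three domain-controller preparation steps, followed by a check for the Caution
# above (no privileged or pool-identity account may live in the creation OU).
# Assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and the
# constructed domain example.com (NetBIOS name EXAMPLE); account and OU names
# are the ones the article uses plus a constructed content-pool account.
Import-Module ActiveDirectory

$Domain  = "DC=example,DC=com"
$NetBios = "EXAMPLE"
$OuName  = "sharepoint_ou"
$OuDn    = "OU=$OuName,$Domain"
# One identity per application pool: administration pool and content pool.
$PoolAccounts = @("SharePoint_admin", "SharePoint_content")

# 1. The OU that will hold only the accounts SharePoint creates.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $Domain)) {
    New-ADOrganizationalUnit -Name $OuName -Path $Domain
}

foreach ($name in $PoolAccounts) {
    # 2. Pool identity: plain Domain Users member, outside the creation OU,
    #    password never expires and no change required at next logon.
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        $pw = Read-Host -AsSecureString "Password for $name"
        New-ADUser -Name $name -SamAccountName $name -Path "CN=Users,$Domain" `
            -AccountPassword $pw -Enabled $true `
            -PasswordNeverExpires $true -ChangePasswordAtLogon $false
    }
    # 3. Delegation matching the wizard tasks "Create, delete, and manage user
    #    accounts" and "Read all user information", limited to user objects in
    #    this OU so the identity gains no rights elsewhere in the domain.
    & dsacls.exe $OuDn /I:T /G "${NetBios}\${name}:CCDC;user"  # create/delete users here
    & dsacls.exe $OuDn /I:S /G "${NetBios}\${name}:GA;;user"   # manage existing users here
}

# 4. Audit: anything in the creation OU that is a pool identity or a member of
#    a privileged group would be exposed to site collection administrators.
$Privileged = @("Domain Admins", "Enterprise Admins", "Administrators", "Account Operators")
$Findings = foreach ($u in Get-ADUser -SearchBase $OuDn -Filter * -Properties MemberOf) {
    $groups = @($u.MemberOf | ForEach-Object { (Get-ADGroup $_).Name })
    $hit = $groups | Where-Object { $Privileged -contains $_ }
    if (($PoolAccounts -contains $u.SamAccountName) -or $hit) {
        "$($u.SamAccountName) should not be in $OuName (groups: $($groups -join ', '))"
    }
}
if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "OU $OuName holds no pool or privileged accounts." }
```

Run the audit section on its own periodically; any warning means an account has been placed in the creation OU by hand, which the Caution above advises against.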
Configuring the Web Server Computers
To use Active Directory account creation mode, you must install without installing WMSDE. To do so, you use the remotesql=yes property. Note that this property is used even if your SQL Server installation is on the same computer.
Install with the remotesql=yes property
Download STSV2.exe to your computer.
You can download STSV2.exe from the Microsoft Web site.
Run STSV2.exe to extract the installation files.
When the installation starts, click Cancel .
Click Start , and then click Run .
In the Open box, type c:\folder\setupsts.exe remotesql=yes (where c:\folder is the path to the Setupsts.exe file on your local computer).
For example, if you installed the US English version of STSV2.exe, then the folder is c:\program files\STS2Setup_1033.
Click OK .
The Setup program opens.
On the End-User License Agreement page, review the terms, and then select the I accept the terms in the License Agreement check box, and then click Next .
On the Type of Installation page, click Server Farm , and then click Next .
On the Summary page, verify that only will be installed, and then click Install .
Setup runs and installs .
After the Setup process is complete, you can configure your administrative virtual server (including specifying an application pool to use for the virtual server processes), connect to your SQL Server computer, and then provide your virtual servers with . For Active Directory account creation mode, it is recommended that you use the command-line operations to configure your Web servers.
For more information about the operations used in these steps, see Command-Line Operations .
When creating the administrative virtual server's application pool, specify that application pool to run under the account you created when you prepared the domain controller.
Create the administration virtual server application pool
Administration processes for must run under the domain controller account you created earlier. You use the setadminport operation to create the administration virtual server, and create an application pool for the administration virtual server that uses the domain controller account you created.
Stsadm.exe -o setadminport -port 8080 -admapcreatenew -admapidname stsadmin -admapidtype configurableid -admapidlogin domain\account -admapidpwd password
If you have used a domain account that does not already have database creation rights in SQL Server, you can give the account this access in SQL Server Enterprise Manager. This is a one-time only change. Once you have granted the Security Administrators and Database Creators roles to the account used by the administration virtual server, this account can create databases for any subsequent virtual servers.
Configure SQL Server permissions for the administration account
On your SQL Server computer, click Start , point to All Programs , point to Microsoft SQL Server , and then click Enterprise Manager .
In Enterprise Manager , click the plus sign (+) next to Microsoft SQL Servers , click the plus sign (+) next to SQL Server Group , and then click the plus sign (+) next to your SQL Server computer.
Click the plus sign (+) next to Security , and then right-click Logins , and click New Login .
In the Name box, type the account you created earlier, in the format DOMAIN\name.
Click the Server Roles tab.
In the Server Role list, select the Security Administrators and Database Creators check boxes, and then click OK .
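The same grant performed from the command line, as an added example that is not part of the original article: the administration application pool account receives only the two server roles the article names (securityadmin and dbcreator), and the script reports whether it also ended up in sysadmin, which it should not. It assumes the SQL Server 2000 client tools (osql.exe), Windows authentication, and the constructed names SQL01 and EXAMPLE\SharePoint_admin.

```powershell
# Added example, not from the original article: scripted equivalent of the
# Enterprise Manager steps above. Grants only securityadmin and dbcreator,
# then reports role membership so an accidental sysadmin grant is visible.
# Assumes osql.exe (SQL Server 2000 tools) and Windows authentication;
# SQL01 and EXAMPLE\SharePoint_admin are constructed names.
$SqlServer = "SQL01"
$Login     = "EXAMPLE\SharePoint_admin"

$sql = @"
IF NOT EXISTS (SELECT 1 FROM master..syslogins WHERE loginname = N'$Login')
    EXEC sp_grantlogin N'$Login';
EXEC sp_addsrvrolemember N'$Login', 'securityadmin';
EXEC sp_addsrvrolemember N'$Login', 'dbcreator';
-- Membership report: 1 = member. The sysadmin row must come back 0.
SELECT 'securityadmin' AS role, IS_SRVROLEMEMBER('securityadmin', N'$Login') AS member
UNION ALL SELECT 'dbcreator', IS_SRVROLEMEMBER('dbcreator', N'$Login')
UNION ALL SELECT 'sysadmin',  IS_SRVROLEMEMBER('sysadmin',  N'$Login');
"@

$script = Join-Path $env:TEMP "grant_sharepoint_login.sql"
$sql | Set-Content -Path $script
# -E uses the current Windows credentials; -n suppresses line numbering.
& osql.exe -E -S $SqlServer -n -i $script
Remove-Item $script
```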
You are now ready to create the configuration database.
Create the configuration database and specify Active Directory account creation mode
When you create the configuration database, you specify that uses Active Directory account creation mode. If you are using scalable hosting mode, you must also use the hh parameter with the setconfigdb operation.
To create the configuration database in nonscalable hosting mode, use the following syntax:
Stsadm.exe -o setconfigdb -ds <database server name> -dn sts_config -adcreation -addomain <domain_name> -adou sharepoint_ou
Note: Be sure to use the NetBIOS name of the Active Directory domain, not the fully qualified domain name. For example, use the form server_name_test, not server_name_test.example.com.
To create the configuration database in scalable hosting mode, use the following syntax:
Stsadm.exe -o setconfigdb -ds <database server name> -dn sts_config -hh -adcreation -addomain <domain_name> -adou sharepoint_ou
Specify the e-mail server settings
You must specify an SMTP server to use in order for invitation e-mail to work in Active Directory account creation mode. To specify an e-mail server, you use the email operation.
stsadm.exe -o email -outsmtpserver <SMTP server> -fromaddress <someone@example.com> -replytoaddress <someone@example.com> -codepage <codepage>
Extend a virtual server
After you set up the connection to your SQL Server computer, you are ready to extend the virtual servers on your Web server computer with . When you extend a virtual server, is applied to a virtual server and a top-level Web site is created. For either mode, you must extend the virtual server without creating a site. You use the donotcreatesite parameter with the extendvs operation to extend a virtual server without creating a site.
To extend the virtual server without creating the default top-level Web site use the following syntax:
Stsadm.exe -o extendvs -url https://server_name.domain -ds sqlservername -dn sts_content -donotcreatesite -apcreatenew -apidname stscontent -apidtype configurableid -apidlogin DOMAIN\name -apidpwd password
For the apidlogin parameter, enter a domain account in the format DOMAIN\name. It is recommended that you use a different account than the account you used for the application pool for the administration virtual server.
Note: This account must also have the correct permissions delegated to it. This account must be able to create, delete, and manage accounts in the organizational unit for .
Specify the host name for the first site (scalable hosting mode only)
For scalable hosting mode, you must create the first host-named site for each virtual server. To specify the host name for the site, open the \WINDOWS\system32\drivers\etc\hosts file and add an entry for the site. For example:
xxx.xxx.xxx.xxx www.example.com
where xxx.xxx.xxx.xxx is the IP address of the server.
Note: If Domain Name System (DNS) is not configured, it is still possible to simulate the real environment. You can ping the Web server name to find the IP address.
After the host name is configured, you can create a site.
Create a site
You can create a site in either scalable or nonscalable hosting mode by using the createsite operation with the following syntax:
stsadm -o createsite -url https://www.example.com -owneremail someone@example.com
Be sure to use a valid e-mail address for the owneremail address. This address will be used to send account credentials to new users who access the site.