Skip to main content
Sign In |
  Help (new window)

Chris Gideon

Go SearchAdvanced Search
Chris Gideon
  

Categories
SharePoint
Other Blogs
Todd Carter (Microsoft, SPMCM)
Andrew Connell (MVP)
Spence Harbar (MVP, SPMCM)
The official blog of the SharePoint Product Group
Dan Winter (Microsoft)
Bob Fox (SharePoint MVP)
Bill Baer (Microsoft, SPMCM)
Microsoft Enterprise Content Management (ECM) Team Blog
Larry Kuhn (Microsoft)
Cory Burns (Microsoft)
Tony McIntyre (Microsoft)
Heather Solomon (MVP)
Mark Harrison (Microsoft)
Mike Gannotti (Microsoft)
Kimberly Tripp (SQL)
Links
Photos
Chris Gideon > Categories

9/14/2007

Post Hotfix installation steps

During the installation of a hotfix for SharePoint technologies in V3 (as long as you are not running in silent mode for the patch) you will get a dialog like the one below prompting you to run psconfig.

It is easy to forget about this dialog after the patch is complete. However, it is critical that you run the SharePoint Products and Technologies Configuration Wizard (psconfig) after a hotfix. This wizard or command line depending on the way you run it, will perform an inplace build to build(b2b) upgrade on the SharePoint installation. SharePoint hotfixes are inplace upgrades from one build of SharePoint to another. The hotfix package simply copies the files to disk and registers the binaries. It is the SharePoint Products and Technologies Configuration Wizard that actually upgrades the installation to the new patch.

If you run psconfig -help upgrade from the command line as opposed to the wizard you will see the following.

PSCONFIG.EXE -cmd upgrade

[-wait]

[-force]

[-reghostonupgrade]

[-finalize]

[-inplace <v2v|b2b>]

[-sidebyside]

 

Performs SharePoint upgrade. This command is automatically executed when running the SharePoint Products and Technologies Configuration Wizard if SharePoint needs to be upgraded.

 

wait: If specified, the SharePoint Products and Technologies Configuration Wizard does not return until upgrade completes. If not specified, the wizard returns after dispatching a SharePoint Timer service job to perform upgrade. You can view the upgrade job status by accessing the SharePoint Central Administration Web Application using your web browser.

force: If specified, the SharePoint Products and Technologies Configuration Wizard stops any currently running upgrade actions, and then restarts upgrade.

reghostonupgrade: If specified, the SharePoint Products and Technologies Configuration Wizard will revert all content streams during the upgrade.

finalize: If specified, the SharePoint Products and Technologies ConfigurationWizard will finalize the current upgrade. You will not be able to undo this action.

inplace: If specified, the SharePoint Products and Technologies Configuration Wizard will perform an in-place upgrade. If v2v is chosen, then an in-place version to version upgrade will be performed. If b2b is chosen, then an in-place build to build upgrade will be performed.

sidebyside: If specified, the SharePoint Products and Technologies Configuration Wizard will perform a gradual upgrade.

Therefore if you choose to run from the command line you will need to use this syntax.

Psconfig –cmd upgrade –wait –inplace b2b

But this is not enough for hotfixes that include search fixes. For those you also need to let search know about the changes. The way to do this is by running the following stsadm command after patches that contain search fixes.

For MOSS:

Stsadm –o osearch –action start 

For WSS help search:

Stsadm –o spsearch –action start

 

Posted at 7:16 AM by NORTHAMERICA\cgideon | Category: SharePoint | Permalink | Email this Post | Comments (0)

3/12/2007

Upgrade Definition Files, they aren’t magic

One of the most common things I hear is that someone created an Upgrade Definition File (UDF) and it didn't work. Usually this is followed by me asking this question:

Did you create a new Site definition in MOSS/V3 that matches your custom site definition in v2? Usually the response is, "No, do I need one?"

If you customized by creating a custom site definition and now upgrade is failing, then yes you probably do need one. And you will need a UDF to help you map into that new site definition in order to take advantage of all the new features of MOSS/V3.

The point is that if you create a UDF by itself and don't create a destination MOSS/V3 site definition you are effectively mapping it to nothing. You will see in the upgrade.log file the skip message and end up with a site that looks an awful lot like v2.

Posted at 3:23 PM by NORTHAMERICA\cgideon | Category: SharePoint | Permalink | Email this Post | Comments (0)
DST and SharePoint
Please check out the product group blog.   http://blogs.msdn.com/sharepoint
 
Posted at 6:33 AM by NORTHAMERICA\cgideon | Category: SharePoint | Permalink | Email this Post | Comments (0)

3/9/2007

Boxin Li and Creating a Custom Area Definition

Boxin Li a developer in the SharePoint product team has described the process very well. Enjoy!

How to upgrade a custom area definition

 

Posted at 7:13 AM by NORTHAMERICA\cgideon | Category: SharePoint | Permalink | Email this Post | Comments (0)
Understanding and Troubleshooting SharePoint Explorer View Whitepaper

Steve Sheppard has released an excellent white paper on SharePoint Explorer View. You can find it here:

http://www.microsoft.com/downloads/details.aspx?FamilyId=C523AC7A-5724-48BE-B973-641E805588F4&displaylang=en

 

Posted at 7:12 AM by NORTHAMERICA\cgideon | Category: SharePoint | Permalink | Email this Post | Comments (0)
Keeping Kerberos in Mind

This is my first post in awhile because I have been intently learning and experimenting with WSSv3 and MOSS 2007. I will be focusing on upgrade for awhile. In fact, I am going to put a series of short posts on getting ready for WSSv3/MOSS.

First quick note: If you have followed my earlier advice and are running with Kerberos instead of NTLM for WSSv2/SPS then this is important. Make sure if you choose to perform a gradual upgrade that you have registered your servicePrincipalNames (SPN) for the new URL you will be using during the redirect prior to running setup. Why? It is necessary because clients ask for a ticket based on the URL of the server (or load balancer). Once you start redirecting for the gradual upgrade your tickets will be invalid for the v2 environment.

For example, if your URL is http://SharePoint.Contoso.com for the pre upgrade URL and you choose http://SharePointOld.Contoso.com , then you will need two SPNs. One for v2 redirects URL which will now be http://SharePointOld.Contoso.com and another for v3 which is http://SharePoint.Contoso.com. It is recommended that you use the same Application Pool Identity (account) in v3 that you used in v2. Therefore, you will end up with both SPNs registered on the same account. To sum up:

App Pool Identity= Contoso\SpPoolAcct

Domain= Contoso

Pre upgrade URL for v2= http://SharePoint.Contoso.com

Post upgrade URL for v2 = http://SharePointOld.Contoso.com

Post upgrade URL for v3 = http://SharePoint.Contoso.com

Setspn command to register the new SPN for upgrade= setspn –A http/SharePointOld.Contoso.com contoso\SpPoolAcct

 

Posted at 7:11 AM by NORTHAMERICA\cgideon | Category: SharePoint | Permalink | Email this Post | Comments (0)
Central Admin and Kerberos

I recently came across a problem with trying to use Kerberos for Central Administration Virtual Server/Web Application/IIS Web Site. In short here is the problem:

Symptoms: Unable to get to Central Admin with 401.2

Troubleshooting: Machine name = SpServer, App Pool Identity= SPServiceAcct, Domain= Contoso

  • Used ADSUTIL to check the NTAuthenticationProviders metabase key for the Central Admin WebApp. It was set to "Negotiate, NTLM"
  • Ran SetSPN –L on the Application Pool Identity SpServiceAcct (NT account). This revealed that we had http/SPServer:<centraladminport> and http/SPServer.Contoso.com:<centraladminport>.
  • Ran SetSPN –L on the SPServer account. This revealed that we had the expected HOST/SPServer and HOST/SPServer.Contoso.com records.
  • Checked the Event Viewer for errors. Kerberos was reporting a duplicate registration.
    • Deleted SPN for http/SPServer:<centraladminport> and http/SPServer.Contoso.com:<centraladminport> from the Contoso\SPServer account.

Root Cause: Registration of SPN for Central Admin caused a duplicate. Integrated authentication failed to fall back to NTLM since our target service had a valid registered Kerberos entry point.

 

Why did this happen? To paraphrase a KB on ASP.NET…

If multiple Web sites are reached by the same URL but on different ports, Kerberos will not work. To make this work, you must use different hostnames and different SPNs. When Internet Explorer requests either http://www.Contoso.com or http://www.Contoso.com:81, Internet Explorer requests a ticket for SPN HTTP/www.contoso.com. Internet Explorer doesn't add the port or the virtual server/Web Application to the SPN request. This behavior is the same for http://www.contoso.com/app1 or http://www.contoso.com/app2. In this scenario, Internet Explorer will request a ticket for SPN http://www.Contoso.com from the Key Distribution Center (KDC). Each SPN can be declared only for one identity. Therefore, you would also receive a KRB_DUPLICATE_SPN error message if you try to declare this SPN for each identity.

 

There are built-in SPNs that are registered for computer accounts. These SPNs are recognized for computer accounts if the computer has a HOST SPN. The Troubleshooting Kerberos Delegation white paper, Table 1   Built-in SPNs Recognized for Computer Accounts explains this very well. By adding the registration on the App Pool Identity account it created a duplicate because by default we would map HOST/SPServer to HTTP/SPServer regardless of port.

Ok, back to WSSv3/MOSS upgrade…

 

Posted at 7:10 AM by NORTHAMERICA\cgideon | Category: SharePoint | Permalink | Email this Post | Comments (0)
Best Practices for Object Disposal WSS

This is a document that I have been eagerly awaiting. If you are doing SharePoint OM development you definitely need to check this out.

Best Practices: Using Disposable Windows SharePoint Services Objects

Although it’s posted under the V3 SDK, the methods are just as valuable for V2 Development. If someone were to create a series of code snippets for these techniques…

 

Posted at 7:08 AM by NORTHAMERICA\cgideon | Category: SharePoint | Permalink | Email this Post | Comments (0)
50070: Unable to connect to the database <Database Name>

During my trek through Windows SharePoint Services I frequently hear about this error message. I like to refer to “Unable to connect to the database” as one of the dreaded errors of SharePoint. Why would I do this? Because in the majority of cases this is not a WSS problem. It comes from a variety of environmental factors which are difficult to diagnose and troubleshoot. Rather than get into a philosophical debate on the how or why of WSS error reporting in V2 it’s better to just list the causes that I know about.

  1. The Ad Hoc Query Plan bug. Most easily identified with SpSitemanager, first fixed and explained here.
  2. Speed & Duplex Settings NOT Specified for both the NIC and switch.
  3. NIC Drivers misconfigured or a bad NIC driver (no naming names).
  4. A damaged NIC or very rarely a bad/damaged network cable.
  5. Using one VLAN on the switch and then putting both the Internal NIC and the Public NIC on the same subnet.
  6. Unicast mode for WLBS without following the steps in the whitepaper or article. This results in the switch perceiving WLBS as port flooding.
  7. Multicast mode with WLBS without setting up a static ARP entry in the router/switch.
  8. Setting more than one Default gateway on a multi-homed server when both NIC’s are on the same subnet.
  9. Hardware based Load balancing not configured correctly. For an example on configuring this correctly see this.
  10. SynAttackProtect turned on after installing SP1 for Windows Server 2003. This is explained in the SQL Server 2005 release notes but affects SQL 2000 as well.
  11. Not using Aliases when accessing SQL on a port other than 1433.
  12. The SharePoint application pool account locked out.
  13. SQL Server Paused.
  14. A poorly architected web part behaving badly.
  15. High CPU on SQL from another application sharing the same server.
  16. Blocking on SQL server the result of backup software or another application.
  17. Anti-Virus gone awry. Corrected with SP2 for WSS.
  18. App Pool Recycling under load.
  19. Incorrect permissions in SQL server for the SharePoint App Pool account (Need Security Admin and Database Creators).
  20. NTLM Bottleneck see my previous posts for details.

I am certain there are other possible causes. The point is that many of these items are beyond the control of SharePoint. However, I am very pleased with the work the WSS Dev team has done with Beta 2 of V3. Many of the items listed above are caught and reported. I encourage you to try it for yourself.

 

Posted at 7:06 AM by NORTHAMERICA\cgideon | Category: SharePoint | Permalink | Email this Post | Comments (0)
NTLM Authentication and SharePoint Part 2

In my last post I laid out the basic flow of NTLM authentication with SharePoint when all the accounts (user, service and machine) reside in the same domain. In this post I will discuss the implications of multiple domains in two different scenarios.

Scenario 1:

Active Directory Forest=Farbrikam.com; Domain for users= CHILD.Fabrikam.com; SharePoint WFE, SQL DB have machine accounts in Fabrikam.com; SharePoint Application Pool and SQL Service accounts are in Fabrikam.com.

In this scenario the secure channel DC servicing SharePoint has to contact its peer DC in the CHILD domain via the trust. By default the MaxConcurrentApi for a Domain controller over a trust is one. That’s right one concurrent request (one user at a time) will be processed over the trust. That’s why adjusting the MaxConcurrentApi on the DC’s servicing SharePoint (or any other high volume application, ISA comes to mind) is important. Again profile and test don’t just jump to ten.

Scenario 2:

Active Directory Forest=Farbrikam.com; Domain for users= CHILD.Fabrikam.com; SharePoint WFE, SQL DB have machine accounts in Fabrikam.com; SharePoint Application Pool and SQL Service accounts are in GrandChild.Fabrikam.com.

In this scenario you have the same need to walk the trust for users but you also have a new need to walk the trust for the service accounts.

These two scenarios require another item to consider under high volumes of authentication, Secure Channel “float”. There are a handful of reasons as to why secure channel resets to a different DC. The first is a response greater than or equal to 45 seconds. This is usually the result of a secure channel being established over a slow link or a Secure Channel to a DC that is overloaded (high CPU). Second, there is a network failure to get to the secure channel DC. This can be caused by a physical network failure; Spanning Tree running on the switch which is outlined here; a hiccup from auto negotiate (determining the speed and duplex settings) at the NIC to the switch outlined here; or the Secure Channel DC being rebooted. Once the secure channel is unbound from a DC it goes through the DC Locator process to find a DC. If you have multiple geographical sites in your environment it is important to designate Active Directory Sites to keep your SharePoint servers using local DC’s. Under a high load the last thing you want is your Secure Channel DC being over a slow WAN link and this can happen if you don’t architect this into your design. This can also happen if you place DC/GC over slow links for the domains you are authenticating. For example, in Scenario 1 if the DC/GC for the CHILD domain is over a slow link a bottleneck will be possible. The better design would have DC/GCs for the Fabrikam.com and CHILD domains close (high speed links) to the SharePoint servers and an Active Directory Site specified to keep Secure Channels local if the DC Locator process is called.

To sum up my recommendations for best performance:

  1. Consider creating an Active Directory site just for the SharePoint boxes (if in the same forest) and add GC’s for each domain going against SharePoint.
  2. Make certain that the DC/GC’s are physically as close (high speed links) as possible to the SharePoint boxes.
  3. If possible make all DC’s GC’s if in Native Mode.
  4. Hard set NIC’s and Switches Speed and duplex settings to avoid loss of connecting during auto negotiate.
  5. Check with your switch vendor on the settings for spanning tree to avoid Secure Channel drops. Most vendors have an option to keep this from happening while still benefiting from Spanning Tree.
  6. Increase MaxConcurrentApi and profile DC/GC (for domains in play) with SPA to see if they can handle the load. Make certain to do this on the SharePoint servers and DC/GC for all domains in play.
  7. Monitor Secure Channels with NLTest.exe after patches that cause a reboot to ensure that secure channels don’t float to slow link DC/GCs.
  8. For extreme performance consider the use of x64 DC/GCs. See the impressive results here.
  9. If possible change to Kerberos authentication.

To see a good explanation as to the troubleshooting process check out SPAT’s blog post on the subject.

Why am I taking the time to point this out with regard to SharePoint specifically? Because slow NTLM authentication is one of the leading causes of the dreaded Cannot connect to the configuration/site database and this is rarely considered in troubleshooting this error (problem). It is also a factor in slow portal search crawls because of the number of Group Membership evaluations that are required for Security Trimming.

 

Posted at 7:05 AM by NORTHAMERICA\cgideon | Category: SharePoint | Permalink | Email this Post | Comments (0)
1 - 10 Next