Microsoft SharePoint Online

Customer Build Guide for SP2013 Farms

Applies to: SharePoint Online - Dedicated

Topic Last Modified: 23-December-2015

Version: EO11.0

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. © 2015 Microsoft Corporation. All rights reserved.

Customer Build Guide SharePoint Online – Dedicated Office 365 for Enterprises

© 2015 Microsoft Corporation. All rights reserved. Page 1 of 91

Contents

Microsoft SharePoint Online ...... 1
Customer Build Guide for SP2013 Farms ...... 1

Introduction ...... 6
    Purpose ...... 6
    Audience ...... 6
    Process Overview ...... 7

SharePoint Online Hosted Environment ...... 8
    Basic Characteristics of Host and Virtual Machines ...... 9
    Network and DNS Configuration ...... 11

Prepare Prerequisites ...... 15
    Verify Accounts ...... 15
        Least Privileges Model ...... 15
        Accounts from Managed Domain ...... 18
        Accounts and Security Groups from the Customer Domain ...... 19
        User Group Membership ...... 19

Build the Platform ...... 20
    Build Virtual Machines ...... 20
        Create Virtual Machines ...... 21
        Configure Virtual Machines ...... 22
        Configure Networking ...... 22
        Verify Connectivity to Default Gateway ...... 23
        Configure Page Files ...... 23
        Set End Point Antivirus Exceptions ...... 23
        Disable Recycle Bin ...... 24
        Disable IE ESC ...... 24
        Disable User Account Control ...... 24
        Disable Loopbackcheck ...... 24
        Configure Drives for SQL Server ...... 25
        Disable SSL 2.0 and 3.0 Support ...... 25
        Restrict SCHANNEL to FIPS Compliant Cipher Suites Only ...... 26
        Allow CredSSP Authentication ...... 27
        Modify WinRM Shell Property Settings ...... 28

Configure Common Machine Settings ...... 30


    Change Time Zone ...... 30
    Install .NET Framework 3.5 ...... 30

Configure SQ Server Settings ...... 31
    Create Inbound Firewall Rules ...... 31
    Configure Disk Layout for SQ Servers ...... 31

Install SQL Server ...... 33
    Check for .NET 4.0 ...... 33
    Install SQL Server 2012 ...... 33
    Install SQL Server Cumulative Updates ...... 34
    Configure Security and Trace Flags ...... 35
    Allow Lock Pages in Memory ...... 35
    Set Max Degree of Parallelism ...... 36
    Configure SQLAgent Job History ...... 36
    Verify SQL Server is Working ...... 36

Build Web Servers ...... 38
    Configure Inbound Firewall Rules ...... 38
    Run the Prerequisite Installer ...... 40
    Install IIS Advanced Logging ...... 40
    Install Hotfixes ...... 40
    Configure Advanced Logging ...... 41
    Prepare Office Web App Machines ...... 41
    Delete Default IIS Sites and Application Pools ...... 41

Build the SharePoint Servers ...... 42
    Install SharePoint 2013 ...... 42
    Install Language Packs ...... 42
    Install the Latest SharePoint Updates SharePoint SP1 ...... 42
    Manage SSL Certificates ...... 43
    Update the Hosts File ...... 45

Build the SharePoint Online 2013 Farm ...... 46
    Provision the Farm ...... 46
    Join Servers to the Farm ...... 46
    Enable Licensing ...... 47
    Register Managed Accounts ...... 47
    Configure Services (Generic) ...... 47
    Configure Distributed Cache ...... 47


    Create Quota Templates ...... 52
    Configure Outgoing Email ...... 53
    Create Web Applications ...... 53
    Create Web Application to Host SharePoint Apps ...... 55
    Set Up People Picker for Each URL ...... 56
    Configure Web Applications (Common Settings) ...... 57
        General Settings ...... 57
        Configure Managed Paths ...... 58
        Configure Blocked File Types ...... 58
        Enable the BLOB Cache ...... 59
        Apply Web App Policy and User Policy (Kiosk Worker) ...... 60
        Set Up Super User and Super Reader Accounts ...... 61
        Add Administrators to Web App Policy ...... 62
        Configure List Throttle Settings ...... 63
        Set Setup User Account as System ...... 63
    Create Site Collections ...... 64
    Create Service Applications ...... 66
        Configure the App Management Service ...... 71
        Create Host Header Site Collection for Monitoring Apps Management Site ...... 72
        Configure Managed Metadata Service Application ...... 72
        Configure Excel Service Application ...... 73
        Configure InfoPath Forms Services ...... 73
        Configure Machine Translation Service Permissions ...... 73
        Configure Search Service Application ...... 74
        Configure the Visio Graphics Service Application ...... 78
        Start the User Profile Synchronization Service ...... 78
        Update WMI Control for Farm Account ...... 79
        Grant User Profile Permissions to Service Apps ...... 79
        Manage User Permissions for the User Profile Service Application ...... 80
    Change Default ULS Log Retention ...... 81
    Configure Usage and Health Data Collection Service ...... 81
    Modify SPHA Rules ...... 82
    Disable Selected Site Templates ...... 82
        Disable Site Templates in the 14 Hive ...... 83
        Disable Site Templates in the 15 Hive ...... 83
    Configure Settings for Sandboxed Code ...... 84
    Confirm or Modify Service Account Associations ...... 85
    Add Support for People Fields in Office Documents ...... 86


Install and Configure Azure Workflow Server ...... 88
    Install Azure Workflow Server ...... 88
    Install Azure Workflow Client ...... 88
    Install Service Bus and Workflow Cumulative Updates ...... 88
    Pair the SharePoint Server farm with the Workflow Manager Client farm ...... 89

Install Office Web Applications ...... 90
    Prerequisites ...... 90
    Install Office Web Apps Server ...... 90
    Create Office Web Apps Farm ...... 90
    Connect the SharePoint Farm to the Web App Farm ...... 91
    Configure Office Web Apps Licensing ...... 91


Introduction

Topic Last Modified: 2014-01-23

This document details the processes associated with building and configuring the individual standard components of a Microsoft SharePoint Online 2013 server farm. Use this instruction for new farm builds only. This document does not include instructions for installing optional or customer-specific features.

Purpose

This document was designed to assist customers in the creation of accurate development and test environments to build out solutions on the hosted SharePoint environment. This document does not include some key production farm components, such as backups, service continuity management, monitoring, or SQL Maintenance. If you encounter references in this build document to any of these applications or activities, please disregard them. They are not necessary for development and test activities. The goal of this document is to assist in producing a functional replica of our production configuration, but it will not be identical. Activities such as performance testing will not yield the same results as a production environment; however, the relative performance aligned to a baseline will produce data good enough to interpolate.

Audience

The Customer Build Guide is intended to be used by customers building development and test SharePoint environments. Personnel performing the tasks detailed in this guide should be experienced and familiar with the installation and operation of SharePoint, SQL Server, and Windows Server. Where a task is explained, plain language and added background are used; however, a solid familiarity with the operational aspects of all three products is recommended.


Process Overview

The Build Guide is designed to guide the installer through the following basic processes:

- Validate Hardware provided
- Configure Host Machines
- Create Virtual Machines in Hyper-V on Host Machines
- Configure General VM settings
- Configure the SQL Role
- Configure the Backup Role
- Configure Front End and Application Roles
- Create and configure SharePoint Farm

This document contains steps to virtualize the environment and set up the various SharePoint roles on virtual machines.


SharePoint Online Hosted Environment

Topic Last Modified: 2014-01-29

The Online environment is structured to manage the hosting of multiple customer environments, each isolated to meet security and compliance requirements. The isolation begins with separate customer Virtual Local Area Networks (VLANs) and separate managed customer Active Directory Forests (managed Forest). The basic trust relationship and configuration is outlined in the diagram below. There are generally 3 Forests: one for Management (named MGMT, the central forest for all Management Administration Accounts), one for Managed (named MGD, the forest where SharePoint is hosted), and one forest provided by the customer (Customer Domain Accounts and Customer Data Sources).


Trust relationship and configuration diagram

Basic Characteristics of Host and Virtual Machines

Topic Last Modified: 2014-01-29

The SharePoint 2013 service offering runs on physical host machines built out on the SKUs listed in the following table:


SKU HA (Multi-purpose SKU; used for PPE, App, WFE, SQL Head Unit)
    Storage: 8 x 600 GB 10K SAS; Array A (2: [RAID 1]), Array B (6: [RAID 5])
    RAM: 96 GB
    CPU: 2 x 8 Core Xeon
    NIC: 1 x 10 Gbit SRF+

SKU HB (SQL Storage SKU; used for the SQL Role)
    Storage: 8 x 600 GB 10K SAS plus 25 x 600 GB 10K SAS; Array A (2: [RAID 1]), Array B (6: [RAID 5]), Array C (24: [RAID 5])
    RAM: 96 GB
    CPU: 2 x 8 Core Xeon
    NIC: 1 x 10 Gbit SRF+

SKU HD (File Server/Backup SKU; used for backups and the SQL mirror witness role)
    Storage: 12 x 4 TB 7.2K SAS; Array A (2: [RAID 1]), Array B (9: [RAID 5])
    RAM: 32 GB
    CPU: 1 x 8 Core Xeon
    NIC: 1 x 10 Gbit SRF+

Note: For test/development purposes (assuming little to no performance testing) we recommend using virtual machines and scaling down the resources allocated to the servers above. The SharePoint 2013 service offering uses physical machines built out on the SKUs listed above.


Network and DNS Configuration

Topic Last Modified: 2014-02-11

SharePoint Online has designed a network configuration tailored specifically for SharePoint 2013 that would be difficult to replicate in this document and is not necessary for development and test purposes. When developing applications, the domain trusts are generally more important than segmentation within networks and separate VLANs. The SharePoint farm requires some or all of the following host names:

- portal.contoso.com – portal web application
- team.contoso.com – team sites web application
- my.contoso.com – SkyDrive Pro web application
- partner.contoso.com – partner sites web application (optional)
- wac.contoso.com – Office Web Applications farm
- o365wfl.contoso.com – 2013 Workflow service end point (port 12290)
- *.001dspoapp.com – SharePoint Apps namespace

What is important in setting up your development environment is to create a DNS entry for the wildcard app zone (*.001dspoapp.com in the example above). All other host names can be managed either via DNS or via hosts files on the SharePoint and client Windows servers. In production, Microsoft uses the load balancer to create virtuals that map to different service endpoints exposed to different networks. The following two diagrams are provided for reference purposes.


Load Balancer VIPS, Virtuals, and Traffic Routing


Traffic Flows and VIPs on Load Balancer

If you are configuring DNS, we recommend that you follow an approach similar to what is used in production between the customer environment and SharePoint Online as outlined in the diagram below:


DNS Settings on Customer Private (GNS)

There are a total of three zones in the diagram above; this is not strictly necessary. The zones include a DNS Apps Zone for the SharePoint applications that contains only the wildcard record for the farm. The DNS control zone is optional; you can choose to point your DNS records directly to an A record instead of using CNAME aliases as illustrated above. The above example uses a managed DNS service hosted by Microsoft called 001d.mgd.msft.net. The third zone is the customer private zone that contains the contoso.com namespace.

Note: If you do define DNS records, we recommend that dev/test environments use URLs different from production.
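The three-zone layout above, scripted for a Windows DNS server as an added example (not part of the build guide): it creates the app zone with its wildcard record, the optional control zone, and the customer private zone with CNAME aliases, then checks that an arbitrary app host name resolves. It assumes the DnsServer and DnsClient modules are present; the zone names are the guide's examples, while all IP addresses and the control-zone record names web, wac and wfl are constructed for this example.

```powershell
# Added example, not from the build guide. Zone names follow the guide; every IP
# address and the 'web', 'wac' and 'wfl' record names are constructed values.
Import-Module DnsServer

$AppsZone    = '001dspoapp.com'      # wildcard app zone (guide's example)
$ControlZone = '001d.mgd.msft.net'   # managed control zone (guide's example, optional)
$PrivateZone = 'contoso.com'         # customer private zone (guide's example)

# Constructed endpoint addresses: web application VIP, Office Web Apps VIP, workflow endpoint.
$ControlRecords = @{ 'web' = '10.0.0.50'; 'wac' = '10.0.0.51'; 'wfl' = '10.0.0.52' }

# Customer host names from the guide, mapped to the control-zone record they alias.
$CustomerAliases = @{
    'portal' = 'web'; 'team' = 'web'; 'my' = 'web'; 'partner' = 'web'
    'wac' = 'wac'; 'o365wfl' = 'wfl'
}

function New-ZoneIfMissing([string]$ZoneName) {
    # File-backed primary zone so the example does not require a domain controller.
    if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns"
    }
}

function Set-FarmDnsRecords {
    New-ZoneIfMissing $AppsZone
    New-ZoneIfMissing $ControlZone
    New-ZoneIfMissing $PrivateZone

    # The one record the guide calls essential: the wildcard in the app zone.
    # Existing records are left alone so the function can be re-run.
    Add-DnsServerResourceRecordA -ZoneName $AppsZone -Name '*' -IPv4Address $ControlRecords['web'] `
        -ErrorAction SilentlyContinue

    foreach ($name in $ControlRecords.Keys) {
        Add-DnsServerResourceRecordA -ZoneName $ControlZone -Name $name `
            -IPv4Address $ControlRecords[$name] -ErrorAction SilentlyContinue
    }
    foreach ($hostName in $CustomerAliases.Keys) {
        Add-DnsServerResourceRecordCName -ZoneName $PrivateZone -Name $hostName `
            -HostNameAlias "$($CustomerAliases[$hostName]).$ControlZone" -ErrorAction SilentlyContinue
    }
}

function Test-FarmDns {
    param([string]$DnsServer = 'localhost')
    # Returns name -> resolved IPv4 address; $null means the name did not resolve.
    $results = [ordered]@{}
    $names = @("app-12345.$AppsZone") + @($CustomerAliases.Keys | ForEach-Object { "$_.$PrivateZone" })
    foreach ($n in $names) {
        $results[$n] = $null
        $answer = Resolve-DnsName -Name $n -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if ($answer) { $results[$n] = $answer.IPAddress }
    }
    return $results
}

Set-FarmDnsRecords
Test-FarmDns | Format-Table -AutoSize
```

Any host under the app zone (app-12345 above is an arbitrary constructed label) should resolve to the web VIP; a $null in the output points at the zone or record that was not created.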


Prepare Prerequisites

Topic Last Modified: 2014-04-15

Before you begin, establish a remote desktop connection to each host machine with your installation account.

Verify Accounts

Topic Last Modified: 2014-04-15

Least Privileges Model

When creating your development environment, SharePoint Online Dedicated recommends that you configure your farm using a least-privilege model to ensure the highest level of security. The following tables describe the accounts and the minimum level of permissions required to deploy a farm.

Server farm-level accounts

Account: SQL Server service account
Requirements:
- Domain user account.
- Member of the Administrators group on the SQL Server machine.

Account: Setup user account
Requirements:
- Domain user account.
- Member of the Administrators group on each server on which Setup is run.
- SQL Server login on the computer running SQL Server.
- Member of the Server admin SQL Server security role.
- Tip: If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.

Account: Server farm account
Requirements:
- Domain user account.
- Additional permissions are automatically granted for this account on web servers and application servers that are joined to a server farm.
- This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles: dbcreator fixed server role; securityadmin fixed server role; db_owner fixed database role for all databases in the server farm.

Service application service accounts

Account: SharePoint Server Search service account
Requirements:
- Must be a domain user account.
- Must not be a member of the Farm Administrators group.
- The following are automatically configured: access to read from the configuration database, administration content database, the search administration database, and crawl databases; Full Control access to the index partitions on the query servers.

Account: Default content access account
Requirements:
- Must be a domain user account.
- Must not be a member of the Farm Administrators group.
- Read access to external or secure content sources that you want to crawl by using this account.
- For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the web applications that host the sites.
- The following are automatically configured: Full Read permissions are automatically granted to content databases hosted by the server farm.

Account: Content access account
Requirements:
- Read access to external or secure content sources that this account is configured to access.
- For web sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the web applications that host the sites.

Account: Profile import default access account
Requirements:
- Read access to the directory service.
- The account must have the Replicate Changes permission in AD DS.
- Manage User Profiles personalization services permission.
- View permissions on entities used in Business Data Catalog import connections.

Account: Excel Services unattended service account
Requirements:
- Must be a domain user account.

Additional application pool identity accounts

Account: Application pool identity
Requirements:
- No manual configuration is necessary.
- The following are automatically configured: membership in the SP_DATA_ACCESS role for content databases and search databases associated with the web application; membership in specific application pool roles for the configuration and the SharePoint_AdminContent databases.
- Additional permissions for this account to front-end web servers and application servers are automatically granted.

Accounts from Managed Domain

Confirm that the following accounts (prefixed with ms-svc-*) exist in the managed domain for all environments except Federal. For Federal (fed) environments, confirm that the following accounts exist and are prefixed with mgd-svc-*.

Accounts from Managed Domain

Full Name                              MGD Account Name   Service Account?
SharePoint 15 Farm Account             ms-svc-frm         Yes
SharePoint 15 SQL Service              ms-svc-db          Yes
SharePoint 15 Sandbox Service          ms-svc-sbx         Yes
SharePoint 15 Portal Super Reader      ms-svc-psr         No
SharePoint 15 Portal Super User        ms-svc-psu         No
SharePoint 15 Content Web App Pools    ms-svc-wap         Yes
SharePoint 15 Search Crawl Account     ms-svc-crl         No
SharePoint 15 Service Applications     ms-svc-sa          Yes
Windows Azure Workflow Service         ms-svc-wrk         Yes


Accounts and Security Groups from the Customer Domain

The following accounts and security groups must be present in the customer domain. This information is available in the ToBuild Record, as noted below.

Accounts and security groups from the customer domain

Account or Group: Kiosk Workers
Description: One or more security groups or role claims that represent all kiosk workers at the customer. Only applicable if the customer has purchased DW licenses.

Account or Group: Information Workers

Account or Group: Unattended Account
Description: An account name from the customer forest for unattended data connections for Excel/Visio. Optional; the account may not be provided by the customer.

Account or Group: Partners
Description: One or more security groups or role claims that represent all partner users for a customer. Only applicable if the customer has purchased PAL licenses.

Account or Group: People Picker AD Account and Profile Import Account
Description: One or more accounts with permissions to look up users/groups from AD for configuration of the people picker and profile import of AD users.

User Group Membership

Important: The user running the farm setup must be a member of the MGMT\MGMT-GSG-SPO-SP2013FarmAdmins group.


Build the Platform

Topic Last Modified: 2014-05-06

When you configure a test/development environment, there are a few core elements that must be replicated to adequately test any custom code built or tested by the customer:

- All host URLs must use SSL certificates and be fully qualified, i.e. https://team.contoso.com. Failure to do so will mask potential problems in how the browser treats the site with respect to zones and protocols. This is especially important for connectivity with internal Line of Business systems and data sources.
- All customer accounts must come from a forest that has a one-way external trust between the managed forest and the customer forest. Failure to do so may mask authentication/impersonation issues when connecting to Line-of-Business applications or data sources within the customer forest.

  Note: Kerberos authentication is not supported; it doesn’t work across Forest and Domain boundaries.

- Use a minimum of two Web Front End (FE) role machines to ensure that any and all custom code properly deploys across multiple machines in a farm.
- Use static IP addresses if at all possible. If you use dynamic IP addresses, there is a good chance over time that the farm will have problems, especially with any load balancing solution you use.
- This document does not detail a load-balancing solution. We use a hardware load balancing solution in our production and pre-production environments; for test/development purposes, Windows Network Load Balancing (WNLB) should be adequate. There will be an unavoidable difference in performance between hardware-based and software-based load balancing solutions.

Build Virtual Machines

Topic Last Modified: 2014-01-29

In this section, you will create and configure virtual machines. There is no recommended order in terms of the creation and the configuration of the machines; you may create all the machines first and then configure them one by one, or complete the creation and immediately configure one machine at a time.

Note: All machines should be created before SharePoint is installed.


Create Virtual Machines

Topic Last Modified: 2014-05-06

1. Create the VMs in Hyper-V. The following table provides details on both the VHD distribution and the basic properties for each VM role.

VM   Quantity   Storage/VHDs                               RAM     CPU       NIC
AP   1          OS (200 GB)                                14 GB   4 Cores   1 Virtual
FE   2          OS (200 GB)                                14 GB   4 Cores   1 Virtual
AS   1          OS (200 GB)                                14 GB   4 Cores   1 Virtual
WC   1          OS (200 GB)                                14 GB   4 Cores   1 Virtual
SQ   1          OS (200 GB), LOGS1 (1 TB), DATA1 (2 TB)    16 GB   4 Cores   1 Virtual

2. The SQL role requires additional VHDs for both Data and Log drives. It is important that the SQL Data drive be at least twice the size of the Log drive. For production we provision 6 TB spanned Data Drives and a 1 TB Log drive.

VM Name   Category   Type      Size      File Name
SQ        Data       Dynamic   2040 GB   SPSQXX_disk_1
SQ        Logs       Dynamic   1020 GB   SPSQXX_disk_4

To create and start the virtual machines, execute the following PowerShell script on the Hyper-V host machine (HH01). This script configures the virtual machines with legacy network adapters in order to install the operating system from the network.

$SharePointMachines = "FE01", "FE02", "AP01", "AS01"
$SQLMachine = "SQ01"
$vhdPath = "E:\Virtual Machines\"
$defaultMemory = 16GB
$defaultDiskSize = 200GB

# Create the VHD root folder if it does not exist yet.
if ((Get-Item $vhdPath -ErrorAction SilentlyContinue) -eq $null) {
    New-Item -Path $vhdPath -Type directory | Out-Null
}

function CreateMachine($machineName, $memoryInBytes, $diskSizeBytes) {
    if ((Get-VM -Name $machineName -ErrorAction SilentlyContinue) -ne $null) {
        Write-Host "Virtual machine $machineName already exists. Skipping." -ForegroundColor DarkYellow
        return
    }
    Write-Host "Creating VHDX for $machineName" -ForegroundColor Green
    New-Item -Path $vhdPath -Name $machineName -Type directory -Force | Out-Null
    New-VHD -Path "$vhdPath\$machineName\$machineName.vhdx" -SizeBytes $diskSizeBytes | Out-Null
    Write-Host "Creating virtual machine for $machineName" -ForegroundColor Green
    New-VM -VHDPath "$vhdPath\$machineName\$machineName.vhdx" -Name $machineName -MemoryStartupBytes $memoryInBytes | Out-Null
    # Legacy (emulated) adapter so the VM can boot and install from the network.
    Add-VMNetworkAdapter -VMName $machineName -Name "Legacy Network Adapter" -IsLegacy $true -SwitchName "Default External Switch"
    Set-VMProcessor -VMName $machineName -Count 4
}

foreach ($machineName in $SharePointMachines) {
    CreateMachine $machineName $defaultMemory $defaultDiskSize
}
CreateMachine $SQLMachine $defaultMemory 1TB

$allMachines = $SharePointMachines + $SQLMachine
$allMachines | % {
    Write-Host "Starting $_"
    Start-VM $_
    Start-Sleep -Seconds 30
}

The following commands disable the Hyper-V time synchronization provider (VMICTimeProvider) and synchronize the clock from the domain hierarchy:

reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0
w32tm /config /syncfromflags:DOMHIER /update
net stop w32time
net start w32time
w32tm /resync /force

Configure Virtual Machines

Topic Last Modified: 2014-05-06

The following VM configuration steps are common to all VMs in the farm.

Configure Networking

1. In Control Panel, go to Network and Sharing Center | Change adapter settings.
2. Right-click the Local Area Connection network adapter, and then click Properties.
3. Clear the Internet Protocol Version 6 (TCP/IPv6) check box.
4. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.


5. In the Properties dialog box, select Use the following IP address, and then enter the following information. These settings must be supplied by the customer:
   - IP address
   - Subnet mask
   - Default gateway
   - DNS servers (preferred and alternate)

Verify Connectivity to Default Gateway

1. Open the command prompt, and ping the default gateway.
2. Verify that you get a reply. If you don’t get a reply, check the network settings and confirm a VLAN was assigned to the VM.

Configure Page Files

Page files will be configured to be system-managed for all host machines.

1. In Control Panel, go to System | Advanced system settings.
2. In the System Properties dialog box, on the Advanced tab, under Performance, click Settings.
3. In the Performance Options dialog box, on the Advanced tab, under Virtual memory, click Change.
4. In the Virtual Memory dialog box, clear the Automatically manage paging file size for all drives checkbox.
5. Under Paging file size, choose drive C:\, select the System managed size checkbox, and then click Set.
6. Click OK on all open dialog boxes.
7. If prompted, choose to Restart Now.

Set End Point Antivirus Exceptions

Configure the desktop antivirus of your choice installed on the VM to exclude specific directories from scanning. For simplicity, use the same rules for all virtualized servers; exclude the following directories:

- C:\Program Files\Microsoft Office Server
- C:\inetpub
- C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions
- C:\ProgramData\Microsoft\SharePoint
- C:\windows\Microsoft.Net
- C:\windows\temp
- C:\Program Files\Microsoft SQL Server
- E:\
- F:\

Disable Recycle Bin

1. Right-click the Recycle Bin icon on the desktop, and then click Properties.
2. In the Recycle Bin Properties dialog box, for each drive, select the Don’t move files to the Recycle Bin check box.
3. Click OK.

Disable IE ESC

1. In the Server Manager, under Security Information, click Configure IE ESC.
2. Turn off for both Administrators and Users.
3. Click OK.

Disable User Account Control

1. In Control Panel, on the User Accounts page, click Change User Account Control Settings.
2. Change to Never Notify.
3. Click OK.

Disable Loopbackcheck

1. At the command prompt, run regedit.exe.
2. In the Registry Editor, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
3. Right-click LSA, click New, and then click DWORD (32-bit) Value.
4. Name the new item DisableLoopbackCheck.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Edit DWORD dialog box, set the Value data field to 1.
7. Click OK.
8. Restart the VM.

Configure Drives for SQL Server

1. Connect to the SQL Server machine.
2. Open Disk Management.
3. Right-click the D: drive and then select Format…
4. Name drive D: Data.
5. Right-click the E: drive and then select Format…
6. Name drive E: Logs.

Disable SSL 2.0 and 3.0 Support

Topic Last Modified: 2014-05-06

To help harden the servers, by default we disable SSL 2.0 and SSL 3.0 support and allow only TLS 1.0.

1. At the command prompt, run regedit.exe.
2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
3. Right-click Server, click New, and then click DWORD (32-bit) Value.
4. Name the new item Enabled.
5. Right-click Enabled, and then click Modify.
6. In the Edit DWORD Value dialog box, set the data value to 00000000.
7. Click OK.
8. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
9. Right-click Server, click New, and then click DWORD (32-bit) Value.
10. Name the new item Enabled.
11. Right-click Enabled, and then click Modify.
12. In the Edit DWORD Value dialog box, set the data value to 00000000.
13. Click OK.
14. Restart the VM.
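The same registry change, scripted as an added example (not code from the build guide): it writes Enabled = 0 under the SSL 2.0 and SSL 3.0 Server keys exactly as steps 2 to 13 do by hand, then reads back every SCHANNEL protocol key so the state can be verified on each VM before the restart in step 14. It assumes an elevated PowerShell session; the key path is the one given in the steps.

```powershell
# Added example, not from the build guide. Run in an elevated PowerShell session.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelServerProtocol {
    param([Parameter(Mandatory = $true)][string]$Protocol)   # e.g. 'SSL 2.0'
    $key = Join-Path $SchannelProtocols "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled = 0 (REG_DWORD) is exactly what the manual steps create.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-SchannelProtocolState {
    # One object per protocol and side. A missing key or value means the OS
    # default applies, which is not the same as an explicit disable.
    foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $SchannelProtocols "$protocol\$side"
            $enabled = $null
            if (Test-Path $key) {
                $enabled = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
            }
            $state = 'OS default'
            if ($null -ne $enabled) { $state = if ($enabled -eq 0) { 'Disabled' } else { 'Enabled' } }
            [pscustomobject]@{ Protocol = $protocol; Side = $side; State = $state }
        }
    }
}

function Test-SslDisabled {
    # True only when SSL 2.0 and SSL 3.0 are both explicitly disabled on the server side.
    $ssl = Get-SchannelProtocolState | Where-Object { $_.Side -eq 'Server' -and $_.Protocol -like 'SSL *' }
    return (@($ssl | Where-Object { $_.State -ne 'Disabled' }).Count -eq 0)
}

'SSL 2.0', 'SSL 3.0' | ForEach-Object { Disable-SchannelServerProtocol -Protocol $_ }
Get-SchannelProtocolState | Format-Table -AutoSize
if (Test-SslDisabled) { Write-Host 'SSL 2.0 and SSL 3.0 server support disabled; restart the VM to apply.' }
else { Write-Warning 'SSL 2.0/3.0 is still enabled or left at the OS default on this machine.' }
```

The table it prints distinguishes an explicit Disabled from OS default, which is the distinction an auditor needs when confirming the steps were actually carried out on every VM.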

Restrict SCHANNEL to FIPS Compliant Cipher Suites Only

Topic Last Modified: 2014-05-06

We disable certain ciphers for our secure channel. This setting, applied to all VMs, removes support for the following ciphers, which are not FIPS compliant:

- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_RC4_128_MD5
- SSL_CK_RC4_128_WITH_MD5
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5
- TLS_RSA_WITH_NULL_SHA
- TLS_RSA_WITH_NULL_SHA256

The following ciphers, which are not present by default in Windows, are added:

- TLS_RSA_WITH_NULL_MD5
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521

1. In the MMC snap-in, navigate to Local Computer Policy | Computer Configuration | Administrative Templates | Network | SSL Configuration Settings.
2. Right-click SSL Cipher Suite Order, and then click Edit.
3. In the SSL Cipher Suite Order dialog box, select Enabled.
4. Under Options, in the SSL Cipher Suites text box, delete everything, and then copy and paste in the following text (a single comma-separated line):

TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WITH_NULL_MD5

5. Click OK.
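An added example (not code from the build guide) that checks the cipher suite list from step 4 before applying it, writes it to the registry value the SSL Cipher Suite Order policy stores, and reads it back. The check reports entries that exceed the policy's 1023-character limit, duplicates, suites the section above lists as removed, and suites that provide no encryption, so the operator sees exactly what the pasted list contains. It assumes an elevated session; the suite names are the guide's own lists and the policy key path is the standard Windows location.

```powershell
# Added example, not from the build guide. Run in an elevated PowerShell session.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Suites the section says are removed because they are not FIPS compliant.
$RemovedSuites = @(
    'TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_WITH_RC4_128_MD5', 'SSL_CK_RC4_128_WITH_MD5',
    'SSL_CK_DES_192_EDE3_CBC_WITH_MD5', 'TLS_RSA_WITH_NULL_SHA', 'TLS_RSA_WITH_NULL_SHA256'
)

# The list pasted into the policy in step 4, one suite per element.
$CipherSuiteOrder = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA', 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
    'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA', 'SSL_CK_DES_192_EDE3_CBC_WITH_MD5', 'TLS_RSA_WITH_NULL_MD5'
)

function Test-CipherSuiteList {
    param([string[]]$Suites)
    # Returns a list of findings; an empty list means nothing was flagged.
    $findings = @()
    $joined = $Suites -join ','
    if ($joined.Length -gt 1023) {
        $findings += "List is $($joined.Length) characters; the policy value holds at most 1023."
    }
    foreach ($dup in ($Suites | Group-Object | Where-Object { $_.Count -gt 1 })) {
        $findings += "Duplicate entry: $($dup.Name)"
    }
    foreach ($s in $Suites) {
        if ($s -notmatch '^(TLS|SSL)_[A-Z0-9_]+$') { $findings += "Malformed suite name: '$s'" }
        if ($RemovedSuites -contains $s)         { $findings += "Listed as removed above but present in the order: $s" }
        if ($s -match '_NULL_')                  { $findings += "Suite with no encryption present: $s" }
    }
    return $findings
}

function Set-CipherSuiteOrder {
    param([string[]]$Suites)
    New-Item -Path $PolicyKey -Force | Out-Null
    # 'Functions' is the REG_SZ the policy editor writes; a restart makes it effective.
    New-ItemProperty -Path $PolicyKey -Name 'Functions' -PropertyType String -Value ($Suites -join ',') -Force | Out-Null
}

function Get-CipherSuiteOrder {
    if (-not (Test-Path $PolicyKey)) { return @() }
    $value = (Get-ItemProperty -Path $PolicyKey -Name 'Functions' -ErrorAction SilentlyContinue).Functions
    if ($value) { return ,($value -split ',') } else { return @() }
}

Test-CipherSuiteList -Suites $CipherSuiteOrder | ForEach-Object { Write-Warning $_ }
Set-CipherSuiteOrder -Suites $CipherSuiteOrder
$applied = Get-CipherSuiteOrder
if (@(Compare-Object $applied $CipherSuiteOrder -SyncWindow 0).Count -eq 0) {
    Write-Host "Cipher suite order written ($($applied.Count) suites); restart the VM to apply."
}
```

Run against the list above, the check warns about SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (named in both the removed and the pasted list) and TLS_RSA_WITH_NULL_MD5 (a null-encryption suite the section adds deliberately); the order is written regardless, so the warnings are information for the operator rather than a gate.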

Allow CredSSP Authentication
Topic Last Modified: 2014-05-06

To assist with automation efforts, enable CredSSP on all machines (host and VMs).
1. In the Microsoft Management Console, navigate to Local Computer Policy | Computer Configuration | Administrative Templates | System | Credentials Delegation.
2. Right-click Allow Delegating Fresh Credentials, and then click Edit.
3. In the Allow Delegating Fresh Credentials dialog box, select the Enabled checkbox.
4. Under Options, click Show.
5. In the Show Contents dialog box, type the value WSMAN/*.
6. Click OK in all open dialog boxes.
7. In the MMC, navigate to Local Computer Policy | Computer Configuration | Administrative Templates | Windows Components | Windows Remote Management | WinRM Client.
8. Right-click Allow CredSSP authentication, and then click Edit.
9. In the Allow CredSSP Authentication dialog box, select the Enabled checkbox.
10. Click OK.
11. In the MMC, navigate to Local Computer Policy | Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Remote Management | WinRM Service.
12. Right-click Allow automatic configuration of listeners, and then click Edit.
13. In the Allow automatic configuration of listeners dialog box, select the Enabled checkbox.
14. Under Options:
    a. In the IPv4 filter box, type *.
    b. In the IPv6 filter box, type *.
15. Click OK.
16. In the MMC, navigate to Local Computer Policy | Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Remote Management | WinRM Service.
17. Right-click Allow CredSSP authentication, and then click Edit.
18. In the Allow CredSSP authentication dialog box, select the Enabled checkbox.
19. Click OK.

Modify WinRM Shell Property Settings
Topic Last Modified: 2014-05-06

To improve performance, we modify the default WinRM Shell property settings.
1. In the MMC snap-in, navigate to Local Computer Policy | Computer Configuration | Administrative Templates | Windows Components | Windows Remote Shell.
2. Right-click Specify maximum amount of memory in MB per Shell, and then click Edit.
3. In the Specify maximum amount of memory in MB per Shell dialog box, select the Enabled checkbox.
4. Under Options, in the MaxMemoryPerShellMB text box, enter 1024.
5. Click OK.
6. In the MMC snap-in, navigate to Local Computer Policy | Computer Configuration | Administrative Templates | Windows Components | Windows Remote Shell.
7. Right-click Specify maximum number of processes per Shell, and then click Edit.
8. In the Specify maximum number of processes per Shell dialog box, select the Enabled checkbox.
9. Under Options, in the MaxProcessesPerShell text box, enter 64.
10. Click OK.
11. In the MMC snap-in, navigate to Local Computer Policy | Computer Configuration | Administrative Templates | Windows Components | Windows Remote Shell.
12. Right-click Specify maximum number of remote shells per user, and then click Edit.
13. In the Specify maximum number of remote shells per user dialog box, select the Enabled checkbox.
14. Under Options, in the MaxShellsPerUser text box, enter 16.
15. Click OK.
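The CredSSP and Windows Remote Shell settings from the two sections above can be read back after the policies have applied. The script below is an added example, not from the build guide: it compares the live WinRM configuration (the WSMan: drive, which needs the WinRM service running) with the values the guide specifies, and lists the hosts to which fresh credentials may be delegated from the registry key the Allow Delegating Fresh Credentials policy writes. Running elevated on the configured machine is assumed. A WSMAN/* entry means the connecting user's password is handed to any host the client connects to over WinRM, so the check also warns when the list is that broad.

```powershell
# Added example, not from the build guide: read back the CredSSP and
# Windows Remote Shell settings configured by the preceding steps and report
# any value that differs from the guide's target.
# Assumptions: run elevated; the WinRM service is running so the WSMan: drive
# is available; expected values are the ones given in the guide.

$expected = @{
    'WSMan:\localhost\Client\Auth\CredSSP'        = 'true'
    'WSMan:\localhost\Service\Auth\CredSSP'       = 'true'
    'WSMan:\localhost\Shell\MaxMemoryPerShellMB'  = '1024'
    'WSMan:\localhost\Shell\MaxProcessesPerShell' = '64'
    'WSMan:\localhost\Shell\MaxShellsPerUser'     = '16'
}

function Get-WinRmDrift {
    param([hashtable]$Expected)
    foreach ($path in $Expected.Keys) {
        # Each WSMan: leaf item exposes its current setting as .Value (a string).
        $actual = (Get-Item -Path $path).Value
        [pscustomobject]@{
            Setting  = $path
            Expected = $Expected[$path]
            Actual   = $actual
            Match    = ($actual -eq $Expected[$path])
        }
    }
}

function Get-FreshCredentialTargets {
    # "Allow Delegating Fresh Credentials" stores its server list as numbered
    # string values under this key (the guide enters a single entry, WSMAN/*).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

Get-WinRmDrift -Expected $expected | Sort-Object Setting | Format-Table -AutoSize

$targets = @(Get-FreshCredentialTargets)
Write-Host "Fresh-credential delegation targets: $($targets -join ', ')"
if ($targets -contains 'WSMAN/*') {
    Write-Warning 'Delegation is allowed to every WinRM host; the user password is sent to whichever host the client connects to.'
}
```

Keep the output with the build record: a later drift in MaxShellsPerUser or a widened delegation list is easier to spot against a baseline captured at build time.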

Configure Common Machine Settings Topic Last Modified: 2014-05-06

Change Time Zone
Change the time zone on each machine to match the datacenter time zone:
1. On the desktop of the Host server, right-click the date stamp in the bottom-right tray, and then click Adjust date/time.
2. In the Date and Time dialog box, on the Date and Time tab, click Change Time Zone.
3. In the Time Zone Settings dialog box, select the time zone in which the datacenter is located.
4. Click OK in all open dialog boxes.

Install .NET Framework 3.5
Perform the following steps on every server in the farm (web servers and SQL servers):
1. In your browser, navigate to the .NET 3.5 download site.
2. Download and install the .NET Framework 3.5.
3. Restart your computer.

Configure SQ Server Settings
Topic Last Modified: 2014-05-06

Before you begin, establish a remote desktop connection to the SQ server.

Create Inbound Firewall Rules
1. In the Windows Firewall with Advanced Security tool, click Inbound Rules.
2. In the Actions pane, click New Rule.
3. In the New Inbound Rule Wizard, use the following settings:
   - Rule Type: Port
   - Protocol: TCP
   - Specific local Port: 1433
   - Action: Allow the Connection
   - Profile: Domain
   - Name: SQL Server 1433
4. Click Finish.

Configure Disk Layout for SQ Servers
The VHDs have been created, but the disk layout is incomplete. Use this procedure to span and format the volumes.
1. In Server Manager, navigate to Storage | Disk Management | (C:).
2. Right-click all disks and set them to Online.
3. Create a spanned volume for the Data drive:
   a. Right-click Disk 1 | Initialize disk | select all available drives (1-3).
   b. Ensure the format used is MBR.
   c. Right-click Disk 1 | New Spanned Volume.
   d. Select all 2 TB data drives.
   e. Assign Drive Letter E.
   f. Clear New Volume Name.
4. Create and format the Log drive:
   a. Right-click Disk 4.
   b. Click New Simple Volume.
   c. Assign Drive Letter F.
   d. Clear New Volume Name.
5. Restart the VM.

Install SQL Server Topic Last Modified: 22-December-2015

Note: SQL Server should be installed on the following server roles: SQ, SS, BK, BS.

Check for .NET 4.0
1. Check to see if .NET 4.0 has been installed on the server. .NET 4.0 is not a prerequisite for SQL Server, but it may be present. If .NET 4.0 is present, perform step 2. If not, skip step 2 and continue with the SQL Server installation.
2. Complete this step only if .NET 4.0 has been installed on the server. In order to install SQL Server from the network share, open an administrative command prompt and execute the following after replacing the {BUILD} text with the build location you are using:

%windir%\microsoft.net\framework64\v4.0.30319\caspol.exe -m -ag 1.2 -url file://{BUILD}/* FullTrust

Example:

%windir%\microsoft.net\framework64\v4.0.30319\caspol.exe -m -ag 1.2 -url file://\\10.224.1.83/Releases/* FullTrust

Install SQL Server 2012
If not called out below, use default values for the SQL installation.
1. Browse to your SQL installation path (we recommend an ISO image mounted to the VM) and double-click setup.exe.
2. Navigate to the Installation section and select New Installation or add features to an existing installation.
3. Use your product key or specify a trial.
4. On License Terms, select I accept the license terms and clear the Send feature usage... checkboxes.
5. Complete the Setup Support Files step.
6. On Setup Role, choose SQL Server Feature Installation.
7. On Feature Selection, select the following components:
   - Database Engine Services
   - SQL Server Replication
   - Client Tools Connectivity
   - Client Tools Backwards Compatibility
   - Management Tools - Basic
   - Management Tools - Complete
8. On the Server Configuration page, set the SQL Server Agent startup type to Automatic, click Use the same account for all SQL services, and then enter managed\ms-svc-db and its password.
9. On the Database Engine Configuration page, on the Account Provisioning tab, add the following with the SysAdmin role:
   - managed\ms-svc-db
   - mgmt\MGMT-GSG-SPO-SP2013FarmAdmins
10. On the Database Engine Configuration page, navigate to the Data Directories tab and set or confirm the following settings:

   Directory Name                Value
   Data root directory           E:\Program Files\Microsoft SQL Server\
   User database directory       E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA
   User database log directory   F:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA
   Temp DB directory             E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Data
   Temp DB log directory         F:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Data

11. On the Error Reporting page, clear Send Windows and SQL Server Error Reports...
12. Complete the installation with default settings on the rest of the pages.

Install SQL Server Cumulative Updates
1. Download the SQL Server Cumulative Update.
2. Execute SQLServer2012-KB3072100-x64.exe and follow the instructions.

Configure Security and Trace Flags
Two trace flags are added, 1222 (return the resources and types of locks participating in a deadlock) and 3226 (suppress log backup entries in the SQL error log), as requested by the operations team.
1. In SQL Server Configuration Manager, under SQL Server Network Configuration, right-click Protocols for MSSQLSERVER, and then click Properties.
2. In the Protocols for MSSQLSERVER dialog box, set Hide Instance to Yes.
3. Click OK.
4. On the service storage group servers (SS01/SS02) only:
   a. Double-click Protocols for MSSQLSERVER.
   b. Right-click Named Pipes.
   c. Select Enable.
5. In the tree view on the left, click SQL Server Services.
6. In the right pane, double-click SQL Server (MSSQLSERVER).
7. In the SQL Server Properties (MSSQLSERVER) dialog box, on the Advanced tab, click Startup Parameters.
8. Next to Startup Parameters, click the down arrow, and then add ;-T3226;-T1222 to the end of the parameters text.
9. For example, a modified Startup Parameters list might appear as follows:

-dE:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\master.mdf;-eE:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\LOG\ERRORLOG;-lE:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\mastlog.ldf;-T3226;-T1222

10. Click OK.
11. Right-click SQL Server (MSSQLSERVER), and then click Restart.

Allow Lock Pages in Memory
Give the SQL Server process account the right to lock pages in memory.
1. In Control Panel, go to Administrative Tools | Local Security Policy.
2. Expand Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies.
3. Select User Rights Assignment | double-click the Lock pages in memory policy | Add User or Group.
4. Add the SQL Server security group mgd\mgd-dsg-sp2013-SQLaccts.

Set Max Degree of Parallelism
1. In SQL Server Management Studio, connect to the local database server.
2. In the Code Editor window, enter the following Transact-SQL statement:

sp_configure 'show advanced options', 1;
GO
RECONFIGURE WITH OVERRIDE;
GO
sp_configure 'max degree of parallelism', 1;
GO
RECONFIGURE WITH OVERRIDE;
GO

3. Select Query, and then click Execute or press F5 to execute the query.

Configure SQLAgent Job History
The SQLAgent Job History should have the following settings:
- jobhistory_max_rows=50000
- jobhistory_max_rows_per_job=10000

Use the following PowerShell script to do this.

$null=[system.reflection.assembly]::LoadWithPartialName("Microsoft.SqlServer.Smo")
$server=new-object Microsoft.SqlServer.Management.Smo.Server(".")
$agent=$server.JobServer
$agent.MaximumHistoryRows=50000
$agent.MaximumJobHistoryRows=10000
$agent.Alter()

Verify SQL Server is Working
1. In SQL Server Management Studio, confirm for each SQL instance that you can connect from another machine using SQL Server Management Studio.
2. If you fail to connect, check that the firewall rules to allow 1433 are in place.
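The connectivity check above confirms the port; the SQL-side settings from the Configure Security and Trace Flags, Set Max Degree of Parallelism and Configure SQLAgent Job History sections can be verified in the same pass. The script below is an added example, not part of the build guide. It uses the same SMO assembly as the job-history script, runs DBCC TRACESTATUS(-1) to list the global trace flags, reads max degree of parallelism and the agent history limits from the server object, and reads Hide Instance from the instance's SuperSocketNetLib registry key. It assumes the local default instance MSSQLSERVER and a login that holds sysadmin (the guide grants this to the farm admin group).

```powershell
# Added example, not from the build guide: verify the SQL Server settings
# applied in the preceding sections on the local default instance.
# Assumptions: SMO is present (installed with the Management Tools); the
# caller holds sysadmin; the instance is the default instance MSSQLSERVER.

$null = [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.Smo')
$server = New-Object Microsoft.SqlServer.Management.Smo.Server('.')

function Get-ActiveTraceFlags {
    param([Microsoft.SqlServer.Management.Smo.Server]$Server)
    # DBCC TRACESTATUS(-1) returns one row per enabled global trace flag
    # (an empty result when none are set).
    $ds = $Server.ConnectionContext.ExecuteWithResults('DBCC TRACESTATUS(-1)')
    if ($ds.Tables.Count -eq 0) { return @() }
    @($ds.Tables[0].Rows | Where-Object { [int]$_.Global -eq 1 } | ForEach-Object { [int]$_.TraceFlag })
}

function Get-HideInstanceSetting {
    # Hide Instance is stored per instance; resolve the instance id first.
    $instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').MSSQLSERVER
    $key = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"
    $prop = Get-ItemProperty -Path $key -Name HideInstance -ErrorAction SilentlyContinue
    if ($prop) { [int]$prop.HideInstance } else { 0 }
}

$flags = Get-ActiveTraceFlags -Server $server
$checks = @(
    [pscustomobject]@{ Check = 'Trace flag 1222 (deadlock detail)';           Expected = $true;  Actual = ($flags -contains 1222) }
    [pscustomobject]@{ Check = 'Trace flag 3226 (suppress backup log entries)'; Expected = $true;  Actual = ($flags -contains 3226) }
    [pscustomobject]@{ Check = 'max degree of parallelism (run value)';        Expected = 1;      Actual = $server.Configuration.MaxDegreeOfParallelism.RunValue }
    [pscustomobject]@{ Check = 'Agent jobhistory_max_rows';                    Expected = 50000;  Actual = $server.JobServer.MaximumHistoryRows }
    [pscustomobject]@{ Check = 'Agent jobhistory_max_rows_per_job';            Expected = 10000;  Actual = $server.JobServer.MaximumJobHistoryRows }
    [pscustomobject]@{ Check = 'Hide Instance';                                Expected = 1;      Actual = (Get-HideInstanceSetting) }
)

$checks |
    Select-Object Check, Expected, Actual, @{ n = 'OK'; e = { $_.Expected -eq $_.Actual } } |
    Format-Table -AutoSize
```

Trace flags set through Startup Parameters only take effect after the service restart in step 11, so a FALSE on the first two rows immediately after editing the parameters is expected; re-run after the restart.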

Build Web Servers
Topic Last Modified: 15-December-2015

Before you begin, establish a remote desktop connection to each FE, AP, AS and WC server in the farm. Each step in this chapter must be completed on each machine, unless otherwise noted.

Configure Inbound Firewall Rules
Create the following new inbound firewall rules:
1. In the Windows Firewall with Advanced Security tool, right-click Inbound Rules, and then click New Rule.
2. In the New Inbound Rule Wizard, create a new rule with the following configuration:
   - Rule Type: Port
   - Protocol: TCP
   - Port: Specific | 443
   - Action: Allow the Connection
   - Profile: Select Domain
   - Name: SharePoint 443
3. Click Finish.
4. Create another new rule with the following settings:
   - Rule Type: Port
   - Protocol: TCP
   - Port: Specific | 8888
   - Action: Allow the Connection
   - Profile: Select Domain
   - Name: Central Admin 8888
5. Click Finish.
6. Create another new rule with the following settings:
   - Rule Type: Port
   - Protocol: TCP
   - Port: Specific | 32843
   - Action: Allow the Connection
   - Profile: Select Domain
   - Name: SharePoint 32843
7. Click Finish.
8. Create another new rule with the following settings:
   - Rule Type: Port
   - Protocol: TCP
   - Port: Specific | 32844
   - Action: Allow the Connection
   - Profile: Select Domain
   - Name: SharePoint 32844
9. Click Finish.
10. Create another new rule with the following settings:
   - Rule Type: Port
   - Protocol: TCP
   - Port: Specific | 32845
   - Action: Allow the Connection
   - Profile: Select Domain
   - Name: SharePoint 32845
11. Click Finish.
12. Open Windows PowerShell and execute the following:

#SharePoint Search rule
netsh advfirewall firewall delete rule name="SharePoint Search Ports"
netsh advfirewall firewall add rule name="SharePoint Search Ports" dir=in action=allow localport="17000-17009,808,16500-16509" protocol=TCP profile=domain
#Rules for Distributed Cache (AppFabric caching uses TCP 22233 through 22236)
netsh advfirewall firewall delete rule name="AppFabric Caching Ports"
netsh advfirewall firewall add rule name="AppFabric Caching Ports" dir=in action=allow localport="22233-22236" protocol=TCP profile=domain
netsh advfirewall firewall set rule group="AppFabric Server: AppFabric Caching Service" new enable=Yes
netsh advfirewall firewall set rule name="Remote Service Management (RPC)" new enable=Yes
netsh advfirewall firewall set rule name="Remote Service Management (RPC-EPMAP)" new enable=Yes
netsh advfirewall firewall set rule name="Remote Service Management (NP-In)" new enable=Yes
#Azure Workflow rule
netsh advfirewall firewall delete rule name="Azure Workflow Ports"
netsh advfirewall firewall add rule name="Azure Workflow Ports" dir=in action=allow localport="4446,5112,9000-9003,9354,12290" protocol=TCP profile=domain
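The five wizard rules in steps 1 through 11 can be created the same way the netsh block in step 12 creates its rules: delete any rule of the same name, then add it. The script below is an added example, not from the build guide, using the NetSecurity cmdlets available on Windows Server 2012 (run elevated; rule names, ports and the Domain profile are the values from the steps above). It finishes by listing every enabled inbound allow rule on the domain profile with its TCP ports, which is the view a reviewer wants after a build: anything beyond the guide's ports stands out.

```powershell
# Added example, not from the build guide: create the five inbound port rules
# from the wizard steps idempotently, then list the domain-profile inbound
# allow rules for review.
# Assumptions: Windows Server 2012 with the NetSecurity module; run elevated;
# names, ports and profile are the ones given in the guide.

$rules = @(
    @{ Name = 'SharePoint 443';     Port = 443 }
    @{ Name = 'Central Admin 8888'; Port = 8888 }
    @{ Name = 'SharePoint 32843';   Port = 32843 }
    @{ Name = 'SharePoint 32844';   Port = 32844 }
    @{ Name = 'SharePoint 32845';   Port = 32845 }
)

function Set-InboundPortRule {
    param([string]$Name, [int]$Port)
    # Same pattern as the guide's netsh block: remove a stale rule of the same
    # name so a re-run does not accumulate duplicates.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $Name
    }
    # Inbound, TCP, allow, Domain profile only: matches the wizard settings.
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -Profile Domain | Out-Null
}

function Get-DomainInboundAllowPorts {
    # Every enabled inbound allow rule that applies to the Domain profile,
    # with the TCP ports it opens.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.Profile -match 'Domain|Any' } |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            if ($filter.Protocol -eq 'TCP') {
                [pscustomobject]@{ Rule = $_.DisplayName; Ports = (@($filter.LocalPort) -join ',') }
            }
        }
}

foreach ($r in $rules) { Set-InboundPortRule @r }
Get-DomainInboundAllowPorts | Sort-Object Rule | Format-Table -AutoSize
```

Rules with a port of Any in the listing are worth a second look: they come from built-in groups and the guide only intends the named service ports to be reachable.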

Run the Prerequisite Installer

Important: Execute the steps in this section only on SharePoint FE, AP, and AS Servers (Common Steps)

Note: At this time, we do not recommend running the prerequisite installer in unattended mode.
1. Open the SharePoint installation folder.
2. Execute PrerequisiteInstaller.exe and follow the prompts to reboot the computer as needed. The prerequisite installer will automatically restart after each reboot.
3. Restart the computer after the prerequisite installer has completed.

Install IIS Advanced Logging SharePoint Online uses the features of IIS Advanced logging. This feature will need to be installed on all SharePoint FE, AP, and AS Servers.

Important: Execute the steps in this section only on SharePoint FE, AP, WC, and AS Servers (Common Steps)
1. Download the MSI file from http://www.microsoft.com/en-us/download/details.aspx?id=7211.
2. As administrator, execute advancedlogging64.msi.

Install Hotfixes A hotfix is available for the IIS Advanced logging that resolves a memory leak in application pools in Windows Server 2012.

Important: Execute the steps in this section only on SharePoint FE, AP, and AS Servers (Common Steps)
1. Download the MSI file from http://www.microsoft.com/en-us/download/details.aspx?id=41640
2. As administrator, execute advancedlogging_update_64.msp.

Configure Advanced Logging
Complete all steps in this section on ALL FE, AP, AS and WC servers in the farm.
1. If IIS Manager is open, close and re-open it to see the new Advanced Logging components.
2. In Internet Information Services (IIS) Manager, click the server on which you have installed advanced logging.
3. In the middle pane, under IIS, double-click Advanced Logging.
4. On the Advanced Logging console, click Edit Logging Fields.
5. In the Edit Logging Fields dialog box, click Add Field.
6. In the Add Logging Field dialog box, set the following parameters:
   - Field ID: X-Forwarded-For
   - Category: Default
   - Source Type: Request Header
   - Source Name: X-Forwarded-For
7. Click OK in all open dialog boxes.

Prepare Office Web App Machines
Complete the following step on each of the Office Web Apps machines (WC01, WC02, etc.).
1. In PowerShell, run the following command to install the required Windows roles and features:

Add-WindowsFeature Web-Server,Net-Framework-45-Core,Net-Framework-45-ASPNET,Web-Asp-Net45,Web-Net-Ext45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Windows-Auth,Web-Mgmt-Console,InkAndHandwritingServices -Restart

Delete Default IIS Sites and Application Pools
Perform the following steps on all SharePoint (FE, AP, AS) and Office Web Apps (WC) servers in the farm.
1. In the Internet Information Services (IIS) Manager, click Sites.
2. Under Default Web Site, delete any default Web sites.
3. Click Application Pools.
4. Remove all application pools.

Build the SharePoint Servers
Topic Last Modified: 2014-05-30

Perform the following on each SharePoint Server in the farm.

Install SharePoint 2013
To install the SharePoint 2013 Server:
1. In Windows Explorer, browse to the SharePoint 2013 installation folder and run setup.exe.
2. Type your product key.
3. Choose a Server Farm installation and Complete Server Type.

Important: Do NOT run the Configuration Wizard (PSConfig.exe) at this time.

Install Language Packs
1. Browse to the path that contains the language packs you wish to install and run the language pack.
2. Select the I accept the license terms check box, and then click Continue.
3. Follow the instructions in the wizard to install the language packs.

Install the Latest SharePoint Updates
SharePoint SP1
1. Remove the server from rotation to stop incoming requests to the server.
2. In your browser, download the SharePoint June 2013 CU.
3. Run officeserversp2013-kb2880552-fullfile-x64-en-us.exe.
4. Reboot the server.
5. Add the updated server back into the load-balancing rotation.

When the installation is complete, the configuration database should be version 15.0.4569.1000 or higher when viewed in the SharePoint Configuration Wizard.

Install the App Fabric Cumulative Update

1. In your browser, download the App Fabric Cumulative Update.
2. Run AppFabric1.1-RTM-KB2800726-x64-ENU.exe. Follow the instructions.

Manage SSL Certificates
By default, Microsoft SharePoint Online Dedicated uses wildcard certificates for customer deployments. This process outlines how to create or export a wildcard SSL certificate.

Complete Certificate Request
When a response is returned by the CA, perform the following steps on the same machine used to request the certificate. This should be AP01.
1. In Internet Information Services (IIS) Manager, click the machine name, and then, under IIS, double-click Server Certificates.
2. In the Actions pane, click Complete Certificate Request.
3. In the Complete Certificate Request dialog box, enter the required values:
   - File Name: provide a path to the file that contains the response from the certificate authority.
   - Friendly Name: *. Wildcard SSL certificate or SAN Certificate (for a SAN certificate you cannot use a * but must use one of the DNS values, such as portal.)
4. Click OK.

Export Certificates
After a certificate has been issued, it must be exported so that it can be installed on all other FE machines.

For SAN Certificates: If exporting a named (SAN) certificate, follow these directions (For First Machine) first. Only use these instructions if SAN certificates are required. If using wildcard certificates, go to Import Certificates.

Note: This procedure is for SAN certificates only. To export wildcard certificates, see the “For Wildcard Certificates” section later in this topic. To use a named certificate within the IIS7 interface, you must update the friendly name on the certificate. Follow these directions only for a named certificate.

1. In the Microsoft Management Console, under Certificates (Local Computer) | Personal, click Certificates.
2. Right-click the SAN Certificate you want to export, and then click Properties.
3. In the Properties dialog box, edit the Friendly Name field so the name starts with an * instead of the host name.
4. Example: portal.contoso.com should be modified to *.contoso.com.
5. Click OK.

Import SSL Certificates
Once the new certificate has been received, import the SSL certificate to all web servers for both SharePoint and Office Web Apps (AP, AS, FE, WC).
1. In the Microsoft Management Console, under Certificates (Local Computer) | Personal, right-click Certificates, click All Tasks, and then click Import.
2. In the Certificate Import Wizard, configure the following settings:
   a. File Name: provide the path to the file for the exported pfx certificate.
   b. Password: provide the password from the previous step.
   c. Mark this key as exportable: Uncheck.
3. Once the import is completed, permanently delete the temporary pfx files.

Note: In the file listed in step 2a, there should be an entry for each URL that is added. This file will be different for new customers and existing customers. A new customer would typically have at least three URLs to begin with: , , and . An existing customer would have two URLs: AND .

Import STS Certificate
Obtain the new STS certificate and import it to all web servers for SharePoint (AP, AS, FE) using the following steps.
1. In the Microsoft Management Console, under Certificates (Local Computer) | Trusted Root Certification Authorities, right-click Certificates, click All Tasks, and then click Import.
2. In the Certificate Import Wizard, configure the following settings:
   a. File Name: provide the path to the file for the exported pfx certificate.
   b. Password: provide the password from the previous step.
   c. Mark this key as exportable: Uncheck.
3. Once the import is completed, permanently delete the temporary pfx files.

Update the Hosts File
To update the Hosts file:
1. Navigate to C:\windows\system32\drivers\etc, and then open the hosts file as an administrator.
2. Add records to the hosts file based on the following templates:

# Apps Management Site URL
127.0.0.1 monitor.ppe<<001d>>spoapp.com

FE servers (PPE):

# PPE My app URL
127.0.0.1 ppemy.contoso.com
# PPE Team app URL
127.0.0.1 ppeteam.contoso.com
# PPE Portal app URL
127.0.0.1 ppeportal.contoso.com
# PPE Partners Access app URL
127.0.0.1 ppepartner.contoso.com
# PPE Workflow service URL
MGP_PPE_WFE_VIP ppeo365wfl.contoso.com
# WAC service URL
MGP_WAC_VIP o365wac.contoso.com
# Apps Management Site URL
127.0.0.1 monitor.ppe<<001d>>spoapp.com

AP/AS servers (PPE):

# PPE My app URL
MGP_PPE_WFE_VIP ppemy.contoso.com
# PPE Team app URL
MGP_PPE_WFE_VIP ppeteam.contoso.com
# PPE Portal app URL
MGP_PPE_WFE_VIP ppeportal.contoso.com
# PPE Partners Access app URL
MGP_PPE_WFE_VIP ppepartner.contoso.com
# WAC service URL
MGP_WAC_VIP o365wac.contoso.com
# PPE Workflow service URL
MGP_PPE_WFE_VIP ppeo365wfl.contoso.com
# Apps Management Site URL
127.0.0.1 monitor.ppe<<001d>>spoapp.com

3. Save and close the file.
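Because the hosts file is edited again on every rebuild and on every server role, a scripted, idempotent version of step 2 avoids duplicate or conflicting lines. The script below is an added example, not from the build guide: it takes a table of address, name and comment (the FE entries from the template above, with the contoso.com sample names and the guide's MGP_*_VIP placeholders), refuses to write a record whose address is not a valid IP address, skips names that are already mapped, and prints the resulting mappings for review. Running elevated is assumed.

```powershell
# Added example, not from the build guide: add hosts-file records from a table
# without duplicating names, and reject placeholder addresses that were never
# replaced. Assumptions: run elevated; $records holds the FE-server template
# entries from the guide (contoso.com names; MGP_*_VIP are the guide's
# placeholders and must be replaced with real VIP addresses before use).

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

$records = @(
    @{ Address = '127.0.0.1';       Name = 'ppemy.contoso.com';       Comment = 'PPE My app URL' }
    @{ Address = '127.0.0.1';       Name = 'ppeteam.contoso.com';     Comment = 'PPE Team app URL' }
    @{ Address = '127.0.0.1';       Name = 'ppeportal.contoso.com';   Comment = 'PPE Portal app URL' }
    @{ Address = '127.0.0.1';       Name = 'ppepartner.contoso.com';  Comment = 'PPE Partners Access app URL' }
    @{ Address = 'MGP_PPE_WFE_VIP'; Name = 'ppeo365wfl.contoso.com';  Comment = 'PPE Workflow service URL' }
    @{ Address = 'MGP_WAC_VIP';     Name = 'o365wac.contoso.com';     Comment = 'WAC service URL' }
)

function Get-HostsMappings {
    param([string]$Path)
    # Parse non-comment lines into address/name pairs (one line may carry several names).
    foreach ($line in @(Get-Content -Path $Path -ErrorAction SilentlyContinue)) {
        $clean = ($line -split '#')[0].Trim()
        if (-not $clean) { continue }
        $parts = $clean -split '\s+'
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Address = $parts[0]; Name = $name }
        }
    }
}

function Add-HostsRecord {
    param([string]$Path, [string]$Address, [string]$Name, [string]$Comment)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) {
        Write-Warning "Skipping $Name : '$Address' is not an IP address (placeholder not replaced?)."
        return $false
    }
    $existing = @(Get-HostsMappings -Path $Path | Where-Object { $_.Name -eq $Name })
    if ($existing.Count -gt 0) {
        if ($existing[0].Address -ne $Address) {
            Write-Warning "$Name already maps to $($existing[0].Address); not changed."
        }
        return $false
    }
    Add-Content -Path $Path -Value "# $Comment"
    Add-Content -Path $Path -Value "$Address $Name"
    return $true
}

foreach ($r in $records) {
    if (Add-HostsRecord -Path $hostsPath @r) { Write-Host "Added $($r.Name)" }
}
Get-HostsMappings -Path $hostsPath | Format-Table -AutoSize
```

A name that already maps to a different address is reported rather than overwritten, since a silent change here redirects the farm's own service calls.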

Build the SharePoint Online 2013 Farm Topic Last Modified: 11-December-2015 Before you begin: Remote-desktop into the machine that will contain Central Admin (AP01).

Provision the Farm

Important: This step must be executed with PowerShell so that the server is not registered as a distributed cache host. Adding machines as distributed cache hosts occurs later in this document.
1. Open the SharePoint 2013 Management Shell, and then execute the following:

# Fill in the SQL server name and the managed domain before running.
$dbServer = ""
$mgdDomain = ""
$scaCred = Get-Credential "$mgdDomain\ms-svc-frm"
# Passphrase shown as printed in the guide; use the farm's own passphrase.
New-SPConfigurationDatabase -DatabaseName "SharePoint_Config" -DatabaseServer $dbServer -AdministrationContentDatabaseName "SharePoint_Admin_Content" -FarmCredentials $scaCred -Passphrase (ConvertTo-SecureString "Password911!23" -AsPlainText -Force) -SkipRegisterAsDistributedCacheHost

2. Open the SharePoint 2013 Products Configuration Wizard.
3. Select Specify port number: 8888.
4. Complete the wizard.

Join Servers to the Farm

Note: This step must be executed with PowerShell so that the server is not registered as a distributed cache host. Adding machines as distributed cache hosts occurs later in this document.

Before you can configure the farm, you must add the other AP, AS and FE servers to the farm:
1. Open the SharePoint 2013 Management Shell, and then edit and execute the following:

# Fill in the SQL server name and the managed domain before running.
$dbServer = ""
$mgdDomain = ""
$scaCred = Get-Credential "$mgdDomain\ms-svc-frm"
# Passphrase shown as printed in the guide; use the same passphrase given when the farm was provisioned.
Connect-SPConfigurationDatabase -DatabaseName "SharePoint_Config" -DatabaseServer $dbServer -Passphrase (ConvertTo-SecureString "Password911!23" -AsPlainText -Force) -SkipRegisterAsDistributedCacheHost

2. Open the SharePoint 2013 Products Configuration Wizard.
3. Complete the wizard.

Note: Repeat these steps for all other SharePoint Machines (AP, AS and FE). In the case of server expansion or rebuild, only run the wizard on the new machines.

Enable Licensing
1. Open the SharePoint 15 Management Shell, and edit and then execute the following:

$allAuthUsers = New-SPClaimsPrincipal -Identity "NT Authority\Authenticated Users" -IdentityType WindowsSecurityGroupName
New-SPUserLicenseMapping -Claim $allAuthUsers -License "<>" | Add-SPUserLicenseMapping
Enable-SPUserLicensing

Register Managed Accounts
1. In Central Administration, go to Security | Configure Managed Accounts.
2. Ensure that the following accounts are registered:
   - managed\ms-svc-wap
   - managed\ms-svc-sa
   - managed\ms-svc-sbx

Configure Services (Generic) Topic Last Modified: 2014-05-06

Important: The instructions for configuring services are organized to get the farm up and running as fast as possible. In order to ensure that nothing is missed it is recommended that each section relating to service configuration be performed in the order presented.

Configure Distributed Cache Repeat the following on each FE server in the farm. 1. Open the SharePoint 15 Management Shell, and then edit and execute the following: Add-SPDistributedCacheServiceInstance

Configure Other Services
1. In Central Administration, go to System Settings | Servers | Manage services on server.

Note: A drop-down at the top of the list allows you to switch from server to server, so all servers previously added to the farm can be configured from AP01.

2. Start the service on each machine as noted in the tables below.

FE Machines (FE01, FE02, FE03, etc.)

Service                                                         Status
Access Database Service 2010                                    Started
Access Services                                                 Started
App Management Service                                          Started
Business Data Connectivity Service                              Started
Central Administration                                          Stopped
Claims to Windows Token Service                                 Stopped
Distributed Cache                                               Started
Document Conversions Launcher Service                           Stopped
Document Conversions Load Balancer Service                      Stopped
Excel Calculation Services                                      Started
Lotus Notes Connector                                           Stopped
Machine Translation Service                                     Stopped
Managed Metadata Web Service                                    Started
Microsoft SharePoint Foundation Incoming E-Mail                 Started
Microsoft SharePoint Foundation Sandboxed Code Service          Started
Microsoft SharePoint Foundation Subscription Settings Service   Started
Microsoft SharePoint Foundation Web Application                 Started
Microsoft SharePoint Foundation Workflow Timer Service          Started
PerformancePoint Service                                        Stopped
PowerPoint Conversion Service                                   Stopped
Request Management                                              Stopped
Search Host Controller Service (1)                              Started
Search Query and Site Settings Service                          Started
Secure Store Service                                            Started
SharePoint Server Search (2)                                    Started
User Profile Service                                            Started
User Profile Synchronization Service (3)                        Stopped
Visio Graphics Service                                          Started
Word Automation Services                                        Stopped
Work Management Service                                         Stopped

(1) This service will be started during the provisioning of the Search Service Application.
(2) This service will be started during the provisioning of the Search Service Application.
(3) Do not start the User Profile Synchronization Service now. It will be started later in this document.

AP (Admin Service) (AP01 only)

Service                                                         Status
Central Administration                                          Started

AP (Admin Service) (AP01, AP02)

Service                                                         Status
Access Database Service 2010                                    Stopped
Access Services                                                 Stopped
App Management Service                                          Stopped
Business Data Connectivity Service                              Stopped
Claims to Windows Token Service                                 Stopped
Document Conversions Launcher Service                           Stopped
Document Conversions Load Balancer Service                      Stopped
Excel Calculation Services                                      Stopped
Lotus Notes Connector                                           Stopped
Machine Translation Service                                     Started
Managed Metadata Web Service                                    Stopped
Microsoft SharePoint Foundation Incoming E-Mail                 Started
Microsoft SharePoint Foundation Sandboxed Code Service          Stopped
Microsoft SharePoint Foundation Subscription Settings Service   Started
Microsoft SharePoint Foundation Web Application                 Started
Microsoft SharePoint Foundation Workflow Timer Service          Started
PerformancePoint Service                                        Stopped
PowerPoint Conversion Service                                   Stopped
Request Management                                              Stopped
Search Host Controller Service (4)                              Started
Search Query and Site Settings Service                          Stopped
Secure Store Service                                            Stopped
SharePoint Server Search (5)                                    Started
User Profile Service                                            Stopped
User Profile Synchronization Service (6)                        Stopped
Visio Graphics Service                                          Stopped
Word Automation Services                                        Stopped
Work Management Service                                         Started

(4) This service will be started during the provisioning of the Search Service Application.
(5) This service will be started during the provisioning of the Search Service Application.
(6) Do not start the User Profile Synchronization Service now. It will be started later in this document.

AS (Search) (AS01, AS02, AS03, etc.)

Service                                                         Status
Access Database Service 2010                                    Stopped
Access Services                                                 Stopped
App Management Service                                          Stopped
Business Data Connectivity Service                              Stopped
Central Administration                                          Stopped
Claims to Windows Token Service                                 Stopped
Document Conversions Launcher Service                           Stopped
Document Conversions Load Balancer Service                      Stopped
Excel Calculation Services                                      Stopped
Lotus Notes Connector                                           Stopped
Machine Translation Service                                     Stopped
Managed Metadata Web Service                                    Stopped
Microsoft SharePoint Foundation Incoming E-Mail                 Started
Microsoft SharePoint Foundation Sandboxed Code Service          Stopped
Microsoft SharePoint Foundation Subscription Settings Service   Stopped
Microsoft SharePoint Foundation Web Application                 Started
Microsoft SharePoint Foundation Workflow Timer Service          Started
PerformancePoint Service                                        Stopped
PowerPoint Conversion Service                                   Stopped
Request Management                                              Stopped
Search Host Controller Service (7)                              Started
Search Query and Site Settings Service                          Stopped
Secure Store Service                                            Stopped
SharePoint Server Search (8)                                    Started
User Profile Service                                            Stopped
User Profile Synchronization Service                            Stopped
Visio Graphics Service                                          Stopped
Word Automation Services                                        Stopped
Work Management Service                                         Stopped

(7) This service will be started during the provisioning of the Search Service Application.
(8) This service will be started during the provisioning of the Search Service Application.

Create Quota Templates
Topic Last Modified: 2014-05-06

Create the quota templates before creating the web applications:
1. In Central Administration, go to Application Management | Site Collections | Specify quota templates.
2. Create 8 new quota templates using the [new blank template] as per the table below:

Name            Limit site storage   Send warning email when        Limit max usage   Send warning email when
                to a max of:         site collection storage        per day to:       max usage per day
                                     reaches:                                         reaches:
2GB             2000MB               1600MB                         300 pt            100 pt
5GB             5000MB               4000MB                         300 pt            100 pt
10GB            10000MB              8000MB                         300 pt            100 pt
20GB            20000MB              16000MB                        300 pt            100 pt
50GB            50000MB              40000MB                        300 pt            100 pt
60GB            60000MB              48000MB                        300 pt            100 pt
100GB           100000MB             80000MB                        300 pt            100 pt
200GB           200000MB             160000MB                       300 pt            100 pt
400GB           400000MB             320000MB                       300 pt            100 pt
Personal Site   1024MB               820MB                          300 pt            100 pt
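The same quota templates can be created from the SharePoint 2013 Management Shell instead of clicking through Central Administration. The script below is an added example, not part of this build guide or of any Microsoft script; it uses the SPQuotaTemplate object model, takes its values from the table above, and skips any template that already exists so it can be re-run safely. The "maximum usage per day" columns map to the sandboxed-solution resource-point properties (UserCodeMaximumLevel / UserCodeWarningLevel).

```powershell
# Added example (not from the build guide): create the quota templates from the table above
# with the SharePoint object model. Run in the SharePoint 2013 Management Shell on AP01.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Name, storage limit (MB), storage warning (MB), resource-point limit, resource-point warning
$quotaTable = @(
    @{ Name = "2GB";           LimitMB = 2000;   WarnMB = 1600;   PointsLimit = 300; PointsWarn = 100 },
    @{ Name = "5GB";           LimitMB = 5000;   WarnMB = 4000;   PointsLimit = 300; PointsWarn = 100 },
    @{ Name = "10GB";          LimitMB = 10000;  WarnMB = 8000;   PointsLimit = 300; PointsWarn = 100 },
    @{ Name = "20GB";          LimitMB = 20000;  WarnMB = 16000;  PointsLimit = 300; PointsWarn = 100 },
    @{ Name = "50GB";          LimitMB = 50000;  WarnMB = 40000;  PointsLimit = 300; PointsWarn = 100 },
    @{ Name = "60GB";          LimitMB = 60000;  WarnMB = 48000;  PointsLimit = 300; PointsWarn = 100 },
    @{ Name = "100GB";         LimitMB = 100000; WarnMB = 80000;  PointsLimit = 300; PointsWarn = 100 },
    @{ Name = "200GB";         LimitMB = 200000; WarnMB = 160000; PointsLimit = 300; PointsWarn = 100 },
    @{ Name = "400GB";         LimitMB = 400000; WarnMB = 320000; PointsLimit = 300; PointsWarn = 100 },
    @{ Name = "Personal Site"; LimitMB = 1024;   WarnMB = 820;    PointsLimit = 300; PointsWarn = 100 }
)

# Quota templates live on the farm-wide content web service
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService

foreach ($row in $quotaTable) {
    if ($contentService.QuotaTemplates[$row.Name] -ne $null) {
        Write-Host "Quota template '$($row.Name)' already exists, skipping"
        continue
    }
    $template = New-Object Microsoft.SharePoint.Administration.SPQuotaTemplate
    $template.Name = $row.Name
    # Storage levels are stored in bytes; the table is in MB
    $template.StorageMaximumLevel = [int64]$row.LimitMB * 1MB
    $template.StorageWarningLevel = [int64]$row.WarnMB * 1MB
    # "Maximum usage per day" is the sandboxed-solution resource-point quota
    $template.UserCodeMaximumLevel = $row.PointsLimit
    $template.UserCodeWarningLevel = $row.PointsWarn
    $contentService.QuotaTemplates.Add($template)
    Write-Host "Created quota template '$($row.Name)'"
}
$contentService.Update()

# Verify what is now configured against the table
$contentService.QuotaTemplates |
    Select-Object Name,
        @{ n = "LimitMB"; e = { $_.StorageMaximumLevel / 1MB } },
        @{ n = "WarnMB";  e = { $_.StorageWarningLevel / 1MB } },
        UserCodeMaximumLevel, UserCodeWarningLevel |
    Format-Table -AutoSize
```

The verification listing at the end is what to compare against the table before moving on to the web applications, since the web application general settings (later in this guide) reference these templates by name.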

Configure Outgoing Email
Topic Last Modified: 2014-05-06

Important: This procedure should be skipped if the customer does not subscribe to SPO. For non-SPO customers, SMTP configuration is not necessary. By default, email should be disabled. It should be configured in SFS.

1. In Central Administration, go to System Settings | E-Mail and Text Messages (SMS) | Configure outgoing e-mail settings.
2. Configure the following:
   a. Provide an outbound SMTP server address (either from the MGD or customer forest) that will accept routing requests from all SharePoint servers.

      Note: The SMTP server address should be a fully qualified domain name. Do not use an IP address, even if it is an F5 VIP.

   b. Provide a From address: e.g., [email protected].
   c. Provide a Reply-to address: e.g., [email protected].

Create Web Applications
Topic Last Modified: 2014-05-06

We create web applications for customers using Central Administration. The following table outlines what web applications to create.

Note: Create all the web applications in all environments, with the following exception: the Partner Access web application is only created if the customer has purchased that option.

1. In Central Administration, go to Application Management | Web Applications | Manage Web Applications.
2. For each of the specified web applications below, in the ribbon bar, click Contribute | New and then supply the specified settings:

Web Application         Notes
My Sites                https://my.contoso.com
Portal                  https://portal.contoso.com
Team                    https://team.contoso.com
Partner (optional)      https://extranet.contoso.com

Settings for Web Applications (Claims):
 Name: Supplied by customer
 IIS Web Site: Port: 443
 IIS Web Site: Host Header: Supplied by customer
 IIS Web Site: Path:
 Security Configuration: Allow Anonymous: No
 Security Configuration: Use Secure Sockets Layer (SSL): Yes
 Claims Authentication Types: Enable Windows Authentication; Integrated Windows Authentication (checked): NTLM
 Public URL:
 Application Pool: Create a new app pool for each web application. Create a new application pool named <>. Use the managed\ms-svc-wap account.
 Database Name and Authentication: Database Server: Primary SQL in content storage group (SQ01)
 Database Name and Authentication: Database Name: The default naming scheme for databases is _content_<##>.
 Failover Server:
 Service Application Connections:
 Customer Experience Improvement Program: No

Create Web Application to Host SharePoint Apps
To create an additional web application for hosting SharePoint applications, use the following settings.
1. In Central Administration, go to Application Management | Web Applications | Manage Web Applications.
2. In the ribbon bar, click Contribute | New and then supply the specified settings:

Settings for Web Applications (Claims):
 Name: AppsManagementSite
 IIS Web Site: Port: 443
 IIS Web Site: Host Header:
 Application Pool: Create a new application pool named AppsManagementSite. Use the managed\ms-svc-wap account.
 Database Name and Authentication: Database Server: Primary SQL in content storage group (SQ01)
 Database Name and Authentication: Database Name: AppsManagementSite_content_01
 Failover Server:
 Service Application Connections:
 Customer Experience Improvement Program: No
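The two settings tables above (the content web applications and the AppsManagementSite web application) can be applied in one pass with New-SPWebApplication. The script below is an added example, not from the build guide or from Microsoft; the host headers, database names and the apps host header are placeholders to be replaced with the customer-supplied values, and "SQ01" is assumed to be the SQL alias of the content storage group. The settings it encodes are the ones in the tables: claims mode with Windows integrated authentication and NTLM only, SSL on port 443, no anonymous access, one new application pool per web application running as managed\ms-svc-wap.

```powershell
# Added example (not from the build guide): create the web applications from the tables above.
# Run in the SharePoint 2013 Management Shell on AP01 as the setup account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$appPoolAccount   = Get-SPManagedAccount "managed\ms-svc-wap"   # application pool account from the guide
$contentSqlServer = "SQ01"                                       # ASSUMPTION: alias of the primary content SQL server

# One row per web application. Host headers and database names are PLACEHOLDERS (customer-supplied).
$webApps = @(
    @{ Name = "My Sites";           Host = "my.contoso.com";     Database = "MySites_content_01" },
    @{ Name = "Portal";             Host = "portal.contoso.com"; Database = "Portal_content_01" },
    @{ Name = "Team";               Host = "team.contoso.com";   Database = "Team_content_01" },
    @{ Name = "AppsManagementSite"; Host = "apps.contoso.com";   Database = "AppsManagementSite_content_01" }
)

# Claims authentication, Integrated Windows Authentication, NTLM only (-DisableKerberos)
$authProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos

foreach ($wa in $webApps) {
    if (Get-SPWebApplication -Identity $wa.Name -ErrorAction SilentlyContinue) {
        Write-Host "Web application '$($wa.Name)' already exists, skipping"
        continue
    }
    # SSL on 443, anonymous access off (the default), a new app pool named after the web application
    New-SPWebApplication -Name $wa.Name `
        -HostHeader $wa.Host -Port 443 -SecureSocketsLayer `
        -Url "https://$($wa.Host)" `
        -ApplicationPool $wa.Name -ApplicationPoolAccount $appPoolAccount `
        -AuthenticationProvider $authProvider `
        -DatabaseServer $contentSqlServer -DatabaseName $wa.Database | Out-Null
    Write-Host "Created web application '$($wa.Name)' at https://$($wa.Host)"
}

# Verify the security-relevant settings of the Default zone on every web application
Get-SPWebApplication | ForEach-Object {
    $iis = $_.IisSettings["Default"]
    [pscustomobject]@{
        Name      = $_.DisplayName
        Url       = $_.Url
        Claims    = $_.UseClaimsAuthentication
        Anonymous = $iis.AllowAnonymous             # must be False
        Ssl       = ($iis.SecureBindings.Count -gt 0) # must be True (port 443 binding)
        Kerberos  = (-not $iis.DisableKerberos)     # False means NTLM only, as the table requires
    }
} | Format-Table -AutoSize
```

The verification table is worth keeping as a build artifact: a web application that shows Anonymous = True or Ssl = False at this point will otherwise only be noticed when the first site collection is created on it.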

Set Up People Picker for Each URL
Topic Last Modified: 2014-04-02

SharePoint Online Dedicated service accounts are not automatically trusted by the customer Active Directory because of the one-way trust. Please specify the following:
1. Start the SharePoint 2013 Management Shell.
2. Execute the following, where the password is a KeyPhrase provided from the KeePass database located at \\mgmt.msft.net\spo\Secured\000\000.kdbx:

   stsadm -o setapppassword -password <KeyPhrase>

3. Repeat step 2 on all SharePoint machines. Ensure you have completed step 2 on all SharePoint machines before beginning step 4.
4. On AP01 in each farm, execute the following for all URLs, including central admin. (Do not run this until step 2 has completed on every server.)

If ((Get-PsSnapin | ?{ $_.Name -eq "Microsoft.SharePoint.PowerShell" }) -eq $null)
{
    Write-Host -ForegroundColor White " - Loading SharePoint Powershell Snapin"
    $PSSnapin = Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
}
$pn = "peoplepicker-searchadForests"
# Include customer forests/domains variables in the first line
# For additional customer forests/domains remove the "#" in the second line and make additional copies of it as needed
$pv = "DOMAIN:<Customer Domain>,,;"
#$pv += "DOMAIN:,,;"
# Include the management domain
# Set the people picker on content web applications
Get-SPWebApplication | % { stsadm -o setproperty -url $_.Url -pn $pn -pv $pv }
# Include the managed domain for central admin
$pv += "DOMAIN:<Management Domain FQDN>,,;"
$pv = $pv + "DOMAIN:001d.mgd7.msft.net;"
# Set the people picker on central admin web app
Get-SPWebApplication -IncludeCentralAdministration | where { $_.DisplayName -like "SharePoint Central Administration*" } | % { stsadm -o setproperty -url $_.Url -pn $pn -pv $pv }
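Because the stsadm calls above run per web application and the central admin list differs from the content list, it is easy to end up with one web application missing a domain. The check below is an added example, not from the build guide; it reads the same setting back through the object model (SPWebApplication.PeoplePickerSettings.SearchActiveDirectoryDomains, which is what peoplepicker-searchadforests writes) and reports which required domains are missing on each web application. The domain names are placeholders to be replaced with the same FQDNs used in the script above.

```powershell
# Added example (not from the build guide): verify the people picker forest/domain list on every
# web application, including Central Administration, after the stsadm steps above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# PLACEHOLDERS: replace with the customer domain FQDN and the management domain FQDN used above
$requiredOnContent      = @("<Customer Domain>")
$requiredOnCentralAdmin = @("<Customer Domain>", "<Management Domain FQDN>")

function Test-PeoplePickerDomains {
    # Compares the configured search domains of one web application against the required list
    param($WebApplication, [string[]]$Required)
    $configured = @($WebApplication.PeoplePickerSettings.SearchActiveDirectoryDomains |
        ForEach-Object { $_.DomainName })
    $missing = @($Required | Where-Object { $configured -notcontains $_ })
    [pscustomobject]@{
        WebApplication = $WebApplication.DisplayName
        Configured     = ($configured -join ";")
        Missing        = ($missing -join ";")
        Ok             = ($missing.Count -eq 0)
    }
}

$results = foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    if ($wa.IsAdministrationWebApplication) {
        Test-PeoplePickerDomains $wa $requiredOnCentralAdmin
    } else {
        Test-PeoplePickerDomains $wa $requiredOnContent
    }
}
$results | Format-Table -AutoSize

# Non-zero exit when anything is missing, so the check can gate the next build step
if ($results | Where-Object { -not $_.Ok }) { Write-Warning "People picker domains incomplete"; exit 1 }
```

Note that the stored credential for the one-way trust is encrypted with the application password set in step 2, which is why the guide insists step 2 runs on every server first: a server with a different application password cannot decrypt the people picker credential and lookups from that server fail.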

Configure Web Applications (Common Settings)
Topic Last Modified: 2014-05-06

The following common settings must be applied to each content web application (My, Portal, Team, Partner Access).

General Settings
1. In Central Administration, go to Application Management | Web Applications | Manage web applications | General Settings.
2. Configure the following settings:
 Time Zone: As specified in the discovery documentation
 Default Quota (My Web App): Personal Site
 Default Quota (Other Web Apps): 2 GB
 Browser File Handling: Permissive
 Security Validation: 60 minutes
 Recycle Bin | Delete items in the Recycle Bin: after 35 days
 Maximum Upload Size: 2047 MB
3. Repeat step 2 for each content web application (Team, Portal, My, and Partner Access).

Configure Managed Paths
1. In Central Administration, go to Application Management | Web Applications | Manage web applications | Managed Paths.
2. Configure the following settings; delete any included paths not called out below:
 Included Paths (My Web App): (root) - Explicit inclusion; personal - Wildcard inclusion
 Included Paths (Other Web Apps): (root) - Explicit inclusion; sites - Wildcard inclusion
3. Repeat step 2 for each content web application.

Configure Blocked File Types
Repeat the following for each web application.
1. In Central Administration, go to Application Management | Web Applications | Manage web applications.
2. Select the web application row, then click Blocked File Types.
3. Remove all of the existing file types.
4. Enter the following list of file types:
 ashx
 asmx
 asp
 aspq
 axd
 cshtm
 cshtml
 json
 rem
 shtm
 shtml
 soap
 stm
 svc
 vbhtm
 vbhtml
 xamlx
5. Click OK.
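The three procedures above (General Settings, Managed Paths, Blocked File Types) are repeated for every content web application, which makes them a good candidate for a script. The block below is an added example, not from the build guide or from Microsoft; it sets the same values through the SPWebApplication object model and the managed-path cmdlets. The web application names are the ones used in this guide, the time zone id is a placeholder that must come from the discovery documentation, and the blocked extension list is exactly the one in step 4 above (it replaces the default list, as step 3 says).

```powershell
# Added example (not from the build guide): apply the common web application settings above.
# Run in the SharePoint 2013 Management Shell on AP01.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$timeZoneId   = 13   # PLACEHOLDER: take the SharePoint time zone id from the discovery documentation
$blockedTypes = @("ashx","asmx","asp","aspq","axd","cshtm","cshtml","json","rem",
                  "shtm","shtml","soap","stm","svc","vbhtm","vbhtml","xamlx")

function Set-ContentWebAppCommonSettings {
    param([Microsoft.SharePoint.Administration.SPWebApplication]$WebApp, [bool]$IsMySiteHost)

    # General settings (same values as the Central Administration steps)
    $WebApp.DefaultTimeZone = $timeZoneId
    $WebApp.DefaultQuotaTemplate = if ($IsMySiteHost) { "Personal Site" } else { "2GB" }
    # Permissive lets the browser render uploaded files inline; Strict forces a download instead
    $WebApp.BrowserFileHandling = [Microsoft.SharePoint.SPBrowserFileHandling]::Permissive
    $WebApp.FormDigestSettings.Timeout = New-TimeSpan -Minutes 60   # "Security Validation"
    $WebApp.RecycleBinRetentionPeriod = 35                            # days
    $WebApp.MaximumFileSize = 2047                                    # MB

    # Blocked file types: replace the whole default list with the guide's list
    $WebApp.BlockedFileExtensions.Clear()
    foreach ($ext in $blockedTypes) { $WebApp.BlockedFileExtensions.Add($ext) }
    $WebApp.Update()

    # Managed paths: keep (root) explicit plus one wildcard path, remove everything else
    $wildcard = if ($IsMySiteHost) { "personal" } else { "sites" }
    Get-SPManagedPath -WebApplication $WebApp |
        Where-Object { -not [string]::IsNullOrEmpty($_.Name) -and $_.Name -ne $wildcard } |
        ForEach-Object { Remove-SPManagedPath -Identity $_.Name -WebApplication $WebApp -Confirm:$false }
    if (-not (Get-SPManagedPath -WebApplication $WebApp | Where-Object { $_.Name -eq $wildcard })) {
        New-SPManagedPath -RelativeURL $wildcard -WebApplication $WebApp | Out-Null
    }
}

# Apply to the content web applications (Partner Access only if it was created)
Set-ContentWebAppCommonSettings (Get-SPWebApplication "My Sites") $true
foreach ($name in "Portal", "Team", "Partner Access") {
    $wa = Get-SPWebApplication -Identity $name -ErrorAction SilentlyContinue
    if ($wa) { Set-ContentWebAppCommonSettings $wa $false }
}

# Read back what was applied
Get-SPWebApplication | Select-Object DisplayName, DefaultQuotaTemplate, BrowserFileHandling,
    MaximumFileSize, RecycleBinRetentionPeriod,
    @{ n = "Blocked"; e = { $_.BlockedFileExtensions -join "," } },
    @{ n = "Paths";   e = { (Get-SPManagedPath -WebApplication $_ | ForEach-Object { $_.Name }) -join "," } } |
    Format-List
```

The blocked list is applied as a replacement rather than a merge so that re-running the script always converges on the list printed in step 4, regardless of what the previous run or the SharePoint defaults left behind.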

Enable the BLOB Cache

Important: Do not make manual changes to the web.config files, because manual changes will not be automatically applied to new servers brought into the farm or when web applications are extended into new zones.

By default, the disk-based BLOB cache is off and must be enabled on each content web application of each FE server and AP-01.
1. Open the SharePoint 2013 Management Shell and execute the following:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Write-Host "Updating the Blob Cache"
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null
$BlobCachePath = "configuration/SharePoint/BlobCache"
# Attributes to ensure on the <BlobCache> element: the file-extension pattern and enabled="true"
$WebConfigModifications = @{
    "path"    = "(?:(^.{0,160}))\.(gif|jpg|jpeg|jpe|jfif|bmp|dib|tif|tiff|ico|png|wdp|hdp|css|js|asf|avi|flv|m4v|mov|mp3|mp4|mpeg|mpg|rm|rmvb|wma|wmv|ogg|ogv|oga|webm|xap)$";
    "enabled" = "true"
}

$SPWebApps = Get-SPWebApplication
$Method = [Microsoft.SharePoint.Administration.SPServiceCollection].GetMethod("GetValue", [string])
$GenericMethod = $Method.MakeGenericMethod([Microsoft.SharePoint.Administration.SPWebService])
$Farm = [Microsoft.SharePoint.Administration.SPFarm]::Local
foreach ($SPWebApp in $SPWebApps)
{
    Write-Host "Modifying the Web App $($SPWebApp.Name)"
    foreach ($Key in $WebConfigModifications.Keys)
    {
        $SPWebConfigModification = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
        $SPWebConfigModification.Name  = $Key
        $SPWebConfigModification.Owner = "SPO dedicated"
        $SPWebConfigModification.Path  = $BlobCachePath
        $SPWebConfigModification.Type  = "EnsureAttribute"
        $SPWebConfigModification.Value = $WebConfigModifications[$Key]
        $SPWebApp.WebConfigModifications.Add($SPWebConfigModification)
    }
    $SPWebApp.Update()
}
# Push the registered modifications to web.config on every server in the farm
$FarmService = $GenericMethod.Invoke($Farm.Services, "")
$FarmService.ApplyWebConfigModifications()
Write-Host "Updated the Blob cache successfully"

Apply Web App Policy and User Policy (Kiosk Worker)

Note: Skip this procedure if your organization does not employ kiosk workers.

For customers that have purchased the kiosk worker USL option, it is necessary to create a web application policy to restrict the tasks that kiosk workers can perform in SharePoint. In addition to this web app policy, you must create a user policy to associate this web app policy with a Role Claim or AD Group.
1. In Central Administration, go to Application Management | Web Applications | Manage web applications | Permission Policy | Add Permission Policy Level.
2. Configure the following settings:
 Name: Kiosk Workers
 Description: Deny policy for kiosk workers
 Manage Lists: Deny
 Override List Behaviors: Deny
 Approve Items: Deny
 Manage Permissions: Deny
 View Web Analytics Data: Deny
 Create Subsites: Deny
 Manage Web Site: Deny
 Add and Customize Pages: Deny
 Apply Themes and Borders: Deny
 Apply Style Sheets: Deny
 Create Groups: Deny
 Use Self-Service Site Creation: Deny
 Enumerate Permissions: Deny
 Manage Alerts: Deny
 Use Client Integration Features: Deny
 Manage Personal Views: Deny
 Add/Remove Personal Web Parts: Deny
 Update Personal Web Parts: Deny
3. In Central Administration, go to Application Management | Web Applications | Manage web applications | User Policy | Add Users.
4. Configure the following settings:
 Zones: (All zones)
 Users: Security group specified by the customer
 Permissions: Kiosk Workers
 Account operates as System: leave unchecked.
5. Repeat steps 1 through 4 for each content web application (Team, Portal, My, and Partner Access).

Set Up Super User and Super Reader Accounts
Publishing sites depend on the object cache for maximum performance. This is also a required setting for claims authentication, where the default users do not resolve correctly and receive "Access Denied" error messages when navigating to the site.
1. Edit lines 2 and 4 of the script below with the Portal Super User account and the Portal Super Reader account.
2. Execute the script once on the AP01 server:

# Create Object Cache Account Settings
$SuperUserAccount = "mgd\ms-svc-psu"
# Use
$SuperReaderAccount = "mgd\ms-svc-psr"
$superReaderPropertyString = "portalsuperreaderaccount"
$superUserPropertyString = "portalsuperuseraccount"
$FullReadRoleName = "Full Read"
$FullControlRoleName = "Full Control"
Get-SPWebApplication | %{
    $Zone = $_.IISSettings.Item("Default")
    if ($Zone.UseClaimsAuthentication -eq $True)
    {
        # Claims web applications need the encoded claim form of the accounts
        $SuperUserPrincipal = New-SPClaimsPrincipal -Identity $SuperUserAccount -IdentityType WindowsSamAccountName
        $SuperUserAccountEncoded = $SuperUserPrincipal.ToEncodedString()
        $superReaderPrincipal = New-SPClaimsPrincipal -Identity $SuperReaderAccount -IdentityType WindowsSamAccountName
        $SuperReaderAccountEncoded = $superReaderPrincipal.ToEncodedString()
    }
    $SuperReaderPolicy = $_.Policies | WHERE { $_.DisplayName -eq "Object Cache Super Reader" }
    if ($SuperReaderPolicy -eq $Null)
    {
        $SuperReaderPolicy = $_.Policies.Add($SuperReaderAccountEncoded, "Object Cache Super Reader")
    }
    $Role = $_.PolicyRoles | where { $_.Name -like $FullReadRoleName }
    $SuperReaderPolicy.PolicyRoleBindings.Add($Role)
    $_.Properties[$superReaderPropertyString] = [System.String]$SuperReaderAccountEncoded
    $SuperUserPolicy = $_.Policies | WHERE { $_.DisplayName -eq "Object Cache Super User" }
    if ($SuperUserPolicy -eq $Null)
    {
        $SuperUserPolicy = $_.Policies.Add($SuperUserAccountEncoded, "Object Cache Super User")
    }
    $Role = $_.PolicyRoles | where { $_.Name -like $FullControlRoleName }
    $SuperUserPolicy.PolicyRoleBindings.Add($Role)
    $_.Properties[$superUserPropertyString] = [System.String]$SuperUserAccountEncoded
    $_.Update()
}
#endregion

Add Administrators to Web App Policy
To facilitate troubleshooting customer issues, all admins are granted rights to all content in each of the web applications. This is done via a web app policy set for each web application.
1. In Central Administration, go to Application Management | Web Applications | Manage Web Applications | Select a Content Web Application | User Policy | Add Users.
2. Add the following user with Full Control:
 Zones: (All zones)
 Users: Add your SharePoint farm administrators group
 Permissions: Full Control
 Account operates as System: leave unchecked.
3. Repeat steps 1 and 2 for each content web application (My, Portal, Team, Partner Access).
4. Repeat this procedure to add customer-provided admin groups if available.

Configure List Throttle Settings
To allow for large list operations and the need to administer large lists, configure "happy hour" settings.
1. In Central Administration, go to Application Management | Web Applications | Manage Web Applications | Select a Content Web Application | General Settings | Resource Throttling.
 ListView Threshold: 12
 Daily Time Window for Large Queries
 Enable a daily time window for large queries: enabled
 Start Time: 6 pm 00
 Duration: 6 hours
2. Repeat for each content web application (My, Portal, Team, and Partner Access).

Set Setup User Account as System
Topic Last Modified: 2014-04-02

Important: The instructions for configuring services are organized to get the farm up and running as fast as possible. In order to ensure that nothing is missed, it is recommended that each section relating to service configuration be performed in the order presented.

Add your management account as system to mask your user name when content visible to end users is created:
1. In Central Administration, go to Application Management | Web Applications | Manage Web Applications | Select a Content Web Application | User Policy | Add Users.
 Zones: (All zones)
 Users:
 Permissions: Full Control
 Account operates as System: Check this box.
2. Repeat for all content web applications (My, Team, and Portal).
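The four web application policy procedures above (the Kiosk Workers deny policy, the farm administrators Full Control policy, the list throttle settings and the management account operating as System) all touch the same SPWebApplication objects, so one script can apply them consistently. The block below is an added example, not from the build guide or from Microsoft. The three group/account names are placeholders; the SPBasePermissions members listed are the object-model names of the rights denied in step 2 of the kiosk procedure, in the same order. The list view threshold value is the one printed in the guide.

```powershell
# Added example (not from the build guide): web application policies and throttling settings
# from the four procedures above, applied with the object model. Run on AP01.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$kioskGroup        = "CUSTOMER\KioskWorkers"      # PLACEHOLDER: security group specified by the customer
$farmAdminsGroup   = "MGD\SharePointFarmAdmins"   # PLACEHOLDER: SharePoint farm administrators group
$managementAccount = "MGD\ms-mgmt-user"           # PLACEHOLDER: your management account
$contentWebApps    = "My Sites", "Portal", "Team", "Partner Access"
$listViewThreshold = 12                            # value as printed in the guide

# SPBasePermissions members matching the deny list of the "Kiosk Workers" permission policy level
$kioskDenyRights = "ManageLists", "CancelCheckout", "ApproveItems", "ManagePermissions",
    "ViewUsageData", "ManageSubwebs", "ManageWeb", "AddAndCustomizePages", "ApplyThemeAndBorder",
    "ApplyStyleSheets", "CreateGroups", "CreateSSCSite", "EnumeratePermissions", "ManageAlerts",
    "UseClientIntegration", "ManagePersonalViews", "AddDelPrivateWebParts", "UpdatePersonalWebParts"

function Get-OrAddPolicy {
    # Returns the user policy (all zones) for an identity, creating it when missing
    param($WebApp, [string]$Identity, [string]$IdentityType, [string]$DisplayName)
    $encoded = (New-SPClaimsPrincipal -Identity $Identity -IdentityType $IdentityType).ToEncodedString()
    $policy = $WebApp.Policies | Where-Object { $_.UserName -eq $encoded }
    if (-not $policy) { $policy = $WebApp.Policies.Add($encoded, $DisplayName) }
    return $policy
}

function Add-RoleBinding {
    # Binds a permission policy level to a user policy exactly once
    param($Policy, $Role)
    if (-not ($Policy.PolicyRoleBindings | Where-Object { $_.Name -eq $Role.Name })) {
        $Policy.PolicyRoleBindings.Add($Role)
    }
}

foreach ($wa in Get-SPWebApplication | Where-Object { $contentWebApps -contains $_.DisplayName }) {
    # 1. "Kiosk Workers" permission policy level: a deny mask built from the list above
    $kioskRole = $wa.PolicyRoles | Where-Object { $_.Name -eq "Kiosk Workers" }
    if (-not $kioskRole) {
        $kioskRole = $wa.PolicyRoles.Add("Kiosk Workers", "Deny policy for kiosk workers")
        $mask = [Microsoft.SharePoint.SPBasePermissions]::EmptyMask
        foreach ($right in $kioskDenyRights) {
            $mask = $mask -bor [Enum]::Parse([Microsoft.SharePoint.SPBasePermissions], $right)
        }
        $kioskRole.DenyRightsMask = $mask   # deny wins over any grant from site permissions
    }
    $kioskPolicy = Get-OrAddPolicy $wa $kioskGroup "WindowsSecurityGroupName" "Kiosk Workers"
    Add-RoleBinding $kioskPolicy $kioskRole

    # 2. Farm administrators: Full Control on all content, not operating as System
    $fullControl = $wa.PolicyRoles | Where-Object { $_.Name -eq "Full Control" }
    $adminPolicy = Get-OrAddPolicy $wa $farmAdminsGroup "WindowsSecurityGroupName" "SharePoint Farm Administrators"
    Add-RoleBinding $adminPolicy $fullControl
    $adminPolicy.IsSystemUser = $false

    # 3. Management account: Full Control, operating as System so its name is masked in content
    #    (the guide applies this to My, Team and Portal only)
    if ($wa.DisplayName -ne "Partner Access") {
        $sysPolicy = Get-OrAddPolicy $wa $managementAccount "WindowsSamAccountName" "Management account"
        Add-RoleBinding $sysPolicy $fullControl
        $sysPolicy.IsSystemUser = $true
    }

    # 4. Resource throttling: threshold and the daily window for large queries (18:00, 6 hours)
    $wa.MaxItemsPerThrottledOperation = $listViewThreshold
    $wa.UnthrottledPrivilegedOperationWindowEnabled = $true
    $wa.DailyStartUnthrottledPrivilegedOperationsHour = 18
    $wa.DailyUnthrottledPrivilegedOperationsDuration = 6
    $wa.Update()
    Write-Host "Policies and throttling applied to $($wa.DisplayName)"
}

# Review: who holds a web application policy, with what role and whether as System
Get-SPWebApplication | ForEach-Object {
    $name = $_.DisplayName
    $_.Policies | ForEach-Object {
        [pscustomobject]@{ WebApp = $name; Policy = $_.DisplayName; Roles = ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ","; System = $_.IsSystemUser }
    }
} | Format-Table -AutoSize
```

The review listing at the end is the thing to keep: web application policies override site-level permissions, so every entry in it is an account or group with farm-wide reach into the customer's content, and the list should contain only the entries these procedures intended.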


Create Site Collections
Topic Last Modified: 2014-02-11

Site collections must be created at this stage to support creation of the Service Applications and to allow Self-Service Site Creation to be enabled.
1. In Central Administration, go to Application Management | Site Collections | Create site collections.
2. Create root site collections for each web application using the parameters listed in the following table:

My
 Title: My Site
 Web Application: Provided by customer
 Template: Enterprise | My Site Host
 Secondary Site Collection Admin: n/a
 Secondary Site Collection Admin on PPE: n/a
 Quota: No quota
 Members Group: All IW Users
 Visitors Group: NT AUTHORITY\authenticated users

Portal
 Title: Portal
 Web Application: Provided by customer
 Template: Publishing | Publishing Portal
 Primary Site Collection Admin: Provided by customer
 Secondary Site Collection Admin: Provided by customer
 Primary Site Collection Admin on PPE: Provided by customer
 Secondary Site Collection Admin on PPE: Provided by customer
 Quota: 100 GB
 Members Group: n/a
 Visitors Group: n/a

Team
 Title: Team
 Web Application: Provided by customer
 Template: Collaboration | Team Site
 Primary Site Collection Admin: Provided by customer
 Secondary Site Collection Admin: Provided by customer
 Primary Site Collection Admin on PPE: Provided by customer
 Secondary Site Collection Admin on PPE: Provided by customer
 Quota: 5 GB
 Members Group: n/a
 Visitors Group: n/a

Partner Access
 Title: Partner Access
 Web Application: Provided by customer
 Template: Collaboration | Team Site
 Primary Site Collection Admin: Provided by customer
 Secondary Site Collection Admin: Provided by customer
 Primary Site Collection Admin on PPE: Provided by customer
 Secondary Site Collection Admin on PPE: Provided by customer
 Quota: 5 GB
 Members Group: n/a
 Visitors Group: n/a

3. To support service applications, create a Content Hub site collection and a Broadcast Site site collection. The following table provides the required setting parameters:

Content Hub (9)
 URL: Team URL/sites/contenthub
 Template: Collaboration | Team Site
 Primary Site Collection Admin: Provided by customer
 Quota: 5 GB
 Members Group: Set by Customer After Service Ready
 Visitors Group: Set by Customer After Service Ready

Search Center
 URL: Team URL/sites/searchcenter
 Template: Enterprise | Enterprise Search Center
 Primary Site Collection Admin: Provided by customer
 Quota: 2 GB
 Members Group: Set by Customer After Service Ready
 Visitors Group: NT Authority\Authenticated Users

4. After creating the ContentHub site collection, navigate to the site collection and enable the Content Type Syndication Hub site collection feature.
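Steps 2 to 4 above can be run as one New-SPSite script. The block below is an added example, not from the build guide or from Microsoft; the URLs and owner account are placeholders for the customer-supplied values, the quota template names are the ones created earlier in this guide, and the template ids are the standard SharePoint 2013 ids for the templates named in the tables (SPSMSITEHOST#0 for My Site Host, BLANKINTERNETCONTAINER#0 for Publishing Portal, STS#0 for Team Site, SRCHCEN#0 for Enterprise Search Center). Step 4 is covered by enabling the ContentTypeHub site collection feature at the end.

```powershell
# Added example (not from the build guide): create the root site collections, the Content Hub and
# the Search Center, then enable the Content Type Syndication Hub feature on the Content Hub.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$owner   = "CUSTOMER\spadmin"            # PLACEHOLDER: primary site collection administrator
$teamUrl = "https://team.contoso.com"    # PLACEHOLDER: Team web application URL

# Url, title, template id, quota template name ($null = no quota). Partner Access is optional
# and would follow the Team row with its own URL if the customer purchased it.
$sites = @(
    @{ Url = "https://my.contoso.com";        Title = "My Site";       Template = "SPSMSITEHOST#0";           Quota = $null },
    @{ Url = "https://portal.contoso.com";    Title = "Portal";        Template = "BLANKINTERNETCONTAINER#0"; Quota = "100GB" },
    @{ Url = $teamUrl;                        Title = "Team";          Template = "STS#0";                    Quota = "5GB" },
    @{ Url = "$teamUrl/sites/contenthub";     Title = "Content Hub";   Template = "STS#0";                    Quota = "5GB" },
    @{ Url = "$teamUrl/sites/searchcenter";   Title = "Search Center"; Template = "SRCHCEN#0";                Quota = "2GB" }
)

foreach ($s in $sites) {
    if (Get-SPSite -Identity $s.Url -ErrorAction SilentlyContinue) {
        Write-Host "$($s.Url) already exists, skipping"
        continue
    }
    # Splat so that -QuotaTemplate is only passed when the table specifies a quota
    $params = @{ Url = $s.Url; Name = $s.Title; Template = $s.Template; OwnerAlias = $owner }
    if ($s.Quota) { $params.QuotaTemplate = $s.Quota }
    New-SPSite @params | Out-Null
    Write-Host "Created '$($s.Title)' at $($s.Url)"
}

# Step 4: the Content Hub needs the site-collection-scoped Content Type Syndication Hub feature,
# which is what the Managed Metadata Service Application's Content Type Hub setting points at
Enable-SPFeature -Identity ContentTypeHub -Url "$teamUrl/sites/contenthub" -ErrorAction SilentlyContinue

# Verify: template, owner and quota of each site collection created above
foreach ($s in $sites) {
    $site = Get-SPSite -Identity $s.Url
    [pscustomobject]@{
        Url      = $site.Url
        Template = $site.RootWeb.WebTemplate + "#" + $site.RootWeb.Configuration
        Owner    = $site.Owner.LoginName
        QuotaMB  = $site.Quota.StorageMaximumLevel / 1MB
        HubOn    = ($s.Title -ne "Content Hub") -or (Get-SPFeature -Site $site | Where-Object { $_.DisplayName -eq "ContentTypeHub" }) -ne $null
    }
}
```

The Members and Visitors group assignments in the tables (All IW Users, NT AUTHORITY\authenticated users) are left to the customer in this example, matching the "Set by Customer After Service Ready" entries; in a claims web application the authenticated-users group is added by its claim, not by the Windows name.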


Create Service Applications
Topic Last Modified: 11-December-2015

Important: The instructions for configuring service applications are organized to get the farm up and running as fast as possible. In order to ensure that nothing is missed, we recommend that each section relating to service application configuration be performed in the order presented.

Most service applications will use default settings. Below we highlight, for each service application, which settings to change when configuring it. If this is a new customer, all settings will be default. If building out an existing customer, build out first with the defaults; the delta (based on change requests) will be applied afterwards.

The generic steps to create service applications are as follows:

Note: Only log in as the Farm Administrator account when configuring the Sync service.

1. In Central Administration, go to Application Management | Service Applications | Manage service applications.
2. For each service, click New and select the Service Application.
3. For Name, choose the title of the type of Service Application (for example: Access Services Application).
4. All databases should be created on SQ01 and use the provided database name if the service application has an associated database (not all do).
5. All service applications should use the SharePoint Service Applications App Pool, created first for Access Services.
6. Use the following settings for each service application:

Access Services Application
 Name: Access Services Application
 Application Pool: SharePoint Service Applications

App Management Service
 Name: App Management Service Application
 Database Name: App_Management_DB
 Application Pool: SharePoint Service Applications

Business Data Connectivity Service
 Name: Business Data Connectivity Service Application
 Database Name: BDC_Service_DB
 Application Pool: SharePoint Service Applications

Excel Service Application
 Name: Excel Service Application
 Application Pool: SharePoint Service Applications

Machine Translation Service
 Name: Machine Translation Service Application
 Application Pool: SharePoint Service Applications
 Add to Default Proxy List: Checked
 Database Name: Machine_Translation_Service_DB

Managed Metadata Service Application
 Name: Managed Metadata Service Application
 Database Name: Managed_Metadata_DB
 Application Pool: SharePoint Service Applications
 Content Type Hub: Provided by the customer.

User Profile Service Application
 Name: User Profile Service Application
 Application Pool: SharePoint Service Applications
 Profile database name: Profile_DB
 Sync database name: Sync_DB
 Social Tagging Database name: Social_DB
 Profile Synchronization Instance: AP-01
 My Site Host URL: https:///
 My Site Managed Path: /personal
 Site Naming Format: Domain and user name (will not have conflicts)
 Additional Connection Permissions for User Profile Service Application: MGMT\ms-svc-orc Full Control

Search Service Application: do not provision at this time.

Secure Store Service Application
 Name: Secure Store Service Application
 Database name: Secure_Store_Service_DB
 Application Pool: SharePoint Service Applications

Visio Graphics Service Application
 Name: Visio Graphics Service Application
 Application Pool: SharePoint Service Applications

Work Management Service Application
7. On AP01, open the SharePoint 2013 Management Shell and execute the following PowerShell script:

Add-PSSnapin Microsoft.SharePoint.PowerShell
# Remove existing Work Management Service Application
$svc = Get-SPServiceApplication | ? { $_.TypeName -eq "Work Management Service Application" }
$svcPxy = Get-SPServiceApplicationProxy | ? { $_.TypeName -eq "Work Management Service Application Proxy" }

# Find the web app app pool identity. Work management must use the same identity
# as the web app so that it can aggregate all the tasks for all web apps
$webApp = Get-SPWebApplication | ? Name -ne AppsManagementSite | Select -First 1
$managedAccount = $webApp.ApplicationPool.ManagedAccount

if ($svc.ApplicationPool.ProcessAccountName -eq $managedAccount.Username)
{
    Write-Host "No changes are required. Work Management service and web app identities are the same."
}
else
{
    if ($svcPxy)
    {
        Write-Host "Removing the Work Management Service Application Proxy..." -NoNewline
        $svcPxy | Remove-SPServiceApplicationProxy -Confirm:$false
        Write-Host "Done" -ForegroundColor Green
    }
    if ($svc)
    {
        Write-Host "Removing the Work Management Service Application..." -NoNewline
        $svc | Remove-SPServiceApplication -Confirm:$false
        Write-Host "Done" -ForegroundColor Green
    }

    # Find the web app app pool identity. Work management must use the same identity
    # as the web app so that it can aggregate all the tasks for all web apps
    $webApp = Get-SPWebApplication | ? Name -ne AppsManagementSite | Select -First 1
    $managedAccount = $webApp.ApplicationPool.ManagedAccount

    # Create a new service app pool for work management
    $appPoolName = "Work Management Service Application"
    if (-not (Get-SPServiceApplicationPool | ? { $_.Name -eq $appPoolName }))
    {
        Write-Host "Creating $appPoolName app pool..." -NoNewline
        New-SPServiceApplicationPool -Name $appPoolName -Account $managedAccount | Out-Null
        Write-Host "Done" -ForegroundColor Green
    }
    else
    {
        Write-Host "$appPoolName app pool already exists"
    }

    # Create the Service Application using the new app pool
    if (-not (Get-SPServiceApplication | ? { $_.Name -eq "Work Management Service Application" }))
    {
        Write-Host "Creating Work Management Service Application and Proxy..." -NoNewline
        New-SPWorkManagementServiceApplication -Name "Work Management Service Application" -ApplicationPool $appPoolName | Out-Null
        New-SPWorkManagementServiceApplicationProxy -Name "Work Management Service Application Proxy" -ServiceApplication "Work Management Service Application" -DefaultProxyGroup | Out-Null
        Write-Host "Done" -ForegroundColor Green
    }
}

8. Subscription Settings Service Application
On AP01, open the SharePoint 15 Management Shell and execute the following PowerShell script:

If ((Get-PsSnapin | ?{ $_.Name -eq "Microsoft.SharePoint.PowerShell" }) -eq $null)
{
    Write-Host -ForegroundColor White " - Loading SharePoint Powershell Snapin"
    $PSSnapin = Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
}
$appPool = Get-SPServiceApplicationPool "SharePoint Service Applications"
$appSubSvc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $appPool -Name "Subscription Settings Service Application" -DatabaseName "SubscriptionSettingsServiceDB"
$proxySubSvc = New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $appSubSvc


9. Start the State Service (via PowerShell)
   a. On AP-01, in the SharePoint 15 Management Shell, execute the following PowerShell script:

If ((Get-PsSnapin | ?{ $_.Name -eq "Microsoft.SharePoint.PowerShell" }) -eq $null)
{
    Write-Host -ForegroundColor White " - Loading SharePoint Powershell Snapin"
    $PSSnapin = Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
}
Try
{
    $StateServiceDB = "SharePoint_State_Service"
    $StateServiceName = "State Service Application"
    $StateServiceProxyName = "State Service Application"
    $GetSPStateServiceApplication = Get-SPStateServiceApplication
    If ($GetSPStateServiceApplication -eq $Null)
    {
        Write-Host -ForegroundColor White " - Provisioning State Service Application..."
        New-SPStateServiceDatabase -Name $StateServiceDB | Out-Null
        New-SPStateServiceApplication -Name $StateServiceName -Database $StateServiceDB | Out-Null
        Get-SPStateServiceDatabase | Initialize-SPStateServiceDatabase | Out-Null
        Write-Host -ForegroundColor White " - Creating State Service Application Proxy..."
        Get-SPStateServiceApplication | New-SPStateServiceApplicationProxy -Name $StateServiceProxyName -DefaultProxyGroup | Out-Null
        Write-Host -ForegroundColor White " - Done creating State Service Application."
    }
    Else
    {
        Write-Host -ForegroundColor White " - State Service Application already provisioned."
    }
}
Catch
{
    Write-Output $_
}

10. Configure the SharePoint Server ASP.Net Session State Service (via PowerShell)
    a. On AP-01, in the SharePoint 15 Management Shell, execute the following PowerShell script:

If ((Get-PsSnapin | ?{ $_.Name -eq "Microsoft.SharePoint.PowerShell" }) -eq $null)
{
    Write-Host -ForegroundColor White " - Loading SharePoint Powershell Snapin"
    $PSSnapin = Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
}
Try
{
    if ((Get-SPSessionStateService).SessionStateEnabled -eq $false)
    {
        Write-Host -ForegroundColor White " - Enabling SP Session State Service..."
        Enable-SPSessionStateService -DatabaseName "Session_State_Service"
        Write-Host -ForegroundColor White " - Done enabling SP Session State Service."
    }
    Else
    {
        Write-Host -ForegroundColor White " - SP Session State Service already enabled."
    }
}
Catch
{
    Write-Output $_
}
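Step 6 above lists the service applications to create through Central Administration; the ones with an associated database can also be provisioned from the shell in the same style as the Work Management, Subscription Settings and State Service scripts in steps 7 to 10. The block below is an added example, not from the build guide or from Microsoft. It assumes the "SharePoint Service Applications" pool either already exists (created with Access Services, as step 5 says) or is created with the placeholder managed account shown, uses the database names from step 6, and points the Managed Metadata hub at the Content Hub site collection created earlier. Enabling Secure Store auditing is an addition of this example, not a setting from the guide.

```powershell
# Added example (not from the build guide): provision the service applications from step 6 that
# have a database, on the shared "SharePoint Service Applications" pool. Run on AP01.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$poolName           = "SharePoint Service Applications"
$servicePoolAccount = "managed\ms-svc-app"                          # PLACEHOLDER: managed account for the pool
$contentTypeHubUrl  = "https://team.contoso.com/sites/contenthub"   # PLACEHOLDER: Content Hub from the site collection step

# Reuse the pool created for Access Services, or create it once with the managed account
$pool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-SPServiceApplicationPool -Name $poolName -Account (Get-SPManagedAccount $servicePoolAccount)
}

function Test-ServiceApp([string]$Name) {
    # True when a service application with this display name already exists (makes the script re-runnable)
    return (Get-SPServiceApplication | Where-Object { $_.DisplayName -eq $Name }) -ne $null
}

if (-not (Test-ServiceApp "App Management Service Application")) {
    $app = New-SPAppManagementServiceApplication -Name "App Management Service Application" `
        -ApplicationPool $pool -DatabaseName "App_Management_DB"
    New-SPAppManagementServiceApplicationProxy -ServiceApplication $app -Name "App Management Service Application Proxy" | Out-Null
}

if (-not (Test-ServiceApp "Business Data Connectivity Service Application")) {
    # The BDC cmdlet also creates its proxy in the default proxy group
    New-SPBusinessDataCatalogServiceApplication -Name "Business Data Connectivity Service Application" `
        -ApplicationPool $pool -DatabaseName "BDC_Service_DB" | Out-Null
}

if (-not (Test-ServiceApp "Secure Store Service Application")) {
    # -AuditingEnabled is this example's choice: the Secure Store holds credentials, so every
    # read and write of a target application should be logged
    $sss = New-SPSecureStoreServiceApplication -Name "Secure Store Service Application" `
        -ApplicationPool $pool -DatabaseName "Secure_Store_Service_DB" -AuditingEnabled
    New-SPSecureStoreServiceApplicationProxy -ServiceApplication $sss -Name "Secure Store Service Application Proxy" -DefaultProxyGroup | Out-Null
}

if (-not (Test-ServiceApp "Managed Metadata Service Application")) {
    $mms = New-SPMetadataServiceApplication -Name "Managed Metadata Service Application" `
        -ApplicationPool $pool -DatabaseName "Managed_Metadata_DB" -HubUri $contentTypeHubUrl
    New-SPMetadataServiceApplicationProxy -Name "Managed Metadata Service Application Proxy" -ServiceApplication $mms -DefaultProxyGroup | Out-Null
}

if (-not (Test-ServiceApp "Machine Translation Service Application")) {
    $mts = New-SPTranslationServiceApplication -Name "Machine Translation Service Application" `
        -ApplicationPool $pool -DatabaseName "Machine_Translation_Service_DB"
    New-SPTranslationServiceApplicationProxy -Name "Machine Translation Service Application Proxy" -ServiceApplication $mts -DefaultProxyGroup | Out-Null
}

# Verify: every service application, its pool and its status
Get-SPServiceApplication | Sort-Object DisplayName |
    Select-Object DisplayName, Status, @{ n = "Pool"; e = { $_.ApplicationPool.Name } } |
    Format-Table -AutoSize
```

The User Profile Service Application is deliberately not in this script: the guide's note above says the Sync service must be configured while logged in as the Farm Administrator account, and its settings (sync instance, My Site host, connection permissions) are best applied in the order the guide gives.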

Configure the App Management Service
1. Open the SharePoint 15 Management Shell and execute:

   Set-SPAppDomain "<<999d>>spoapp.com"
   Set-SPAppSiteSubscriptionName -Name apps -Confirm:$false

Note: For PPE, the app domain must be set to ppe<<999d>>spoapp.com

Important: For AppsManagementSite, DO NOT perform step 2.

2. For each content web application (except for AppsManagementSite), in Central Administration, go to Apps | App Management | Manage App Catalog.
3. Select the web application from the drop-down at the top of the page.
4. Select Create a new app catalog site.
5. Click OK.
6. Use the following settings:
 Title: SharePoint App Catalog
 Description: Catalog site for SharePoint applications
 URL: My Sites: /personal/appcatalog; All other Web Apps: /sites/appcatalog
 Primary Site Collection Admin: Provided by the customer.
 Secondary Site Collection Admin: Provided by the customer.
 End Users: NT AUTHORITY\authenticated users
 Quota Template: 5 GB
7. To verify the configuration, attempt to navigate to /_layouts/_WCF/UploadService.svc/mex. The location should not render.
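Step 7 above is a manual browser check on one URL; the block below is an added example, not from the build guide or from Microsoft, that performs the same verification for every content web application and reads back the app domain and site subscription name from step 1. A web application whose mex endpoint returns HTTP 200 is reported as not blocked; an HTTP error status means the location does not render, which is the expected state. A status of -1 means no HTTP response at all (name resolution or connectivity), which needs a separate look rather than being counted as a pass.

```powershell
# Added example (not from the build guide): verify the app management configuration above.
# Run on AP01 in the SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-AppManagementStatus {
    # App domain and app prefix as set in step 1
    $appDomain = Get-SPAppDomain
    $prefix    = Get-SPAppSiteSubscriptionName
    [pscustomobject]@{
        AppDomain = $appDomain
        AppPrefix = $prefix
        Ok        = ([bool]$appDomain -and [bool]$prefix)
    }
}

function Test-MexEndpointBlocked {
    # Step 7: the WCF metadata endpoint of UploadService.svc must not render
    param([string]$WebAppUrl)
    $uri = $WebAppUrl.TrimEnd("/") + "/_layouts/_WCF/UploadService.svc/mex"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseDefaultCredentials -UseBasicParsing -TimeoutSec 30
        # A 200 with metadata means the endpoint renders: not the expected state
        [pscustomobject]@{ Url = $uri; Status = [int]$resp.StatusCode; Blocked = $false }
    } catch {
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
        [pscustomobject]@{ Url = $uri; Status = $status; Blocked = ($status -ne -1) }
    }
}

Get-AppManagementStatus | Format-List

Get-SPWebApplication |
    Where-Object { $_.DisplayName -ne "AppsManagementSite" } |
    ForEach-Object { Test-MexEndpointBlocked $_.Url } |
    Format-Table -AutoSize
```

Running the check from AP01 exercises the same path the guide's manual step does; for a web application behind the F5 VIP it is also worth repeating from outside the farm, because the load balancer can answer differently from a direct server request.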

Create Host Header Site Collection for Monitoring Apps Management Site

On the AP01 server in each farm, execute the following PowerShell to create a host header site collection used for monitoring the apps web application:

   Add-PSSnapin Microsoft.SharePoint.PowerShell
   if (-not $cred) { $cred = Get-Credential (whoami) }
   $appDomain = Get-SPAppDomain
   $webAppName = "AppsManagementSite"
   if (-not $appDomain) { throw "Apps Domain is not properly set. Please follow the build guide steps for Set-SPAppDomain before continuing" }
   # Managed domain (NetBIOS name) of the farm account
   $mgdDomainName = ((Get-SPFarm).DefaultServiceAccount).Name.Split("\")[0]
   $baseUrl = "https://monitor.$appDomain/"
   $webApp = Get-SPWebApplication $webAppName
   if (-not $webApp) { throw "Could not find web app $webAppName" }
   # Host-named site collection owned by the apps web application's pool account
   New-SPSite $baseUrl -Template "STS#0" -OwnerAlias $webApp.ApplicationPool.Username -HostHeaderWebApplication $webApp

Configure Managed Metadata Service Application

1. In Central Administration, go to Application Management | Service Applications | Manage Service Applications.
2. Highlight the row for the Managed Metadata Service Application Proxy.
3. Click Properties.
4. In the Service Connection dialog, select all of the check boxes.
5. Click OK.

Configure Excel Service Application

1. In Central Administration, go to Application Management | Service Applications | Manage Service Applications | Excel Services Application and then click Manage.
2. Click Trusted File Locations.
3. Hover the cursor over http:// and then click Edit. Change to https://.
4. Under Change Workbook Properties | Maximum Workbook Size, change from 10 to 250 (MB).
5. Navigate to Manage Excel Services Application, and then click Global Settings.
6. In the External Data section, set the Target Application ID to 101.
7. Click OK.

Configure InfoPath Forms Services

1. In Central Administration, go to General Application Settings | InfoPath Forms Services | Configure InfoPath Forms Services.
2. Select Allow cross-domain data access for user form templates that use connection settings in a data connection file.

Configure Machine Translation Service Permissions

1. In Central Administration, go to Application Management | Service Applications | Manage Service Applications.
2. Select the row for the Machine Translation Service Application.
3. Click the Sharing | Permissions button in the ribbon.
4. Add the ms-svc-sa account and grant it Full Control.
5. Click OK.


Configure Search Service Application

On the AP01 machine, edit the variable assignments at the top of the PowerShell script below (everything above the "Don't Change anything after this line" marker) using Windows PowerShell ISE and then execute the script to provision the Search Service application and correctly configure the farm.

Important: If needing redundancy for production or test, set $IsProduction = $true.

   $contactEmailAddress = "[email protected]"
   # The server that is going to host central admin
   $CAServer = "AP01"
   # Farm Machines
   $AdminMachines = @("AP01")
   $FEMachines = @("FE01")
   # IMPORTANT: Specify these machines in order so that the index pairs will be provisioned on the correct servers
   $SearchMachines = @("AS01", "AS02")
   # Specify the name of the SQL server in the first services storage group
   $SQLServer = "SS01"
   # IMPORTANT: you must specify if this is a production installation. If $true, the search system will be configured with redundancy.
   $IsProduction = $false
   $AppPoolAccount = "MGD\ms-svc-sa"
   ### ------ ###
   # Don't Change anything after this line
   ### ------ ###
   If ((Get-PsSnapin | ?{$_.Name -eq "Microsoft.SharePoint.PowerShell"}) -eq $null) {
       Write-Host -ForegroundColor White " - Loading SharePoint Powershell Snapin"
       $PSSnapin = Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
   }
   # Role mapping: crawl, content processing and analytics run on the search (AS) machines,
   # query processing on the front ends (FE), the admin component on the AP machines
   $CTSNodes = $SearchMachines
   $APENodes = $CTSNodes
   $CrawlNodes = $CTSNodes
   $IMSNodes = $FEMachines
   $AdminNodes = $AdminMachines
   $SearchNodes = ($SearchMachines + $FEMachines + $AdminMachines) | Select -Unique
   $searchAppName = "Search Service Application"
   $QueryNodes1stRow = @()
   $QueryNodes2ndRow = @()
   # Database counts are sized from the estimated item count (10 M items per search machine)
   $estimatedMaxItemCount = $SearchMachines.Count * 10000000
   $numCrawlDBs = $estimatedMaxItemCount / 20000000
   $numLinkDbs = [System.Math]::Ceiling($estimatedMaxItemCount / 60000000)
   Write-Host "------"
   # Configure two search indexes per machine pair, each machine will host both a primary index
   # partition and a secondary index partition
   if ($IsProduction) {
       if (($SearchMachines.Count % 2) -ne 0) { throw "You must supply an even number of search machines" }
       0..($SearchMachines.Count/2 - 1) | % {
           $index = $_ * 2
           $QueryNodes1stRow += $SearchMachines[$index]
           $QueryNodes2ndRow += $SearchMachines[$index + 1]
           $QueryNodes1stRow += $SearchMachines[$index + 1]
           $QueryNodes2ndRow += $SearchMachines[$index]
       }
   } else {
       $QueryNodes1stRow = $SearchMachines
   }
   #------#
   # Start the search services
   Write-Output "Start search service on all Servers"
   $SearchNodes | Start-SPEnterpriseSearchServiceInstance
   Write-Output "Wait for all Search service instances to be started"
   do { sleep 2; $serviceInstances = Get-SPEnterpriseSearchServiceInstance | where { $_.Status -eq "Provisioning" }; Write-Output "." } while ($serviceInstances -ne $null)
   Get-SPEnterpriseSearchServiceInstance | Select TypeName, Server, Status, ID | ft
   Write-Output "Start SearchQueryAndSiteSettings service on Query Servers"
   $IMSNodes | Start-SPEnterpriseSearchQueryAndSiteSettingsServiceInstance
   Write-Output "Wait for all SearchQueryAndSiteSettings service instances to be started"
   do { sleep 2; $serviceInstances = Get-SPEnterpriseSearchQueryAndSiteSettingsServiceInstance | where { $_.Status -eq "Provisioning" }; Write-Output "." } while ($serviceInstances -ne $null)
   Get-SPEnterpriseSearchQueryAndSiteSettingsServiceInstance | Select TypeName, Server, Status, ID | ft
   #------#
   # Create the service app
   Write-Output "Creating the Search service application"
   $appPoolName = $searchAppName + " AppPool"
   $managedAccount = Get-SPManagedAccount -Identity $AppPoolAccount
   $appPool = Get-SPServiceApplicationPool -Identity $appPoolName -ErrorAction SilentlyContinue
   if ($appPool -eq $null) { $appPool = New-SPServiceApplicationPool -Name $appPoolName -Account $managedAccount.Username }
   $searchApp = Get-SPServiceApplication -Name $searchAppName
   if ($searchApp -eq $null) {
       $searchApp = New-SPEnterpriseSearchServiceApplication -Name $searchAppName -ApplicationPool $appPool -DatabaseServer $SQLServer
   } else {
       Write-Output "Search service application already exists"
   }
   foreach ($AdminNode in $AdminNodes) {
       Write-Output "Initializing the administration component on $AdminNode"
       $searchInstance = Get-SPEnterpriseSearchServiceInstance $AdminNode
       $searchApp | Get-SPEnterpriseSearchAdministrationComponent | Set-SPEnterpriseSearchAdministrationComponent -SearchServiceInstance $searchInstance
       $admin = ($searchApp | Get-SPEnterpriseSearchAdministrationComponent)
       Write-Output "Waiting for the admin component to be initialized on $AdminNode"
       $timeoutTime = (Get-Date).AddMinutes(20)
       do { Write-Output "."; Start-Sleep 10 } while ((-not $admin.Initialized) -and ($timeoutTime -ge (Get-Date)))
       if (-not $admin.Initialized) { throw "Admin Component could not get initialized on $AdminNode" }
       Write-Output "Admin component is initialized on $AdminNode"
   }
   #
   # O15 Search topology
   #
   Write-Output "Creating O15 Search topology"
   $searchApp = Get-SPEnterpriseSearchServiceApplication
   ### Search topology
   $topology = New-SPEnterpriseSearchTopology -SearchApplication $searchApp
   # Admin
   foreach ($s in $AdminNodes) { New-SPEnterpriseSearchAdminComponent -SearchTopology $topology -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $s) }
   # Crawl
   foreach ($s in $CrawlNodes) { New-SPEnterpriseSearchCrawlComponent -SearchTopology $topology -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $s) }
   # CTS
   foreach ($s in $CTSNodes) { New-SPEnterpriseSearchContentProcessingComponent -SearchTopology $topology -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $s) }
   # Analytics
   foreach ($s in $APENodes) { New-SPEnterpriseSearchAnalyticsProcessingComponent -SearchTopology $topology -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $s) }
   # IMS
   foreach ($s in $IMSNodes) { New-SPEnterpriseSearchQueryProcessingComponent -SearchTopology $topology -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $s) }
   # Index: one partition per entry in the first row; the second row (redundant layout) holds the replica
   $i = 0
   foreach ($s in $QueryNodes1stRow) {
       New-SPEnterpriseSearchIndexComponent -SearchTopology $topology -IndexPartition $i -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $QueryNodes1stRow[$i])
       if ($QueryNodes2ndRow.Count -gt 0) {
           New-SPEnterpriseSearchIndexComponent -SearchTopology $topology -IndexPartition $i -SearchServiceInstance (Get-SPEnterpriseSearchServiceInstance $QueryNodes2ndRow[$i])
       }
       $i = $i + 1
   }
   $topology.Activate()
   $timeoutTime = (Get-Date).AddMinutes(20)
   do { Write-Output "."; Start-Sleep 10 } while (($searchApp.GetTopology($topology.TopologyId).State -ne "Active") -and ($timeoutTime -ge (Get-Date)))
   if ($searchApp.GetTopology($topology.TopologyId).State -ne "Active") { throw 'Could not activate the search topology' }
   Write-Output "Search topology activated"
   # Create additional crawl databases
   $existingCrawlDbCount = (Get-SPEnterpriseSearchCrawlDatabase -SearchApplication $searchApp).Count
   for ($i = $existingCrawlDbCount + 1; $i -le $numCrawlDBs; $i++) {
       Write-Host "Creating Crawl DB #$i"
       New-SPEnterpriseSearchCrawlDatabase -SearchApplication $searchApp -DatabaseName "Search_Service_Application_CrawlStore_0$i" -DatabaseServer $SQLServer
   }
   $existingLinkDbCount = (Get-SPEnterpriseSearchLinksDatabase -SearchApplication $searchApp).Count
   for ($i = $existingLinkDbCount + 1; $i -le $numLinkDBs; $i++) {
       Write-Host "Creating Link DB #$i"
       New-SPEnterpriseSearchLinksDatabase -SearchApplication $searchApp -DatabaseName "Search_Service_Application_LinksStore_0$i" -DatabaseServer $SQLServer
   }
   #Get-SPEnterpriseSearchCrawlDatabase -SearchApplication $searchApp | ? { $_.Name -eq $SQLServer } | Remove-SPEnterpriseSearchCrawlDatabase
   if ((Get-SPServiceApplicationProxy | ? { $_.Name -eq ($searchAppName + "_proxy") }) -eq $null) {
       Write-Output "Creating the Search application proxy"
       $searchAppProxy = New-SPEnterpriseSearchServiceApplicationProxy -Name ($searchAppName + "_proxy") -SearchApplication $searchApp
   } else {
       Write-Output "Search application proxy already exists"
   }
   Write-Output "Search provisioning finished."

Verify Search Service Application Topology

When configured successfully, the search settings will appear as follows. The table below shows the search components that should be running on each role. The actual number of machines in each role will vary based on the environment being built.
The number of Index Partitions will vary based on the number of search servers (AS role) in the farm.

1. In Central Administration, go to Application Management | Service Applications | Search Service Application.

   Server Role | Admin | Crawler | Content Processing | Analytics Processing | Query Processing | Index Partition
   AP          | X     |         |                    |                      |                  |
   AS          |       | X       | X                  | X                    |                  | X
   FE          |       |         |                    |                      | X                |

   (Components per role as provisioned by the topology script above: Admin on the AP machines ($AdminNodes); Crawl, Content Processing, Analytics Processing and Index on the AS machines ($CrawlNodes, $CTSNodes, $APENodes, $QueryNodes1stRow/$QueryNodes2ndRow); Query Processing on the FE machines ($IMSNodes).)
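As an added check that is not part of the build guide, the script below reads the active search topology and compares the component types on each server with the role layout the provisioning script produces (AP: Admin; AS: Crawl, Content Processing, Analytics, Index; FE: Query Processing). It assumes that server names start with the two-letter role prefix used in the guide (AP01, AS01, FE01); the $expectedByRole table must be adjusted for any other naming scheme.

```powershell
# Added verification example (not from the build guide). Assumes role-prefixed
# server names (AP*, AS*, FE*) as used throughout the guide.
If ((Get-PSSnapin | ?{ $_.Name -eq "Microsoft.SharePoint.PowerShell" }) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
}

# Component classes expected on each role, matching the provisioning script
$expectedByRole = @{
    "AP" = @("AdminComponent")
    "AS" = @("CrawlComponent", "ContentProcessingComponent", "AnalyticsProcessingComponent", "IndexComponent")
    "FE" = @("QueryProcessingComponent")
}

$searchApp  = Get-SPEnterpriseSearchServiceApplication
$topology   = Get-SPEnterpriseSearchTopology -SearchApplication $searchApp -Active
$components = Get-SPEnterpriseSearchComponent -SearchTopology $topology

# Group the component type names by the server that hosts them
$actualByServer = @{}
foreach ($c in $components) {
    $server = $c.ServerName.ToUpper()
    if (-not $actualByServer.ContainsKey($server)) { $actualByServer[$server] = @() }
    $actualByServer[$server] += $c.GetType().Name
}

$problems = @()
foreach ($server in ($actualByServer.Keys | Sort-Object)) {
    $role     = $server.Substring(0, 2)
    $expected = $expectedByRole[$role]
    $actual   = @($actualByServer[$server] | Sort-Object -Unique)
    Write-Host ("{0,-8} {1}" -f $server, ($actual -join ", "))
    if (-not $expected) { $problems += "$server: role prefix '$role' is not in the expected layout"; continue }
    $missing = @($expected | Where-Object { $actual -notcontains $_ })
    $extra   = @($actual   | Where-Object { $expected -notcontains $_ })
    if ($missing.Count -gt 0) { $problems += "$server: missing $($missing -join ', ')" }
    if ($extra.Count -gt 0)   { $problems += "$server: unexpected $($extra -join ', ')" }
}

# Index partitions: one component per partition without redundancy, two (primary
# and replica on the paired AS machines) when the script ran with $IsProduction = $true
$indexComponents = $components | Where-Object { $_.GetType().Name -eq "IndexComponent" }
foreach ($p in ($indexComponents | Group-Object IndexPartitionOrdinal)) {
    $hosts = ($p.Group | ForEach-Object { $_.ServerName }) -join ", "
    Write-Host "Index partition $($p.Name): $hosts"
    if ($p.Count -gt 2) { $problems += "Index partition $($p.Name) has $($p.Count) components; expected 1, or 2 when redundant" }
}

if ($problems.Count -eq 0) { Write-Host "Search topology matches the expected role layout." }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

The printed per-server list is the same information Central Administration shows in the Search Topology section; the warnings point at a component that landed on the wrong role, which is the usual symptom of $SearchMachines or $FEMachines being edited incorrectly before the script was run.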

Enable Search Crawling of the Profile Database

1. In Central Administration, go to Application Management | Service Applications | User Profile Service Application | Administrators.
2. Add managed\ms-svc-crl.
3. Ensure the Retrieve People Data for Search Crawlers permission is checked.
4. Click OK.

Configure the Visio Graphics Service Application

1. In Central Administration, go to Application Management | Service Applications | Manage Service Applications | Visio Graphics Service Application | Manage.
2. Set Global Settings | External Data | Application ID to 101.

Start the User Profile Synchronization Service

Topic Last Modified: 2014-05-06

Important: Do not start the User Profile Synchronization Service if the customer will be configured with direct User Profile Import.

Important: To set up profile synchronization, it is critical that the farm account (ms-svc-frm) have "log on locally" rights on the AP01 server. To test this, try logging into the server (AP01) with that account prior to this step.

1. On AP01, add the ms-svc-frm account to the local administrators group of the server.
2. In Central Administration, go to Application Management | Service Applications | Manage Services on server | AP01 | User Profile Synchronization Service | Start
   - Account Name: managed\ms-svc-frm
   - Password: <password for ms-svc-frm>
3. Forefront Identity Manager (FIM) can take a few minutes to set up. Wait until status changes from Starting to Started.
4. After the status changes to Started, remove the ms-svc-frm account from the local administrators group of the server.

Update WMI Control for Farm Account

Topic Last Modified: 2014-04-02

Perform the following steps on each AP server in each Farm:

1. In the Microsoft Management Console, in the File menu, click Add/Remove Snap-In.
2. In the Add or Remove Snap-ins dialog box, under Available snap-ins, click WMI Control and then click Add.
3. In the Change managed computer dialog box, select Local Computer, and then click Finish.
4. Click OK.
5. Right-click WMI Control in the left pane and then click Properties.
6. On the Security tab, click Root, and then click the Security button.
7. In the Security for Root dialog box, under Group or user names, click Add.
8. In the Select Users dialog box, enter the Farm Account and click OK.
9. In the Security for Root dialog box, under Permissions for Authenticated Users, select Enable Account and Remote Enable in the Allow column.
10. Click OK twice.
11. In a Windows PowerShell window, enter the following:

    Restart-Service sptimerV4

Grant User Profile Permissions to Service Apps

Topic Last Modified: 2014-04-15

The Machine Translation Service requires Full Control permissions on the User Profile Service in order to correctly create OAuth credentials. Do the following:

1. In Central Administration, go to Application Management | Service Applications | Manage Service Applications.
2. Select the row for the User Profile Service Application.
3. In the Ribbon, click Sharing | Permissions.
4. Add the ms-svc-sa account and grant it Full Control.
5. Click OK.

Manage User Permissions for the User Profile Service Application

Topic Last Modified: 2014-05-07

Kiosk workers (KWs) are not allowed to create My Sites. You need to create the permission policy to grant the right to create a My Site to Information Workers (IWs) and revoke that right for KWs.

Note: If customers have no kiosk workers and all users should be able to create personal sites, use social features, and use personal features, then skip this section. This is the default, unless:
- The customer has purchased kiosk worker licenses
- The customer has purchased Partner Access

1. In Central Administration, go to Application Management | Manage Service Applications | User Profile Service Application | Manage | People | Manage User Permissions.
2. Remove permissions for NT Authority\Authenticated Users and All Authenticated Users.

For kiosk workers:

3. Enter the name of the security group, and then click Add. If the customer has more than one role claim or group for Kiosk Workers, repeat this step to add each role claim or group.
4. Ensure the Security Group is selected in the box under Permissions for...
5. Make the following changes:
   - Create Personal Site (required for personal storage, newsfeed, and followed content): No
   - Follow People and Edit Profile: Yes
   - Use Tags and Notes: No

For information workers:

6. Enter the name of the security group, and then click Add. If the customer has more than one role claim or group for Kiosk Workers, repeat this step to add each role claim or group.
7. Ensure the Security Group is selected in the box under Permissions for...
8. Make the following changes:
   - Create Personal Site (required for personal storage, newsfeed, and followed content): No
   - Follow People and Edit Profile: Yes
   - Use Tags and Notes: No

For partners:

9. In the box under Permissions for..., make the following changes:
   - Create Personal Site (required for personal storage, newsfeed, and followed content): No
   - Follow People and Edit Profile: Yes
   - Use Tags and Notes: Yes
10. Click OK.

Change Default ULS Log Retention

Topic Last Modified: 2014-05-08

The default ULS log retention period is 14 days. This setting must be changed to 7 days.

1. In Central Administration, go to Monitoring | Reporting | Configure diagnostic logging.
2. Set Number of days to store log files from 14 to 7.

Configure Usage and Health Data Collection Service

Topic Last Modified: 2014-05-08

1. In Central Administration, go to Monitoring | Reporting | Configure usage and health data collection.
2. Select Enable usage data collection.
3. Select Enable health data collection:
   - Database server:
   - Database Name: WSS_UsageApplication
4. Ensure the changes from Step 3 are complete and then, using the SharePoint 2013 Management Shell, configure the database retention period using the following script:

   Get-SPUsageDefinition | Set-SPUsageDefinition -DaysRetained 31

5. Set the Page Requests usage definition to a larger value using the following script:

   Get-SPUsageDefinition "Page Requests" | Set-SPUsageDefinition -MaxTotalSizeInBytes 10000000000000

Modify SPHA Rules

Topic Last Modified: 2014-02-05

Certain SPHA rules should be disabled or changed from their out of the box settings. Please reference the following table for the changes. Navigate to Central Administration | Monitoring | Health Analyzer | Review Rule Definitions:

Rule                                                                          | Change
Security: The server farm account should not be used for other services.     | Disable this rule
Performance: Databases used by SharePoint have fragmented indices             | Disable this rule
Performance: Search - One or more crawl databases may have fragmented indices | Disable this rule
Configuration: Alternate access URLs have not been configured                 | Disable this rule
Configuration: Missing server side dependencies                               | Disable this rule
Availability: Drives are running out of free space                            | Disable this rule
Availability: Drives used for SQL databases are running out of free space     | Disable this rule
Availability: One or more services have started or stopped unexpectedly       | Disable this rule
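The table above is applied through Central Administration; as an added example that is not part of the build guide, the same changes can be made from the SharePoint 2013 Management Shell with the standard Get-SPHealthAnalysisRule and Disable-SPHealthAnalysisRule cmdlets. The rule summaries in the script are copied from the table (without the category prefix); a rule that cannot be matched is reported rather than silently skipped, and re-running the script is a no-op.

```powershell
# Added example (not from the build guide): disable the Health Analyzer rules in the
# table above by matching their Summary text.
If ((Get-PSSnapin | ?{ $_.Name -eq "Microsoft.SharePoint.PowerShell" }) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
}

# Rule summaries from the table (category prefix removed)
$rulesToDisable = @(
    "The server farm account should not be used for other services.",
    "Databases used by SharePoint have fragmented indices",
    "Search - One or more crawl databases may have fragmented indices",
    "Alternate access URLs have not been configured",
    "Missing server side dependencies",
    "Drives are running out of free space",
    "Drives used for SQL databases are running out of free space",
    "One or more services have started or stopped unexpectedly"
)

$allRules = Get-SPHealthAnalysisRule
foreach ($summary in $rulesToDisable) {
    # Match the whole summary; tolerate a trailing period that the table may or may not show
    $pattern = "^" + [regex]::Escape($summary.TrimEnd(".")) + "\.?$"
    $found = @($allRules | Where-Object { $_.Summary -match $pattern })
    if ($found.Count -eq 0) { Write-Warning "Rule not found: $summary"; continue }
    foreach ($rule in $found) {
        if (-not $rule.Enabled) { Write-Host "Already disabled: $($rule.Summary)"; continue }
        Disable-SPHealthAnalysisRule -Identity $rule -Confirm:$false
        Write-Host "Disabled: $($rule.Summary)"
    }
}

# Final state: anything from the list that is still enabled is a problem to look at
Get-SPHealthAnalysisRule |
    Where-Object { $_.Enabled -and (($rulesToDisable | ForEach-Object { $_.TrimEnd(".") }) -contains $_.Summary.TrimEnd(".")) } |
    ForEach-Object { Write-Warning "Still enabled: $($_.Summary)" }
```

Disabling a rule only stops the Health Analyzer from raising it; the condition it watches (free disk space, fragmented indices, unexpected service stops) still needs to be covered by the farm's external monitoring.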

Disable Selected Site Templates

Topic Last Modified: 2014-05-08

Perform the following procedures on all SharePoint machines.

Note: Records Center is no longer offered and customers should not be able to create My Site Hosts.

Disable Site Templates in the 14 Hive

1. In Notepad, edit the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\1033\XML\webtempoffile.xml
   a. Modify the element containing ID="1" and change to:
2. In Notepad, edit the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\1033\XML\webtempsps.xml.
   a. Modify the element containing ID="0" Title="My Site Host" and change to:

      <Configuration ID="0" Title="My Site Host" Type="0" RootWebOnly="TRUE" Hidden="TRUE" DisplayCategory="Enterprise" ImageUrl="../images/perstemp.gif" Description="A site used for hosting personal sites (My Sites) and the public People Profile page. This template needs to be provisioned only once per User Profile Service Application, please consult the documentation for details.">

3. If the customer has language packs installed, repeat steps 1 and 2 for each other locale. Just replace 1033 (English) with the locale for the other language packs. A reference for locale IDs can be found at the MSDN article Locale ID Chart.

Disable Site Templates in the 15 Hive

1. In Notepad, edit the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\1033\XML\webtempoffile.xml
   a. Modify the element containing ID="1" and change to:

      VisibilityFeatureDependency="97A2485F-EF4B-401f-9167-FA4FE177C6F6" >

2. In Notepad, edit the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\1033\XML\webtempsps.xml
   a. Modify the element containing ID="0" Title="My Site Host" and change to:

      <Configuration ID="0" Title="My Site Host" Type="0" RootWebOnly="TRUE" Hidden="TRUE" DisplayCategory="Enterprise" ImageUrl="../images/perstemp.gif" Description="A site used for hosting personal sites (My Sites) and the public People Profile page. This template needs to be provisioned only once per User Profile Service Application, please consult the documentation for details.">

3. If the customer has language packs installed, repeat steps 1 and 2 for each other locale. Just replace 1033 (English) with the locale for the other language packs. A reference for locale IDs can be found at the MSDN article Locale ID Chart.

Note: If a need arises to re-create the MySite host site collection, the following PowerShell command can be used:

   New-SPSite -Url "https://my.mmsxl.com" -OwnerAlias <>\ms-svc-wap -Template "SPSMSITEHOST#0" -Language 1033

Configure Settings for Sandboxed Code

Topic Last Modified: 2014-04-02

We have changed the distribution/weighting of different metrics for resource point consumption to match the values being used by standard. The following PowerShell script will set the point values.

1. On AP01, open the SharePoint 2013 Management Shell.
2. Execute the following script:

   [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null
   $SPUserCode = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local
   if ($SPUserCode -ne $null) {
       # Run sandboxed solutions on the local server only (no remote sandbox host)
       $SPUserCode.UseLocalServerOnly = $true
       $SPUserCode.Update()
       # ResourcesPerPoint: how much of each measure consumes one resource point
       $SPUserCode.ResourceMeasures["AbnormalProcessTerminationCount"].ResourcesPerPoint = "0.25"
       $SPUserCode.ResourceMeasures["AbnormalProcessTerminationCount"].Update()
       $SPUserCode.ResourceMeasures["CPUExecutionTime"].ResourcesPerPoint = "100"
       $SPUserCode.ResourceMeasures["CPUExecutionTime"].Update()
       $SPUserCode.ResourceMeasures["ProcessCPUCycles"].ResourcesPerPoint = "40000000000"
       $SPUserCode.ResourceMeasures["ProcessCPUCycles"].Update()
       $SPUserCode.ResourceMeasures["UnhandledExceptionCount"].ResourcesPerPoint = "25"
       $SPUserCode.ResourceMeasures["UnhandledExceptionCount"].Update()
   }

Confirm or Modify Service Account Associations

Topic Last Modified: 2014-02-05

Ensure that all services are correctly associated with the correct account.

1. In Central Administration, go to Security | General Security | Configure Service Accounts.
2. Verify the following service account associations. Change any accounts that are incorrect:

   Detail                                                                    | Account
   Farm Account                                                              | [ms-svc-frm]
   Windows Service - Claims to Windows Token Service                         | [Local System]
   Windows Service - Distributed Cache                                       | [ms-svc-frm]
   Windows Service - Document Conversions Launcher Service                   | [Local System]
   Windows Service - Document Conversions Load Balancer Service              | [Local Service]
   Windows Service - Microsoft SharePoint Foundation Sandboxed Code Service  | [ms-svc-sbx]
   Windows Service - Search Host Controller Service                          | [ms-svc-frm]
   Windows Service - SharePoint Server Search                                | [ms-svc-frm]
   Windows Service - User Profile Synchronization Service                    | [ms-svc-frm]
   Web Application Pool - <>                                                 | (Note: There will be one application pool per web application.)
   Service Application Pool - Search Service Application AppPool             | [ms-svc-sa]
   Service Application Pool - SecurityTokenServiceApplicationPool            | [ms-svc-frm]
   Service Application Pool - SharePoint Service Applications                | [ms-svc-sa]
   Service Application Pool - SharePoint Web Services System                 | [ms-svc-frm]
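Central Administration shows the associations the farm believes it has; an added check that is not part of the build guide is to compare them with the identities the Windows services and application pools actually run under on each server. The script below does that for the rows of the table. The Windows service names it queries (SPTimerV4, c2wts, AppFabricCachingService, SPUserCodeV4, SPSearchHostController, OSearch15, FIMSynchronizationService) are the standard SharePoint 2013 names and are an assumption of the example, as is the use of the account name without its domain for comparison; the account names themselves come from the table.

```powershell
# Added verification example (not from the build guide): compare the accounts running
# the SharePoint Windows services and application pools with the table above.
# Service names are standard SharePoint 2013 names (assumption); run on each farm server.
If ((Get-PSSnapin | ?{ $_.Name -eq "Microsoft.SharePoint.PowerShell" }) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
}

# Expected run-as account per Windows service: the name part of DOMAIN\name, or a built-in account
$expectedServices = @{
    "SPTimerV4"                 = "ms-svc-frm"          # SharePoint Timer Service (farm account)
    "c2wts"                     = "NT AUTHORITY\SYSTEM" # Claims to Windows Token Service: Local System
    "AppFabricCachingService"   = "ms-svc-frm"          # Distributed Cache
    "SPUserCodeV4"              = "ms-svc-sbx"          # Sandboxed Code Service
    "SPSearchHostController"    = "ms-svc-frm"          # Search Host Controller Service
    "OSearch15"                 = "ms-svc-frm"          # SharePoint Server Search
    "FIMSynchronizationService" = "ms-svc-frm"          # User Profile Synchronization Service
}

# Expected service application pool accounts, keyed by pool name
$expectedPools = @{
    "Search Service Application AppPool"  = "ms-svc-sa"
    "SecurityTokenServiceApplicationPool" = "ms-svc-frm"
    "SharePoint Service Applications"     = "ms-svc-sa"
    "SharePoint Web Services System"      = "ms-svc-frm"
}

function Test-AccountMatch([string]$actual, [string]$expected) {
    if (-not $actual) { return $false }
    if ($expected -like "*\*") { return $actual -eq $expected }   # built-in account: exact match
    return ($actual -split "\\")[-1] -eq $expected                  # DOMAIN\name: compare the name part
}

$problems = @()

foreach ($svcName in $expectedServices.Keys) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
    if (-not $svc) { continue }   # not installed on this role (e.g. FIM is only on the AP server)
    $actual = $svc.StartName
    if ($actual -eq "LocalSystem") { $actual = "NT AUTHORITY\SYSTEM" }   # WMI spelling of Local System
    if (-not (Test-AccountMatch $actual $expectedServices[$svcName])) {
        $problems += "Service $svcName runs as '$actual'; expected $($expectedServices[$svcName])"
    }
}

# Farm account
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
if (-not (Test-AccountMatch $farmAccount "ms-svc-frm")) { $problems += "Farm account is '$farmAccount'; expected ms-svc-frm" }

# Service application pools
foreach ($pool in Get-SPServiceApplicationPool) {
    if ($expectedPools.ContainsKey($pool.Name) -and -not (Test-AccountMatch $pool.ProcessAccountName $expectedPools[$pool.Name])) {
        $problems += "Service app pool '$($pool.Name)' runs as '$($pool.ProcessAccountName)'; expected $($expectedPools[$pool.Name])"
    }
}

# Web application pools: one per web application, listed for review against the customer's design
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host ("Web app pool {0,-45} {1}" -f $webApp.ApplicationPool.Name, $webApp.ApplicationPool.Username)
}

if ($problems.Count -eq 0) { Write-Host "Service account associations verified on $env:COMPUTERNAME." }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

A mismatch between the farm's registered account and the service's actual run-as identity is the condition the Health Analyzer rule "The server farm account should not be used for other services" would otherwise flag, so this check is worth keeping after that rule has been disabled.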

Add Support for People Fields in Office Documents

Topic Last Modified: 2014-02-05

The web.config files for all front-end Web servers must be modified to enable the People fields in Microsoft Office documents.

1. On AP01, in the SharePoint Management Shell, execute the following PowerShell command:

   Write-Host "Updating the web.config to add support for People Fields in Office Documents"
   [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null
   # Path in web.config under which the child node is ensured
   $modPath = "configuration/system.serviceModel/serviceHostingEnvironment"
   # Child node template; it is formatted with the web application URL below
   $modTemplate = ''
   $SPWebApps = Get-SPWebApplication | ? Name -ne "AppsManagementSite"
   # Resolve the generic SPServiceCollection.GetValue<SPWebService>() via reflection
   $Method = [Microsoft.SharePoint.Administration.SPServiceCollection].GetMethod("GetValue", [string])
   $GenericMethod = $Method.MakeGenericMethod([Microsoft.SharePoint.Administration.SPWebService])
   $Farm = [Microsoft.SharePoint.Administration.SPFarm]::Local
   foreach ($SPWebApp in $SPWebApps) {
       Write-Host "Modifying the Web App $($SPWebApp.Name)"
       $myModValue = $modTemplate -F $SPWebApp.Url
       #Write-Host $myModValue
       $SPWebConfigModification = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
       $SPWebConfigModification.Name = "baseAddressPrefixFilters"
       $SPWebConfigModification.Owner = "SPO dedicated"
       $SPWebConfigModification.Path = $modPath
       $SPWebConfigModification.Type = "EnsureChildNode"
       $SPWebConfigModification.Value = $myModValue
       $SPWebApp.WebConfigModifications.Add($SPWebConfigModification)
       $SPWebApp.Update()
   }
   # Push the registered modifications to the web.config files on every web server
   $FarmService = $GenericMethod.Invoke($Farm.Services, "")
   $FarmService.ApplyWebConfigModifications()
   Write-Host "Updated the web.config successfully"

2. Perform an IIS reset on all machines in the farm.


Install and Configure Azure Workflow Server

Topic Last Modified: 2015-12-08

Azure Workflow server is a new add-on component in the SharePoint 2013 architecture which enables SharePoint 2013 workflows.

Install Azure Workflow Server

Execute the following steps on FE01.

1. Navigate to the installation page by clicking the Windows Azure Workflow Installer. This installs the Web Platform installer and automatically starts the Workflow Manager Client installer.
2. In the Prerequisites dialog box, accept the license agreement.
3. Once the Workflow Manager is installed, click Continue to start the Windows Azure Workflow Manager Client Configuration wizard.
4. After completing the configuration wizard, click Finish to end the installation.

Install Azure Workflow Client

Execute the following steps on all AP, AS, and FE servers where Workflow Server is not installed.

1. Navigate to the installation page by clicking the Windows Azure Workflow Manager, and then execute WorkflowClient.exe to launch the Web Platform Installer.
2. Click Install, which will start the download and install of Workflow Manager Client 1.0 Cumulative Update 3.
3. Click I accept.
4. Click Finish.

Install Service Bus and Workflow Cumulative Updates

Execute the following steps on FE01.

1. In your browser, go to the March 2013 Service Bus PU and download the update.
2. Execute ServiceBus-KB2799752-x64-EN.exe and follow the instructions.
3. Execute the following steps on all AP, AS and FE servers:
   a. In your browser, go to the March 2013 Workflow Manager PU and download the update.
   b. Execute WorkflowManager-KB2799754-x64-EN.exe and follow the instructions.

Pair the SharePoint Server farm with the Workflow Manager Client farm

Determine whether you need to install the Workflow Manager Client on SharePoint Server prior to running the Register-SPWorkflowService cmdlet. See the Install Azure Workflow Client procedure earlier in this topic for more information.

1. Open the SharePoint Management Shell as an administrator.
2. Run the cmdlet Register-SPWorkflowService using the team site root URL and the fully qualified domain name of the FE01 server. Example:

   Register-SPWorkflowService -SPSite "https://teamsites.contoso.com" -WorkflowHostUri "http://fe01.mgd-contoso.com:12291" -AllowOAuthHttp


Install Office Web Applications

Topic Last Modified: 2014-05-08

In SharePoint 2013, Office Web Application Companions (WAC) is a stand-alone farm and is no longer part of the SharePoint binary installation.

Prerequisites

1. Make note of the WAC URL. This URL will be used in the installation steps below.
2. Install the relevant customer Wildcard/SAN certificates that include the WAC URL.
3. Copy the certificate request to all SharePoint VMs.
4. In the Microsoft Management Console, under Certificates (Local Computer) | Personal, right-click Certificates, click All Tasks, and then click Import.
5. In the Certificate Import Wizard, configure the following settings:
   - File Name: provide path to the file for the exported pfx certificate.
   - Password: provide password from previous step.
6. Do NOT click Mark this key as exportable...
7. Place the certificate in the Personal store (verification step only).
8. Click Finish.

Install Office Web Apps Server

1. In your browser, go to the Microsoft Download Center and download the Office Web Apps Server.
2. Log on to WC01, and then run setup.exe as administrator.
3. Click to accept the EULA and click Continue.
4. In the File Location window, click Install Now.
5. Click Close.

Create Office Web Apps Farm

Perform the following procedure on each WC server.

1. On the WC01 server, open PowerShell and verify the Friendly name of the certificate being used for the WAC Farm by running the following command:

   gci Cert:\LocalMachine\my | fl dnsnamelist, friendlyname

2. In PowerShell, create the WAC Office Web Apps Farm by running the following command:

   Import-Module OfficeWebApps
   New-OfficeWebAppsFarm -InternalURL "o365wac.<< customer.com>>" -CertificateName "<>" -EditingEnabled

Note: replace <> with the name of the team web app. Verify that the name also appears in the certificate from step 1.

Connect the SharePoint Farm to the Web App Farm

Perform the following steps once on one SharePoint 2013 server in the SharePoint Farm (server role does not matter).

1. On the SharePoint Server (AP01), open a browser to the WAC discovery URL: https:///hosting/discovery and verify you get an XML response.
2. If you see a valid XML response, continue to step 3.
3. In the SharePoint Management Shell, run the following command to connect the SharePoint Farm to the WAC Farm:

   New-SPWOPIBinding -ServerName wac.contoso.com

Configure Office Web Apps Licensing

Perform the following steps once on one SharePoint 2013 server in the SharePoint Farm (server role does not matter).

1. In the SharePoint Management Shell, enter the following command. Be sure to edit the first command with the path to the customer WAC Editors group.

   $account = New-SPClaimsPrincipal -Identity "" -IdentityType WindowsSecurityGroupName

2. Enter the following command:

   Get-SPWebApplication | select Url | %{ New-SPUserLicenseMapping -Claim $account -License "OfficeWebAppsEdit" -WebApplication $_.Url | Add-SPUserLicenseMapping }
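Once the WOPI binding and the license mapping are in place, the following script, an added example that is not part of the build guide, verifies the connection end to end from a SharePoint server: it fetches the WAC discovery XML, checks that every WOPI binding points at the expected WAC server and that the WOPI zone is internal-https (the farm was created with an https internal URL), and lists the license mappings per web application. The WAC host name is taken from the New-SPWOPIBinding step above and must be adjusted per farm; the License property used to filter the mappings is an assumption about the Get-SPUserLicenseMapping output.

```powershell
# Added verification example (not from the build guide). $wacServer is the value used in
# New-SPWOPIBinding above (adjust per farm); the License property name is an assumption.
If ((Get-PSSnapin | ?{ $_.Name -eq "Microsoft.SharePoint.PowerShell" }) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
}

$wacServer    = "wac.contoso.com"      # from the New-SPWOPIBinding step; adjust per farm
$expectedZone = "internal-https"
$problems     = @()

# 1. Discovery endpoint must answer with a WOPI discovery document
try {
    $discovery = [xml](New-Object System.Net.WebClient).DownloadString("https://$wacServer/hosting/discovery")
    $appCount  = @($discovery.SelectNodes("/wopi-discovery/net-zone/app")).Count
    if ($appCount -eq 0) { $problems += "Discovery XML from $wacServer contains no <app> elements" }
    else { Write-Host "Discovery from $wacServer lists $appCount applications" }
}
catch { $problems += "Discovery request to https://$wacServer/hosting/discovery failed: $($_.Exception.Message)" }

# 2. WOPI bindings must exist and all point at the WAC server; the zone must match the https internal URL
$bindings = @(Get-SPWOPIBinding)
if ($bindings.Count -eq 0) { $problems += "No WOPI bindings exist; run New-SPWOPIBinding" }
$foreign = @($bindings | Where-Object { $_.ServerName -ne $wacServer })
if ($foreign.Count -gt 0) { $problems += "$($foreign.Count) WOPI bindings point at other servers: $(($foreign | ForEach-Object { $_.ServerName } | Sort-Object -Unique) -join ', ')" }
$zone = Get-SPWOPIZone
if ($zone -ne $expectedZone) { $problems += "WOPI zone is '$zone'; expected '$expectedZone'" }

# 3. Each web application needs an OfficeWebAppsEdit license mapping for the WAC Editors group
foreach ($webApp in Get-SPWebApplication) {
    $mappings = @(Get-SPUserLicenseMapping -WebApplication $webApp)
    $edit     = @($mappings | Where-Object { $_.License -eq "OfficeWebAppsEdit" })   # License: assumed property name
    Write-Host ("{0,-40} {1} license mapping(s), {2} for OfficeWebAppsEdit" -f $webApp.Name, $mappings.Count, $edit.Count)
    if ($edit.Count -eq 0) { $problems += "$($webApp.Name): no OfficeWebAppsEdit license mapping" }
}

if ($problems.Count -eq 0) { Write-Host "Office Web Apps connection and licensing verified." }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

The discovery request is made with the SharePoint server's own trust store, so a certificate warning here means the customer wildcard/SAN certificate from the Prerequisites section is not trusted on that server, which also breaks the WOPI binding at runtime.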
