Separate Active Directory Directory Service Organization Unit Deployment

A new feature of Microsoft Windows SharePoint Services is account creation mode for Active Directory directory service. This feature replaces the local account creation feature in SharePoint Team Services 1.0 from Microsoft. Use Active Directory account creation mode when it is necessary to create new user accounts rather than using existing domain accounts. For example, an Internet service provider (ISP) might need the ability to allow SharePoint site owners the capability to create user accounts or invite users to collaborate on a Web site where existing domain accounts for those users do not already exist.

In order to run Windows SharePoint Services in Active Directory account creation mode, your Web servers must be members of a Microsoft Windows 2000 or Microsoft Windows Server 2003 domain.

 Note   Active Directory account creation mode is not supported when you install Windows SharePoint Services to a domain controller computer.

 Note   Prior to Service Pack 2 (SP2), Windows SharePoint Services configured IIS to use Integrated Windows Authentication (NTLM). Windows SharePoint Services SP2 no longer sets the authentication method and allows either NTLM or Kerberos authentication. When using a configurable security account with Kerberos authentication, additional steps might be required to set the Service Principal Name (SPN) for the account. For additional information, see Installation Considerations for Windows SharePoint Services, What's New In Windows SharePoint Services Service Pack 2, and the Microsoft Knowledge Base article 832769: How to configure a Windows SharePoint Services virtual server to use Kerberos authentication.

Hosting Mode Options

There are two modes that you can choose from when you install and configure Windows SharePoint Services with a separate Microsoft Active Directory directory service organizational unit:

  • Traditional IIS hosting mode    Uses one virtual server per top-level site. For example, http://www.adatum.com and http://www.adventure-works.com are hosted on two different IIS virtual servers. This is the typical hosting mode for Internet Information Server 6.0 and supports the advanced extranet features in Windows SharePoint Services SP2.
  • Scalable hosting mode    An advanced configuration where a single virtual server is configured to host many host-named sites. For example, http://site1.adatum.com, http://site2.adatum.com, or any host name mapped to the IP address of the Web server. Advanced extranet features are not supported in this mode. The domain controller must reside on a separate server.

To configure either mode, you perform the following tasks on the domain controller, SQL Server computer, and Web server in the order listed.

Prepare the domain controller:

  1. Create a domain controller account for Windows SharePoint Services processes.

 Note   If you will use Kerberos authentication and the security account is not Network Service, register a Service Principal Name (SPN) for the account.

  2. Create an organizational unit (OU) for the user accounts.
  3. Delegate permissions to the organizational unit.

Prepare the SQL Server:

  1. Enable Integrated Windows Authentication for SQL Server.
  2. Grant database creation rights in SQL Server.

Prepare the Web server computers:

  1. Install Windows SharePoint Services with the Server Farm option.
  2. Create the administration virtual server application pool.
  3. Create the configuration database and specify the Active Directory account creation mode.
    • For traditional IIS hosting, use HTML Administration Pages.
    • For scalable IIS hosting, use the command line utility stsadm.exe.
  4. Specify the e-mail server settings.
  5. Extend a virtual server.
  6. Specify the host name for the first site (scalable hosting mode only).
  7. Create a site.

The steps for preparing the domain controller and SQL Server are the same for either mode. The steps for preparing the Web server computers differ slightly. When you are using scalable hosting mode you must be sure to use the hh parameter (only available from the command line) when you create the configuration database, which is covered in Configuring Windows SharePoint Services for Scalable Hosting Mode.

You must have at least one member Web server with SQL Server 2000 Service Pack 3 (or later) or SQL Server 2005 installed, and at least one domain controller, to be able to configure Windows SharePoint Services in Active Directory account creation mode following the steps below.

Preparing the Domain Controller

Whether you are planning a smaller installation of Windows SharePoint Services (traditional IIS hosting mode) or a large server farm (scalable hosting mode), you follow the same steps to prepare your domain controller computer.

Create a domain account for Windows SharePoint Services processes
  1. On the domain controller, create an account that will be used by Windows SharePoint Services to create new domain accounts.

For example, create a new account called SharePoint_admin.

  2. Configure the account such that the password does not need to be changed at the next logon and does not expire.
  3. If you will use Kerberos authentication and the security account is not Network Service, register a Service Principal Name (SPN) for the account.

 Note   Information about configuring a security account with a Service Principal Name (SPN) is available in the Microsoft Knowledge Base article 832769: How to configure a Windows SharePoint Services virtual server to use Kerberos authentication.
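The following PowerShell function is an added example, not part of the original page or of the Knowledge Base article it cites. It registers the HTTP service principal names that a configurable application pool account needs for Kerberos and then lists what is registered on the account. The account name ADATUM\SharePoint_admin and the host names are assumed values, and the script must be run with domain administrator rights.

```powershell
# Added example (not from the original page): register HTTP SPNs for the
# configurable application pool account used by Windows SharePoint Services,
# then list them. Requires domain administrator rights.
# Assumed values: account ADATUM\SharePoint_admin, site names www.adatum.com / www.
function Register-WssHttpSpn {
    param(
        [Parameter(Mandatory)] [string]   $Account,    # DOMAIN\name of the app pool identity
        [Parameter(Mandatory)] [string[]] $HostNames   # every name users type in the browser
    )
    foreach ($name in $HostNames) {
        $spn = "HTTP/$name"
        # -S (Windows Server 2008 tools or later) refuses to add an SPN that is
        # already registered on another account. A duplicate SPN makes Kerberos
        # fail for that name, so the refusal is the check you want. On the
        # Windows Server 2003 Support Tools only -A exists, which does not check.
        & setspn.exe -S $spn $Account
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "setspn returned $LASTEXITCODE for $spn; look for a duplicate with: setspn -Q $spn"
        }
    }
    # Show everything registered on the account so a stray or duplicate SPN is noticed.
    & setspn.exe -L $Account
}

# Register both the short and the fully qualified name: the browser asks for a
# ticket for whichever form appears in the URL.
Register-WssHttpSpn -Account 'ADATUM\SharePoint_admin' -HostNames 'www.adatum.com', 'www'
```

Run this once per application pool identity, after the account from the procedure above exists; the same SPNs must not also be registered on the computer account of the Web server, or Kerberos negotiation fails for that host name.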

The account must be a member of the Domain Users group, which is the default group for new accounts. For more information about creating an account on your domain controller, see the Windows Server 2003 Help system.

After the domain controller account has been created, you need to define an organizational unit within which Windows SharePoint Services can create new user accounts. You must use the same organizational unit for all user accounts for Windows SharePoint Services within a server farm.

When configuring your server in Active Directory account creation mode, it is recommended that the server administrator account is not in the same organizational unit as the one used for creating accounts. The application pool identities associated with each virtual server must have permissions to change account properties in the defined organizational unit. This configuration allows site collection administrators to have the right to change some properties (such as the password) in that organizational unit. Because of this, it is strongly recommended that you do not add any accounts in the defined Windows SharePoint Services account creation organizational unit, and only allow the accounts that Windows SharePoint Services creates.

Create an organizational unit (OU) for the user accounts
  1. On your Active Directory server, click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click the Active Directory domain name, click New, and then click Organizational Unit.
  3. Type a name for the organizational unit.

For example, name the organizational unit "sharepoint_ou" for simplicity.

  4. Click OK.

 Note   Windows SharePoint Services also supports nested OUs, such as sharepoint_ou as a child of the parent OU SharePoint.

For more information about creating an organizational unit, see the Windows Server 2003 Help system.

In order for Windows SharePoint Services to have permissions to create accounts in the sharepoint_ou organizational unit, the domain controller account must have the correct permissions delegated to it.

 Note   The steps below reflect the user interface for Windows Server 2003 and may vary from a Windows 2000 domain controller. For more information about delegating permissions to an organizational unit, see the Help system for Windows Server 2003 or Windows 2000.

Delegate permissions to the organizational unit
  1. On your Active Directory server, click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click the new organizational unit, and then click Delegate control.
  3. In the Welcome pane, click Next.
  4. In the Users and Groups pane, click Add.
  5. In the Enter the object names to select box, type the user name that you are planning to use for the administration application pool identity, and then click OK.
  6. Click Next.
  7. In the Tasks to Delegate pane, select the Create, delete, and manage user accounts check box and the Read all user information check box, and then click Next.
  8. Click Finish.

Preparing SQL Server

You must configure your SQL Server installation to work with Windows SharePoint Services. For Windows SharePoint Services to be able to connect to your SQL Server database, it is recommended that you configure the SQL Server database to use Windows authentication.

The steps for configuring SQL Server differ between SQL Server 2000 and SQL Server 2005.

Enable Windows authentication for SQL Server 2000
  1. On your server computer, click Start, point to All Programs, point to Microsoft SQL Server, and then click Enterprise Manager.
  2. In Enterprise Manager, click the plus sign (+) next to Microsoft SQL Servers.
  3. Click the plus sign (+) next to SQL Server Group.
  4. Right-click the SQL Server name, and then click Properties.
  5. In the Properties dialog box, click the Security tab.
  6. Under Authentication, select Windows only, and then click OK.

If you have used a domain account that does not already have database creation rights in SQL Server, you can give the account this access using SQL Server Enterprise Manager. This is a one-time-only change. Once you have granted database creation permissions to the account used by the Windows SharePoint Services administration virtual server, this account can create databases for any subsequent virtual servers.

Proceed to Grant database creation rights in SQL Server 2000.

Enable Windows authentication for SQL Server 2005
  1. On your server computer, click Start, point to All Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.
  2. On the Connect to Server screen, select the name of the local server from the Server name drop-down list.
  3. Select Windows Authentication from the Authentication drop-down list and then click Connect.
  4. In Object Explorer, right-click the server name and then click Properties.
  5. On the Server Properties - <Servername> screen, in the Select a page section, click Security.
  6. In the Server authentication section, select Windows Authentication mode, and then click OK.

If you have used a domain account that does not already have database creation rights in SQL Server, you can give the account this access using SQL Server Management Studio. This is a one-time-only change. After you have granted database creation rights to the account used by the Windows SharePoint Services administration virtual server, this account can create databases for any subsequent virtual servers. Proceed to Grant database creation rights in SQL Server 2005.

Grant database creation rights in SQL Server 2000
  1. On your server computer, click Start, point to All Programs, point to Microsoft SQL Server, and then click Enterprise Manager.
  2. In Enterprise Manager, click the plus sign (+) next to Microsoft SQL Servers, click the plus sign (+) next to SQL Server Group, and then click the plus sign (+) next to your SQL Server computer.
  3. Click the plus sign (+) next to Security, and then right-click Logins, and click New Login.
  4. In the Name box, type the account in the form DOMAIN\name.
  5. Click the Server Roles tab.
  6. In the Server Role list, select the Security Administrators and Database Creators check boxes, and then click OK.

Proceed to Configuring the Web Server Computers.

Grant database creation rights in SQL Server 2005
  1. On your server computer, click Start, point to All Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.
  2. On the Connect to Server screen, select the name of the local server from the Server name drop-down list.
  3. Select Windows Authentication from the Authentication drop-down list and then click Connect.
  4. In Object Explorer, click the plus sign (+) next to Security.
  5. Right-click Logins, and then click New Login.
  6. In the Login – New screen, in the Login name box, type the account in the form of DOMAIN\accountname.
  7. In the Select a page section, click Server Roles.
  8. In the Server roles list, select the securityadmin and dbcreator check boxes, and then click OK.
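The following PowerShell function is an added example, not part of the original page. It performs the "Grant database creation rights" procedure from a script by running T-SQL through sqlcmd with Windows authentication, grants only the two server roles the procedure names, and verifies afterwards that the account is not also a sysadmin. The server name SQL01 and the account ADATUM\SharePoint_admin are assumed values; sqlcmd ships with SQL Server 2005, and on SQL Server 2000 the same batch can be run with osql -E.

```powershell
# Added example (not from the original page): create the SQL Server login for the
# Windows SharePoint Services administration account and add it to the dbcreator
# and securityadmin server roles only. Assumed values: server SQL01,
# account ADATUM\SharePoint_admin. Uses sqlcmd (SQL Server 2005 tools).
function Grant-WssDatabaseCreator {
    param(
        [Parameter(Mandatory)] [string] $SqlServer,
        [Parameter(Mandatory)] [string] $Account    # DOMAIN\accountname
    )
    $acct = $Account.Replace("'", "''")    # escape for the T-SQL string literal

    # sp_grantlogin, sp_addsrvrolemember and IS_SRVROLEMEMBER exist on both
    # SQL Server 2000 and 2005. sysadmin is deliberately not granted: dbcreator plus
    # securityadmin is all the administration virtual server needs to create the
    # databases for later virtual servers.
    $tsql = @"
IF NOT EXISTS (SELECT 1 FROM master..syslogins WHERE name = N'$acct')
    EXEC sp_grantlogin N'$acct';
EXEC sp_addsrvrolemember N'$acct', 'dbcreator';
EXEC sp_addsrvrolemember N'$acct', 'securityadmin';
SET NOCOUNT ON;
SELECT IS_SRVROLEMEMBER('dbcreator', N'$acct'),
       IS_SRVROLEMEMBER('securityadmin', N'$acct'),
       IS_SRVROLEMEMBER('sysadmin', N'$acct');
"@

    # -E: Windows authentication (the mode enabled in the procedure above), so no
    # SQL password is placed on the command line. -h -1 -W: no headers, no padding.
    $out = & sqlcmd.exe -E -S $SqlServer -Q $tsql -h -1 -W
    $line = $out | Where-Object { $_ -match '^\s*[01]\s+[01]\s+[01]\s*$' } | Select-Object -Last 1
    if (-not $line) { throw "Unexpected sqlcmd output: $($out -join "`n")" }
    $flags = $line.Trim() -split '\s+'

    $result = [pscustomobject]@{
        Login         = $Account
        dbcreator     = ($flags[0] -eq '1')
        securityadmin = ($flags[1] -eq '1')
        sysadmin      = ($flags[2] -eq '1')
    }
    if ($result.sysadmin) {
        Write-Warning "$Account is a sysadmin; that is more than Windows SharePoint Services needs."
    }
    return $result
}

Grant-WssDatabaseCreator -SqlServer 'SQL01' -Account 'ADATUM\SharePoint_admin'
```

The returned object should show dbcreator and securityadmin as True and sysadmin as False; the function is safe to re-run, because the login is only created when it does not already exist and adding a member to a role it already belongs to is a no-op.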

Configuring the Web Server Computers

To use Active Directory account creation mode, you must install Windows SharePoint Services without installing WMSDE. To do so, you use the Server Farm option. Note that the Server Farm option is used even if your SQL Server installation is on the same computer.

 Note   The following procedures assume that each server on which you are installing Windows SharePoint Services is running IIS and ASP.NET, and has been configured for use with Windows SharePoint Services. For detailed information about preparing your front-end Web servers, see Preparing your Front-end Web Servers for Windows SharePoint Services.

The installation steps vary depending on whether you are installing Windows SharePoint Services on Windows Server 2003 R2 or a prior version of Windows Server 2003.

Installing Windows SharePoint Services on Windows Server 2003 R2

Perform the following procedure to install Windows SharePoint Services on Windows Server 2003 R2 with SQL Server as the database.

 Notes 

  • Windows Server 2003 R2 includes Windows SharePoint Services SP2 as a role in the Configure Your Server Wizard and in Manage Your Server (located on CD 2). However, to use SQL Server 2000 or later as your database, rather than WMSDE, you must use Add/Remove Windows Components to install Windows SharePoint Services.
  • Windows Server 2003 R2 does not install ASP.NET 2.0 by default. You can install either ASP.NET 2.0 or ASP.NET 1.1 and then register it with IIS. For more information, see Installing and Configuring ASP.NET.
Install Windows SharePoint Services with SQL Server 2000 or SQL Server 2005
  1. Click Start, point to Control Panel, and then click Add or Remove Programs.
  2. Click Add/Remove Windows Components.
  3. In the Windows Components dialog box, scroll down and locate Windows SharePoint Services, select its check box, and then click Next to begin installation.
  4. When prompted, insert the Windows Server 2003 R2 CD 2 and browse to %drive%\cmpnents\r2\setupsts.exe, where %drive% is the drive letter of your CD drive.

 Note   You can optionally browse to a network location where Setupsts.exe is located.

  5. Click Open, and then click OK.
  6. When the Installation Screen appears, click Server Farm, and then click Next.
  7. On the Summary page, verify that only Windows SharePoint Services will be installed, and then click Install.

When installation is complete, your browser opens the Configure Administrative Virtual Server page.

  8. Choose to either use an existing application pool or create a new application pool.
  9. Select either a predefined security account or a configurable security account.

 Note   You must use the account you created earlier on the Active Directory domain controller.

  10. Choose either NTLM or Kerberos authentication in the Security configuration section.

 Note   Choosing Kerberos authentication will require additional steps if you are using a domain account. The account must be configured as a Service Principal Name (SPN). You must have domain administrator rights to configure a Service Principal Name (SPN). Refer to the Microsoft Knowledge Base article 832769: How to configure a Windows SharePoint Services virtual server to use Kerberos authentication for additional information.

  11. Click OK.
  12. When the Application Pool Changed page appears, click Start, and then click Run.
  13. Type iisreset, and then click OK.
  14. When the command completes, click OK.

 Note   If you are configuring Windows SharePoint Services for scalable hosting mode, do not perform steps 15 through 21, because scalable hosting mode requires setting the configuration database using the command line utility stsadm.exe. To configure Windows SharePoint Services for scalable hosting mode, proceed to Configuring Windows SharePoint Services for Scalable Hosting Mode. Otherwise, to configure Windows SharePoint Services for traditional IIS hosting mode, complete steps 15 through 21.

The Set Configuration Database Server page appears.

  15. Type the NETBIOS name of the server running SQL Server 2000.
  16. Type the SQL Server database name or select the check box to use an existing configuration database.
  17. Select the connection type to use either Integrated Windows or SQL authentication.
  18. Select Automatically create Active Directory Account for this site.

 Note   This mode cannot be changed at a later time without uninstalling and reinstalling Windows SharePoint Services.

  19. Enter the Active Directory domain and Organizational Unit.
  20. Click OK.

The Windows SharePoint Services Central Administration page appears.

  21. Minimize or close this page and click Finish.

Proceed to Extending a virtual server.

Installing Windows SharePoint Services on Windows Server 2003

Perform the following procedure to install Windows SharePoint Services on Windows Server 2003 with SQL Server as the database.

Install Windows SharePoint Services with SQL Server 2000 or SQL Server 2005
  1. Download STSV2.exe to your computer.

You can download STSV2.exe from the Microsoft Web site.

  2. Run STSV2.exe to extract the installation files.

This will begin the Windows SharePoint Services installation.

  3. On the End-User License Agreement page, review the terms, select the I accept the terms in the License Agreement check box, and then click Next.
  4. On the Type of Installation page, click Server Farm, and then click Next.
  5. On the Summary page, verify that only Windows SharePoint Services will be installed, and then click Install.

Setup installs Windows SharePoint Services. When installation is complete, your browser opens the Configure Administrative Virtual Server page.

  6. Choose to either use an existing application pool or create a new application pool.
  7. Select either a predefined security account or a configurable security account.

 Note   You must use the account you created earlier on the Active Directory domain controller.

  8. Choose either NTLM or Kerberos authentication in the Security configuration section.

 Note   Choosing Kerberos authentication will require additional steps if you are using a domain account. The account must be configured as a Service Principal Name (SPN). You must have domain administrator rights to configure a Service Principal Name (SPN). Refer to the Microsoft Knowledge Base article 832769: How to configure a Windows SharePoint Services virtual server to use Kerberos authentication for additional information.

  9. Click OK.
  10. When the Application Pool Changed page appears, click Start, and then click Run.
  11. Type iisreset, and then click OK.
  12. When the command completes, click OK.

 Note   If you are configuring Windows SharePoint Services for scalable hosting mode, do not perform the remaining steps of this procedure (from the Set Configuration Database Server page onward), because scalable hosting mode requires setting the configuration database using the command line utility stsadm.exe. To configure Windows SharePoint Services for scalable hosting mode, proceed to Configuring Windows SharePoint Services for Scalable Hosting Mode. Otherwise, to configure Windows SharePoint Services for traditional IIS hosting mode, complete the remaining steps.

The Set Configuration Database Server page appears.

  13. Type the NETBIOS name of the server running SQL Server 2000 or SQL Server 2005.
  14. Type the SQL Server database name or select the check box to use an existing configuration database.
  15. Select the connection type to use either Integrated Windows or SQL authentication.
  16. Click Automatically create Active Directory Account for this site.

 Note   This mode cannot be changed at a later time without uninstalling and reinstalling Windows SharePoint Services.

  17. Enter the Active Directory domain and Organizational Unit.
  18. Click OK.

The Windows SharePoint Services Central Administration page appears.

  19. Minimize or close this page and click Finish.

Configuring Windows SharePoint Services for Scalable Hosting Mode

To configure Windows SharePoint Services for scalable hosting mode, you must use the stsadm.exe utility at the command line. The stsadm.exe utility is available at the following path: %drive%\program files\Microsoft Shared\web server extensions\60\bin, where %drive% is the drive on which you installed Windows SharePoint Services.

For a complete list of operations and parameters for the stsadm.exe utility, see Command-Line Operations and Command-Line Parameters.

Create the configuration database and specify Active Directory account creation mode by using the command line

When you create the configuration database, you specify that Windows SharePoint Services uses Active Directory account creation mode. If you are using scalable hosting mode, you must also use the hh parameter with the setconfigdb operation.

To create the configuration database in traditional IIS hosting mode, use the following syntax:

Stsadm.exe -o setconfigdb -ds <database server name> -dn <sts_config> 
  -adcreation -addomain <domain_name> -adou <sharepoint_ou>

 Note   When using nested OUs the correct syntax to use is:

Stsadm.exe -o setconfigdb -ds <server name> -dn <configdatabase>
  -adcreation -addomain <domain_name> -adou "ChildOU,OU=ParentOU"

For example, if your Child OU is SharepointOU and your Parent OU is Sharepoint, you would use "SharepointOU,OU=Sharepoint" as the value of the adou parameter.

 Note   Be sure to use the NETBIOS name of your server for the Active Directory domain, not the fully-qualified domain name. For example, use the form server_name_test, not server_name_test.adatum.com.

To create the configuration database in scalable hosting mode, use the following syntax:

Stsadm.exe -o setconfigdb -ds <database server name> -dn <sts_config> 
  -hh -adcreation -addomain <domain_name> -adou <sharepoint_ou>
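Before running either setconfigdb command, it is worth checking the values you are about to pass and the delegation done on the domain controller. The following PowerShell function is an added example, not part of the original page or of stsadm.exe; it confirms that -addomain is a NetBIOS name (the note above), that the OU named by -adou exists, that the application pool account holds the rights delegated in "Delegate permissions to the organizational unit", and that the OU holds no pre-existing accounts, as the earlier recommendation asks. It requires the ActiveDirectory PowerShell module from RSAT, and the domain ADATUM, OU sharepoint_ou and account ADATUM\SharePoint_admin are assumed values.

```powershell
# Added pre-flight check (not from the original page) for the inputs to
# "stsadm -o setconfigdb -adcreation". Requires the ActiveDirectory module (RSAT).
# Assumed values: domain ADATUM, OU sharepoint_ou, account ADATUM\SharePoint_admin.
Import-Module ActiveDirectory

function Test-WssAdCreationPrereqs {
    param(
        [Parameter(Mandatory)] [string] $AdDomain,        # value for -addomain (NetBIOS name)
        [Parameter(Mandatory)] [string] $AdOu,            # value for -adou: "sharepoint_ou" or "ChildOU,OU=ParentOU"
        [Parameter(Mandatory)] [string] $AppPoolAccount   # DOMAIN\name used as the application pool identity
    )
    $ok = $true

    # 1. -addomain must be the NetBIOS name, not the DNS name.
    if ($AdDomain -match '\.') {
        Write-Warning "-addomain '$AdDomain' looks like a DNS name; use the NetBIOS name."
        $ok = $false
    }

    # 2. Build the OU's distinguished name from the -adou value and confirm it exists.
    #    "ChildOU,OU=ParentOU" becomes "OU=ChildOU,OU=ParentOU,DC=...".
    $domain = Get-ADDomain -Identity $AdDomain
    $ouDn = "OU=$AdOu,$($domain.DistinguishedName)"
    try {
        $null = Get-ADOrganizationalUnit -Identity $ouDn
    } catch {
        Write-Warning "OU not found: $ouDn"
        return $false
    }

    # 3. The app pool identity needs CreateChild/DeleteChild for user objects on
    #    the OU (the "Create, delete, and manage user accounts" delegation task).
    #    bf967aba-... is the schemaIDGUID of the user class; an empty GUID means
    #    the ACE applies to all object classes.
    $userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
    $acl = Get-Acl -Path "AD:\$ouDn"
    $mine = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $AppPoolAccount -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $userClass)
    }
    $rights = ($mine | ForEach-Object { $_.ActiveDirectoryRights.ToString() }) -join ','
    foreach ($needed in 'CreateChild', 'DeleteChild') {
        if ($rights -notmatch $needed -and $rights -notmatch 'GenericAll') {
            Write-Warning "$AppPoolAccount lacks $needed on $ouDn; re-run Delegate control."
            $ok = $false
        }
    }

    # 4. Site collection administrators can change properties (such as the
    #    password) of any account in this OU, so it should start out empty.
    $existing = @(Get-ADUser -SearchBase $ouDn -SearchScope OneLevel -Filter *)
    if ($existing.Count -gt 0) {
        Write-Warning ("OU already contains {0} user(s): {1}" -f $existing.Count, ($existing.SamAccountName -join ', '))
        $ok = $false
    }
    return $ok
}

# Only run setconfigdb when every check passed.
if (Test-WssAdCreationPrereqs -AdDomain 'ADATUM' -AdOu 'sharepoint_ou' -AppPoolAccount 'ADATUM\SharePoint_admin') {
    Write-Output 'Prerequisites satisfied; run stsadm.exe -o setconfigdb ... -adcreation -addomain ADATUM -adou sharepoint_ou'
}
```

The rights check is deliberately permissive about the form of the ACEs (it accepts GenericAll as well as explicit CreateChild and DeleteChild) because the Delegation of Control Wizard writes several ACEs for one task; what matters is that the identity can create and delete user objects in this OU and nowhere else.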
         
Specify the e-mail server settings

You must specify an SMTP server to use in order for invitation e-mail to work in Active Directory account creation mode. To specify an e-mail server, you use the email operation.

stsadm.exe -o email -outsmtpserver <SMTP server> 
  -fromaddress <someone@example.com> -replytoaddress <someone@example.com> 
  -codepage <codepage>

Extending a virtual server

After you set up the connection to your SQL Server computer, you are ready to extend the virtual servers on your Web server computer with Windows SharePoint Services. When you extend a virtual server, Windows SharePoint Services is applied to a virtual server and a top-level Web site is created. For either mode, you must extend the virtual server without creating a site. You use the donotcreatesite parameter with the extendvs operation to extend a virtual server without creating a site.

Extend a virtual server

To extend the virtual server without creating the default top-level Web site use the following syntax:

Stsadm.exe -o extendvs -url <http://server_name.domain>
  -ownerlogin <domain\name> -owneremail <someone@example.com> -exclusivelyusentlm <yes/no>
  [-ds <sqlservername>]
  [-dn <sts_content>]
  [-donotcreatesite]
  [-apcreatenew]
  [-apidname <stscontent>]
  [-apidtype <configurableid>]
  [-apidlogin <DOMAIN\account>]
  [-apidpwd <app pool password>]

For the apidlogin parameter, enter a domain account in the format DOMAIN\account. It is recommended that you use a different account than the account you used for the application pool for the administration virtual server.

 Note   This account must also have the correct permissions delegated to it. This account must be able to create, delete, and manage accounts in the organizational unit for Windows SharePoint Services.

Setting up a test environment

If you are setting up the multiple host names model for your server farm, you need to create the mapping for the sites you will create for users. The following example shows one way to set up a test environment with multiple host named sites. In a real deployment, you would map the host names in the Domain Name System (DNS).

Add host names for the IP address and create sites
  1. Open the c:\WINNT\system32\drivers\etc\hosts file.
  2. Add the IP address for the virtual server that will host your sites, and then add the host names to use. By default, the IP address assigned to your server will be the IP address you enter into the hosts file. You can get this IP address by opening a command prompt window and running the IPCONFIG command.

For example, if the IP address of your server is 111.11.111.11, you could add the following entries to the hosts file:

111.11.111.11 site1.myserver.com
111.11.111.11 user2.myserver.com
111.11.111.11 site2.myserver.com
111.11.111.11 team1.myserver.com

 Notes 

  • The IP address must be in the first column and the host name must be separated by at least one space.
  • For testing purposes, you may have to remove any proxy server setting in Internet Explorer.
  3. Save and close the hosts file.

The server must be restarted for the hosts file to take effect. After restarting the server, you can verify that your hosts file entries are correct by pinging the host name. If you ping site1.myserver.com, for example, it should return the IP address of the server.
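The two PowerShell functions below are an added example, not part of the original page. The first adds the test host names to the hosts file without creating duplicate lines, and the second checks that each name resolves to the expected address, which is the same test as pinging each name. The address 111.11.111.11 and the host names are the page's sample values; the hosts file path is taken from the system root, so it works for both c:\WINNT and c:\Windows installations. Writing to the hosts file requires an elevated prompt.

```powershell
# Added example (not from the original page): add the test host names to the
# hosts file idempotently, then verify resolution. Sample values from the page.
function Add-TestHostEntries {
    param(
        [Parameter(Mandatory)] [string]   $IPAddress,
        [Parameter(Mandatory)] [string[]] $HostNames,
        [string] $HostsPath = (Join-Path $env:SystemRoot 'system32\drivers\etc\hosts')
    )
    $existing = Get-Content -Path $HostsPath -ErrorAction Stop
    foreach ($name in $HostNames) {
        # A hosts entry is "<ip> <name>" with at least one space between them;
        # lines starting with # are comments and are ignored by the resolver.
        $pattern = '^\s*' + [regex]::Escape($IPAddress) + '\s+' + [regex]::Escape($name) + '(\s|$)'
        $present = $existing | Where-Object { $_ -match $pattern }
        if (-not $present) {
            Add-Content -Path $HostsPath -Value "$IPAddress $name"
        }
    }
}

function Test-TestHostEntries {
    param(
        [Parameter(Mandatory)] [string]   $IPAddress,
        [Parameter(Mandatory)] [string[]] $HostNames
    )
    $allGood = $true
    foreach ($name in $HostNames) {
        try {
            # The .NET resolver consults the hosts file, so this checks the same
            # thing as "ping <name>" without needing ICMP to be allowed.
            $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        } catch {
            $addrs = @()
        }
        if ($addrs -contains $IPAddress) {
            Write-Output "$name -> $IPAddress OK"
        } else {
            Write-Warning "$name resolved to '$($addrs -join ',')' instead of $IPAddress"
            $allGood = $false
        }
    }
    return $allGood
}

$names = 'site1.myserver.com', 'user2.myserver.com', 'site2.myserver.com', 'team1.myserver.com'
Add-TestHostEntries -IPAddress '111.11.111.11' -HostNames $names
Test-TestHostEntries -IPAddress '111.11.111.11' -HostNames $names
```

Run Test-TestHostEntries again after the restart the procedure calls for; a name that still resolves to a different address usually means a proxy or an earlier hosts entry for the same name is taking precedence, which is the case the note about removing proxy settings in Internet Explorer is addressing.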

Create a site

You can create a site in either scalable or traditional IIS hosting mode by using the createsite operation with the following syntax:

stsadm -o createsite -url <http://www.adatum.com> 
  -owneremail <someone@example.com>

 Note   In Active Directory account creation mode, the -ownerlogin parameter is not required. A new account will be created based on the -owneremail parameter.

Be sure to use a valid e-mail address for the owneremail address. This address will be used to send account credentials to new users who access the site.

 
 
Applies to:
Deployment Center 2003