MIM LAB 2: Preparing the first MIM server

This post is part of a series. The chapter index is located here.

In this post we:

• Create the first MIM VM and join it to AD
• Install prerequisites
• Set Local security policies
• Change IIS authentication mode
• Install SQL Server
• Install and configure Sharepoint Foundation Services 2013

Create a VM and join it to Active Directory

VM: IM01

This server has to be a member of Active Directory, preferably in the domain you created in step 1.

• Create a VM. It should have at least 2 cores and 8GiB of RAM.
• Give the server fixed IP addresses, both v4 and v6 (if you are using IPv6).
• Join ad: Add-Computer MIM.local –OUPath “OU=Computers,OU=MIM,OU=Services,DC=mim,DC=local”

Install prerequisites

There are some prerequisite roles and features that has to be installed. The script in the guide does not work on Win 2016 at the time of writing, because the Application-Server role has been removed from Win2016. I followed a work-around from stackexchange related to sharepoint on Win2016. The first line adds what I understand is what used to be the Application-Server role, and maybe some other stuff as well. The second line is the one from the guide sans the Application-Server role. I also removed the reboot clause and the sxs link, as the gpo we create below lets us install from Windows Update instead. There may be some overlap between the two commands, but I did not want to change to much.

• Enable download of feature source files from Windows Update:

• Create a GPO and link it to the OU containing your server.
• Enable “Specify settings for optional component…”, see the image below for details.
• 
• Run gpupdate /force
• Disable Internet Explorer Enhanced Security.
• Add prerequisite roles and features using powershell. Remember that these prerequisites has to be installed on all MIM portal servers, which includes password reset servers.

Add-WindowsFeature NET-HTTP-Activation,NET-Non-HTTP-Activ,NET-WCF-Pipe-Activation45,NET-WCF-HTTP-Activation45,Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-App-Dev,Web-Asp-Net,Web-Asp-Net45,Web-Net-Ext,Web-Net-Ext45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Http-Tracing,Web-Security,Web-Basic-Auth,Web-Windows-Auth,Web-Filtering,Web-Digest-Auth,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Tools,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase,WAS,WAS-Process-Model,WAS-NET-Environment,WAS-Config-APIs,Web-Lgcy-Scripting,Windows-Identity-Foundation,Xps-Viewer -verbose

Install-WindowsFeature Web-WebServer, Net-Framework-Features,rsat-ad-powershell,Web-Mgmt-Tools,Windows-Identity-Foundation,Server-Media-Foundation,Xps-Viewer –includeallsubfeature

• Reboot your server
• Run Windows Update (PSWindowsUpdate recommended)

Set local security policies

I have not found a simple way of scripting this yet, so you have to do it manually. Please leave a comment if you find a way to automate this that does not require three page scripts, custom modules or software not installed in Windows 2016 by default. You set these policies using the Local security policy management console. You could also create a GPO, but I chose to set them locally as they are specific to the one server we are using. I suspect some of these will be set by the installers automatically as well, but best to follow the guide as closely as possible.

• First, open the Local Security policies console.
• Navigate to User Rights Assignment

• Open properties for Log on as a service
• Add the following accounts (created in the previous post):

• MIMSync
• MIMMA
• MIMService
• Sharepoint
• SQLEngine
• SQLAgent
• MIMSSPR
• Paste friendly version:

MIM\MIMSync; MIM\MIMMA; MIM\MIMService; MIM\Sharepoint; MIM\SQLEngine; MIM\SQLAgent; MIM\MIMSSPR

• Open properties for Deny access to this computer from the network
• Add the following accounts:

• MIMSync
• MIMService

• Open properties for Deny log on locally
• Add the following accounts:

• MIMSync
• MIMService
• Close the Local Security Policy console

Change the IIS Authentication mode

There is a nifty script for this, run it in powershell or CMD:

 

iisreset /STOP
C:\Windows\System32\inetsrv\appcmd.exe unlock config /section:windowsAuthentication -commit:apphost
iisreset /START

 

Install SQL Server 2016

The SQL Server should of course be located on a separate VM of physical cluster, but as this is a LAB I decided to follow the guide and install it on the same VM as MIM, namely IM01. I decided to try SQL Server 2016, as it is supported by MIM 2016 SP1. The guide specifies SQL Server 2014. Also, be aware that this is a very simplified SQL Server setup. If you are going to run a production system, get some help from a DBA to configure backups, integrity checks, drive mappings, HA and such.

• Get hold of a SQL Server 2016 Standard Edtition ISO-file.
• Mount it as a drive on the VM.
• Launch an administrative cmd.exe shell or powershell. You have to be a local admin on the vm to do this. You do not need to be a domain admin as specified in the guide.
• Change to the mounted drive, usually D:
• Build and execute a setup.exe command.

• /Q – Quiet install
• /IACCEPTSQLSERVERLICENSETERMS – Accept the license agreement
• /ACTION=install – We are installing of course
• /FEATURES=SQL – Install SQL server main components (SSMS is a separate install in 2016, more on this later)
• /INSTANCENAME=MSSQLSERVER – Use the default instance name.
• /SQLSVCACCOUNT=”MIM\SQLEngine” – Use MIM\SQLEngine as the SQL Server service account
• /SQLSVCPASSWORD=”xxxx” – Specify the password for the service account
• /AGTSVCACCOUNT=”MIM\SQLAgent” – Specify the password for the SQL Agent service account
• /AGTSVCPASSWORD=”xxxx” – Specify the password for the SQL Agent service account
• /AGTSVCSTARTUPTYPE=Automatic – Enable the SQL Agent (disabled by default for some stupid reason).
• /SQLSYSADMINACCOUNTS=”MIM\Administrator” – The account you want to use as a SQL Server admin account. Should be your own account.
• Sample below

setup.exe /Q /IACCEPTSQLSERVERLICENSETERMS /ACTION=install /FEATURES=SQL /INSTANCENAME=MSSQLSERVER /SQLSVCACCOUNT="MIM\SQLEngine" /SQLSVCPASSWORD="xxx" /AGTSVCACCOUNT="MIM\SQLAgent" /AGTSVCPASSWORD=”xxxx”  /AGTSVCSTARTUPTYPE=Automatic /SQLSYSADMINACCOUNTS="MIM\Admin"

• Run the SQL Server setup
• Monitor for five minutes. If no error has occurred yet, you have time for a break while you wait for setup to complete.
• Check the summary log located at C:\Program Files\Microsoft SQL Server\130\Setup Bootstrap\Log. The overall summary should look something like this:

 

• It is not unlikely that the log will include a message about missing reboots. This is normal, and if you receive such a message, reboot before you continue.
• Install SQL Server Management Studio. This is a separate install file for SQL Server 2016.
• Cap the SQL Server memory pool at say 2000MiB. This value should of course be higher in production. If your SQL server becomes very slow, increase the memory allocation for both the VM and the SQL Server.

 

Install SharePoint Foundation 2013 with SP1

Prerequisites

• Download the installer an copy it to the VM.
• Create a new directory and extract the installer

• Start the prerequisite installer wizard from an administrative command shell. If you do not use an administrative shell, you will get download errors and the wizard will fail.

• Complete the “Install software prerequisites” wizard.

• Restart the VM.

Feature installation

• Fix .net framwork 4.5 hardcoding (solution courtesy of  https://support.microsoft.com/en-ca/help/3087184/sharepoint-2013-or-project-server-2013-setup-error-if-the–net-framewo)

• First you have to download https://download.microsoft.com/download/3/6/2/362c4a9c-4afe-425e-825f-369d34d64f4e/wsssetup_15-0-4709-1000_x64.zip
• Open the .zip file and extract the wsssetup.dll into the updates folder under your extracted Sharepoint installation. (C:\download\Sharepoint\updates) if you have replicated my folder structure.
• 

 

• Start the Sharepoint installer from an administrative command shell.
• 

 

• Select the Complete server type
• 

 

Configuration Wizards

When the installation wizard completes successfully it starts the Sharepoint Products Configuration wizard, which is the next leg of this lengthy adventure.

• Select “Create a new server farm”

• Specify SQL Server connection settings

• Create a Sharepoint farm security passphrase.

• Follow the rest of the wizard, accepting defaults. Make a note of the Central Admin URL  as it contains a random port number.

• Wait for the wizard to finish. This may take some time…
• When the wizard is done, it opens the Sharepoint Central Administration, Initial Farm Configuration web app.

 

• Select the existing management account and click next.

 

• This could take some time, contrary to the text displayed on the screen…
• Skip creating a site collection
• Then finish the wizard.

Configure Sharepoint for MIM

• Start the Sharepoint Management Shell with run as admin
• If you get the error message: “The local farm is not accessible”, add your account to the Sharepoint_Shell_Access role under the Sharepoint_Config database.

Create a new web application, slow command

$dbManagedAccount = Get-SPManagedAccount -Identity MIM\SharePoint
New-SpWebApplication -Name "MIM Portal" -ApplicationPool "MIMAppPool" -ApplicationPoolAccount $dbManagedAccount -AuthenticationMethod "Kerberos" -Port 82 -URL http://portal.mim.local

Create a new Site collection connected to the new web application.

$t = Get-SPWebTemplate -compatibilityLevel 14 -Identity "STS#1"
$w = Get-SPWebApplication http://portal.mim.local:82
New-SPSite -Url $w.Url -Template $t -OwnerAlias MIM\JKLAdmin -CompatibilityLevel 14 -Name "MIM Portal" -SecondaryOwnerAlias MIM\BackupAdmin
$s = SpSite($w.Url)
$s.AllowSelfServiceUpgrade = $false
$s.CompatibilityLevel

Disable SharePoint Server-Side Viewstate and the SharePoint task “Health Analysis Job (Hourly, Microsoft SharePoint Foundation Timer, All Servers)”

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;
$contentService.ViewStateOnServer = $false;
$contentService.Update();
Get-SPTimerJob hourly-all-sptimerservice-health-analysis-job | disable-SPTimerJob

Make sure that you can log into the empty portal as MIM\Administrator

It should look something like this:

 

 

The end of MIM LAB 2

This post is part of a series, and the chapter index is located here. In the next chapter, we will look at installing the MIM Sync service.