The Welcome page (shown in Figure 5-4) explains the information you will need to provide during the configuration.
Figure 5-4: Configuration Wizard Welcome page
When you click Next, a warning dialog box is displayed explaining that some services will need to be restarted during the configuration. This does not present issues if you are working with a new, dedicated Web server. However, if your server is currently serving other Web sites, restarting the Web services will interrupt those sites, which might be unacceptable during certain time periods. If this is the case, you'll need to perform this action during off-hours. Also, it is highly recommended that you check network connectivity and DNS resolution from the server to the SQL server prior to running the wizard.
Farm membership is defined by servers that are registered with the same configuration database. To join an existing farm, the server must use the same configuration database that the other servers are using. (See Figure 5-5.) If you want to set up a new farm, you need to create a new configuration database. You also need to know the SQL service account and password to join it to the farm. As was discussed earlier, in most instances this will be a domain account.
Figure 5-5: Farm connection choices
Best Practices
Best practice is to always use domain accounts to install, configure, and secure your SharePoint deployment. If you use local server accounts and then later want to move to a domain environment, all your accounts in the farm and the Web applications need to be reassigned to domain accounts. This can be a challenging activity that can be avoided by simply using domain accounts initially.
When you configure a new farm, you must specify a SQL Server instance and a new configuration database name. (See Figure 5-6.) At this point, you should have a naming convention in place not only for the configuration databases, but also for the other databases that will be configured later. You also need the username and password of a SQL account that has dbcreator and securityadmin permissions on your SQL server. If this is your first SharePoint deployment, you need to ensure this account is also a member of the local Administrators group on the SharePoint server. (See Table 5-2.)
Figure 5-6: Specify Configuration Database Settings page
The username being requested on this page also will be used by the application pool in the Central Administration Web site. This is the same application pool account that was discussed earlier that has the appropriate rights on the SQL server and on all members of the farm. This is the security context for central administrative functions in SQL. In other words, all the system calls between the SharePoint servers and the SQL server will be committed within the security context of the Central Administration application pool account.
Remember that in SharePoint, user accounts should always be entered as domainname\username to distinguish them from local accounts.
On the next page (shown in Figure 5-7), you instruct setup to create the Central Administration Web application. On this page, you can use the randomly generated port number or specify your own port number. In addition, you can choose if you want the Central Administration Web site to use Kerberos or NTLM authentication.
Figure 5-7: Configuration page for the Central Administration Web application
Choose your port number carefully. You cannot change the port number for Central Administration after SharePoint is installed.
The choice between Kerberos and NTLM authentication is important. In most cases, you will use NTLM: Kerberos authentication is more secure and more efficient, but it must be supported throughout your environment. The Kerberos option requires you to configure service principal names (SPNs) for the accounts used as application pool identities. The Negotiate (Kerberos) option allows IIS to authenticate users with Kerberos, or with NTLM authentication if the user's machine cannot access the KDC (Key Distribution Center) or has an unsynchronized clock.
Kerberos authentication requires special configuration. When creating a Central Administration Web application, choose Kerberos as your authentication mechanism and configure an SPN for your Web application pool process account identity by using the setspn.exe tool from Support.cab in the Support folder of your server install CD or the Windows Server Resource Kit. Enter the following at a command prompt:
setspn.exe -A HTTP/ServerName Contoso\UserName
In this example, ServerName is your IIS system name, Contoso is the name of our Active Directory Domain, and UserName is the identity of the Web application's application pool.
For more information about configuring Kerberos, see Microsoft Knowledge Base article 832769, "How to Configure Windows SharePoint Services to Use Kerberos Authentication," found at http://support.microsoft.com/default.aspx/kb/832769.
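If the same HTTP/ServerName SPN is registered on two accounts, Kerberos ticket requests for it fail, and under the Negotiate option the site then authenticates with NTLM without any visible error. The following PowerShell is an added example, not part of the original text: it checks Active Directory for an existing owner before running the setspn.exe -A command shown above. ServerName and Contoso\UserName are the text's placeholders; the DNS suffix and the decision to also register the fully qualified name are assumptions.

```powershell
# Added example. Replace the placeholder values before use.
$ServerName = 'ServerName'           # IIS system name (placeholder from the text)
$DnsSuffix  = 'contoso.example'      # assumed DNS suffix, not given in the text
$Account    = 'Contoso\UserName'     # application pool identity (placeholder from the text)

function Get-SpnOwner {
    param([Parameter(Mandatory = $true)][string]$Spn)
    # LDAP lookup of every account in the current domain that carries this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    foreach ($result in $searcher.FindAll()) {
        [string]$result.Properties['samaccountname'][0]
    }
}

$samName = $Account.Split('\')[1]

# Short name as in the text, plus the FQDN form (assumption: clients may use either).
foreach ($spn in "HTTP/${ServerName}", "HTTP/${ServerName}.${DnsSuffix}") {
    $owners = @(Get-SpnOwner -Spn $spn)
    $others = @($owners | Where-Object { $_ -ne $samName })

    if ($others.Count -gt 0) {
        # Registering now would create a duplicate and break Kerberos for this name.
        Write-Warning "$spn is already registered to: $($others -join ', '). Resolve this before adding it to $Account."
    }
    elseif ($owners.Count -eq 0) {
        & setspn.exe -A $spn $Account
    }
    else {
        Write-Output "$spn is already registered to $Account."
    }
}

# List the SPNs now held by the application pool account for review.
& setspn.exe -L $Account
```

The lookup covers only the domain of the logged-on user; in a multi-domain forest, repeat the check against the other domains before registering.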
At this point, the Configuration Wizard has sufficient information to begin. Review the accuracy of the information (shown in Figure 5-8) before you click Next. If necessary, back up and make changes.
Figure 5-8: Completing the wizard
Once you click Next, a progress screen displays while the following actions are taken:
Initialize SharePoint products and technologies configuration.
Create configuration database.
Install Help collections.
Secure SharePoint resources.
Install and register SharePoint services.
Install and register SharePoint features.
Provision the SharePoint Central Administration Web application.
Install Web application files.
Finalize SharePoint products and technologies configuration, followed by IIS reset.
When the installation has been successfully completed, the wizard presents a report on its actions. When you click Finish, you are directed to the SharePoint Central Administration Web page. To open the Central Administration page, you need to add it to your Trusted Sites zone in Internet Explorer. The default settings of Internet Explorer require authentication for all Trusted Sites. To pass through your current logon credentials, you need to either modify the settings for Trusted Sites zone in Internet Explorer or add the Web site to the Local Intranet zone using the Sites button. If you are using a proxy server to access the Internet, ensure that your local sites are listed as local addresses in the Bypass Proxy Server For Local Servers dialog box.