Installing SharePoint 2010 using Least Privilege Service Accounts

SharePoint 2010 is definitely generating a lot of buzz out there in the community, especially amongst partners and customers and with the official launch only a day away, I thought it would be ideal to update my installation which I first blogged about here using all the RTM bits.  For those of you that aren’t aware, SharePoint 2010 and SQL 2008 R2 are now available for download via TechNet or MSDN and will be available to Volume Licensing customers post launch, 12 May 2010.

The below setup will be based on SharePoint 2007 best practices and SharePoint 2010 TechNet documentation on “proposed” best practices with this setup utilising the least privilege model for our SharePoint service accounts.  Before delving into the setup which will form the basis of all future blog posts on SharePoint 2010, I have provided the below summary of the environment that I will be working with.

Environment

• Windows 2008 R2 server running Active Directory Domain Services
• Windows 2008 R2 server running SQL 2008 R2
• Windows 2008 R2 server running SharePoint 2010 RTM
• Windows 2008 R2 server running Exchange 2010 RTM
• Windows 7 client running Office 2010 RTM

The Preparation

Before we delve into the actual installation, let’s begin to talk about what service accounts are required for the new SharePoint Farm setup. TechNet has a great article on the service accounts required and their respective privileges which you can read in some detail here.  In summary, these are not much different to the SharePoint 2007 best practices for utilising the Least Privilege model for service accounts and goes as follows;

1. SQL Server Service Account
   This should be a standard domain user account which will be used to run the MSSQLSERVER and SQLSERVERAGENT services on your SQL server.
   e.g. DOMAIN\sp_sql
2. SharePoint Setup User Account
   This should be a standard domain user account that will be used as the logged in user when installing SharePoint and for when running the SharePoint Products Configuration Wizard.  This account must be a member of the Local Administrators group for each server where SharePoint 2010 will be installed.  You will also need to create a SQL server login with the following SQL server security roles; “securityadmin” and “dbcreator”.  Instructions below.
   e.g. DOMAIN\sp_admin
3. Server Farm/Database Access Account
   You guessed it, this should also be a standard domain user account, however we do not need to grant any necessary permissions to this account as this is handled by the SharePoint Setup User Account during the SharePoint Products Configuration Wizard.  This is the account that we nominate as the “Database Access” account during the SharePoint Configuration Wizard.  This account will be applied against the SharePoint Foundation Workflow Timer Service and the SharePoint Central Administration Web Site Application Pool.
   e.g. DOMAIN\sp_farm

It’s imperative that these accounts are created and provisioned before attempting any installation of the SharePoint 2010 bits.  This article is assuming that SQL 2008 R2 has already been installed in your environment using the SQL server service account.

Firstly, have your Active Directory Administrator create the above accounts in Active Directory as standard domain users.   Then navigate to each server in which you will install SharePoint 2010 and add the DOMAIN\sp_admin account (SharePoint Setup User Account) to the Local Administrator’s group of that respective server.

Navigate to Start / Administrative Tools / Server Manager / Local Users and Groups and then click on the Groups folder.

Add the DOMAIN\sp_admin user to the Administrator’s group.

We next venture to our SQL 2008 R2 server to configure our sp_admin account as a SQL server login.

Launch the SQL 2008 R2 Management Console and navigate to Security / Logins.

Right click on Logins and select New Login;

Search for the newly created sp_admin domain account

Click on Server Roles and select dbcreator and securityadmin as your server roles.  Public will be selected by default.

Now that our environment is prepped up with your service accounts, we can now proceed with the installation, so let the *games* begin!!

The Install

Launch the SharePoint 2010 splash installation screen and ensure you have met the necessary hardware and software requirements.  You can find more details in the following TechNet article. It’s important that you download and install the WCF hotfix listed in the above TechNet article.   This hotfix is specific to the OS version that you are installing SharePoint 2010 on.

Run the Install software prerequisites first! This preparation tool will actually install the majority of the prerequisites listed in the TechNet article.

Click Next

Accept the terms of the License Agreement

The preparation tool begins installing the pre-requisites. It’s imperative that your SharePoint server has an internet connection as it will connect to the internet during the preparation and download the necessary software listed above.

After the installation of the prerequisites is complete, you will be asked to re-start your computer.

After your server has restarted, the preparation tool should pick up from where it last left and finalise any further configuration that is required. You should then receive a successful completed installation dialog window as per the below.

Click Finish.

You will then be required to re-launch the install splash screen and this time round click on Install SharePoint Server.

Enter your product key

Accept the Microsoft Software License Terms.

Select Server Farm (we all know not to select Standalone right?! Big no no in production)

Again, don’t be fooled into selecting the Stand-alone option which is identical to the Stand-alone option in the previous screen.  Be sure to select Complete and click Next to proceed with the installation.

Once SharePoint has copied it’s files, the Run Configuration Wizard window will appear.

Click Close

The SharePoint Products Configuration Wizard will then launch

Click Next

Click Yes on the following warning.

Select “Create a new server farm”

Click Next

Enter the name of your SQL 208 R2 server and keep the default database name for SharePoint 2010 Configuration database.  Then enter the SharePoint Farm account as the Database Access Account.  i.e. DOMAIN\sp_farm.

Click Next

Enter a Passphrase. As mentioned below, this designated passphrase is configured to ensure that no other SharePoint servers can join this farm unless the passphrase is provided.  The passphrase must meet the following requirements;

• Contains at least eight characters
• Contains at least three of the following four character groups:
• English uppercase characters (from A through Z)
• English lowercase characters (from a through z)
• Numerals (from 0 through 9)
• Nonalphabetic characters (such as !, $, #, %)

Configure your SharePoint Central Administration Web Application settings. I always like to change the default port number to something that is easier to remember.

You are also presented with the authentication provider options for your CA Web Application in which it is usually best practice to utilise Kerberos for your SharePoint Web Sites, however NTLM will suffice for your SharePoint CA Web Application.

Click Next

Click Next.

The infamous performing configuration task screen is displayed.  All we can do now is cross our fingers and wait…

Upon completion you should receive the following confirmation that the configuration was a success.

Click Finish

The SharePoint 2010 Central Administration website that was just created should launch.

The Customer Experience Improvement Program which is available with most Microsoft products will pop up in a separate Window.

After answering Yes or No the Customer Experience Improvement Program the Configure your SharePoint farm wizard option will appear.  We will click Cancel and go through the configuration of our service applications in subsequent future articles.

That’s all that is to it.  Before signing out, let’s venture into a couple of key areas to confirm the details of our farm configuration and then venture across to our SQL server and launch SQL Management Studio to determine what databases are created by default.

Let’s begin by navigating to Central Administration / System Settings / Manage servers in this farm.  After confirming the server listing as per our installation, navigate to your SQL 2008 R2 server and launch SQL Management studio. Browse to databases to see our SharePoint 2010 Databases listed, namely the SharePoint config database and the SharePoint Central Administration Database.

I hope this article has some shed some light with your SharePoint 2010 deployment and we will continue our focus in near future articles in configuring our SharePoint farm and focusing on the service applications that are on offer.

Subscribe to this blog and join our Facebook page and Twitter Page to keep up to date and be notified of our latest articles.

If you require any assistance with your SharePoint or other IT needs, the team at GKM2 are happy to assist.  You can contact us via info@gkm2.com.au or 1300 797 288 within Australia.

Resources

Administrative and service accounts required for initial deployment (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/ee662513%28office.14%29.aspx