Little important thing to note when evaluating SharePoint Online "Wave 15": SharePoint Online does not have the components to enable View audit log reports.
What does this mean to me you ask... Well, within the View Auditing Reports screen, there is a link named 'Content viewing' (see below).
In a full (on-premises) instance of SharePoint, this would give you a report basically containing who clicked what and when. In SharePoint Online you will always get "Report contains no data." (see below for example).
For more information see: View audit log reports, under the 'Events available for audit log reports' section, 'Opened and downloaded documents, viewed items in lists, or viewed item properties' bullet.
Suggestion to Microsoft: hide that report in SharePoint Online. Having that link visible is fairly misleading.
With the full GA release of Office 365 Wave "15", I thought it was about time I started to really see what I could do with this platform. I have been an avid SkyDrive and Outlook.com user for my personal email for some time now, so why not see what else I can do with the cloud & Office 365 with my little experimental company. I should also mention that my little company is a Microsoft registered partner and I have enrolled in the Cloud Essentials program to make this endeavour a bit more cost effective.
My objectives for this experiment:
- Enable Office 365 for my company and federate authentication with my on-premise Active Directory
- Federate my on-premise Active Directory with Azure Active Directory
- Leverage Windows Intune to decommission my on-premise System Center deployment
My primary reason behind federating with Azure Active Directory is really for the challenge - just to see if I can do it. However, secondary to that is that I am normally working remotely and of course, I would not be very happy if my company internet connection was down and I could not log into my Office 365 account. I am aware that I could use the Access Control Services that come with Office 365 and DirSync, but realistically my company may want to authenticate more than just Office 365 against my on-premise Active Directory.
Here is a nice video that explains how this federation works.
Here is a little diagram of my current state:
And here is one of my end-state goal:
I'll be honest - I think this plan is going to work based on what I have read, but I really don't know for sure. I will continue to update this post with my full experience as I plug away at this experiment.
Update 1 (March 6, 2013 8:55 AM MT):
Currently provisioning a new Windows Server 2012 VM using Hyper-V. I will be adding the Active Directory role to this server and joining it to my existing domain. This server will be used to federate with Azure Active Directory for authentication.
Office 365 account is setup and running with my domain. Just waiting to finish with Active Directory before adding user accounts.
Update 2 (March 6, 2013 10:50 AM MT):
Server 2012 deployed with Active Directory and Active Directory Federated Services running. Server is joined to my existing domain and has been promoted to a domain controller. ADFS has been configured and after getting myself a trial SSL certificate, I have been able to add it to my Azure Active Directory service. This part was surprisingly easy, just ran through the wizards that came with Server 2012 and it appears to be working. Don't forget that ADFS has to have port 443 open on your firewall.
Next steps: Prove that my Azure AD is working / provide authentication services and figure out how to connect it to Office 365.
Update 3 (March 6, 2013 1:45 PM MT):
There seems to be a very distinct difference between the 'Active Directory' service you can use via https://manage.windowsazure.com and the Active Directory that is found at https://activedirectory.windowsazure.com. As far as I can tell, they are both based on the same under-lying service - ACS - but they both seem to offer very different interfaces.
Best I can figure right now, federation was not the correct route. I should have gone down the DirectorySync (DirSync) route from the beginning. Now to demote my newly promoted DC and turn it into a DirSync box. More info here.
And a good article on demoting a Server 2012 Domain Controller.
Update 4 (March 6, 2013 3:20 PM MT):
Directory Sync is up and running... and syncing all my user accounts and service accounts. Given that this is really an experimental Active Directory, there are a lot of service accounts. DirSync really wasn't too bad to get going. Just took time reading through the guides and waiting for components to install.
Next tasks: Try to filter the user accounts that are sync'd via DirSync and take another crack at SSO.
One good thing to remember: DirSync cannot be on a Domain Controller or a server running ADFS.
Update 5 (March 6, 2013 9:10 PM MT):
After lots of research and testing, I have determined that because I signed up for Windows Intune, I am stuck on an Office 365 Wave 14 tenant for the time being. Service request is open with Microsoft to see if I can do anything about this. Haven't found a way to force an upgrade yet either.
Still working on SSO.
Update 6 (March 6, 2013 10:10 PM MT):
"If you're running Office 365 with the federated identity + directory synchronization option, you're already running a hybrid Active Directory where your user's on-premises AD identity is authenticated to Office 365 via federation and their accounts are provisioned or de-provisioned in your own little cloud AD via the dirsync process."
I may need to take a closer look at using an Azure VM if I want to achieve this type of authentication distribution as highlighted in this StackOverflow post.
Update 7 (March 11, 2013 7:30 PM MT):
Well, this sure is proving to be an adventure. After 5 days, numerous emails and phone conversations, the closest I am on getting my tenant either upgraded to Wave 15 from Wave 14 or just simply getting it deleted so I can associate a new tenant with my partner account is being told to contact the partner support group. I did attempt that today. Tried giving them a call at 6:00 PM PT - the referral I got said that their hours were until 6:30 PM PT time - no luck.
Will update again soon.
Update 8 (March 12, 2013 10:10 AM MT):
Success! If you are registering as a Microsoft Partner and did not have a Wave 15 tenant - deal with partner support. I had to end up giving up my original onmicrosoft.com domain, but I also had nothing in my tenant so it didn't really matter to me. If you don't want to give up your onmicrosoft.com domain or you have content that you don't want to lose, you have to wait for the upgrade email.
On to doing what I started!
Update 9 (May 17, 2013 12:30 PM MT):
Well, I have managed to get a Wave 15 tenant all set up (got busy of course and this little initiative has taken a bit of a backseat). I have spent some time researching cloud authentication strategies and I *think* password sync with Azure Active Directory is possible, but only with Windows Server 2012 Essentials. Here is my current evidence for this. Hopefully I have more time in the coming weeks to dig more into this.
On the flip side, I do have DirSync running and only synchronizing a subset of my user accounts (have lots of service accounts that certainly don't need to be in Azure AD). That was fairly easy to set up. Haven't gone for SSO yet due to the high risk of auth failures if my on-prem connection is down. Going to take another look at the VPN options from Azure VMs as well.
- If you're going to integrate Office 365 with your on-premise environment, start here.
- If using Azure Connect to an on-premise DC, be sure to populate the Azure VM's IPv6 DNS address with your on-prem machine's Azure Connect IPv6 address.
- Good introduction to Active Directory On-Premise to Cloud integration options by Keith Mayer can be found here.
- Configure filtering for directory synchronization
- Upgrading SharePoint Online to Wave 15
- Provisioning a Windows Azure Active Directory Tenant as an Identity Provider in an ACS Namespace
- Single Sign On with Windows Azure Active Directory: a Deep Dive
- Azure Networking: http://www.windowsazure.com/en-us/develop/net/fundamentals/networking/#Connect
- Joining a Domain via Azure Connect
Now that SharePoint Conference 2012 is just a couple days away, I am sure everyone is busy selecting all the sessions they are wanting to attend via MySPC. As I was admiring my completed calendar, I began to wonder: how am I going to get this on my phone? I attempted to import it into my corporate Outlook but that was futile as my iTunes is not on my company laptop. Back to the drawing board... What about outlook.com??? Eureka! I can add a public calendar to my Outlook.com! *Update: Gmail instructions follow Outlook.com instructions.
Here's how to do it:
- Log into your MySPC - probably easiest with IE.
- On your Calendar, click Export.
- In the little Do you want to allow... window, Copy the Address value to your clipboard.
- Log into your Outlook.com account and navigate to your calendars.
- Click on the Subscribe link.
- Complete the form:
- Make sure that 'Subscribe to a public calendar' is selected.
- Paste the Url from your clipboard in 'Calendar URL'
- Give this calendar a name. I used MySPC.
- Click 'Subscribe to calendar'
- Now you should have your MySPC calendar connected to your Outlook.com. To sync it with my phone, all I had to do was refresh my calendars associated to my Outlook.com account, but you may have to disconnect and reconnect your calendar sync.
A few things to make note of:
- Pre-req is that you have your Outlook.com account connected to your phone.
- Calendar is read-only - just a one way sync is possible.
- Calendar appears to only refresh every 24 hours in your Outlook.com. This could be problematic if you're changing sessions a lot on the fly, but it's still better than having to carry around a print out.
Gmail: You must be using an Exchange profile on iPhone or ActiveSync on other devices.
To Sync with Gmail:
- Follow steps 1-3 from above.
- Log into your Gmail and open your calendars
- Under Other Calendars, click Add by URL
- Once the calendar is added, you can use the edit menu on it to change the name.
- On your device connected to Gmail by Exchange / ActiveSync, navigate to http://m.google.com/sync (cannot be on a computer).
- Select the device you want to configure.
- Under Shared Calendars, select the calendar you added in Step 3.
- Click Save.
- Now you should have your MySPC calendar connected to your Gmail. To sync it with your phone, try refreshing your calendars associated to your Gmail account, but you may have to disconnect and reconnect your calendar sync.
A few things to make note of:
- Pre-req is that you have your Gmail account connected to your phone.
- Calendar is read-only - just a one way sync is possible.
- Calendar appears to only refresh every 24 hours in your Gmail. This could be problematic if you're changing sessions a lot on the fly, but it's still better than having to carry around a print out.
Happy SharePoint Conference Everyone!!
This will be a collection of articles or tools I find useful when it comes to potential deployment issues in a SharePoint 2010 environment. I'll continually update it as I find new things!
- Certain folders may have to be excluded from antivirus scanning when you use a file-level antivirus program in SharePoint: http://support.microsoft.com/kb/952167
- SharePoint Dispose Checker Tool: http://archive.msdn.microsoft.com/SPDisposeCheck
- Monitoring and Maintaining SharePoint Server 2010: http://technet.microsoft.com/en-us/library/ff758658.aspx
- Designing pages for quicker downloads: http://technet.microsoft.com/en-us/library/hh206324.aspx
- SQL Database '<contentDBName>' on SQL Server instance '<SQLServer>' not found. Additional error information from SQL Server is included below. Cannot open database "<contentDBName>" requested by the login. The login failed. Login failed for user '<excelServicesAppProcessAccount>'.: http://support.microsoft.com/kb/981293
Another month means another CalSPUG meeting! (Web site should be up soon... sorry for the dead link.)
This meeting should be a good one - and a non-developer topic as well. However... most developers should be interested in this!
Keep Your Portal Governance Simple!
Doors open at 5:00pm. Presentation starts at 5:30pm.
*Note: Elevators up will lock at 6:00pm if you arrive late.
Dan McCleary (@DanMcCleary)
Many people seem to dread the word governance. Dread of the amount of work involved. Dread of not knowing how to proceed. Dread of unnecessary bureaucracy. Unfortunately, this hesitance is what kills a lot of good portal governance planning. Yet, if some basic elements are put in place, a model can be built that can be understood by all portal users and is relatively easy to maintain.
Dan McCleary has worked in the internet industry for over 15 years holding many positions including designer, developer, project manager and instructor. Between 2006 and 2010 Dan held the position of Consulting Director at Ideaca, one of Canada's leading IT and Management Consulting companies, in charge of the consulting staff for their largest office. He has recently ventured back into the consulting world, focusing his efforts on portals, collaboration and social media. A goal of his management consulting approach is to provide clarity by striving for simplicity.
Food and drinks provided. SharePint location TBD.
Location & Registration
One of the many problems when developing for SharePoint 2007 is database growth. This can be especially troublesome when your production environment has caching and auditing enabled. Here are some tricks to dealing with the growth.
- Disable Auditing when restoring your production environment in a development environment. This is highly important as the content database can very quickly grow far beyond the capacity of your development server. This does have to be done on a per site collection basis and can be found at _layouts/AuditSettings.aspx in each.
- Dump the tempdb. This is most easily achieved by restarting the offending SQL service in SQL Management Studio.
- Convert the offending database recover mode to Simple.
- Set up a detail maintenance plan and make sure that a Shrink Databases operation is in that plan.
- Trim the audit log. This is done with the trimauditlog stsadm command. An example of its use is "stsadm -o trimauditlog -date 20110930 -url http://localhost:8080". Depending on how out of control the growth is, you may have to run this in small date ranges and then restart SQL after to dump the tempdb (suggestion 2).
- Dump the eventcache history. This suggestion deals directly with the DB which is a no-no in the Microsoft SharePoint world, however this is a development server and if things go sideways a new restore is a very valid option. Here are some queries to help out:
- Use this to figure out which tables are the largest (in terms of number of rows; index_id 0 is a heap and 1 is the clustered index, so index_id < 2 counts each table exactly once):
    SELECT OBJECT_NAME(object_id) AS TableName, st.row_count
    FROM sys.dm_db_partition_stats st
    WHERE index_id < 2
    ORDER BY st.row_count DESC
    GO
- Use this to figure out which event types in the eventcache table have the most occurrences:
    SELECT EventType, COUNT(*) AS Total
    FROM [databasename].[dbo].[EventCache]
    GROUP BY EventType
    ORDER BY Total DESC
    GO
- Use this to clear the offending event types from the eventcache table (source). It deletes in batches of 100,000 rows so a single enormous transaction does not bloat the log:
    WHILE EXISTS (SELECT TOP 1 * FROM eventcache
                  WHERE eventtype IN (8192, 8194, 1048576)
                    AND EventTime < DATEADD(day, -5, GETUTCDATE()))
    BEGIN
        DELETE eventcache
        FROM (SELECT TOP 100000 * FROM eventcache
              WHERE eventtype IN (8192, 8194, 1048576)
                AND EventTime < DATEADD(day, -5, GETUTCDATE())) AS e1
        WHERE eventcache.id = e1.id
    END
    GO
- Shrink the database files themselves. This can be done in SQL Management Studio. Often it's best to set the space just slightly above the suggestion Management Studio gives you.
- Create a batch file that restarts the offending SQL service nightly. This will help manage the growth of your tempdb.
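The development-environment cleanup described above, pulled together into one T-SQL script as an added example (this is not code from the original post). The database name is a placeholder, the five-day retention and batch size are illustrative, and the EventCache event types are the ones the post's own query targets.

```sql
-- Added example: dev/test-only cleanup of a SharePoint 2007 content database.
-- Assumptions: [WSS_Content_Dev] is a placeholder name; retention and batch
-- size are illustrative. Direct edits to a content DB are unsupported by
-- SharePoint, so this is for a disposable restore only (see the post above).
USE [WSS_Content_Dev];
GO

-- 1. Record the recovery model and file sizes before changing anything,
--    so the effect of the cleanup can be measured afterwards.
SELECT name, recovery_model_desc FROM sys.databases WHERE name = DB_NAME();
SELECT name, type_desc, size * 8 / 1024 AS size_mb FROM sys.database_files;

-- 2. SIMPLE recovery truncates the log at each checkpoint instead of letting
--    it grow until the next log backup (the post's "convert to Simple" step).
ALTER DATABASE [WSS_Content_Dev] SET RECOVERY SIMPLE;

-- 3. Largest tables by row count (index_id 0 = heap, 1 = clustered index).
SELECT OBJECT_NAME(object_id) AS TableName, row_count
FROM sys.dm_db_partition_stats
WHERE index_id < 2
ORDER BY row_count DESC;

-- 4. Batched delete of stale EventCache rows: each batch holds locks only
--    briefly and the log never has to carry one giant transaction.
DECLARE @BatchSize int;   SET @BatchSize = 100000;
DECLARE @Cutoff datetime; SET @Cutoff = DATEADD(day, -5, GETUTCDATE());
DECLARE @Deleted int;     SET @Deleted = 1;
DECLARE @Total int;       SET @Total = 0;

WHILE @Deleted > 0
BEGIN
    DELETE TOP (@BatchSize) FROM dbo.EventCache
    WHERE EventType IN (8192, 8194, 1048576)
      AND EventTime < @Cutoff;
    SET @Deleted = @@ROWCOUNT;
    SET @Total = @Total + @Deleted;
    RAISERROR('Deleted %d EventCache rows so far', 0, 1, @Total) WITH NOWAIT;
    CHECKPOINT;               -- under SIMPLE recovery this frees log space
    WAITFOR DELAY '00:00:01'; -- lets other sessions (timer jobs) get the table
END

-- 5. Shrink the log file now that it has been truncated. Replace the logical
--    name with the one reported in step 1; data-file shrinks are left to the
--    maintenance plan mentioned in the post.
DBCC SHRINKFILE (N'WSS_Content_Dev_log', 1024);   -- target size in MB
```

Step 4 replaces the post's WHILE EXISTS / subquery form with DELETE TOP, which does the same batched removal but counts rows via @@ROWCOUNT instead of re-scanning the table on every iteration.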
I recently received a request to hide the 'Category:' text on a List View web part in a MOSS 2007 farm. As I have now had this request a few times and each time have to go figure out how to do it again, I thought that meant it was time for a quick blog post! I found the original source here. It's a great write up, but there are a few enhancements mentioned in the comments that were never incorporated into the script code of the article. So here is the code with the changes incorporated:
Recently I came across the dreaded error below while restoring a production backup into a development / test environment using stsadm.exe -o restore.
"The site collection could not be restored. If this problem persists, please make sure the content databases are available and have sufficient free space."
First a bit of background on the backup package: it was a measly 1.34GB in total size. Not even what I would consider to be medium when it comes to SharePoint site collections. The target environment was 3 servers with one dedicated SQL server (running SQL Server 2008 R2), an app server and WFE (MOSS 2007 build 126.96.36.19929). Database storage volume on the SQL server was 100GB with 80GB free. I thought this should be plenty.
So, when I first ran across the above error I did the simple things:
- Checked the hard disk space on the SQL server - all volumes
- Verified that the target content database was available
- Checked the hard disk space on the remainder of the farm servers
When none of those proved fruitful I did what all SharePoint folks do - consulted Google! I found many interesting suggestions, some of which probably work(ed) in other situations, but failed for me:
- I found stopping / restarting Windows SharePoint Services Timer service & iisreset here
- The not-so-helpful KB926061 article
- Monitoring various disks for growth during the restore from here and this prompted me to look into disk I/O which was ultimately the cause
After watching all my disks (on db, app, and wfe), I decided to start looking into disk I/O on the SQL box. I noted that it was high, with an average disk queue length running around 70, so I decided to flip on SQL Profiler to watch for errors. Lo and behold: Error: 1222, Severity: 16, State: 18 - Database Deadlocks!! And lots of them right before stsadm threw that dreaded error.
Solving the problem was a bit more tricky. My SQL server is virtualized - definitely not recommended for production, but this also wasn't production, with a quarterly user load of about 10. Very difficult to justify a physical box. So, I started shutting down services that would be accessing the DB server during the restore - in particular: search! After that and consolidating the mdf files (there were three because of how production is set up) I was able to complete a restore for the first time in months!
Now on to handing this environment to a db admin to do some performance tuning and to the virtual server team to see if we can find a faster disk for the database drive!
While trying to compact a vhd that had been (unbeknownst to me) generating huge quantities of log files I recently ran across the rather strange "Unable to Compact a VHD Due to a File System Limitation" error:
I found a couple things to try thanks to Google:
- vssadmin delete shadows /all
Once again - a long time since I have posted. Perhaps I should just stop trying to post at a pre-defined frequency and aim for something a bit more natural?
A lot has changed for me over the last several months, especially since starting this blog. One of those things in particular was my decision to move to Calgary, Alberta, Canada. I was previously living in Toronto, Ontario, Canada - and had been for 4 years - but decided it was time to try out a new city. So, I transferred with Ideaca and have taken up residence in the heart of Calgary.
With some of the time I have saved commuting around the Toronto area, I have joined CalSPUG (Calgary SharePoint User Group - www.calspug.org). I must admit, it's very rewarding becoming more involved with the SharePoint community as a whole - but especially on the eve of the release of SharePoint 2010. As such, I would like to highlight, for those in the Calgary area, that we're having our next meeting on April 22, 2010. Jason Kaczor is our presenter and the topic is Use SharePoint 2010 and Visual Studio 2010 to boost Productivity. The meeting will begin sharply at 5:30 PM MDT with a SharePint to follow at the James Joyce (map) at approximately 8:30 PM MDT. Anyone is welcome. It's completely free of charge and pizza and beverages are provided. Registration is available here.
For those of you who are unable to attend Thursday evening's presentation, Jason will also be presenting this topic on April 19, 2010 at 8:30 AM MDT (breakfast provided) as part of Microsoft's DevTech Breakfast and User Group tour.