Tag Archives: local policy

SharePoint Search Content Source Crawl Log Access Denied

I ran into the following issue when setting up a SharePoint 2013 Search Service Application.

Whenever I started a full crawl of my content sources, after a certain time (usually the next day) the Content Sources page and the Crawl Log would return "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))".

Checking the Application Log on the search instance server, you can see the following error:

The Execute method of job definition Microsoft.Office.Server.Search.Administration.IndexingScheduleJobDefinition (ID e611e95c-dc0a-40ee-a3a3-c58f2099c2d1) threw an exception. More information is included below.

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Event ID 6398

Next, go to the Central Administration page > Timer Jobs to look for the respective timer job.

I found that "Indexing Schedule Manager on xxxServerNamexxx" was failing miserably, every 5 minutes.

It turned out that other users had hit this issue before, and it has to do with the permissions on the TASKS folder in C:\WINDOWS.

In case you do not know the history of your domain GPO: this particular folder was previously a target of the Conficker worm. Refer here. Microsoft recommended changing the permissions on this folder, which conflicts with the requirements of the SharePoint Search Service.

If you are interested in checking your own GPO settings, simply run "rsop.msc" from the Run command on your server; you should see the setting as shown below.

 

Workaround

To solve the issue, you have to get your AD GPO team to exclude your SharePoint servers from this setting, explicitly for this requirement; otherwise your search cannot crawl.

As a temporary solution, change the Owner of the TASKS folder and grant WSS_WPG at least "Read" and "Write" access.
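The temporary workaround as a script, added here as an example and not part of the original post: the first function audits the ACL on C:\Windows\Tasks for the WSS_WPG Read/Write ACE (handy to compare against what rsop.msc shows), the second adds it. It assumes an elevated PowerShell on the SharePoint server, where WSS_WPG is the local group SharePoint creates, and that you have already taken ownership of the folder as the post says.

```powershell
# Added example (not from the original post): audit C:\Windows\Tasks for the access the
# workaround needs (WSS_WPG with at least Read and Write) and, on request, add that ACE.
# Assumes it runs elevated on the SharePoint server; WSS_WPG is SharePoint's local group.
function Test-TasksFolderAccess {
    param(
        [string]$Path      = "$env:windir\Tasks",
        [string]$Principal = 'WSS_WPG'
    )
    $acl    = Get-Acl -Path $Path
    $needed = [int]([System.Security.AccessControl.FileSystemRights]'Read, Write')
    # An Allow ACE for the group whose rights include every bit of Read and Write
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$Principal" -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $needed) -eq $needed)
    }
    New-Object PSObject -Property @{
        Path         = $Path
        Owner        = $acl.Owner
        HasReadWrite = [bool]$match
        # Flattened view of the current ACL, for comparison with the GPO shown by rsop.msc
        Rules        = ($acl.Access | ForEach-Object {
                           "{0}:{1}:{2}" -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights })
    }
}

function Grant-TasksFolderAccess {
    # Temporary fix from the post. The caller must first take ownership of the folder,
    # otherwise Set-Acl fails on the locked-down ACL that the Conficker GPO applied.
    param(
        [string]$Path      = "$env:windir\Tasks",
        [string]$Principal = 'WSS_WPG'
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, 'Read, Write', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Test-TasksFolderAccess -Path $Path -Principal $Principal
}
```

Run Test-TasksFolderAccess again after the GPO refreshes; if HasReadWrite flips back to False, the policy is still being re-applied and the permanent fix (the GPO exclusion) is still outstanding.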

Fingers crossed.

How to check my CPU Temperature using PowerShell Remotely

I thought it would be helpful to share how to remotely check your computer's temperature, especially when you have a computer at home and you want to track whether it is running HOT, just in case you don't want to burn your computer, for whatever reason.

Well, the steps below show you how to do that! Make sure your client machine (the one you are using) has PowerShell version 2.0 or above (most Windows versions nowadays have it already). Just do a search in your program menu and you should see it.

  1. First of all, ensure your target computer (the one sitting at home that you want to check) has its firewall turned off (not recommended). Alternatively, set exception rules for WMI.
    Very briefly, open "wf.msc" (Windows Firewall) on the target computer and enable the Inbound Rule "Windows Management Instrumentation (WMI-In)" for Profile: Domain.
    See detailed steps here
  2. Once the firewall is cleared, make sure you have a local administrator account that can query the CPU temperature on the target computer (this one is simple). Fire up "lusrmgr.msc" in the Run command.
    Check the "Administrators" group and make sure your account is a member.
  3. In order to remotely check your computer temperature, you must have connectivity to your target computer. There are many ways to get that connectivity; of what I know, the three below should be enough to fulfil the task.
    1. The one I always like to use is TeamViewer. With it, you can easily establish a VPN or remotely log in to run the script mentioned in Step 4 (without specifying -ComputerName and -Credential).
      Make sure that when you install TeamViewer, you have the VPN driver installation option ticked.
    2. Allow RDP to your target computer from a public IP. In this option, you need to configure your home router to forward port 3389 to your target computer. Go to your router admin page (usually 192.168.0.1 or 192.168.1.1, depending on your subnet) and configure port forwarding to your private IP.
      In this way, you will be doing the same steps as option 1; the only difference is that you remotely access your home computer and run the script directly on the target computer (again, without specifying the -ComputerName and -Credential parameters in step 4).
    3. Option 3 is the most complete one, if you want to learn a little more about WMI. In this option, you forward the DCOM port (135) and a fixed WMI port (24158) to your remote computer (which is accessible via a public IP, as in option 2). Refer here for how to fix the WMI port. The screenshot showed how I configured WMI to a fixed port (please pardon the typo).
      At the end of the day, your target computer must be accessible via the DCOM port and the WMI port from the public IP.
  4. Open PowerShell with Administrator rights and run the following PS command:

    Get-WmiObject MSAcpi_ThermalZoneTemperature -Namespace "root/wmi" -ComputerName "<IP of your target computer>" -Credential (Get-Credential)

    You will be prompted for credentials; use the account with administrator rights mentioned in step 2 above.
  5. You should expect a response like the screen below.
  6. Look for "CurrentTemperature"; the value is in Celsius.
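The step 4 query wrapped into a reusable function, added here as an example and not part of the original post. One caveat worth knowing: WMI reports CurrentTemperature (and CriticalTripPoint) in tenths of a kelvin, so the helper converts to degrees Celsius and returns one row per thermal zone. It assumes the firewall exposure and the local administrator account from steps 1 to 3, and -Credential is omitted when querying the local machine (WMI rejects it there), which covers the TeamViewer and RDP options.

```powershell
# Added example (not from the original post): wraps the Get-WmiObject query from step 4.
# WMI reports CurrentTemperature in tenths of a kelvin; the helper converts to Celsius.
# Assumes the WMI firewall rule and the administrator account set up in steps 1-3.
function Get-RemoteCpuTemperature {
    param(
        # Leave at the default when you run this directly on the target (TeamViewer/RDP options)
        [string]$ComputerName = $env:COMPUTERNAME,
        [System.Management.Automation.PSCredential]$Credential
    )
    $params = @{
        Class        = 'MSAcpi_ThermalZoneTemperature'
        Namespace    = 'root/wmi'
        ComputerName = $ComputerName
    }
    # Get-WmiObject refuses -Credential against the local machine, so only pass it when given
    if ($Credential) { $params['Credential'] = $Credential }

    Get-WmiObject @params | ForEach-Object {
        # Tenths of a kelvin -> degrees Celsius
        New-Object PSObject -Property @{
            Computer  = $ComputerName
            Zone      = $_.InstanceName
            Celsius   = [math]::Round(($_.CurrentTemperature / 10) - 273.15, 1)
            CriticalC = [math]::Round(($_.CriticalTripPoint / 10) - 273.15, 1)
        }
    }
}

# From the client machine (option 3): prompts for the target's local administrator account
# Get-RemoteCpuTemperature -ComputerName '<IP of your target computer>' -Credential (Get-Credential)
```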

How to enable Remote Desktop for your Computer/Server

To most of the IT guys out there, this is quite a common thing that you may have bumped into, and believe me, sometimes you think you have done it right and still cannot get it working.

Let me note down all the steps you need to do in order to allow RDP to your server (from a machine within the same network).

Most people already know steps 1 and 2. What is often missing, and what you may not know about, is step 3 (the firewall!).


Photo credits to www.clker.com

Step 1: Allow remote connections to this computer and grant login for RDP

  1. Open Run, enter "sysdm.cpl" and click the "Remote" tab.
    Alternatively, go to Explorer (Windows + E), right-click anywhere, select Properties and click "Remote Settings" in the left panel.
  2. You should see the System Properties panel as shown below.
  3. Check "Allow remote connections to this computer". Refer here for the option "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)".
  4. Click "Select Users" and add any users that you want to allow to connect remotely. If it is for your own use, you may just leave this empty. In a scenario where you need to allow multiple users to access your computer with different accounts, you need to create local users and add them here. In the even more common scenario where your computer/server is joined to a domain, you can add domain user accounts here for remote access.

Step 2: Security Policy

  1. At times, your server may need to join a domain. Some domain policies harden all domain servers by configuring the security policy. In this case, check your local security policy and see whether "Allow log on through Remote Desktop Services" includes the login you are going to use. For simplicity, unless otherwise required, use the Administrators group, which is granted permission to RDP by default.
  2. To check, open Run and fire up "secpol.msc".
  3. Navigate the left panel to "Security Settings" > "Local Policies" > "User Rights Assignment".
  4. Look for "Allow log on through Remote Desktop Services" and see if your remote login is in this value. If not, "Please contact your server administrator" lol!

 

Step 3: Firewall!

  1. Open Run and enter "wf.msc" (shortcut to Windows Firewall).
  2. Click "Inbound Rules" in the left panel.
  3. Look for "Remote Desktop – User Mode (TCP-In)" and "Remote Desktop – User Mode (UDP-In)" and make sure they are both enabled. If not, right-click each and hit "Enable Rule".

 

Once the steps above are done, open Remote Desktop Connection program (or “mstsc” in RUN), specify the computer/server IP and start RDP!
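A readiness check for the three steps above, added here as an example and not part of the original post: it reads the "Allow remote connections" and NLA registry values (step 1), exports the user-rights assignment to see who holds "Allow log on through Remote Desktop Services" (step 2), and inspects the two "Remote Desktop – User Mode" inbound rules (step 3). It assumes an elevated PowerShell on the target machine running Windows 8 / Server 2012 or later, which is where Get-NetFirewallRule is available.

```powershell
# Added example (not from the original post): verifies steps 1-3 from an elevated prompt on
# the target. Get-NetFirewallRule needs Windows 8 / Server 2012+; the registry values and the
# secedit export also exist on older versions.
function Test-RdpReadiness {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Step 1: "Allow remote connections to this computer" sets fDenyTSConnections to 0;
    # UserAuthentication = 1 is the "Network Level Authentication (recommended)" option.
    $fDeny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    $nla   = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication

    # Step 2: "Allow log on through Remote Desktop Services" is SeRemoteInteractiveLogonRight.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' } |
            Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    $grantees = @()
    if ($line) {
        foreach ($entry in (($line -split '=')[1].Trim() -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # secedit writes principals as *SID; resolve to DOMAIN\Name where possible
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                    $grantees += $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $grantees += $entry }
            } else { $grantees += $entry }
        }
    }

    # Step 3: both "Remote Desktop - User Mode" inbound rules must be enabled.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
               Where-Object { $_.DisplayName -like 'Remote Desktop - User Mode*' })
    $disabled = @($rules | Where-Object { "$($_.Enabled)" -ne 'True' })

    New-Object PSObject -Property @{
        RemoteConnectionsAllowed = ($fDeny -eq 0)
        NetworkLevelAuthRequired = ($nla -eq 1)
        RdpLogonRightGrantedTo   = $grantees
        FirewallRules            = ($rules | ForEach-Object { "{0}: {1}" -f $_.DisplayName, $_.Enabled })
        Ready = ($fDeny -eq 0) -and ($grantees.Count -gt 0) -and ($rules.Count -eq 2) -and ($disabled.Count -eq 0)
    }
}
```

Ready is only a local view: if RdpLogonRightGrantedTo lists the Administrators group but your account is not a member, or the domain GPO re-applies a different list, you still end up at step 2's "contact your server administrator".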

 

Setting up a Single-box SharePoint 2013 Virtual Machine.

First things first, below are the files you need in order to set up your own SP2013 environment:
VMware Workstation 9 – here
SharePoint 2013 – here
SQL 2012 – here
Windows 2012 Server – here
Visual Studio 2012 – here
Here we go.

VMWare Workstation

  1. Install VMware Workstation on your local PC. Ensure that your local PC has at least 8 GB of RAM; you will need to allocate some of it to your 2012 server later.
  2. Once the Workstation installation is complete (I will not go through how to install the software, as it is simple), create a "New Virtual Machine", choose Typical installation and PLEASE select the option "I will install the operating system later", or you will encounter an error later. Then click Next until the VM files are created in your documents folder "Documents\Virtual Machines\Windows Server 2012".
  3. Before powering on your VM, map your Windows Server 2012 ISO file so it boots and installs.

Windows Server 2012

  1. There is nothing much critical to explain here. Just follow the setup wizard.
  2. Once completed, you will be asked to enter the administrator password bla bla bla.
  3. Remember to rename your Windows computer name to something meaningful.. NOT something like win-is2xx92243d, which makes no sense at all. To configure this, go to Server Manager > Local Server > click Computer Name > Change > rename your server and click OK.
  4. Restart your computer.
  5. Next, it is always good to set your server's IP address. This is not actually required for a single-box setup, but good to learn? =)
  6. Next is to set up Active Directory Domain Services (AD DS); this is required so you can create the service accounts for SharePoint and SQL later on. Note! dcpromo.exe is deprecated in Windows 2012. Sadly.
  7. Kindly go to Server Manager > Dashboard > Add Roles and Features.
  8. Select Role-based or feature-based installation.
  9. Select your server from the Server Pool list and click "Next".
  10. Check the "Active Directory Domain Services" check box; a prompt will be displayed. Click "Add Features".
  11. Now, click NEXT all the way down until the installation is completed.

Promote Windows 2012 to a Domain Controller

  1. Once AD DS is added to your Server 2012, you have to promote the server to a domain controller.
  2. In Server Manager, you may notice an Alert icon. Click on it and then click "Promote this server to a domain controller".
  3. In the "Active Directory Domain Services Configuration Wizard", select "Add a new forest" and put in your favourite name.
  4. Click Next, leave the rest at default and specify your DSRM password.
  5. Click Next all the way down until you see the "Install" button. Kindly ignore the warning messages. Click Install. Reboot, and you are done with the DC promotion.

Service Account

  1. Now that your DC is up, you need a FEW accounts to set up your SharePoint 2013 environment. Note that I did not say how many accounts are required, because ultimately it depends on how segregated you want your farm to be. For a single-box, less error-prone solution, you may only need 3 accounts:
    1. Setup user account
    2. Server farm account or database access account
    3. SQL Server service account
  2. Refer here and here for the detailed account requirements.
  3. Open Run (Windows + R) and enter "dsa.msc" to open Active Directory Users and Computers.
  4. Right-click your domain and add a new OU (it is my usual practice to park my SP accounts in an OU).
  5. Add those 3 accounts.

SQL 2012

  1. Map your "SQLServer2012SP1-FullSlipstream-ENU-x64.iso" file to the VM.
  2. Run the ISO in your VM, select the Installation tab on the left and click "New SQL Server stand-alone installation or add features to an existing installation".
  3. Click OK after the Setup Support Rules check completes, enter your product key (if you don't have one, use Evaluation =D) and click OK. Include SQL Product Updates. Click OK~ These are pretty boring.
  4. Next, select the Role Mode. For evaluation purposes, I selected All Features With Defaults.
  5. Name your SQL instance.
  6. Specify your service accounts. In my case, I used the "SQL Server service account" that I created previously.
  7. Specify the Admin Account using the same SQL Server service account. (Well, this is for evaluation; you can still opt to use another account.)
  8. Analysis Services Configuration – specify the same service account.
  9. Distributed Replay Controller – specify the same service account and your server name as the Controller Name.
  10. Click NEXT, NEXT, NEXT to install.. go get a coffee and come back after 30 mins…
  11. OK~ The next thing is to set up the SharePoint Setup Account permissions. Based on the article here, you have to grant the account (in my case "spsetup") the DBCreator and SecurityAdmin server roles.
  12. At this time, your server only allows Windows Authentication to the Database Engine. Grant the SQLService account Local Administrator rights temporarily, log off and switch to this account.
  13. Open SQL Server Management Studio, log in via Windows Authentication, right-click the "Logins" node and choose "New Login".
  14. Select the SharePoint Setup Account "spsetup" and go to Server Roles. Check the two server roles "dbcreator" and "securityadmin".
  15. Click OK to proceed.
  16. For SharePoint 2013 there is one additional step: change Max Degree of Parallelism to 1. Right-click the Database Engine, select Properties and, under the Advanced page, change the value to 1.
  17. Click OK to proceed. Once this is completed, you may switch back to the SharePoint Setup Account (via Alt + Del + Insert). Note: remove the SQLService account from the local Administrators group once you are done setting up the permissions.
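The SQL permission and MAXDOP steps above, scripted instead of clicked through in Management Studio. This is an added example and not part of the original post: it assumes the SQLPS module that ships with SQL 2012 and a Windows login that is sysadmin on the instance; 'AHCHENG\spsetup' and the instance name are placeholders taken from this walkthrough. It reads the role memberships and the effective MAXDOP back so the result can be verified.

```powershell
# Added example (not from the original post): grants the SharePoint setup account the
# dbcreator and securityadmin server roles and sets "max degree of parallelism" to 1,
# then reads both back. Assumes the SQLPS module (SQL 2012) and a sysadmin Windows login.
# 'AHCHENG\spsetup' and the instance name are placeholders from this post.
Push-Location
Import-Module SQLPS -DisableNameChecking   # the import changes the current location, hence Push/Pop
Pop-Location

function Set-SharePointSqlPrerequisites {
    param(
        [string]$ServerInstance = 'localhost',
        [string]$SetupAccount   = 'AHCHENG\spsetup'
    )
    # ALTER SERVER ROLE ... ADD MEMBER is the SQL 2012 replacement for sp_addsrvrolemember
    $configure = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$SetupAccount')
    CREATE LOGIN [$SetupAccount] FROM WINDOWS;
ALTER SERVER ROLE dbcreator     ADD MEMBER [$SetupAccount];
ALTER SERVER ROLE securityadmin ADD MEMBER [$SetupAccount];
EXEC sp_configure 'show advanced options', 1;      RECONFIGURE;
EXEC sp_configure 'max degree of parallelism', 1;  RECONFIGURE;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $configure

    # Read back the role memberships and the effective MAXDOP so the caller can verify them
    $verify = @"
SELECT r.name AS item, m.name AS value
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$SetupAccount'
UNION ALL
SELECT name, CAST(value_in_use AS nvarchar(10))
FROM sys.configurations WHERE name = N'max degree of parallelism';
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $verify
}

# Set-SharePointSqlPrerequisites -ServerInstance 'localhost' -SetupAccount 'AHCHENG\spsetup'
```

Running it as the setup account itself would fail at the CREATE LOGIN and ALTER SERVER ROLE statements, which is exactly why the post switches to the SQL service account for this part.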

SharePoint 2013

  1. Map your SP2013 ISO file to your virtual machine (if you haven't already).
  2. Go into your VM and install the SP2013 prerequisites. The next few steps are for an offline prerequisite installation.
  3. Run PowerShell with Administrator rights. Ensure you have executed the following command first: Set-ExecutionPolicy RemoteSigned
  4. Run the following commands. Make sure the path is where you store the prerequisite files. Also, copy "prerequisiteinstaller.exe" from your SP2013 ISO to the same folder where your script is located.
    $SharePoint2013Path = "C:\Prerequisite"
    Start-Process "$SharePoint2013Path\PrerequisiteInstaller.exe" -ArgumentList "/SQLNCli:$SharePoint2013Path\PrerequisiteInstallerFiles\sqlncli.msi /IDFX:$SharePoint2013Path\PrerequisiteInstallerFiles\Windows6.1-KB974405-x64.msu /IDFX11:$SharePoint2013Path\PrerequisiteInstallerFiles\MicrosoftIdentityExtensions-64.msi /Sync:$SharePoint2013Path\PrerequisiteInstallerFiles\Synchronization.msi /AppFabric:$SharePoint2013Path\PrerequisiteInstallerFiles\WindowsServerAppFabricSetup_x64.exe /KB2671763:$SharePoint2013Path\PrerequisiteInstallerFiles\AppFabric1.1-RTM-KB2671763-x64-ENU.exe /MSIPCClient:$SharePoint2013Path\PrerequisiteInstallerFiles\setup_msipc_x64.msi /WCFDataServices:$SharePoint2013Path\PrerequisiteInstallerFiles\WcfDataServices.exe"
  5. After running the script, I encountered the following error: "The tool was unable to install Application Server Role, Web Server (IIS) Role".
  6. After 2 rounds of rebooting, the prerequisite installation was finally done.
  7. Open the SharePoint installer splash screen and hit "Install SharePoint Server".
  8. Put in the Evaluation Product Key: NQTMW-K63MQ-39G6H-B2CH9-FRDWJ
  9. Click Next until the installation is completed (yawn..)
  10. Once the installation is completed, leave the check box "Run SharePoint Products Configuration Wizard" at its default. Close the installation wizard.
  11. In the SharePoint Products Configuration Wizard, click Next.
  12. The system will prompt you to stop 3 services (IIS, SP Admin Service, SP Timer Service); click Yes to continue.
  13. Select "Create a new server farm" and click OK.
  14. At this point, you may want to set up an ALIAS for the SQL connection (good practice!).
  15. Fire up "Run" and enter "cliconfg".
  16. Under the Alias tab, enter "sql" as the name, select "TCP/IP" and enter your SQL server name (basically the same server, since we are setting up a single-box server).
  17. Click OK and exit CliConfg.
  18. Back in the SharePoint Products Configuration Wizard, enter the ALIAS you just created as the SQL server name.
  19. Next, specify the login ID of the "Server farm account or database access account" created earlier (in my case "spfarm").
  20. Specify the passphrase and click Next.
  21. Specify the Central Admin port number and the authentication mode. Use NTLM for simplicity.
  22. Click Next to start configuring. Again, you can go get a drink and come back in about 20 mins.
  23. Tada~
  24. If you open Task Manager, you will notice a new Windows service running, "AppFabric Service", which takes 300++ MB of RAM. You may reduce its RAM usage to make room for other services. Refer here on how to reduce the AppFabric memory usage.
  25. Once you close the Products Configuration Wizard, IE will be fired up to perform the farm configuration. Select all services if you like. You may also use a separate service account for the services you intend to add. I would not recommend turning on the Search Service Application, as this will take up A LOT OF YOUR MEMORY!!!! Do it only if you have a lot of RAM in your VM host.
  26. The configuration may take quite some time. It happened to me before that it got stuck forever. In case the screen doesn't refresh or whatsoever, try to open Central Admin again. The services will still be created in the backend.


Create Site Collection

  1. Once Central Admin is done, you may proceed to create a Site Collection for your primary Web Application – 80.
  2. Click on "Create Site Collection" under the Application Management tab.
  3. Ensure the Web Application is selected correctly. Put in the Name and select your Site Template.
  4. Specify the Primary Site Collection Administrator – AHCHENG\spsetup.
  5. Click OK!!! and Welcome to SharePoint 2013!

 

Note: If Newsfeed or My Site shows the "We're almost ready!" error, kindly check here to add your server to the cache cluster.

FAST Search for SharePoint – First Search Slow

Problem

The first search after the system has been idle for a while takes a very long time to return results. This happens not only after an IISReset (of course IISRESET does cause this, but that is not my case); subsequent searches are much faster. It happens after the server has been idle for a certain period (which I do not know; hopefully an expert can enlighten me on this =). The event "Windows tried to retrieve a current list of root certificates to verify the validity of the certificate with updated information" gives the hint: apparently, based on this KB, the problem arises from the verification of the SharePoint root certificate (SPCertificateValidator.Validate).

Resolution

Refer to the KB for the steps. I should not duplicate its content, as that is not the point here. My point is to compare the two approaches.

My recommendation is to follow Step 1, which is to manually add the SharePoint Root Certificate to the Trusted Root Certification Authorities store on your SharePoint servers.

Why? Adding the root certificate helps the performance of your SharePoint application in any case. For an intranet application, the web server often has no access to the Internet (don't be surprised!). What you get is just a connection failure, and mind that the request has to time out first, which halts and slows down your application.

Why not Step 2, disabling the automatic update of root certificates on the SharePoint servers? This step requires you to edit the local policy setting, and you may need to submit a request for such a modification (for audit purposes). If your SharePoint server is joined to an existing domain, the policy is pushed down by AD, which adds more difficulty in requesting a change to the existing policy setting. My sincere two cents from a vendor's point of view.
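Step 1 as a script, added here as an example and not part of the original post or the KB: it pulls the farm's root certificate from the SharePoint object model and places it in the local machine's Trusted Root Certification Authorities store, skipping the add if the thumbprint is already there. It assumes the SharePoint Management Shell snap-in on a farm server, run elevated, and has to be repeated on every server in the farm.

```powershell
# Added example (not from the original post): implements "Step 1", trusting the SharePoint
# Root Authority certificate locally so SPCertificateValidator.Validate does not wait on an
# Internet root-certificate update. Run elevated on each SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Install-SharePointRootCertificate {
    $root  = (Get-SPCertificateAuthority).RootCertificate
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try {
        # Match on thumbprint so re-running on the same server is a no-op
        $found = $store.Certificates.Find('FindByThumbprint', $root.Thumbprint, $false)
        $alreadyTrusted = ($found.Count -gt 0)
        if (-not $alreadyTrusted) { $store.Add($root) }
    } finally {
        $store.Close()
    }
    New-Object PSObject -Property @{
        Subject        = $root.Subject
        Thumbprint     = $root.Thumbprint
        NotAfter       = $root.NotAfter
        AlreadyTrusted = $alreadyTrusted
    }
}

Install-SharePointRootCertificate
```

Because this is a store change rather than a policy change, it also sidesteps the GPO request the post describes under Step 2.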

NTLM Authentication Failed Despite Login ID and Password Being Correct

NTLM (NT LAN Manager) is an authentication protocol provided by Microsoft [check NTLM - Wikipedia for details]. Though it is no longer recommended by Microsoft, some corporates still use this authentication protocol for intranet systems.

This issue arose when a hardened server (Windows 2003 in my case) tried to establish NTLM authentication to a web front-end server running a SharePoint application (Windows 2008 R2). The standard NTLM prompt for login and password appeared. However, upon entering the correct login ID and password, the authentication was rejected. Further attempts led to a blank screen with no ERROR message (which is what IIS usually returns).

Checking the Local Security Policy, it was found that the following setting, Network Security: LAN Manager authentication level, was set to "Send LM & NTLM – use NTLMv2 session security if negotiated".

Set it to "Send NTLMv2 response only/refuse LM".

and the authentication is now WORKING!
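The policy above lives in the registry as LmCompatibilityLevel, so both ends of a failing NTLM exchange can be audited without opening secpol.msc. This is an added example and not part of the original post: the first function reads the value (locally or via the remote registry service) and maps it to the wording shown in the policy editor, the second applies the level the post settled on.

```powershell
# Added example (not from the original post): reads the registry value behind
# "Network security: LAN Manager authentication level" and maps it to the secpol.msc wording.
# -ComputerName uses the remote registry service; the local machine is the default.
function Get-LmAuthenticationLevel {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $names = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }
    $hive  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key   = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
    $level = $key.GetValue('LmCompatibilityLevel')   # $null when the policy is "Not Defined"
    $key.Close(); $hive.Close()

    # With no explicit value the OS default applies: 2 on Windows Server 2003, 3 on Windows 7 / 2008 R2
    if ($level -ne $null) { $policy = $names[[int]$level] } else { $policy = 'Not Defined (OS default)' }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Level        = $level
        Policy       = $policy
        SendsLM      = ($level -ne $null -and [int]$level -le 1)   # levels 0-1 still send LM hashes
    }
}

function Set-LmAuthenticationLevel {
    # Applies the value the post settled on (4). Run elevated; affects new logons.
    param([ValidateRange(0, 5)][int]$Level = 4)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name LmCompatibilityLevel -Value $Level -Type DWord
    Get-LmAuthenticationLevel
}
```

If the value is pushed by a domain GPO, Set-LmAuthenticationLevel will be reverted at the next policy refresh; Get-LmAuthenticationLevel run afterwards shows whether that happened.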