3/11/2021 BUILDING A HYBRID SHAREPOINT ENVIRONMENT

Paul Papanek Stork, Principal Architect
Author: Developer's Guide to WSS 3.0; MOSS 2007 Best Practices
Blue Chip Consulting Group, http://www.bluechip-llc.com
Microsoft Community Contributor: TechNet Forums, MSDN Forums, Yammer Groups
MCTS: WSS 3.0 Configuration Study Guide (70-631); SharePoint 2010 Development for Office 365
Contact Information: Email: Paul.Stork@bluechip-llc.com; Blog: http://dontPanic.com/blog; Twitter: @PStork
AGENDA
• Why Companies Need Hybrid?
• What is Available in Hybrid
• Models for Hybrid Search
• Federated (Inbound/Outbound) Hybrid Search
• Hybrid Cloud Search Service Application

WHY HYBRID?
• To replace network home shares with "free" storage in OneDrive for Business
• To access on-premises legacy data from the cloud
• To search Exchange Online from on-premises SharePoint
• To move "commodity" workloads to the cloud
• To provide easier external sharing
• To replace third-party file sharing:
  • Non-corporate, like OneDrive and Dropbox
  • Corporate, like Google Docs and Box
• To smooth a lengthy transition to the cloud

WHAT'S AVAILABLE IN HYBRID?
• OneDrive Redirect – redirect all links for OneDrive and profiles to the cloud
• Followed Sites – SharePoint Home for on-premises and O365 followed sites
• Extensible App Launcher – add Office 365 Delve, Video, and custom O365 tiles
• Extranet B2B Sites – configure SharePoint Online sites for extranet business-to-business collaboration with admin-managed partner users
• Auditing (Preview) – get visibility into users' file access activities in your SharePoint 2016 on-premises environment
• Replicated Taxonomy (Preview) – replicate Managed Metadata from the cloud to on-premises
• Search – search cloud and on-premises at the same time

DIFFERENT KINDS OF HYBRID SEARCH
• "Federated" Hybrid Search – original
  • New name for Inbound/Outbound Hybrid Search
  • Inbound Hybrid – search on-premises from O365
  • Outbound Hybrid – search O365 from on-premises
  • Results in two result blocks
• Cloud Hybrid Search – new
  • New Cloud Hybrid Search Service after the February 2016 CU for SharePoint 2013
  • Checkbox when creating a Search Service Application
  • Can be done with two PowerShell scripts:
    • CreateCloudSSA.ps1 – same as the checkbox when creating the SSA
    • Onboard-CloudHybridSearch.ps1 – hooks the Cloud SSA to Office 365

CURRENT HYBRID "FEDERATED" WORKLOADS
• Inbound/Outbound Search
• Redirected on-premises My Sites/User Profiles
• Inbound/Outbound Business Connectivity Services
• Duet Enterprise Online – access SAP on-premises from the cloud
HYBRID "FEDERATED" SEARCH TOPOLOGY

HYBRID CLOUD SEARCH TOPOLOGY

DEMO 1: VIEWING HYBRID RESULTS
"FEDERATED" OUTBOUND: SEARCH THE CLOUD FROM ON-PREMISES

OUTBOUND WALKTHROUGH
Four steps to configure Outbound Hybrid Search:
1. Install infrastructure prerequisites
2. Synchronize identities
3. Establish S2S trust with Azure ACS
4. Configure SharePoint on-premises search

PREREQUISITES
• PowerShell access to SharePoint, O365, and Azure AD (Global/Farm Admin)
• Synchronize identity between AD and Azure AD
• Add corporate DNS domain to Office 365
• Service applications to support security trimming and authentication
• One or more publicly accessible certificate(s)
• Active Directory Federation Services (ADFS) if using the Server 2012 R2 proxy
• On-premises patched to May 2014 CU

INFRASTRUCTURE PREREQUISITES
Required software – installed on the SharePoint server
• Microsoft Online Services Sign-In Assistant
• Azure Active Directory Module for Windows PowerShell
• SharePoint Online Management Shell
Custom domain – normally done by the Identity team
• AD domain name must be added to Office 365 and verified

REQUIRED SERVICE APPLICATIONS
• Outbound (in on-premises)
  • App Management Service
  • Search Service
  • Subscription Settings Service
  • User Profile Service
• Inbound (in O365)
  • Search Service
  • Secure Store
  • User Profile Service

IDENTITY SYNCHRONIZATION
• Normally an Identity Management project
• Several possible methods:
  • DirSync – obsolete
  • Azure AD Connect
  • Forefront Identity Manager (FIM) or Microsoft Identity Manager (MIM)

ESTABLISH S2S TRUST
Uses server-to-server OAuth, like high-trust apps
1. Replace the on-premises STS certificate
  • Self-signed cert – demo or dev
  • Public cert – production
2. Register the on-premises STS as a Service Principal in Office 365
3. Establish a trust between the on-premises farm and Azure ACS
#---- Load the SharePoint, MSOnline and SharePoint Online modules and connect to Office 365
Add-PSSnapin Microsoft.SharePoint.PowerShell
Import-Module Microsoft.PowerShell.Utility
Import-Module MSOnline -Force
Import-Module MSOnlineExtended -Force
Import-Module Microsoft.Online.SharePoint.PowerShell -Force
Enable-PSRemoting
New-PSSession
$Credentials = Get-Credential
Connect-MsolService -Credential $Credentials
$RootDomain = "*.acmeman.com"
$RootSite = "http://hybridsearch02.acmeman.com"
$Site = Get-SPSite $RootSite
# Well-known app principal id of SharePoint Online
$SPOAppId = "00000003-0000-0ff1-ce00-000000000000"
$PFXCertificate = "C:\Install\stscert.pfx"
$CERCertificate = "C:\Install\stscert.cer"
$PFXCertificatePassword = "P@ssw0rd"   # demo value from the slide
$SPOContextId = (Get-MsolCompanyInformation).ObjectId

#---- Setup On-prem STS Cert (replace the farm's STS signing certificate with the PFX)
$STSCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PFXCertificate, $PFXCertificatePassword, 20
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $STSCertificate
# certutil takes a certificate file, so add the exported .cer to the enterprise root store
certutil -addstore -enterprise -f -v root $CERCertificate
iisreset
NET STOP SPTimerV4
NET START SPTimerV4

#---- Convert Cert to BASE64 (the public .cer is what gets registered in Office 365)
$STSCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PFXCertificate, $PFXCertificatePassword
$PFXCertificateBin = $STSCertificate.GetRawCertData()
$Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$Certificate.Import($CERCertificate)
$CERCertificateBin = $Certificate.GetRawCertData()
$CredentialValue = [System.Convert]::ToBase64String($CERCertificateBin)

#---- Add SPO Principal (register the STS public key as a credential on the SPO service principal)
New-MsolServicePrincipalCredential -AppPrincipalId $SPOAppId -Type asymmetric -Usage Verify -Value $CredentialValue `
    -StartDate $Certificate.NotBefore -EndDate $Certificate.NotAfter
$SharePoint = Get-MsolServicePrincipal -AppPrincipalId $SPOAppId
$ServicePrincipalName = $SharePoint.ServicePrincipalNames
$ServicePrincipalName.Add("$SPOAppId/$RootDomain")
Set-MsolServicePrincipal -AppPrincipalId $SPOAppId -ServicePrincipalNames $ServicePrincipalName

#---- Setup On-Prem (register SharePoint Online as an app principal in the on-premises farm)
$SPOContextId = (Get-MsolCompanyInformation).ObjectId
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $SPOContextId + "/metadata/json/1"
$SPOAppPrincipalId = (Get-MsolServicePrincipal -ServicePrincipalName $SPOAppId).ObjectId
$SPONameIdentifier = "$SPOAppPrincipalId@$SPOContextId"
$AppPrincipal = Register-SPAppPrincipal -site $Site.RootWeb -nameIdentifier $SPONameIdentifier -displayName "SPOnline"

#---- Setup Azure ACS (point the farm's realm and trusted token issuer at ACS)
Set-SPAuthenticationRealm -realm $SPOContextId
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint `
    -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"
POTENTIAL ISSUES
• User doesn't have an email address – can't re-hydrate the identity for security trimming
• Can't install the Azure Active Directory Module for Windows PowerShell – change the version build number in the registry until after the install; see http://tinyurl.com/hu5pj9c
• On-premises site is http:// – must allow OAuth over HTTP:
  $STSconfig = Get-SPSecurityTokenServiceConfig
  $STSconfig.AllowMetadataOverHttp = $true
  $STSconfig.AllowOAuthOverHttp = $true
  $STSconfig.Update()
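As an added example that is not part of the deck, the following PowerShell turns the S2S trust prerequisites and the OAuth-over-HTTP workaround above into a pre-flight check to run before the trust script: it loads the PFX (prompting for the password instead of embedding it), verifies that the STS certificate carries a private key, is not self-signed, is not about to expire and is at least 2048 bits, and reports whether the farm already has OAuth or metadata over HTTP enabled. The function name, the 90-day threshold and the sample paths are assumptions.

```powershell
# Added example (not from the deck): pre-flight check for the S2S trust step.
# Assumes the SharePoint snap-in is available on the farm server and that
# $PfxPath points at the STS certificate PFX; the PFX password is prompted.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-HybridStsPrerequisites {
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][string]$SiteUrl,
        [int]$MinDaysValid = 90
    )
    $findings = @()

    # Load the PFX the same way the trust script does, but prompt for the
    # password rather than keeping it in the script.
    $pfxPassword = (Get-Credential -UserName 'pfx' -Message 'PFX password').Password
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $PfxPath, $pfxPassword, $flags

    # The STS signs OAuth tokens with this key, so the private key must be present.
    if (-not $cert.HasPrivateKey) { $findings += 'PFX contains no private key' }
    # The deck allows a self-signed cert only for demo or dev farms.
    if ($cert.Subject -eq $cert.Issuer) { $findings += 'Certificate is self-signed (demo/dev only)' }
    if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) {
        $findings += "Certificate expires $($cert.NotAfter) (less than $MinDaysValid days left)"
    }
    if ($cert.PublicKey.Key.KeySize -lt 2048) {
        $findings += "Key size $($cert.PublicKey.Key.KeySize) is below 2048 bits"
    }

    # An http:// site forces AllowOAuthOverHttp, which moves bearer tokens in clear text.
    if ($SiteUrl -notmatch '^https://') {
        $findings += "Site $SiteUrl is not HTTPS; OAuth over HTTP would be required"
    }
    $sts = Get-SPSecurityTokenServiceConfig
    if ($sts.AllowOAuthOverHttp)    { $findings += 'AllowOAuthOverHttp is already enabled' }
    if ($sts.AllowMetadataOverHttp) { $findings += 'AllowMetadataOverHttp is already enabled' }

    return $findings
}

# Sample invocation with the deck's demo paths and site (constructed values).
$issues = Test-HybridStsPrerequisites -PfxPath 'C:\Install\stscert.pfx' -SiteUrl 'http://hybridsearch02.acmeman.com'
if ($issues.Count -eq 0) { 'No findings; proceed with the S2S trust steps.' } else { $issues }
```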
CONFIGURE ON-PREMISES SEARCH
• Create a custom Result Source
  • Protocol = Remote SharePoint
  • Remote Service URL = address of the published site on the reverse proxy
  • Credentials = Default Authentication
• Create a Query Rule with a promoted Result Block
  • Context = All Sources
  • Result Block – add above other results

DEMO 2: CONFIGURE OUTBOUND SEARCH

"FEDERATED" INBOUND: SEARCH ON-PREMISES FROM THE CLOUD

INBOUND WALKTHROUGH
Three steps to configure Inbound Hybrid Search:
1. Install a reverse proxy
2. Configure Secure Store
3. Configure SharePoint Online search

SUPPORTED REVERSE PROXIES
• Forefront Threat Management Gateway – obsolete
• Windows Server 2012 R2 Web Application Proxy – free; requires an ADFS server
• F5 Reverse Proxy Server
• Cisco Reverse Proxy Server
#Configure Server 2012 R2 - WAP
$ExternalUrl = "https://shpt.acmeman.com"
$BackendUrl = "https://shpt.acmeman.com"
$PFXCertificate = "C:\Install\stscert.pfx"
#Get the thumbprint of the external URL certificate
$externalcert = Get-PfxCertificate -FilePath $PFXCertificate
#Get the thumbprint of the client pre-authentication certificate
#(the demo reuses the same PFX for both; in practice these are usually two different certificates)
$clientcert = Get-PfxCertificate -FilePath $PFXCertificate
#Publish the on-premises site with client-certificate pre-authentication
Add-WebApplicationProxyApplication -Name "Hybrid Inbound Rule" -BackendServerUrl $BackendUrl `
    -ExternalUrl $ExternalUrl -ExternalCertificateThumbprint $externalcert.Thumbprint `
    -ExternalPreauthentication "ClientCertificate" -ClientCertificatePreauthenticationThumbprint $clientcert.Thumbprint
SECURE STORE
• Group Target Application
• Two fields: Certificate, Password
• Members: everyone who will use Search

CONFIGURE ONLINE SEARCH
Almost the same configuration as on-premises
• Create a custom Result Source
  • Protocol = Remote SharePoint
  • Remote Service URL = address of the published site on the reverse proxy
  • Credentials = SSO Id set to the App Id in Secure Store
• Create a Query Rule with a promoted Result Block
  • Context = All Sources
  • Result Block – add above other results

DEMO 3: CONFIGURE INBOUND SEARCH

HYBRID CLOUD SEARCH SERVICE: A UNIFIED SEARCH EXPERIENCE

CLOUD SEARCH SERVICE APPLICATION
• Crawl and parse on-premises content, then process and index it in Office 365
• Content is encrypted while in transit from the on-premises crawler through to the content processing stages in Office 365
• Search results from both on-premises and Office 365 content
• Crawling configuration, including the Search service application, content sources, crawl rules etc., is carried out in the on-premises environment
• Modifications to search experiences, for example search schema changes, are performed at the Office 365 level
GETTING STARTED WITH CLOUD SEARCH
Mandatory configuration steps:
1. Sync users and groups to Azure AD
2. Create the Cloud Search Service Application (on-premises)
3. Install onboarding prerequisites
4. Execute the onboarding script
5. Create on-premises content sources
6. Configure outbound query federation
7. Configure the SharePoint Online search vertical

  # Create the SSA with the cloud index flag set, then confirm it
  New-SPEnterpriseSearchServiceApplication -Name "Cloud Search Service" -ApplicationPool "Cloud Search App Pool" -DatabaseServer "SomeDBAlias" -CloudIndex $true
  (Get-SPEnterpriseSearchServiceApplication).CloudIndex
  True
HYBRID SITES AND ONEDRIVE: THE TOTAL EXPERIENCE

HYBRID PICKER OVERVIEW
• Enables quick and easy server-to-server trust for hybrid scenarios
• Requires Global Administrator rights in Office 365 and Farm Administrator rights in the on-premises SharePoint farm
• Must be run from an on-premises SharePoint server
• Invokes the "click to run" installer
• Takes about 5 minutes
• Doesn't configure the Hybrid Search workload

SO HOW DO I PICK HYBRIDS?

RUNNING THE HYBRID PICKER

ENABLING THE HYBRID APP LAUNCHER
• Requires July 2016 CU
• Install and enable the hidden feature with PowerShell:
  Install-SPFeature SuiteNav
  Enable-SPFeature SuiteNav -Url <SiteCollectionURL>

DEMO 4: HYBRID SITES, ONEDRIVE, & APP LAUNCHER

ADDITIONAL RESOURCES
• Bill Baer eBook: http://hybrid.office.com/img/SharePoint_Book_2016.pdf
• Full Walkthrough: http://tinyurl.com/HybridHowTo
• Hybrid Picker Article: http://tinyurl.com/hybridPicker
• Plan SharePoint Server 2013 hybrid: http://tinyurl.com/hybridRoadmap
• Hybrid Resources Center: http://hybrid.office.com/

CONTACT INFORMATION
Email: Paul.Stork@bluechip-llc.com
Blog: http://dontPanic.com/blog
Twitter: @PStork