SpinPlate » PlateSpinner

Antivirus Exclusions for SharePoint 2010 and SQL Server 2008 R2

PlateSpinner — Thu, 16 Feb 2012 16:21:15 +0000

This comes up all of the time for me and it is high time that I created a single place for me to see every antivirus exclusion that is necessary for production SharePoint 2010 and SQL 2008 R2 servers to run efficiently. If you don’t configure antivirus exclusions on your servers you can expect to see performance problems and mysterious errors at some point, especially when load starts getting high.

After the break, there’s a full table that lists out all of the necessary antivirus exclusions that should be configured for Windows servers that are running SharePoint 2010 and/or SQL 2008 R2:

(I’m sorry in advance for how unreadable this may be with the CSS I have right now. I don’t have time to fix it…)

Product	Description	Exclusion Type	Location	Comments
Windows Server 2008 R2	Windows Update Datastore	Folder	%windir%\SoftwareDistribution\ Datastore
	Windows Update Logs	File	The following files located in %windir%\SoftwareDistribution\Datastore\Logs: Res.log, Res.jrs, Edb.chk, Tmp.edb	For the files with the wildcared * character, there may be several files in that folder that fit the criteria.
	Windows Security Files	File	The following files located in %windir%\Security\Database: .edb, .sdb, .log, .chk, *.jrs	From Microsoft: "If these files are not excluded, antivirus software may prevent proper access to these files, and security databases can become corrupted. Scanning these files can prevent the files from being used or may prevent a security policy from being applied to the files. These files should not be scanned because antivirus software may not correctly treat them as proprietary database files."
	Windows Group Policy Files	File	%allusersprofile%\NTUser.pol And %Systemroot%\System32\GroupPolicy\Registry.pol
	Domain Controllers	Files and Folders	See Comments	SharePoint and SQL Server should not be installed on a domain controller but this is sometimes necessary to build development environments. If your SharePoint server is a domain controller, additional AD related antivirus exclusion are listed here: MS Support KB822158
SharePoint Foundation 2010	Core Files	Folder	Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions	Can optionally just do ".\14\Logs" and ".\14\Data\Applications"
	.NET Temp	Folder	Drive:\Windows\Microsoft.NET\ Framework64\v2.0.50727\Temporary ASP.NET Files
	WebTemp	Folder	Drive: \Users\service account\AppData\Local\ Temp\WebTempDir
		Folder	Drive:\ProgramData\ Microsoft\SharePoint\
		Folder	Drive:\Users\the account that the search service is running as\AppData\Local\Temp	The search account creates a folder in the "gthrsvc_spsearch4 Temp" folder to which it periodically needs to write.
	Log Files	Folder	Drive:\WINDOWS\system32\LogFiles And/Or Drive:\Windows\Syswow64\LogFiles	On 64 Bit Windows 2008 Server with 64 Bit Product, the location is Drive:\Windows\ Syswow64\LogFiles
	Service Account Temp Files	Folder	Drive:\Users\Each App Pool Service Account\AppData\Local\Temp And Drive:\Users\Default\AppData\ Local\Temp
SharePoint Server 2010 (in addition to the above)	Index and Query Files	Folder	Drive:\Program Files\Microsoft Office Servers\14.0\Data	This folder is used for the indexing and/or query process. If the Index files are configured to reside in a different folder, you also have to exclude that location.
	Enterprise Services Logs	Folder	Drive:\Program Files\Microsoft Office Servers\14.0\Logs
	Enterprise Services Binaries	Folder	Drive:\Program Files\Microsoft Office Servers\14.0\Bin
	FIM for User Profile Service	Folder	Drive:\Program Files\Microsoft Office Servers\14.0\Synchronization Service
	RBS BLOB Store	Folder	Any location where BLOB data is stored	See this TechNet link for more info: MS Office Library on SharePoint BLOB storage
SQL 2008 R2	Data Files	Extension	.mdf, .ldf, .ndf
	Backup Files	Extension	.bak, .trn
	Full-Text Catalog Files	Folder	Default instance: Drive:\Program Files\Microsoft SQL Server\MSSQL\FTDATA Or… Named instance: Drive:\Program Files\Microsoft SQL Server\ MSSQL$instancename\FTDATA
	Trace Files	Extension	.trc
	SQL Audit Files	Extension	.sqlaudit	For more info see: MSDN SQLAudit Info
	SQL Query Files	Extension	.sql
	SSAS Data and Temp Folder	Folder	Default: Drive:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data	This could be different and in separate places based on the configuration.
	SSAS Backup Folder	Folder	Default: Drive:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Backup	This could be different based on the configuration.
	SSAS Log Folder	Folder	Default: Drive:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Log	This could be different based on the configuration.
	SSAS additional folders	Folder	Any extra folders added for SSAS in addition to what’s above.
	SQL Server Database Engine	Process	%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.\MSSQL\Binn\SQLServr.exe
	SQL Server Reporting Services	Process	%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.\Reporting Services\ReportServer\ Bin\ReportingServicesService.exe
	SQL Server Analysis Services	Process	%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.\OLAP\Bin\MSMDSrv.exe
	SQL Clustering	Folder	Q:\ (Your Quorum Drive) C:\Windows\Cluster	If you’re running antivirus on a SQL cluster, make sure the Antivirus product and version is cluster-aware.

References:

Microsoft Support KB822158 – "Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows": http://support.microsoft.com/kb/822158
Microsoft Support KB952167 – "Certain folders may have to be excluded from antivirus scanning when you use a file-level antivirus program in SharePoint": http://support.microsoft.com/kb/952167
Microsoft Support KB309422 – "How to choose antivirus software to run on computers that are running SQL Server": http://support.microsoft.com/kb/309422

Technorati Tags: Antivirus, performance, SharePoint, SQL Server

Can you run the Configuration Wizard on multiple SharePoint 2010 farm hosts at once?

PlateSpinner — Thu, 17 Nov 2011 17:28:26 +0000

Simply put, no.

Take for example, you install the bits for the service pack 1 upgrade. The first thing, of course, is that you need to finish installing those bits on all of the servers in your farm. But then after that you need to run the SharePoint Products Configuration Wizard (or run psconfig.exe) to upgrade the installation. I recommend running the wizard first on the app server that serves your Central Administration site. But you really need to wait until it’s finished before running the config wizard on your next server. If you do rush ahead, it won’t let you. I tried it just to see what would happen. When I started the second config wizard in the process, the screen stayed just like this until the first server was finished with the wizard.

So it looks like there is a flag that is checked before it starts. And if one server already is locking up the configuration, the next one will not start until the first is finished.

Technorati Tags: Install, psconfig, SharePoint

A SharePoint Consultant’s list of scope-growing factors

PlateSpinner — Thu, 10 Nov 2011 18:44:49 +0000

As I’m preparing to start work on building a single-server SharePoint 2010 pilot rig for a client, I was listing things to check for before I would be willing to shoot off my mouth about how easy the installation will be.

For those that may find it interesting, here is a list of scope-growing factors that can add major complexity to a simple SharePoint implementation:

Incoming email functionality
Non-AD profile sync connections
Write-to AD functionality for profile-sync (as opposed to reading from Active Directory only)
Forms based authentication or claims authentication (instead of old-school Windows auth)
Search content sources other than the local SharePoint content
FAST Search (instead of regular SharePoint search)
PowerPivot
Project Server
Team Foundation Server
SQL Reporting Services
Migration or upgrading of content from other SharePoint farms
Publishing service applications to other SharePoint farms
3rd party add-ons

Technorati Tags: consulting, SharePoint

Forefront UAG install fails – Event ID 11406, Error 1406

PlateSpinner — Thu, 29 Sep 2011 19:21:50 +0000

I had four clean Windows 2008 R2 installed servers all in a row fail when installing Forefront Unified Access Gateway with the same error:

Log Name:      Application
Source:        MsiInstaller
Date:          9/29/2011 1:10:10 PM
Event ID:      11406
Task Category: None
Level:         Error
Keywords:      Classic
User:          DOMAIN\#ServiceAccount
Computer:      localcomputername
Description:
Product: Microsoft Forefront Threat Management Gateway — Error 1406.Could not write value InstalledBy to key \SOFTWARE\Microsoft\Updates\Microsoft Forefront Threat Management Gateway\7.0.8108\Service Pack 1. System error . Verify that you have sufficient access to that key, or contact your support personnel.

There was nothing out there helping me. I finally found in Microsoft KB969865 saying: “When you run .NET Framework 3.5 SP1 setup with a user account whose name begins with a ‘#’ character, the installation will fail.” and then it gives the error, which is the exact same as the one I got. In the cause section, it explains that the install tries to write a registry value with the “InstalledBy” username. But the ‘#’ character just happens to be a special prefix character in registry values.

So I tried it again with a different account and the install finishes with no problems at all.

Technorati Tags: Install, TMG, UAG

Can’t use PSconfig to create SharePoint 2010 configdb

PlateSpinner — Mon, 01 Aug 2011 17:59:51 +0000

On a client’s site today I was having a horrible time trying to use psconfig to create a configdb. The reason I was doing it is because the client wanted every SharePoint database to have a certain prefix on the database name. You can use the configuration wizard to customize the name of the configdb but it doesn’t let you customize the name of the Central Admin site’s content database. To do that, you need to use PSconfig.exe. No problem, I’ve done this before; sometimes for this exact reason.

But this time I had a horrible time doing it. I don’t know if these factors had anything to do with it but my situation included the following noteworthy factors:

Brand new SQL 2008 R2 CU7 Active/Passive clustered SQL environment with a named instance
SQL is configured to use dynamic ports only on TCP/IP
My SharePoint 2010 hosts is configured to connect to use SQL client aliases to connect
SharePoint 2010 was installed with media that was slipstreamed with service pack 1 and the June 2011 CU

Here is the command I was trying to use:

psconfig.exe -cmd configdb -create -server MYSQLAliasName -database FancyPrefix_SharePoint_Config -dbuser Domain\SPfarm -dbpassword SomePassword -user Domain\spadmin -password SomePassword -admincontentdatabase SP_FTIAP_Admin_Content –passphrase MY_passphrase

The error I got in command-prompt window was:

The configdb command is invalid or a failure has been encountered.
Cannot connect to database master at SQL server at MYSQLAliasName. The database might not
exist, or the current user does not have permission to connect to it.

Not helpful. After verifying that I was able to connect I turned to look at the database server. But on the SQL server there was a more descriptive error in the SQL Logs:

Error: 18456, Severity: 14, State: 6.

Message
Login failed for user ‘Domain\SPfarm’. Reason: Attempting to use an NT account name with SQL Server Authentication.

So at first, I tried to configure SQL to accept Windows Authentication only. That didn’t help, after restarting the services, future attempt got me this error:

Error: 18456, Severity: 14, State: 58.

Message
Login failed for user ‘Domain\SPfarm’. Reason: An attempt to login using SQL authentication failed. Server is configured for Windows authentication only.

So no dice. I kept searching and trying variations. Including altering my syntax to use the “username@domain.local” style but nothing worked.

I never did figure out how to get past the problem. I ran out of time and decided to go around the issue. I created the farm using the configuration wizard and then followed Cuban Pete’s instructions to change the name of the Admin Content database, which is simply the PowerShell commands needed to change the name in SharePoint and then when to go into SQL Server Managment Studio and change the actual database name.

Technorati Tags: command-line, psconfig, SharePoint

Well hello, Dolly

PlateSpinner — Wed, 20 Apr 2011 19:03:56 +0000

After running WordPress for several years, I just today activated the Hello Dolly plugin.

I have to say, it really does lighten the mood… as advertised.

Technorati Tags: Internet

Searching Through Active Directory

PlateSpinner — Tue, 22 Mar 2011 21:19:35 +0000

There used to be a time when it was easy to search for Active Directory users or security groups or computer names. Back in Windows 2000 it was easy but now you need a dozen clicks to get XP or Windows 7 to let you search Active Directory. Lucky for you you can make a quick shortcut to get you there.

Create a new shortcut and make the destination:
%windir%\system32\rundll32.exe dsquery.dll,OpenQueryWindow

Give it a memorable name like “Active Directory Search” and consider changing it to a snappier icon and boom, there ya go. Now you can search through all of the users, contacts, groups and even containers if you use the advanced tab.

Technorati Tags: Active Directory, command-line, Search

Memoirs of a SharePoint 2010 pilot install

PlateSpinner — Thu, 10 Feb 2011 16:36:34 +0000

I had a one-day quick gig yesterday where the client had a blanked VM ready and an existing SQL server. He wants to show his users and stakeholders what SharePoint 2010 looks like but doesn’t really know what his or their needs are. I assumed that, like all unplanned and undocumented installations, there would be some unforeseen roadblock and I would need more than the one day I was given. Also, I assumed that if the client wanted to drive or backseat drive the install that it would take much longer.

I was wrong. It went well. And he had a working 2010 farm with all the basic service apps in under 2 hours.

Here are some points to remember when doing a pilot (or any kind of) install:

Create all of your service accounts ahead of time. (You DO use service accounts, right??)
Give the setup account admin rights on the SQL servers too and not just the SharePoint servers (this wasn’t necessary for MOSS). If it’s SQL 2008, make the setup account a sysadmin in SQL. (The farm account still just needs “secadmin” and “dbcreator” roles in SQL.)
Remember to turn off the “Default Web Site” in IIS. Also change the bindings so that the port is something other than 80.
Get a static IP
Don’t forget to disable the loopback check.
If your SQL server hosts multiple projects and not just your SharePoint farm, consider using some kind of prefix in front of the database names as you are setting up SharePoint. For example, if you put “SP2010_” at the beginning of all the SQL databases you use, your SharePoint databases will be nicely bunched together when you use SQL Management Studio
When setting up profile synchronization to Active Directory, try to only select OUs that have actual user accounts in them. Avoid the OUs or containers that have service accounts. Nobody wants to store 150+ profiles for service accounts.

Technorati Tags: consulting, IIS, security, SharePoint, working

I’m not dead yet. I’m feeling happyyyyyy.

PlateSpinner — Wed, 22 Dec 2010 19:19:00 +0000

Merry holiday dear readers and search engine bots!

My employer is assigning me away from my long standing project (2.5 years) after this week. Starting in January, I’ll be working on…. something else. I don’t even know what, yet. But it doesn’t matter.

What this means for you is that I will have more freedom and time to develop my career and knowledge and that means MORE BLOG POSTING. (yay!)

Stay tuned…

Technorati Tags: working

How to disable SSL 2.0 and force SSL 3.0 and TLS 1.0 in IIS

PlateSpinner — Mon, 23 Aug 2010 09:02:00 +0000

I lot of places want to disable weaker encryption levels and require more secure encryption levels. There isn’t a lot of clear procedures out there that explain how this is done. So for the greater good, I’m posting it here.

Follow these steps to make the change manually:

Back up your registry (outside link)
Disable SSL 2.0:
1. Browse to the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0" key.
2. There is probably a key there called "Client". If there is not also a key under there called "Server", create it.
3. Create a DWORD for the "SSL 2.0\Client" sub-key called "Enabled" and set it to "0".
4. Create a DWORD value for the "SSL 2.0\Server" subkey and set it to "0", too. (This will disable SSL version 2.0)
Enable SSL 3.0:
1. Browse to the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\" key.
2. If there is not a key under there called "SSL 3.0", create it.
3. Under "SSL 3.0", create a key called "Client" and a key called "Server".
4. For both "Client" and "Server", add a DWORD value to each called "Enabled" and set it to "1" (This will enable SSL 3.0).
Enable TLS 1.0:
1. Browse to the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\" key.
2. If there is not a key under there called "TLS 1.0", create it.
3. Under "TLS 1.0", create a key called "Client" and a key called "Server".
4. For both "Client" and "Server", add a DWORD value to each called "Enabled" and set it to "1" (This will enable TLS 1.0).
Add support for the RC2, RC4, and 3DES ciphers:
1. Browse to this key: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
2. Under "Ciphers" you will add three keys. The first is called "RC2 128/128". The second is called "RC4 128/128". The third is called "Triple DES 168/168".
3. Do not add any values or keys under the three new keys.
Restart the server.

Or you could just run these commands from an administrative command-line:

REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 1 /f REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 1 /f REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 1 /f REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC2 128/128" REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC4 128/128" REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\Triple DES 168/168"

Further Reference:

How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll (Microsoft Support)
How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services (Microsoft Support)

Technorati Tags: command-line, IIS, security