With SharePoint 2010 RTM looming, I’ve stumbled across an architectural change that may surprise some people – namely, that SharePoint 2010 no longer supports multiple-server farms without a domain infrastructure. In SharePoint 2007 it was possible to create SharePoint farms in a Workgroup, so long as all of the user accounts for the services and application pool identities were named the same and had the same password. You could even manage users with an Active Directory Lightweight Directory Services (AD LDS) or Active Directory Application Mode (ADAM) LDAP directory (albeit with some fairly limiting restrictions). Despite those restrictions, it was possible to use these farms for testing or when an Active Directory infrastructure was undesirable (as some people see it in a DMZ). Now, it is still possible to do a Simple installation on a single server without full domain services, but it is no longer supported on multiple servers, and the Simple installation comes with its own planning considerations, to which I’ll return in a bit. First, there’s another wrinkle regarding the single server Complete installation.
When I initially created our SharePoint 2010 beta development environments, I built them in a Workgroup, for many of the reasons that I chose to do so in 2007 (see the Workgroup Development section in Part II of my series on SharePoint development environments). Now, the SharePoint 2010 Configuration Wizard (psconfigui) throws an error when choosing the Complete install option in a Workgroup. I was able to get past this error by following the suggestions on the Microsoft From the Field blog, but a few weeks down the road we’ve pinned down two issues (as confirmed by Neil, the author of that post).
- Search will crawl successfully in this configuration, but the query role will never initiate. Queries from web applications that consume this Service Application will produce an error, which you will be able to trace to an application event log 6398 error and the key event in ULS, “The SDDL string contains an invalid sid or a sid that cannot be translated.” As Victor Magidson from Microsoft puts it on this TechNet thread, this error occurs when a “topology activation job is trying to create a propagation file share.” In short, the query role never finishes initialising so it will never serve queries. This only occurs on the single server Complete installation and deleting/re-creating the Service Application yields the same result.
- The User Profile service application will also be useless*, but it always would have been since you couldn’t import users from the local user database in 2007 either. However, this has wider implications in SharePoint 2010 because of the social computing features, which developers probably won’t be able to live without.
All this means that I need to consider rebuilding our development environments in a domain or we need to use the Simple installation. In the past I always avoided the Simple installation because it uses system accounts like Network Service for application pool identities, so it took some re-acquaintance to identify some of its limitations. It has no configuration options (thus the use of local system accounts), the User Profile Service Application does not start (presumably per Forefront Identity Manager 2010 installation issues as seen in other topologies) and it uses SQL Server Express (which developers aren’t very fond of), so we’re unlikely to pursue this option. Accordingly, we’re reviewing the ways that we can re-create the development environment in a domain.
Why don’t I just make the development machine a domain controller? This isn’t clear-cut and there are benefits to the simplicity of it, but ultimately I think it’s a bad idea because:
- Domain Controller security is bad for development. It means developers will be coding as Domain Admins and they will be doing so on a machine with Domain Controller security policies. This is just a mess.
- SQL doesn’t like to run on a DC.
- Running a DC, SQL and SharePoint on the same machine creates a massive load of service start-up contention and sometimes the environment will start from an unstable point because dependent services will not be ready when a depending service tries to start.
- This also increases start-up time considerably, which is a big concern when using Hyper-V on a laptop, where we don’t have Sleep/Hibernate.
- Adding Visual Studio to this mix causes known performance issues. The machine simply can’t keep up with doing all of this.
Why won’t we use a central development domain? Because then we can’t clone the VMs. We don’t just clone standard builds; we also use the same VM for each developer/consultant/architect on a single project. We may opt for this approach eventually, but I think the investment in automation is pretty considerable for it to be efficient with our team development requirements.
So I’m probably going to separate the DC on to a different server for now. I’m unlikely to add a third server for SQL, as even though it might be faster, I think the complexity of managing networking and snapshots across three servers is undesirable for developers, if we can get by with two.
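The topology concerns above (workgroup membership, SharePoint sharing a machine with the DC, and the Simple installation's built-in application pool identities) can be checked on a development VM with a short script. This is an added example, not part of the original post; the function names `Test-SPDevTopology` and `Get-LiveTopologyInput` are hypothetical and the sample pool data is constructed.

```powershell
# Added example (not from the original post). Flags the topology issues the
# article discusses: workgroup farm, SharePoint on a DC, built-in pool identities.
function Test-SPDevTopology {
    param(
        [bool]$PartOfDomain,       # Win32_ComputerSystem.PartOfDomain
        [int]$DomainRole,          # Win32_ComputerSystem.DomainRole (4 or 5 = domain controller)
        [object[]]$AppPools = @()  # objects with Name and IdentityType properties
    )
    $findings = @()
    if (-not $PartOfDomain) {
        $findings += 'Workgroup machine: multi-server farms are unsupported and the post reports Search query and User Profile problems on a Complete install.'
    }
    if ($DomainRole -ge 4) {
        $findings += 'Machine is a domain controller: development happens under DC security policy, typically as Domain Admin.'
    }
    $builtIn = 'LocalSystem', 'LocalService', 'NetworkService'
    foreach ($pool in $AppPools) {
        if ($builtIn -contains [string]$pool.IdentityType) {
            $findings += "App pool '$($pool.Name)' runs as $($pool.IdentityType) rather than a dedicated service account."
        }
    }
    $findings
}

# Live collection on the SharePoint server (needs the IIS WebAdministration module).
function Get-LiveTopologyInput {
    Import-Module WebAdministration
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $pools = Get-ChildItem IIS:\AppPools | ForEach-Object {
        New-Object PSObject -Property @{ Name = $_.Name; IdentityType = $_.processModel.identityType }
    }
    @{ PartOfDomain = $cs.PartOfDomain; DomainRole = $cs.DomainRole; AppPools = @($pools) }
}

# Constructed sample: a Simple install on a workgroup VM (pool names are made up).
$sample = @{
    PartOfDomain = $false
    DomainRole   = 2
    AppPools     = @(
        New-Object PSObject -Property @{ Name = 'SharePoint - 80'; IdentityType = 'NetworkService' }
        New-Object PSObject -Property @{ Name = 'SecurityTokenServiceApplicationPool'; IdentityType = 'SpecificUser' }
    )
}
Test-SPDevTopology @sample | ForEach-Object { Write-Output "FINDING: $_" }
# On a real server: $live = Get-LiveTopologyInput; Test-SPDevTopology @live
```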
All of this underlines the reasons why I didn’t publish any SharePoint 2010 build guidance yet. Some things don’t become clear until you get your hands dirty. I’ll revisit this topic as soon as I feel comfortable that we’re pinning things down, but for now we’re still adapting our methods.
*I’ll note that I haven’t properly tested Claims Based Authentication against a single server Complete installation, so it’s conceivable that you could import non-A/D users into this configuration, but you’d still need to live without Search.
Tristan, you CAN set up a SP2010 installation WITHOUT AD. Simply run the SP installer, then DO NOT run the wizard but create the Config and AdminContent databases with this PowerShell command (http://technet.microsoft.com/en-us/library/ff607838.aspx, sample at the bottom), and when you then run the Wizard choose “Do not disconnect from this farm”. You can even add further Managed Accounts with this command (http://technet.microsoft.com/en-us/library/ff607831.aspx).
HTH
Jennifer
Hi Jennifer. Yeah, the New-SPConfigurationDatabase is the command that Neil Hodgkinson suggests in the From the Field blog that I linked to above. The upshot of this post was to identify the domain requirements for the User Profile and Search Service Applications (as of the Beta release), as well as SQL Express in Simple Mode. I realise some things have changed in RTM but we quickly found it untenable to try to develop for SP2010 for pretty much anything but WCM sites without User Profiles.
Have you tested that Search works in a Workgroup as of RTM, out of curiosity? I would have expected that SDDL string error to get fixed for RTM and I haven’t seen anyone mention that it’s still a problem.
Hi Tristan, I’ve just wasted 2 days with the RTM version …the problems you described still exist. The search error showed on both a fresh “complete” install of SSX10 as well as on an upgrade of an SPF10 installation. In the end I settled on a “Standalone” installation 😐
I think the only workable setup right now for a complete install is using two VMs, with the AD being separated that way from the Dev VM. My current laptop doesn’t have enough RAM for that though. I guess I’ll have to get a new one.
The RTM of SSX10 also has other problems. Health status reports that the version is about to expire and the Secure Store does indeed expire.
Yeah, I’ve gone to a DC with 600MB (may be able to get away with less) and the SharePoint Server/SQL VM with 5GB. Seems to be working OK. I haven’t used SSX yet simply because we’re focused on the full version of SharePoint Server. Have you seen this TechNet article? http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/73a8c9b0-88bf-4214-bf64-a9934af7be80. Really not a good idea but as they say there, maybe acceptable for a demo?
Thanks for the link. I think that SSX got stitched with a hot needle, but in general the 2010 release strikes me as better than the 2007 release …at least a trend!
I think you can go a bit lower with AD, as Wictor writes: http://www.wictorwilen.se/Post/My-SharePoint-2010-development-rigs.aspx, but you probably won’t see any difference on your other VMs if you add that 100MB you gain.
I am doing product development for SSX and need to have a test machine that has the “Standalone” configuration anyway (as I assume that many people actually do use it). All our other servers are hosted in a domain environment, so no problem otherwise.
Enjoy your day!
Hey Jennifer,
I just re-read your comments here and thought you might be interested in something I stumbled across the other day. I was watching Ben Armstrong (Virtual PC Guy)’s TechEd video on the forthcoming Dynamic Memory for Hyper-V in Windows Server 2008 R2 SP1 and he said that as soon as he turned it on his Domain Controllers started consuming upwards of 1GB memory, although he had never seen any indications that this was necessary before. It will be interesting to see how our assumptions about VM memory allocation change once this comes out.
Cheers,
Tristan
Hi Tristan,
you must have been reading my mind… I actually caught up on Server 2008 R2 SP1 a few days ago myself 🙂 BUT, I didn’t get to see Ben’s video. So, thanks for letting me know about this “side-effect” on using Dynamic Memory. I do hope they’ll fix that for RTM because it certainly is not only counter-productive but also bad for Hyper-V’s otherwise near perfect image in the market.
In general though Microsoft is still hesitant to recommend virtualizing AD (and SQL Server), as can be read here:
http://technet.microsoft.com/en-us/library/ff607811.aspx
I am however solely convinced that the advantages outweigh the risks, especially as we’ve had virtualized AD, SQL and ISA servers for over 2 years with no problems at all.
Sunny greetings from Barcelona
Jennifer
Hey Jennifer,
It’s not so much a side effect as an indication that (Ben’s) DCs were hungrier for memory than he realised. It may be that his home infrastructure generates a lot more demand on his DCs than a single SharePoint/SQL box. But one way or the other you can still set the maximum memory for the DC where it was. I was just thinking that we may find out that a lot of what we assume we know about VMs might be proved wrong. It’s a really fundamental change to memory management.
Agreed, re: virtualisation. We’ve started virtualising production (hosted) SQL with our new website project and are going to see how it goes. Fingers crossed!
Cheers,
Tristan
Fingers crossed and thumbs pressed 😉
Thanks btw also on the write-up of Ben’s video …that just saved me 75 mins of my weekend 🙂
No worries. Can’t wait to get my grimy mitts on the SP1 beta.
Hey Jennifer,
I just stumbled across these comments again, which brought to mind some recent findings. I’ve recently been testing an environment with two DCs, one Windows 7 machine and one Windows Server 2008 Server which is generating all the load. This is on Windows Server 2008 R2 SP1 Beta with Enterprise guests. The DCs occasionally blip above 600MB even in this limited configuration – they go as high as 620MB. I suspect once Dynamic Memory becomes the norm people will settle on something like 512MB-1024MB for DCs. But I thought it interesting that I occasionally did start to consume more than 600MB, and this is without anything as intense as SharePoint 2010.
Cheers,
Tristan