SharePoint 2010... Multi-tenancy Support for Hosters - It is there if you want it.
To avoid an overdose of Exchange, this weekend I took some time to look at SharePoint 2010, just to see how much has changed since the SharePoint version we used in HMC 4.5.
In HMC 4.5, we used Windows SharePoint Services 3.0 SP1. I blogged about this back in January 2009. It is here if you are interested: HMC 4.5 and Windows SharePoint Services 3.0 SP1 (http://blogs.technet.com/b/provtest/archive/2009/01/14/hmc-4-5-and-windows-sharepoint-services-3-0-sp1.aspx). In that article, I spoke about the 3 main things that HMC did to introduce multi-tenancy support in WSS 3.0. The 3 main things are:
- Site Isolation - Each company should only be allowed to see and access their own site. It must be able to cater for different domain-named sites, such as http://sharepoint.alpineskihouse.com or http://teamsite.contoso.com, instead of everyone having a common site name like http://www.serviceprovider.com/sites/<sitename>
- Site Administration Isolation - Each company should only be allowed to manage their own site
- User Isolation - Each company should only see their own users.
At the end of the article, as you could see, unlike Hosted Exchange, there was really very little HMC needed to do to change WSS to provide multi-tenancy support in SharePoint. Of course, there were many things that could have been done much better, but in a nutshell, WSS 3.0 itself is already capable of multi-tenant support without much customization.
In my earlier post, I recommended that those who are interested take a look at the diagram posted by Microsoft. It is here in case you missed it: Hosting Environment for SharePoint 2010 Products? (http://blogs.technet.com/b/provtest/archive/2010/06/24/hosting-environment-for-sharepoint-2010-products.aspx). Now, there is also another set of documents that you should look at: the Dynamic Data Center Toolkit for Hosters. The link is here,
Dynamic Data Center Toolkit for Hosters (http://code.msdn.microsoft.com/Release/ProjectReleases.aspx?ProjectName=ddc&ReleaseId=4297)
In the above, you will find documents very similar to those in the HMC walkthrough, but for SharePoint 2010, with steps and scripts (primarily PowerShell) on how you create site isolation, site administration isolation and user isolation.
Of course, it does more than that. It provides a better explanation and also describes the various ways you can deploy customer sites to a SharePoint farm, such as the following:
- Dedicated application pool and Web application
- Shared application pool and dedicated Web application
- Shared Web application
- Authenticated sites
- Unauthenticated sites
It also provides better guidelines, such as:
- Use a dedicated Application Pool per customer only if needed to satisfy requirements for isolation.
- Use dedicated Web applications for tenants that require customizations that affect resources that are shared across a Web application, such as the Web.config file.
- When combining multiple tenants in a single Web application, use a dedicated Web application for all authenticated content and a separate dedicated Web application for all anonymous published content. This will require two separate subscription IDs for tenants with both types of content. This will also simplify licensing.
- Do not allow full-trust code to be deployed to sites. Do not allow customizations that affect shared resources, such as the Web.config file.
- Use host-named site collections to create multiple root-level site collections (domain-named sites) within a Web application.
- If any tenant must span more than 1 database, it must be the ONLY tenant in all those databases (so dedicated databases).
It provides architecture options you can choose for your hosting environment. It also provides architecture guidelines on how to scale out a hosted environment for your Services farm, Search farm and Tenant content farms. It provides information on how one should design their Active Directory. SharePoint 2010 also introduces some new concepts like managed accounts, proxy groups, business data catalog, etc. The underlying tenant provisioning hasn't changed much though. It still uses the host header concept and, for the people picker, it still uses the user account directory path concept. The PowerShell script works pretty well for me for the most part; it even includes some stuff that you don't really need in a production environment, such as putting some entries in the HOSTS file.
Here is a summary of the multi-tenant setup steps (I am not going to go into each of them in detail because the document has all the needed explanations). It is assumed that the server has been installed and set up:
- Setting up the multi-tenant environment
  - Step 1: Create Managed Account
  - Step 2: Create Proxy Group
  - Step 3: Create Site Subscription
  - Step 4: Create Site Subscription Feature Packs
  - Step 5: Create Managed Metadata
  - Step 6: Create User Profile
  - Step 7: Create Business Data Catalog
  - Step 8: Create Secure Store
  - Step 9: Create Search Application
- Tenant Provisioning
  - Step A: Create New Site Subscription
  - Step B: Assign Feature Pack to Site Subscription
  - Step C: Create Site Collection
  - Step D: Set Site User Account Directory Path
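As an added example (not from the post above and not one of the DDC Toolkit scripts), here is how Steps 1, 2 and 5 of the environment setup look in the SharePoint 2010 Management Shell. The point worth seeing is the -PartitionMode switch: it is what keeps each site subscription's data separated inside a shared service application, and it can only be set when the application is created. The service account, pool, database, proxy group and Web application names are assumptions for illustration.

```powershell
# Added example, not from the original post or the DDC Toolkit scripts.
# Names of the account, pool, database, proxy group and Web application are assumed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1: managed account. The farm stores the credential and can rotate
# the password, so the service identity is not a loose secret on each server.
$cred = Get-Credential "FABRIKAM\sp_tenantsvc"
$managedAccount = New-SPManagedAccount -Credential $cred

# A dedicated application pool for the tenant-facing service applications
$pool = New-SPServiceApplicationPool -Name "TenantServicesPool" -Account $managedAccount

# Step 2: a custom proxy group, so the hosted Web application only sees the
# partitioned service applications and not the farm-wide default ones
$proxyGroup = New-SPServiceApplicationProxyGroup -Name "TenantProxyGroup"

# Step 5: Managed Metadata in partition mode. Each site subscription gets its
# own partition of the term store instead of everyone sharing one store.
# Partition mode cannot be switched on afterwards; recreate if you forget it.
$mms = New-SPMetadataServiceApplication -Name "Tenant Managed Metadata" `
    -ApplicationPool $pool -DatabaseName "Tenant_MMS_DB" -PartitionMode
$mmsProxy = New-SPMetadataServiceApplicationProxy -Name "Tenant Managed Metadata Proxy" `
    -ServiceApplication $mms -PartitionMode
Add-SPServiceApplicationProxyGroupMember -Identity $proxyGroup -Member $mmsProxy

# Bind the shared, tenant-facing Web application to the tenant proxy group
$webApp = Get-SPWebApplication "http://sharepoint.fabrikam.com"
Set-SPWebApplication -Identity $webApp -ServiceApplicationProxyGroup $proxyGroup

# Check: list what the hosted Web application can actually reach
$proxyGroup.Proxies | Select-Object DisplayName, TypeName
```

Steps 6 to 9 (User Profile, Business Data Catalog, Secure Store and Search) follow the same pattern: create the service application and its proxy in partition mode, then add the proxy to the tenant proxy group rather than the default one.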
Follow the above through and you should be able to create a SharePoint site for your tenant organization, as I did, like the following:
And the Admin site for your tenant organization,
The above is pretty straightforward. There is really one thing I'd like to highlight here, which is Step D: Set Site User Account Directory Path. In this step, you are supposed to set the path to the tenant organization OU. In the SharePoint document, you will find they recommend the AD be designed as follows:
Doesn't the above look familiar? Now, the question is: what happens when I introduce Exchange Server 2010 SP1 into the mix? Exchange itself provisions the organization OU into a specific OU, which is OU=Microsoft Exchange Hosted Organizations, like the following:
Well, it means that if you are providing both Hosted Exchange and Hosted SharePoint, you may want to first create the OU using the Exchange cmdlet, and then, when you perform Step D, just set it to the appropriate path like the following:
stsadm -o setsiteuseraccountdirectorypath -path "OU=ProvTest, OU=Microsoft Exchange Hosted Organizations,DC=FABRIKAM,DC=com" -url http://intranet.
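The tenant provisioning steps A to D, ending with Step D pointed at the OU that Exchange created, as an added example (not from the post above and not a DDC Toolkit script). The tenant name, URLs, owner account and the exact OU path are assumptions for illustration; the cmdlet form of Step D does the same thing as the stsadm command in the post. The final check matters because the user account directory path is what scopes the people picker to the tenant's own users, which is the "User Isolation" point from the beginning of the post.

```powershell
# Added example, not from the original post or the DDC Toolkit scripts.
# Tenant name, URLs, owner account and the OU path below are assumed values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$tenantName = "ProvTest"
$tenantUrl  = "http://teamsite.provtest.com"      # host-named site collection for the tenant
$webAppUrl  = "http://sharepoint.fabrikam.com"    # shared Web application that hosts tenants
$ownerAlias = "FABRIKAM\provtest_admin"           # tenant administrator account
$tenantOu   = "OU=$tenantName,OU=Microsoft Exchange Hosted Organizations,DC=FABRIKAM,DC=com"

$webApp = Get-SPWebApplication $webAppUrl

# Step A: one site subscription (tenant ID) per hosted organization
$subscription = New-SPSiteSubscription

# Step B: a feature pack limits which features the tenant can activate;
# TeamCollab is the built-in Team Collaboration Lists feature
$featurePack = New-SPSiteSubscriptionFeaturePack
Add-SPSiteSubscriptionFeaturePackMember -Identity $featurePack -FeatureDefinition "TeamCollab"
Set-SPSiteSubscriptionConfig -Identity $subscription -FeaturePack $featurePack

# Step C: host-named root site collection inside the shared Web application,
# tied to the subscription so it is isolated from other tenants' sites
$site = New-SPSite -Url $tenantUrl -HostHeaderWebApplication $webApp `
    -SiteSubscription $subscription -OwnerAlias $ownerAlias `
    -Template "STS#0" -Name "$tenantName Team Site"

# Step D: scope the people picker to the OU that Exchange provisioned
Set-SPSite -Identity $site -UserAccountDirectoryPath $tenantOu

# Check user isolation before handing the site over: if the path is empty,
# the people picker resolves users from the whole forest
$check = Get-SPSite $tenantUrl
if ($check.UserAccountDirectoryPath -ne $tenantOu) {
    throw "People picker for $tenantUrl is not scoped to $tenantOu"
}
"$tenantUrl -> subscription $($check.SiteSubscription.Id); people picker scope: $($check.UserAccountDirectoryPath)"
```

If the tenant gets more than one site collection, run Step C and Step D once per site collection with the same $subscription and $tenantOu, so every site of that organization shares one tenant ID and one people picker scope.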
I strongly recommend you download the documents, go through the steps and the PowerShell, and get yourself familiar with it. The concept hasn't changed tremendously from WSS 3.0, but obviously the product has grown much more mature, and it is being developed, like Exchange Server 2010 SP1, with hosters in mind.