Overview of On-Demand Assessment for SharePoint Server - Unified

Prerequisites

How to prepare for your On-Demand Assessment for SharePoint Server The Tools machine is used to connect to each of the servers in your environment and retrieves information from them, communicating over Remote Procedure Call (RPC), Server Message Block (SMB), Lightweight Directory Access Protocol (LDAP) and Distributed Component Object Model (DCOM). Once the data is collected and the operational interview is completed, the Offline Assessment tool will analyze the data locally.

A checklist of prerequisite actions follows. Each item links to any additional software required for the tools machine, and detailed steps included later in this document.

Machine Requirements and Account Rights

1. Hardware and Software:

Server-class or high-end workstation computer equipped with the following:

• Minimum single 2Ghz processor — Recommended dual-core/multi-core 2Ghz or higher processors.

• Minimum 4 GB RAM—Recommended 12 GB RAM.

• Minimum 5 GB of free disk space.

• High End Workstation: Windows 11, Windows 10

• Server: Windows Server 2022, Windows Server 2019, Windows Server 2016

  • Can be 32-bit or 64-bit operating system.

• At least a 1024x768 screen resolution (higher preferred).

• Microsoft Office (Word, Excel and PowerPoint) for report creation.

• Must be a member of the same domain as the SharePoint farm that is being analyzed.

• Microsoft® .NET Framework 4.8 — https://dotnet.microsoft.com/en-us/download/dotnet-framework/net48

  NOTE: If the SharePoint Server has a higher version of .NET installed than 4.6.2 than the version installed on the Tools machine must be equal to or higher than installed on the Target SharePoint Server.

• Windows PowerShell 5.0 or higher

  • PowerShell 5.0 is part of the Windows Management Framework 3.0: https://support.microsoft.com/kb/2506143
  • Windows PowerShell System Requirements
  • The execution policy for PowerShell should be set to remotesigned on both the tools machine and the servers
  • The execution policy settings can be verified using “get-executionpolicy –list” in a PowerShell command window

• Networked “Documents” or redirected “Documents” folders are not supported. Local “Documents” folder on the data collection machine is required.

• IIS Management Tools (IIS 7 Administration components)

• Firewall exception for Remote Administration( RPC) – Dynamic Port Range

2. Accounts Rights

A domain account with the following:

• Member of the local Administrators group on all servers in the SharePoint environment
• Full Control to all Service Applications.
• Member of the “SysAdmin” group on SQL instances hosting SharePoint databases
• Unrestricted network access from the Tools machine to all servers
• Member of SharePoint Farm Administrators group
• Unrestricted network access from the Tools machine to all servers

Ability to run PowerShell scripts on the machine running the Offline Assessment Client. The Windows PowerShell execution policy must be set to RemoteSigned or a policy that provides an equivalent ability to run local scripts — https://technet.microsoft.com/library/hh847748.aspx

WARNING: Do not use the “Run As” feature to start the client toolset as the discovery process and collectors might fail. The account starting the client toolset must sign in to the local machine.

A Microsoft Account is required to activate and sign in to the Premier Proactive Assessment Services portal (https://services.premier.microsoft.com). This is the RAP as a Service portal where you will activate your access token, download the toolset.

• If you don’t have one, you can create one at https://login.live.com.
• Contact your CSAM if the token in your Welcome Email has expired or can no longer be activated. Tokens expire after ten days. Your CSAM can provide new activation tokens for additional people.

3. Network and Remote Access

Ensure that the browser on the Tools machine or the machine from where you activate, download and submit data has JavaScript enabled. Follow the steps listed at How to enable scripting in your browser.

Internet Explorer is the recommended browser for a better experience with the portal. Ensure Internet Explorer Enhanced Security Configuration (ESC) is not blocking JavaScript on sites. A workaround would be to temporary disable Internet Explorer ESC when accessing the https://services.premier.microsoft.com portal.

Unrestricted network access from the Tools machine to all servers. This means access through any firewalls and router ACLs that might be limiting traffic to any of the servers. This includes remote access to:

• DCOM
• Remote Registry service
• Windows Management Instrumentation (WMI) services
• Default administrative shares (C$, D$, IPC$).

Ports and Protocol access requirements:

Ensure that the machine you use to collect data has the following:

• Complete TCP/UDP access, including RPC access to all servers.
• Access over ports 135, and 139 or 445 is also required.
• Windows Remote Management (WinRM) uses Ports 5985 for HTTP. Communication between the Tools machine and the SharePoint server that is targeted for the data collection on port 5985 has to be enabled as PowerShell commands will be executed remotely via this port.

Note: When you execute the Remote PowerShell and CredSSP configuration steps in section 6 of this document you will be prompted to allow port 5985 to be opened as part of the configuration, please select yes to allow the port to be opened when prompted.

Configure the servers firewall to ensure all servers running Windows Server 2016 and later have Remote Event Log Management enabled:

Offline client might be unable to collect event log information from a Windows Server 2016 or later if Remote Event Log Management has not been allowed. When Remote Management is enabled, the following services must be started on the target servers:

• WMI
• Remote Registry service
• Server service
• Workstation service
• File and Printer Sharing service
• Automatic Updates service

Configure the server firewall to ensure all servers running Windows Server 2016 and higher have “Remote Event Log Management” enabled:

Offline Assessment Client might be unable to collect event log information from a Windows Server 2016 or later if “Remote Event Log Management” has not been allowed. When “Remote Management” is enabled, the rules that allow Remote Event Log Management are also enabled.

To test if the tool will be able to collect event log data from a Windows Server host, you can try to connect to the Windows Server server using eventvwr.msc. If you are able to connect, collecting event log data is possible. If the remote connection is unsuccessful, you may need to enable the Windows built-in firewall to allow “Remote Event Log Management”.

Connectivity Testing

• Event Log: To test if the tool will be able to collect event log data from a Windows Server, you can try using eventvwr.msc. If you are able to connect, collecting event log data is possible. If the remote connection is unsuccessful, you may need to enable the Windows built-in firewall to allow “Remote Event Log Management”.
• Registry: Use regedit.exe to test remote registry connectivity to the target servers (File > Connect Network Registry).
• File: Connect to the C$ and Admin$ shares on the target servers to verify file access.

4. Additional requirements for Windows Server 2016 or later:

A. Log into the chosen data collection machine to identify its current IP address using IPConfig.exe from the command prompt. An example output is as follows:

C:\>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix  . :
Link-local IPv6 Address . . . . . : fe80::X:X:X:X%13
IPv4 Address. . . . . . . . . . . : X.X.X.X
Subnet Mask . . . . . . . . . . . : X.X.X.X
Default Gateway . . . . . . . . . : X.X.X.X

• Make a note of the IPv4 address of your machine. The final step in the configuration will use this address to ensure only the data collection machine can communicate with the Windows Update Agent on the SharePoint server farm.

B. Create, configure, and link a group policy object to the SharePoint Servers OU in the domain of the servers.

Create a new GPO

Make sure the GPO applies to the SharePoint Servers organizational unit.

Note: If other servers outside the scope are present in the OU, then security group filtering can be used to restrict the application of group policy to only the SharePoint Servers.

• Within the GPO open: Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\ Windows Firewall with Advanced Security.
• Right-click Inbound Rules and then click New Rule.
• The rule you create will be merged with the rules that already enabled on the SharePoint Servers’ through local policy and/or other group policy objects that have inbound rules defined.
• On the New Inbound Rule Wizard, on the Rule Type page click Custom, and then click Next.
• On the Program tab, choose This Program Path and insert the following path without the quotes:
• “%SystemRoot%\system32\dllhost.exe” as shown in the below graphic and choose next.

On the Protocol and Ports Page Select “TCP” for the Protocol Type and “RPC Dynamic Ports” for Local Ports and select next as shown in the following graphic.

• On the scope page, select These IP Addresses under “which remote IP addresses does this rule apply to”, then click Add. Insert the IP address of the data collection machine identified in the first step. Click OK, then Next on the scope page.
• Choose Allow the Connection on the Action page and select Next.
• Leave the default profiles checked on the Profile page, then on the Name page, give the rule a name that describes what it allows, similar to “Allow Inbound to WUA from x.x.x.x” and finish the rule creation wizard to commit the rule to the firewall policy.
• Once the rule applies, it can be confirmed as active through Windows Firewall with Advanced Security MMC (WF.MSC) monitoring navigation node or by interrogating the output of the following PowerShell command “Get-NetFirewallRule -Enabled true -policystore ActiveStore” and confirming the created rule shows up.

5. Remote PowerShell and CredSSP Configuration (Tools Machine)

On the Tools Machine, launch PowerShell Prompt with the option “Run as Administrator”. And run the following commands (see important note below before running the below commands)

Enable-WSManCredSSP -Role client -DelegateComputer <SharePointServer FQDN>

Note:

• The “SharePointServer FQDN” in the above command is the “Target Server” to which the “Tools Machine” connects to when collecting data. You must use the FQDN for the SharePoint server and not just the host name.
• The WinRM service needs to be running for this command to succeed.

6. Remote PowerShell and CredSSP Configuration (Target Farm Server)

On the Target Server (see the first page and the fourth page of this document to learn about Target Server), launch PowerShell Prompt with the option “Run as Administrator”. And run the following commands (see important note below before running the below commands)

winrm quickconfig
Enable-WSManCredSSP -Role server

Note

SharePoint 2013, SharePoint 2016 and SharePoint 2019 farms supported only at this time. On-Demand Assessment for SharePoint Server does not support SharePoint Server 2010 or earlier.

On-Demand Assessment for SharePoint Server supports SharePoint farms backed by SQL servers running SQL - Server 2014, SQL Server 2012. Earlier versions of SQL Server are not supported.

7. Remote PowerShell and CredSSP Configuration

As part of the assessment, most of the SharePoint information is gathered by executing PowerShell scripts remotely from the Tools Machine. It is very important for the CredSSP delegation to be configured correctly so that the PowerShell scripts can be executed remotely on the Target Server. The below script helps in knowing if the CredSSP is configured correctly by connecting and executing the script on the Target Server. Run the below script from the Tools Machine.

Executing the below snippet should output the list of all SharePoint Content databases of your SharePoint farm.

$farm = Get-Credential
$s = New-PSSession -ComputerName [FQDN of Target Server] -Authentication CredSSP -Credential $farm
Invoke-Command -Session $s -ScriptBlock { add-pssnapin Microsoft.SharePoint.PowerShell -ea 0 }
Invoke-Command -Session $s -ScriptBlock { get-spfarm }
Invoke-Command -Session $s -ScriptBlock { get-spcontentdatabase }
Get-PSSession | Remove-PSSession

Note

The “FQDN of Target Server” is the SharePoint server on which the CredSSP is enabled (see the first page and the fourth page of this document to learn about Target Server).

** If the above test fails, DO NOT proceed with the assessment and reach out the CSAM for further assistance.

Data Collection Methods

Appendix: Data Collection Methods

On-Demand Assessment for SharePoint Server uses multiple data collection methods to collect information. This section describes the methods used to collect data from a SharePoint environment. No VB scripts are used to collect data. Data collection uses workflows and collectors. The collectors are:

• Registry Collectors
• SharePoint PowerShell Scripts
• Event Log Collector
• SQL Queries
• IIS information
• File Data Collector
• WMI

Registry Collectors:

Registry keys and values are read from the On-Demand Assessment for SharePoint Server data collection machine (a.k.a Tools Machine) and all SharePoint Servers including SQL servers. They include items such as:

• SQL Alias information from HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo

This allows the assessment to determine if the SharePoint servers are using SQL alias to connect to the SQL server that is hosting the SharePoint databases.

Operating System information from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

This allows to determine Operation System information such as Windows 11, Windows 10, Windows Server 2022, Windows Server 2019, Windows Server 2016.

SharePoint PowerShell Scripts:

Majority of the SharePoint data is gathered via running the SharePoint PowerShell scripts. For example, the information pertaining to Large list views, Alternate Access mappings, SharePoint services, ULS information, SharePoint Lists information, SharePoint Search, Timer Jobs etc., are all gathered using SharePoint PowerShell scripts.

These scripts are executed remotely from the Tools Machine by connecting to the Target Machine. For more information about Tools Machine and Target Machines, see 1st page and 4th page of this document.

Event Log Collector:

Collects event logs from all the SharePoint Servers including SQL servers. Offline Assessment collects the last 7 days of Warnings and Errors from the Application and System logs.

SQL Queries:

Some of the information pertaining to the SQL databases that are hosted by the SharePoint SQL instance are gathered via SQL scripts. For example, the information related to the SQL data and log files (for example, the size and next growth size), SQL instance properties (for example, if using Integrated Security, if the instance is clustered), Index Fragmentation, Statistics information etc., are all gathered via SQL Scripts.

IIS Information:

The details of the IIS web sites and App Pool configurations are gathered using .NET code and workflows.

File Data Collector

Enumerates files in a folder on a remote machine, and optionally retrieves those files. For example, web.config files, IIS Log files, App Host config files etc.,

Windows Management Instrumentation (WMI):

WMI is used to collect various information such as:

• WIN32_Volume: Collects information on Volume Settings for each server in the SharePoint environment. The information is used for instance to determine the system volume and drive letter which allows Offline Assessment for SharePoint to collect information on files located on the system drive.

• Win32_Process: Collect information on the processes running on each server in the SharePoint environment. The information provides insight in processes that consume a large amount of threads, memory or have a large page file usage.

• Win32_LogicalDisk: Used to collect information on the logical disks. We use the information to determine the amount of free space on the disk where the database or log files are located.