Understanding multi-tenancy in SharePoint Server 2013

Summary: Learn about the multi-tenancy feature and the underlying components and services related to multi-tenancy in SharePoint Server 2013.

This article describes the components and services related to multi-tenancy in SharePoint Server 2013 and provides architectural, security, operational, and management guidance to help service providers understand multi-tenancy in SharePoint Server 2013 so that they can plan, design, build, and manage a multi-tenant SharePoint Server 2013 hosting platform.

Note

OneDrive for Business with Yammer integration does not work with multi-tenancy or partitioned service applications in on-premises deployments.

Before you begin

Introduction to multi-tenancy in SharePoint Server 2013

What is multi-tenancy?

Before we introduce the multi-tenancy functionality in SharePoint Server 2013, you should understand the general concept of multi-tenancy and its related characteristics; this will help you make appropriate decisions when planning, designing, operating, and managing a multi-tenant SharePoint Server 2013 hosting platform.

Multi-tenancy refers to the ability to manage and partition the data of sites and of otherwise shared services or software so that multiple tenants can be accommodated. This is in contrast to running multiple instances of a service or setting up separate hardware for each tenant. In Microsoft products and technologies, multi-tenancy of services creates a hosting environment in which server farm resources are used to the fullest. Before learning about hosting environments, it is important to understand the services architecture.

Key components and services for enabling multi-tenancy in SharePoint Server 2013

This section describes the key components and services for enabling multi-tenancy in SharePoint Server 2013.

Web application

A SharePoint 2013 web application is composed of an Internet Information Services (IIS) web site that acts as a logical unit of management and security for the site collections that you create in it. Each web application is represented by a separate IIS web site that uses a unique or shared application pool. When you create a web application, you also create a content database and define the authentication method that is used to connect to the database(s).

Host-named site collection

Host-named site collections enable you to assign a unique DNS name to each site collection. For example, you can address them as http://TeamA.contoso.com and http://TeamB.fabrikam.com. This lets you deploy many sites that use unique DNS names in the same web application, and it enables service providers to scale an environment to many customers. If you do not use host-named site collections, the SharePoint web application will contain many path-based site collections that all share the same host name (DNS name). For example, Team A would have a site collection at http://contoso.com/sites/teamA and Team B would have a site collection at http://contoso.com/sites/teamB.

Host-named site collections are fundamentally the only way to scale a multi-tenant environment, and they provide the greatest flexibility with respect to the URL namespace used. If you use path-based site collections with multi-tenancy, the software boundary for managed paths will be reached very quickly, because each tenant that wants its own top-level URL namespace needs its own managed path and the supported limit is 20 managed paths per web application.

For additional information about how to plan for host-named site collections in SharePoint Server 2013, see Host-named site collection architecture and deployment (SharePoint 2013).

Service groups (proxy groups)

A service group, also known as a proxy group, is a group of service applications that are selected for use by a web application.

By default, all service applications are included in the default group unless another group is specified at the time that the service application is created. You can add and remove service applications from the default group at any time. When you create a web application, you can select the default group, or you can create a custom group of services. You create a custom group of services by selecting only the service applications that you want the web application to use.

Custom groups created in Central Administration are not reusable across multiple web applications. Each time that you select "custom" when you create a web application, you are selecting services only for the web application that you are creating.

Service proxy

When you create a service application, a proxy for the service application is created at the same time. A proxy is a virtual entity that connects web applications to service applications. Proxies are listed on the Manage Service Applications page in the SharePoint Central Administration website.

Proxies are created automatically if you use Central Administration or the SharePoint 2016 Products Configuration Wizard to create service applications. If you use Microsoft PowerShell to create service applications, proxies are not always created automatically and must then be created by using Microsoft PowerShell.

Some proxies include settings that can be changed. For example, if a web application is connected to multiple instances of the Managed Metadata service, you must indicate which proxy connects to the primary service application that hosts the corporate taxonomy. Generally speaking, these settings move to tenant-level configuration when multi-tenancy is used.
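The following PowerShell is an added example, not code from the original article, showing how a hoster builds a named proxy group from existing partitioned proxies and binds it to a tenant web application, then checks that the web application sees exactly those proxies. The proxy display names, the group name, the web application name and URL, the application pool name, the managed account CONTOSO\SPWebApp and the database name are assumptions for illustration.

```powershell
# Added example (not from the original article). Names below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# A named proxy group starts empty; the default group is left untouched.
$groupName = "Tenant-Group-A"
$proxyGroup = Get-SPServiceApplicationProxyGroup | Where-Object { $_.Name -eq $groupName }
if ($null -eq $proxyGroup) {
    $proxyGroup = New-SPServiceApplicationProxyGroup -Name $groupName
}

# Add only the proxies the tenant web applications in this group should see.
# Members are proxies (the connection objects), not the service applications.
$wanted = @(
    "Managed Metadata Service Proxy (Partitioned)",
    "User Profile Service Proxy (Partitioned)",
    "Search Service Proxy (Partitioned)"
)
foreach ($name in $wanted) {
    $proxy = Get-SPServiceApplicationProxy | Where-Object { $_.DisplayName -eq $name }
    if ($null -eq $proxy) { throw "Service application proxy '$name' not found; create it in partition mode first." }
    Add-SPServiceApplicationProxyGroupMember -Identity $proxyGroup -Member $proxy
}

# Bind the group when the web application is created. Unlike the "custom"
# choice in Central Administration, a named group can later be assigned to
# other web applications with Set-SPWebApplication -ServiceApplicationProxyGroup.
$acct = Get-SPManagedAccount "CONTOSO\SPWebApp"
$ntlm = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos
$wa = New-SPWebApplication -Name "Tenants - Group A" -Port 80 `
    -HostHeader "tenants.contoso.com" -Url "http://tenants.contoso.com" `
    -ApplicationPool "TenantsGroupAPool" -ApplicationPoolAccount $acct `
    -DatabaseName "WSS_Content_TenantsA" `
    -ServiceApplicationProxyGroup $proxyGroup `
    -AuthenticationProvider $ntlm

# Verify: the web application must resolve exactly the proxies listed above,
# nothing from the default group.
$actual  = $wa.ServiceApplicationProxyGroup.Proxies | ForEach-Object { $_.DisplayName }
$missing = $wanted | Where-Object { $actual -notcontains $_ }
$extra   = $actual | Where-Object { $wanted -notcontains $_ }
if ($missing -or $extra) {
    Write-Warning ("Proxy group mismatch. Missing: {0}; unexpected: {1}" -f ($missing -join ", "), ($extra -join ", "))
} else {
    "Web application '$($wa.DisplayName)' sees only: $($actual -join ', ')"
}
```

The check at the end is the point of the exercise: a tenant web application that accidentally sits in the default group sees every service application in the farm, including any that were created without partition mode, so the proxy list is worth asserting after every farm change.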

Service applications

A service application is a logical representation of a given service together with the security and management configuration that defines its operational behavior. Examples include Managed Metadata and User Profiles. Different service applications are implemented in different ways, and this influences the design of multi-tenant solutions.

To determine the list of service applications that are available in SharePoint Server 2013 and their availability across SharePoint editions with the multi-tenancy feature, see the Services and Functionalities section in General guidance for hosters in SharePoint Server 2013.

Feature packs and licensing

A feature pack in SharePoint is a way to group a set of site-scoped or web-scoped features together. After SharePoint features are grouped, the pack can be associated with a site subscription (that is, a tenant). All site collections in that site subscription (tenant) can then use only the site-scoped or web-scoped features that are part of the feature pack. This capability enables service providers to offer tiered service plans based on different sets of features.

SharePoint Server 2013 adds a feature for assigning different SharePoint licenses on a per-user basis. It also turns on SharePoint license checks at run time. This feature gives a service provider additional flexibility to build different service offerings on a single, simplified deployment model. In previous SharePoint versions, service providers had to build a separate SharePoint deployment model for each SharePoint edition. For additional information about SharePoint features, see the SharePoint feature availability across on-premises solutions section of the following article: SharePoint Online Service Description.

Information Rights Management

Information Rights Management integration in SharePoint Server 2013 adds support for multi-tenancy, which makes it possible to manage Information Rights Management settings at the tenant level.
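The following PowerShell is an added example, not code from the original article, that applies the three tenant-scoped controls described in the preceding sections (feature pack, per-user licensing, tenant-level IRM) to one site subscription to build a "Standard" service tier. The tenant administration URL, the feature pack name and its member features, the AD group CONTOSO\CompanyA-Standard, the license name and the RMS URL are assumptions for illustration.

```powershell
# Added example (not from the original article). Tenant admin URL, feature
# pack name, AD group, license name and RMS URL are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$tenantAdminUrl = "http://companya.contoso.com/sites/admin"
$sub = Get-SPSiteSubscription -Identity $tenantAdminUrl

# 1. Feature pack: site collections in the subscription can activate only
#    the site- and web-scoped features in the pack. The rest are hidden.
$packName = "Standard-Tier"
$pack = Get-SPSiteSubscriptionFeaturePack | Where-Object { $_.Name -eq $packName }
if ($null -eq $pack) {
    $pack = New-SPSiteSubscriptionFeaturePack -Name $packName
    # Features are addressed by folder name; only Site and Web scope are allowed.
    foreach ($featureName in "TeamCollab", "BaseWeb", "MobilityRedirect") {
        $feature = Get-SPFeature -Identity $featureName
        if ($feature.Scope -notin "Site", "Web") {
            throw "$featureName is $($feature.Scope)-scoped; feature packs take Site and Web scope only."
        }
        Add-SPSiteSubscriptionFeaturePackMember -Identity $pack -FeatureDefinition $feature
    }
}
Set-SPSiteSubscriptionConfig -Identity $sub -FeaturePack $pack

# 2. Per-user licensing (new in 2013). The run-time check is farm-wide and
#    off by default; mappings are farm-wide too, so key them by tenant group.
if (-not (Get-SPUserLicensing).Enabled) { Enable-SPUserLicensing }
$mapping = New-SPUserLicenseMapping -SecurityGroup "CONTOSO\CompanyA-Standard" -License Standard
Add-SPUserLicenseMapping -Mapping $mapping

# 3. Tenant-level IRM: this subscription uses the hoster's RMS cluster;
#    other subscriptions are unaffected.
Set-SPSiteSubscriptionIrmConfig -Identity $sub -IrmEnabled -CertificateServerUrl "https://rms.contoso.com"

# Verify what the tenant is now entitled to.
(Get-SPSiteSubscriptionConfig -Identity $sub).FeaturePack | Select-Object Name, Id
Get-SPSiteSubscriptionFeaturePackMember -Identity $pack | Select-Object DisplayName, Scope
Get-SPUserLicenseMapping | Select-Object License, Claim
Get-SPSiteSubscriptionIrmConfig -Identity $sub | Select-Object IrmEnabled, CertificateServerUrl
```

Feature packs are a whitelist: a feature that is not in the pack is not merely deactivated, it cannot be activated by the tenant at all, which is what makes the tiering enforceable rather than advisory. License mappings and the licensing switch are farm-wide, so a hoster should key mappings on per-tenant security groups as above rather than on broad groups shared across customers.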

Architecture design considerations

This section describes various considerations for architecting a multi-tenant SharePoint Server 2013 environment. As described earlier in this document, multi-tenancy brings some unique characteristics to consider when you architect and design a SharePoint Server 2013 environment. You have to weigh those factors against your requirements to make appropriate decisions.

Understand boundaries and limits in SharePoint Server 2013

Understanding the software boundaries and limits of SharePoint Server 2013 will help you make the right decisions when selecting the appropriate architecture for a multi-tenant SharePoint environment. For additional information about the key boundaries and limits for content databases and site collections as they apply to a multi-tenant SharePoint Server 2013 environment, see Software boundaries and limits for SharePoint Server 2016.

Shared farm vs. dedicated farm

Using a shared farm to host multi-tenant site collections on a single web application provides better scalability than using a dedicated web application per tenant.

Use a dedicated web application and application pool per customer only if you need to satisfy requirements for isolation.

Do not allow full-trust code to be deployed to sites. A farm (full-trust) solution runs inside the shared worker process under the application pool identity, so one tenant's code can reach every other tenant's content in that web application.

Do not allow customizations that affect shared resources, such as the web.config file.

Use host-named site collections to create multiple root-level site collections (domain-named sites) throughout a web application.

One web application vs. multiple web applications

Use dedicated web applications for tenants that require customizations affecting resources that are shared across a web application, such as the web.config file.

When combining multiple tenants in a single farm, use a dedicated SharePoint web application for all authenticated content and a separate dedicated web application for all anonymous content. This requires two separate subscription IDs for tenants that have both types of content. It also simplifies licensing.

Some SharePoint features are bound to the web application level, such as the Self-Service Site Collection Creation setting. After it is turned on, all tenants in the same web application will be able to create site collections.

Single farm environment design

In a multi-organization hosting environment in which tenant data and administration are isolated, the configuration of partitioned and shared services is very important. This example provides a practical implementation of partitioned services and also provides recommendations about how to deploy customer sites.

This example details the following ways in which customer sites can be deployed in a farm:

  • Dedicated application pool and web application

  • Shared application pool and dedicated web application

  • Shared web application

    • Authenticated sites

    • Unauthenticated sites

Use a dedicated application pool per customer only if you need to satisfy requirements for isolation. Use dedicated web applications for tenants that require customizations affecting resources that are shared across a web application, such as the web.config file.

When combining multiple tenants in a single farm, use a dedicated web application for all authenticated content and a separate dedicated web application for all anonymous content. This requires two separate subscription IDs for tenants that have both types of content. It also simplifies licensing.

Do not allow full-trust code to be deployed to sites.

Do not allow customizations that affect shared resources, such as the web.config file.

In the following example (authenticated sites), a different host-named site collection is used for each company. Company C has two different host-named site collections. Beneath each top-level host-named site collection, a managed path is used to create a second tier of top-level site collections for sites such as team sites, My Sites, published intranet content, or separate divisional sites.
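The following PowerShell is an added example, not code from the original article, that provisions the layout just described (and the host-named site collection approach from the earlier section) on one shared web application: one site subscription per company, a tenant administration site, one root host-named site collection per DNS name (two for Company C), and a second-tier site under a wildcard host-header managed path. The web application URL, DNS names, owner accounts, content database name and templates are assumptions for illustration.

```powershell
# Added example (not from the original article). Web application URL, DNS
# names, owner accounts, content database and template names are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication "http://tenants.contoso.com"
$contentDb = "WSS_Content_Tenants"

# Second-tier managed paths for host-named site collections are wildcard
# host-header paths; they apply under every host name in the web application.
foreach ($path in "sites", "personal") {
    if (-not (Get-SPManagedPath -HostHeader | Where-Object { $_.Name -eq $path })) {
        New-SPManagedPath $path -HostHeader | Out-Null
    }
}

function New-TenantSite {
    param($Subscription, [string]$Url, [string]$Owner, [string]$Template, [string]$Title)
    # -HostHeaderWebApplication makes this a host-named site collection;
    # -SiteSubscription puts it in the tenant's partition.
    New-SPSite -Url $Url -HostHeaderWebApplication $wa -SiteSubscription $Subscription `
        -OwnerAlias $Owner -Template $Template -Name $Title -ContentDatabase $contentDb
}

# Company C owns two DNS names and therefore two root host-named site collections.
$tenants = @(
    @{ Name = "Company A"; Hosts = @("companya.contoso.com");                        Owner = "CONTOSO\companya-admin" }
    @{ Name = "Company C"; Hosts = @("companyc.contoso.com", "portal.companyc.com"); Owner = "CONTOSO\companyc-admin" }
)

foreach ($t in $tenants) {
    # One subscription per company. Its ID is the partition key that every
    # partitioned service application uses to keep this tenant's data apart.
    $sub = New-SPSiteSubscription

    # Tenant administration site (TENANTADMIN#0): where the tenant admin manages
    # its own site collections without any access to Central Administration.
    New-TenantSite -Subscription $sub -Url ("http://{0}/sites/admin" -f $t.Hosts[0]) -Owner $t.Owner `
        -Template "TENANTADMIN#0" -Title ("{0} - Tenant Administration" -f $t.Name) | Out-Null

    foreach ($h in $t.Hosts) {
        # Root site per DNS name, then a second-tier site under the /sites/ managed path.
        New-TenantSite -Subscription $sub -Url "http://$h" -Owner $t.Owner -Template "STS#0" -Title $t.Name | Out-Null
        New-TenantSite -Subscription $sub -Url "http://$h/sites/team" -Owner $t.Owner -Template "STS#0" -Title "$($t.Name) - Team" | Out-Null
    }
    "{0}: subscription {1}" -f $t.Name, $sub.Id
}

# Verify the partitioning: every site collection in the web application must
# belong to a subscription; an unpartitioned site is visible to no tenant admin
# and is served by the unpartitioned (shared) data of every service application.
$sites = Get-SPSite -WebApplication $wa -Limit All
$sites | Select-Object Url, HostHeaderIsSiteName, @{ n = "SubscriptionId"; e = { $_.SiteSubscription.Id } } | Format-Table -AutoSize
$unpartitioned = $sites | Where-Object { $null -eq $_.SiteSubscription }
if ($unpartitioned) { Write-Warning ("Not in any tenant: " + ($unpartitioned.Url -join ", ")) }
$sites | ForEach-Object { $_.Dispose() }
```

Because the managed paths are host-header paths, adding a third DNS name for a tenant later needs nothing but another New-SPSite call; no per-tenant managed path is consumed, which is why this layout does not run into the managed path boundary that path-based tenants do.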

Tiered environment design

As described earlier, there are many things to consider when you plan a multi-tenant SharePoint Server 2013 hosting platform; among these factors are cost, simplified management, resource isolation, performance, and scalability.

As your customer base grows, you may find it difficult to meet all of the requirements of all of your customers in a single environment. At that point, certain tradeoffs have to be made when you seek to balance those factors.

In such a case, an alternative that you might want to consider is a tiered-environment design in which multiple SharePoint environments meet the various needs of your customers. Each environment would focus on a different aspect of your service offerings, such as low cost, high density, higher resource isolation, or better quality of service (QoS) at a higher cost.

This tiered-environment design approach lets you offer different service level agreements to your customers. As a result, you could serve a broader range of customers, simplify your management and operations, lower your management costs, and increase your profit margins.

Security considerations

This section discusses various security considerations for planning and designing a multi-tenant SharePoint Server 2013 hosting platform. From this point forward, any section that talks about People Picker configuration, such as the Organizational Unit (OU) section, applies without additional customization only when Windows authentication is used.

SharePoint Server 2013 supports many authentication methods and authentication providers for the following authentication types:

  • Windows authentication

  • Forms-based authentication

  • SAML token-based authentication

The Windows authentication type takes advantage of your existing Windows authentication provider and the authentication protocols that a Windows domain environment uses to validate the credentials of connecting clients. Windows authentication methods, which are used by both claims-based authentication and classic mode, include the following:

  • NTLM

  • Kerberos

  • Digest

  • Basic

Forms-based authentication (FBA) is a claims-based identity management system that is based on ASP.NET membership and role provider authentication. Forms-based authentication can be used against credentials that are stored in an authentication provider such as the following:

  • Active Directory Domain Services (AD DS)

  • A database such as a SQL Server database

  • A Lightweight Directory Access Protocol (LDAP) data store such as Novell eDirectory, Novell Directory Services (NDS), or Sun ONE

Forms-based authentication validates users based on credentials that they enter into a logon form (typically a web page). Unauthenticated requests are redirected to a logon page, where the user must provide valid credentials and submit the form. The system issues a cookie for authenticated requests that contains a key for re-establishing the identity on later requests; because that cookie is the session credential, the logon page and the zone that uses forms-based authentication should be served only over SSL.

To use forms-based authentication to authenticate users against an identity management system that is not based on Windows or that is external, you must register the membership provider and role manager in several web.config files. SharePoint Server 2013 uses the standard ASP.NET role manager interface to collect group information about the current user. Each ASP.NET role is treated as a domain group by the authorization process in SharePoint Server 2013. You register a role manager in a web.config file exactly as you register a membership provider for authentication.

If you want to manage membership users or roles from the Central Administration website, you must register the membership provider and the role manager in the web.config file of the Central Administration website. You must also register the membership provider and the role manager in the web.config file of the web application that hosts the content and in the web.config file of the Security Token Service.

SAML token-based authentication in SharePoint Server 2013 uses the SAML 1.1 protocol and the WS-Federation Passive Requestor Profile (WS-F PRP). It requires coordination with the administrators of a claims-based environment, whether that is your own internal environment or a partner environment. If you use Active Directory Federation Services (AD FS) 2.0, you have a SAML token-based authentication environment.

For web applications that use claims-based authentication, People Picker is a control that is available within SharePoint Server 2013. The People Picker control uses claims providers to list, resolve, search, and determine the "friendly" display of users, groups, and claims. For additional information about People Picker configuration, see People Picker and claims providers overview.

Zones represent different logical paths to gain access to the same sites in a web application. Each web application can include as many as five zones. When you create a web application, Central Administration creates the zone named Default. To create additional zones, extend the web application and select one of the remaining zone names: Intranet, Extranet, Internet, or Custom.
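The following PowerShell is an added example, not code from the original article. It puts the design rule from the architecture section (one web application for authenticated tenant content, a separate one for anonymous content) together with the authentication types and zones described above: the authenticated web application gets Windows claims plus a forms-based provider on its Default zone and is then extended with an Intranet zone, the anonymous web application gets anonymous access enabled, and self-service site collection creation is switched off on both because that setting is web-application-wide. The managed account, provider names, host names, pool names and database names are assumptions; the FBA membership and role providers are assumed to be registered already in the web.config files of Central Administration, the content web application and the Security Token Service, which this script does not do.

```powershell
# Added example (not from the original article). Managed account, provider
# names, host names and database names are assumptions. The FBA membership and
# role providers must already be registered in the web.config files of Central
# Administration, this web application and the Security Token Service.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$acct = Get-SPManagedAccount "CONTOSO\SPWebApp"

# Providers for the Default zone of the authenticated web application:
# Windows claims (NTLM) plus forms-based claims, side by side.
$ntlm = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos
$fba  = New-SPAuthenticationProvider -ASPNETMembershipProvider "TenantMembership" -ASPNETRoleProviderName "TenantRoles"

# All authenticated tenant content, SSL only (the FBA cookie travels in clear otherwise).
$authWa = New-SPWebApplication -Name "Tenants - Authenticated" -Port 443 -SecureSocketsLayer `
    -HostHeader "tenants.contoso.com" -Url "https://tenants.contoso.com" `
    -ApplicationPool "TenantsAuthPool" -ApplicationPoolAccount $acct `
    -DatabaseName "WSS_Content_Tenants_Auth" -AuthenticationProvider $ntlm, $fba

# All anonymous content in its own web application and application pool.
# Anonymous access is enabled here and only here.
$anonWa = New-SPWebApplication -Name "Tenants - Anonymous" -Port 80 `
    -HostHeader "public.contoso.com" -Url "http://public.contoso.com" `
    -ApplicationPool "TenantsAnonPool" -ApplicationPoolAccount $acct `
    -DatabaseName "WSS_Content_Tenants_Anon" -AuthenticationProvider $ntlm -AllowAnonymousAccess

# Settings bound to the web application apply to every tenant in it: keep
# self-service site collection creation off on shared web applications.
foreach ($wa in $authWa, $anonWa) {
    $wa.SelfServiceSiteCreationEnabled = $false
    $wa.Update()
}

# A second zone is another IIS site onto the same content: here an Intranet
# zone with Kerberos for clients on the hoster's own network.
$kerberos = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
New-SPWebApplicationExtension -Identity $authWa -Name "Tenants - Authenticated (Intranet)" `
    -Zone Intranet -Port 443 -SecureSocketsLayer -HostHeader "tenants-int.contoso.com" `
    -Url "https://tenants-int.contoso.com" -AuthenticationProvider $kerberos | Out-Null

# Verify per zone: response URL, providers, anonymous flag, self-service setting.
foreach ($id in $authWa.Id, $anonWa.Id) {
    $wa = Get-SPWebApplication -Identity $id
    foreach ($zone in $wa.IisSettings.Keys) {
        $s = $wa.IisSettings[$zone]
        $providers = ($s.ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }) -join ", "
        "{0} [{1}] url={2} anonymous={3} selfService={4} providers={5}" -f $wa.DisplayName, $zone,
            $wa.GetResponseUri($zone).AbsoluteUri, $s.AllowAnonymous, $wa.SelfServiceSiteCreationEnabled, $providers
    }
}
```

The verification loop is worth keeping as a recurring check: anonymous access and self-service site creation are both per web application (per zone, in the case of anonymous access), so a single mistaken toggle exposes or empowers every tenant in that web application at once.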

Organizational Units

Organizational Units (OUs) organize user and computer objects in the Active Directory environment. For hosting purposes, the Organizational Unit structure could be organized as shown in the following diagram.

This diagram shows the Organization unit structure for a hosting environment

At a minimum, you will want to link a Group Policy Object to the domain root, the Domain Controllers OU, the SharePoint Servers OU, and the Customers OU.

Domain Root

Security that applies to the whole domain is applied in the Domain Policy. These settings are contained in Group Policy Objects (GPOs) that apply to the whole domain.

Domain Controllers OU

Domain controllers hold the most sensitive data in your organization: the data that controls the security configuration itself. GPOs applied at this level are used to configure and protect the domain controllers in the domain.

SharePoint Servers OU

The SharePoint servers have a unique role that other servers in the directory do not share. Putting these servers in their own OU allows unique policies to be applied to them, and they can also be segregated from the other servers in the directory. Sub-OUs can be created when different GPOs are needed (for example, anonymous-access content servers versus authenticated content servers).

Customers OU

This top-level OU lets all customer user accounts be segregated from the rest of the directory. The next level of OUs contains the customer OUs, one OU per customer. This lets all user accounts and computer accounts of one customer be segregated from those of other customers. Furthermore, this is the OU structure required to support User Profile Synchronization in multi-tenant deployments.

To give users the impression that they are logging in to their own custom domain, use the Active Directory Service Interfaces Editor (ADSI Edit) or another AD tool to edit the uPNSuffixes attribute of each customer OU, as shown in the following diagram.

This diagram shows the ADSI Property Editor Dialog for the uPNSuffixes attribute

Once the uPNSuffixes attribute of a customer OU is configured, its value is available to associate with user accounts within that customer OU, as shown in the following diagram.

This diagram shows the new object dialog which lets you create a new user
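The following PowerShell is an added example, not code from the original article, that builds the OU layout described above with the ActiveDirectory and GroupPolicy modules, links one GPO at each of the four minimum tiers, sets the uPNSuffixes attribute on a customer OU (the step shown in ADSI Edit above) and creates a user whose UPN uses that suffix. The domain, OU and GPO names, the customer name CompanyA, the suffix companya.com and the user are assumptions for illustration.

```powershell
# Added example (not from the original article). Domain, customer name,
# UPN suffix, user and GPO names are assumptions. Run on a machine with RSAT.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=hosting,DC=local

function Add-HostingOu {
    param([string]$Name, [string]$ParentDn)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $ParentDn -SearchScope OneLevel
    if ($null -eq $existing) {
        $existing = New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true -PassThru
    }
    return $existing.DistinguishedName
}

# Top-level OUs: farm servers, and all customer accounts away from everything else.
$spOu        = Add-HostingOu -Name "SharePoint Servers" -ParentDn $domainDn
$customersOu = Add-HostingOu -Name "Customers"          -ParentDn $domainDn
# Sub-OUs when server roles need different GPOs.
Add-HostingOu -Name "Anonymous Content"     -ParentDn $spOu | Out-Null
Add-HostingOu -Name "Authenticated Content" -ParentDn $spOu | Out-Null

# The minimum set of GPO links: domain root, Domain Controllers, SharePoint Servers, Customers.
$links = [ordered]@{
    "Hosting - Domain Baseline"    = $domainDn
    "Hosting - Domain Controllers" = "OU=Domain Controllers,$domainDn"
    "Hosting - SharePoint Servers" = $spOu
    "Hosting - Customer Users"     = $customersOu
}
foreach ($gpoName in $links.Keys) {
    $target = $links[$gpoName]
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
    $linked = (Get-GPInheritance -Target $target).GpoLinks | ForEach-Object { $_.DisplayName }
    if (-not ($linked -contains $gpoName)) { New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null }
}

# One OU per customer, carrying its own UPN suffix (the uPNSuffixes attribute
# edited in ADSI Edit above). Users created in that OU can then be given a UPN
# in the customer's own domain name.
$companyOu = Add-HostingOu -Name "CompanyA" -ParentDn $customersOu
Set-ADOrganizationalUnit -Identity $companyOu -Add @{ uPNSuffixes = "companya.com" }

$password = Read-Host -AsSecureString -Prompt "Initial password for alice@companya.com"
New-ADUser -Name "Alice Example" -SamAccountName "alice.companya" -UserPrincipalName "alice@companya.com" `
    -Path $companyOu -AccountPassword $password -Enabled $true

# Verify: the suffix is on the OU, the user carries it, and the user sits
# under the Customers tree (the structure User Profile Synchronization expects).
Get-ADOrganizationalUnit -Identity $companyOu -Properties uPNSuffixes | Select-Object Name, uPNSuffixes
$user = Get-ADUser -Identity "alice.companya"
if ($user.DistinguishedName -notlike "*,$customersOu") { throw "User is outside the Customers OU tree." }
$user | Select-Object UserPrincipalName, DistinguishedName
```

On the SharePoint side, the customer OU's distinguished name is the value to pass to Set-SPSiteSubscriptionConfig -UserAccountDirectoryPath for that tenant's site subscription; that is what scopes People Picker (with Windows authentication) and profile synchronization for the tenant to its own OU instead of the whole directory.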

User authentication

User authentication is the validation of a user's identity against an authentication provider, which is a directory or database that contains the user's credentials and can confirm that the user submitted them correctly. An example of an authentication provider is Active Directory Domain Services (AD DS). Other common names for an authentication provider are user directory and attribute store.

An authentication method is a specific exchange of account credentials and other information that asserts a user's identity. The result of the authentication method is proof, typically in the form of a token that contains claims, that an authentication provider has authenticated the user.

An authentication type is a specific way of validating credentials against one or more authentication providers, sometimes using an industry-standard protocol. An authentication type can use multiple authentication methods.

After a user's identity is validated, the authorization process determines the sites, content, and other features that the user can access.

Planning for user authentication types and methods should determine the following items:

  • The user authentication types and methods for each web application and zone.

  • The authentication infrastructure needed to support the chosen authentication types and methods.

  • How to migrate your current web applications and zones that use classic mode authentication to claims-based authentication.

Active Directory Federation Services (AD FS)

SharePoint Server 2013 supports claims-based authentication. Active Directory Federation Services (AD FS) can be configured to act as an Identity Provider Security Token Service (IP-STS) for a SharePoint Server 2013 web application. In this configuration, AD FS issues SAML-based security tokens consisting of claims so that client computers can access web applications that use claims-based authentication. You can use an identity provider other than AD FS, but it must support the WS-Federation standard. Custom code may also be required with this configuration; in particular, the People Picker does not validate the users it resolves from a SAML provider unless a custom claims provider is installed.

For additional information about how to configure SAML-based claims authentication with AD FS for SharePoint Server 2013, see Configure SAML-based claims authentication with AD FS in SharePoint Server.
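The following PowerShell is an added example, not code from the original article, showing the SharePoint side of registering AD FS as the IP-STS: the AD FS token-signing certificate becomes a trusted root authority, the incoming claim types are mapped, a trusted identity token issuer is created and attached to a zone of a tenant web application. The AD FS host name, the certificate path, the realm, the web application URL and the assumption that the web application has already been extended to an Extranet zone are all assumptions for illustration; the matching relying party trust on the AD FS side is configured separately.

```powershell
# Added example (not from the original article). AD FS host, certificate
# path, realm and web application URL are assumptions; the Extranet zone is
# assumed to exist already (New-SPWebApplicationExtension).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Token-signing certificate exported from AD FS (public key only). SharePoint
# verifies every incoming SAML token against this certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-token-signing.cer")
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert | Out-Null

# Incoming claim types and how SharePoint names them. E-mail is the identifier
# claim; the role claim carries group membership used for authorization.
$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$role  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$realm  = "urn:sharepoint:tenants"            # must equal the relying party identifier in AD FS
$signIn = "https://adfs.contoso.com/adfs/ls"  # WS-Federation passive requestor endpoint

$issuer = New-SPTrustedIdentityTokenIssuer -Name "Contoso ADFS" -Description "AD FS IP-STS for tenant web apps" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $email, $role `
    -SignInUrl $signIn -IdentifierClaim $email.InputClaimType

# Attach the trusted provider to the Extranet zone of the tenant web application.
$wa = Get-SPWebApplication "https://tenants.contoso.com"
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $wa -Zone Extranet -AuthenticationProvider $provider

# Verify the trust as SharePoint sees it.
Get-SPTrustedIdentityTokenIssuer -Identity "Contoso ADFS" | Select-Object Name, IdentifierClaim, ProviderRealms, SigningCertificate
```

Two caveats follow from the text above. First, the identifier claim is what SharePoint permissions are keyed on, so the value AD FS issues for it must be unique and stable per user; an e-mail address that a hoster lets tenants change is a weak choice. Second, until a custom claims provider is deployed, People Picker will accept any string typed for this provider and grant it permissions, so a typo in an e-mail address silently creates an entry that a future account with that address will inherit.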

管理和作業考量Management and operational considerations

本節討論多承租人 SharePoint Server 2013 環境的各種管理和作業考量。This section discusses various management and operational considerations for a multi-tenant SharePoint Server 2013 environment.

容量管理Capacity management

因為內容及使用不會停歇,所以「內容管理」這項程序也會持續不斷地進行。您必須規劃成長與變更,讓 SharePoint Server 2013 環境能夠一直提供有效率的商務方案。如需 SharePoint Server 2013 中容量管理的其他資訊,請參閱Capacity management and sizing overview for SharePoint Server 2013Capacity management is an ongoing process because no implementation remains static about content and usage. You have to plan for growth and change so that the SharePoint Server 2013 environment can continue to deliver an effective business solution. For additional information about capacity management in SharePoint Server 2013, see Capacity management and sizing overview for SharePoint Server 2013.

應用程式管理App management

SharePoint 應用程式有新方法可以將特定的資料或功能傳送給 SharePoint 網站。SharePoint 相關應用程式是一支小型的獨立應用程式,用法十分簡單,可以滿足某些特殊使用者或商務的需求。網站擁有者可以在公用的 SharePoint 市集或組織內容的應用程式目錄探索及下載 SharePoint 應用程式,再將其安裝到自己的 SharePoint 網站。這些 SharePoint 應用程式集結了多項網路功能,可以讓 SharePoint Server 2013 如虎添翼。這些功能不會取代 SharePoint 功能與解決方案套件,而只會自訂或增加 SharePoint 網站。不同於需要伺服器陣列或網站集合管理員安裝的功能與解決方案,SharePoint 應用程式是獨立的應用程式,網站擁有者只需要將其加入 SharePoint 網站即可。SharePoint 應用程式的流程十分簡單,網站擁有者可以安裝、升級及取消安裝。The apps for SharePoint provide a new method to deliver specific information or functionality to a SharePoint site. An app for SharePoint is a small, easy-to-use, stand-alone app that solves a specific end-user or business need. Site owners can discover and download apps for SharePoint from a public SharePoint Store or from their organization's internal App Catalog and install them on their SharePoint sites. These apps for SharePoint integrate the best of the web with SharePoint Server 2013. They do not replace SharePoint features and solution packages, which customize or increase SharePoint sites. Unlike features and solutions, which farm or site collection administrators have to install, apps for SharePoint are stand-alone applications that owners of sites can add to their SharePoint sites. The apps for SharePoint have a simple life-cycle: they can be installed, upgraded, and uninstalled by site owners.

SharePoint Server 2013 中的 App Management Service 具有多重租用功能。大部分應用程式設定和管理功能是透過承租人管理網站公開,並允許每個承租人管理員設定其個別設定。The App Management Service in SharePoint Server 2013 is multi-tenancy aware. Most of app configuration and management functionality is exposed through the Tenant Administration site and allows each tenant administrator to configure their individual settings.

Backup and restore

When performing tenant-agnostic backup and restore operations on a multi-tenant SharePoint Server 2013 hosting platform, you can follow the general guidance for performing backup and restore operations on SharePoint Server 2013 environments; see Backup and restore in SharePoint Server.

Notice that in SharePoint Server 2013, the Workflow platform is separate from the SharePoint platform. Therefore, backup and restore operations on the Workflow Manager should be coordinated with SharePoint backup and restore operations to ensure both remain in sync with one another. For additional guidance about how to plan backup and restore operations for Workflow Manager, see Disaster Recovery and Scope Restore in Workflow Manager 1.0.

When you perform tenant-specific backup and restore operations on a multi-tenant SharePoint Server 2013 hosting platform, you might have to keep the following tenant-aware components in sync with one another: service applications, workflow, content databases, and site collections.

Service applications

Service applications that are configured in Partition Mode have one or more associated databases that contain tenant-specific data. While you can perform general backup and restore operations on these service applications at both the application and database levels, only limited commands exist to perform tenant-specific, granular backup and restore operations on these service applications or their databases.

Service application considerations

App Management Service

The App Management Service is the service application used for managing the apps for SharePoint feature that is introduced in SharePoint Server 2013. The apps for SharePoint provide a new method to deliver specific information or functionality to a SharePoint site. An app for SharePoint is a small, easy-to-use, stand-alone app that solves a specific end-user or business need. The App Management Service does not support Partition Mode; however, it is natively Site Subscription aware. In a multi-tenant SharePoint environment, most App Management functionality (that is, Manage App Catalog, Manage App Licenses, App Permissions, and so on) is accessed by using the Tenant Administration Site.

The following diagram shows App Management on the Tenant Administration Site.

The diagram shows the Tenant Administration Site for App Management

Business Data Connectivity service

Once configured in partition mode, all configuration of the Business Data Connectivity service moves to tenant administration. However, the Tenant Administration site template does not include the link to this page; it can be added by using the customization technique in the Extending the Tenant Administration site template section.

Secure Store service

Once configured in partition mode, the generation of encryption keys remains a farm-level configuration performed either through Central Administration or Windows PowerShell. The remainder of the Secure Store service configuration moves to tenant administration. However, the Tenant Administration site template does not include the link to this page; it can be added by using the customization technique in the Extending the Tenant Administration site template section.

Managed metadata service

Once configured in partition mode, all configuration moves to tenant administration, and Content Type publishing is enabled by default.

Search service

Many tenant-specific search configuration functions are exposed in the Tenant Administration site, as shown in the following diagram.

This diagram shows the Search Administration features located on the Tenant Administration site

Note

Many of the *.EnterpriseSearch* Microsoft PowerShell cmdlets are now partition-aware and can be used to automate some of the configuration and management functions exposed in the Tenant Administration site.

User Profile service

A large number of configuration elements move to tenant administration; however, much of the configuration for Profile Synchronization remains at the farm level and applies to all tenants, as illustrated in the following figure.

This figure illustrates the User Profile configuration

Workflow

As noted previously, in SharePoint Server 2013 the Workflow platform is separate from the SharePoint platform. The Workflow platform itself uses one or more databases. While you can perform general database-level backup and restore operations on these databases, there are no commands or utilities to perform tenant-specific backup and restore operations on these Workflow databases.

Content databases

If a tenant has exclusive use of one or more dedicated content databases, you can perform general database-level backup and restore operations on these databases.

Note

Exclusive use of one or more dedicated content databases cannot be achieved by using standard product features such as self-service site creation. This is an example of where customization is required in order to meet a particular service level offering.

The following Microsoft PowerShell script shows how to perform an initial backup of a tenant content database.

Add-PSSnapin microsoft.sharepoint.powershell -ea SilentlyContinue
Backup-SPFarm -Directory "c:\backups\alpha" -Item "HostingFarm_Content_Hosting" -BackupMethod Full
Write-Host "Tenant Content Database Backup Script Completed!"

The following Microsoft PowerShell script shows how to perform a restore operation on a tenant content database:

Add-PSSnapin microsoft.sharepoint.powershell -ea SilentlyContinue
Restore-SPFarm -Directory "c:\backups\alpha" -Item "HostingFarm_Content_Hosting" -RestoreMethod Overwrite
Write-Host "Tenant Content Database Restore Script Completed!"

Site collections

You can perform specific backup and restore operations on a tenant site collection. The tool that you choose depends on the size of the site collection itself. Microsoft PowerShell cmdlets are an appropriate choice for small- to medium-sized site collections.

The following Microsoft PowerShell script shows how to perform a backup of a tenant site collection.

Add-PSSnapin microsoft.sharepoint.powershell -ea SilentlyContinue
Backup-SPSite -Identity "http://alpha.contoso.com" -Path "c:\backups\alpha\root.bak" -UseSqlSnapshot
Write-Host "Tenant Site Collection Backup Script Completed!"

The following script shows how to perform a restore operation on a tenant site collection:

Add-PSSnapin microsoft.sharepoint.powershell -ea SilentlyContinue
# -GradualDelete removes the existing site collection in the background; -Confirm:$false suppresses the prompt
Restore-SPSite -Identity "http://alpha.contoso.com" -Path "c:\backups\alpha\root.bak" -DatabaseServer "SQLServer01" -DatabaseName "HostingFarm_Content_Hosting" -HostHeaderWebApplication "http://$ENV:COMPUTERNAME" -GradualDelete -Confirm:$false -Force
Write-Host "Tenant Site Collection Restore Script Completed!"
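The scripts above back up a single, known site collection. Because a tenant is a site subscription, a practical tenant-level backup enumerates every site collection in that subscription and records which content database each one lived in, so the set can be restored together. The following script is an added example, not part of the original article or of Spencer Harbar's scripts; the subscription ID and the backup root are placeholders, and it assumes the same Backup-SPSite approach (-UseSqlSnapshot requires a SQL Server edition that supports database snapshots).

```powershell
# Added example: back up all site collections of one site subscription (tenant)
# into a time-stamped per-tenant folder and write a manifest for a coordinated restore.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Backup-TenantSiteCollections {
    param(
        [Parameter(Mandatory = $true)][string]$SiteSubscriptionId,  # GUID of the tenant's site subscription (placeholder)
        [Parameter(Mandatory = $true)][string]$BackupRoot           # e.g. "c:\backups" (placeholder)
    )
    $subscription = Get-SPSiteSubscription -Identity $SiteSubscriptionId
    if ($subscription -eq $null) { throw "Site subscription $SiteSubscriptionId was not found." }

    $stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
    $folder = Join-Path $BackupRoot (Join-Path $subscription.Id.ToString() $stamp)
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    $manifest = @()
    # -Limit All: the default result limit would silently truncate larger tenants
    $sites = Get-SPSite -SiteSubscription $subscription -Limit All
    foreach ($site in $sites) {
        # Derive a file name from the host-named URL, e.g. alpha.contoso.com.bak
        $safeName = ($site.Url -replace '^https?://', '') -replace '[\\/:*?"<>|]', '_'
        $path = Join-Path $folder "$safeName.bak"
        Write-Host "Backing up $($site.Url) -> $path"
        # -UseSqlSnapshot avoids locking the site collection for the duration of the backup
        Backup-SPSite -Identity $site.Url -Path $path -UseSqlSnapshot -Force
        $manifest += [PSCustomObject]@{
            Url             = $site.Url
            ContentDatabase = $site.ContentDatabase.Name
            BackupFile      = $path
            SizeBytes       = (Get-Item $path).Length
        }
        $site.Dispose()
    }
    # The manifest ties site collections, their content databases and backup files together,
    # which is what a tenant-specific restore has to keep in sync
    $manifest | Export-Csv -Path (Join-Path $folder "manifest.csv") -NoTypeInformation
    return $manifest
}

# Usage (placeholder subscription ID):
# Backup-TenantSiteCollections -SiteSubscriptionId "00000000-0000-0000-0000-000000000000" -BackupRoot "c:\backups"
```

Verify the manifest after each run: a site collection whose backup file is missing or unexpectedly small is the first sign that the tenant set can no longer be restored consistently.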

Monitoring

There are many tools that allow you to monitor SharePoint Server 2013 and troubleshoot problems. Different tools cover different aspects of the environment, although there may be overlapping areas. Consider which tools maximize your monitoring benefits. For additional guidance about how to plan monitoring for SharePoint Server 2013, see Plan for monitoring in SharePoint Server.

Feature pack management

As described earlier, a feature pack can be used to group different features together and associate them with a site subscription (that is, a tenant). All site collections in the site subscription (tenant) can use only the site-scoped or web-scoped features that are part of the feature pack. This capability enables service providers to offer tiered service plans based on different sets of features. Feature packs are created by using the New-SPSiteSubscriptionFeaturePack cmdlet to create the feature pack container and the Add-SPSiteSubscriptionFeaturePackMember cmdlet to add the individual features to that container.

The following Microsoft PowerShell script shows how to create a tenant-level feature pack representing SharePoint Foundation 2013 features, and stores the Feature Pack ID in the farm's property bag.

Note

The Subscription Settings service application must be present before executing scripts that work with Feature Packs.

<#
   Feature Packs.ps1
    Creates a new Feature Pack comprised of SharePoint Foundation 2013 Features
    Adds the Feature Pack ID with a friendly name to the Farm's Property Bag for future use.

#>
asnp Microsoft.SharePoint.PowerShell
# Create an alias for Add-SPSiteSubscriptionFeaturePackMember 
Set-Alias AddFeature Add-SPSiteSubscriptionFeaturePackMember
# create a new feature pack, and store it in the Farm's Property Bag
$ffp = New-SPSiteSubscriptionFeaturePack
$farm = Get-SPFarm
$farm.Properties.Add("Foundation_FeaturePack", $ffp.Id);
$farm.Update();
# add foundation features to the feature pack
# web scoped features...
AddFeature -identity $ffp -FeatureDefinition  XmlFormLibrary
AddFeature -identity $ffp -FeatureDefinition  LinksList
AddFeature -identity $ffp -FeatureDefinition  WorkflowProcessList
AddFeature -identity $ffp -FeatureDefinition  GridList
AddFeature -identity $ffp -FeatureDefinition  WorkflowHistoryList
AddFeature -identity $ffp -FeatureDefinition  TeamCollab
AddFeature -identity $ffp -FeatureDefinition  GanttTasksList
AddFeature -identity $ffp -FeatureDefinition  PictureLibrary
AddFeature -identity $ffp -FeatureDefinition  IssuesList
AddFeature -identity $ffp -FeatureDefinition  DiscussionsList
AddFeature -identity $ffp -FeatureDefinition  ContactsList
AddFeature -identity $ffp -FeatureDefinition  ExternalList
AddFeature -identity $ffp -FeatureDefinition  TasksList
AddFeature -identity $ffp -FeatureDefinition  WebPageLibrary
AddFeature -identity $ffp -FeatureDefinition  AnnouncementsList
AddFeature -identity $ffp -FeatureDefinition  WikiPageHomePage
AddFeature -identity $ffp -FeatureDefinition  CustomList
AddFeature -identity $ffp -FeatureDefinition  DocumentLibrary
AddFeature -identity $ffp -FeatureDefinition  SurveysList
AddFeature -identity $ffp -FeatureDefinition  EventsList
AddFeature -identity $ffp -FeatureDefinition  DataSourceLibrary
AddFeature -identity $ffp -FeatureDefinition  NoCodeWorkflowLibrary
AddFeature -identity $ffp -FeatureDefinition  OsrvLinks
AddFeature -identity $ffp -FeatureDefinition  FCGroupsList
AddFeature -identity $ffp -FeatureDefinition  TenantAdminBDC
AddFeature -identity $ffp -FeatureDefinition  OssNavigation
AddFeature -identity $ffp -FeatureDefinition  IMEDicList
AddFeature -identity $ffp -FeatureDefinition  CallTrackList
AddFeature -identity $ffp -FeatureDefinition  SSSvcAdmin
AddFeature -identity $ffp -FeatureDefinition  MpsWebParts
AddFeature -identity $ffp -FeatureDefinition  GBWWebParts
AddFeature -identity $ffp -FeatureDefinition  FacilityList
AddFeature -identity $ffp -FeatureDefinition  ScheduleList
AddFeature -identity $ffp -FeatureDefinition  ObaProfilePages
AddFeature -identity $ffp -FeatureDefinition  GBWProvision
AddFeature -identity $ffp -FeatureDefinition  OSSSearchSearchCenterUrlFeature
AddFeature -identity $ffp -FeatureDefinition  WikiWelcome
AddFeature -identity $ffp -FeatureDefinition  MaintenanceLogs
AddFeature -identity $ffp -FeatureDefinition  TenantAdminLinks
AddFeature -identity $ffp -FeatureDefinition  HolidaysList
AddFeature -identity $ffp -FeatureDefinition  GroupWork
AddFeature -identity $ffp -FeatureDefinition  WhereaboutsList
AddFeature -identity $ffp -FeatureDefinition  CirculationList
AddFeature -identity $ffp -FeatureDefinition  TenantAdminSecureStore
AddFeature -identity $ffp -FeatureDefinition  SearchAdminWebParts
AddFeature -identity $ffp -FeatureDefinition  ObaSimpleSolution
AddFeature -identity $ffp -FeatureDefinition  TimecardList
AddFeature -identity $ffp -FeatureDefinition  WhatsNewList
AddFeature -identity $ffp -FeatureDefinition  MobilityRedirect
AddFeature -identity $ffp -FeatureDefinition  AdminLinks
AddFeature -identity $ffp -FeatureDefinition  SearchCenterLiteFiles
AddFeature -identity $ffp -FeatureDefinition  CorporateCatalog
AddFeature -identity $ffp -FeatureDefinition  BlogContent
AddFeature -identity $ffp -FeatureDefinition  PromotedLinksList
AddFeature -identity $ffp -FeatureDefinition  AppLockdown
AddFeature -identity $ffp -FeatureDefinition  AppRequestsList
AddFeature -identity $ffp -FeatureDefinition  SearchCenterUpgrade
AddFeature -identity $ffp -FeatureDefinition  SearchConfigFields
AddFeature -identity $ffp -FeatureDefinition  PhonePNSubscriber
AddFeature -identity $ffp -FeatureDefinition  SearchConfigContentType
AddFeature -identity $ffp -FeatureDefinition  GettingStarted
AddFeature -identity $ffp -FeatureDefinition  GettingStartedWithAppCatalogSite
AddFeature -identity $ffp -FeatureDefinition  ExternalSubscription
AddFeature -identity $ffp -FeatureDefinition  SearchCenterFiles
AddFeature -identity $ffp -FeatureDefinition  BcsEvents
AddFeature -identity $ffp -FeatureDefinition  OfficeExtensionCatalog
AddFeature -identity $ffp -FeatureDefinition  MDSFeature
AddFeature -identity $ffp -FeatureDefinition  TenantSearchAdmin
AddFeature -identity $ffp -FeatureDefinition  SiteAssets
AddFeature -identity $ffp -FeatureDefinition  PremiumSearchVerticals
AddFeature -identity $ffp -FeatureDefinition  AccessRequests
AddFeature -identity $ffp -FeatureDefinition  SearchConfigList
AddFeature -identity $ffp -FeatureDefinition  ReportAndDataSearch
AddFeature -identity $ffp -FeatureDefinition  MBrowserRedirect
AddFeature -identity $ffp -FeatureDefinition  BlogHomePage
AddFeature -identity $ffp -FeatureDefinition  SearchConfigListTemplate
AddFeature -identity $ffp -FeatureDefinition  SiteNotebook
AddFeature -identity $ffp -FeatureDefinition  HierarchyTasksList
AddFeature -identity $ffp -FeatureDefinition  BlogSiteTemplate
AddFeature -identity $ffp -FeatureDefinition  SearchCenterLiteUpgrade
# Site Scoped features...
AddFeature -identity $ffp -FeatureDefinition  BasicWebParts
AddFeature -identity $ffp -FeatureDefinition  OSSSearchEndUserHelpFeature
AddFeature -identity $ffp -FeatureDefinition  HelpLibrary
AddFeature -identity $ffp -FeatureDefinition  OfficeWebApps
AddFeature -identity $ffp -FeatureDefinition  WordServerViewing
AddFeature -identity $ffp -FeatureDefinition  OnenoteServerViewing
AddFeature -identity $ffp -FeatureDefinition  SiteHelp
AddFeature -identity $ffp -FeatureDefinition  ctypes
AddFeature -identity $ffp -FeatureDefinition  OSSSearchSearchCenterUrlSiteFeature
AddFeature -identity $ffp -FeatureDefinition  OpenInClient
AddFeature -identity $ffp -FeatureDefinition  ExcelServerEdit
AddFeature -identity $ffp -FeatureDefinition  AdminReportCore
AddFeature -identity $ffp -FeatureDefinition  fields
AddFeature -identity $ffp -FeatureDefinition  SearchServerWizardFeature
AddFeature -identity $ffp -FeatureDefinition  OSearchHealthReports
AddFeature -identity $ffp -FeatureDefinition  SearchWebParts
AddFeature -identity $ffp -FeatureDefinition  IssueTrackingWorkflow
AddFeature -identity $ffp -FeatureDefinition  ShareWithEveryone
AddFeature -identity $ffp -FeatureDefinition  MonitoredApps
AddFeature -identity $ffp -FeatureDefinition  SearchTaxonomyRefinementWebParts
AddFeature -identity $ffp -FeatureDefinition  SearchTaxonomyRefinementWebPartsHtml
AddFeature -identity $ffp -FeatureDefinition  SearchMaster
AddFeature -identity $ffp -FeatureDefinition  EnableAppSideLoading
AddFeature -identity $ffp -FeatureDefinition  Developer
AddFeature -identity $ffp -FeatureDefinition  AutohostedAppLicensing
AddFeature -identity $ffp -FeatureDefinition  AppRegistration
# Write-Host treats a bare "+" as a separate argument, so interpolate the ID inside the string
Write-Host "Feature Pack Created! $($ffp.Id)"
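Creating the pack only prepares the container; the restriction described above (site collections in the subscription can activate only features in the pack) takes effect once the pack is bound to the tenant's site subscription. The following script is an added example, not part of the original article or of Spencer Harbar's scripts. It assumes the "Foundation_FeaturePack" farm property written by the script above; the tenant site URL is a placeholder, and reading the feature count through the pack's FeatureDefinitions property is an assumption about the object model.

```powershell
# Added example: bind the feature pack stored in the farm property bag to a tenant's
# site subscription, then report what was applied.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-TenantFeaturePack {
    param(
        [Parameter(Mandatory = $true)][string]$TenantSiteUrl,  # any site collection of the tenant (placeholder)
        [string]$PropertyName = "Foundation_FeaturePack"        # farm property bag key written by the creation script
    )
    $farm   = Get-SPFarm
    $packId = $farm.Properties[$PropertyName]
    if ($packId -eq $null) { throw "Farm property '$PropertyName' not found; create the feature pack first." }

    $pack = Get-SPSiteSubscriptionFeaturePack -Identity $packId
    $site = Get-SPSite -Identity $TenantSiteUrl
    try {
        $subscription = $site.SiteSubscription
        if ($subscription -eq $null) { throw "$TenantSiteUrl does not belong to a site subscription." }

        # From now on, only features contained in the pack can be activated in any
        # site collection of this subscription; features outside it are hidden.
        Set-SPSiteSubscriptionConfig -Identity $subscription -FeaturePack $pack

        # Read the setting back rather than trusting the call succeeded
        $config = Get-SPSiteSubscriptionConfig -Identity $subscription
        return [PSCustomObject]@{
            SubscriptionId = $subscription.Id
            FeaturePackId  = $config.FeaturePack.Id
            FeatureCount   = $config.FeaturePack.FeatureDefinitions.Count   # assumed property
        }
    }
    finally { $site.Dispose() }
}

# Usage (placeholder URL):
# Set-TenantFeaturePack -TenantSiteUrl "http://alpha.contoso.com"
```

A tiered offering is then a matter of keeping one pack per tier (for example a Foundation pack and a Standard pack) and binding the appropriate one at provisioning time; changing a tenant's tier is a single Set-SPSiteSubscriptionConfig call.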

Licensing management

In SharePoint Server 2013, a new licensing management capability has been added. Farm administrators can now assign licenses to users and enable run-time license checks. By using this new functionality, you can ensure that only users who have the appropriate license can use a specific feature. The functionality also simplifies the deployment model, because you no longer have to build separate farms for the Standard and Enterprise editions of SharePoint Server.

User licenses are assigned by mapping claims to a known type of license. For example, a claim can be an Active Directory Domain Services (AD DS) security group. By mapping the ContosoFinanceDept security group to an Enterprise license, you effectively assign an Enterprise license to all members of that group. Users who log on to SharePoint Server are assigned claims. SharePoint Server examines a user's claims to determine their license; if a user does not have a license for a particular feature, SharePoint blocks access to that feature at run time.

This SharePoint Server 2013 licensing implementation is managed by using new Microsoft PowerShell cmdlets. By default, licensing is disabled in SharePoint Server; however, administrators can opt to turn it on by using Microsoft PowerShell. For additional information about how to configure licensing in SharePoint Server 2013, see Configure licensing in SharePoint Server.
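The ContosoFinanceDept mapping described above, carried through with the licensing cmdlets, as an added example that is not part of the original article or of Spencer Harbar's scripts. The group name, license name and web application URL are placeholders; scoping the mapping to the hosting web application with -WebApplication is a design choice for a multi-tenant farm (omitting it creates a farm-wide mapping), and enabling licensing is treated as idempotent.

```powershell
# Added example: map an AD DS security group claim to a license for one web application
# and turn on run-time license checks, which are off by default.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Enable-TenantLicenseMapping {
    param(
        [Parameter(Mandatory = $true)][string]$SecurityGroup,       # e.g. "ContosoFinanceDept" (placeholder)
        [Parameter(Mandatory = $true)][string]$License,             # e.g. "Enterprise" or "Standard"
        [Parameter(Mandatory = $true)][string]$WebApplicationUrl    # the hosting web application (placeholder)
    )
    $webApp = Get-SPWebApplication -Identity $WebApplicationUrl
    if ($webApp -eq $null) { throw "Web application $WebApplicationUrl was not found." }

    # Build the claim-to-license mapping for the security group, scoped to this web application
    $mapping = New-SPUserLicenseMapping -SecurityGroup $SecurityGroup -License $License -WebApplication $webApp
    $mapping | Add-SPUserLicenseMapping

    # Nothing is enforced until licensing is enabled; the cmdlet is safe to call repeatedly
    Enable-SPUserLicensing

    # Return the effective mappings so the caller can verify the group was recorded
    return Get-SPUserLicenseMapping -WebApplication $webApp
}

# Usage (placeholders):
# Enable-TenantLicenseMapping -SecurityGroup "ContosoFinanceDept" -License "Enterprise" -WebApplicationUrl "http://$ENV:COMPUTERNAME"
```

Because enforcement happens at run time on the user's claims, review the mappings whenever a tenant's group structure changes; a user moved out of the mapped group loses access to Enterprise features at the next request, which is the intended behaviour and worth stating in the service description.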

Setup and configuration

This section outlines the general steps for setting up and configuring a multi-tenant SharePoint Server 2013 hosting platform.

Acknowledgements

This section provides details and contains PowerShell scripts that demonstrate the creation and configuration of various components. These scripts are provided to demonstrate the configuration requirements for multi-tenancy and therefore do not represent the optimal provisioning order; however, they can serve as the basis for developing your own customized end-to-end scripting solution.

The Microsoft PowerShell scripts contained in the following sub-sections are based (either in whole or in part) on the work of Spencer Harbar (http://www.harbar.net) and are reproduced here with his gracious consent. Please refer to the following documents for his original work.

The PowerShell scripts provided include variables that should be modified to suit your environment.

Deployment example

This section presents a deployment example that makes use of a single hosting web application using host-named site collections and host header managed paths. It is deployed on a single server for the sake of simplicity; this is the intended design model for multi-tenancy with SharePoint 2013 and can be extended to a deployment where service instance roles are spread across multiple computers. The deployment example uses HTTP for the web application. In a real deployment, SSL should be used to protect sign-in, content, and the authorization tokens used with apps for SharePoint and other OAuth2-related services such as Workflow Manager.

DNS configuration

Because host-named site collections will be used for the multi-tenant SharePoint environment, you must configure your DNS accordingly (that is, create the appropriate DNS records, and so on) based on your plan. For additional guidance about how to plan host-named site collections for SharePoint Server 2013, see Host-named site collection architecture and deployment (SharePoint 2013).

If you also plan to support apps for SharePoint, you must also configure DNS to support your environment. For additional information about how to configure an apps environment for SharePoint Server 2013, see Configure an environment for apps for SharePoint Server.
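The two DNS requirements above, the per-tenant host names for host-named site collections and the separate app domain for apps for SharePoint, can be scripted with the Windows DnsServer module. The following is an added example, not part of the original article or of Spencer Harbar's scripts; the zone names, host labels, hosting FQDN and IP address are placeholders, and it assumes it runs on (or remotes to) a DNS server that is authoritative for both zones.

```powershell
# Added example: create the DNS records a tenant needs in a host-named site collection
# deployment, plus the wildcard record for an isolated app domain.
Import-Module DnsServer

function Add-TenantDnsRecords {
    param(
        [Parameter(Mandatory = $true)][string]$TenantZone,     # e.g. "contoso.com" (placeholder)
        [Parameter(Mandatory = $true)][string[]]$HostLabels,   # e.g. "alpha","admin.alpha","my.alpha" (placeholders)
        [Parameter(Mandatory = $true)][string]$HostingFqdn,    # web front end or load balancer, e.g. "sphost.fabrikam.com"
        [string]$AppZone,                                      # isolated app domain zone, e.g. "contosoapps.com"
        [string]$AppIPv4                                       # address the app domain wildcard resolves to
    )
    $created = @()
    foreach ($label in $HostLabels) {
        # CNAME to the hosting front end, so tenants follow automatically if the farm's address changes;
        # skip records that already exist rather than creating duplicates
        $existing = Get-DnsServerResourceRecord -ZoneName $TenantZone -Name $label -ErrorAction SilentlyContinue
        if ($existing -eq $null) {
            Add-DnsServerResourceRecordCName -ZoneName $TenantZone -Name $label -HostNameAlias $HostingFqdn
            $created += "$label.$TenantZone"
        }
    }
    # Apps for SharePoint run under a separate app domain, and every app instance gets a generated
    # host name beneath it, so one wildcard A record serves all of them. Keeping the app domain in a
    # different zone from the tenant sites is what isolates app content from the tenant's cookies.
    if ($AppZone -and $AppIPv4) {
        $existing = Get-DnsServerResourceRecord -ZoneName $AppZone -Name "*" -ErrorAction SilentlyContinue
        if ($existing -eq $null) {
            Add-DnsServerResourceRecordA -ZoneName $AppZone -Name "*" -IPv4Address $AppIPv4
            $created += "*.$AppZone"
        }
    }
    return $created
}

# Usage (placeholders):
# Add-TenantDnsRecords -TenantZone "contoso.com" -HostLabels "alpha","admin.alpha","my.alpha" `
#     -HostingFqdn "sphost.fabrikam.com" -AppZone "contosoapps.com" -AppIPv4 "192.0.2.10"
```

The host labels correspond to the host header managed paths created later in this section (admin, my, and so on), so a tenant's full set of names can be derived from its tenant name and created in one call during provisioning.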

Active Directory configuration

As described earlier, to support multi-tenancy in SharePoint, Active Directory must be structured correctly by creating a hierarchical Organizational Unit structure to support User Profile Synchronization for each subscription. You also have to create appropriate service accounts for your environment. For additional information about how to plan service accounts for SharePoint Server 2013, see Plan for administrative and service accounts in SharePoint Server. In this deployment example, the following three service accounts are used:

  • SPFarm - the SharePoint Farm Account

  • SPServices - the Application Pool identity that hosts the Service Application endpoints

  • SPContent - the Application Pool identity that hosts the Content Web Application

SharePoint farm creation and configuration

The following Microsoft PowerShell script shows how to create a SharePoint farm.
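The OU hierarchy and the three service accounts can be created with the ActiveDirectory module before the farm scripts run. The following is an added example, not part of the original article or of Spencer Harbar's scripts; the domain DN, tenant names and OU names are placeholders. One child OU per tenant is what lets each subscription's User Profile Synchronization connection be scoped to that tenant only, and the service accounts are kept in a separate OU so that no tenant's profile import picks them up.

```powershell
# Added example: create a Tenants OU with one child OU per tenant, a separate OU for the
# SharePoint service accounts, and the SPFarm / SPServices / SPContent accounts.
Import-Module ActiveDirectory

function New-TenantDirectoryLayout {
    param(
        [Parameter(Mandatory = $true)][string]$DomainDn,        # e.g. "DC=fabrikam,DC=com" (placeholder)
        [Parameter(Mandatory = $true)][string[]]$TenantNames,   # e.g. "Alpha","Beta" (placeholders)
        [string]$ServiceAccountOu = "SharePoint Service Accounts"
    )
    # Get-ADOrganizationalUnit -Identity throws for a missing OU; SilentlyContinue turns that into $null
    function Test-Ou([string]$dn) {
        return (Get-ADOrganizationalUnit -Identity $dn -ErrorAction SilentlyContinue) -ne $null
    }

    # Parent OU for all tenants; profile sync for a subscription is scoped to its child OU
    $tenantsOu = "OU=Tenants,$DomainDn"
    if (-not (Test-Ou $tenantsOu)) {
        New-ADOrganizationalUnit -Name "Tenants" -Path $DomainDn -ProtectedFromAccidentalDeletion $true
    }
    $tenantOus = @()
    foreach ($tenant in $TenantNames) {
        $dn = "OU=$tenant,$tenantsOu"
        if (-not (Test-Ou $dn)) {
            New-ADOrganizationalUnit -Name $tenant -Path $tenantsOu -ProtectedFromAccidentalDeletion $true
        }
        $tenantOus += $dn
    }

    # Service accounts live outside the tenant tree so no tenant import ever sees them
    $svcOuDn = "OU=$ServiceAccountOu,$DomainDn"
    if (-not (Test-Ou $svcOuDn)) {
        New-ADOrganizationalUnit -Name $ServiceAccountOu -Path $DomainDn
    }
    foreach ($name in "SPFarm", "SPServices", "SPContent") {
        if ((Get-ADUser -Filter "SamAccountName -eq '$name'") -eq $null) {
            # Prompt for each password instead of embedding it in the script
            $password = Read-Host "Password for $name" -AsSecureString
            New-ADUser -Name $name -SamAccountName $name -Path $svcOuDn -AccountPassword $password `
                -Enabled $true -Description "SharePoint hosting service account"
        }
    }
    return $tenantOus
}

# Usage (placeholders):
# New-TenantDirectoryLayout -DomainDn "DC=fabrikam,DC=com" -TenantNames "Alpha","Beta"
```

The returned OU distinguished names are the values to use as the container scope when each tenant's profile synchronization connection is configured; register the service accounts as SharePoint managed accounts afterwards so the farm can handle their password changes.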

<#
    1. Farm Creation.ps1
    Creates a new SharePoint Farm
    Creates Central Administration on Port 8080
    Update initial variables as needed to reflect your environment
    Script will prompt for the password of the farm account
#>
asnp Microsoft.SharePoint.PowerShell
$databaseServer = "SQLSP1"
$configDatabase = "HostingFarm_Config"
$adminContentDB = "HostingFarm_Content_Admin"
# Sample value only: replace with a strong passphrase of your own; it is required to join further servers to the farm
$passphrase = "Password1"
$farmAccountName = "FABRIKAM\spfarm"

$farmAccount = Get-Credential $farmAccountName
$passphrase = (ConvertTo-SecureString $passphrase -AsPlainText -force)
Write-Host "Creating Configuration Database and Central Admin Content Database..."
New-SPConfigurationDatabase -DatabaseServer $databaseServer -DatabaseName $configDatabase `
    -AdministrationContentDatabaseName $adminContentDB `
    -Passphrase $passphrase -FarmCredentials $farmAccount

$spfarm = Get-SPFarm -ErrorAction SilentlyContinue -ErrorVariable err
if ($spfarm -eq $null -or $err) {
   throw "Unable to verify farm creation."
}
Write-Host "ACLing SharePoint Resources..."
Initialize-SPResourceSecurity
Write-Host "Installing Services ..."
Install-SPService
Write-Host "Installing Features..."
Install-SPFeature -AllExistingFeatures
Write-Host "Creating Central Administration..."
New-SPCentralAdministration -Port 8080 -WindowsAuthProvider NTLM
Write-Host "Installing Help..."
Install-SPHelpCollection -All
Write-Host "Installing Application Content..."
Install-SPApplicationContent
Write-Host "Farm Creation Done!"

Proxy Group, Hosting Web Application and Managed Paths

Initially, a Managed Account is created for the application pool that hosts the content web application. A new proxy group is created, followed by the web application. Finally, the web application is configured to allow self-service site creation, and the shared managed paths are created. It is extremely important to create a "root" site collection in the hosting web application even though end users will not access this site collection. This is required for supportability and correct operational behavior of SharePoint 2013.

Note

This example uses HTTP for the web application.

<#
    2. Proxy Group, Web Application & Farm Settings.ps1
    Creates a new Managed Account
    Creates a new Proxy Group
    Creates a new Web Application for HNSC, in a new Application Pool, in the new Proxy Group
    Creates an empty root Site Collection
    Enables Self Service Site Creation
    Creates Managed Paths for HNSC

    Update initial variables as needed to reflect your environment
    Update the Managed Paths section to use the paths you need
    Script will prompt for the password of the App Pool account used for the Web App
    You will need to configure the SSL certificate manually or via IIS PowerShell
#>
asnp Microsoft.SharePoint.PowerShell
## UPDATE THESE VARS ##
$waAppPoolUserName = "FABRIKAM\spcontent"
$waAppPoolName = "SharePoint Hosting"
$proxyGroupName = "Hosting Proxy Group"
$waUrl = "http://$ENV:COMPUTERNAME"
$webAppName = "SharePoint Hosting"
$contentDBName = "HostingFarm_Content_Hosting"
$ownerEmail = "administrator@contoso.com"
$ownerAlias = "FABRIKAM\administrator"
## END VARS ##
# Create Managed Account
Write-Host "Please supply the password for the $waAppPoolUserName Account..."
$appPoolCred = Get-Credential $waAppPoolUserName
Write-Host "Creating Managed Account..."
$waAppPoolAccount = New-SPManagedAccount -Credential $appPoolCred
# Create a new Proxy Group
Write-Host "Creating Proxy Group..."
$proxyGroup = New-SPServiceApplicationProxyGroup -Name $proxyGroupName
# Create a new Web App in the new Proxy Group using Windows Claims on Port 80 with no host header
Write-Host "Creating Web Application..."
# SSL example, not used
#$webApp = New-SPWebApplication -ApplicationPool $waAppPoolName -ApplicationPoolAccount $waAppPoolAccount -Name $webAppName -Port 443 -SecureSocketsLayer:$true -AuthenticationProvider (New-SPAuthenticationProvider) -DatabaseName $contentDBName -ServiceApplicationProxyGroup $proxyGroup
# following line is to use port 80
$webApp = New-SPWebApplication -ApplicationPool $waAppPoolName -ApplicationPoolAccount $waAppPoolAccount -Name $webAppName -Port 80 -AuthenticationProvider (New-SPAuthenticationProvider) -DatabaseName $contentDBName -ServiceApplicationProxyGroup $proxyGroup 
# Create an empty root Site Collection, required for support and SSSC
Write-Host "Creating empty root Site Collection..."
New-SPSite -Url $waUrl -owneralias $ownerAlias -ownerEmail $ownerEmail
# Enable Self Service Site Creation 
Write-Host "Enabling Self Service Site Creation..."
$webApp.SelfServiceSiteCreationEnabled = $true
$webApp.RequireContactForSelfServiceSiteCreation = $false
$webApp.Update()
# Create Managed Paths for all 2013 Tenancy capabilities (remove the ones you don't want)
# the default /sites path is removed to prevent creation of sites from CA
Write-Host "Creating HNSC Managed Paths..."
Remove-SPManagedPath "sites" -WebApplication $webApp -Confirm:$false
New-SPManagedPath "admin" -HostHeader -Explicit # Tenant Administration
New-SPManagedPath "apps" -HostHeader -Explicit  # App Catalog
New-SPManagedPath "cthub" -HostHeader -Explicit # Content Type Hub
New-SPManagedPath "my" -HostHeader -Explicit    # MySite Host
New-SPManagedPath "my/sites" -HostHeader        # MySites
New-SPManagedPath "edisc" -HostHeader -Explicit # E-Discovery Hub
Write-Host "Proxy Group and Web Application done!"

Non-partitioned services

At this stage, the non-partitioned service applications can be created. These service applications are either required in the farm for normal operations (for example, the State Service) or do not need to be partitioned in order to support multi-tenancy because they do not store any tenant data. To do this, another managed account is required, and then each service application is created in turn.

The following Microsoft PowerShell script shows how to create the non-partitioned service applications.

<#
    3. Non Partitioned Services.ps1
    Creates a new Managed Account
    Creates a new Service Application Pool

    Starts the Service Instances for and creates non partitioned Service Applications and Proxies:
        State Service
        Usage and Health Data Collection Service
        Subscription Settings Service
        App Management Service
        Work Management Service
    ...in the new Proxy Group 
    Adds any configured Workflow Service Proxy to the new Proxy Group
    Update initial variables as needed to reflect your environment
    Script will prompt for the password of the Service Application Pool account

#>
asnp Microsoft.SharePoint.PowerShell
## UPDATE THESE VARS ##
$proxyGroupName = "Hosting Proxy Group"
$saAppPoolName = "SharePoint Web Services Default"
$saAppPoolUserName = "FABRIKAM\spservices"
# Service Application and DB names
$stateName = "State Service"
$stateDBName = "HostingFarm_StateService"
$usageName = "Usage and Health Data Collection Service"
$usageDBName = "HostingFarm_Usage"
$subsName = "Subscription Settings Service"
$subsDBName = "HostingFarm_SubscriptionSettings"
$appsName = "App Management Service"
$appsDBName = "HostingFarm_AppManagement"
$wmsName = "Work Management Service"
$pasName = "PowerPoint Automation Service"
## END VARS ##
# Create Managed Account and App Pool for Service App Endpoints
Write-Host "Please supply the password for the $saAppPoolUserName Account..."
$appPoolCred = Get-Credential $saAppPoolUserName
Write-Host "Creating Managed Account..."
$saAppPoolAccount = New-SPManagedAccount -Credential $appPoolCred
Write-Host "Creating Service Application Pool..."
$saAppPool = New-SPServiceApplicationPool -Name $saAppPoolName -Account $saAppPoolAccount
# Grab the Proxy Group
$proxyGroup = Get-SPServiceApplicationProxyGroup $proxyGroupName
# Create State Service Application and Proxy, add to Proxy Group
Write-Host "Creating $stateName Application and Proxy..."
$stateDB = New-SPStateServiceDatabase -Name $stateDBName
$state = New-SPStateServiceApplication -Name $stateName -Database $stateDB
$proxy = New-SPStateServiceApplicationProxy -Name "$stateName Proxy" -ServiceApplication $state
$proxyGroup | Add-SPServiceApplicationProxyGroupMember -Member $proxy
# Create Usage Service Application and Proxy, add to Proxy Group, and provision its Proxy
Write-Host "Creating $usageName Application and Proxy..."
$serviceInstance = Get-SPUsageService
New-SPUsageApplication -Name $usageName -DatabaseName $usageDBName -UsageService $serviceInstance
$proxy = Get-SPServiceApplicationProxy | ? { $_.TypeName -eq "Usage and Health Data Collection Proxy" }
$proxyGroup | Add-SPServiceApplicationProxyGroupMember -Member $proxy
$proxy.Provision();
# Start the Subscription Settings Service Instance, create the Service Application and Proxy, add to Proxy Group
Write-Host "Creating $subsName Application and Proxy..."
Get-SPServiceInstance | where { $_.TypeName -eq "Microsoft SharePoint Foundation Subscription Settings Service" } | Start-SPServiceInstance
$subs = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $saAppPool -Name $subsName -DatabaseName $subsDBName
$proxy = New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $subs 
$proxyGroup | Add-SPServiceApplicationProxyGroupMember -Member $proxy
# Start the App Management Service Instance, create the  Service Application and Proxy, add to Proxy Group
Write-Host "Creating $appsName Application and Proxy..."
Get-SPServiceInstance | where { $_.TypeName -eq "App Management Service"} | Start-SPServiceInstance
$apps = New-SPAppManagementServiceApplication -ApplicationPool $saAppPool -Name $appsName -DatabaseName $appsDBName
$proxy = New-SPAppManagementServiceApplicationProxy -ServiceApplication $apps -Name "$appsName Proxy"
$proxyGroup | Add-SPServiceApplicationProxyGroupMember -Member $proxy
# Start the Work Management Service Instance, create the Service Application and Proxy, add to Proxy Group
Write-Host "Creating $wmsName Application and Proxy..."
Get-SPServiceInstance | ? { $_.TypeName -eq "Work Management Service" } | Start-SPServiceInstance
$wms = New-SPWorkManagementServiceApplication -ApplicationPool $saAppPool -Name $wmsName
$proxy = New-SPWorkManagementServiceApplicationProxy -ServiceApplication $wms -Name "$wmsName Proxy"
$proxyGroup | Add-SPServiceApplicationProxyGroupMember -Member $proxy
# Start the PowerPoint Automation Service Instance, create the Service Application and Proxy, add to Proxy Group
Write-Host "Creating $pasName Application and Proxy..."
Get-SPServiceInstance | ? { $_.TypeName -eq "PowerPoint Conversion Service" } | Start-SPServiceInstance
$pas = New-SPPowerPointConversionServiceApplication -ApplicationPool $saAppPool -Name $pasName
$proxy = New-SPPowerPointConversionServiceApplicationProxy -ServiceApplication $pas -Name "$pasName Proxy"
$proxyGroup | Add-SPServiceApplicationProxyGroupMember -Member $proxy
# Adds any Workflow Service proxy to the Proxy Group (if it exists)
$wfProxy = Get-SPServiceApplicationProxy | ? {$_.TypeName -like "*Workflow Service*" }
if ($wfProxy -ne $null) {
    Write-Host "Adding Workflow Service Proxy to Proxy Group..."
    # should probably remove from the default group as well
    Add-SPServiceApplicationProxyGroupMember -Identity $proxyGroup -Member $wfProxy
}
Write-Host "Non Partitioned Service Applications done!"

Partitioned service applications creation and configuration

The following sections describe the Microsoft PowerShell procedures necessary to create and configure each service application that supports partitioning. The same general pattern applies to each service application, with the exception of Search and User Profiles; there are, however, small differences in how the service application proxies are created.

Business Data Connectivity service

The following Microsoft PowerShell script shows how to create the Business Data Connectivity service application in Partition Mode and add it to a custom Service Proxy group.

$proxyGroupName = "Hosting Proxy Group"
$saAppPoolName = "SharePoint Web Services Default"
$bcsName = "Business Data Connectivity Service"
$bcsDBName = "HostingFarm_BusinessDataConnectivity"
# Grab the Service Application Pool and Proxy Group
Write-Host "Getting Service Application Pool and Proxy Group..."
$saAppPool = $saAppPoolName | Get-SPServiceApplicationPool
$proxyGroup = Get-SPServiceApplicationProxyGroup $proxyGroupName
# Start Business Data Connectivity Service Instance, create the Service Application and Proxy, add to Proxy Group
Write-Host "Creating $bcsName Application and Proxy..."
Get-SPServiceInstance | ? { $_.TypeName -eq "Business Data Connectivity Service" } | Start-SPServiceInstance
$bcs = New-SPBusinessDataCatalogServiceApplication -PartitionMode -Name $bcsName -ApplicationPool $saAppPool -DatabaseName $bcsDBName 
$proxy = Get-SPServiceApplicationProxy | ? { $_.Name -eq "$bcsName" }
$proxyGroup | Add-SPServiceApplicationProxyGroupMember -Member $proxy

Managed metadata service

The following Microsoft PowerShell script shows how to create the managed metadata service application in Partition Mode and add it to a custom Service Proxy group.

$proxyGroupName = "Hosting Proxy Group"
$saAppPoolName = "SharePoint Web Services Default"
$mmsName = "Managed Metadata Service"
$mmsDBName = "HostingFarm_ManagedMetadata"
# Grab the Service Application Pool and Proxy Group
Write-Host "Getting Service Application Pool and Proxy Group..."
$saAppPool = $saAppPoolName | Get-SPServiceApplicationPool
$proxyGroup = Get-SPServiceApplicationProxyGroup $proxyGroupName
# Start the Managed Metadata Service Instance, create the Service Application and Proxy, add to Proxy Group
Write-Host "Creating $mmsName Application and Proxy..."
Get-SPServiceInstance | ? { $_.TypeName -eq "Managed Metadata Web Service" } | Start-SPServiceInstance
$mms = New-SPMetadataServiceApplication -PartitionMode -Name $mmsName -ApplicationPool $saAppPool -DatabaseName $mmsDBName
$proxy = New-SPMetadataServiceApplicationProxy -PartitionMode -Name "$mmsName Proxy" -ServiceApplication $mms
$proxyGroup | Add-SPServiceApplicationProxyGroupMember -Member $proxy

Machine Translation service

The Machine Translation service supports multi-tenancy by creating its service application in Partition Mode. There is no tenant-specific configuration; the service is managed at the farm level. Its database effectively acts as a queue and therefore has to be partition/tenant aware.

The following Microsoft PowerShell script shows how to create the Machine Translation service application in Partition Mode.

$proxyGroupName = "Hosting Proxy Group"
$saAppPoolName = "SharePoint Web Services Default"
$mtsName = "Machine Translation Service"
$mtsDBName = "HostingFarm_MachineTranslation"
# Grab the Service Application Pool and Proxy Group
Write-Host "Getting Service Application Pool and Proxy Group..."
$saAppPool = $saAppPoolName | Get-SPServiceApplicationPool
$proxyGroup = Get-SPServiceApplicationProxyGroup $proxyGroupName
# Start Machine Translation Service Instance, create the Service Application and Proxy, add to Proxy Group
Write-Host "Creating $mtsName Application & Proxy..."
Get-SPServiceInstance | ? { $_.TypeName -eq "Machine Translation Service" } | Start-SPServiceInstance
$mts = New-SPTranslationServiceApplication -PartitionMode -Name $mtsName -ApplicationPool $saAppPool -DatabaseName $mtsDBName
Get-SPServiceApplicationProxy | ? {$_.Name -eq $mtsName} | Remove-SPServiceApplicationProxy -Confirm:$false
$proxy = New-SPTranslationServiceApplicationProxy -PartitionMode -Name "$mtsName Proxy" -ServiceApplication $mts
$proxyGroup | Add-SPServiceApplicationProxyGroupMember -Member $proxy

Secure Store service

Once configured in Partition Mode, the generation of encryption keys remains a farm-level configuration performed either through Central Administration or Windows PowerShell. The remainder of the Secure Store service configuration moves to tenant administration. However, the Tenant Administration site template does not include the link to this page; it can be added by using the customization technique described in the Extending the Tenant Administration site template section.

The following Microsoft PowerShell script shows how to create the Secure Store Service application in Partition Mode and add it to a custom Service Proxy group.

$proxyGroupName = "Hosting Proxy Group"
$saAppPoolName = "SharePoint Web Services Default"
$sssName = "Secure Store Service"
$sssDBName = "HostingFarm_SecureStore"
$sssAuditing = $false
$sssSharing = $false
$sssAuditLogMaxSize = ""
# Grab the Service Application Pool and Proxy Group
Write-Host "Getting Service Application Pool and Proxy Group..."
$saAppPool = $saAppPoolName | Get-SPServiceApplicationPool
$proxyGroup = Get-SPServiceApplicationProxyGroup $proxyGroupName
# Start Secure Store Service Instance, create the Service Application and Proxy, add to Proxy Group
Write-Host "Creating $sssName Application & Proxy..."
Get-SPServiceInstance | ? { $_.TypeName -eq "Secure Store Service" } | Start-SPServiceInstance
$sss = New-SPSecureStoreServiceApplication -PartitionMode -Name $sssName -ApplicationPool $saAppPool -DatabaseName $sssDBName -auditingEnabled:$sssAuditing -AuditlogMaxSize $sssAuditLogMaxSize -Sharing:$sssSharing
$proxy = New-SPSecureStoreServiceApplicationProxy -Name "$sssName Proxy" -ServiceApplication $sss
$proxyGroup | Add-SPServiceApplicationProxyGroupMember -Member $proxy 

Search service

The following Microsoft PowerShell script shows how to create the Search service application in Partition Mode.

Note

The script for this service application uses the Partitioned parameter rather than the PartitionMode parameter.

$proxyGroupName = "Hosting Proxy Group"
$saAppPoolName = "SharePoint Web Services Default"
$searchServerName = "$ENV:COMPUTERNAME" 
$searchName = "Search Service"
$searchDBName = "HostingFarm_Search"
# Grab the Service Application Pool and Proxy Group
Write-Host "Getting Service Application Pool and Proxy Group..."
$saAppPool = $saAppPoolName | Get-SPServiceApplicationPool
$proxyGroup = Get-SPServiceApplicationProxyGroup $proxyGroupName
# Start Search Service Instances, create the Service Application and Proxy, add to Proxy Group, configure Topology
Write-Host "Starting Search Service Instances..."
Start-SPEnterpriseSearchServiceInstance $searchServerName
Start-SPEnterpriseSearchQueryAndSiteSettingsServiceInstance $searchServerName
Write-Host "Creating Search Service Application and Proxy..."
$search = New-SPEnterpriseSearchServiceApplication -Partitioned -Name $searchName -ApplicationPool $saAppPool -DatabaseName $searchDBName
$proxy = New-SPEnterpriseSearchServiceApplicationProxy -Partitioned -Name "$searchName Proxy" -SearchApplication $search
$proxyGroup | Add-SPServiceApplicationProxyGroupMember -Member $proxy
# Clone the default Topology (which is empty) and create a new one and then activate it
Write-Host "Configuring Search Component Topology..."
$clone = $search.ActiveTopology.Clone()
$searchServiceInstance = Get-SPEnterpriseSearchServiceInstance
New-SPEnterpriseSearchAdminComponent -SearchTopology $clone -SearchServiceInstance $searchServiceInstance
New-SPEnterpriseSearchContentProcessingComponent -SearchTopology $clone -SearchServiceInstance $searchServiceInstance
New-SPEnterpriseSearchAnalyticsProcessingComponent -SearchTopology $clone -SearchServiceInstance $searchServiceInstance 
New-SPEnterpriseSearchCrawlComponent -SearchTopology $clone -SearchServiceInstance $searchServiceInstance 
New-SPEnterpriseSearchIndexComponent -SearchTopology $clone -SearchServiceInstance $searchServiceInstance
New-SPEnterpriseSearchQueryProcessingComponent -SearchTopology $clone -SearchServiceInstance $searchServiceInstance
$clone.Activate()
Write-Host "Search complete!"

Word Automation Services

The Word Automation Services service application supports Partition Mode. There is no cmdlet for creating a proxy.

The following Microsoft PowerShell script shows how to create the Word Automation Services service application in Partition Mode.

$proxyGroupName = "Hosting Proxy Group"
$saAppPoolName = "SharePoint Web Services Default"
$wasName = "Word Automation Service"
$wasDBName = "HostingFarm_WordAutomation"
# Grab the Service Application Pool and Proxy Group
Write-Host "Getting Service Application Pool and Proxy Group..."
$saAppPool = $saAppPoolName | Get-SPServiceApplicationPool
$proxyGroup = Get-SPServiceApplicationProxyGroup $proxyGroupName
# Start Word Automation Service Instance, create the Service Application and Proxy, add to Proxy Group
Write-Host "Creating $wasName Application & Proxy..."
Get-SPServiceInstance | ? { $_.TypeName -eq "Word Automation Services" } | Start-SPServiceInstance
$was = New-SPWordConversionServiceApplication -PartitionMode -Name $wasName -ApplicationPool $saAppPool -DatabaseName $wasDBName 
# we cannot change the name of this proxy as there is no New-SPWordConversionServiceApplicationProxy
$proxy = Get-SPServiceApplicationProxy | ? { $_.Name -eq $wasName }
$proxyGroup | Add-SPServiceApplicationProxyGroupMember -Member $proxy 

User Profile Service

Creating the User Profile Service application with PowerShell, which is required when provisioning in partitioned mode, presents a challenge when Windows PowerShell is not running as the SharePoint farm account. To work around this, and to successfully start the User Profile Synchronization service, the scripts below use the Start-Process cmdlet to run the creation script as the farm account.

Two scripts are required: the first script creates the UPA, and the second script calls the first script.

The following Microsoft PowerShell script shows how to create the User Profile Service application in Partition Mode and add it to a custom Service Proxy group.

Note

This script should NOT be run directly; otherwise it will be impossible to start the User Profile Synchronization service instance. This script should be saved locally and its location noted.

<#
    partitionedUPAcreation.ps1
    External dependency to create UPA under farm account creds

#>
asnp Microsoft.SharePoint.PowerShell
$proxyGroupName = "Hosting Proxy Group"
$saAppPoolName = "SharePoint Web Services Default"
$upaName = "User Profile Service"
$upaProfileDBName = "HostingFarm_UserProfile_Profile"
$upaSocialDBName = "HostingFarm_UserProfile_Social"
$upaSyncDBName = "HostingFarm_UserProfile_Sync"
# Grab the Proxy Group
$proxyGroup = Get-SPServiceApplicationProxyGroup -Identity $proxyGroupName
# Grab the Application Pool for Service Application Endpoint
$saAppPool = Get-SPServiceApplicationPool $saAppPoolName
<# Creates UPA Service Application & Proxy, and User Profile Service Instance
     If omitted, -ProfileSyncDBServer, -SocialDBServer & -ProfileDBServer are the SharePoint Default DB Server
     If omitted, -SyncInstanceMachine is the local machine 
#>
Write-Host "Creating $upaName Application & Proxy..."
$upa = New-SPProfileServiceApplication -PartitionMode -Name $upaName -ApplicationPool $saAppPool -ProfileDBName $upaProfileDBName -SocialDBName $upaSocialDBName -ProfileSyncDBName $upaSyncDBName
$proxy = New-SPProfileServiceApplicationProxy -PartitionMode -Name "$upaName Proxy" -ServiceApplication $upa
$proxyGroup | Add-SPServiceApplicationProxyGroupMember -Member $proxy
# Check it worked
Get-SPServiceApplication | ? {$_.Name -eq $upaName} 

The second script below performs the necessary work to call the UPA creation script and start the required service instances. The location of the UPA creation script should be updated in the $upaScriptFile variable. Additionally, some required permissions are set on the UPA.

$proxyGroupName = "Hosting Proxy Group"
$saAppPoolName = "SharePoint Web Services Default"
$upaScriptfile = "c:\partitionedUPAcreation.ps1"
$upaName = "User Profile Service"
$user = "FABRIKAM\Administrator"
$serviceUser = "FABRIKAM\spservices"
# Grab the Service Application Pool and Proxy Group
Write-Host "Getting Service Application Pool and Proxy Group..."
$saAppPool = $saAppPoolName | Get-SPServiceApplicationPool
$proxyGroup = Get-SPServiceApplicationProxyGroup $proxyGroupName
# Start User Profile Service Instance
Write-Host "Starting User Profile Service Instance..."
Get-SPServiceInstance | ? { $_.TypeName -eq "User Profile Service" } | Start-SPServiceInstance
Write-Host "Restarting SPTimerV4..."
Restart-Service SPTimerV4
# Grab the Farm Account credentials
Write-Host "Please enter the Farm Account Password:"
$farmAcct = (Get-SPFarm).DefaultServiceAccount
$cred = Get-Credential $farmAcct.Name
# Create a new process to initiate User Profile Service Application creation under UAC elevation
Write-Host "Creating new process for UPA creation..."
Start-Process $PSHOME\powershell.exe -Credential $cred -ArgumentList "-Command Start-Process $PSHOME\powershell.exe -ArgumentList `"'$upaScriptfile'`" -Verb Runas" -Wait
Get-Date
Write-Host "UPA Created!"
# Start the User Profile Synchronization Service Instance
Write-Host "Starting the UPS Service Instance..."
Get-Date
$upa = Get-SPServiceApplication | where-object {$_.Name -eq $upaName}
$upsInstanceName = "User Profile Synchronization Service"
# SetSynchronizationMachine needs the plaintext password; it is decrypted only for that call below
[String]$password = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password)); 
Get-SPServiceInstance | where-object {$_.TypeName -eq $upsInstanceName} | % {
    $_.Status = [Microsoft.SharePoint.Administration.SPObjectStatus]::Provisioning
    $_.IsProvisioned = $false
    $_.UserProfileApplicationGuid = $upa.Id
    $_.Update()
    $upa.SetSynchronizationMachine($_.Server.Address, $_.Id, $cred.UserName, $password) # this can cause update conflicts
    Start-SPServiceInstance $_
}
Write-Host "Waiting on $upsInstanceName to provision..."
Write-Host "Baseline time is 130 seconds"
[int]$time = 0
$ups = Get-SPServiceInstance | where-object {$_.TypeName -eq $upsInstanceName}
while (-not ($ups.Status -eq "Online")) {
    sleep 10;
    Write-Host "Still waiting... ($time seconds elapsed)"
    $ups = Get-SPServiceInstance | where-object {$_.TypeName -eq $upsInstanceName}
    $time = $time + 10
}
Write-Host "$upsInstanceName provisioned, it took $time seconds."
Get-Date
Write-Host "UPS Service Instance Started"
# UPA Settings and Permissions, do this after UPS SI Started and Get it again to prevent update conflicts
Write-Host "Configuring NETBios Domain Names and UPA Permissions..."
$upa = Get-SPServiceApplication | where-object {$_.Name -eq $upaName}
$upa.NetBIOSDomainNamesEnabled=1
$upa.Update()   
function Grant-ServiceAppPermission($app, $user, $perm, $admin) {
    $sec = $app | Get-SPServiceApplicationSecurity -Admin:$admin
    $claim = New-SPClaimsPrincipal -Identity $user -IdentityType WindowsSamAccountName
    $sec | Grant-SPObjectSecurity -Principal $claim -Rights $perm
    $app | Set-SPServiceApplicationSecurity -ObjectSecurity $sec -Admin:$admin
}
Grant-ServiceAppPermission $upa $user "Full Control" $false
Grant-ServiceAppPermission $upa $serviceUser "Full Control" $false
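After the partitioned service applications above have been created, a practitioner will want to confirm that the hosting web application really is bound to the custom proxy group and that every partitioned proxy landed in it, because a web application left on the default proxy group would serve tenants from non-partitioned services. The following script is an added example, not one of the article's own scripts; the proxy display names are the ones the scripts above assign, while Test-HostingProxyGroup, Get-ServiceAppAccessRules and $hostingWebAppUrl are this example's own assumed names.

```powershell
# Added example (not the article's script): audit the hosting proxy group and the
# UPA access rules after the partitioned service applications have been created.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$proxyGroupName   = "Hosting Proxy Group"
$hostingWebAppUrl = "http://$ENV:COMPUTERNAME"   # assumption: URL of the hosting web application
$upaName          = "User Profile Service"

# Proxy display names as created by the scripts above (explicit -Name values, or the
# service application name where no proxy cmdlet exists, as for BCS and Word Automation).
$expectedProxies = @(
    "State Service Proxy",
    "App Management Service Proxy",
    "Work Management Service Proxy",
    "PowerPoint Automation Service Proxy",
    "Business Data Connectivity Service",
    "Managed Metadata Service Proxy",
    "Machine Translation Service Proxy",
    "Secure Store Service Proxy",
    "Search Service Proxy",
    "Word Automation Service",
    "User Profile Service Proxy"
)

function Test-HostingProxyGroup {
    param([string]$ProxyGroupName, [string]$WebAppUrl, [string[]]$Expected)
    $ok      = $true
    $group   = Get-SPServiceApplicationProxyGroup $ProxyGroupName
    $default = Get-SPServiceApplicationProxyGroup -Default
    $webApp  = Get-SPWebApplication $WebAppUrl

    # 1. The hosting web application must use the custom group, not [default].
    if ($webApp.ServiceApplicationProxyGroup.Id -ne $group.Id) {
        Write-Warning "$WebAppUrl is bound to '$($webApp.ServiceApplicationProxyGroup.FriendlyName)', not '$ProxyGroupName'."
        $ok = $false
    }

    # 2. Every expected partitioned proxy must be a member of the custom group.
    $memberNames = @($group.Proxies | ForEach-Object { $_.DisplayName })
    foreach ($name in $Expected) {
        if ($memberNames -notcontains $name) {
            Write-Warning "Missing from '$ProxyGroupName': $name"
            $ok = $false
        }
    }

    # 3. Report proxies that also sit in the default group (the Workflow step above
    #    notes that the default group is otherwise left untouched).
    foreach ($p in $default.Proxies) {
        if ($memberNames -contains $p.DisplayName) {
            Write-Warning "'$($p.DisplayName)' is also a member of the default proxy group."
        }
    }
    return $ok
}

# Read back who holds rights on a service application, e.g. after Grant-ServiceAppPermission.
function Get-ServiceAppAccessRules {
    param($App, [switch]$Admin)
    $sec = $App | Get-SPServiceApplicationSecurity -Admin:$Admin
    $sec.AccessRules | ForEach-Object { "{0}: {1}" -f $_.Name, $_.AllowedRights }
}

if (Test-HostingProxyGroup -ProxyGroupName $proxyGroupName -WebAppUrl $hostingWebAppUrl -Expected $expectedProxies) {
    Write-Host "Hosting proxy group check passed."
} else {
    Write-Host "Hosting proxy group check found problems; see warnings above."
}
Write-Host "Principals with rights on $upaName (service-level ACL):"
$upa = Get-SPServiceApplication | Where-Object { $_.Name -eq $upaName }
Get-ServiceAppAccessRules -App $upa
```

The check compares proxy group identities rather than names, so a second group that happens to carry the same friendly name is not mistaken for the hosting group; the access-rule listing uses the non-admin ACL, which is the one the page's Grant-ServiceAppPermission calls modify.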

Information Rights Management configuration

Information Rights Management support for multi-tenancy can be turned on by using the SharePoint Central Administration website or the updated Microsoft PowerShell cmdlets.

Turn on Information Rights Management by using Central Administration

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group and the Administrators group on the computer that is running Central Administration.

  2. From the Central Administration website, go to Security.

  3. On the Security page, go to Configure information rights management.

  4. On the Information Rights Management page, click Use this RMS Server.

  5. Make sure to select the check box named Check this box in multi-tenant configurations to allow tenants to configure tenant level IRM settings.

Turn on Information Rights Management by using Microsoft PowerShell

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the PowerShell cmdlets.

      An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server 2013 cmdlets.

      Note

      If you do not have permissions, contact your setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see Add-SPShellAdmin.

  2. Open the SharePoint Management Shell.

  3. At the PowerShell command prompt, type the following command:

    Set-SPIRMSettings -IrmEnabled -UseActiveDirectoryDiscovery -SubscriptionScopeSettingsEnabled


There are no built-in configuration options for IRM within the Tenant Administration site. To apply the configuration, use the Set-SPSiteSubscriptionIRMConfig cmdlet as shown in the following script:

$subscription=Get-SPSiteSubscription "http://www.contoso.com"
Set-SPSiteSubscriptionIRMConfig -identity $subscription -IrmEnabled -CertificateServerUrl "http://rms.contoso.com" 

Generally such configuration is performed as part of tenant provisioning.

Tenant provisioning and management

This section describes the processes and approaches for provisioning tenants and customizing the multi-tenant environment.

Tenant provisioning

To create a tenant, follow these steps.

  1. Create a site subscription. At the Microsoft PowerShell command prompt, type the following syntax:

    $sub = New-SPSiteSubscription

  2. Assign a feature pack to the site subscription and configure a custom OU for the People Picker. At the Microsoft PowerShell command prompt, type the following syntax:

    Set-SPSiteSubscriptionConfig -id $sub -FeaturePack $customerFeatures -UserAccountDirectoryPath "OU=$customerName,OU=Customers,DC=contoso,DC=com"

  3. Create one or more site collections to be assigned to the site subscription. At the Microsoft PowerShell command prompt, type the following syntax:

    Write-Host "Creating Member Site..."
    New-SPSite -url "http://$customerName.contoso.com" -SiteSubscription $sub -HostHeaderWebApplication $webApp -owneralias $customerTenantAdmin -owneremail $customerTenantAdminEmail -template sts#0 -ContentDatabase $contentDBName

    # create Tenant Admin site
    Write-Host "Creating Tenant Admin site..."
    New-SPSite -url "http://$customerName.contoso.com/admin" -SiteSubscription $sub -HostHeaderWebApplication $webApp -owneralias $customerTenantAdmin -owneremail $customerTenantAdminEmail -template tenantadmin#0 -AdministrationSiteType TenantAdministration -ContentDatabase $contentDBName

    Write-Host "Creating My Site Host..."
    New-SPSite -url "http://$customerName.contoso.com/mysites" -SiteSubscription $sub -HostHeaderWebApplication $webApp -owneralias $customerTenantAdmin -owneremail $customerTenantAdminEmail -template SPSMSITEHOST#0 -ContentDatabase $contentDBName

The following PowerShell script shows how to create a tenant admin site that uses the TENANTADMIN#0 template. If the tenant is configured to use an Enterprise Feature Pack, the Microsoft PowerShell script performs additional operations, that is, it creates the My Sites collection.

Add-PSSnapin Microsoft.SharePoint.Powershell -EA 0  

# farm details (update to reflect your environment) 
$hostingMainURL = "http://$ENV:COMPUTERNAME"
$upaProxyName = "Tenant User Profile Service Proxy" 
$mmsProxyName = "Tenant Managed Metadata Service" 
$contentDBName = "HostingFarm_Content_Hosting" 
$farm = Get-SPFarm
$foundationFeaturePack = $farm.Properties.Foundation_FeaturePack
#$standardFeaturePack = $farm.Properties.Standard_FeaturePack
$enterpriseFeaturePack = $farm.Properties.Enterprise_FeaturePack
# tenant-specific information (vary by tenant)
# $customerName is used both as the tenant host label and as the OU name, so avoid spaces
$customerName = "customerA" 
$customerTenantAdmin = "CONTOSO\customerA-Admin"
$customerTenantAdminEmail = "admin@customerA.com"
$customerFeatures = $enterpriseFeaturePack
# Note: 
# this script assumes that the Content Web App and necessary Managed Paths exist. 
# grab the web app 
$webApp = Get-SPWebApplication $hostingMainURL 

# create new Site Subscription 
Write-Host "Creating Site Subscription..." 
$sub = New-SPSiteSubscription 

# assign feature pack and set the OU to be used by the People Picker 
Write-Host "Assigning Feature Pack and configuring People Picker..." 
Set-SPSiteSubscriptionConfig -id $sub -FeaturePack $customerFeatures -UserAccountDirectoryPath "OU=$customerName,OU=Customers,DC=contoso,DC=com" 

# create the "main" member site (we need a site at the root to use Host Headers and Managed Paths in the following cmdlets) 
Write-Host "Creating Member Site..." 
New-SPSite -url "http://$customerName.contoso.com" -SiteSubscription $sub -HostHeaderWebApplication $webApp -owneralias $customerTenantAdmin -owneremail $customerTenantAdminEmail -template sts#0 -ContentDatabase $contentDBName

# create Tenant Admin site  
Write-Host "Creating Tenant Admin site..." 
New-SPSite -url "http://$customerName.contoso.com/admin" -SiteSubscription $sub -HostHeaderWebApplication $webApp -owneralias $customerTenantAdmin -owneremail $customerTenantAdminEmail -template tenantadmin#0 -AdministrationSiteType TenantAdministration -ContentDatabase $contentDBName

# everything else needs standard 
if (!($customerFeatures -eq $foundationFeaturePack)) 
{ 
    Write-Host "Tenant has SharePoint Server features" 
    # create a mysite host 
    Write-Host "Creating My Site Host..." 
    New-SPSite -url "http://$customerName.contoso.com/mysites" -SiteSubscription $sub -HostHeaderWebApplication $webApp -owneralias $customerTenantAdmin -owneremail $customerTenantAdminEmail -template SPSMSITEHOST#0 -ContentDatabase $contentDBName
    # configure the MySites host, MySites path, Naming Resolution and Profile Sync OU for the Subscription 
    Write-Host "Configuring Tenant Profile Config..." 
    $upaProxy = Get-SPServiceApplicationProxy | where-object {$_.DisplayName -eq $upaProxyName} 
    Add-SPSiteSubscriptionProfileConfig -id $sub -SynchronizationOU $customerName -MySiteHostLocation "http://$customerName.contoso.com/mysites" -MySiteManagedPath "/mysites/personal" -SiteNamingConflictResolution "None" -ProfileServiceApplicationProxy $upaProxy 

    # create a site for the Content Type Gallery 
    Write-Host "Creating Content Type Gallery..." 
    New-SPSite -url "http://$customerName.contoso.com/cthub" -SiteSubscription $sub -HostHeaderWebApplication $webApp -owneralias $customerTenantAdmin -owneremail $customerTenantAdminEmail -template sts#0 -ContentDatabase $contentDBName

    # configure the Content Type Gallery for the Subscription 
    Write-Host "Configuring Tenant Content Type Gallery..." 
    $mmsProxy = Get-SPServiceApplicationProxy | where-object {$_.DisplayName -eq $mmsProxyName} 
    # ContentTypeHub feature activation may fail - if so activate manually 
    Set-SPSiteSubscriptionMetadataConfig -identity $sub -serviceProxy $mmsProxy -huburi "http://$customerName.contoso.com/cthub" -SyndicationErrorReportEnabled 
    Write-Host "Activating Content Type Hub..." 
    Enable-SPFeature -Identity ContentTypeHub -url "http://$customerName.contoso.com/cthub" 
} 

Write-Host "Tenant Provisioning Script Completed!"  

This approach can be further customized to include other tenant configuration, such as for Workflow, Apps and IRM. Generally such a script is encapsulated into a function or custom cmdlets so that it can be run repeatedly for future tenants.
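As an added example of the encapsulation just described (this is not the article's own provisioning script), the function below wraps the site subscription, feature pack, OU and site collection steps from the table above with the pre-checks a hosting operator wants before provisioning: the tenant label is validated as a DNS host label because it goes into both the host header URL and the OU name, the content database must be attached to the web application, the tenant root must not already exist, and no other subscription may already point at the same OU. New-HostedTenant and its parameter names are this example's own choices; the cmdlets are the SharePoint 2013 cmdlets used in the article.

```powershell
# Added example (not the article's script): reusable tenant provisioning with pre-checks.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-HostedTenant {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Host label for the tenant URL (http://<label>.<domain>). It is also used as the
        # tenant OU name, so it is restricted to a valid DNS label rather than free text.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$')]
        [string]$TenantLabel,

        [Parameter(Mandatory = $true)][string]$HostingDomain,      # e.g. "contoso.com"
        [Parameter(Mandatory = $true)][string]$WebApplicationUrl,  # hosting web application URL
        [Parameter(Mandatory = $true)][string]$ContentDatabase,    # e.g. "HostingFarm_Content_Hosting"
        [Parameter(Mandatory = $true)][string]$TenantAdmin,        # e.g. "CONTOSO\customerA-Admin"
        [Parameter(Mandatory = $true)][string]$TenantAdminEmail,
        [Parameter(Mandatory = $true)]$FeaturePack,                # e.g. $farm.Properties.Foundation_FeaturePack
        [Parameter(Mandatory = $true)][string]$CustomersOU         # e.g. "OU=Customers,DC=contoso,DC=com"
    )

    $rootUrl  = "http://$TenantLabel.$HostingDomain"
    $adminUrl = "$rootUrl/admin"
    $ouPath   = "OU=$TenantLabel,$CustomersOU"
    $webApp   = Get-SPWebApplication $WebApplicationUrl -ErrorAction Stop

    # Pre-check 1: the content database must be attached to this web application,
    # otherwise New-SPSite fails after the subscription has already been created.
    if (-not ($webApp.ContentDatabases | Where-Object { $_.Name -eq $ContentDatabase })) {
        throw "Content database '$ContentDatabase' is not attached to $WebApplicationUrl."
    }

    # Pre-check 2: never provision over an existing tenant root.
    if (Get-SPSite $rootUrl -ErrorAction SilentlyContinue) {
        throw "A site collection already exists at $rootUrl."
    }

    # Pre-check 3: one subscription per OU. Two subscriptions sharing a People Picker OU
    # would let two tenants resolve the same directory users.
    foreach ($existing in Get-SPSiteSubscription) {
        $cfg = Get-SPSiteSubscriptionConfig -Identity $existing -ErrorAction SilentlyContinue
        if ($cfg -and $cfg.UserAccountDirectoryPath -eq $ouPath) {
            throw "Site subscription $($existing.Id) already uses $ouPath."
        }
    }

    if (-not $PSCmdlet.ShouldProcess($rootUrl, "Provision tenant")) { return }

    # Steps 1 and 2 from the table: subscription, feature pack and People Picker OU.
    $sub = New-SPSiteSubscription
    Set-SPSiteSubscriptionConfig -Identity $sub -FeaturePack $FeaturePack -UserAccountDirectoryPath $ouPath

    # Step 3: root member site and tenant administration site, bound to the subscription.
    $common = @{
        SiteSubscription         = $sub
        HostHeaderWebApplication = $webApp
        OwnerAlias               = $TenantAdmin
        OwnerEmail               = $TenantAdminEmail
        ContentDatabase          = $ContentDatabase
    }
    New-SPSite -Url $rootUrl  -Template "STS#0" @common | Out-Null
    New-SPSite -Url $adminUrl -Template "TENANTADMIN#0" -AdministrationSiteType TenantAdministration @common | Out-Null

    # Return the subscription so callers can chain tenant-level configuration
    # (Set-SPSiteSubscriptionIRMConfig, Add-SPSiteSubscriptionProfileConfig, ...).
    return $sub
}

# Usage (values are constructed placeholders):
# $farm = Get-SPFarm
# $sub  = New-HostedTenant -TenantLabel "customera" -HostingDomain "contoso.com" `
#           -WebApplicationUrl "http://$ENV:COMPUTERNAME" -ContentDatabase "HostingFarm_Content_Hosting" `
#           -TenantAdmin "CONTOSO\customerA-Admin" -TenantAdminEmail "admin@customerA.com" `
#           -FeaturePack $farm.Properties.Foundation_FeaturePack -CustomersOU "OU=Customers,DC=contoso,DC=com"
```

Because the function supports -WhatIf, an operator can rehearse the provisioning and see the URLs and OU path that would be used before anything is created; the subscription is returned so the IRM, profile and content type hub configuration shown elsewhere on this page can be applied to it in the same pipeline.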

Workflow service

SharePoint Server 2013 brings a major advancement to workflow, including enterprise features such as fully declarative authoring, REST and Service Bus messaging, elastic scalability, and managed service reliability. SharePoint 2013 can use a new workflow service built on the Windows Workflow Foundation components of the .NET Framework 4.5. The new service is called Workflow Manager, and it is designed to play a central role in the enterprise.

The SharePoint 2013 Workflow platform becomes available to you, and to your tools, only after you download and install the new Workflow Manager Service and configure it to communicate with the SharePoint Server 2013 farm. For more information about how to install and configure the Workflow Manager Service for SharePoint 2013, see Install and configure workflow for SharePoint Server.

To configure the Workflow Service, use the Register-SPWorkflowService cmdlet to register the farm with the Workflow Service Manager in partition mode. When you do this, use the SPSite parameter to pass the URL of any existing tenant site collection in your farm, and use the ScopeName parameter to define a named workflow scope for the farm.

The following Windows PowerShell script shows how to register the SharePoint farm with the Workflow Service Manager in partition mode.

Add-PSSnapin microsoft.sharepoint.powershell -ea SilentlyContinue 
# Register the Farm with the Workflow Service and create a workflow scope
# Note: any tenant site will suffice
Register-SPWorkflowService -SPSite "http://tenant.contoso.com" -WorkflowHostUri "http://WFSvr01:12291" -PartitionMode -AllowOAuthHttp -Force -ScopeName "HostingFarm"

Write-Host "Farm Workflow Registration Script Completed!"

To enable a specific tenant for SharePoint Workflow, you must configure the workflow service proxy. To do this, obtain a reference to the tenant's root site collection and register it with the workflow service proxy.

The following PowerShell script shows how to enable a tenant for SharePoint Workflow.

Add-PSSnapin microsoft.sharepoint.powershell -ea SilentlyContinue
# Get the Workflow Service Application Proxy
$wfProxy = Get-SPWorkflowServiceApplicationProxy
# Create a credential object for the account used to register the tenant.
# Prompt for it instead of embedding a plain-text password in the script.
$user = (Get-Credential -Message "Account used to register the tenant with the workflow host").GetNetworkCredential()
# Get the SPSite object of the root site collection of the tenant
$site = Get-SPSite http://tenant.domain.com
# Set the workflow address for the tenant site (reference our workflow scope)
$wfProxy.SetWorkflowServiceAddress($site, "http://WFSvr01:12291/HostingFarm")
# Register the proxy with the tenant site collection
$wfProxy.Register($site, $user)
# Connect the tenant site collection to the proxy
$wfProxy.Connect($site)
Write-Host "Tenant Workflow Registration Script Completed!"

After the tenant is configured to use Workflow Service Manager, you can use SharePoint Designer to create workflows by using the SharePoint 2013 Workflow option, as shown in the following diagram.

This diagram shows the SharePoint 2013 Workflow option in SharePoint Designer

Extending the Tenant Administration site template

Use the Custom Action Definition Schema to add and remove links on the main page of the Tenant Administration site.

The following feature definition shows how to add a new group and several links, and how to remove the link to the Manage Site Collections page.

<Elements xmlns="http://schemas.microsoft.com/sharepoint/">
  <CustomActionGroup
       Id="TenantAdmin_HostingUserAccounts"
       Location="Microsoft.SharePoint.TenantAdministration"
       Title="User Accounts"
       Sequence="90"
       ImageUrl="_layouts/images/SiteSettings_UsersAndPermissions_48x48.png">
    <UrlAction
        Url="" />
  </CustomActionGroup>
  <CustomAction
      Id="TenantAdmin_HostingUserAccounts_AddUser"
      GroupId="TenantAdmin_HostingUserAccounts"
      Location="Microsoft.SharePoint.TenantAdministration"
      Sequence="10"
      Title="Create User">
    <UrlAction
        Url="_layouts/UserAccountsWebParts/UA_AddUsers.aspx" />
  </CustomAction>
  <CustomAction
      Id="TenantAdmin_HostingUserAccounts_ManageUsers"
      GroupId="TenantAdmin_HostingUserAccounts"
      Location="Microsoft.SharePoint.TenantAdministration"
      Sequence="30"
      Title="Manage Users">
    <UrlAction
        Url="_layouts/UserAccountsWebParts/UA_ManageUsers.aspx" />
  </CustomAction>
  <HideCustomAction
    GroupId = "TenantAdmin_Sites"
    HideActionId = "TenantAdmin_Sites_ManageSiteCollections" 
    Location="Microsoft.SharePoint.TenantAdministration" />
</Elements>

For more information about custom actions, such as the default IDs of the built-in links, see Custom Action Definition Schema.

Customizing the ribbon

The Server ribbon in SharePoint Server 2013 can be customized by using Server ribbon XML and ECMAScript (JavaScript, JScript). The XML defines the controls on the ribbon, and the ECMAScript performs actions on a page or on an object on the page. You can use ECMAScript from the SharePoint Foundation ECMAScript object model or the built-in ECMAScript functions, and you can also add your own ECMAScript to the page and use it to interact with the ribbon.

When customizing the Server ribbon, you can add, replace, and remove controls, groups, and tabs. Ribbon customizations are defined by using Server ribbon XML in a feature and can be deployed in a solution package (.wsp file). A customization can be scoped to a particular list type by using the RegistrationId and RegistrationType attributes, and to a site or to a particular web application by using the Scope attribute in the Feature.xml file.

The following XML shows how to replace the functionality of the Disk Quota button on the Manage Site Collections page.

<Elements xmlns="http://schemas.microsoft.com/sharepoint/" >
  <CustomAction Id="Ribbon.Library.Actions.ReplacementButton"
      Location="CommandUI.Ribbon"
      Title="Replace a Ribbon Button">
    <CommandUIExtension>
      <CommandUIDefinitions>
        <CommandUIDefinition
          Location="Ribbon.SiteCollections.Manage.DiskQuota">
          <Button Id="Ribbon.SiteCollections.Manage.DiskQuota.Replacement"
            Command="ReplacementButtonCommand"
            Image32by32="/_layouts/1033/images/formatmap32x32.png?vk=4536"
                  Image32by32Left="-256"
                  Image32by32Top="-224"
            LabelText="Disk Quota"
            TemplateAlias="o1" />
        </CommandUIDefinition>
      </CommandUIDefinitions>
      <CommandUIHandlers>
        <CommandUIHandler
          Command="ReplacementButtonCommand"
          CommandAction="javascript:
            function demoCallback(dialogResult, returnValue)
            {
            }
            var options = {
              url: 'HostingTenantAdmin/DiskQuota.aspx',
              title: 'Manage Disk Quota',
              allowMaximize: true,
              showClose: true,
              width: 610,
              height: 450,
              dialogReturnValueCallback: demoCallback
            };
            SP.UI.ModalDialog.showModalDialog(options);" />
      </CommandUIHandlers>
    </CommandUIExtension>
  </CustomAction>
</Elements>

For more information about how to customize the Server ribbon, see Customizing the Server Ribbon.

Extending a site subscription using custom properties

The Site Subscription Service Application can store both administrative custom properties and tenant custom properties. The supported property types are the following:

  • string

  • int

  • long

  • bool

  • Guid

  • DateTime

You can use custom properties to extend tenant management functionality, such as tenant quota management.

The following PowerShell script shows how to access custom properties.

Add-PSSnapin microsoft.sharepoint.powershell -ea SilentlyContinue
#-----------------------------------------------------
# Load Assemblies
#-----------------------------------------------------
[void] [Reflection.Assembly]::Load("Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c")
#-----------------------------------------------------
# Functions
#-----------------------------------------------------
function GetSPSiteSubscription([string]$url)
{
    [Microsoft.SharePoint.SPSiteSubscription]$sub = Get-SPSiteSubscription $url;

    return $sub;
}
function GetSiteSubAdminProperties([string]$url)
{
    [Microsoft.SharePoint.SPSiteSubscription]$sub = GetSPSiteSubscription -url $url;
    [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager] $manager =  [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager]::Local;
    if ($manager -eq $null)
    {
        throw("Bad Manager!");
    }
    [Microsoft.SharePoint.SPSiteSubscriptionPropertyCollection]$props = $manager.GetAdminProperties($sub);
    if ($props -eq $null)
    {
        throw("Bad Props!");
    }
    return $props; 
}
function AddOrSetSiteSubAdminProperty([string]$url, [string]$theKey, $theValue)
{
    [Microsoft.SharePoint.SPSiteSubscription]$sub = GetSPSiteSubscription -url $url;
    [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager] $manager =  [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager]::Local;
    if ($manager -eq $null)
    {
        throw("Bad Manager!");
    }
    [Microsoft.SharePoint.SPSiteSubscriptionPropertyCollection]$props = $manager.GetAdminProperties($sub);
    if ($props -eq $null)
    {
        throw("Bad Props!");
    }
    if ($props.ContainsKey($theKey) -eq $true)
    {
        $props.SetValue($theKey, $theValue);
    }
    else
    {
        $props.Add($theKey, $theValue);
    }
    $props.Update(); 
}
function GetSiteSubAdminProperty([string]$url, [string]$theKey)
{
    [Microsoft.SharePoint.SPSiteSubscription]$sub = GetSPSiteSubscription -url $url;
    [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager] $manager =  [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager]::Local;
    if ($manager -eq $null)
    {
        throw("Bad Manager!");
    }
    [Microsoft.SharePoint.SPSiteSubscriptionPropertyCollection]$props = $manager.GetAdminProperties($sub);
    if ($props -eq $null)
    {
        throw("Bad Props!");
    }
    $theValue = "";
    if ($props.ContainsKey($theKey) -eq $true)
    {
        foreach ($prop in $props)
        {
            if ($prop.Key -eq $theKey) 
            {
                $theValue = $prop.Value;
                break;
            }
        }
        return $theValue;
    }
    else 
    {
        return $null;
    }
}
function RemoveSiteSubAdminProperty([string]$url, [string]$theKey)
{
    [Microsoft.SharePoint.SPSiteSubscription]$sub = GetSPSiteSubscription -url $url;
    [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager] $manager =  [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager]::Local;
    if ($manager -eq $null)
    {
        throw("Bad Manager!");
    }
    [Microsoft.SharePoint.SPSiteSubscriptionPropertyCollection]$props = $manager.GetAdminProperties($sub);
    if ($props -eq $null)
    {
        throw("Bad Props!");
    }
    if ($props.ContainsKey($theKey) -eq $true)
    {
        $props.Remove($theKey);
        $props.Update();
    }
}
function GetSiteSubTenantProperties($url)
{
    [Microsoft.SharePoint.SPSiteSubscription]$sub = GetSPSiteSubscription -url $url;
    [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager] $manager =  [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager]::Local;
    if ($manager -eq $null)
    {
        throw("Bad Manager!");
    }

    [Microsoft.SharePoint.SPSiteSubscriptionPropertyCollection]$props = $manager.GetProperties($sub);
    if ($props -eq $null)
    {
        throw("Bad Props!");
    }
    return $props; 
}
function AddOrSetSiteSubTenantProperty([string]$url, [string]$theKey, $theValue)
{
    [Microsoft.SharePoint.SPSiteSubscription]$sub = GetSPSiteSubscription -url $url;
    [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager] $manager =  [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager]::Local;
    if ($manager -eq $null)
    {
        throw("Bad Manager!");
    }
    [Microsoft.SharePoint.SPSiteSubscriptionPropertyCollection]$props = $manager.GetProperties($sub);
    if ($props -eq $null)
    {
        throw("Bad Props!");
    }
    if ($props.ContainsKey($theKey) -eq $true)
    {
        $props.SetValue($theKey, $theValue);
    }
    else
    {
        $props.Add($theKey, $theValue);
    }
    $props.Update(); 
}
function GetSiteSubTenantProperty([string]$url, [string]$theKey)
{
    [Microsoft.SharePoint.SPSiteSubscription]$sub = GetSPSiteSubscription -url $url;
    [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager] $manager =  [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager]::Local;
    if ($manager -eq $null)
    {
        throw("Bad Manager!");
    }
    [Microsoft.SharePoint.SPSiteSubscriptionPropertyCollection]$props = $manager.GetProperties($sub);
    if ($props -eq $null)
    {
        throw("Bad Props!");
    }
    $theValue = "";
    if ($props.ContainsKey($theKey) -eq $true)
    {
        foreach ($prop in $props)
        {
            if ($prop.Key -eq $theKey) 
            {
                $theValue = $prop.Value;
                break;
            }
        }
        return $theValue;
    }
    else 
    {
        return $null;
    }
}
function RemoveSiteSubTenantProperty([string]$url, [string]$theKey)
{
    [Microsoft.SharePoint.SPSiteSubscription]$sub = GetSPSiteSubscription -url $url;
    [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager] $manager =  [Microsoft.SharePoint.SPSiteSubscriptionSettingsManager]::Local;
    if ($manager -eq $null)
    {
        throw("Bad Manager!");
    }
    [Microsoft.SharePoint.SPSiteSubscriptionPropertyCollection]$props = $manager.GetProperties($sub);
    if ($props -eq $null)
    {
        throw("Bad Props!");
    }
    if ($props.ContainsKey($theKey) -eq $true)
    {
        $props.Remove($theKey);
        $props.Update();
    }
}

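The tenant quota management mentioned above, as an added example that is not part of the original article: it stores a per-tenant storage quota as an administrative custom property and checks it against the combined storage of the tenant's site collections. It assumes the functions of the preceding script are loaded in the session; the property names QuotaBytes and QuotaSetOn and the tenant URL are assumptions.

```powershell
# Added example (not from the original article): tenant storage quota management built
# on the custom-property functions defined in the script above, which are assumed to be
# dot-sourced into this session. The property names and the tenant URL are constructed.
Add-PSSnapin microsoft.sharepoint.powershell -ea SilentlyContinue

$tenantUrl = "http://tenant.contoso.com"

# The quota is stored as an administrative property, the set intended for the hosting
# provider rather than the tenant, so it is not a tenant-editable setting. Cast to
# [long] and [DateTime] so that the stored values use the supported property types.
AddOrSetSiteSubAdminProperty -url $tenantUrl -theKey "QuotaBytes" -theValue ([long]5GB)
AddOrSetSiteSubAdminProperty -url $tenantUrl -theKey "QuotaSetOn" -theValue ([DateTime]::UtcNow)

# Sum the storage used by every site collection that belongs to the tenant's subscription.
function Get-TenantStorageUsage([string]$url)
{
    $sub = Get-SPSiteSubscription $url
    [long]$used = 0
    foreach ($site in (Get-SPSite -SiteSubscription $sub -Limit All))
    {
        $used += $site.Usage.Storage   # bytes used by this site collection
        $site.Dispose()
    }
    return $used
}

# Compare the usage with the stored quota; returns $true when the tenant is within limits.
function Test-TenantQuota([string]$url)
{
    $quota = GetSiteSubAdminProperty -url $url -theKey "QuotaBytes"
    if ($quota -eq $null)
    {
        Write-Warning "No QuotaBytes property is set for $url; nothing to enforce."
        return $true
    }
    [long]$limit = $quota
    $used = Get-TenantStorageUsage -url $url
    $pct = [math]::Round(100 * $used / $limit, 1)
    Write-Host ("{0}: {1:N0} of {2:N0} bytes used ({3}%)" -f $url, $used, $limit, $pct)
    return ($used -le $limit)
}

if (-not (Test-TenantQuota -url $tenantUrl))
{
    # Over quota: this is where the provider would raise an alert or block further
    # site collection creation for the tenant (the policy itself is assumed here).
    Write-Warning "Tenant $tenantUrl has exceeded its storage quota."
}
```
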
See also

Concepts

General guidance for hosters in SharePoint Server 2013