Technical deep-dive

Planning a SharePoint 2016 Beta 2 Installation: Service Accounts

Audience: Windows Server And SharePoint IT Professionals

Level: Deep Technical

Summary:

SharePoint 2016 beta 2 is here! If you want to install a new SharePoint 2016 beta 2 farm in a proper way,

there are many aspects to consider. One dimension is to plan the service accounts that SharePoint

needs. There is some guidance available from Microsoft at

https://technet.microsoft.com/en-us/library/cc303422%28v=office.16%29.aspx

However, when it comes time to start planning your installation you may be left with concrete questions about which options to choose. So we have gone through the roughly 300 pages of TechNet documentation and combined this with our project experience in order to build a concrete recommendation for how to prepare a new SharePoint 2016 beta 2 farm.

We welcome any comments.

Context

Though this guide is generic and should apply to both MinRole and Custom deployments, we have only tested it with a Custom deployment at this time. We have also focused on the base SharePoint installation, excluding external servers such as Office Online Server Preview (the next version of Office Web Apps Server) and Workflow Manager. We have included service account best practices for these excluded services, but those are based strictly on SharePoint 2013.

Before we start

Use different Service Accounts

To deploy a SharePoint 2016 beta 2 server farm, you must create several different service accounts in Active Directory. Do not reuse one account for several roles: each account below is given only the rights its role needs, so that a compromised content application pool, for example, does not also hold the farm account's db_owner rights on every SharePoint database. This document describes the accounts that are used to install and configure SharePoint 2016 beta 2.

Maximum length of Service Account names

The combined DOMAIN NAME\Service Account name must not exceed 19 characters. So DOMAIN1\SharePoint setup is 24 characters and NOT supported, while DOMAIN1\SPSQL_Setup is exactly 19 and fits. Independently of that, Windows limits the pre-Windows 2000 logon name (sAMAccountName) of a user account to 20 characters. In this guide you will see recommended service account names. For every account that you are about to create, first check the total length with your own NetBIOS domain name.

Use password never expires

All service accounts should be set to "Password never expires" in Active Directory, because if they expire some time after the installation of SP2016 this would be an issue for the continued operation of SharePoint. A never-expiring password still has to be rotated: where possible configure Managed Accounts in SharePoint, which changes the password in AD for managed accounts on a regular schedule. Managed account rotation only works if the account is allowed to change its own password (do not set "User cannot change password") and if nothing outside SharePoint depends on that password, so the SQL Server service accounts and the setup account should not become managed accounts.

Place all service accounts in one Active Directory OU

Group the service accounts in one dedicated Active Directory OU. This lets system administrators easily locate and review them, and it gives you one place to delegate control over them and one container to reference from security policies.

No Single Label Domain Support

SharePoint Server 2016 Beta 2, like previous versions, does not support single-label domain names. So if your forest + domain name is "MyCorp" instead of "Sales.MyCorp" or "Ops.MyCorp" you will not be able to (properly) install SharePoint.

Avoid special characters in Service Account Names

Do not use service account names that contain the symbol $ (Windows uses a trailing $ for computer accounts). Stick to letters, digits and underscore, as in the recommended names below.
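The rules in this section (name length, no $, one OU, password never expires, single-label domain) can be checked and applied in one go. The following script is an added example and is not part of the original guide; the NetBIOS name CORP, the DNS name corp.example.com and the OU name are placeholders you replace with your own values.

```powershell
# Added example (not from the original guide): check the recommended names against the rules above,
# then create the accounts in one dedicated OU with "Password never expires".
# Assumptions: NetBIOS domain CORP, DNS domain corp.example.com and the OU name are placeholders;
# run in an elevated PowerShell with the RSAT ActiveDirectory module, as an account allowed to
# create users in that OU. Passwords are prompted for, never stored in the script.
Import-Module ActiveDirectory

$Domain    = 'CORP'
$DomainDns = 'corp.example.com'
$DomainDN  = 'DC=corp,DC=example,DC=com'
$OuName    = 'SharePoint Service Accounts'
$OuDN      = "OU=$OuName,$DomainDN"

# Recommended names from this guide and what each one is for.
$Accounts = @(
    @{ Sam = 'SPSQL_Setup'; Description = 'SharePoint 2016: SQL Server setup account' },
    @{ Sam = 'SPSQL_ENG';   Description = 'SharePoint 2016: SQL Server Database Engine service' },
    @{ Sam = 'SPSQL_Age';   Description = 'SharePoint 2016: SQL Server Agent service' },
    @{ Sam = 'SP_Setup';    Description = 'SharePoint 2016: setup user account' },
    @{ Sam = 'SP_Farm';     Description = 'SharePoint 2016: farm (database access) account' },
    @{ Sam = 'SP_CWAP';     Description = 'SharePoint 2016: content web application pool' },
    @{ Sam = 'SP_SAP';      Description = 'SharePoint 2016: service application pool' },
    @{ Sam = 'SP_SCRD';     Description = 'SharePoint 2016: default content access (crawl)' }
)

function Test-ServiceAccountName {
    # Returns the rule violations for DOMAIN\Sam; no output means the name is acceptable.
    param([string]$NetBiosDomain, [string]$Sam)
    $full = "$NetBiosDomain\$Sam"
    if ($full.Length -gt 19) { "$full is $($full.Length) characters; this guide allows at most 19" }
    if ($Sam.Length -gt 20)  { "$Sam exceeds the 20-character sAMAccountName limit" }
    if ($Sam.Contains('$'))  { "$Sam contains a dollar sign" }
    if ($Sam -match '["/\\\[\]:;|=,+*?<>@]') { "$Sam contains a character that is not allowed in a logon name" }
}

# Single-label domain check: SharePoint needs at least one dot in the DNS domain name.
if ($DomainDns -notmatch '\.') { throw "$DomainDns is a single-label domain; SharePoint does not support it" }

$violations = $Accounts | ForEach-Object { Test-ServiceAccountName -NetBiosDomain $Domain -Sam $_.Sam }
if ($violations) { $violations | Write-Warning; throw 'Fix the account names before creating anything' }

if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

foreach ($a in $Accounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'") { Write-Host "$($a.Sam) already exists, skipping"; continue }
    $password = Read-Host -AsSecureString -Prompt "Initial password for $Domain\$($a.Sam)"
    New-ADUser -Name $a.Sam -SamAccountName $a.Sam -UserPrincipalName "$($a.Sam)@$DomainDns" `
        -Path $OuDN -Description $a.Description -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
        -CannotChangePassword $false   # must stay $false, or SharePoint managed-account rotation fails
}
```

The length check uses your real NetBIOS name, which is the only way to know whether a recommended name fits: with a seven-character domain name every SQL account above is at or just under the limit.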

Service accounts for SQL Server

0.1.1 SQL Server Setup account: DOMAIN\SPSQL_Setup

Account Description:

For SharePoint 2016 beta 2. This account is used to install SQL Server.

Account Type:

Domain user account

Account Permissions:

Member of the local Administrators group on the SQL Server computer.

Remarks:

This account is not used to run either the SQL Server Database Engine (MSSQLSERVER) or the SQL Server Agent service. Only the accounts you name as SQL Server administrators during setup become sysadmin; do not list the SharePoint accounts there.

0.1.2 SQL Server Engine service account: DOMAIN\SPSQL_ENG

Account Description:

For SharePoint 2016 beta 2. The SQL Server Engine service account is the identity the SQL Server Database Engine runs as. It is the service account for the following SQL Server service:

o MSSQLSERVER (display name "SQL Server (MSSQLSERVER)")

If you do not use the default SQL Server instance, the service is shown in the Windows Services console as:

o MSSQL$<InstanceName> (display name "SQL Server (<InstanceName>)")

Account Type:

Domain Account

Account Permissions:

None beyond what SQL Server setup grants it. If you plan to back up to or restore from an external resource (for example a file share), permissions on that resource must be granted to this account.

0.1.3 SQL Server Agent service account: DOMAIN\SPSQL_Age

Account Description:

For SharePoint 2016 beta 2. The SQL Server Agent service account runs the SQL Server Agent, the scheduler for jobs such as maintenance plans and backups. It is the service account for the following SQL Server service:

o SQLSERVERAGENT (display name "SQL Server Agent (MSSQLSERVER)")

If you do not use the default SQL Server instance, the service is shown in the Windows Services console as:

o SQLAgent$<InstanceName> (display name "SQL Server Agent (<InstanceName>)")

Account Type:

Domain Account

Account Permissions:

None beyond what SQL Server setup grants it. If you plan to back up to or restore from an external resource from Agent jobs, permissions on that resource must be granted to this account.
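The three SQL Server accounts above are easiest to keep apart with an unattended installation, where each identity is named explicitly. The following command line is an added example and not part of the guide; the domain CORP, the DBA group CORP\SQL-DBAs, the D:\ media path and the default instance are assumptions.

```powershell
# Added example (not part of the guide): unattended SQL Server setup that keeps the three SQL roles on
# separate identities: the installing account, the Database Engine service and the Agent service.
# Assumptions: domain CORP, a DBA group CORP\SQL-DBAs that becomes sysadmin, the default instance,
# installation media on D:\, and an elevated prompt on the SQL Server computer logged on as
# CORP\SPSQL_Setup (local Administrator there). Passwords are prompted for.
$engine = Get-Credential -UserName 'CORP\SPSQL_ENG' -Message 'Database Engine service account'
$agent  = Get-Credential -UserName 'CORP\SPSQL_Age' -Message 'SQL Server Agent service account'

$setupArgs = @(
    '/Q', '/ACTION=Install', '/FEATURES=SQLENGINE', '/INSTANCENAME=MSSQLSERVER',
    '/IACCEPTSQLSERVERLICENSETERMS',
    '/SQLCOLLATION=Latin1_General_CI_AS_KS_WS',           # collation SharePoint requires for its databases
    '/SQLSVCACCOUNT="CORP\SPSQL_ENG"',
    ('/SQLSVCPASSWORD="{0}"' -f $engine.GetNetworkCredential().Password),
    '/AGTSVCACCOUNT="CORP\SPSQL_Age"',
    ('/AGTSVCPASSWORD="{0}"' -f $agent.GetNetworkCredential().Password),
    '/AGTSVCSTARTUPTYPE=Automatic',
    '/SQLSYSADMINACCOUNTS="CORP\SQL-DBAs"'                 # sysadmin: DBAs only, no SharePoint accounts
)
# Start-Process passes the array through unchanged, so the quoted values survive spaces in passwords
# (a double quote inside a password would still break the command line).
$setup = Start-Process -FilePath 'D:\setup.exe' -ArgumentList $setupArgs -Wait -PassThru -NoNewWindow
if ($setup.ExitCode -ne 0) {
    throw "SQL Server setup failed with exit code $($setup.ExitCode); see Setup Bootstrap\Log\Summary.txt under the SQL Server program folder"
}

# Verify that the services run as the intended accounts and not as the installing account.
Get-CimInstance -ClassName Win32_Service -Filter "Name='MSSQLSERVER' OR Name='SQLSERVERAGENT'" |
    Select-Object Name, StartName, State
```

Neither the installing account nor any SharePoint account appears in /SQLSYSADMINACCOUNTS: the SharePoint Setup user account only needs the two fixed server roles described under the SharePoint accounts below, and the farm account is granted its roles by SharePoint itself.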

Service accounts for SharePoint

0.1.4 SharePoint Setup user account: DOMAIN\SP_Setup

Account Description:

For SharePoint 2016 beta 2.

The Setup user account is used to:

o Install SharePoint (run Setup)

o Run the SharePoint Products Configuration Wizard (psconfig) and the SharePoint Management Shell cmdlets

Account Type:

Domain user account.

Account Permissions:

1. Member of the Administrators group on each server on which SharePoint Setup is run.

2. SQL Server login on the computer that runs SQL Server.

3. Member of the following SQL Server roles:

a. securityadmin fixed server role

b. dbcreator fixed server role

4. If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for that database.

Notes: Never delete this account in your Active Directory. You will need it if you want to modify the SharePoint installation at a later date. If you have deleted this account and you recreate it with the same name, it will not work: the new account has a different SID, and both the SQL Server login and the permissions SharePoint stored are bound to the SID, not to the name.
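Granting exactly the rights listed above, and verifying that nothing more was granted, looks like this. It is an added example, not the guide's own script; the instance name SQL01, the account CORP\SP_Setup and the SqlServer module (Invoke-Sqlcmd) are assumptions.

```powershell
# Added example (not from the guide): grant the SharePoint Setup user account exactly the SQL Server
# rights listed above, then verify. Assumptions: default instance on SQL01, account CORP\SP_Setup,
# and the SqlServer (or older SQLPS) module providing Invoke-Sqlcmd; run as a SQL Server sysadmin.
Import-Module SqlServer -ErrorAction SilentlyContinue   # older hosts: Import-Module SQLPS

$SqlInstance  = 'SQL01'
$SetupAccount = 'CORP\SP_Setup'

# ALTER SERVER ROLE ... ADD MEMBER needs SQL Server 2012 or later, which every SharePoint 2016 farm has.
$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$SetupAccount')
    CREATE LOGIN [$SetupAccount] FROM WINDOWS;
ALTER SERVER ROLE [dbcreator]     ADD MEMBER [$SetupAccount];
ALTER SERVER ROLE [securityadmin] ADD MEMBER [$SetupAccount];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $grant

# Verify: both required roles present, sysadmin absent (setup does not need it).
$check = @"
SELECT IS_SRVROLEMEMBER('dbcreator',     N'$SetupAccount') AS dbcreator,
       IS_SRVROLEMEMBER('securityadmin', N'$SetupAccount') AS securityadmin,
       IS_SRVROLEMEMBER('sysadmin',      N'$SetupAccount') AS sysadmin;
"@
$r = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $check
if ($r.dbcreator -ne 1 -or $r.securityadmin -ne 1) { throw "$SetupAccount is missing a required server role" }
if ($r.sysadmin -eq 1) { Write-Warning "$SetupAccount is sysadmin; remove it, setup only needs dbcreator and securityadmin" }
```

Treat securityadmin with the same care as sysadmin: a member of securityadmin can grant server-level permissions, including CONTROL SERVER, to any login, which is why Microsoft documents the two roles as equivalent in effect. That is the reason the setup account is a dedicated account rather than an administrator's everyday logon.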

0.1.5 SharePoint Server farm account DOMAIN\SP_Farm

Account Description:

For SharePoint 2016 beta 2.

The server farm account (also called the database access account) is used to configure and manage the server farm. It performs the following tasks:

o Acts as the application pool identity for the SharePoint Central Administration Web site.

o Runs the SharePoint Timer Service and the Microsoft SharePoint Foundation Workflow Timer Service.

Note that SharePoint Foundation itself is no longer available in the SharePoint Server 2016 release; the service simply keeps its old name.

Account Type:

Domain user account.

Account Permissions:

1. Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm.

2. The server farm account is automatically added as a SQL Server login on the computer that runs SQL Server. The account is added to the following SQL Server security roles:

o dbcreator fixed server role

o securityadmin fixed server role

o db_owner fixed database role for all SharePoint databases in the server farm

Because of this, the farm account is the most valuable identity in the farm: it is db_owner on every SharePoint database and runs the timer service on every server. Never use it to log on interactively, and never use it as the application pool identity for content web applications or service applications.

Remarks:

Use this account as the Database access account on the Specify Configuration Database Settings page of the SharePoint Products Configuration Wizard (the screenshot is not reproduced here).
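The wizard page referred to above has a PowerShell equivalent, which also shows where the Managed Accounts recommendation from the "Before we start" section takes effect: the farm account is registered as a managed account when the configuration database is created, and SharePoint can then rotate its password. The script below is an added example, not the guide's own; SQL01, the database names, port 2016 and the Custom role are assumptions.

```powershell
# Added example (not from the guide): create the configuration database with the farm account as the
# database access account, then let SharePoint rotate that account's password. Assumptions: SQL Server
# SQL01, database names SharePoint_Config / SharePoint_AdminContent, Custom server role, Central
# Administration on port 2016; run in an elevated SharePoint 2016 Management Shell as CORP\SP_Setup.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmCred   = Get-Credential -UserName 'CORP\SP_Farm' -Message 'Farm (database access) account'
$passphrase = Read-Host -AsSecureString -Prompt 'Farm passphrase (needed later to join more servers)'

# Equivalent of the "Specify Configuration Database Settings" page of the Products Configuration Wizard.
New-SPConfigurationDatabase -DatabaseName 'SharePoint_Config' -DatabaseServer 'SQL01' `
    -AdministrationContentDatabaseName 'SharePoint_AdminContent' `
    -FarmCredentials $farmCred -Passphrase $passphrase `
    -LocalServerRole Custom            # SharePoint 2016 parameter; use the MinRole you deploy instead

# The remaining steps the wizard performs after that page.
Install-SPHelpCollection -All
Initialize-SPResourceSecurity
Install-SPService
Install-SPFeature -AllExistingFeatures
New-SPCentralAdministration -Port 2016 -WindowsAuthProvider NTLM
Install-SPApplicationContent

# The farm account is now a managed account; from here on SharePoint owns its password.
$farm = Get-SPManagedAccount -Identity 'CORP\SP_Farm'
Set-SPManagedAccount -Identity $farm -AutoGeneratePassword -Schedule 'monthly at 15 02:00:00' `
    -PreExpireDays 7 -EmailNotification 5

# Review which accounts SharePoint rotates and on what schedule.
Get-SPManagedAccount | Select-Object UserName, AutomaticChange, ChangeSchedule
```

Once AutoGeneratePassword is on, nobody knows the farm account's password, which is the point: the account is never meant to be used interactively. It also means that anything outside SharePoint configured with that password by hand (a scheduled task, a SQL Agent job) will break at the next rotation, so keep such dependencies off the managed accounts.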

0.1.6 SharePoint App pool for content web apps DOMAIN\SP_CWAP

Description:

For SharePoint 2016 beta 2. This account is the application pool identity for the content web applications, i.e. the sites that end users browse. It is the identity most exposed to user-supplied input, which is why it gets nothing beyond what SharePoint grants it automatically.

Account Type:

Domain user account.

Account Permissions:

None, unless you use Office Web Apps; then access to the content databases must be granted manually.

0.1.7 SharePoint Service Application pool account DOMAIN\SP_SAP

Description:

For SharePoint 2016 beta 2. This account is the identity of the application pool that hosts the service applications (Managed Metadata, Business Data Connectivity, Search administration and so on).

Account Type:

Domain user account.

Account Permissions:

None. SharePoint grants the account what the service applications need when they are created. Do not add it to the Farm Administrators group: every service application running in this pool would then execute with farm-wide administrative rights, and the linked TechNet guidance gives application pool identities no additional permissions.

0.1.8 SharePoint Default content access account for Search Crawling DOMAIN\SP_SCRD

Description:

For SharePoint 2016 beta 2. This account is the default content access account that Search uses to crawl content.

Account Type:

Domain user account.

Account Permissions:

1. The default content access account must be a domain user account that has read access to the external or secure content sources that you want to crawl by using this account.

2. For SharePoint Server sites that are not part of the server farm, you have to explicitly grant this account Full Read permissions to the web applications that host the sites.

3. This account must not be a member of the Farm Administrators group, and it should not have write access anywhere it crawls: the crawler only reads, so any write right granted to it only widens what a compromise of the search components could change.

0.1.9 SharePoint Content Access account for Search Crawling DOMAIN\SP_SCRA1

Account Description:

For SharePoint 2016 beta 2.

This account is used by Search crawling to access external content sources. This type of account is optional, and you configure it when you create a crawl rule. For example, external content (such as a file share) might require this separate content access account, so that the default content access account is not given rights outside SharePoint.

Account Type:

Domain user account.

Account Permissions:

1. The content access account must have read access to external or secure content sources that this

account is configured to access.

2. For SharePoint Server sites that are not part of the server farm, you have to explicitly grant this

account full read permissions to the web applications that host the sites.

0.1.10 SharePoint My Sites application pool account DOMAIN\SP_MS

Account Description:

For SharePoint 2016 beta 2. This account is the application pool identity for the My Sites web application.

Account Type:

Domain user account.

Account Permissions:

This account must not be a member of the Administrators group on any computer in the server farm.

0.1.11 SharePoint Other Application pool account DOMAIN\SP_OAP

Description:

For SharePoint 2016 beta 2. This account is the application pool identity for any other application pools you create (for example a separate pool for an extranet web application).

Account Type:

Domain user account.

Account Permissions:

This account must not be a member of the Administrators group on any computer in the server farm.
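The application pool accounts in 0.1.6 to 0.1.11 are registered as managed accounts and bound to their pools, and the "must not be a local Administrator" and "must not be a Farm Administrator" rules above are worth checking on every server rather than trusting the build notes. The script below is an added example, not the guide's own; the domain CORP, the host header intranet.corp.example.com and the database name are assumptions.

```powershell
# Added example (not from the guide): register the application pool identities as managed accounts,
# create one pool per trust boundary, and audit the "must not be local Administrator / Farm
# Administrator" rules above across the farm. Assumptions: domain CORP, host header
# intranet.corp.example.com, content database WSS_Content_Intranet; run in an elevated SharePoint 2016
# Management Shell as CORP\SP_Setup on a server in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$AppPoolAccounts = 'CORP\SP_CWAP', 'CORP\SP_SAP', 'CORP\SP_MS', 'CORP\SP_OAP'
$CrawlAccount    = 'CORP\SP_SCRD'

foreach ($name in $AppPoolAccounts) {
    if (-not (Get-SPManagedAccount -Identity $name -ErrorAction SilentlyContinue)) {
        New-SPManagedAccount -Credential (Get-Credential -UserName $name -Message "Password for $name") | Out-Null
    }
}

# Service applications share one pool; content web applications get their own identity.
$sapPool = New-SPServiceApplicationPool -Name 'SharePoint Service Applications' `
    -Account (Get-SPManagedAccount -Identity 'CORP\SP_SAP')
New-SPWebApplication -Name 'Intranet' -Port 80 -HostHeader 'intranet.corp.example.com' `
    -Url 'http://intranet.corp.example.com' `
    -ApplicationPool 'SharePoint Content Web Applications' `
    -ApplicationPoolAccount (Get-SPManagedAccount -Identity 'CORP\SP_CWAP') `
    -AuthenticationProvider (New-SPAuthenticationProvider) `
    -DatabaseName 'WSS_Content_Intranet' | Out-Null

function Get-LocalAdministrators {
    # Members of the local Administrators group on a server as DOMAIN\name (WinNT provider, works on 2012 R2).
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($group.Invoke('Members')) | ForEach-Object {
        ($_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-FarmAdministrators {
    # Logins in the Farm Administrators group of Central Administration, with any claims prefix stripped.
    $ca   = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
    $site = Get-SPSite -Identity $ca.Url
    try     { $site.RootWeb.SiteGroups['Farm Administrators'].Users | ForEach-Object { $_.UserLogin -replace '^i:0#\.w\|', '' } }
    finally { $site.Dispose() }
}

function Test-ServiceAccountPrivileges {
    # Returns one finding per violation of the rules in this guide; no output is a pass.
    param([string[]]$AppPoolAccounts, [string]$CrawlAccount)
    $accounts = $AppPoolAccounts + $CrawlAccount
    $servers  = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }   # 'Invalid' is the SQL Server entry
    foreach ($server in $servers) {
        $admins = Get-LocalAdministrators -ComputerName $server.Address
        foreach ($acct in $accounts) {
            if ($admins -contains $acct) { "$acct is a local Administrator on $($server.Address)" }
        }
    }
    $farmAdmins = Get-FarmAdministrators
    foreach ($acct in $accounts) {
        if ($farmAdmins -contains $acct) { "$acct is a Farm Administrator" }
    }
}

Test-ServiceAccountPrivileges -AppPoolAccounts $AppPoolAccounts -CrawlAccount $CrawlAccount
```

Run the audit again after every server is joined and after any "temporary" elevation during troubleshooting; local Administrators membership granted to get a service started is the kind of thing that never gets removed.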

0.1.12 SharePoint User Profile Synchronization Connection Account: DOMAIN\SP_UPSC

From here on down the accounts are still from SharePoint 2013, not yet adapted for SharePoint 2016. Note that the FIM-based User Profile Synchronization Service was removed in SharePoint Server 2016; profiles there are imported with Active Directory Import or synchronized by an external Microsoft Identity Manager server. The connection account in this section is still needed for Active Directory Import, with the same Replicating Directory Changes requirement.

Description:

For SharePoint 2013. This is the account used to perform synchronization with the remote directory service. There can be one account per synchronization connection.

Permissions:

1. Domain user account.

2. Replicating Directory Changes permission on the domains being synchronized.

3. Replicating Directory Changes permission on the configuration partition of the domains being synchronized, if the NetBIOS and fully qualified domain name (FQDN) names do not match.

Grant only Replicating Directory Changes, never Replicating Directory Changes All: the latter allows an account to replicate password hashes (the DCSync technique), which profile synchronization does not need.

0.1.13 SharePoint User Profile Synchronization Account: DOMAIN\SP_UPSS

Description:

For SharePoint 2013: this is the Windows service account for the User Profile Synchronization Service. In SharePoint 2013 Central Administration only offers the farm account for this service, so in practice it runs as DOMAIN\SP_Farm and the requirements below apply to the farm account for as long as the service is provisioned.

Permissions:

1. Must be a member of the Farm Administrators group.

2. Requires the Log on locally right on the computer running the instance of the User Profile Synchronization Service.

3. Requires local Administrator membership on the server running the instance of the User Profile Synchronization Service while the service is being started (provisioned); remove it again afterwards.

0.1.14 SharePoint Search service account DOMAIN\SP_SRH

Description:

For SharePoint 2013: this account is used for the Search service (the identity of the SharePoint Server Search Windows service).

Permissions:

1. Domain user account.

2. This setting applies to all Search service applications in the farm. You can change this account at any time by clicking Configure service accounts in the Security section on the Central Administration home page.

0.1.15 SharePoint Search Admin Web Service application pool account DOMAIN\SP_SAW

Description:

For SharePoint 2013: this account is used for the Search Admin Web Service application pool.

Permissions:

1. Domain user account.

2. You can use the same credentials that you specified for the Search service, or you can assign different credentials to each account according to the principle of least-privilege administration.

0.1.16 SharePoint Search Query and Site Settings Web Service application pool account DOMAIN\SP_SQS

Description:

For SharePoint 2013: this account is used for the Search Query and Site Settings Web Service application pool.

Permissions:

1. Domain user account.

2. You can use the same credentials that you specified for the Search service, or you can assign different credentials to each account according to the principle of least-privilege administration.

0.1.17 SharePoint App Fabric Account DOMAIN\SP_APF

Description:

SharePoint 2013: this account runs the Distributed Cache service (the AppFabric Caching Service). By default that service runs as the farm account; changing it to this account is done with Windows PowerShell, not from Central Administration.

Permissions:

1. Domain user account, registered as a managed account in SharePoint.

0.1.18 SharePoint Search Host Account DOMAIN\SP_SH

Description:

For SharePoint 2013: this account is used for the Search Host Controller service.

Permissions:

Domain user account.

0.1.19 SharePoint Cache Super User Account DOMAIN\SP_CSU

Description:

For SharePoint 2013: this account is the object cache Super User, one of the two object cache accounts.

Special Permissions:

The object cache accounts are user accounts that are given a Full Control (Super User) or Full Read (Super Reader) user policy on the web application, so that ASP.NET can cache items once on their behalf and serve them to all users to improve performance. Both must be configured on every web application that uses the object cache, and neither must ever be used to log on to a site.

These accounts should not have any special Active Directory privileges other than Domain User membership.

0.1.20 SharePoint Cache Super Reader Account DOMAIN\SP_CSR

Description:

For SharePoint 2013: this account is the object cache Super Reader.

Permissions:

Full Read user policy on the web application, as described under the Super User account above.

These accounts should not have any special Active Directory privileges other than Domain User membership.
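Configuring the two object cache accounts means three things on the web application: the two user policies (Full Control and Full Read), the two web application properties that name the accounts, and, on a claims web application, the claims-encoded form of each login. The script below is an added example and not the guide's own; the web application URL and the domain CORP are assumptions.

```powershell
# Added example (not from the guide): configure the two object cache accounts on a web application as
# described above, with a Full Control user policy for the Super User and a Full Read policy for the
# Super Reader, and nothing granted in Active Directory. Assumptions: web application
# http://intranet.corp.example.com (claims-based), domain CORP; run in an elevated SharePoint Management
# Shell as a farm administrator, then recycle the application pools (or run iisreset) on every web server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-ObjectCacheAccounts {
    param(
        [Parameter(Mandatory)][string]$WebAppUrl,
        [Parameter(Mandatory)][string]$SuperUser,      # e.g. CORP\SP_CSU
        [Parameter(Mandatory)][string]$SuperReader     # e.g. CORP\SP_CSR
    )
    $wa = Get-SPWebApplication -Identity $WebAppUrl

    # Claims-based web applications store the login in claims form (i:0#.w|corp\sp_csu);
    # a plain DOMAIN\name there causes "access denied" for every user once the cache kicks in.
    $logins = @{}
    foreach ($login in $SuperUser, $SuperReader) {
        $logins[$login] = if ($wa.UseClaimsAuthentication) {
            (New-SPClaimsPrincipal -Identity $login -IdentityType WindowsSamAccountName).ToEncodedString()
        } else { $login }
    }

    # One web application user policy per account, replacing any existing policy for that login.
    $roles = @{ $SuperUser = 'FullControl'; $SuperReader = 'FullRead' }
    foreach ($login in $roles.Keys) {
        $encoded = $logins[$login]
        if ($wa.Policies | Where-Object { $_.UserName -eq $encoded }) { $wa.Policies.Remove($encoded) }
        $policy   = $wa.Policies.Add($encoded, $login)
        $roleType = [Enum]::Parse([Microsoft.SharePoint.Administration.SPPolicyRoleType], $roles[$login])
        $policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole($roleType))
    }

    # Tell the object cache which accounts to use.
    $wa.Properties['portalsuperuseraccount']   = $logins[$SuperUser]
    $wa.Properties['portalsuperreaderaccount'] = $logins[$SuperReader]
    $wa.Update()
}

function Test-ObjectCacheAccounts {
    # Shows, per object cache setting, the stored login and the policy role it actually holds.
    param([Parameter(Mandatory)][string]$WebAppUrl)
    $wa = Get-SPWebApplication -Identity $WebAppUrl
    foreach ($key in 'portalsuperuseraccount', 'portalsuperreaderaccount') {
        $login  = $wa.Properties[$key]
        $policy = $wa.Policies | Where-Object { $_.UserName -eq $login }
        $role   = if ($policy) { ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', ' } else { 'MISSING' }
        [pscustomobject]@{ Setting = $key; Login = $login; Policy = $role }
    }
}

Set-ObjectCacheAccounts -WebAppUrl 'http://intranet.corp.example.com' -SuperUser 'CORP\SP_CSU' -SuperReader 'CORP\SP_CSR'
Test-ObjectCacheAccounts -WebAppUrl 'http://intranet.corp.example.com'
```

A policy row reading MISSING, or a login stored without the claims prefix on a claims web application, is the classic cause of intermittent "access denied" for ordinary users after the object cache is enabled.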

0.1.21 SharePoint Performance Point Service Account DOMAIN\SP_PP

Description:

SharePoint 2013: this account is used for the PerformancePoint Services application pool.

Permissions:

Domain user account.

Required special permissions in the AD domain for one account (SharePoint 2013)

How to give the DOMAIN\SP_UPSC account permission in AD.

Account name and purpose:

User Profile Synchronization Connection Service Account, DOMAIN\SP_UPSC. This is the account used to perform synchronization with the remote directory service. There can be one account per synchronization connection.

Requirements:

Replicating Directory Changes permission on the domains being synchronized.

Replicating Directory Changes permission on the configuration partition of the domains being synchronized if the NetBIOS and fully qualified domain name (FQDN) names do not match.

Follow these steps:

To grant Replicate Directory Changes permission on a domain

1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.

3. On the first page of the Delegation of Control Wizard, click Next.

4. On the Users or Groups page, click Add.

5. Type the name of the synchronization account, and then click OK.

6. Click Next.

7. On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.

8. On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.

9. On the Permissions page, in the Permissions box, select Replicating Directory Changes (select Replicate Directory Changes on Windows Server 2003), and then click Next. Leave Replicating Directory Changes All unselected: it is not needed, and it would let the account replicate password hashes.

10. Click Finish.

When the NetBIOS and FQDN names of the domain differ, repeat the grant on the configuration partition (CN=Configuration,DC=...), which is reached through ADSI Edit rather than Active Directory Users and Computers.

Grant Create Child Objects and Write permission

Use this procedure to grant Create Child Objects and Write permission to an account. These rights are only needed when you export profile properties back to Active Directory; for import-only synchronization, skip this procedure, because it lets the account create objects and change attributes in the OU.

To grant Create Child Objects and Write permission

1. On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.

2. If the Default naming context node is not already present, do the following:

a. In the navigation pane, click ADSI Edit.

b. On the Action menu, click Connect to.

c. In the Connection Point area of the Connection Settings dialog box, click Select a well-known Naming Context, select Default naming context from the drop-down list, and then click OK.

3. In the navigation pane of the ADSI Edit window, expand the domain, expand the DC=... node, right-click the OU to which you want to grant permission, and then click Properties.

4. On the Security tab of the Properties dialog box, click Advanced.

5. In the Advanced Security Settings dialog box, select the row whose value in the Name column is the synchronization account and whose value in the Inherited From column is <not inherited>, and then click Edit. If this row is not present, click Add, click Locations, select Entire Directory, click OK, type the synchronization account, and then click OK. This adds the appropriate row, which you can now select.

Note:

Do not select the row for the synchronization account that is inherited from another location. Doing so would only enable you to apply the permissions to the OU and not to the contents of the OU.

6. In the Permission Entry dialog box, select This object and all descendant objects from the Apply to box (select This object and all child objects on Windows Server 2003), select the Allow check box in the rows for the Write all properties and Create all child objects properties, and then click OK.

7. Click OK to close the Advanced Security Settings dialog box.

8. Click OK to close the Properties dialog box.

9. Repeat steps 3 through 8 to grant permissions on any additional OUs.
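Both procedures above (Replicating Directory Changes on the domain and configuration partitions, and Create Child Objects plus Write on an OU) can be scripted and, more importantly, verified, including a check that the account did not also end up with Replicating Directory Changes All. The script below is an added example, not part of the original guide; the domain corp.example.com, the account CORP\SP_UPSC and the OU path are assumptions.

```powershell
# Added example (not from the guide): grant the synchronization connection account the rights from
# the procedures above with PowerShell instead of the GUI, and check that it did not also receive
# "Replicating Directory Changes All". Assumptions: domain corp.example.com (NetBIOS CORP), account
# CORP\SP_UPSC, and OU=Users,OU=Corp,DC=corp,DC=example,DC=com as the OU that receives Create Child
# and Write (export only); run as a Domain Admin with the RSAT ActiveDirectory module loaded.
Import-Module ActiveDirectory

# Control access right GUIDs from the AD schema (fixed, well-known values).
$ReplGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes
$ReplGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes All (DCSync): never grant
$Allow = [System.Security.AccessControl.AccessControlType]::Allow

function Get-AccountSid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
}

function Grant-ReplicatingDirectoryChanges {
    # Extended right "Replicating Directory Changes" on a naming context, as in the wizard procedure above.
    param([string]$Account, [string]$PartitionDN)
    $acl  = Get-Acl -Path "AD:\$PartitionDN"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (Get-AccountSid $Account), [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $Allow, $ReplGetChanges)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$PartitionDN" -AclObject $acl
}

function Grant-CreateChildAndWrite {
    # "Create all child objects" + "Write all properties" on the OU and all descendant objects (ADSI Edit procedure).
    param([string]$Account, [string]$OuDN)
    $acl    = Get-Acl -Path "AD:\$OuDN"
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (Get-AccountSid $Account), $rights, $Allow, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Test-ReplicationRights {
    # Reports which replication rights the account holds directly on a partition (group-inherited rights excluded).
    param([string]$Account, [string]$PartitionDN)
    $sid   = Get-AccountSid $Account
    $extra = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $aces  = (Get-Acl -Path "AD:\$PartitionDN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        (($_.ActiveDirectoryRights -band $extra) -eq $extra)
    }
    [pscustomobject]@{
        Partition     = $PartitionDN
        GetChanges    = [bool]($aces | Where-Object { $_.ObjectType -eq $ReplGetChanges })
        # An empty ObjectType means "all extended rights", which includes DCSync, so flag it too.
        GetChangesAll = [bool]($aces | Where-Object { $_.ObjectType -eq $ReplGetChangesAll -or $_.ObjectType -eq [guid]::Empty })
    }
}

$Account  = 'CORP\SP_UPSC'
$DomainDN = (Get-ADDomain).DistinguishedName              # DC=corp,DC=example,DC=com
$ConfigDN = (Get-ADRootDSE).configurationNamingCont  ext    # CN=Configuration,DC=corp,DC=example,DC=com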