152 ❘ CHAPTER 6 Using the New Central Administration

The Manage farm solutions link is the SharePoint 2010 equivalent of the Solution management link from SharePoint 2007. Also known as the Solution Store, this is where any installed solution packages that have been added to the farm are stored. From here, you can deploy or retract solutions using a GUI interface. If you prefer using STSADM or PowerShell, you can also deploy and retract solutions from a command prompt.

Any user-submitted solutions can be managed with the Manage user solutions link. This screen offers administrators the option to block any solutions they wish. To block a solution from running in the farm, simply browse for the solution file and optionally provide a message informing users that their request is being blocked. You can also set how SharePoint handles multi-server scenarios and solutions. You can allow solutions to run only on the server on which the request was made, or on other servers running the User Code Service.

The Configure privacy options link is simply a page where you can specify whether you would like to send information to Microsoft regarding the SharePoint farm. You can opt in or out of the Customer Experience Improvement Program, as well as decide if you’d like to automatically send any errors related to Microsoft. Finally, you can choose whether you’d like to display help from the locally installed help files or whether you’d like to use the online help from Microsoft.

Lastly, administrators can use the Configure cross firewall access zone link to enable SharePoint to send externally accessible URLs in alerts. This is useful if the site is being set up with SSL. Choose the web application, and then choose the zone that will be used as the cross firewall access zone from the drop-down list.

Monitoring

Monitoring in SharePoint 2010 has been improved, offering more insight into the state of your farm.
The Monitoring category contains three subsections: Health Analyzer, Timer Jobs, and Reporting (see Figure 6-8). This section is meant only as a primer; the real meat on these topics is presented in Chapter 15.

FIGURE 6-8

Health Analyzer

SharePoint 2010 introduces a new feature called the Health Analyzer (sometimes called the Best Practices Analyzer). This rule-based tool periodically scans the farm, checking various components and settings of SharePoint and comparing them to a rule bank. If any settings are found that don’t match the rule, the Health Analyzer will display a prominent notice on the home page of Central Administration, as shown in Figure 6-9. This alerts administrators to potential issues they should be aware of: a yellow bar indicates that the Health Analyzer has found items that may need attention, while a red bar indicates more serious issues.

FIGURE 6-9

This section covers the Health Analyzer only briefly. To learn more about this and other monitoring capabilities, see Chapter 15.

In the Health Analyzer subcategory, you can take a look at any issues that have been detected during the various scans performed on the farm. If you have received a notice about any issues on the home page of Central Administration, you can also click the link within the notice to access this same page. On the Review problems and solutions page, you can scan through the various reports, which are divided by category. Out of the box, the Health Analyzer uses more than 50 rules, spread out among four different categories. Also indicated is which server is causing the error, and even which service is triggering the Health Analyzer. Clicking the name of an issue will open a pop-up window with more detailed information about the rule. Some rules even provide an option to allow SharePoint to automatically correct the problem.
If you have already corrected the issue that SharePoint is complaining about, you can use the Reanalyze Now button in the pop-up’s Ribbon to rescan the farm for that rule ahead of its scheduled scan.

But what about the rules themselves? The second link in the Health Analyzer subcategory, Review rule definitions, is for actually seeing what rules the Health Analyzer is using to compare the farm settings. You can manually launch a scan with any rule by clicking the rule name and choosing Scan Now from the Ribbon in the pop-up window that opens. This screen also lets you adjust the settings and schedule of the rules. You can even disable rules you find to be incessantly irritating by setting their schedule to OnDemandOnly. This way, SharePoint won’t automatically scan the farm with that rule. For instance, you may have set up a single-server test farm, and every week a warning message appears informing you that databases exist on servers running SharePoint Foundation. In this case, such behavior is expected and required, so you could open the rule, click Edit Item in the Ribbon, change the schedule drop-down to OnDemandOnly, and then save the rule.

Timer Jobs

Timer jobs are somewhat similar to the Health Analyzer in that they run periodically, but their function is to keep the farm up and running, not to scan for issues. Each of these small scheduled jobs has a particular task to accomplish according to a schedule, which you can look at by clicking the Review job definitions option under the Timer Jobs subcategory. From this screen, you can view the schedule for each job, as well as the web application(s) some jobs are associated with. Clicking on a job’s title gives you more information about the function of the job, and you can set the schedule for the job. There is even an option to run the job immediately if needed, as well as a button to disable the job completely.
Generally, you probably won’t need to change the default schedule settings for the timer jobs, unless you need to adjust them for troubleshooting purposes. Note that you can’t change what each timer job does; you can only set its schedule.

You can also check the status and history of timer jobs with the Check job status link. Scroll through the page to look at the various timer jobs and their states. The report displays jobs that are scheduled, jobs that are currently running, and jobs that have run. If something in the farm seems to be hung up, checking this page can indicate whether the problem is being caused by a timer job.

Reporting

In the Reporting subcategory, you can check out a variety of different reports that SharePoint automatically compiles. Clicking the View administrative reports link opens a library that houses performance reports. For example, you can look at several search-related charts to see how the search function is performing.

Clicking the Configure diagnostic logging link enables you to customize the logging for SharePoint events to the Windows Event Log and trace logs. You can drill down through the various categories of events and change the settings for a specific component by checking the box next to its name, then setting the drop-downs below the category list. Any category that has been modified will appear in bold text. This can help you troubleshoot if you know you are only logging errors, or you can turn on verbose logging to get more information about what a particular component is doing. Remember, however, that enabling verbose logging on services can create larger log files, so you may want to temporarily change the logging type, and then reset the logging levels to their defaults.

Below the Event Throttling section on the Diagnostic Logging page, you can toggle Event Log Flood Protection (EVFP).
EVFP is designed to keep your logs from becoming cluttered with hundreds or thousands of the same events repeating every couple of seconds if a server component begins to have issues. If SharePoint detects that the same event has been logged five times in two minutes or less, EVFP kicks in and stops logging that event for another two minutes. This can help manage the size of the log files significantly.

Speaking of log files, below the EVFP toggle is a section where you can set the location of the SharePoint trace logs. Because the trace logs can eventually grow rather large, it’s recommended that you set up a location on a drive other than C: for the log files. You can set the number of days that log files should be kept, and even set the amount of disk space they should be allowed to consume, which helps you keep logs under control if you don’t move them from the C: drive.

Also in the Reporting subcategory is a link for viewing health reports. These reports can give administrators a good snapshot of who is using the farm and how pages in the farm are performing. Select the Slowest Pages report from the Quick Launch menu on the left to see which pages in the farm suffer from the slowest performance. This can be helpful for finding any performance issues with pages or Web Parts in the site.

In addition to viewing the health reports, you can also configure the usage and health reports by clicking the Configure usage and health data collection link. This screen enables you to configure whether or not SharePoint should collect site usage information and health information. Ideally, you want to ensure you’re collecting this information to better understand how the site is being utilized, what pages are most popular, and who is using the site. You can also configure what types of events are logged. By default, all types of events are logged, but you may want to consider logging only specific events you really care about.
Like the trace logs, you can specify where the log files should be kept, and how much disk space they should be allowed to take up.

An important note about both trace logs and usage logs is that if you choose to change the log file location, you must select a location that exists on every SharePoint server in the farm. For example, if you decide that the logs should reside on F:\SharePointLogs, then every server in the farm needs to have an F:\SharePointLogs folder so that the log files are written to the same location on each server.

The usage and health monitoring configuration page also lets you choose whether to log health data collection or not; and it provides links to modify the health logging schedule and the log collection schedule, which are simply timer jobs.

Last in the Monitoring category is the Web Analytics Report. This informative page shows you the running total for the number of page views for each of the web applications in the farm, the total number of unique visitors per day, and the number of search queries performed. Clicking a web application’s name opens a more detailed view of the usage for that web application. You can also modify the date range by clicking the Change Settings link in the blue Date Range bar and selecting one of the preset date ranges, or setting your own custom date range from the More drop-down in the Ribbon.

Backup and Restore

Chapter 12 is dedicated to SharePoint backup and recovery, so this section will serve more as a general overview of using Central Administration as a backup and recovery tool. Figure 6-10 shows the backup and restore tasks that you can perform through the Central Administration interface.

FIGURE 6-10

A new and welcome addition to SharePoint 2010 is the capability to perform more granular backup and recovery.
Instead of only being able to back up content databases or the entire farm, as you were limited to in the SharePoint 2007 Central Administration backup, you can now back up site collections, subsites, and even lists from this interface. Previously, restoring any content smaller than a content database from a backup generally meant having to set up a separate recovery farm, restore the content database, then export the content from the recovery farm using STSADM.EXE and import it back into the production farm. Now, this can all be done from the Central Administration interface. In addition, SharePoint databases and database snapshots that aren’t even attached to the farm can be used to browse and recover content from within Central Administration.

The Backup and Restore category is divided into two subcategories: Farm Backup and Restore, and Granular Backup. The Farm Backup and Restore subcategory enables you to perform high-level backups of the entire farm or individual Web Applications, as well as recover from these backups. Conversely, the Granular Backup subcategory is where you perform your backups and exports of site collections, webs, and lists.

If the backup and restore functionality in Central Administration has you frothing at the mouth, wait until you read Chapter 12, which is all about backups and high availability. It’ll drive you wild.

Security

The Security category, shown in Figure 6-11, is all about … well, security! From this page, you can manage user security to the farm and set web application user policies, configure the farm’s managed accounts, block file types, and set up information rights management.

FIGURE 6-11

Users

Let’s start with the Users subcategory. Your SharePoint farm always needs at least one administrator. The account used to run the SharePoint 2010 Products Configuration Wizard is automatically added to the farm administrators group, as is the local server administrator.
If you need to add specific users in your organization to the farm administrators group, you can do so here. One thing to consider, however, is that anyone in this group essentially has rights to anything and everything contained in the farm. That’s important to keep in mind when determining who should get what permissions. Consider whether a user could accomplish the tasks he or she needs with fewer permissions, such as to a Web Application or a site collection. It’s generally considered best practice to not go wild and give a large number of people farm administrator access if you can avoid it.

The Approve or reject distribution groups link opens a list from which you can manage the distribution groups used for incoming e-mail. This can be useful if your users have created so many distribution groups within e-mail-enabled document libraries that the number has become unwieldy. This is actually nothing more than a SharePoint list, which makes it easy to manage.

The Specify web application user policy link opens the Policy for Web Application page, which enables you to add users and groups to the Web Applications in the farm. Select a web application and you can manage the users already associated with it, or add users. This can be used as an alternative to giving users full Farm Administrator access if they need access to multiple web applications. You can choose one of four permission policies for users and groups for the web applications: full control, full read, deny write, and deny all. Keep in mind that these policies affect the entire web application, so any setting made for a user or group here applies to all site collections contained in that web application. Notice that the account used to run search crawling is automatically given full read permissions to the site.
You also have the option to make an account operate as a system account, whereby any changes made to SharePoint will register as being made with the name System Account, rather than the user who actually made the change. It’s worthwhile to note that this is the only place in SharePoint where you can deny someone access.

General Security

Moving on to the General Security subcategory, you’ll find items pertaining to the overall security and accounts used in the farm. The first two links, Configure managed accounts and Configure service accounts, sound fairly similar, but their function is different. The Configure managed accounts link is where you can register domain accounts with SharePoint so that SharePoint is responsible for them (as described earlier in the section “Managed Accounts”), whereas the Configure service accounts link opens a page from which you can manage existing account associations with the various services on the farm.

You can have the passwords of managed accounts registered with SharePoint automatically changed to comply with the organization’s policies, and a few settings related to changing passwords can be found in the link Configure password change settings. Despite the name, this page doesn’t actually allow you to set the passwords for your accounts; it simply allows you to configure notifications and set a timer for the password change. You can configure how many days prior to the change the notification will be sent out (the default is 10 days), and how many days prior to the change the e-mail should be sent out. In the last section on the Password Management Settings page, you can adjust the amount of time SharePoint waits to change the password after notifying the services that new passwords are about to be applied. This time window is necessary for the services to finish up any running tasks before their managed accounts receive a new password. The default is 45 seconds.
You can also adjust how many times SharePoint should attempt to change a password before failing.

Next up is the link Specify authentication providers. Here you can see a list of the various authentication zones and provider names. Clicking on the zone name will enable you to edit the authentication for that zone. Several common configuration options are available here, including the capability to enable or disable client integration for the Office clients, and enabling or disabling anonymous access for the site. Like many settings in Central Administration, these are also configured per web application. Additional settings that can be made include the authentication type and IIS authentication method, and whether or not users should be required to have Use Remote Interfaces Permission.

In the General Security subcategory, you can also manage inter-farm trusts and the associated root certificates. This page employs light use of the Ribbon, allowing you to create new trusts or edit existing trusts. Clicking an existing trust name will open the options Edit and Delete in the Ribbon. Creating a new trust involves giving the trust a name and pointing SharePoint to the root authority certificate. All trusts require a root authority certificate. If you are setting up a trust to provide trust to another farm, you need to provide SharePoint with a token issuer certificate. Once you have configured your trust, you can return to it later to edit the settings if desired.

You can manage how an antivirus program interacts with SharePoint by clicking the Manage antivirus settings link. You can set how the antivirus scanner will treat documents that are uploaded and downloaded, and whether or not it should attempt to clean any infected documents it discovers. You can also adjust the length of time the scanner runs before it times out, as well as the number of threads used for scanning.
Depending on your server performance when running scans, you may want to adjust these numbers.

Another important security practice SharePoint employs is to limit the types of files that can be uploaded. You can find the list of blocked files by clicking the Define blocked file types link. SharePoint 2007 also had a blocked file list, and it’s largely the same in SharePoint 2010. Out of the box, SharePoint 2010 blocks nearly 100 file types, but you can add your own to the list by entering the extension of the file type. This is configured per web application, so if you have more than one web application you can have a different set of files blocked for each.

The last major link in the General Security subcategory is Manage web part security. This page enables you to configure how users are allowed to interact with aspects of Web Parts. As in previous SharePoint versions, Web Parts are still one of the building blocks for providing information on a SharePoint page; and also like previous versions, many of those Web Parts can be connected to provide and consume data from one another, allowing for dynamic presentation of content. You can choose to disable the Web Part connections option (its default is enabled), and specify whether or not they are allowed to access the Online Web Part Gallery, which contains Web Parts developed by Microsoft and potentially other third-party vendors. If you choose to allow users to access the Online Web Part Gallery, you may need to modify the web.config file to allow the server access to outside galleries. Finally, on this page you can allow your users to edit scriptable Web Parts; and you can restore the default settings if necessary. Again, these settings can be changed per web application.

The General Security subcategory also provides another link to configuring self-site creation, which can be accessed from a number of other areas in Central Administration as well.
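
Because blocked file types, Web Part security, and web application user policies are all set per web application, the settings can drift apart from one web application to the next. The following read-only PowerShell audit is an added example, not code from the book; it assumes the SharePoint 2010 Management Shell on a farm server, and the function name Get-WebAppSecurityReport and the baseline extension list are hypothetical, constructed for illustration.

```powershell
# Added example: read-only audit of per-web-application security settings.
# Assumes the SharePoint 2010 Management Shell on a farm server, run by an
# account that is allowed to read the farm configuration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Constructed baseline (an assumption, not SharePoint's default list):
# extensions your organization requires every web application to block.
$requiredBlocked = @('exe', 'bat', 'cmd', 'vbs', 'msi')

# Hypothetical helper name; returns one report object per web application.
function Get-WebAppSecurityReport {
    param([string[]]$Baseline)

    foreach ($wa in Get-SPWebApplication) {
        # Blocked file types are stored separately on each web application.
        $blocked = @($wa.BlockedFileExtensions |
            ForEach-Object { $_.ToLowerInvariant() })
        $missing = @($Baseline | Where-Object { $blocked -notcontains $_ })

        # Web application user policies apply to every site collection in
        # the web application, so list who holds Full Control and which
        # entries are flagged to operate as System Account.
        $fullControl = @()
        $systemAccounts = @()
        foreach ($policy in $wa.Policies) {
            $roleTypes = @($policy.PolicyRoleBindings |
                ForEach-Object { $_.Type.ToString() })
            if ($roleTypes -contains 'FullControl') {
                $fullControl += $policy.UserName
            }
            if ($policy.IsSystemUser) {
                $systemAccounts += $policy.UserName
            }
        }

        New-Object PSObject -Property @{
            WebApplication        = $wa.DisplayName
            Url                   = $wa.Url
            MissingBlockedTypes   = ($missing -join ', ')
            FullControlPolicies   = ($fullControl -join '; ')
            SystemAccountPolicies = ($systemAccounts -join '; ')
            # Manage web part security settings for this web application.
            WebPartConnections    = $wa.AllowPartToPartCommunication
            OnlineWebPartGallery  = $wa.AllowAccessToWebPartCatalog
            ScriptableWebPartEdit = $wa.AllowContributorsToEditScriptableParts
        }
    }
}

Get-WebAppSecurityReport -Baseline $requiredBlocked |
    Format-List WebApplication, Url, MissingBlockedTypes,
                FullControlPolicies, SystemAccountPolicies,
                WebPartConnections, OnlineWebPartGallery,
                ScriptableWebPartEdit
```

A non-empty MissingBlockedTypes value, or a Full Control or System Account entry you do not recognize on one web application, is the difference to review in Central Administration.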
Information Policy

The Information Policy subcategory lets you configure information rights management (IRM) for the farm by clicking the Configure information rights management link. By default, IRM is turned off, but you have the option to use the default server running Windows Rights Management Services listed in Active Directory, or specify your own server running RMS.

Once IRM has been enabled, you can set the IRM policies for the farm by clicking Configure Information Rights Management Policy. Out of the box, SharePoint 2010 comes with four preconfigured policies: Labels, Barcodes, Auditing, and Retention. Clicking the policy name enables you to edit the settings for that policy, such as whether or not the policy should be decommissioned or remain active. Decommissioning a policy doesn’t remove it from any document libraries and lists that currently use it, but it will prevent new libraries and lists from being able to consume it.

Upgrade and Migration

As shown in Figure 6-12, the Upgrade and Migration category only has one subcategory, Upgrade and Patch Management. This subcategory contains only a handful of links.

FIGURE 6-12

This is where you will find links to convert your SharePoint license type (for example, from a trial version to a licensed version), as well as select which feature set to use if you’ve recently activated an enterprise license. To activate a license, simply click Convert farm license type and type or paste your license in the field and click OK. Once you’ve done that, you can head over to the Enable Enterprise Features link to switch the set of features from the standard set to the Enterprise set. Once you turn on Enterprise features, you can’t undo it.

If you’ve been running SharePoint 2010 for a while and have created several sites, and you then upgrade your license type, the newly available Enterprise features may not be activated in your existing sites.
You can use the Enable Features on Existing Sites link to push down the newly activated set of features to any sites that were created before the license conversion. Any sites made after the license conversion will already have the new feature sets.

The Check product and patch installation status option provides a report of all the various components and products on the server, including their current patch level. This can be useful in determining what version of a particular product you’re running. This is a nice centralized place to find version information, especially if you are running a larger farm with many services running on the various servers. You can show all the products installed on the farm, or view the list filtered by individual servers.

Selecting View database status provides another report of all the various databases connected to the farm, and what type of database they are (content database, metadata service database, configuration database, etc.).

Finally, if you are upgrading from SharePoint 2007 to SharePoint 2010 using the database attach method (which you learned about in Chapter 5), the Check upgrade status link will become a good friend of yours. Once you add a SharePoint 2007 database to the farm, you will see any active and previous upgrade sessions (see Figure 6-13). The page refreshes periodically during the upgrade process, keeping you informed of the status, and reports any errors encountered during the upgrade. Refer back to Chapter 5 for more information on using this page during the upgrade process.