Overview of On-Demand Assessment for SharePoint Server Getting Started

Prerequisites

How to prepare for your On-Demand Assessment for SharePoint Server The Tools machine is used to connect to each of the servers in your environment and retrieves information from them, communicating over Remote Procedure Call (RPC), Server Message Block (SMB), Lightweight Directory Access Protocol (LDAP) and Distributed Component Object Model (DCOM). Once the data is collected and the operational interview is completed, the Offline Assessment tool will analyze the data locally.

A checklist of prerequisite actions follows. Each item links to any additional software required for the tools machine, and detailed steps included later in this document.

Machine Requirements and Account Rights

Hardware and Software

Server-class or high-end workstation computer equipped with the following:

• Minimum single 2Ghz processor — Recommended dualcore/multicore 2Ghz or faster processors.

• Minimum 4 GB RAM—Recommended 12 GB RAM.

• Minimum 5 GB of free storage space.

• High End Workstation: Windows 11, Windows 10

• : Windows 2022, Windows 2019, Windows 2016

  • Can be 32-bit or 64-bit operating system.

• At least a 1024x768 screen resolution (faster preferred).

• Microsoft Office (Word, Excel and PowerPoint) for report creation.

• Must be a member of the same domain as the SharePoint farm that is being analyzed.

• Microsoft® .NET Framework 4.8 — Download

  NOTE: If the SharePoint has a newer version of .NET installed than 4.6.2 than the version installed on the Tools machine must be equal to or newer than installed on the Target SharePoint Server.

• Windows PowerShell 5.0 or newer

  • PowerShell 5.0 is part of the Windows Management Framework 3.0. Learn more.
  • Windows PowerShell System Requirements
  • The execution policy for PowerShell should be set to remotesigned on both the tools machine and the servers
  • The execution policy settings can be verified using “get-executionpolicy –list” in a PowerShell command window

• Networked “Documents” or redirected “Documents” folders are not supported. Local “Documents” folder on the data collection machine is required.

• IIS Management Tools (IIS 7 Administration components)

• Firewall exception for Remote Administration( RPC) – Dynamic Port Range

Accounts Rights

A domain account with the following:

• Member of the local Administrators group on all servers in the SharePoint environment
• Full Control to all Service Applications.
• Member of the “SysAdmin” group on SQL instances hosting SharePoint databases
• Unrestricted network access from the Tools machine to all servers
• Member of SharePoint Farm Administrators group
• Unrestricted network access from the Tools machine to all servers

Ability to run PowerShell scripts on the machine running the Offline Assessment Client. The Windows PowerShell execution policy must be set to RemoteSigned or a policy that provides an equivalent ability to run local scripts.

WARNING: Do not use the “Run As” feature to start the client toolset as the discovery process and collectors might fail. The account starting the client toolset must sign in to the local machine.

A Microsoft account is required to activate and sign in to the Premier Proactive Assessment Services portal. This is the RAP as a Service portal where you will activate your access token, install the toolset.

• If you don’t have one, create one.
• Contact your CSAM if the token in your Welcome Email has expired or can no longer be activated. Tokens expire after ten days. Your CSAM can provide new activation tokens for additional people.

Network and Remote Access

Ensure that the browser on the Tools machine or the machine from where you activate, install and submit data has JavaScript turned on. Follow the steps listed at "How to enable scripting in your browser."

Internet Explorer is the recommended browser for a better experience with the portal. Ensure Internet Explorer Enhanced Security Configuration (ESC) is not blocking JavaScript on sites. A workaround would be to temporary turn off Internet Explorer ESC when accessing the https://services.premier.microsoft.com portal.

Unrestricted network access from the Tools machine to all servers. This means access through any firewalls and router ACLs that might be limiting traffic to any of the servers. This includes remote access to:

• DCOM
• Remote Registry service
• Windows Management Instrumentation (WMI) services
• Default administrative shares (C$, D$, IPC$).

Ports and Protocol access requirements:

Ensure that the machine you use to collect data has the following:

• Complete TCP/UDP access, including RPC access to all servers.
• Access over ports 135, and 139 or 445 is also required.
• Windows Remote Management (WinRM) uses Ports 5985 for HTTP. Communication between the Tools machine and the SharePoint server that is targeted for the data collection on port 5985 has to be turned on as PowerShell commands will be run remotely via this port.

Note

When you run the Remote PowerShell and CredSSP configuration steps in section 6 of this document you will be prompted to allow port 5985 to be opened as part of the configuration, please select yes to allow the port to be opened when prompted.

Configure the servers firewall to ensure all servers running Windows Server 2016 and later have Remote Event Log Management turned on:

Note

Offline client might be unable to collect event log information from a Windows Server 2016 or later if Remote Event Log Management has not been allowed. When Remote Management is turned on, the following services must be started on the target servers:

• WMI
• Remote Registry service
• Server service
• Workstation service
• File and Printer Sharing service
• Automatic Updates service

Configure the server firewall to ensure all servers running Windows Server 2016 and newer have “Remote Event Log Management” turned on:

Note

Offline Assessment Client might be unable to collect event log information from a Windows Server 2016 or later if “Remote Event Log Management” has not been allowed. When “Remote Management” is turned on, the rules that allow Remote Event Log Management are also turned on.

To test if the tool will be able to collect event log data from a Windows Server host, you are able to try to connect to the Windows Server server using eventvwr.msc. If you are able to connect, collecting event log data is possible. If the remote connection is unsuccessful, you may need to turned on the Windows built-in firewall to allow “Remote Event Log Management”.

Connectivity Testing

• Event Log: To test if the tool will be able to collect event log data from a Windows Server, you can try using eventvwr.msc. If you are able to connect, collecting event log data is possible. If the remote connection is unsuccessful, you may need to turned on the Windows built-in firewall to allow “Remote Event Log Management”.
• Registry: Use regedit.exe to test remote registry connectivity to the target servers (File > Connect Network Registry).
• File: Connect to the C$ and Admin$ shares on the target servers to verify file access.

4. Additional requirements for Windows Server 2016 or later:

A. Log into the chosen data collection machine to identify its current IP address using IPConfig.exe from the command prompt. An example output is as follows:

C:\>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix  . :
Link-local IPv6 Address . . . . . : fe80::X:X:X:X%13
IPv4 Address. . . . . . . . . . . : X.X.X.X
Subnet Mask . . . . . . . . . . . : X.X.X.X
Default Gateway . . . . . . . . . : X.X.X.X

• Make a note of the IPv4 address of your machine. The final step in the configuration will use this address to ensure only the data collection machine can communicate with the Windows Update Agent on the SharePoint server farm.

B. Create, configure, and link a group policy object to the SharePoint Servers OU in the domain of the servers.

Create a new GPO

Make sure the GPO applies to the SharePoint Servers organizational unit.

Note

If other servers outside the scope are present in the OU, then security group filtering can be used to restrict the application of group policy to only the SharePoint Servers.

• Within the GPO open: Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\ Windows Firewall with Advanced Security.
• Right-click Inbound Rules and then select New Rule.
• The rule you create will be merged with the rules that already turned on on the SharePoint Servers’ through local policy and/or other group policy objects that have inbound rules defined.
• On the New Inbound Rule Wizard, on the Rule Type page select Custom, and then select Next.
• On the Program tab, choose This Program Path and insert the following path without the quotes:
• “%SystemRoot%\system32\dllhost.exe” as shown in the following graphic and choose next.

On the Protocol and Ports Page Select “TCP” for the Protocol Type and “RPC Dynamic Ports” for Local Ports and select next as shown in the following graphic.

• On the scope page, select These IP Addresses under “which remote IP addresses does this rule apply to”, then select Add. Insert the IP address of the data collection machine identified in the first step. Select OK, then Next on the scope page.
• Choose Allow the Connection on the Action page and select Next.
• Leave the default profiles checked on the Profile page, then on the Name page, give the rule a name that describes what it allows, similar to “Allow Inbound to WUA from x.x.x.x” and finish the rule creation wizard to commit the rule to the firewall policy.
• Once the rule applies, it can be confirmed as active through Windows Firewall with Advanced Security MMC (WF.MSC) monitoring navigation node or by interrogating the output of the following PowerShell command “Get-NetFirewallRule -Enabled true -policystore ActiveStore” and confirming the created rule shows up.

Remote PowerShell and CredSSP Configuration (Tools Machine)

On the Tools Machine, launch PowerShell Prompt with the command “Run as Administrator”. And run the following commands (see later important note before running the following commands)

Enable-WSManCredSSP -Role client -DelegateComputer <SharePointServer FQDN>

Note:

• The “SharePointServer FQDN” command is the “Target Server” to which the “Tools Machine” connects to when collecting data. You must use the FQDN for the SharePoint server and not just the host name.
• The WinRM service needs to be running for this command to succeed.

Remote PowerShell and CredSSP Configuration (Target Farm Server)

On the Target Server (see the first page and the fourth page of this document to learn about Target Server), launch PowerShell Prompt with the command “Run as Administrator”. And run the following commands (see following important note before running the following commands)

winrm quickconfig
Enable-WSManCredSSP -Role server

Note

SharePoint 2013, SharePoint 2016 and SharePoint 2019 farms supported only at this time. On-Demand Assessment for SharePoint Server does not support SharePoint Server 2010 or earlier.

On-Demand Assessment for SharePoint Server supports SharePoint farms backed by SQL servers running SQL -Server 2014, SQL Server 2012. Earlier versions of SQL Server are not supported.

Remote PowerShell and CredSSP Configuration

As part of the assessment, most of the SharePoint information is gathered by executing PowerShell scripts remotely from the Tools Machine. It is important for the CredSSP delegation to be configured correctly so that the PowerShell scripts can be run remotely on the Target Server. The following script helps in knowing if the CredSSP is configured correctly by connecting and executing the script on the Target Server. Run the following script from the Tools Machine.

Executing the following snippet should output the list of all SharePoint Content databases of your SharePoint farm.

$farm = Get-Credential
$s = New-PSSession -ComputerName [FQDN of Target Server] -Authentication CredSSP -Credential $farm
Invoke-Command -Session $s -ScriptBlock { add-pssnapin Microsoft.SharePoint.PowerShell -ea 0 }
Invoke-Command -Session $s -ScriptBlock { get-spfarm }
Invoke-Command -Session $s -ScriptBlock { get-spcontentdatabase }
Get-PSSession | Remove-PSSession

Note

The “FQDN of Target Server” is the SharePoint server on which the CredSSP is turned on (see the first page and the fourth page of this document to learn about Target Server).

If that test fails, DO NOT proceed with the assessment and reach out the CSAM for further assistance.

Data Collection Methods

Appendix: Data Collection Methods

On-Demand Assessment for SharePoint Server uses multiple data collection methods to collect information. This section describes the methods used to collect data from a SharePoint environment. No VB scripts are used to collect data. Data collection uses workflows and collectors. The collectors are:

• Registry Collectors
• SharePoint PowerShell Scripts
• Event Log Collector
• SQL Queries
• IIS information
• File Data Collector
• WMI

Registry Collectors:

Registry keys and values are read from the On-Demand Assessment for SharePoint Server data collection machine (a.k.a Tools Machine) and all SharePoint Servers including SQL servers. They include items such as:

• SQL Alias information from HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo

This allows the assessment to determine if the SharePoint servers are using SQL alias to connect to the SQL server that is hosting the SharePoint databases.

Operating System information from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

This allows to determine Operation System information such as Windows 11, Windows 10, Windows Server 2022, Windows Server 2019, Windows Server 2016.

SharePoint PowerShell Scripts:

Majority of the SharePoint data is gathered via running the SharePoint PowerShell scripts. For example, the information pertaining to Large list views, Alternate Access mappings, SharePoint services, ULS information, SharePoint Lists information, SharePoint Search, Timer Jobs and more, are all gathered using SharePoint PowerShell scripts.

These scripts are run remotely from the Tools Machine by connecting to the Target Machine. For more information about Tools Machine and Target Machines, see 1st page and 4th page of this document.

Event Log Collector:

Collects event logs from all the SharePoint Servers including SQL servers. Offline Assessment collects the last 7 days of Warnings and Errors from the Application and System logs.

SQL Queries:

Some of the information pertaining to the SQL databases that are hosted by the SharePoint SQL instance are gathered via SQL scripts. For example, the information related to the SQL data and log files (for example, the size and next growth size), SQL instance properties (for example, if using Integrated Security, if the instance is clustered), Index Fragmentation, Statistics information and more, are all gathered via SQL Scripts.

IIS Information:

The details of the IIS web sites and App Pool configurations are gathered using .NET code and workflows.

File Data Collector:

Enumerates files in a folder on a remote machine, and optionally retrieves those files. For example, web.config files, IIS Log files, App Host config files and more,

Windows Management Instrumentation (WMI):

WMI is used to collect various information such as:

• WIN32_Volume: Collects information on Volume Settings for each server in the SharePoint environment. The information is used for instance to determine the system volume and drive letter which allows Offline Assessment for SharePoint to collect information on files located on the system drive.

• Win32_Process: Collect information on the processes running on each server in the SharePoint environment. The information provides insight in processes that consume a large amount of threads, memory or have a large page file usage.

• Win32_LogicalDisk: Used to collect information on the logical disks. We use the information to determine the amount of free space on the drive where the database or log files are located.