SharePoint Service Accounts and Services
Central Administration and Web Application: Both are services you’ll see in every 
SharePoint farm. The Central Administration service runs only on SharePoint servers that 
are hosting the Central Administration site. On most server farms, only one server needs to 
host that site. Web Application is the service that lets SharePoint have web applications, serve 
pages, and so on. It is fundamental to SharePoint, and every SharePoint server runs it. If you 
enable Central Administration on a SharePoint server that did not originally have it running, 
it will generate a web application on the server locally to support Central Administration’s 
site collection. If you disable the Web Application service, the server will stop answering user 
requests for web pages. This is useful if you want to run services, such as Search or BDC, but 
not waste that server’s resources offering pages to users.
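To see which servers in a farm host Central Administration and which answer page requests, the read-only inventory below can be run from the SharePoint 2010 Management Shell. It is an added example, not code from the book, and the two service display names are assumed to be the default English ones.

```powershell
# Added example (not from the book): read-only inventory of the two services
# described above. Run on a farm server with an account that can read the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: default English display names; adjust on a localized install.
$caName  = 'Central Administration'
$webName = 'Microsoft SharePoint Foundation Web Application'

# Build one row per SharePoint server. Servers with the role 'Invalid'
# (for example, the SQL Server host) run no SharePoint services and are skipped.
$report = foreach ($server in Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }) {
    # Names of every service instance that is currently Online on this server.
    $online = Get-SPServiceInstance -Server $server |
        Where-Object { $_.Status -eq 'Online' } |
        ForEach-Object { $_.TypeName }

    New-Object PSObject -Property @{
        Server       = $server.Address
        CentralAdmin = ($online -contains $caName)
        ServesPages  = ($online -contains $webName)
    }
}

$report | Sort-Object Server |
    Format-Table Server, CentralAdmin, ServesPages -AutoSize

# On most farms only one server needs to host Central Administration,
# so report it when more than one does.
$caHosts = @($report | Where-Object { $_.CentralAdmin })
if ($caHosts.Count -gt 1) {
    $names = ($caHosts | ForEach-Object { $_.Server }) -join ', '
    Write-Warning "Central Administration is online on $($caHosts.Count) servers: $names"
}

# Servers that run services but do not answer user page requests.
$report | Where-Object { -not $_.ServesPages } |
    ForEach-Object { Write-Output "$($_.Server) does not serve web pages" }
```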
User Account Modes
When you install SharePoint, it defaults to using Active Directory (AD) to supply 
the user accounts for the SharePoint sites. This means that you need to have 
the user account in AD (or on the local server in a non-domain, standalone environment) before it 
can be added as a user in SharePoint. This user account mode is called Active Directory Domain 
Account mode.
However, there is another user account mode available, called Active Directory Account Creation 
mode (ADAC). This lets you create the account in SharePoint first, and SharePoint then adds it to an 
organizational unit (OU) that you set up specifically for SharePoint in AD. This mode has limitations: the 
account has to be added as an email address, the same email account cannot be added as a user to 
more than one site collection, and it disables several settings in Central Administration, particularly 
those that have to do with configuring or managing site collections, so that those tasks can only be run in 
the command interface (with STSADM or PowerShell). This mode focuses quite a bit on applying 
and isolating accounts per site collection.
Enabling ADAC is an advanced setting and can be done only during the installation of SharePoint. 
It is a one-shot thing; it defines the way user accounts are applied to SharePoint, period. There is no 
easy way to undo the choice, because it is locked in as the user account mode in the configuration 
database for the whole SharePoint farm by the time installation is complete.
You get the chance to select the ADAC account mode by clicking the Advanced Settings button 
during configuration. If you miss that button and complete the installation, the default Domain 
Account mode will be applied.
Although SharePoint Foundation still supports ADAC (SharePoint Server 2010 does not), it has been 
overshadowed by the capabilities of the Subscription Settings service, which uses multi-tenancy 
to isolate site collections more effectively and can either isolate users in their own OU in AD or use 
forms-based authentication (FBA), which lets you use a SQL database to store user accounts for web 
applications (and the site collections within them) instead of AD.
Because of this, I will point out the Advanced Settings button in Chapter 3, “Complete 
Installation,” but I will be focusing more on multi-tenancy in this book instead (Chapter 16). FBA is 
rather fiddly and outside the scope of the book, but it can be applied per web application (or extended 
web application) and, like multi-tenancy, is better than the “all-or-nothing” approach of ADAC.