This section provides an overview of the installation and upgrading of DeliverPoint for Microsoft® SharePoint® 2013 and Microsoft® SharePoint® 2016. You must read this section of the online documentation and complete the steps in the Installation Steps section before you can use DeliverPoint. Information on using and administering DeliverPoint can be found later in the documentation.

To successfully deploy DeliverPoint within your organization, you will need to complete the following steps:

If you have any questions related to this documentation or the DeliverPoint product, please contact Lightning Tools by clicking Submit Support Ticket on the Lightning Tools web site.

Installation Planning

Lightning Tools provides an installation wizard to install DeliverPoint binaries, and a configuration wizard to configure DeliverPoint. You will then need to complete some post configuration tasks before you can fully use DeliverPoint. During this process you will require access to:

Database server

DeliverPoint uses Microsoft® SQL Server® as the repository for both Active Directory® and SharePoint® permission information, retrieved using the two DeliverPoint interrogation SharePoint® timer jobs. DeliverPoint supports Microsoft® SQL Server® 2005, 2008, 2008 R2, 2012, 2014, and 2016. Using any other database platform such as Oracle® or SAP® is NOT supported.

The main reason for using a SQL Server database is performance and scalability. To increase the performance of the application, DeliverPoint stores object information in its own database rather than working with your SharePoint production databases in real time. In larger farms, real-time interrogation of the farm in order to commit an individual administrative action could be too costly in terms of I/O activity, memory, and processor utilization on the SharePoint servers.

The DeliverPoint database holds minimal information about the user, such as account login name and display name, but it does not store account passwords. Hence, from a security perspective, there is no need to encrypt the database, nor should the existence of the account information in the DeliverPoint database be viewed as a security vulnerability since the DeliverPoint database cannot be used for logon purposes. Some of the SharePoint databases contain the same information, for example, the UserInfo table in the SharePoint content database or the SharePoint profile database associated with a User Profile service application. Having another database contain a copy of the same information does not increase security vulnerabilities.

DeliverPoint is accessed via the SharePoint user interface, and therefore the system requirements are minimal for end users. Supported browsers include:

  • Microsoft Edge (All versions)
  • Microsoft Internet Explorer 10 and above
  • Chrome (Latest Version)
  • Firefox (Latest Version)

When you execute the DeliverPoint Configuration Wizard, you provide the name of the SQL Server and the name of the DeliverPoint database. The DeliverPoint configuration wizard then creates the DeliverPoint database. The DeliverPoint database does not need to be created on the same SQL Server instance as the SharePoint databases. Most companies have naming conventions for their databases, and when a company has multiple servers running SQL Server, guidelines may exist as to where databases should be created. Therefore, when you install DeliverPoint in your SharePoint production and integration test environments, you should contact your database administrator (DBA), who will give you the name of the SQL Server and the name for the DeliverPoint database you should use.

You need to provide the DeliverPoint Configuration Wizard with an Active Directory user ID, known as the DeliverPoint service account. On the computer where you want to create the DeliverPoint SQL Server database, the DeliverPoint service account must be a member of the following SQL Server roles:

  • securityadmin fixed server role
  • dbcreator fixed server role

Once the DeliverPoint database is created, these two server roles can be removed from the DeliverPoint Service Account. If you want to run Windows PowerShell® cmdlets that affect the database, the account that is used to run the cmdlets must be a member of the db_owner fixed database role for the database.
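The role cleanup described above, as an added T-SQL example (not part of the Lightning Tools documentation): it lists which of the two fixed server roles the service account still holds, drops them once the database exists, and then lists the db_owner members of the DeliverPoint database. The login `CONTOSO\svc-deliverpoint` and the database name `DeliverPointDB` are placeholders.

```sql
-- Added example, not vendor code. The login and database names below are
-- placeholders; use the values agreed with your DBA.
DECLARE @svc sysname;
SET @svc = N'CONTOSO\svc-deliverpoint';   -- placeholder service account

-- 1. Which of the two install-time server roles does the account still hold
--    directly? (Membership inherited through a Windows group is not listed.)
SELECT r.name AS server_role, m.name AS member
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @svc
  AND r.name IN (N'securityadmin', N'dbcreator');

-- 2. Drop each role only if it is held. sp_dropsrvrolemember is used because
--    it exists on every SQL Server version the page lists; on 2012 and later
--    ALTER SERVER ROLE ... DROP MEMBER is the current syntax.
IF EXISTS (SELECT 1
           FROM sys.server_role_members AS rm
           JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
           WHERE m.name = @svc AND r.name = N'securityadmin')
    EXEC sp_dropsrvrolemember @loginame = @svc, @rolename = N'securityadmin';

IF EXISTS (SELECT 1
           FROM sys.server_role_members AS rm
           JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
           WHERE m.name = @svc AND r.name = N'dbcreator')
    EXEC sp_dropsrvrolemember @loginame = @svc, @rolename = N'dbcreator';

-- 3. Review who holds db_owner in the DeliverPoint database; only accounts
--    that run the PowerShell cmdlets against it need to appear here.
USE [DeliverPointDB];                     -- placeholder database name
SELECT m.name AS db_owner_member, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';
```

Run the batch as a login that is allowed to alter server role membership, and rerun step 1 afterwards to confirm it returns no rows.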


SharePoint server

The Microsoft® SharePoint® 2013 and 2016 and related components of DeliverPoint are packaged as a SharePoint farm solution, and therefore cannot be installed in Office 365™. DeliverPoint uses Windows® Installer service to copy the DeliverPoint binaries to a specified location and creates a shortcut to the DeliverPoint configuration wizard on the Start Menu. The configuration wizard creates the DeliverPoint database, adds and then deploys the DeliverPoint SharePoint® farm solution. Then the DeliverPoint user interface (UI) feature is activated for each Web Application and five SharePoint® timer jobs are created:

As DeliverPoint is not implemented as a service application, and DeliverPoint isn’t targeting a specific web application, the timer jobs are associated with the Central Administration Web Application.

You only need to run the DeliverPoint MSI and the DeliverPoint Configuration Wizard on one SharePoint server. Lightning Tools recommend these are executed on the server which is hosting the SharePoint 2013/2016 Central Administration web site. All files, such as DeliverPoint _layout pages, are distributed to each SharePoint server via SharePoint’s solution deployment mechanism.

To install or upgrade DeliverPoint, you need full access rights to the SharePoint farm configuration database, and therefore you need to use a SharePoint farm administrator account to install DeliverPoint.

Active Directory and SharePoint Interrogation

DeliverPoint interrogates both Active Directory and the SharePoint farm, using two SharePoint timer jobs:

  • Authentication Store Interrogation. All Active Directory domains and forests registered with DeliverPoint will be fully interrogated. The information is extracted in a read-only fashion, and the pertinent information is stored in the DeliverPoint database; for example, Discover Object Permissions requires it to show Domain Group membership when an account is added to SharePoint via nested Domain Groups. The DeliverPoint service account is used to crawl Active Directory. As the DeliverPoint service account is an Active Directory user account, and any Active Directory user account has read-only access to Active Directory, no special Active Directory configuration is needed for the DeliverPoint Authentication Store timer job to extract the information. However, you should verify that ports 3268 and 389 are open in the firewalls of your SharePoint server(s) and your Active Directory server(s). The load placed on your domain controllers is not substantial.

    Additionally, DeliverPoint also supports Forms Based Authentication (FBA). DeliverPoint automatically discovers whether Web Applications are configured to use FBA stores, and proceeds to gather all the necessary information for the interrogation, efficiently crawling and obtaining users and roles information from FBA stores.

  • SharePoint Interrogation. DeliverPoint interrogates all SharePoint content databases in the SharePoint farm using the SharePoint Object Model (OM) and Application Programming Interfaces (APIs), and extracts, in a read-only fashion, the pertinent information needed for DeliverPoint to perform functions across an entire farm. The SharePoint content databases are not changed or read directly during the interrogation process. As the interrogation process moves through the farm, the process will interrogate an entire Web Application’s contents before moving on to the next Web Application. In other words, the interrogation process performs a deep dive crawl on all the managed paths, site collections, and sites (webs) existing in the Web Application before moving on to the next Web Application. The extracted information is placed into the DeliverPoint database. The account used to run SharePoint timer jobs (SharePoint farm account) is used to interrogate all Web Applications on your SharePoint farm.

The interrogation of both SharePoint and Active Directory is subject to physical network limitations; for example, a domain controller only accessible over a low-speed WAN will take longer to crawl than a single-server setup. Also, the length of time that it takes for DeliverPoint to interrogate SharePoint is dependent on the number of objects (site collections, webs, lists, etc.) rather than the size of the content databases. A farm with five million objects will take longer to interrogate than a farm with five thousand.

You cannot use DeliverPoint until a full crawl of both Active Directory and SharePoint is complete. Lightning Tools recommend that you complete this initial full crawl when DeliverPoint interrogation will not have a detrimental effect on other processes which need Active Directory and SharePoint access, such as user profile synchronization or full crawls of SharePoint content sources. Lightning Tools recommend that you schedule full crawl interrogation to occur at night or another time that suits the SharePoint load, to mitigate any performance concerns you may have if you choose to execute the interrogation during business hours. Once the initial full crawl of both Active Directory and SharePoint is complete, the SharePoint Interrogation timer job can be configured for incremental crawls.

There are two types of interrogation – incremental and full.

  • Full interrogation clears the related tables in the DeliverPoint database and then crawls all objects.
  • An incremental interrogation crawls all objects found to have been changed since the last interrogation. For the SharePoint interrogator, the SharePoint Change Log is used to determine whether or not to crawl a given object.

The Authentication Store Interrogation timer job is configured by default to run weekly on a Saturday between 2 a.m. and 2:30 a.m., and the SharePoint Interrogation timer job is scheduled to run daily, starting every day between 2 a.m. and 4:45 a.m.


Job Execution timer job

DeliverPoint submits a job when a user commits an operation using the DeliverPoint interface. These jobs are then processed by the Job Execution timer job, by using information in the DeliverPoint database, and then using the SharePoint APIs to perform the actions against the objects in the SharePoint databases. The Job Execution timer job is scheduled to run every 5 minutes.


Alerts Processing timer job

The Alerts Processing timer job is configured by default to run every 5 minutes.


Permissions Auditing timer job

The Permissions Auditing timer job is configured by default to run every 5 minutes.
