28 February 2011

Installing Windows updates does not finish

I have noticed on a few machines lately that, after giving the go-ahead for the Windows update installation, a machine will seem to be stuck on the update installation screen before you can log in.  Since you are warned not to power off the machine you are naturally inclined just to try and wait it out.

If you press Ctrl+Alt+Del, this will finish off the installation screen and you can log in.  This looks like it could be a bug in completing the Windows update notification.

(Apologies for the poor picture - I just borrowed it from a Google image search)

22 February 2011

Create a Windows 7 multi edition bootable USB and DVD ISO image - the easy way

This is a bit of an old topic by now but since SP1 has been released for Windows 7, there will be a need to do this again for the slipstreamed ISO.  Before we start here is some terminology. Windows Versions are XP, Vista, 7.  Editions of Windows 7 are Windows 7 Home Premium, Windows 7 Professional, etc.

"Unlock" the other editions
To simplify the OS deployment media (DVD / ISO), from now on referred to as the image, Microsoft has made a single image from which any edition of Windows 7 can be installed.  The only difference is a small text file that determines which edition is available on that particular image.

The file is called ei.cfg and it is located in the \sources folder of the image file.  If this file is deleted or renamed then the installation will prompt you to choose the edition of Windows.

The easiest way of doing this is to create a bootable USB installation drive.
If, however, you still want to have an ISO file so you can use it for VMs or for burning physical media, you will have to crack open the ISO and then recreate a bootable ISO. It is actually easier than it sounds.

OPTION 1 - Create bootable USB installation drive

Download the Windows 7 USB / DVD Download Tool http://images2.store.microsoft.com/prod/clustera/framework/w7udt/1.0/en-us/Windows7-USB-DVD-tool.exe

  • Insert your 4GB or bigger USB flash drive
  • Start the Windows 7 USB / DVD Download Tool
  • Choose your original ISO
  • Select USB device as your destination

The USB drive will now be bootable and you can install from there.

  • To make it multi edition you need to delete the ei.cfg file from the sources folder.  

That's it, very simple and easy.

OPTION 2 - Create multi edition installation ISO
This happens in two parts.  I am using two freeware applications to perform this.

These two apps are very useful and I use them all the time, so take the time to check them out if you aren't already using them.

Part I extract the ISO
Once 7Zip is installed you can right click your ISO file and select extract.
This will now extract the entire folder structure.

Delete the ei.cfg file from the Sources folder

Part II create a bootable ISO
Open ImgBurn and from the menu screen select Create image file from files/folders

  • Browse to the source folder where you extracted and edited the original ISO.
  • Select the Advanced tab on the right
  • Select the Bootable disk tab on the right
  • Check the make image bootable box
  • For the boot image browse to the \boot folder (in the extracted iso folder) and select etfsboot.com as the boot image.
  • Add "Microsoft Corporation" in Developer ID
  • Change Sectors to load from 4 to 8 (4 if you for some reason want to do a Vista ISO)
  • Click the big Folder to ISO image on the bottom left and follow the prompts.

Your new ISO will now be bootable and multi edition.

This in no way causes any licensing issues, since the version of Windows that you can end up using is dependent on the key that you provide.  You can of course not enter a key and pick a version, but then you will have to provide a valid key at some point.

18 February 2011

Machines unable to automatically update root certificates fail on various applications

How to manually update a Windows machine trusted certificate store.

SSL certificates work in chains.

The lower certificate (red) has to trust the intermediary certificate (green), and that one in turn needs to trust the root certificate (purple).  The trust works because the local machine can check the root certificate in the chain against its own copy in the local certificate store.  If, however, the root CA does not have a certificate in the local certificate store, the chain is broken and the certificate will no longer be trusted.

This does not mean SSL will not work or encrypt; it just means that certain things will break, often unexpectedly or with strange error messages.

The reason your machine might not be updating the root certificates automatically could be that it is behind a corporate SUS server, or that it has very limited internet access and cannot connect to the Windows Update servers.

There is hope though.  Because of the limited update ability in Windows XP, Microsoft supplies a root certificate update package for download.

You can download it from here: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe

This file is periodically updated, so the link should be good in the future too.

17 February 2011

Data Protection Manager 2010 Installation Walk through Part II

Once your DPM installation is completed there are some required configuration tasks
  • Adding disks to the storage pool
  • Configuring tape libraries
  • Installing and configuring protection agents
  • Creating protection groups
Adding Disks to the storage pool.

In my VM I provisioned 2 additional disks
  • From the DPM console select the Management section
  • Select the Disks tab
  • From the actions menu click Add

  • Add the disks you want to allocate to the storage pool
  • OK

The storage pool has now been created and you can see the associated properties.
Disks can be added and removed from the storage pool at any time depending on the amount of space available / required.

Configuring tape libraries
I don't have one...
But Microsoft does --- http://technet.microsoft.com/en-us/library/ff399665.aspx

Installing and configuring protection agents

Prepare agent machines
Before a machine can be protected the DPM agent needs to be installed.  It has to match the following software requirements.  http://technet.microsoft.com/en-us/library/ff399140.aspx

You also need to make some changes to the Windows Firewall on the DPM server.  It is nicely documented here http://technet.microsoft.com/en-us/library/ff399062.aspx

Installing the agent 
There are a few ways to install the protection agent, but the one I prefer is the one that you would end up deploying with SCCM or batch.

On the DPM server the following folders have the installation files:

x64 - C:\Program Files\Microsoft DPM\DPM\ProtectionAgents\RA\3.0.7696.0\amd64
x86 - C:\Program Files\Microsoft DPM\DPM\ProtectionAgents\RA\3.0.7696.0\i386

You can execute the relevant installer on the client machine with the DPM server FQDN as a parameter, e.g.

DPMAgentInstaller_x86.exe myserver.mydomain.com

Attaching agents to the DPM server
The DPM server now needs to attach to the DPM agent on the protected machine.

From the management section select the agents tab

  • Click install from the actions pane
  • Select the option to attach agent in a trusted domain.
  • Follow the wizard and provide:
  • Agent name
  • Username and password for DPM connection
  • Confirm installation

You should now see your protected machine in the Agents tab.

Creating Protection groups
Your DPM server is now configured with a place to put the data.  Your clients are now configured to talk to the DPM server.  Now you need to specify what will be backed up, how, and for how long it will be retained.  To do this you need to create the protection groups.  The strategy for making up your protection groups is to group similar content sources and retention periods together.  For instance, you may have multiple file servers put in one protection group and only one SharePoint server in another.

From the Protection section of the DPM console select Create Protection Group from the actions menu.
This launches an extensive wizard that allows you to configure what you want to back up, where you want to keep it, for how long, etc.

That should now complete a very basic fully functional DPM 2010 deployment.

Data Protection Manager 2010 Installation Walkthrough

System Center Data Protection Manager 2010 or DPM 2010 is the Microsoft backup solution for file, Exchange and SharePoint.

As I was going to do the install in any case I figured why not just document the installation.  I deployed a brand new clean Windows 2008 R2 VM and started the install from there.

From the ISO execute the Setup file.  You will see the "not so pretty splash screen."  Select Install Data Protection Manager

From this point on the installation pretty much drives itself.
Some prerequisite components are installed without needing any attention.
During the prerequisite check it detected that Single Instance Storage (SIS) was not installed, and notified me that it would install it and reboot, and that the installation would need to be restarted.
Back in the installation we get prompted for the installation location.  It allows you to specify the installation directories and whether you want to install SQL locally and use it, or use an existing SQL server.
Pick a password for the required and automatically created accounts.
Opt in for receiving updates from Windows Update.

Opt out of the customer experience program.
And now the wait begins.  My VM took about 10 minutes to finish up the install.
Once complete you can launch the DPM Admin Console and start backing stuff up.

Again I have to say how much I appreciate packages like this that just do everything for you.

16 February 2011

Windows Server 2003 trusted root certificate authority not updated

Certificates work in chains, each certificate has to trust the issuing CA, if it cannot trust it all the way to the root the certificate is not trusted.

I had a Windows 2003 server that gave me this issue when attempting to use an SSL hosted API.

When connecting to their site with IE as part of troubleshooting I got this as a result

The problem was the root CA was not trusted.  Normally this list of trusted CAs is automatically updated through Windows Update and other methods.

To fix this issue I had to manually download and install the trusted root for the application to work.

(Browse to the CA's site, download the trusted root cert, and import it on the 2003 server.)

The reason it is not updated is stated here

Windows Server 2003, Windows Server 2008, Windows Server 2008 R2

The automatic root update mechanism is enabled on Windows Server 2008 and later, but not on Windows Server 2003.  Windows Server 2003 supports the automatic root update mechanism only partially, equivalent to the support on Windows XP.  And since the root update package is intended for Windows XP client SKUs only, it is not intended for Windows Server SKUs.  However, the root update package may be downloaded and installed on Windows Server SKUs, subject to the following restrictions. 

If you install the root update package on Windows Server SKUs, you may exceed the limit for how many root certificates that Schannel can handle when reporting the list of roots to clients in a TLS or SSL handshake, as the number of root certificates distributed in the root update package exceeds that limit. When you update root certificates, the list of trusted CAs increases significantly in size and may cause the list to grow too long. The list is then truncated and may cause problems with authorization. This behavior may also cause Schannel event ID 36885.  In Windows Server 2003, the issuer list cannot be greater than 0x3000.  For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base: 933430  Clients cannot make connections if you require client certificates on a Web site or if you use IAS in Windows Server 2003. 

Sounds kind of complex.

If you want to read more, check out the full article, which covers some interesting update differences between XP, 2003, 2008 and Windows 7: http://support.microsoft.com/kb/931125

10 February 2011

Exporting and Importing SSL certificate chains in IIS and TMG

My personal belief nowadays is that any business or corporate application should be published exclusively over HTTPS, because HTTP really is just plain text.  Usernames and passwords, all data etc., all going across as interceptable, sniffable plain text.

This was traditionally offset by the performance penalty associated with the encryption and decryption process.  But that has not been a factor since CPUs hit GHz speeds.  As for the "perceived" size increase from adding SSL encryption, it can be called minuscule, and that has not been a factor since the end of the 28,800 modem days.

To publish an Application in TMG with HTTPS you need the certificate to attach to your listener.

Exporting Certificates
Exporting and importing certificates is best done from the MMC console.

Typically a certificate is created on an IIS machine by requesting a certificate, submitting the certificate request, receiving the certificate and completing the certificate request process.  The certificate can then be exported.

  • Open the MMC console
  • Files - Add/Remove Snap In
  • Select Certificates and Click add
  • When Prompted select to manage certificates for "Computer account"
  • Select Local Computer
  • Once open, expand Certificates - Personal - Certificates

Find the certificate that needs to be exported.
Right Click - All tasks - Export

Follow the wizard and respond as follows when prompted:

  • Yes, export the private key
  • Include all certificates in the certification path if possible
  • Export all extended properties
  • Specify a password
  • Specify a file name

This will now give you a single PFX certificate file that you can import.  It should also contain any other certificates required higher up in the certificate chain.  If not you would have to import those manually.

In the image you can see the icons are different.  The first two are the root and intermediate certificates, which exclude the private key.  The third one, the one we just exported, contains the private key.  This is needed to import the cert successfully into TMG.

Importing the certificate

You will have to follow this process for every TMG server in your array.

  • Copy the file to the TMG server
  • Open the MMC console
  • Files - Add/Remove Snap In
  • Select Certificates and Click add
  • When Prompted select to manage certificates for "Computer account"
  • Select Local Computer
  • Once open, expand Certificates - Personal - Certificates
  • Right Click Certificates - All tasks - Import

Follow the wizard and provide the following when prompted

  • File name (of your exported certificate)
  • The password specified during the export
  • Un-check "Mark this key as exportable"
  • Check Include all extended properties
  • Automatically select the certificate store based on the type of certificate
  • Delete the certificate file you copied earlier

Once the import is complete refresh the view.  You should now see the new certificate in the personal store.  If you browse down to the intermediate and Trusted root certificates you should also see the additional certificates.

Double click your new certificate
It should show that everything is working 100% unless there is a red X in the certificate.
On the certificate path tab you should see a nice chain all the way to the top.
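A scripted version of this Certification Path check, added here as an example and not part of the original post. It assumes PowerShell 3.0 or later on the server, and Test-CertificateChain is a hypothetical helper name. It also reports the broken chain described in the two root certificate posts above, where a root missing from the local store leaves the certificate untrusted.

```powershell
# Added example (not from the original post). Requires PowerShell 3.0 or later.
# Test-CertificateChain is a hypothetical helper name.

function Test-CertificateChain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # $true = machine context: validate against the Local Computer stores,
        # the same stores the MMC steps above import into.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true

        # Judge trust only and skip revocation lookups, so the check also works
        # on a server with restricted internet access.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'

        try {
            $trusted = $chain.Build($Certificate)

            # ChainElements[0] is the certificate itself; the last element is the
            # highest issuer Windows could find (the root when the chain is complete).
            $path = foreach ($element in $chain.ChainElements) {
                $problems = @($element.ChainElementStatus | ForEach-Object { $_.Status })
                $state = if ($problems.Count -gt 0) { $problems -join ', ' } else { 'OK' }
                '{0} [{1}]' -f $element.Certificate.Subject, $state
            }
            $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

            [pscustomobject]@{
                Subject       = $Certificate.Subject
                Thumbprint    = $Certificate.Thumbprint
                # A listener certificate needs its private key; root and
                # intermediate certificates do not carry one.
                HasPrivateKey = $Certificate.HasPrivateKey
                ChainTrusted  = $trusted
                # False: an issuer is missing (status PartialChain).
                # True with UntrustedRoot: the root was found but is not in
                # the Trusted Root Certification Authorities store.
                ReachesRoot   = ($top.Subject -eq $top.Issuer)
                ChainStatus   = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
                Path          = $path
            }
        }
        finally {
            $chain.Reset()
        }
    }
}

# Check every certificate in Local Computer\Personal, e.g. after the PFX import.
Get-ChildItem -Path Cert:\LocalMachine\My | Test-CertificateChain | Format-List
```

An empty ChainStatus with ChainTrusted set to True corresponds to the clean chain on the certificate path tab.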

Once completed on all the TMG servers you can now choose this for use in a listener.

Important Step - If the certificate contains intermediary or root certificates you will have to reboot the TMG server(s) before it will function correctly.

Assign certificate to a listener

Create your listener as per usual.

  • On the connections tab specify "Enable SSL (HTTPS) connections on port:"  - leave it as 443
  • (Optional but recommended - choose "Redirect all traffic from HTTP to HTTPS")
  • From the certificates tab choose the Select certificate button

You should now see only valid certificates, and your exported and imported certificate should be available.

You can now use your listener to publish your site in SSL.

09 February 2011

Search Server diagrams and technical explanations

I like pictures, I draw them all the time to try and explain abstract environments for people so that they can better grasp or understand.  This in turn makes my job easier.  It is so nice then to discover that someone at MS has done a great job of drawing up the models for Search server.  It also has a lot of readable information in the model that further clarifies what they are talking about.

I always end up looking for this so I figured I would just re-post it myself.

Download Models About Search in SharePoint Server 2010

Models are posters that detail a specific technical area. These models are intended to be used with corresponding articles on TechNet. You can download and modify the files to illustrate how you plan to incorporate SharePoint Server 2010 in your own environment.
Search technologies for SharePoint 2010 Products
Download the model: Search technologies for SharePoint 2010 Products
This model compares the search technologies in the following:
  • SharePoint Foundation 2010
  • Search Server 2010 Express
  • Search Server 2010
  • SharePoint Server 2010
  • FAST Search Server 2010 for SharePoint
Search environment planning for SharePoint Server 2010
Download the model: Search environment planning for SharePoint Server 2010
This model helps you plan your search environment by considering the following questions:
  • Where are your users and content?
  • What content do you plan to include in search results?
  • How many farms do you have to plan for?
Search architectures for SharePoint Server 2010
Download the model: Search architectures for SharePoint Server 2010
Learn about the physical and logical components of architecture, scale-out decision points, and see examples of architectures.
Design search architectures for SharePoint Server 2010
Download the model: Design search architectures for SharePoint Server 2010
This model helps you go through the initial design steps to determine a basic design for a SharePoint Server 2010 search architecture.

Original link http://technet.microsoft.com/en-us/enterprisesearch/ee441229

08 February 2011

Updated Windows keyboard shortcuts

Typically I read a list of these and then just forget about them.  Here is an updated list from MS of the keyboard shortcuts available in the latest version of Windows. Some of these are very well known. Others are not.  The ones I found that are new to me are in BLUE.

One of my pet peeves when it comes to laptops is that they very often omit the Windows Logo and/or the Application key (the right-click key).

Dell laptops used to hide the Application key as a small obscure key in the top right of the keyboard (next to useless there). Now it is completely gone again.

And of course my all-time favorite: the then-IBM ThinkPads simply never had either key until the buyout by Lenovo...

Windows system key combinations
F1: Help
CTRL+ESC: Open Start menu
ALT+TAB: Switch between open programs
ALT+F4: Quit program
SHIFT+DELETE: Delete item permanently
Windows Logo+L: Lock the computer (without using CTRL+ALT+DELETE)

Windows program key combinations
CTRL+C: Copy
CTRL+V: Paste
CTRL+Z: Undo
CTRL+B: Bold
CTRL+U: Underline
CTRL+I: Italic

Mouse click/keyboard modifier combinations for shell objects
SHIFT+right click: Displays a shortcut menu containing alternative commands
SHIFT+double click: Runs the alternate default command (the second item on the menu)
ALT+double click: Displays properties
SHIFT+DELETE: Deletes an item immediately without placing it in the Recycle Bin

General keyboard-only commands
F1: Starts Windows Help
F10: Activates menu bar options
SHIFT+F10: Opens a shortcut menu for the selected item (this is the same as right-clicking an object)
CTRL+ESC: Opens the Start menu (use the ARROW keys to select an item)
CTRL+ESC or ESC: Selects the Start button (press TAB to select the taskbar, or press SHIFT+F10 for a context menu)
CTRL+SHIFT+ESC: Opens Windows Task Manager
ALT+DOWN ARROW: Opens a drop-down list box
ALT+TAB: Switch to another running program (hold down the ALT key and then press the TAB key to view the task-switching window)
SHIFT: Press and hold down the SHIFT key while you insert a CD-ROM to bypass the automatic-run feature
ALT+SPACE: Displays the main window's System menu (from the System menu, you can restore, move, resize, minimize, maximize, or close the window)
ALT+- (ALT+hyphen): Displays the Multiple Document Interface (MDI) child window's System menu (from the MDI child window's System menu, you can restore, move, resize, minimize, maximize, or close the child window)
CTRL+TAB: Switch to the next child window of a Multiple Document Interface (MDI) program - In browser it cycles between tabs
ALT+underlined letter in menu: Opens the menu
ALT+F4: Closes the current window
CTRL+F4: Closes the current Multiple Document Interface (MDI) window
ALT+F6: Switch between multiple windows in the same program (for example, when the Notepad Find dialog box is displayed, ALT+F6 switches between the Find dialog box and the main Notepad window)

Shell objects and general folder/Windows Explorer shortcuts
For a selected object:
F2: Rename object
F3: Find all files
CTRL+C: Copy
CTRL+V: Paste
SHIFT+DELETE: Delete selection immediately, without moving the item to the Recycle Bin
ALT+ENTER: Open the properties for the selected object

To copy a file
Press and hold down the CTRL key while you drag the file to another folder.

To create a shortcut
Press and hold down CTRL+SHIFT while you drag a file to the desktop or a folder.

General folder/shortcut control
F4: Selects the Go To A Different Folder box and moves down the entries in the box (if the toolbar is active in Windows Explorer)
F5: Refreshes the current window.
F6: Moves among panes in Windows Explorer
CTRL+Z: Undo the last command  (This can now be done for deleting a file to the recycle bin too)
CTRL+A: Select all the items in the current window
BACKSPACE: Switch to the parent folder
SHIFT+click+Close button: For folders, close the current folder plus all parent folders

Windows Explorer tree control
Numeric Keypad *: Expands everything under the current selection
Numeric Keypad +: Expands the current selection
Numeric Keypad -: Collapses the current selection.
RIGHT ARROW: Expands the current selection if it is not expanded, otherwise goes to the first child
LEFT ARROW: Collapses the current selection if it is expanded, otherwise goes to the parent

Properties control
CTRL+TAB/CTRL+SHIFT+TAB: Move through the property tabs

Accessibility shortcuts
Press SHIFT five times: Toggles StickyKeys on and off
Press down and hold the right SHIFT key for eight seconds: Toggles FilterKeys on and off
Press down and hold the NUM LOCK key for five seconds: Toggles ToggleKeys on and off
Left ALT+left SHIFT+NUM LOCK: Toggles MouseKeys on and off
Left ALT+left SHIFT+PRINT SCREEN: Toggles high contrast on and off

Microsoft Natural Keyboard keys (Most Keyboards)
Windows Logo: Start menu
Windows Logo+R: Run dialog box
Windows Logo+M: Minimize all
SHIFT+Windows Logo+M: Undo minimize all
Windows Logo+F1: Help
Windows Logo+E: Windows Explorer
Windows Logo+F: Find files or folders
Windows Logo+D: Minimizes all open windows and displays the desktop
CTRL+Windows Logo+F: Find computer
CTRL+Windows Logo+TAB: Moves focus from Start, to the Quick Launch toolbar, to the system tray (use RIGHT ARROW or LEFT ARROW to move focus to items on the Quick Launch toolbar and the system tray)
Windows Logo+TAB: Cycle through taskbar buttons
Windows Logo+Break: System Properties dialog box
Application key: Displays a shortcut menu for the selected item

Dialog box keyboard commands
TAB: Move to the next control in the dialog box
SHIFT+TAB: Move to the previous control in the dialog box
SPACEBAR: If the current control is a button, this clicks the button. If the current control is a check box, this toggles the check box. If the current control is an option, this selects the option.
ENTER: Equivalent to clicking the selected button (the button with the outline)
ESC: Equivalent to clicking the Cancel button
ALT+underlined letter in dialog box item: Move to the corresponding item

Windows Logo+Home: Hide Inactive Windows

For everyone celebrating the Chinese new year - Gong Xi Fa Cai

TMG and ISA VPN and additional networks NAT differences

Both Microsoft Threat Management Gateway 2010 (TMG) and Internet Security and Acceleration Server 2006 (ISA) provide VPN capability.  When the VPN is enabled you have an additional network available.  This network's interaction with the other attached networks is governed by the network rules.  A network rule can be defined to either route or NAT (network address translation) between the networks.

In routing the IP addresses do not change; routers are aware of the address ranges and can route traffic between the networks.

In NAT, addresses are changed so that all communication happens through a common IP address or addresses.

With ISA 2006 you only had the ability to choose between route and NAT.

In TMG 2010 this has been extended for better NAT configuration.  You can still choose to route or NAT but now you can choose the NAT IPs as opposed to being limited to the destination network default addresses. This is available from the additional NAT address selection tab.

Since these settings are for all network rules, this greatly enhances your configuration options when it comes to deploying TMG in a multi-network environment, even for configuring basic internet access.  You can now NAT all the servers in an array behind a common NLB IP as opposed to having to allow an IP for each member in the array.  This makes a big difference if you have to configure a primary or 3rd party firewall to line up with your TMG deployment.

04 February 2011

How to find out why your account keeps getting locked with Windows Server, TMG and Webspy

It has to rate as one of my all time most frustrating and annoying experiences. Having your account locked can be debilitating, rendering you useless until someone is kind enough to unlock your account, or worse yet you have to wait for the lockout time to expire.

Depending on the domain policy, the number of incorrect attempts and the lockout duration will vary.  Either way, you often find that no matter where you look you can't figure out from where and why your account is getting locked.

The way to find the locking machine is to go to the locking authority: Active Directory.  If you investigate the Security logs on the Active Directory servers you will find the lockout events.

On a Windows 2003 domain controller the event ID is 644. Note this is a successful action as the domain controller was able to successfully lock the account.

The field information you want to know is:
Target account name - the AD account name
Caller Machine Name - the machine name from where the account was locked out.

On a Windows Server 2008 and 2008 R2 domain controller the event ID is 4740.

Once you have identified the machine locking your account you can check out the machine and see what's up.  In many cases it is a machine you logged onto and never logged off from.
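One way to pull the target account and caller machine out of the 4740 events, added here as an example and not part of the original post. It assumes PowerShell 3.0 or later; the function names are hypothetical and the sample events are constructed so the script runs without a domain controller.

```powershell
# Added example: find the machine behind each lockout from event ID 4740.
# Function names are hypothetical; the events under "Constructed sample" are made up.

function ConvertFrom-LockoutEventXml {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$EventXml
    )
    process {
        $root   = ([xml]$EventXml).DocumentElement
        $system = $root['System']
        if ($system['EventID'].InnerText -ne '4740') { return }

        # Collect the named <Data> fields of the event into a hashtable.
        $fields = @{}
        foreach ($node in $root['EventData'].ChildNodes) {
            if ($node.LocalName -eq 'Data') {
                $fields[$node.GetAttribute('Name')] = $node.InnerText
            }
        }

        # Event Viewer labels this value "Caller Computer Name", but in the
        # event XML it is stored in the TargetDomainName field. It can be empty.
        $caller = $fields['TargetDomainName']
        if ([string]::IsNullOrEmpty($caller)) { $caller = '(not recorded)' }

        [pscustomobject]@{
            TimeUtc          = $system['TimeCreated'].GetAttribute('SystemTime')
            Account          = $fields['TargetUserName']
            CallerMachine    = $caller
            DomainController = $system['Computer'].InnerText
        }
    }
}

function Get-LockoutSource {
    param(
        [Parameter(Mandatory = $true)][string[]]$EventXml,
        [string]$Account   # optional: report on one account only
    )
    $EventXml | ConvertFrom-LockoutEventXml |
        Where-Object { -not $Account -or $_.Account -eq $Account } |
        Group-Object -Property Account, CallerMachine |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object TimeUtc)
            [pscustomobject]@{
                Account       = $sorted[0].Account
                CallerMachine = $sorted[0].CallerMachine
                Lockouts      = $sorted.Count
                FirstSeenUtc  = $sorted[0].TimeUtc
                LastSeenUtc   = $sorted[-1].TimeUtc
            }
        } |
        Sort-Object Lockouts -Descending
}

# Constructed sample: builds XML in the shape that (Get-WinEvent ...).ToXml() returns.
function New-SampleLockoutXml {
    param([string]$Account, [string]$Caller, [string]$Time)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="$Time" />
    <Computer>DC01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">$Account</Data>
    <Data Name="TargetDomainName">$Caller</Data>
  </EventData>
</Event>
"@
}

$sample = @(
    New-SampleLockoutXml 'jsmith' 'WKS-0042' '2011-02-04T06:10:00.000Z'
    New-SampleLockoutXml 'jsmith' 'TMG01'    '2011-02-04T07:40:00.000Z'
    New-SampleLockoutXml 'jsmith' 'TMG01'    '2011-02-04T08:15:00.000Z'
    New-SampleLockoutXml 'akhan'  ''         '2011-02-04T08:20:00.000Z'
)

# For jsmith: TMG01 caused two lockouts and WKS-0042 one.
Get-LockoutSource -EventXml $sample -Account 'jsmith' | Format-Table -AutoSize

# Live use on a 2008 / 2008 R2 domain controller (needs rights to read the Security log):
#   $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
#              ForEach-Object { $_.ToXml() }
#   Get-LockoutSource -EventXml $xml -Account 'jsmith'
```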

The other problem you may have is that your account is getting locked by another device on the internet.  This is normally a smart phone attempting to sync email.  Checking out the AD log will only reveal the reverse proxy server as the culprit.  If you are using TMG or ISA you are in luck.

To find out where the problem lies you will have to analyse the Forefront Threat Management Gateway logs.

Set up a filter for Logging and reporting.

Specify the Username in the domain\username manner
If you know what the offending rule might be then add that to the filter too.

I prefer to run the log for "Last Hour" to catch the lockout event that happened in the past.

What you would expect to see is not a lockout event but a failed authentication event.  Like the screen shot but with RED not green.

If this still does not give you an idea of where to look you can further analyse the TMG or ISA logs with WebSpy Vantage.  Here you can find the user agent, and this should give you a very good idea of where the connection attempt is coming from.

Import the logs into a storage
Create a new analysis
Expand down to the username
Then expand the user agent

You can see that all the requests for that user coming in from the internet were made from his iPhone.

Hopefully this helps someone to permanently resolve an account lockout problem.

For more info check out http://fixmyitsystem.com/2011/04/scripts-to-see-where-your-account-is.html

Update 2

TMG SP2 adds functionality to display more information for accounts lock out


03 February 2011

RDS Connecting to screen disappears while starting application that does not open

While attempting to connect to a Remote Desktop Services application you might run into this problem.  The application launches as expected.  The window indicates that the application is starting. Then the window disappears and the application does not open.  There is also no error message on the client machine or error events on the RDS servers.

In my case it was because the login account had been locked.  Normally you would get the error when connecting to the server during login, but since it is hidden in this scenario you don't know what the problem is...

02 February 2011

Installing a Microsoft Search Server 2010 Farm Part I

This is how the Standalone install compares with the Server Farm install


Server Farm

options during installation

Stand-alone installation is automated with default settings and proceeds without prompts.

  • Requires that you specify an existing SQL Server host computer and an empty database.
  • At the end of the installation, you can run the Initial Farm Configuration Wizard to configure certain initial farm settings.

and scalability

you to deploy a fully functional Search Server configuration on one computer. The computer functions as an application server for crawling and serving queries, a Web server for serving search queries and rendering search results, and a database server for hosting all of the necessary search databases. After a stand-alone installation, there is no option to add computers to the deployment to create a multiple-server farm.

configuration can be useful when you want any of the following:
  • A small-scale deployment that has minimal administrative
  • A development or test environment
  • A deployment for product evaluation

you to deploy a fully functional Search Server deployment on one computer initially, and then add multiple application servers and Web servers to the deployment to distribute the search functionality and workload. We recommend using the Server Farm installation option when you are creating a production farm because this deployment can be scaled out to multiple crawl servers, query servers, and Web servers.

SQL Server 2008 Express is installed automatically.

Requires a SQL Server host computer. The SQL Server host computer can be a different computer from the Search Server host computer.

SQL Server 2008 Express limits maximum database size to 4 gigabytes (GB). In a stand-alone installation, this limits Search Server indexing capability to approximately 300,000 items, depending on the size and type of the items.

With a SQL Server host computer that meets the version requirements specified in the section in Hardware and software requirements (Search Server 2010), Search Server provides sub-second query response times for an index of up to 100 million items, depending on the size and type of the items.

For my lab build I start off by installing SQL on my test server.  I will be building my whole farm on a single server and then add additional servers as I expand.   This is because traditionally it is not possible to grow a SharePoint environment that was installed as a standalone.

Installing a Microsoft Search Server 2010 Farm Part II

In http://fixmyitsystem.com/2011/01/installing-microsoft-search-server-2010.html I cover a stand-alone installation.  This is the same except you select a server farm install.  Once the configuration wizard starts you will have to provide more information.

When you are setting up the farm initially you would select create a new farm.  When installing any additional server to perform roles for the farm, you would select "Connect to an existing farm".
On this screen you specify the database server.  In my case it is my localhost.
The database access account needs to be a SQL admin.

One of my pet peeves is running sites on anything other than port 80 and 443.  At least here you can specify a port number and not have to rely on the setup randomly choosing one for you like it does in a standalone install.

Once you complete these steps the Central Admin page will eventually open up. It takes a while to get things going, so just be patient and don't panic.

Next up run through the farm configuration wizard.