My Experience Configuring Cloud Hybrid Search Service Application for SharePoint

   In this post I’ll talk through my personal experience deploying the new cloud hybrid search service application for SharePoint 2013 (also available in SharePoint 2016).  By no means am I an expert on this topic (especially in many of the supporting technologies such as AAD Connect, AD FS, etc.) but this is more meant to increase exposure to this new offering.  For an overview of cloud hybrid search and more information about actual implementation (which I will refer back to later) please read through Cloud Hybrid Search Service Application written by two of my Microsoft peers Neil and Manas (they are the true experts).

 

Components

   Here is a list of the high level components I used for my deployment.

Note: My Azure VM configuration is not using best practices for where or how to deploy different services.  Also my mention of GoDaddy and DigiCert are purely for example purposes and not an endorsement for either company.  I just happen to use their services and products in this scenario.

  • Office 365 (O365) trial tenant (sign up for one here)
  • 4 Azure VMs
    • A1 – Active Directory Domain Services (AD DS)
    • A1 – Active Directory Federation Services (AD FS)
    • A2 – Azure Active Directory Connect (AAD Connect), Web Application Proxy (WAP)
    • A4 – SQL Server 2014, SharePoint 2013 farm with Service Pack 1 and at least Aug 2015 CU
  • Custom domain (purchased through GoDaddy but any domain registrar should work)
    • Note: Office 365 does have a partnership with GoDaddy so configuration may be easier due to automated updates that can be performed
    • Additionally I was able to modify public DNS records through GoDaddy to allow federated authentication through AD FS
  • SSL wildcard certificate purchased from DigiCert
    • Only required if you want to allow Office 365 users to open / preview a search result that resides on-prem with Office Online Server (new version of Office Web Apps Server 2013, not discussed in this post)
    • I also used this certificate for other purposes such as securing AD FS communication and implementing Remote Desktop Gateway (the latter is unrelated to this post)
  • Custom result source to display O365 search results in my on-prem farm

 

   Next we’ll take a look at some of these components more in depth.

 

SharePoint Server

   The new cloud hybrid search service application is available in SharePoint Server 2013 with the August 2015 CU or later.  I have heard from my peers that there are some issues with cloud hybrid search as of the October, November, and December 2015 CUs.  As such use either the August or September 2015 CUs at the time of this writing (Dec 8, 2015) or wait until the Jan 2016 CU which should contain the fix (link).  The SharePoint Server 2016 IT Preview 1 also supports cloud hybrid search although I have not tested it out myself.

 

Cloud Search Service Application

   To provision a cloud hybrid search service application the property CloudIndex on the service application must be set to True.  This property is a read-only property and can only be set at creation time.  As such you will need to create a new search service application in order to utilize the cloud hybrid search service.

   I have not tested creating a new cloud hybrid search service application using a restored backup admin database from an existing search service application.  The thought behind this would be to retain at least a portion of your existing search service application.  If you try this and have any findings let me know in the comments below.
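   The read-only behavior described above, as an added example that is not from the original post or from the Microsoft implementation article it links to. It lists the CloudIndex value of every existing search service application and creates a new one with the property set at creation time. The service application name, application pool name, and database server are placeholder assumptions.

```powershell
# Added example, not the author's or Microsoft's script.
# Placeholder values below are assumptions; replace them for your farm.
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null)
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$ssaName     = "Cloud Search Service Application"   # placeholder
$appPoolName = "SearchServiceAppPool"               # placeholder, pool must already exist
$dbServer    = "SQLSERVER01"                        # placeholder

# CloudIndex cannot be changed on an existing service application,
# so report the current value for each one instead of trying to set it.
Get-SPEnterpriseSearchServiceApplication |
    Select-Object Name, CloudIndex |
    Format-Table -AutoSize

# Stop if a cloud search service application already exists.
$existing = Get-SPEnterpriseSearchServiceApplication | Where-Object { $_.CloudIndex -eq $true }
if ($existing)
{
    Write-Host "Cloud search service application already present: $($existing.Name)"
    return
}

# CloudIndex is supplied when the service application is created.
$appPool = Get-SPServiceApplicationPool -Identity $appPoolName -ErrorAction Stop
$ssa = New-SPEnterpriseSearchServiceApplication -Name $ssaName `
    -ApplicationPool $appPool `
    -DatabaseServer $dbServer `
    -CloudIndex $true

# Confirm the property took effect before building the topology on top of it.
if ($ssa.CloudIndex -ne $true)
{
    throw "Service application '$ssaName' was created without CloudIndex = True."
}
Write-Host "Created '$($ssa.Name)' with CloudIndex = $($ssa.CloudIndex)"
```

   This covers only the service application itself; the search topology, proxy, and Office 365 onboarding steps are in the implementation article referenced at the top of this post.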

 

Custom Domain

   A custom domain is not a requirement for cloud hybrid search.  I used one so that I could allow end users (demo accounts) to log into Office 365 as a federated user “someUser@<fakecompany>.com” rather than the default domain “someUser@<O365TenantDomain>.onmicrosoft.com”.

 

AAD Connect

   In order to search for on-prem content that has been indexed by Office 365 the user will need to have an account that is synchronized to Azure Active Directory / Office 365.  This allows the search service in Office 365 to show content based on the Access Control List (ACL) defined on-prem.

   There are multiple options available for synchronizing accounts between on-prem and AAD but the predominant ones include DirSync, AAD Sync, and AAD Connect.  Since AAD Connect is the future-looking tool of choice of these three I decided to use it.  AAD Connect automates many of the tedious tasks of configuring federated authentication by stepping through a wizard.

   That said I did run into a number of issues during configuration due to missing certificates, invalid permissions, or other steps I missed or was unaware of.  If I got part of the way through the configuration and ran into a failure that I couldn’t recover from then I had to uninstall AAD Connect (do not remove all prerequisites when prompted), wipe out the contents of “<install drive>:\Program Files\Microsoft Azure AD Sync\Data”, and then re-install.

 

Display Search Results On-Prem

 

***PLEASE READ AS THIS IS IMPORTANT***

    The default scenario for cloud hybrid search is to index both on-prem and O365 content which are then queried in O365.  It is possible to create or modify an on-prem result source to use the remote index from your Office 365 tenant which allows for querying and displaying the combined search results on-prem.  The problem though is that when you query for and click results on-prem the search analytics click data is not incorporated back to the cloud index to further influence search results.

Ex. I queried for “SharePoint” in on-prem search center and clicked the 4th result on result page.  Multiple other users also searched for “SharePoint” and clicked the same 4th result.  SharePoint search (via timer jobs and other background processes) incorporates that click data and adjusts the 4th result to now appear higher in rankings upon subsequent search queries.

   I have unsuccessfully tested a few options to manually pass the search click data up to SharePoint Online.  These include creating a ClientContext object and calling the RecordPageClick() method on SearchExecutor, modifying the display template page, and more.  I did hear from a SharePoint MVP that successfully tested out a way to push search analytics data between on-prem and O365 but it took a fair amount of customizations to accomplish.  If I find out any additional information, workaround, or updates on this topic I’ll update this post to reflect that.

 

Example

   As you can see from the below screenshots I can initiate a search query from on-prem or O365 (respectively) and get the same combined result set.

 

[Screenshot: on-prem search results]

[Screenshot: SharePoint Online search results]

 

 

Conclusion

   Due to my prior inexperience around AD FS, Web Application Proxy, AAD Connect, and other applications it took me a few days to get everything working end-to-end.  After that small hurdle I was very excited to be seeing combined on-prem and O365 search results in both on-prem and O365.  Do note though the section above calling out the current issue with search analytics data not being sent back and forth.  Aside from that I am looking forward to testing this out with customers and reaping the many benefits such as inclusion of content in the Microsoft Graph (formerly Office Graph) / Delve and other O365 only offerings.

 

      -Frog Out

Wrap Up from Microsoft Ignite 2015

   This was the first year of the Microsoft Ignite conference which merged a number of previous conferences including TechEd, SharePoint Conference, Project Conference, and more.  With over 23,000 attendees, a new venue, and numerous Microsoft senior leadership and product group in attendance (including CEO Satya Nadella himself) this was definitely a huge event.  Rather than re-capping the event itself I wanted to take a minute to mention a few items that I heard / saw at the conference.  I am still downloading and viewing a number of sessions that I couldn’t attend (same time as another session or room was at capacity) but these are highlights that I wanted to share with others.

 

Recap

  • No “internal” FIM in SharePoint 2016 – SharePoint 2016 will not ship with a version of the Forefront Identity Manager product included.  This is a fairly big deal for any customers that are using the “SharePoint Synchronization” option (allows for import and export of content to / from SharePoint) for the User Profile Sync in 2010 or 2013.  Your options in 2016 will be the Active Directory Import (same as 2007 and re-introduced in 2013) or “external” FIM which is installed and managed outside of SharePoint Server.  See the following resources for more details and how to install FIM 2010 R2 + SP1 with SharePoint 2013 so that you can start planning today if you do need the full features of syncing data into and out of SharePoint.

What’s New for IT Professionals in SharePoint Server 2016 (session recording with announcement)

Configuring SharePoint 2013 for the Forefront Identity Manager 2010 R2 Service Pack 1 Portal (install overview)

  • Project Siena – Project Siena looks like a viable alternative (not replacement) for many (smaller) custom development scenarios.  Essentially it is an app that lets you build other apps.  I do not see this replacing InfoPath, Lightswitch, and half a dozen other technologies that have popped up over the past few years but I do see a promising future for this technology (HTML5 + JS based, similar to many other tech stacks that Microsoft is promoting).  Note that it is still in a beta release last time I checked but the fact that it caters to the Excel power user with similar syntax merged with an easy drag and drop interface feels like this could gain traction better than some other tools.  If you aren’t familiar with Project Siena you really need to see it to understand it.

Microsoft Project Siena: Build Apps and Create New Mobile Solutions (session recording with demos)

Microsoft Project Siena (Beta) (product site)

  • New SharePoint hybrid search option – Hybrid search is receiving a huge update / upgrade later this year.  In its current (May 2015) form SharePoint hybrid search involves separate search service applications / indices for on-prem farms and Office 365 / SharePoint Online.  If you query one source you can federate the query to the other and get results in a separate result block.  The problem though is that configuration can be fairly complex, search results aren’t integrated (in-line with each other), and you likely have a large number of servers on-prem for the search service.  Later this year (target timeframe, subject to change) Microsoft will release an update which will allow an on-prem “cloud search service application” to crawl and parse content but then push the metadata up to Office 365 for indexing, querying, etc.  The massive benefit of this is that your on-prem content will then be able to be used in other services like Delve, Office 365 data loss prevention (DLP), and others that currently have no expected on-prem release (or won’t be supported until future releases of SharePoint). Additionally you will need a much smaller on-prem server footprint to support search (the example given was going from 10+ search servers down to 2).  This is a big win in my opinion and I can’t wait to test it out when it is released.

Implementing Next Generation SharePoint Hybrid Search with the Cloud Search Service Application (session recording)

  • Nano Server – Nano Server is a new installation option for Windows Server 10 (Server 2016 or whatever the final name ends up as) akin to Server Core in the past.  There were a number of sessions that talked about how small the footprint of Nano Server will be (400MB, yes MB compared to 8+ GB of server + GUI “full” edition).  The changes that this introduces not only affect performance but also re-architecting tools to work remotely (there is no local logon or UI for Nano Server, everything must be done remotely).  Things like Event Viewer, Task Manager, Local Services, etc. can be accessed remotely in a web UI similar to the “new” Azure Portal UI (super slick, take a look).  This may sound scary to some admins who are used to having RDP or locally logging on to a server but listen to Jeffrey Snover’s take on this.  We are IT Professionals and this is a technology that will reduce number of reboots, make servers more secure, reduce infrastructure footprint, and have numerous other benefits.  You owe it to yourself and your company to learn about this and see if it will work for the services you provide.

Nano Server (session recording)

Nano Server: The Future of Windows Server Starts Now (session recording)

Remotely Managing Nano Server (session recording)

  • PowerShell – Getting to see Jeffrey Snover (inventor of PowerShell) and Don Jones (first follower of PowerShell, see the link in slide deck) geek out about PowerShell was one of the best sessions I got to see at Ignite.  Hard to describe in words hence I recommend you go watch the recording.  Jeffrey had some great advice about using PowerShell as a tool to explore and dive into problems or scenarios you are trying to solve.  That sense of adventure can be a motivating force for your personal and professional careers.  It was really inspiring and I love the fact that Jeffrey’s (and Don’s) mindset is spreading to so many others these days.

Windows PowerShell Unplugged with Jeffrey Snover (session recording)

 

   On a side note I also wanted to mention one of the obvious but not always talked about benefits of going to a conference like this in-person.  During the week I was able to introduce myself to a number of presenters that I had previously not met.  Some were MVPs, fellow Premier Field Engineers (PFEs), product group members, and more.  The connections you make can last for years and provide an invaluable network for sharing information and getting assistance when you are in need.  I even got a PowerShell sticker directly from Jeffrey Snover himself (another personal highlight).


 

Conclusion

   This is just a short list of some of the sessions that I attended along with highlights or key points that I wanted to share.  If I find anything else significant from the recordings I am going back to watch I’ll update this post.  For now though go check out the recordings above or the hundreds of other ones that are up on Channel 9.  I encourage you to attend next year when Ignite 2016 will be in Chicago again May 9-13.

 

      -Frog Out

Default Search Index File Location for SharePoint 2013

    Blogging this as a simple reminder to myself on the default (out of the box) value of the Search Service Application index location in SharePoint 2013.  Invariably I have to look this up every couple of months when supporting customers and only ever find the PowerShell commands to retrieve it.  Putting both on here.  Hopefully this saves someone else a few minutes of their day as well.

 

PowerShell Commands

$ssi = Get-SPEnterpriseSearchServiceInstance 
$ssi.Components | Select-Object IndexLocation

 

Default Value

C:\Program Files\Microsoft Office Servers\15.0\Data\Office Server\Applications


 

      -Frog Out

PowerShell Script to Workaround No Data in SharePoint 2013 Usage Reports

   Over the past few months I’ve had 2 customers that have run into a scenario where the SharePoint 2013 web analytics usage reports have no data (all zeroes) in the reports.  While working with some brilliant Microsoft escalation engineers (thanks Anthony and Jason) we were able to run some PowerShell scripts that added receivers to start data showing again on the following day.  Since I haven’t seen any posts on this as of yet I thought I would post a version of the PowerShell scripts we used.

 

Scenario

    In SharePoint 2013 the search service application incorporates web analytics (which is a separate service application in SharePoint 2010).  Web analytics processes usage logs on the SharePoint machines and generates reports on a daily schedule.  These reports can be viewed for an individual site in the site settings under Site Collection Administration > Popularity and Search Reports.


 

   In the Popularity and Search Reports you can click on the Usage report which will launch an Excel workbook.


 

   What I found with 2 customers and one of my lab farms was that the Usage report contained all zeroes for data even though the customer (and I in my lab farm) had been using the site regularly with multiple accounts over the past few days.


 

   We analyzed the logging database and found that it had usage data, but the search analytics database did not.  (Note: do not directly query the search analytics database as that is unsupported as of the time this post was written.  See http://technet.microsoft.com/en-us/library/cc678868.aspx for more information.)  So it appeared the data in the logging database wasn’t being processed by the search service web analytics timer jobs.  After verifying that the timer jobs were indeed running the long road of PowerShell queries into the system began.  We finally used the below commands to arrive at what we believe to be the culprit for these customers.  Our findings follow the commands.

 

$aud = Get-SPUsageDefinition | where {$_.Name -like "Analytics*"}
$aud | fl

$prud = Get-SPUsageDefinition | where {$_.Name -like "Page Requests"}
$prud | fl

  • AnalyticsUsage usage definition had no Receivers defined
  • PageRequest usage definition had no Receivers defined


 

    Not having any Receivers defined also led to the EnableReceivers property being set to false for both.

 

Workaround

   The workaround in these scenarios was to manually create the Receivers.  The PowerShell commands to do so are below (slightly modified to check for empty receivers first).  Again this sample script is provided as-is with no warranty.  Do not run this in your environment without first testing.  This is not an official Microsoft approved script.  You can download a copy off my SkyDrive folder as well.

 

# load the SharePoint snap-in if it is not already loaded (suppress the error raised when it is absent)
if((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null)
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$aud = Get-SPUsageDefinition | where {$_.Name -like "Analytics*"}
$audChanged = $false
# if analytics usage definition receivers is empty then manually add back receiver
if($aud.Receivers.Count -eq 0)
{
    $aud.Receivers.Add("Microsoft.Office.Server.Search.Applications, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c", "Microsoft.Office.Server.Search.Analytics.Internal.AnalyticsCustomRequestUsageReceiver")
    $audChanged = $true
}
# if analytics usage definition receiver is not enabled then enable it
if($aud.EnableReceivers -eq $false)
{
    $aud.EnableReceivers = $true
    $audChanged = $true
}
# persist the change whether a receiver was added, receivers were enabled, or both
if($audChanged) { $aud.Update() }
$aud | fl

$prud = Get-SPUsageDefinition | where {$_.Name -like "Page Requests"}
$prudChanged = $false
# if page requests usage definition receivers is empty then manually add back receiver
if($prud.Receivers.Count -eq 0)
{
    $prud.Receivers.Add("Microsoft.Office.Server.Search.Applications, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c", "Microsoft.Office.Server.Search.Analytics.Internal.ViewRequestUsageReceiver")
    $prudChanged = $true
}
# if page requests usage definition receiver is not enabled then enable it
if($prud.EnableReceivers -eq $false)
{
    $prud.EnableReceivers = $true
    $prudChanged = $true
}
# persist the change whether a receiver was added, receivers were enabled, or both
if($prudChanged) { $prud.Update() }
$prud | fl

   After the script has been run the output from the prior commands can confirm that Receivers have been created and the EnableReceivers property is set to true.


 

<Update 2013-08-09>

   The next step is to recycle the OWSTimer service (SharePoint Timer Service) on each server.  This ensures that the new receivers are properly picked up by the timer jobs.

</Update 2013-08-09> 

  Waiting one day the usage reports were now showing data.  (Note the below report was mocked up manually to show data as I did not have direct access to the customers’ reports, but this is consistent with what we had seen after the scripts were applied.)
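   One way to carry out the timer service recycle and the follow-up check across the farm, as an added example that is not part of the original scripts. It assumes Windows PowerShell run from a SharePoint server under an account with administrative rights on every farm server, and it uses the SharePoint Timer Service's service name, SPTimerV4.

```powershell
# Added example, not the author's or Microsoft's script.
# Assumes the running account can manage services on every farm server.
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null)
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Farm member servers only; entries with Role "Invalid" are non-SharePoint
# machines such as the database server.
$servers = Get-SPServer | Where-Object { $_.Role -ne "Invalid" }

$results = foreach ($server in $servers)
{
    $name = $server.Address
    $svc  = Get-Service -ComputerName $name -Name SPTimerV4 -ErrorAction SilentlyContinue
    if ($svc -eq $null)
    {
        Write-Warning "SPTimerV4 not found or not reachable on $name"
        continue
    }

    try
    {
        # Recycle the SharePoint Timer Service so the timer jobs pick up the new receivers.
        Restart-Service -InputObject $svc -Force -ErrorAction Stop
        $status = (Get-Service -ComputerName $name -Name SPTimerV4).Status
    }
    catch
    {
        $status = "Restart failed: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{ Server = $name; TimerStatus = $status }
}
$results | Format-Table Server, TimerStatus -AutoSize

# Confirm the usage definitions still show receivers after the recycle.
Get-SPUsageDefinition |
    Where-Object { $_.Name -like "Analytics*" -or $_.Name -like "Page Requests" } |
    Select-Object Name, EnableReceivers,
        @{ Name = "ReceiverCount"; Expression = { $_.Receivers.Count } } |
    Format-Table -AutoSize
```

   Any server reported with a failed restart or a status other than Running needs the timer service recycled by hand before waiting for the next day's report.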

[Screenshot: usage report showing data]

 

Conclusion

   This is a strange scenario of no data in the usage reports when there is data in the logging databases.  I’ve run into it myself and with 2 customers, but when I tried to reproduce the scenario I couldn’t.  If anyone is facing this issue hopefully this process of manually creating the usage definition receivers and waiting 24 hrs is a workaround.  Let me know if you have seen this and if the workaround works for you.  Curious to learn more on it.

 

      -Frog Out