SharePoint 2013/SharePoint 2016 – Applying Cumulative Update removes all users with db_owner

Hey All – Recently ran into an issue where a customer had AvePoint installed in the farm (which requires the DocAve account to have db_owner), and after every CU it’d remove a user that was manually granted db_owner. This is actually a security measure in place to make sure there isn’t an errant account left with db_owner permissions on the database. There are times when we want that account to stay (for things like third-party tools or RBS, though they should find a way to use SP_DATA_ACCESS instead!). There is a registry key, BypassDboDropMember, that was added to SP2013 in the October 2016 CU and to SP2016 in the October 2017 CU (note: you will need to be on these CU levels to gain access to this functionality) for bypassing this behavior:

Instructions For SP2013 (From support.microsoft.com link above):

Note: For SP2016 just change the registry subkey to 16.0

  1. After you install this update, you can follow these steps to control the metafiles optimization:
    Start Registry Editor:

    • In Windows Server 2012, if you’re using a mouse, move it to the upper-right corner, go to Search, enter regedit in the search text box, and then select regedit.exe in the search results.
    • In Windows Server 2008, go to Start, enter regedit in the Search programs and files text box, and then select regedit.exe in the search results.
  2. Locate and then select the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\WSS\
  3. On the Edit menu, point to New, and then select DWORD Value.
  4. Enter BypassDboDropMember, and then press the Enter key.
  5. In the Details pane, press and hold (or right-click) BypassDboDropMember, and then select Modify.
    In the Value data box, enter 1, and then select OK.
    Note If you don’t want to bypass the behavior, you can set the value to 0.
  6. Exit Registry Editor.
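The same registry change can be scripted. This is an added example, not code from the original post or the Microsoft article: it sets BypassDboDropMember on the local server and reads it back, then lists the current db_owner members of a database so you can confirm that only the intended account holds the role once CUs stop removing it. The function names and the sample SQL instance and database names are placeholders.

```powershell
# Added example: function names and the sample instance/database names are hypothetical.
function Set-BypassDboDropMember {
    param(
        [ValidateSet('15.0', '16.0')][string]$HiveVersion = '15.0',  # 15.0 = SP2013, 16.0 = SP2016
        [ValidateSet(0, 1)][int]$Value = 1                           # 1 = bypass, 0 = do not bypass
    )
    $key = "HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\$HiveVersion\WSS"
    if (-not (Test-Path -Path $key)) {
        throw "Registry key not found: $key"
    }
    # -Force overwrites an existing value instead of failing.
    New-ItemProperty -Path $key -Name 'BypassDboDropMember' -PropertyType DWord -Value $Value -Force | Out-Null
    # Read the value back so the caller sees what is actually set.
    (Get-ItemProperty -Path $key -Name 'BypassDboDropMember').BypassDboDropMember
}

function Get-DbOwnerMember {
    param(
        [Parameter(Mandatory = $true)][string]$SqlInstance,
        [Parameter(Mandatory = $true)][string]$Database
    )
    $query = @'
SELECT m.name AS MemberName, m.type_desc AS MemberType
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';
'@
    # The builder escapes values, so unusual names cannot alter the connection string.
    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $csb['Data Source'] = $SqlInstance
    $csb['Initial Catalog'] = $Database
    $csb['Integrated Security'] = $true
    $conn = New-Object System.Data.SqlClient.SqlConnection($csb.ToString())
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{ Database = $Database; Member = $reader['MemberName']; Type = $reader['MemberType'] }
        }
    }
    finally { $conn.Dispose() }
}

# Example use (placeholder names):
# Set-BypassDboDropMember -HiveVersion '15.0' -Value 1
# Get-DbOwnerMember -SqlInstance 'SQL01' -Database 'WSS_Content'
```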

SharePoint Patching 101 – Don’t forget to save all those CAB files in the same folder as the EXE!

Hey All – I’ve seen people run into this issue a few times now so I figured it’d be worth a quick post. A lot of the SharePoint 2013 Cumulative Updates include 3 files – 2 CABs and an EXE. These used to be included in the same self-extracting executable file, but now are 3 separate downloads. Make sure to select ALL 3 from the Microsoft Download Center and then make sure they are all in the same folder when you go to run the EXE and patch that beautiful SharePoint farm of yours.

These guys…

[Image: blogcabfiles]

-AJB

SharePoint 2013/2016 Cloud Hybrid Search Service Application

I ran through the setup of the new SharePoint 2013/2016 Cloud Hybrid Search Service Application and wrote about it on the Skyline blog! Definitely an exciting new service and the best hybrid search experience to date..

http://www.skylinetechnologies.com/Insights/Skyline-Blog/October-2015/SharePoint-Cloud-Hybrid-Search-Service-Application

SharePoint 2013 – Publishing Sites Loading W/ Unexpected Error

Ran into a unique issue today so I figured I’d blog about it!

This was only affecting site collections with the SharePoint Publishing Infrastructure Feature enabled. I created a new site collection with Team Site template and that loaded fine until the Publishing Feature was activated and then it started to load w/ errors.

There was a line in the logs that stuck out:

DelegateControl: Exception thrown while adding control 'Microsoft.SharePoint.Publishing.Navigation.PortalSiteMapDataSource': System.InvalidOperationException: Operation is not valid due to the current state of the object.
   at Microsoft.SharePoint.SPUserToken.GetClaimsUserLoginName()
   at Microsoft.SharePoint.SPSite.CopyUserToken(SPUserToken userToken)
   at Microsoft.SharePoint.SPSite.SPSiteConstructor(SPFarm farm, Guid applicationId, Guid contentDatabaseId, Guid siteId, Guid siteSubscriptionId, SPUrlZone zone, Uri requestUri, String serverRelativeUrl, Boolean hostHeaderIsSiteName, SPUserToken userToken, Boolean appWebRequest, String appHostHeaderRedirectDomain, String appSiteDomainPrefix, String subscriptionName, String appSiteDomainId, Uri primaryUri)
   at Microsoft.SharePoint.SPSite..ctor(SPFarm farm, Uri requestUri, Boolean contextSite, Boolean swapSchemeForPathBasedSites, SPUserToken userToken)
   at Microsoft.SharePoint.SPSite..ctor(SPFarm farm, Uri requestUri, Boolean contextSite, SPUserToken userToken)
   at Microsoft.SharePoint.SPSite..ctor(String requestUrl, SPUserToken userToken)
   at Microsoft.SharePoint.Publishing.CachedObjectFactory.get_SuperUserSite()
   at Microsoft.SharePoint.Publishing.CachedObjectFactory.OpenWebFromSuperUserSite(Guid webId)
   at Microsoft.SharePoint.Publishing.CacheManager..ctor(SPSite site)
   at Microsoft.SharePoint.Publishing.CacheManager.GetManager(SPSite site, Boolean useContextSite, Boolean allowContextSiteOptimization, Boolean refreshIfNoContext)
   at Microsoft.SharePoint.Publishing.CachedAreaLookup.EnsureLookup(Boolean errorsAsExceptions)
   at Microsoft.SharePoint.Publishing.CachedAreaLookup.GetCachedAreaOrException()

I double checked the Object Cache settings for all web apps and everything looked good.

Removing the Object Cache Accounts using this PowerShell command made the sites with Publishing Infrastructure enabled load up without errors:

After that I ran the commands to re-add the Object Cache (SuperUser/SuperReader) accounts and everything was still working. A few days earlier the application pool account for this web app expired and was reset to the original password, which may have had something to do with this. Looks like it just needed a little reset of the Object Cache accounts and everything was back up and running!
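One way to remove and re-add the Object Cache accounts, as an added example (these are not the commands from the original post). The accounts are stored in the web application's portalsuperuseraccount and portalsuperreaderaccount properties, and on a claims web application they are stored in claims-encoded form; the function names, URL and account names are placeholders.

```powershell
# Added example: function names, URL and account names are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Remove-ObjectCacheAccount {
    param([Parameter(Mandatory = $true)][string]$WebAppUrl)
    $wa = Get-SPWebApplication -Identity $WebAppUrl
    foreach ($key in 'portalsuperuseraccount', 'portalsuperreaderaccount') {
        if ($wa.Properties.ContainsKey($key)) { $wa.Properties.Remove($key) }
    }
    $wa.Update()
}

function Set-ObjectCacheAccount {
    param(
        [Parameter(Mandatory = $true)][string]$WebAppUrl,
        [Parameter(Mandatory = $true)][string]$SuperUser,    # DOMAIN\account
        [Parameter(Mandatory = $true)][string]$SuperReader   # DOMAIN\account
    )
    $wa = Get-SPWebApplication -Identity $WebAppUrl
    $roleType = [Microsoft.SharePoint.Administration.SPPolicyRoleType]
    $accounts = @(
        @{ Property = 'portalsuperuseraccount';   Account = $SuperUser;   Role = $roleType::FullControl },
        @{ Property = 'portalsuperreaderaccount'; Account = $SuperReader; Role = $roleType::FullRead }
    )
    foreach ($a in $accounts) {
        $login = $a.Account
        if ($wa.UseClaimsAuthentication) {
            # Claims web applications need the encoded form, e.g. i:0#.w|domain\account
            $login = (New-SPClaimsPrincipal -Identity $a.Account -IdentityType WindowsSamAccountName).ToEncodedString()
        }
        # Each account also needs a matching web application user policy.
        if (-not ($wa.Policies | Where-Object { $_.UserName -eq $login })) {
            $policy = $wa.Policies.Add($login, $a.Account)
            $policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole($a.Role))
        }
        $wa.Properties[$a.Property] = $login
    }
    $wa.Update()
}

# Example use (placeholder values):
# Remove-ObjectCacheAccount -WebAppUrl 'http://webappurl'
# Set-ObjectCacheAccount -WebAppUrl 'http://webappurl' -SuperUser 'DOMAIN\SuperUser' -SuperReader 'DOMAIN\SuperReader'
```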

SharePoint 2013 – 404 Error When Connecting to ACS or ADFS /_trust/default.aspx

Ran into an interesting error this morning that I thought I’d share. Recently, I worked on a project utilizing Azure ACS with Google Accounts. This was working on multiple servers, but one was displaying a Page Cannot Be Displayed message when clicking the Google Sign-In button. Looking at a network trace it was getting a 404 error for the following page:

http://webappurl/_trust/default.aspx?trust=Google%20Account&ReturnUrl=/_layouts/15/Authenticate.aspx?Source%3d%252F&Source=/

Doing a little bit of research, this page is used when utilizing ADFS/ACS. The interesting part about this is that it worked on 2 out of the 3 servers, and the affected server worked with Windows Integrated login. I checked a network trace on a working server and saw that after it hits /_trust/default.aspx it redirects to the ACS URL (https://acsname.accesscontrol.windows.net) and then redirects to https://accounts.google.com/ServiceLogin. I was able to hit both of these URLs individually on the non-working server.

I popped open IIS on the problematic server and noticed something interesting. The _trust IIS Virtual Directory was missing!

[Image: TrustsFolderMissingInIIS]

Big surprise, the other 2 (working) servers had this Virtual Directory. Running the provision PowerShell method fixed the issue..I’m really digging this command lately.

Thanks Jasper for the tip!

http://blog.repsaj.nl/index.php/2014/07/sp2013-sharepoint-adfs-and-404-on-_trustdefault-aspx/

SharePoint 2013 – Crawling a “2010 Mode” Site Collection

Working on an upgrade project we decided to keep a SharePoint site (highly customized) in 2010 mode for the time being. First, here is the list of items that will not function while the SharePoint site remains in “2010 compatibility mode.” This is because the features were deprecated/removed and replaced with new/different services and functionality.

Please see the entire list at this official Microsoft link: https://technet.microsoft.com/en-us/library/Ff607742.aspx

Feature | Replaced by in SharePoint 2013
Search Scopes | Result Sources
SharePoint Web Analytics Reports | Analytics now built into Search Service Application

*I remember reading about workflows experiencing intermittent issues in 2010 mode (As described here: http://en.share-gate.com/blog/not-working-after-sharepoint-migration-to-2013), but there is no official documentation stating this fact and it all depends how customized the workflow is.

After getting the search scopes migrated and showing up in the search scope admin area of site settings, I noticed no results were coming in. The SharePoint site was added to the default content source in search, which is for crawling SharePoint sites. I tried giving it its own content source with type SharePoint Site and still no-go. After changing the content source to type Web Site everything was rocking and rolling..

-AJB

SharePoint 2013 – Missing Patches Error

While working on a SharePoint test environment the other day I tried to take a backup of a site collection and got an error. After digging further I noticed that all databases were in compatibility mode. This led me to Windows Update and I noticed that SharePoint security patches had been pushed to all servers in the farm and the SharePoint Products Configuration Wizard had NOT been run. This is a big no-no…please, if you push patches to your servers monthly and they include SharePoint-related patches, make sure to run the grey wizard after. After applying patches to the servers in the farm I tried to run the grey wizard and got the following error:

“Error: Some farm products and patches were not detected on this or other servers. If products or patches are missing locally, you must quit this program and install the required products and patches on this server before starting this wizard. If products or patches are missing on your servers, you must install the required products and patches on the specific servers, and you may then click the Refresh button to perform the status check again.”

After running the following command on each server everything started working:

Get-SPProduct -Local

SharePoint Error – Database is too old and upgrade is required

I was recently working on a SharePoint Migration Project where we migrated from a SharePoint 2010 farm to a shiny new SharePoint 2013 SP1 farm. Some of the sites were to stay in “2010 Site Collection Mode” until the site owner was ready to upgrade and others were upgraded to 2013 right away. Below is a screenshot of Central Admin showing the database upgrade status for 3 content databases:

  1. The top database was completely upgraded to 2013. Looks beautimus!
  2. The middle database has some sites upgraded and others in 2010 mode…Looks OK..
  3. The bottom database SHOULD have some site collection in 2010 mode and others in 2013 mode just like the middle database. Something looks off here right? Running the Upgrade-SPContentDatabase cmdlet did nothing and PSConfig did nothing.

[Image: CADBTooOldError]

Looking at the eventvwr Application Log shows some interesting new errors:

[Image: eventvwrdbtooolderror]

Nothing has changed in the farm from a SharePoint Server perspective…I was able to run the Get-SPContentDatabase command on each content database in this state and get back the appropriate webapp object for each. When clicking the content database anywhere in Central Admin I would get the error “Object Reference not set to an Instance of an Object” and this was causing other errors in the environment:

  1. Alerts were not working
  2. Issues with editing files/check-in and check-out
  3. Not able to select any site collection in Central Admin

Users could still get to the site collections…The experience just wasn’t optimal. I took a look through ULS, Eventvwr, and SQL Logs and couldn’t find anything besides a larger stack trace for the Object Reference Error and not much else.

Something happened between this content database and the SharePoint server causing the database to be in this funky state. PowerShell to the rescue!
The Fix: Running Dismount-SPContentDatabase and then Mount-SPContentDatabase fixed the issue.

For example:
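An added example of the dismount/mount sequence (not the original post's code): it records the database name, SQL instance, web application and site-count limits before dismounting, because Mount-SPContentDatabase has to be given them again. The function name and the sample database name are placeholders.

```powershell
# Added example: function name and sample database name are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Reset-ContentDatabaseMount {
    param([Parameter(Mandatory = $true)][string]$DatabaseName)

    $db = Get-SPContentDatabase -Identity $DatabaseName
    # Capture everything needed for the remount before the farm forgets the database.
    $settings = @{
        Name             = $db.Name
        DatabaseServer   = $db.NormalizedDataSource
        WebApplication   = $db.WebApplication.Url
        MaxSiteCount     = $db.MaximumSiteCount
        WarningSiteCount = $db.WarningSiteCount
    }
    # Dismount only detaches the database from the farm; it stays on the SQL Server.
    Dismount-SPContentDatabase -Identity $db -Confirm:$false
    # Splat the saved values; returns the remounted SPContentDatabase object.
    Mount-SPContentDatabase @settings
}

# Example use (placeholder name):
# Reset-ContentDatabaseMount -DatabaseName 'WSS_Content_Example'
```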

SharePoint 2013 – Service Pack 1

SharePoint 2013 SP1 has been released! I’m a day late…so this isn’t exactly hot off the press

http://blogs.technet.com/b/office_sustained_engineering/archive/2014/02/25/announcing-the-release-of-service-pack-1-for-office-2013-and-sharepoint-2013.aspx

Check out the new addition to the Central Administration menu! SharePoint got Yammered..

 

[Image: SP2013SP1O365]

Testing Notes: I set up a SharePoint 2013 Server (Windows Server 2012 RTM/SQL Server 2012 SP1) Farm to test out Service Pack 1 and what it brings to the table. This was a fresh installation – installed the Server OS > installed SQL 2012 > installed SP2013 RTM bits > upgraded to March 2013 PU bits > upgraded to SP1 bits > ran config wizard.

The Bad:

  1. The Document Conversions Load Balancer Service appears to be in a state where it will NOT start: (NOTE: This also happened using a SP2013 SP1 ISO) [Image: ServicesOnServerErrorLB]
    1. I am able to click the LB Service link, which brings me to the settings page
    2. [Image: LBSettings]
    3. But when I click Start I get redirected to this error page:
    4. [Image: Error Starting Load Balancer]
    5. UPDATE – As mentioned in the comments by Tuppence Weix, this can be fixed with the following PowerShell command:
  2. Also, apparently Yammer and OneDrive for business are critical issues (You can just click the X to close)
  3. [Image: YammerO365CriticalError]

The Good:

  1. When creating a new User Profile Service Application you are presented with the option to use Yammer for Social Collaboration!
  2. [Image: SP1UPSCreation]
  3. This adds the following entry to the navigation bar (Starting to look more and more like O365):
  4. [Image: SP1NavBarYammer]
    1. Clicking Yammer Redirects to http://webappurl/_layouts/15/Yammer.aspx
    2. [Image: sp1clickyammer]
    3. Clicking TAKE ME TO YAMMER redirects to https://www.yammer.com/?trk_event=sp_landing
  5. By clicking the Office 365 link on the left (Current) navigation in Central Administration you can configure Yammer (Which is just an activate/deactivate functionality for the link in the navigation bar..discussed above) and you can configure Office 365 settings for the OneDrive and Sites links in the top navigation bar.
  6. This is the screen you are presented with..pretty cool! I actually just worked on a project where we deployed an IIS HTTP Handler to rewrite URLs to an Office 365 tenant…now this functionality is baked into SharePoint
  7. [Image: OneDriveConfigSP1]
  8. I did some testing by typing in my trial Office 365 tenant so I could play around here.
  9. After clicking OK the change was nearly instant (I did need to clear browser cache in IE..but I tested in Firefox/Chrome right away which I wasn’t previously authenticated to the SharePoint site and the links were updated within a matter of seconds).
  10. Clicking OneDrive and Sites Redirected Perfectly!
  11. [Image: OneDriveO365Redirect]
  12. For every good thing there is a bad thing though. The About Me link still redirects to the On Premise MySite Host…This is OK because most of the content here is directly synchronized from Active Directory, which makes the profile pages On Prem/Office 365 very similar (minus manually typed in information – Skills, About Me, Ask Me About, etc.). If the user had permissions within the UPS to create a personal site and has ALREADY done so..the links to that On Prem personal site collection will still show as links on the left-hand side. If you are looking for a truly hybrid environment there will need to be settings adjustments to lock down users being redirected to Office 365 (UPS Permissions settings, Decide if you want to use audiencing/targeting to send some users on prem/some users to Office 365, etc.).
  13. Just note setting these features in Central Admin to redirect users to an Office 365 tenant will not change user permissions settings in the UPS (This is very similar to using Trusted MySite Locations pre-SP1…and then using audiencing to route specific users to the MySite Tenant. In the past you could point a MySite Location at an Office 365 tenant, but the About Me link would be broken (User Not Found) and when clicking on a people column containing that user it would give the same error (Because the URL structure after person.aspx is different for on premise and Office 365..Hence the need for an HTTP Handler or some other form of URL redirect)). Otherwise you may end up managing personal site collections on prem, when these users actually have storage in Office 365.
  14. [Image: MyProfile]

SharePoint User License Enforcement – Not Enforcing CSWP

After reviewing a possible scenario with User License Enforcement/Standard users utilizing the content search web part (CSWP) I noticed some interesting behavior. It appears that user license enforcement doesn’t enforce all standard features (MS forgot the CSWP). I have done extensive testing against Excel Services and Visio Services, which present a nice message indicating that you don’t have licensing to view that web part.

The Content Search Web Part cannot be added by a standard user:

Standard

[Image: clip_image002]

Enterprise

[Image: clip_image004]

BUUUUT it still displays for a Standard user! Possible oversight on Microsoft’s Part (And possibly unsupported??)

[Image: clip_image006]

AJB