SharePoint SE Build, Migration, Validation, and Governance Checklist

Interactive runbook for user sign-off during SharePoint Subscription Edition environment build.

Backup reminder

Enable

Every Backup reminder not configured.

Overall progress 0 / 0 steps passed

0 Pass 0 Fail 0 Skip 0 Pending

How to use this checklist

Find and filter steps: Start near the top of the page to filter by status/category, search steps, and set Current operator before saving notes.
Overall progress: Use the Pass/Fail/Skip/Pending counters to monitor completion and blockers.
Phase and migration checklists: Work through the PH and MIG sections before moving to the lower-page support panels.
Phase/step tables: Click a step row to cycle status. Use Save notes to store Owner, Comment, and Evidence.
Runbook metadata: Complete the metadata panel in the MIG-04 support block before final sign-off and export.
Backup reminder, governance alerts, and sign-off lock: Review these support panels together above the status banners before final sign-off.
Risk register: Add/update risk entries, mitigation owners, and due dates, then save the register before using Finalize and lock.
Snapshot (JSON): Use when you need a manual backup/restore file or a shareable point-in-time copy.
XML: Use when you need one persistent working file (for example data/checklist-state.xml). Watch the XML auto-save banner in the lower status stack for connection/write state.
Session close check: Review the lower-page status banners and confirm XML auto-save is connected or export a fresh Snapshot before closing.

Runbook metadata

Project / code

Environment

Change ticket { title: "Capture final certificate evidence package and obtain PKI/security sign-off.", instruction: "Goal: Close certificate lifecycle controls with complete evidence and formal approval. Action: Compile CA certificate details, WFE binding output, chain validation results, and runtime checks into the handover evidence package, then obtain PKI/security sign-off. How: Collect outputs from PH-07 steps 1 and 2, include CA request/approval references and secure PFX handoff record, and record final approver sign-off in the approved workflow system. Expected Result: Certificate replacement is fully documented and approved for operational handover. Evidence: Attach consolidated certificate evidence package path/reference and final approval record ID." } ]

Checklist version

On-call contacts

Metadata not saved yet.

Snapshot export file name will include ticket, version, and timestamp.

Export sync status: unknown.

Find and filter steps

Role mode

Current operator

Search steps

Quick actions

Governance action alerts 0

No action required. Governance checks are clear.

SharePoint 2019 → SPSE Migration Checklist

Data migration runbook from the SP2019 source environment. Follows the same governance rules as the build checklist: owner and evidence are required before marking any step Pass.

0 Pass 0 Fail 0 Skip 0 Pending 0 / 0 steps passed

Risk register (track before sign-off)

Risk	Severity	Owner	Mitigation	Due date	Accepted by	Action

Sign-off lock UNLOCKED

Account permission requirements (validate before PH-01)

Account	Purpose	Minimum required permissions
svcspsetup	Setup	Local Administrator on all SharePoint servers; SQL roles dbcreator and securityadmin on spsql22.anl.gov; SharePoint setup execution account.
svcspfarm	Farm	Log on as a service; SQL login with rights required for farm database access per baseline; no Domain Admin membership.
svcspsvcapps	Service Applications	Log on as a service; rights to run service application pools and service instances assigned during provisioning.
svcspwebapps	Web Applications	Log on as a service; rights to run IIS application pools for content web applications.
svcspsearch	Search	Log on as a service; rights required for Search service and crawl components per security baseline.
svcspsssql	SQL	SQL service/operations account permissions managed by DBA team according to SQL hardening standard.

Do not start PH-01 until setup and farm account permissions are validated and documented.

High Availability (HA) Options and Why DNS Round Robin Was Chosen (expand for details)

SharePoint farms can be made highly available for end-user access using several approaches. The most common options are:

Hardware or Virtual Load Balancer (Layer 4/7): Provides health-checked, seamless failover and advanced routing, but requires dedicated infrastructure, network changes, and ongoing management. Often used in large or security-sensitive environments.
DNS Round Robin: Simple, infrastructure-light method that distributes user requests across multiple WFE servers by publishing multiple A records for the web application hostname. No built-in health checks; relies on DNS and client cache behavior. Easy to implement and maintain, but requires manual intervention if a WFE fails.
Network Load Balancing (NLB): Windows NLB can be used for basic load distribution, but is less common in modern SharePoint deployments due to complexity and limitations.

Why DNS Round Robin?

Simplicity: No additional hardware, software, or network changes required. DNS changes can be made quickly by the admin team.
Cost-effective: No licensing or infrastructure costs.
Meets project requirements: For this environment, the risk of a WFE outage is mitigated by monitoring and prompt DNS updates. The organization does not require advanced health checks or SSL offload features.
Operational transparency: All steps and troubleshooting are documented in this checklist, including how to update DNS and flush client caches if a WFE fails.

Note: If future requirements demand automated failover or advanced traffic management, a hardware or virtual load balancer can be introduced with minimal changes to the SharePoint farm.

How to set up minimum required permissions (expand for step-by-step guidance)

svcspsetup (Setup):
- Add to Administrators group on all SharePoint servers:
  - Open Computer Management → Local Users and Groups → Groups → Administrators.
  - Right-click Administrators → Add to Group → Add svcspsetup.
  - Or run: net localgroup Administrators svcspsetup /add
  - Capture a screenshot of the final permissions state for your evidence record.
- Assign SQL roles:
  - Open SQL Server Management Studio (SSMS) and connect to spsql22.anl.gov as a sysadmin.
  - Navigate: Security → Logins → New Login → Add svcspsetup (Windows Auth).
  - Right-click login → Properties → Server Roles → Check dbcreator and securityadmin.
  - Or run in a query window:
    ALTER SERVER ROLE [dbcreator] ADD MEMBER [svcspsetup]
    ALTER SERVER ROLE [securityadmin] ADD MEMBER [svcspsetup]
  - Capture a screenshot of SQL role assignments after completion.
- Test permissions: Log in as svcspsetup, launch SharePoint setup, and confirm database creation works. Capture the success screen/output for evidence.
svcspfarm (Farm):
- Grant Log on as a service right:
  - Open secpol.msc → Local Policies → User Rights Assignment.
  - Double-click Log on as a service → Add User or Group → Add svcspfarm.
  - Or use a GPO: Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment.
  - Capture a screenshot showing the configured user rights assignment.
- SQL login and database access:
  - In SSMS: Security → Logins → New Login → Add svcspfarm (Windows Auth).
  - Map to SharePoint config/content databases as db_owner.
  - Or run: CREATE LOGIN [svcspfarm] FROM WINDOWS
  - Capture a screenshot or query output proving database role membership.
- Do not add to Domain Admins.
svcspsvcapps / svcspwebapps / svcspsearch (Service/Web/Search):
- Grant Log on as a service right: (see above for steps and GPO path). Capture proof of assignment for evidence.
- Assign to app pool/service: During SharePoint provisioning, select the correct managed account for each service/app pool. Capture the final mapping view.
- Verify not used for interactive logon.
- Check mapping: Central Admin → Security → Configure managed accounts. Record the page output as evidence.
svcspsssql (SQL):
- Follow DBA team’s SQL hardening standard. Request a checklist or template if not available.
- Grant only required permissions (least privilege).
- Document all assignments and approvals for audit. Save screenshots of each permission assignment.

Tip: Document every step and capture screenshots for audit evidence. Review every permission in both Windows and SQL before starting PH-01.

Server topology

Server	MinRole	Combined services
sp-wfe-01	WebFrontEndWithDistributedCache	Web requests + caching
sp-wfe-02	WebFrontEndWithDistributedCache	Web requests + caching
sp-app-01	ApplicationWithSearch	Service apps + search
sp-app-02	ApplicationWithSearch	Service apps + search

Platform: SharePoint Subscription Edition | SQL Server: spsql22.anl.gov

Service account mapping

Purpose	Account
Farm	svcspfarm
Setup	svcspsetup
Service Applications	svcspsvcapps
Web Applications	svcspwebapps
Search	svcspsearch
SQL	svcspsssql

No failed steps.

Evidence references are being reviewed.

Audit readiness checks pending.

XML auto-save: Not connected. Click "Connect XML auto-save" to protect notes by writing each Save notes action directly to your XML file.

PowerShell steps include GCC-safe script templates. Run them from an elevated Windows PowerShell session on internal network hosts only.

Activity timeline (expand) 0

No activity recorded yet.