The purpose of this blog is to share some of the key takeaways for configuring Cloud Hybrid Search. If you have reviewed the Technet documents, you’d think it’s something that can be done with eyes closed. But just like anything else, once you start deep diving, you’ll realize it is not as straightforward as they say. Here are a few key points that will help in configuring Cloud Hybrid Search.

Environment: Intranet portal (homepage for 10K users) on SharePoint 2013 with medium customization, which uses search-based managed properties for displaying content. If the cloud search service application is deployed to the existing portal, there is a high risk that the existing portal will break, because managed properties can’t be migrated to the cloud. To mitigate that, we were advised to create a separate new farm (single server) and then establish hybrid connectivity between this farm and SharePoint Online.

This new farm will crawl content from the existing farm and ship the indexes to the cloud. This would let users on SharePoint Online search for on-prem content. However, it won’t solve on-prem users searching their online content, but that was something we decided to be alright with. Since we can’t have a broken intranet portal, we decided to go with this architecture.

Gotcha#1: Script vs Hybrid Picker 

There are two methods to configure hybrid connectivity.

  1. Hybrid Picker
  2. CreateCloudSSA.ps1 and OnboardCloudHybridSearch.ps1 scripts 

From what I know, it doesn’t really matter which method you end up using; they both should work just fine. However, we ended up using the script option as it allows for more control and flexibility.

One thing that I wasn’t sure about was how to go about establishing the server to server trust (STS), more specifically, generating and exchanging a certificate with the SharePoint Online tenant. I was not sure if we were to use the certificate which is used for binding the on-premise web application or if that certificate is based on the public domain name of the online tenant, similar to what this user is asking: https://social.technet.microsoft.com/Forums/office/en-US/fb51d4dc-45dd-43ab-9d16-b75c9f797ea7/sharepoint-hybrid-ssl-and-sts-requirement?forum=sharepointadmin . What I was told was that since our setup is only going to use Cloud Hybrid Search, we don’t really have to worry about that. So we didn’t have to manually generate and upload a certificate.

Gotcha#2: Delete Existing Search Service Application on New Farm 

The first step in the script method is to run CreateCloudSSA.ps1. It is a pretty nontrivial script which takes 4 parameters, and the Cloud Search Service Application is then successfully deployed on the on-prem farm. Now here come 2 curveballs. When we tried to run the Onboard script using an account with global admin rights (per requirements), it kept failing at the authentication step. At first, we thought it had to do with multi-factor authentication. So that was turned off. But the problem remained. When all else failed, an incident ticket with Microsoft was opened, and we found that it was doing that because we were using a federation service other than ADFS, and for that we need to use a cloud-only global admin account.

After conquering that challenge, we re-ran the script, but it finished with an error, ‘not being able to connect to machine running Admin component’. Back to researching, but unfortunately we did not make any breakthrough. A second incident ticket was opened with Microsoft.

The resolution was to delete the existing search service application (on-prem on the new farm) and then re-run the script. Luckily, since in our case that search service application was not doing anything, we were able to do that. However, it wouldn’t have been possible if it was our main SharePoint 2013 farm.
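
The two failures above can be checked for before running the Onboard script. The following pre-flight check is an added example, not part of the Microsoft scripts or of our original setup. The function name `Test-CloudHybridSearchPreflight` is hypothetical, and it assumes the farm is patched to a level where search service applications expose the `CloudIndex` property.

```powershell
# Added example: pre-flight checks for the two onboarding failures described above.
# Run in the SharePoint Management Shell on the new (crawl-only) farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-CloudHybridSearchPreflight {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential
    )
    $ok = $true

    # Check 1: the onboarding account should be cloud-only, not federated.
    # Heuristic: the tenant's initial *.onmicrosoft.com domain is never federated,
    # so a UPN in that domain always authenticates in the cloud. A cloud-only
    # account in a managed custom domain also works, hence only a warning.
    if ($Credential.UserName -notlike '*@*.onmicrosoft.com') {
        Write-Warning ("'{0}' is not in the *.onmicrosoft.com domain; confirm it is a cloud-only global admin." -f $Credential.UserName)
        $ok = $false
    }

    # Check 2: any search service application that is not the cloud SSA is a
    # candidate for the 'Admin component' error and needs review before onboarding.
    $ssas = @(Get-SPEnterpriseSearchServiceApplication)
    foreach ($ssa in @($ssas | Where-Object { -not $_.CloudIndex })) {
        Write-Warning ("Non-cloud search service application present: {0} ({1})" -f $ssa.Name, $ssa.Id)
        $ok = $false
    }

    # Exactly one cloud SSA (created by CreateCloudSSA.ps1) is expected.
    $cloud = @($ssas | Where-Object { $_.CloudIndex })
    if ($cloud.Count -ne 1) {
        Write-Warning ("Expected exactly one cloud SSA, found {0}." -f $cloud.Count)
        $ok = $false
    }
    return $ok
}

$cred = Get-Credential   # enter the cloud-only global admin account
if (Test-CloudHybridSearchPreflight -Credential $cred) {
    Write-Host 'Pre-flight checks passed; proceed with the Onboard script.'
}
```

The check only reports; deleting a search service application stays a manual decision, since on a production farm that application may be serving the portal.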