If you’ve ever wondered what’s happening “behind the scenes” when someone opens a SharePoint site, uploads a document, or runs a search — you’re essentially asking about the farm architecture. Understanding how a SharePoint farm is structured is one of those foundational topics that every SharePoint admin, developer, or IT professional needs to get right. Once you understand it, everything else — deployment, troubleshooting, scaling, disaster recovery — just makes a whole lot more sense.
In this tutorial, I’m going to walk you through everything you need to know about SharePoint farm architecture, from what a farm actually is to how servers are configured, how MinRole works, and what you need to plan for high availability and security. Let’s dive in.
What Exactly Is a SharePoint Farm?
A SharePoint Farm is simply a group of servers that work together to deliver SharePoint services to your users. Think of it like a team — each member has a specific role, and together they make the whole thing work.
These servers include:
- Web Front-End (WFE) Servers – Handle user requests and serve pages
- Application Servers – Run backend services like Search, User Profiles, and Managed Metadata
- Database Servers (SQL) – Store all your content, configuration, and service data
The word “farm” is used because all these servers are interconnected and managed as a single unit through a shared configuration database. Any server that is part of the farm can communicate with every other server, and Central Administration is your control panel to manage all of it.
Farm Topology: How Servers Are Arranged
When you set up a SharePoint farm, the way you arrange your servers is called the topology. Microsoft has defined three main topology sizes based on organizational needs:
| Topology | Also Known As | Typical Use Case |
|---|---|---|
| Single-Tier | Small Farm | Dev, test, or very small orgs |
| Two-Tier | Medium Farm | Small to medium businesses |
| Three-Tier | Large Farm | Enterprise deployments |
Single-Tier (Small Farm)
Everything — WFE, application services, and SQL — runs on one machine. This is great for development, testing, or proof-of-concept environments, but not recommended for production. There’s no redundancy here — if that one server goes down, so does SharePoint.
Two-Tier Farm
In a two-tier setup, you separate SharePoint from the database. You have one or more SharePoint servers running both WFE and application services on the first tier, and a SQL Server on the second tier. This is a practical choice for small to medium organizations that don’t have a huge user base but still need some separation of concerns.
Three-Tier Farm (Recommended for Production)
This is the gold standard for production environments. You have:
- Tier 1 (Web Tier): Web Front-End servers handling user requests
- Tier 2 (Application Tier): Application servers running backend services
- Tier 3 (Database Tier): SQL Server(s) storing all content and configuration data
A standard three-tier farm configuration consists of two front-end web servers, one application server, and one database server at minimum. This topology is specifically designed to support scaling out or scaling up as your organization grows.
Check out Difference Between Team Site and Communication Site in SharePoint
The Three Core SharePoint Server Roles — Explained Simply
Web Front-End (WFE) Servers
These are your frontline soldiers. When a user opens a browser and navigates to a SharePoint site, the request lands on a WFE server. The WFE server:
- Receives the HTTP/HTTPS request
- Talks to the application and database servers to fetch the data
- Renders the final page and sends it back to the user’s browser
You can have multiple WFE servers sitting behind a load balancer. This not only distributes the traffic evenly but also means that if one WFE goes down, the others keep serving your users without any interruption.
Key responsibilities:
- Handling all incoming user traffic
- Rendering SharePoint pages and responses
- Participating in load balancing
- Caching frequently accessed content (with the Distributed Cache service)
Application Servers
Application servers are the workhorses running in the background. They don’t serve pages directly to users, but they run all the service applications that make SharePoint powerful — things like:
- Search Service – Crawls and indexes all your content
- User Profile Service – Manages people profiles, org charts, and My Sites
- Managed Metadata Service – Handles term stores and content types
- Business Connectivity Services (BCS) – Connects SharePoint to external data sources
- Distributed Cache – Speeds up operations like activity feeds, authentication tokens, and navigation
Since search is one of the most resource-intensive services, larger organizations often dedicate entire servers just to the search service.
Database Servers (SQL Server)
The database tier is where all your data lives. SharePoint uses SQL Server extensively and creates many databases automatically during setup:
| Database Type | What It Stores |
|---|---|
| Configuration Database | Farm-wide settings and topology |
| Content Databases | Sites, documents, lists, and libraries |
| Central Admin Content DB | Central Administration settings |
| Search Databases | Crawl store, link store, analytics data |
| Service Application DBs | User profiles, managed metadata, etc. |
A production farm should never run SQL on the same machine as SharePoint. Your SQL server needs its own dedicated resources, and for high availability, you’ll want SQL Server Always On Availability Groups configured.
Read SharePoint Online vs. SharePoint On-Premise
MinRole in SharePoint: The Smarter Way to Configure Your Farm
Starting with SharePoint Server 2016, Microsoft introduced a concept called MinRole — and it’s genuinely one of the most useful changes to farm management in years. SharePoint Server 2019 and SharePoint Server Subscription Edition both support and extend MinRole.
So what is MinRole? In simple terms, when you add a server to a SharePoint farm, you assign it a predefined role. SharePoint then automatically starts and stops the right services on that server based on its role. No more manually figuring out which services to enable on which server.
The MinRole Server Roles
MinRole defines 8 server roles across three categories:
Dedicated Roles:
- Front-end – Handles user requests and runs user-facing services
- Application – Runs backend and administrative services
- Distributed Cache – Runs only the Distributed Cache service
- Search – Runs all search-related components
Shared Roles (for smaller farms):
- Front-end with Distributed Cache – Combines front-end and caching on one server
- Application with Search – Combines application services and search on one server
Special Roles:
- Single-Server Farm – Everything on one machine (dev/test only, cannot add more servers)
- Custom – You manually control which services run (maximum flexibility, but you lose MinRole’s automated management)
Why MinRole Matters
Before MinRole, administrators had to manually figure out which services to start on which server — and it was easy to misconfigure things, leading to performance problems or wasted resources.
With MinRole:
- SharePoint automatically configures services on each server based on its role
- When you enable or disable a service application in the farm, MinRole automatically adjusts all servers accordingly
- Capacity planning becomes more predictable because each server is running only what it’s supposed to run
- For a high-availability MinRole farm, you need a minimum of four servers (one of each dedicated role), not counting SQL servers
Check out When to Use OneDrive vs SharePoint for File Storage
SharePoint Farm Configuration: The Key Components
Service Applications
Service applications are the backbone features of SharePoint. They’re designed to be shared across multiple web applications within a farm, and in a multi-farm setup, they can even be shared across farms.
The most commonly configured service applications are:
- Search Service Application – Enterprise-grade search across all your content
- Managed Metadata Service – Centralized term stores for consistent taxonomy
- User Profile Service – Feeds into My Sites, people search, and social features
- App Management Service – Required if you’re deploying SharePoint Add-ins
- Excel Services / Word Automation Services – Document conversion and rendering
You can configure service applications via Central Administration (the GUI approach) or via PowerShell (preferred for automation and scripted deployments).
Central Administration
Central Administration (often just called “Central Admin”) is the web-based management portal for your entire SharePoint farm. From here, you can:
- Create and manage web applications and site collections
- Configure and manage service applications
- Monitor the health of the farm using the Health Analyzer
- Manage incoming email and outbound SMTP settings
- Run timer jobs and review their history
- Manage farm-level backups
Best practice: Deploy Central Administration on at least two servers in the farm. If one server goes down, you still have access to manage the farm. Also, restrict access to the Central Admin port (default: 11000 range) to internal admin machines only — never expose it externally.
Load Balancing
If you have multiple WFE servers, you need a load balancer sitting in front of them to distribute traffic. Your options are:
| Load Balancing Option | Best For |
|---|---|
| Network Load Balancing (NLB) | Built into Windows Server; good for basic setups |
| Hardware Load Balancer (HLB) | Advanced traffic routing, SSL offloading, health monitoring |
| Azure Load Balancer | SharePoint farms hosted in Azure |
| F5 / Citrix NetScaler | Enterprise-grade options with deep SharePoint awareness |
For production, a hardware load balancer or a capable software-based alternative (like Windows Server’s ARR or a third-party solution) is strongly recommended. It gives you session persistence, health probes, and SSL offloading capabilities that NLB alone doesn’t provide.
Read Create Site Retention Policies in SharePoint
Multi-Farm SharePoint Architecture: When One Farm Isn’t Enough
Larger organizations sometimes go beyond a single farm. Microsoft supports several multi-farm patterns:
- Content Farms – Host sites and service applications; can also consume services from other farms
- Services Farms – Dedicated to hosting service applications (Search, User Profiles, Managed Metadata) consumed by content farms
- Search Farms – Host only the Search service application
- My Site Farms – Dedicated farms for My Sites when multiple content farms exist
In multi-farm setups, the SharePoint Server Subscription Edition supports federated service applications across the last three versions (Subscription Edition, 2019, and 2016 — the “N-2” support model). This is a huge benefit if you’re gradually upgrading farms while keeping services running.
Infrastructure Requirements for a SharePoint Farm
Getting your infrastructure right is just as important as the SharePoint configuration itself.
Network Requirements
- Intra-farm latency should be less than 1ms one-way, 99.9% of the time over any 10-minute window. Exceeding this threshold causes serious performance problems.
- If you’re building a stretched farm across two data centers, Microsoft requires that both sites connect with that same sub-1ms latency — otherwise, it’s not supported.
- For hybrid scenarios connecting to Microsoft 365, Azure ExpressRoute is the preferred connection method. It offers a dedicated private connection with lower latency and higher reliability than a regular internet VPN.
Storage Requirements
Don’t underestimate storage planning — it has a huge impact on performance.
- SQL Server disks should use fast SSD-backed storage. Avoid putting content databases, log files, and tempDB on the same volume.
- Separate your TempDB files onto their own dedicated fast disk. TempDB is heavily used by SharePoint during search crawls and large queries.
- For VMs in Azure, use Azure Managed Disks (Premium SSD tier) for SharePoint VMs.
- Use SQL Server Always On Availability Groups for content and service application databases. This gives you both HA (automatic failover) and the option for readable secondary replicas for reporting.
Hardware Sizing at a Glance
| Farm Size | Users | WFE Servers | App Servers | SQL Servers |
|---|---|---|---|---|
| Small | < 1,000 | 1–2 | 1 | 1 |
| Medium | 1,000–10,000 | 2–4 | 2 | 1–2 |
| Large | 10,000–50,000+ | 4+ | 2–4 | 2+ (Always On) |
Check out Term Store in SharePoint
Scalability: Growing Your SharePoint Farm
One of the great things about SharePoint farm architecture is that it’s designed to grow with your organization. You have two ways to scale:
Scaling Out (Horizontal Scaling)
Add more servers to the farm. For example:
- Add a second or third WFE server to handle more concurrent users
- Add a dedicated Search server when your search crawl is overloading your application server
- Add a dedicated Distributed Cache server if you’re running into session/feed performance issues
Scaling out is the preferred approach for production farms because it also improves fault tolerance — more servers means the farm can keep running even if one goes down.
Scaling Up (Vertical Scaling)
Increase the resources (RAM, CPU, storage) on existing servers. This is simpler but has limits — and usually requires downtime for physical machines. It’s best suited for smaller environments where adding servers isn’t practical.
Pro tip: With MinRole, scaling out is actually much easier than in older versions. When you add a new server and assign it a MinRole, SharePoint automatically starts the right services on it. No manual configuration needed.
High Availability and Disaster Recovery
This is one area where you absolutely cannot cut corners. Microsoft’s own guidance is clear: high availability and disaster recovery are the highest priority when planning a SharePoint farm.
High Availability (HA)
HA is about keeping SharePoint running even when something fails. Key HA strategies:
- Multiple WFE servers behind a load balancer – If one WFE fails, traffic routes to the remaining servers automatically
- Redundant application servers – For MinRole, deploy two servers for each role
- SQL Server Always On Availability Groups – Provides automatic failover for your databases with near-zero downtime
- Distributed Cache redundancy – Run the Distributed Cache service on at least two servers to avoid a single point of failure
Disaster Recovery (DR)
DR is about recovering from a major outage or data loss event. Key terms to understand:
- RTO (Recovery Time Objective) – How long can you afford to be down?
- RPO (Recovery Point Objective) – How much data loss is acceptable (measured in time)?
Common DR strategies for SharePoint farms:
| DR Strategy | Description | Best For |
|---|---|---|
| Cold Standby | A secondary farm that is set up but not running; requires manual activation | Lower budget, longer RTO acceptable |
| Warm Standby | Secondary farm is running but not serving users; databases are kept in sync | Medium RTO requirements |
| Hot Standby | Fully active secondary farm; near-instant failover | Critical systems, low RTO required |
| SQL Log Shipping | Transaction logs regularly shipped to a secondary SQL instance | Cost-effective RPO management |
| Always On AGs with readable secondaries | Replicated databases with automatic failover | Recommended enterprise approach |
Best practice: Document your DR plan in what Microsoft calls a “run book” or “cook book” — a document detailed enough that a third-party team could execute the recovery plan without your help. And most importantly, test your DR plan regularly. A plan that’s never been tested is just a hope.
Check out Add Custom Theme in SharePoint
Security Considerations
A SharePoint farm often holds sensitive organizational data, so locking it down is non-negotiable.
Authentication Methods
SharePoint supports several authentication methods — pick the right one for your environment:
- Windows Authentication (Kerberos or NTLM): The default and most common choice for corporate environments using Active Directory. Kerberos is preferred over NTLM because it’s more secure and supports delegation (important for some service applications).
- Forms-Based Authentication (FBA): Useful for extranet or internet-facing sites where external users don’t have Active Directory accounts. Works with SQL databases and LDAP directories as identity stores.
- SAML / Trusted Identity Providers: Allows integration with external identity providers, including ADFS and third-party IdPs, enabling SSO scenarios.
- OAuth 2.0 / OpenID Connect: Supported for modern integration scenarios, particularly for hybrid setups connecting to Microsoft 365 and Azure Active Directory (now Entra ID).
Firewall and Network Security
- Segment your network: Keep your WFE servers in a DMZ or perimeter network, your application servers in an internal zone, and your SQL servers in the most restricted internal zone. Never expose SQL directly to the internet.
- Lock down Central Administration: Restrict access to the Central Admin website by IP address or host header. It should only be accessible from dedicated admin machines.
- Use HTTPS everywhere: All SharePoint web applications should be configured with HTTPS (TLS 1.2 or higher). SharePoint Server Subscription Edition now supports TLS 1.3 via its new database connectivity layer introduced in the 25H1 update — a significant security improvement.
- SSL Certificate Management: As of SharePoint Server Subscription Edition, you can manage SSL/TLS certificates directly from Central Administration or PowerShell — including automatic deployment of certificates to all servers in the farm and expiration alerts.
- Limit service account permissions: Follow the principle of least privilege. Each service account (farm account, service application accounts, web application pool accounts) should have only the permissions it actually needs.
SharePoint Farm vs. SharePoint Online — A Quick Reality Check
If you’re on-premises, you’re managing all of this infrastructure yourself. It’s powerful and customizable, but it comes with real operational costs: hardware, SQL licensing, Windows Server licensing, patching, monitoring, and more.
SharePoint Online (part of Microsoft 365) handles all the infrastructure for you — but you give up control over things like custom service applications, farm-level configuration, and on-premises integrations.
Many organizations today run a hybrid model — keeping their SharePoint farm on-premises for sensitive data while using SharePoint Online for collaboration and Microsoft 365 integrations like Power Apps, Power Automate, and Teams.
SharePoint Server Subscription Edition has first-class hybrid support, including integrated Power Apps and Power Automate commands that appear directly in modern document library pages when the farm is connected to a Microsoft 365 tenant.
Quick Summary: Farm Architecture at a Glance
| Component | Role | Key Consideration |
|---|---|---|
| WFE Server | Handles user requests, serves pages | Add more for load balancing and redundancy |
| Application Server | Runs service applications (Search, Profiles, etc.) | Isolate resource-heavy services like Search |
| Database Server (SQL) | Stores all farm content and config | Always On AGs recommended for production |
| MinRole | Automates service configuration per server | Available in SP2016, 2019, and Subscription Edition |
| Central Administration | Farm management GUI | Deploy on 2+ servers; restrict access |
| Load Balancer | Distributes traffic across WFE servers | Use hardware/software LB for production |
| Distributed Cache | Speeds up feeds, tokens, navigation | Run on 2+ servers for redundancy |
Conclusion
SharePoint farm architecture might seem intimidating at first, but once you break it down into its core components — WFE servers, application servers, database servers, MinRole, service applications, and load balancing — it starts to make a lot of sense. The key is to plan properly before you deploy. Think about your user count, your growth expectations, your HA and DR requirements, and your security needs. Get those right upfront, and you’ll end up with a SharePoint farm that’s fast, resilient, and easy to manage.
Whether you’re setting up a small two-server farm for a 500-user organization or designing a multi-farm architecture for a global enterprise, the principles covered in this tutorial form the foundation. Take your time, follow Microsoft’s guidance, test your setup thoroughly — and always test your disaster recovery plan before you need it.
You may also like:
- SharePoint Contribute vs Edit Permissions
- SharePoint Recycle Bin
- 15 SharePoint Document Library Best Practices
- SharePoint Folder Structure Best Practices
Hey! I’m Bijay Kumar, founder of SPGuides.com and a Microsoft Business Applications MVP (Power Automate, Power Apps). I launched this site in 2020 because I truly enjoy working with SharePoint, Power Platform, and SharePoint Framework (SPFx), and wanted to share that passion through step-by-step tutorials, guides, and training videos. My mission is to help you learn these technologies so you can utilize SharePoint, enhance productivity, and potentially build business solutions along the way.
