Active Directory, IIS 7.0 web-farm reference

This post is targeted at helping IIS administrators understand how Active Directory can be used by IIS web-farms. My goal is to help anyone looking to deploy IIS (in a web-farm scenario) and use Active Directory as an authentication store. There are several moving parts related to a web-farm.




  1. Content deployment
  2. Configuration management, including Shared Configuration
  3. SSL certificates
  4. Logging
  5. FTP deployment using Active Directory
  6. Load-balancing (hardware and software)
  7. Hardware selection for web-farms
  8. Virtual servers or physical machines

As you can see, it's easy to get confused, and that makes troubleshooting a web-farm more difficult than a stand-alone server. For purposes of this post, we'll focus on Active Directory and web-farms. Here is an introduction to the topics we'll be covering in this post.


Web-farms




  • What is a web-farm?
  • Why do I need a web farm?
  • How do I distribute traffic to all machines?
  • What is a Virtual IP address?
  • Diagram of a web-farm

Active Directory




  • What is Active Directory?
  • Do I need Active Directory?
  • Diagram of Active Directory

Deployment of a test environment




  • Deploying Active Directory
  • Deploying member servers with IIS
  • Setup your machines
  • Setting up example1.com on Server1, Server2
  • Setup NLB (network load-balancing)
  • Create AD users and Groups
  • Create Remote Share on file server
  • Configure IIS to use a remote share

Web-farms


What is a web-farm? A web-farm is 2 or more machines hosting a single instance of a website. Pretty simple huh?! Yes, that is the definition of a web-farm. Wikipedia has a reference to a Server Farm. Web-farm or server farm, they are pretty much the same thing, just worded differently. Wikipedia's definition includes the term "cluster".


In my opinion, a cluster provides failover of a single instance of something. For example, you have two machines hosting a single instance of a database. The database instance only runs on a single server; the other server participating in the cluster is idle. I refer to two machines hosting a single instance as an Active / Passive cluster.


Why do I need a web farm? Running a single website on multiple machines has many benefits. Probably the biggest reason is scalability, followed by redundancy. Scalability is what you need when your website has to handle increasing workloads or peaks in traffic. Another benefit is controlled change management in a production environment. For instance, you have 2 machines in your web-farm and you want to update your website. You can take Server1 out of rotation, update and test the code, then introduce it back into rotation. If you experience issues, you can revert the code changes back to the original set of files. While you have been testing your updates, the website has been running without interruption on Server2. Once you have worked out any issues, you can perform the same steps on Server2 while Server1 handles requests.


How do I distribute traffic to both machines? You would use some form of load-balancing. Microsoft provides a free version called Network Load-balancing. There are also 3rd party load-balancers by Cisco, F5 and Foundry Networks. You could also use DNS round-robin load-balancing: you set up two separate A records for a single DNS name (www.example.com). For example, Server1's IP address is 192.168.1.10 and Server2's is 192.168.1.11. You would have an A record for www.example.com pointing to 192.168.1.10 (Server1) and another A record pointing to 192.168.1.11 (Server2). When a person requests the record for www.example.com, one request would go to Server1 and the second request would go to Server2. The downside of DNS load-balancing is that the resolver does not know whether a server is responding; if one server is down, in this example half of your requests would fail.
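The check below is an added example and not part of the original post. It shows the DNS round-robin caveat from the paragraph above in practice: it asks the resolver for every A record behind a name and then tests each address itself on TCP port 80, because the resolver will hand a dead address to clients just as readily as a live one. The name www.example.com, the port and the timeout are assumptions chosen to match the post's example.

```powershell
# Added check (not from the original post): list every A record for a name and
# probe each one, since DNS round-robin has no health check of its own.
function Test-RoundRobinTargets {
    param(
        [string]$Name = 'www.example.com',   # assumed name from the post's example
        [int]$Port = 80,
        [int]$TimeoutMs = 2000
    )

    # All IPv4 A records the resolver returns; a round-robin zone returns every
    # one of them in rotating order and never drops an unresponsive host.
    $addresses = [System.Net.Dns]::GetHostAddresses($Name) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' }

    foreach ($ip in $addresses) {
        $client = New-Object System.Net.Sockets.TcpClient
        $async = $client.BeginConnect($ip, $Port, $null, $null)
        $reachable = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($reachable) {
            try { $client.EndConnect($async) } catch { $reachable = $false }
        }
        $client.Close()
        New-Object PSObject -Property @{
            Name      = $Name
            Address   = $ip.IPAddressToString
            Port      = $Port
            Reachable = $reachable
        }
    }
}

# Usage: every record a resolver could hand out, and how many of them are dead.
$results = @(Test-RoundRobinTargets)
$results | Format-Table Name, Address, Port, Reachable -AutoSize
$down = @($results | Where-Object { -not $_.Reachable }).Count
'{0} of {1} A records unreachable: roughly {2:P0} of client requests would fail under even rotation' -f `
    $down, $results.Count, ($down / [Math]::Max(1, $results.Count))
```

A hardware load-balancer or NLB removes a failed member from rotation on its own; with DNS round-robin the only remedy is to pull the A record yourself, and clients keep using the cached record until its TTL expires.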


What is a Virtual IP address? A virtual IP address (VIP) is usually not tied to a specific server. It's normally configured on a hardware load-balancer that distributes traffic. If you are using Microsoft's NLB, it has the ability to distribute traffic to multiple machines while not being tied to a specific server. Confused?! For more information on how Microsoft's NLB works, please review the documentation. One clarification: if you were using DNS round-robin to distribute traffic, there would be no need for a virtual IP address.


Web-farm Diagram





Active Directory


What is Active Directory? Active Directory is Microsoft's version of directory services. Directory services provide a central database for authentication, print services, file share access and other features. Here is the Wikipedia definition. Active Directory provides LDAP (Lightweight Directory Access Protocol) services. Active Directory uses DNS to help resolve the names of objects, including servers and domain controllers. For purposes of this article, we will not cover Active Directory in depth but rather show how it's used in a web-farm scenario. For more information on Active Directory, we recommend checking out TechNet.


Do I need Active Directory for a web-farm? You technically do not need Active Directory to run a web-farm. Each machine could be a stand-alone server and use the local SAM database for user accounts. If you need to authenticate between machines, you have to create the same user account and password on each machine and grant the same permissions. The strength of using Active Directory is the ability to have a central authentication resource. For our purposes, we'll be using domain accounts for application pools and anonymous users.


Diagram of Active Directory



Deployment of a test environment


For purposes of this article, I'm going to use Virtual PC to show how easy it is to set up an environment. You could also use VMware or Hyper-V for testing. The host machine is running Windows Server 2008 Enterprise x64 edition. There is 4 GB of RAM and a 250 GB IDE hard-drive. (PS: my host machine doesn't support Hyper-V)


Necessary software / Assumptions



Setup your machines.




  • Download and install Virtual PC
  • Download the ISO version of Windows Server 2008
  • Create a single instance of Windows Server 2008. The first machine will be DC1
  • Create a second machine; this will be DC2
  • Create a third machine, call it Server1 (inside this VM, add an additional network adapter)
  • Create a fourth machine, call it Server2 (inside this VM, add an additional network adapter)

Create Websites on Server1, Server2




  • Create a website on both servers, pointed at c:\inetpub\wwwroot. This will be changed later on to use a remote share.

Setup NLB (network load-balancing)


For our example, we set up Microsoft network load-balancing.



Create AD users and Groups


Log into your domain controller and create 3 items (an FTP user, an anonymous user and a group).



Create Remote Share on file server


This section covers setting up your file server and granting permissions to the AD group.



Configure IIS to use a remote share.


This section covers setting up IIS to use the remote share and setting the application pool to use the AD user.
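The three sections above (AD users and group, the remote share, and the IIS configuration) describe the procedure; here it is as one added example in PowerShell calling dsadd, net share, icacls and appcmd. This is not the post's own script, and every name in it is an assumption chosen to fit the post: the domain EXAMPLE1 (example1.com), an OU named WebFarm, a group WebFarmUsers, service accounts svc_apppool, svc_anon and svc_ftp, a file server FS1 exporting a share named wwwroot, and a site and application pool both named example1.com. The passwords are placeholders to replace before running.

```powershell
# Added example (not the post's own script). Run each section on the machine
# named in its comment. All names below are assumptions, passwords are placeholders.

# --- On a domain controller: OU, group and the three accounts the post calls for ---
$ou = 'OU=WebFarm,DC=example1,DC=com'
dsadd ou $ou
dsadd group "CN=WebFarmUsers,$ou" -secgrp yes -scope g
foreach ($acct in 'svc_apppool', 'svc_anon', 'svc_ftp') {
    dsadd user "CN=$acct,$ou" -samid $acct -pwd '<placeholder-password>' `
        -pwdneverexpires yes -memberof "CN=WebFarmUsers,$ou"
}

# --- On the file server FS1: folder, share and NTFS rights granted to the group only ---
New-Item -ItemType Directory -Path 'C:\Shares\wwwroot' -Force | Out-Null
net share 'wwwroot=C:\Shares\wwwroot' '/grant:EXAMPLE1\WebFarmUsers,CHANGE'
icacls 'C:\Shares\wwwroot' /inheritance:r
icacls 'C:\Shares\wwwroot' /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F'
# The group (application pool and anonymous user) only needs to read content ...
icacls 'C:\Shares\wwwroot' /grant 'EXAMPLE1\WebFarmUsers:(OI)(CI)RX'
# ... while only the FTP deployment account may modify it.
icacls 'C:\Shares\wwwroot' /grant 'EXAMPLE1\svc_ftp:(OI)(CI)M'

# --- On Server1 and Server2: run the pool as the domain account, point the site at the share ---
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
& $appcmd set apppool 'example1.com' '/processModel.identityType:SpecificUser' `
    '/processModel.userName:EXAMPLE1\svc_apppool' '/processModel.password:<placeholder-password>'
& $appcmd set vdir 'example1.com/' '/physicalPath:\\FS1\wwwroot' `
    '/userName:EXAMPLE1\svc_apppool' '/password:<placeholder-password>'
& $appcmd set config 'example1.com' '/section:anonymousAuthentication' `
    '/userName:EXAMPLE1\svc_anon' '/password:<placeholder-password>' '/commit:apphost'
```

The effective permission on a share is the more restrictive of the share and NTFS grants, which is why the share is opened at CHANGE for the whole group while NTFS narrows the pool and anonymous accounts down to read and execute. The same commands run unchanged on Server2, which is the point of a domain account: nothing has to be mirrored in each server's local SAM.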



In summary, this article covers how to set up and configure an environment that uses Active Directory as the authentication store for web-farms. Web-farms can help with scalability and redundancy. Here are some additional resources I found while writing this post.



I hope you find this article helpful.


Steve Schofield
Microsoft MVP – IIS

Active Directory, web-farm reference links

NO-IP.com review

After several years of having a static IP address, I switched to a DSL service that has only a dynamic (DHCP) IP address. I knew I would miss having a static IP address. no-ip.com offers a free service where you can install an agent on your machine. Here is more information about the service. When your IP address is changed by your provider, the DNS name you created is updated automatically. There is no need to remember the IP address.


I used no-ip.com for DNS resolution years ago and their service is impressive. They offer a wide array of services including mail forwarding, server monitoring and more services which are DNS related. I can't think of another DNS provider as stable as they have been. In all the years I used them, the only outage was a brief one when MS Blaster hit. Yes, that has been a few years ago.


So if you have a dynamic ip address and occasionally want to access your home machine, being able to create a DNS name is as easy as 1..2..3. 


If you have another service similar to this, please let me know. 

mail.live.com migration from gmail

I recently switched how I read my listserv email to a http://live.com mail account. Live.com is coming along in its features. Google rules the world and I've yet to see many positive posts on live.com (none actually). I wanted to share my experience. I have several email accounts routed to a central account. I use the central account to read and archive listserv messages. I was using Google's Gmail and for the most part it was ok. I missed the ability to separate messages into folders outside my inbox. I dread a cluttered inbox, and from what I can tell, the labels and archiving features Gmail offers aren't quite what I was looking for. I like to separate messages into individual folders. Live.com has the look and feel of Outlook, which allows me to create separate folders. Then I can have mail messages go directly to specific folders. I can casually browse specific folders when I want. So far, the SPAM filtering has been nearly perfect; I've had no issues with much SPAM getting into my inbox.


The real kicker for me was Gmail's lack of support for reading posts from http://forums.iis.net. I answer a fair amount of questions, and when someone responds, I'm notified. When I browse with Gmail's reader, the response is blank. I had to browse to the site to review the response. When I read with live.com, replies show up directly in the message. I never got used to Gmail's feature where messages are consolidated into a single message. Maybe it's just me, but I'd rather not have that.


My Live.com account does display ads, but I have no issues ignoring them. In addition, a free account gets 5 GB of space, so I have no worries of running out of space. I still use Google for searching; I've not totally taken the plunge to migrate all my stuff. I'm a Microsoft platform person, so maybe my entire view is slanted. I wanted to share my experience and maybe get others' feedback. I'm sure I will.


Happy emailing!


Steve

IPSecurity restrictions in IIS 6

I added a reference to IISOle.dll and used the following code to add restrictions. It requires .NET 3.5. You can use Visual Basic Express to compile the code. Thanks Brent for the assistance!


Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.Linq

Module Module1

    ' Each argument has the form ServerIP!IPAddress!SiteID, e.g. 192.168.1.10!10.0.0.5!1
    Sub Main(ByVal v_arrArgs As String())
        Dim args() As String = Environment.GetCommandLineArgs()
        Dim y As Integer
        ' Index 0 is the executable itself; the real arguments start at 1
        For y = 1 To UBound(args)
            ProcessIT(args(y))
        Next
        Console.Write("Done")
    End Sub

    Sub ProcessIT(ByVal value As String)
        Dim ServerIP As String
        Dim IPAddress As String
        Dim SiteID As String
        Dim arrSplit As String() = Nothing

        arrSplit = value.Split("!"c)
        If arrSplit.Length <> 3 Then
            Console.WriteLine("Expected ServerIP!IPAddress!SiteID, got: " & value)
            Return
        End If
        ServerIP = arrSplit(0)
        IPAddress = arrSplit(1)
        SiteID = arrSplit(2)

        ' Bind to the site's root in the IIS 6 metabase through ADSI
        Dim Dir As New DirectoryEntry("IIS://" & ServerIP & "/W3SVC/" & SiteID & "/ROOT")
        Dim IpSec As IISOle.IPSecurity = CType(Dir.Properties("IPSecurity").Value, IISOle.IPSecurity)

        ' Grant access by default and deny only the addresses in the IPDeny list
        IpSec.GrantByDefault = True
        Dim IpList As New List(Of String)
        If IpSec.IPDeny IsNot Nothing Then
            IpList = (From Ip As String In CType(IpSec.IPDeny, Object())).ToList()
        End If

        ' Add the new address as a single-host entry (IIS 6 format is "ip, mask") unless it is already denied
        Dim entry As String = IPAddress & ", 255.255.255.255"
        If Not IpList.Contains(entry) Then
            IpList.Add(entry)
        End If

        ' Write the list back and commit the change to the metabase
        IpSec.IPDeny = IpList.ToArray()
        Dir.Properties("IPSecurity").Value = IpSec
        Dir.CommitChanges()

        For Each item As String In IpList
            Console.WriteLine(item)
        Next
        Console.WriteLine("Done")
    End Sub

End Module

Here is a forum post.


http://forums.iis.net/p/1148477/1865759.aspx


Cheers,


Steve Schofield

Personal: – Open Office 2.0 and printing Envelopes

Thought I would pass this tip along. I recently set up my parents' computer with Open Office (on WinXP). My parents needed basic Office functionality, and I was impressed with the Open Office suite. My Dad uses the envelopes feature the most. They had an HP 940 printer, which would handle printing envelopes. I was getting inconsistent results when trying to get it to work with a single printer configuration.


What I wanted to pass along for others looking at Open Office: I created a 'default printer' option with regular settings, and an additional printer setup to support envelopes, pointing at the same printer. So inside Open Office, when I wanted to print envelopes, I chose the 'envelope printer'. This worked like a charm. I got the idea from a post here.


Hope this helps.


Steve



URLRewrite for IIS 7.0 released

IIS team has made the URL Rewrite Module for IIS 7.0 Release To Web (RTW) available for download. This is a final, production-ready release that is officially supported by Microsoft.


Install the URL Rewrite Module for IIS 7.0 RTW today!



Great job Ruslan and IIS team, one more module closer to Apache.


Lots of articles posted on http://learn.iis.net


http://blogs.iis.net/ruslany/archive/2008/11/10/url-rewrite-module-release-to-web.aspx


Cheers,


Steve Schofield
Microsoft MVP – IIS

Path, CommandLine and ExecutablePath not exposed in Powershell using WMI as a regular user.

This post is more a question and on-going research. Thought I would share my findings so far. If you know the answer, please do share. I've been trying to understand why the three properties (Path, CommandLine, ExecutablePath) are not exposed to non-Administrators. Here is information on the Win32_Process class. I suspect it's a security related design, which makes sense. I've not been able to find the root explanation. To reproduce the behaviour, follow the steps below:



  • Log into your machine as a local administrator
  • Launch a PowerShell session (you might need to install it: Install Windows PowerShell)
  • Launch a Calculator instance
  • Run gwmi -query 'select * from win32_process where name="calc.exe"'. The results are listed below.
  • Then use the runas command to launch another PowerShell window as a normal user (aka a non-administrator) and follow the same procedure. Notice the Path, CommandLine and ExecutablePath values are NULL.

I've run Process Monitor and looked at security, and I found a few posts on SeDebugPrivilege and adjusting access. I'm still searching for a clear explanation. If / when I have this, I'll update my post. Stay tuned!


Results as an Administrator


ProcessName                : calc.exe
Handles                    : 51
VM                         : 65687552
WS                         : 5050368
Path                       : C:\Windows\system32\calc.exe
__GENUS                    : 2
__CLASS                    : Win32_Process
__SUPERCLASS               : CIM_Process
__DYNASTY                  : CIM_ManagedSystemElement
__RELPATH                  : Win32_Process.Handle="25048"
__PROPERTY_COUNT           : 45
__DERIVATION               : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER                   : PC1
__NAMESPACE                : root\cimv2
__PATH                     : \\PC1\root\cimv2:Win32_Process.Handle="25048"
Caption                    : calc.exe
CommandLine                : "C:\Windows\system32\calc.exe"
CreationClassName          : Win32_Process
CreationDate               : 20081109222814.158575-300
CSCreationClassName        : Win32_ComputerSystem
CSName                     : PC1
Description                : calc.exe
ExecutablePath             : C:\Windows\system32\calc.exe
ExecutionState             :
Handle                     : 25048
HandleCount                : 51
InstallDate                :
KernelModeTime             : 312500
MaximumWorkingSetSize      : 1380
MinimumWorkingSetSize      : 200
Name                       : calc.exe
OSCreationClassName        : Win32_OperatingSystem
OSName                     : Microsoft® Windows Server® 2008 Enterprise |C:\Windows|\Device\Harddisk0\Partition1
OtherOperationCount        : 70
OtherTransferCount         : 204
PageFaults                 : 1245
PageFileUsage              : 1884
ParentProcessId            : 19884
PeakPageFileUsage          : 1884
PeakVirtualSize            : 65789952
PeakWorkingSetSize         : 4932
Priority                   : 8
PrivatePageCount           : 1929216
ProcessId                  : 25048
QuotaNonPagedPoolUsage     : 5
QuotaPagedPoolUsage        : 124
QuotaPeakNonPagedPoolUsage : 5
QuotaPeakPagedPoolUsage    : 124
ReadOperationCount         : 2
ReadTransferCount          : 438
SessionId                  : 1
Status                     :
TerminationDate            :
ThreadCount                : 1
UserModeTime               : 312500
VirtualSize                : 65687552
WindowsVersion             : 6.0.6001
WorkingSetSize             : 5050368
WriteOperationCount        : 0
WriteTransferCount         : 0


Results as Non-Administrator


ProcessName                : calc.exe
Handles                    : 51
VM                         : 65687552
WS                         : 5050368
Path                       :
__GENUS                    : 2
__CLASS                    : Win32_Process
__SUPERCLASS               : CIM_Process
__DYNASTY                  : CIM_ManagedSystemElement
__RELPATH                  : Win32_Process.Handle="25048"
__PROPERTY_COUNT           : 45
__DERIVATION               : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER                   : PC1
__NAMESPACE                : root\cimv2
__PATH                     : \\PC1\root\cimv2:Win32_Process.Handle="25048"
Caption                    : calc.exe
CommandLine                :
CreationClassName          : Win32_Process
CreationDate               : 20081109222814.158575-300
CSCreationClassName        : Win32_ComputerSystem
CSName                     : PC1
Description                : calc.exe
ExecutablePath             :
ExecutionState             :
Handle                     : 25048
HandleCount                : 51
InstallDate                :
KernelModeTime             : 312500
MaximumWorkingSetSize      : 1380
MinimumWorkingSetSize      : 200
Name                       : calc.exe
OSCreationClassName        : Win32_OperatingSystem
OSName                     : Microsoft® Windows Server® 2008 Enterprise |C:\Windows|\Device\Harddisk0\Partition1
OtherOperationCount        : 70
OtherTransferCount         : 204
PageFaults                 : 1245
PageFileUsage              : 1884
ParentProcessId            : 19884
PeakPageFileUsage          : 1884
PeakVirtualSize            : 65789952
PeakWorkingSetSize         : 4932
Priority                   : 8
PrivatePageCount           : 1929216
ProcessId                  : 25048
QuotaNonPagedPoolUsage     : 5
QuotaPagedPoolUsage        : 124
QuotaPeakNonPagedPoolUsage : 5
QuotaPeakPagedPoolUsage    : 124
ReadOperationCount         : 2
ReadTransferCount          : 438
SessionId                  : 1
Status                     :
TerminationDate            :
ThreadCount                : 1
UserModeTime               : 312500
VirtualSize                : 65687552
WindowsVersion             : 6.0.6001
WorkingSetSize             : 5050368
WriteOperationCount        : 0
WriteTransferCount         : 0
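The script below is an added diagnostic for the question in this post; it is not from the original post. Run it once from the administrator session and once from the runas session: for each process WMI returns, it records who owns the process (Win32_Process.GetOwner) and whether ExecutablePath and CommandLine came back empty, then compares the owner with the identity running the query. The working assumption, which this check lets you confirm on your own machine, is that the blanks line up with processes the caller does not own: these values are read out of the target process itself, which a standard user can only do for its own processes. The practical caveat for anyone collecting process command lines through WMI for monitoring or incident response is that the collector must run with sufficient rights, otherwise an empty CommandLine is a gap in the data rather than evidence of anything. It assumes PowerShell 2.0 or later for New-Object -Property.

```powershell
# Added diagnostic (not from the original post): for every process WMI returns,
# record who owns it and whether ExecutablePath / CommandLine came back empty,
# so the blanks can be compared against the identity running the query.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

$report = Get-WmiObject -Class Win32_Process | ForEach-Object {
    $owner = $_.GetOwner()            # WMI method on Win32_Process; ReturnValue 0 on success
    if ($owner.ReturnValue -eq 0) {
        $ownerName = '{0}\{1}' -f $owner.Domain, $owner.User
    } else {
        $ownerName = '<not readable>'  # owner lookup also fails when the caller cannot open the process
    }
    New-Object PSObject -Property @{
        ProcessId      = $_.ProcessId
        Name           = $_.Name
        Owner          = $ownerName
        OwnedByMe      = ($ownerName -eq $me)
        HasPath        = -not [string]::IsNullOrEmpty($_.ExecutablePath)
        HasCommandLine = -not [string]::IsNullOrEmpty($_.CommandLine)
    }
}

$report | Sort-Object Owner, Name |
    Format-Table ProcessId, Name, Owner, OwnedByMe, HasPath, HasCommandLine -AutoSize

# Summary: how many processes hid their path from this caller, split by ownership
$report | Group-Object OwnedByMe | ForEach-Object {
    $hidden = @($_.Group | Where-Object { -not $_.HasPath }).Count
    'OwnedByMe={0}: {1} processes, {2} without ExecutablePath' -f $_.Name, $_.Count, $hidden
}
```

In the post's reproduction the calc.exe instance was started by the administrator, so from the runas session it is a process owned by someone else; the summary line for OwnedByMe=False is where the empty paths should appear.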


stsadm extension pack that is a must have!

I've been doing more with SharePoint. There are two main command line tools, psconfig and stsadm. In true MVP fashion, SharePoint MVP Gary Lapointe has developed and makes available a tool that extends stsadm. If you do any type of SharePoint automation (configuration, for example), I definitely recommend you check out his tool! It has been a life saver for me. One example: the gl-createwebapp extension allows you to create a web application in a custom folder location. Gary's tool is very well documented also!


Here is a link to the tool and blog!


http://stsadm.blogspot.com/


Thank you Gary for taking the time to develop, document and release such a valuable tool!


Cheers,


Steve Schofield
Microsoft MVP – IIS