Pre-configure a Windows File Server Cluster or NAS device for Windows Azure Pack: Web Sites

This chapter shows you how to configure your own File Server or File Server Cluster for use with Windows Azure Pack: Web Sites.

Background

If you choose the Standalone Windows File Server option during installation, file server preparation is not required and is automated for you. However, although the Standalone option is useful for "proof of concept" installations, a production environment usually requires a more robust solution such as a Windows File Server Cluster or third-party Network Attached Storage device (NAS). Windows Azure Pack: Web Sites does not depend on per-web site file share permissions, which enables it to work with heterogeneous file storage implementations such as NAS devices.

Warning

Windows Azure Pack: Web Sites relies on File Server Resource Manager (FSRM), which does not support scale-out file servers.

Five Main Steps

Pre-configuring your own Windows File Server, Windows File Server Cluster, or third party NAS device involves the following five main steps. The implementation of these steps varies depending on whether you are working in an Active Directory domain or in a workgroup environment. Steps for both environments are presented.

Note

Although it is beyond the scope of this document to provide configuration instructions for third-party NAS devices, you should generally follow the procedures presented here, making adjustments as required by your non-Windows file cluster or NAS device.

1. Provision Groups and Accounts

2. Enable Windows Remote Management (WinRM) and File Server Resource Manager (FSRM)

3. Provision the Content Share and the Certificate Share

4. Add the FileShareOwners group to the local Administrators group to enable WinRM

5. Configure access control to the shares


1. Provision Groups and Accounts

Provision Groups and Accounts in Active Directory

1.   Create the following Active Directory global security groups:

a.   FileShareOwners

b.   FileShareUsers

c.   CertStoreFSUsers

2.   Create the following Active Directory accounts as service accounts. The accounts to create are:

a.   FileShareOwner

b.   FileShareUser

c.   CentralCertStoreUser (When the standalone file server option is used, this account is called CertificateShareUser).

Note

As a security best practice, the users for these accounts (and for all Web Roles) should be distinct from each other and have strong user names and passwords. For more information, see Windows Azure Pack: Web Sites Security Enhancements.

The FileShareOwner, FileShareUser, and CentralCertStoreUser passwords must be set with the following conditions:

·      Enable Password never expires

·      Enable User cannot change password

·      Disable User must change password at next logon

3.   Add the accounts to the group memberships as follows:

a.   Add FileShareOwner to the FileShareOwners group

b.   Add FileShareUser to the FileShareUsers group

c.   Add CentralCertStoreUser to the CertStoreFSUsers group

Provision Groups and Accounts in a Workgroup

On a workgroup, run net and WMIC commands to provision groups and accounts.

1.   Run the following commands to create the FileShareOwner, FileShareUser, and CentralCertStoreUser accounts. Replace <password> with your own values.

net user FileShareOwner <password> /add /expires:never /passwordchg:no

net user FileShareUser <password> /add /expires:never /passwordchg:no

net user CentralCertStoreUser <password> /add /expires:never /passwordchg:no

2.   Set the passwords for the accounts just created to never expire by running the following WMIC commands:

WMIC USERACCOUNT WHERE "Name='FileShareOwner'" SET PasswordExpires=FALSE

WMIC USERACCOUNT WHERE "Name='FileShareUser'" SET PasswordExpires=FALSE

WMIC USERACCOUNT WHERE "Name='CentralCertStoreUser'" SET PasswordExpires=FALSE

3.   Create the local groups CertStoreFSUsers, FileShareUsers and FileShareOwners, and add the accounts in the first step to them.

net localgroup CertStoreFSUsers /add

net localgroup CertStoreFSUsers CentralCertStoreUser /add

net localgroup FileShareUsers /add

net localgroup FileShareUsers FileShareUser /add

net localgroup FileShareOwners /add

net localgroup FileShareOwners FileShareOwner /add

2. Enable Windows Remote Management (WinRM) and File Server Resource Manager (FSRM)

On the File Server role, or on each node of the Windows File Server Cluster if you are using a cluster, run the following commands at an elevated command prompt to configure WinRM and FSRM:

powershell.exe Enable-PSRemoting -Force

winrm.cmd set winrm/config/winrs @{MaxConcurrentUsers="10";MaxShellsPerUser="50";MaxProcessesPerShell="5000";IdleTimeout="10000"}

 

netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new remoteip=any

 

%windir%\system32\dism.exe /online /enable-feature /featurename:FSRM-Management /featurename:FSRM-Infrastructure /all

3. Provision the Content Share and the Certificate Share

The Content Share contains tenant web site content, whereas the Certificate Share contains custom tenant certificates.

The procedure to provision the content share and the certificate share on a single file server is the same for both Active Directory and Workgroup environments, but different for a Failover cluster in Active Directory.

Provision the content and certificate shares on a single file server (AD or Workgroup)

On a single file server, run the following commands at an elevated command prompt. Replace the values for <C:\WebSites> and <C:\Certificates> with the corresponding paths in your environment.

set WEBSITES_SHARE=WebSites

set CERTIFICATES_SHARE=Certificates

set WEBSITES_FOLDER=<C:\WebSites>

set CERTIFICATES_FOLDER=<C:\Certificates>

 

md %WEBSITES_FOLDER%

md %CERTIFICATES_FOLDER%

 

net share %WEBSITES_SHARE% /delete

net share %WEBSITES_SHARE%=%WEBSITES_FOLDER% /grant:Everyone,full

 

net share %CERTIFICATES_SHARE% /delete

net share %CERTIFICATES_SHARE%=%CERTIFICATES_FOLDER% /grant:Everyone,full

Provision the content and certificate shares on a Failover cluster (Active Directory)

On the Failover cluster, create the following UNC clustered resources:

1.   WebSites

2.   Certificates

4. Add the FileShareOwners group to the local Administrators group to enable WinRM

In order for Windows Remote Management to work properly, you must add the FileShareOwners group to the local Administrators group.

Active Directory

Execute the following commands at an elevated command prompt on the File Server, or on every File Server Failover Cluster node. Replace the value for <DOMAIN> with the domain name you will use.

set DOMAIN=<DOMAIN>

net localgroup Administrators %DOMAIN%\FileShareOwners /add

Workgroup

Execute the following command at an elevated command prompt on the File Server.

net localgroup Administrators FileShareOwners /add

5. Configure access control to the shares

Execute the following commands at an elevated command prompt on the File Server, or on the File Server Failover Cluster node that is the current cluster resource owner. Replace the values in angle brackets with values specific to your environment.

Active Directory

set DOMAIN=<DOMAIN>

set WEBSITES_FOLDER=<C:\WebSites>

set CERTIFICATES_FOLDER=<C:\Certificates>

 

icacls %WEBSITES_FOLDER% /reset

icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)

icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareOwners:(OI)(CI)(M)

icacls %WEBSITES_FOLDER% /inheritance:r

icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareUsers:(CI)(S,X,RA)

icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)

 

icacls %CERTIFICATES_FOLDER% /reset

icacls %CERTIFICATES_FOLDER% /grant %DOMAIN%\FileShareOwners:(OI)(CI)(F)

icacls %CERTIFICATES_FOLDER% /inheritance:r

icacls %CERTIFICATES_FOLDER% /grant %DOMAIN%\CertStoreFSUsers:(OI)(CI)(RX)

Workgroup

set WEBSITES_FOLDER=<C:\WebSites>

set CERTIFICATES_FOLDER=<C:\Certificates>

 

icacls %WEBSITES_FOLDER% /reset

icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)

icacls %WEBSITES_FOLDER% /grant FileShareOwners:(OI)(CI)(M)

icacls %WEBSITES_FOLDER% /inheritance:r

icacls %WEBSITES_FOLDER% /grant FileShareUsers:(CI)(S,X,RA)

icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)

 

icacls %CERTIFICATES_FOLDER% /reset

icacls %CERTIFICATES_FOLDER% /grant FileShareOwners:(OI)(CI)(F)

icacls %CERTIFICATES_FOLDER% /inheritance:r

icacls %CERTIFICATES_FOLDER% /grant CertStoreFSUsers:(OI)(CI)(RX)
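The following PowerShell script is an added verification check, not part of the original procedure, that confirms the results of steps 2 through 5 on the file server before the Web Sites installer is pointed at it. It assumes the folder paths from step 3 (adjust the two variables if yours differ) and matches group names with a wildcard prefix so it works for both the domain (DOMAIN\FileShareOwners) and workgroup (COMPUTERNAME\FileShareOwners) cases.

```powershell
# Added verification script (not part of the original procedure). Run elevated on the
# file server (or the cluster node that owns the shares) after completing steps 2 to 5.
$WebSitesFolder     = 'C:\WebSites'      # assumed path; use the value from step 3
$CertificatesFolder = 'C:\Certificates'  # assumed path; use the value from step 3
$failures = New-Object System.Collections.Generic.List[string]
function Fail([string]$msg) { $script:failures.Add($msg) }

# Records a failure unless an Allow ACE for the identity carries at least $rights with exactly
# the given inheritance/propagation flags, i.e. the icacls (OI)(CI)(IO) notation used in step 5.
function Assert-Ace($acl, [string]$idPattern, [System.Security.AccessControl.FileSystemRights]$rights,
                    [string]$inherit, [string]$propagate, [string]$label) {
    $hit = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like $idPattern -and $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $rights) -eq $rights) -and
        $_.InheritanceFlags -eq $inherit -and $_.PropagationFlags -eq $propagate
    }
    if (-not $hit) { Fail "${label}: no ACE for $idPattern with $rights ($inherit/$propagate)" }
}

# Step 2: WinRM answers locally and both FSRM features (same names as the dism command) are enabled.
if (-not (Test-WSMan -ErrorAction SilentlyContinue)) { Fail 'WinRM is not listening' }
foreach ($f in 'FSRM-Management', 'FSRM-Infrastructure') {
    if ((Get-WindowsOptionalFeature -Online -FeatureName $f).State -ne 'Enabled') { Fail "$f is not enabled" }
}
# Step 3: both shares exist. Share permissions are Everyone/Full, so the NTFS ACLs checked below
# are the effective access boundary. Get-SmbShare needs Windows Server 2012 or later.
foreach ($s in 'WebSites', 'Certificates') {
    if (-not (Get-SmbShare -Name $s -ErrorAction SilentlyContinue)) { Fail "share $s is missing" }
}
# Step 4: FileShareOwners (local or DOMAIN\) must be a member of the local Administrators group.
if (-not ((net localgroup Administrators) -match '(^|\\)FileShareOwners\s*$')) {
    Fail 'FileShareOwners is not in the local Administrators group'
}
# Step 5: inheritance removed and the ACEs from the icacls commands present on both folders.
$web = Get-Acl $WebSitesFolder
if (-not $web.AreAccessRulesProtected) { Fail 'WebSites: inheritance is still enabled' }
Assert-Ace $web '*\Administrators'  'FullControl' 'ContainerInherit, ObjectInherit' 'None' 'WebSites'
Assert-Ace $web '*\FileShareOwners' 'Modify'      'ContainerInherit, ObjectInherit' 'None' 'WebSites'
Assert-Ace $web '*\FileShareUsers'  'Synchronize, ExecuteFile, ReadAttributes' 'ContainerInherit' 'None' 'WebSites'
Assert-Ace $web 'Everyone' 'ReadAttributes, ReadExtendedAttributes, ReadData' `
                'ContainerInherit, ObjectInherit' 'InheritOnly' 'WebSites'
$cert = Get-Acl $CertificatesFolder
if (-not $cert.AreAccessRulesProtected) { Fail 'Certificates: inheritance is still enabled' }
Assert-Ace $cert '*\FileShareOwners'  'FullControl'    'ContainerInherit, ObjectInherit' 'None' 'Certificates'
Assert-Ace $cert '*\CertStoreFSUsers' 'ReadAndExecute' 'ContainerInherit, ObjectInherit' 'None' 'Certificates'

if ($failures.Count -gt 0) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'File server pre-configuration checks passed.'
```

Run it on every cluster node for the WinRM, FSRM and Administrators checks; the share and ACL checks only apply on the node that currently owns the clustered shares.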

See Also

Deploy Windows Azure Pack: Web Sites